Bugtraq mailing list archives
Re: ftpd: the advisory version
From: diz () CAFES NET (Mike Eldridge)
Date: Thu, 29 Jun 2000 14:25:34 -0500
On Tue, 27 Jun 2000, Olaf Kirch wrote:
* The publicfile FTP server uses local ports above 1024 for PORT connections. I.e. publicfile is able to drop root privs because it stops using port 20 when creating data connections in response to a PORT command. It's against the spec but works with most clients.
Against spec, it may be, but in my opinion, it makes more sense. If you ask me, active ftp data transfers are dumb. Maybe that's because all of my computers at home are behind a masquerading firewall, but still. ;) It would seem to me that the way it should have been done was a bind to port 21 as root, then the control connection should drop root privileges by setuid() to the incoming user. FTP data transfers should be passive by default, binding to some unused random port above 1024. We use ncftpd for our ftp server. It chroot()s to the user's home directory and also setuid()s to the user. Simple security precautions can go a long way. All daemons that run as root that takes input of any kind will have some possibility of exploit as it's almost impossible to cover all possible holes. That would just take entirely too long. :) So, I think the lesson learned here is, whenever possible, use chroot() and/or setuid() to avoid remote root exploits. Mike Eldridge System Administrator
Current thread:
- Re: ftpd: the advisory version Lamagra Argamal (Jun 24)
- Re: ftpd: the advisory version Jim Knoble (Jun 26)
- Re: ftpd: the advisory version Olaf Kirch (Jun 27)
- Re: ftpd: the advisory version Mike Eldridge (Jun 29)
- Re: ftpd: the advisory version Olaf Kirch (Jun 27)
- Linux capability bounding set weakness Patrick Reynolds (Jun 26)
- Re: Linux capability bounding set weakness Paul Wouters (Jun 27)
- Re: Linux capability bounding set weakness Matthew Kirkwood (Jun 27)
- Improved ARP sniffer Paul Starzetz (Jun 27)
- [suse-security-announce] SuSE Security Announcement: kernel-2.2.x (fwd) Daniel T. Chen (Jun 27)
- <Possible follow-ups>
- Re: ftpd: the advisory version Steven M. Bellovin (Jun 26)
- Re: ftpd: the advisory version Dan Harkless (Jun 27)
- Re: ftpd: the advisory version Teodor Cimpoesu (Jun 28)
- Re: ftpd: the advisory version Sebastian (Jun 28)
- Re: ftpd: the advisory version Kasatenko Ivan Alex. (Jun 29)
(Thread continues...)
- Re: ftpd: the advisory version Jim Knoble (Jun 26)