conf/93284: Insecure placement of user ftp into operator group (.snap directories access)

[Vadim S. Goncharov]

>Number:         93284
>Category:       conf
>Synopsis:       Insecure placement of user ftp into operator group (.snap directories access)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 13 12:50:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Vadim S. Goncharov
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
AVTF TPU Hostel, Tomsk, Russia
>Environment:
System: FreeBSD hostel.avtf.net 5.4-STABLE FreeBSD 5.4-STABLE #2: Tue Jan 31 15:05:09 NOVT 2006 vadim at hostel.avtf.net:/usr/obj/usr/src/sys/HOSTEL i386

>Description:

	sysinstall(8) asks (when configuring) about enabling anonymous ftp, and
	if so, create user ftp witf uid 14 and places it into group operator
	(gid 5). But UFS2 partitions after nefws by default have .snap
	subdirectory with root:operator ownership and mode 775. Thus, if you
	create separate partition for your ftp (good practice), .snap will be
	writeable by anonymous users, even if all other data on your ftp is in
	read-only public access (very bad). As a side effect, placing ftp user
	in such important system group as operator can have other security
	implications.

>How-To-Repeat:

	Answer "yes" to question about enabling anonymous ftp and mount eralier
	created (at disklabel stage) UFS2 partition to /var/ftp - anonymous
	users will be able to write to .snap subdirectory.

>Fix:

	Create group ftp with gid=21 and assign this group as primary for
	user ftp.

	Suggested src/conf fix is to make default separate group for ftp already in
	base system (and teach sysinstall about it), as it is already done with
	users www, news, etc.

>Release-Note:
>Audit-Trail:
>Unformatted: