ftpd leaks info which might be useful to an attacker

Lyndon Nerenberg lyndon at orthanc.ca
Tue Sep 13 21:27:33 UTC 2016

> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.

I would be concerned about programs that parse that output choking on a 
field of only hyphens. It's likely safer to just report the uid and gid as 
0 (or 666, or some other made-up number of your choice).


More information about the freebsd-security mailing list