ftpd leaks info which might be useful to an attacker

Matthew Seaman matthew at FreeBSD.org
Wed Sep 14 07:58:18 UTC 2016


On 13/09/2016 22:07, Ronald F. Guilmette wrote:
> One set of such decisions has to do with the following files:
> 
>     ~ftp/etc/group
>     ~ftp/etc/pwd.db
> 
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.

Why is this a problem, given that all the user and group IDs your ftpd
will display come from the private files in your chroot?  You can make
the ownership of the files under ~ftp anything you want, and you can
make them appear as anything you want.

In practice I'd make everything owned by root:wheel, unless you want to
support uploading, in which case *only* the area that files can be uploaded
to should be made owned by ftpd and writable by that UID.  Some sort of
cron job running chown and chmod recursively over that collection to
enforce this would be a good idea.

> I should perhaps mention that I'm using the -A option to ftpd, and that
> thus, pretty much any Tom, Dick, and Harry on the whole Internet will
> be able to log in (as anonymous) to my FTP server and then scrounge
> around for interesting stuff.  I would kind of prefer if the stuff that
> any such party could find would _not_ include actual user or group IDs,
> or even numeric UIDs/GIDs.

Basically don't mix anonymous access with password authenticated access.
Also, don't use password access with *plaintext* protocols like FTP.
About the only useful way to use FTP any more is for anonymous read-only
access to download stuff from an archive -- and in that use case, a web
server is generally a much better choice.  FTP as a protocol is archaic
and needs to die.

	Cheers,

	Matthew
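One way to implement the recurring chown/chmod enforcement suggested above, as an added example that is not from the thread or from FreeBSD's own tooling: the function name, its arguments and the upload-directory layout are assumptions. It audits the chroot against the stated policy (root-owned, nowhere writable except the upload area, which is owned and writable by the ftp user only) and repairs only when explicitly asked.

```sh
#!/bin/sh
# Audit, and optionally fix, ownership and modes under an anonymous-FTP chroot.
# Policy (from the thread): everything under ROOT is OWNER:GROUP and not
# writable by group or other; the upload area UPLOAD is owned by UOWNER and
# writable by that user only.
# Usage: ftp_perm_audit ROOT UPLOAD OWNER GROUP UOWNER [fix]
# Prints one offending path per line; with the optional "fix" argument it
# also repairs each path (needs root). The names here are hypothetical.
# Note: "-perm /mode" is GNU find syntax; older BSD find spells it "+mode".
ftp_perm_audit() {
    root=$1 upload=$2 owner=$3 group=$4 uowner=$5 mode=${6:-check}

    # Read-only tree: skip the upload area, then flag wrong owner, wrong
    # group, or any group/other write bit (022).
    find "$root" -path "$upload" -prune -o \
        \( ! -user "$owner" -o ! -group "$group" -o -perm /022 \) -print |
    while IFS= read -r p; do
        printf '%s\n' "$p"
        if [ "$mode" = fix ]; then
            chown "$owner:$group" "$p"
            chmod go-w "$p"
        fi
    done

    # Upload area: flag wrong owner, group/other write bits, or a missing
    # owner write bit (0200), since the ftp user must be able to write here.
    find "$upload" \( ! -user "$uowner" -o -perm /022 -o ! -perm -200 \) -print |
    while IFS= read -r p; do
        printf '%s\n' "$p"
        if [ "$mode" = fix ]; then
            chown "$uowner:$group" "$p"
            chmod u+w,go-w "$p"
        fi
    done
}
```

Run it from cron in check mode first and inspect the output; switch to `fix` once the reported paths are the ones you expect.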



