ftpd leaks info which might be useful to an attacker
Martin Simmons
martin at lispworks.com
Wed Sep 14 11:29:28 UTC 2016
>>>>> On Tue, 13 Sep 2016 14:07:09 -0700, Ronald F Guilmette said:
>
> I've been moving all of my stuff over to a shiny new VM that I've
> purchased, and in the process I am having to revisit various
> configuration decisions I made 10 years ago or more.
>
> One set of such decisions has to do with the following files:
>
> ~ftp/etc/group
> ~ftp/etc/pwd.db
>
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.
>
> I should perhaps mention that I'm using the -A option to ftpd, and that
> thus, pretty much any Tom, dick, and harry on the whole Internet will
> be able to log in (as anonymous) to my FTP server and then scrounge
> around for intersting stuff. I would kind of prefer if the stuff that
> any such party could find would _not_ include actual user or group IDs,
> or even numeric UIDs/GIDs.
>
> So, um, anybody else agree that it might be Better if ftpd could be
> coerced into not leaking this kind fo account information?
You might consider an ftp daemon such as proftpd, which doesn't require an etc
in the chroot and also has options for hiding the real uid/gid of the files.
__Martin
More information about the freebsd-security
mailing list