ftpd leaks info which might be useful to an attacker

Garance A Drosehn drosih at rpi.edu
Wed Sep 14 19:49:14 UTC 2016

On 13 Sep 2016, at 17:07, Ronald F. Guilmette wrote:
> One set of such decisions has to do with the following files:
>     ~ftp/etc/group
>     ~ftp/etc/pwd.db
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.

Those files completely under the control of the sysadmin (aka "you"),
so you can put whatever you want in those files.  In my case, I think
I wrote a script which generates those two files from the real system
files, but it changes the userid and group names.  In my case I went
with fake userid's which were the first-and-last letters of the real
userid, followed by the UID.  That way there's some helpful information
there for the people who *do* have access to the passwd info for that
machine, but there isn't much info for others.

Garance Alistair Drosehn                =     drosih at rpi.edu
Senior Systems Programmer               or   gad at FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA

More information about the freebsd-security mailing list