Re: Exploit for Linux wu.ftpd hole

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Simon Burr: "Re: Exploit for Linux wu.ftpd hole"
• Previous message: Karl Strickland: "Re: SM 8.6.12"
• Maybe in reply to: Henri Karrenbeld: "Exploit for Linux wu.ftpd hole"
• Next in thread: Simon Burr: "Re: Exploit for Linux wu.ftpd hole"

Marek Michalkiewicz wrote:
>They are needed to create ftp-data sockets (privileged port number).
>That's why ftpd runs (most of the time) with the effective uid of the
>user who is logged in, but real uid 0 (so that it can get root privs
>for a while, to create a socket).  But no external program (like ls,
>gzip, tar, ...) needs to run as root - there should be something like
>setgid(getegid()); setuid(geteuid()); between fork and exec in ftpd_popen.
>This would prevent the slackware hole from giving root access.
>
>Comments?

Binding to a privileged port is what inetd is good for.  Still no
reason for ftpd to be root other than to do a chroot.  After the chroot
(which should happen in the first few executed statements), ftpd
should drop to some other user, like "ftp."

 -- William

• Next message: Simon Burr: "Re: Exploit for Linux wu.ftpd hole"
• Previous message: Karl Strickland: "Re: SM 8.6.12"
• Maybe in reply to: Henri Karrenbeld: "Exploit for Linux wu.ftpd hole"
• Next in thread: Simon Burr: "Re: Exploit for Linux wu.ftpd hole"