Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)
James W. Abendschan (jwa@nbs.nau.edu)
Wed, 12 Jul 1995 13:58:34 -0700
> People with local ftp access can use the filedescriptors in /proc of
> the iwu.)ftpd process (which is running under their euid) to read and append
> to files to which they should not have access. This gives write permission
> to /var/adm/wtmp and read access to /etc/shadow, if your ftpd is hacked
> in a 'dirty' way to incorporate shadow passwords. The 2.4 version also
> gave write access to /var/adm/xferlog. A friend of mine reported write
> access to /etc/ftpconversions (with possible root vulnerabilities), but
> I have not been able to repeat that (2.4.2 beta 4 appears to be safe in
> this)
Maybe I'm completely missing the point, but wouldn't this help?
linux# chown root.kmem /proc
linux# chmod 750 /proc
And then sgid kmem all the binaries that need /proc access:
linux# chown root.kmem `which w` `which ps` `which top` (etc)
linux# chmod 2755 `which w` `which ps` `which top` (etc)
This restricts ordinary users from wandering around in /proc, and
thus being able to access the "unclosed" files.
James
--
James Abendschan jwa@nbs.nau.edu Will Hack For Food
<a href="http://www.nbs.nau.edu/~jwa">Zero Funk Kick</a>