Ftpfs security hole particularly fixed
Andrew V. Samoilov
kai at cmail.ru
Tue Jan 29 10:39:21 UTC 2002
Hello!
> > After 4.5.43 chmod fails without warning if it is called not
> > from the root directory at the ftp site. So uploading over mc ftpfs
> > can be insecure because uploaded files/directories have
> > default permissions.
>
> I just want to clarify that the default permissions are not necessarily
> bad. The server must be seriously misconfigured to allow other users to
> modify the uploaded files. Normally the umask is 022, i.e. other users
> can just read the new files. Relying on FTP when uploading the files that
> may not be read is not a good idea anyway, since FTP transfers data in
> cleartext.
But you need some knowledge level, rights and luck to listen on the right ports at
the right time.
> I acknowledge that the bug is security-related. However, it doesn't
> warrant an emergency release in my opinion.
Do we want to maintain the 4.5.x branch and do users need gmc is a much
more important question.
> I don't think that using umask is worth the trouble, partly for the
> reasons explained above, partly because it only affects FTP upload.
> It also takes time to send a command and wait for the result.
Well, it may be a configurable option in the VFS Option menu. BTW I want to add
"Use Unix ls options" there because wu-ftpd 2.6.1 understands "LIST -la" as
"LIST -laR" and confuses the mc parser.
Regards,
Andrew.