Ftpfs security hole particulary fixed

Pavel Roskin proski at gnu.org
Wed Jan 30 01:16:32 UTC 2002


Hi!

> > I just want to clarify that the default permissions are not necessarily
> > bad.  The server must be seriously misconfigured to allow other users to
> > modify the uploaded files.  Normally the umask is 022, i.e. other users
> > can just read the new files.  Relying on FTP when uploading the files that
> > may not be read is not a good idea anyway, since FTP transfers data in
> > cleartext.
> 
> But you need some knowledge level, rights and luck to listen right ports in
> right time.

Exactly the same is needed to read uploaded files - knowledge level,
rights (i.e. shell access to the ftp server) and luck to read the right
files in the right time (i.e. before chmod).  I mean fixed mc.  Otherwise
the luck is not required :-)

> > I acknoledge that the bug is security-related.  However, it doesn't
> > warrant an emergency release in my opinion.
> 
> Does we want to maintain 4.5.x barnch and do users need gmc is much
> more important question.

I don't see any interests from GNOME users towards gmc.  I searched on
Google for gmc and words "love" and "hate".  It turns out that gmc has
more haters than lovers :-)

Seriously, even Ximian didn't bother to update gmc to 4.5.55.  Neither did
RedHat.  What's the purpose in releasing another version that very few
people will use?  Most GNOME users don't compile their sources, even if
advised of security holes.

> > I don't think that using umask is worth the trouble, partly for the
> > reasons explained above, partly because it only affects FTP upload.
> > It also takes time to send a command and wait for the result.
> 
> Well, it may be configurable option in VFS Option menu.  BTW I want add
> "Use Unix ls options" there because wu-ftpd 2.6.1 understands "LIST -la" as
> "LIST -laR" and confuses mc parser.

I thing that "umask" in the menu is an overkill.  "Use Unix ls options"  
should be there if only it's impossible to avoid.  Even it that case, we
should try to make it remote host-specific, not user-specific.

I'm using wu-ftpd 2.6.1 (from RedHat 7.2) and it works correctly.  Here's 
the transcript with debug enabled:

ftp> ls -al
---> PASV
227 Entering Passive Mode (127,0,0,1,4,177)
---> LIST -al
150 Opening ASCII mode data connection for directory listing.
total 48
drwxr-xr-x   6 root     root         4096 Nov 20 16:20 .
drwxr-xr-x   6 root     root         4096 Nov 20 16:20 ..
d--x--x--x   2 root     root         4096 Nov 20 16:20 bin
d--x--x--x   2 root     root         4096 Dec 17 15:57 etc
drwxr-xr-x   2 root     root         4096 Dec 17 15:57 lib
drwxr-xr-x   4 500      root         4096 Jan 29 01:36 pub
226 Transfer complete.
ftp>

I would prefer to try all possible solutions first (except stripping the
results of "ls -alR", which can be time and bandwidth consuming) before 
exposing the problem to the user.

Could you please send the transcript?  Have you reported the bug to
wu-ftpd developers?  Have you tried "ls -al" instead of "ls -la" ?

-- 
Regards,
Pavel Roskin




More information about the mc-devel mailing list