Ftpfs security hole particularly fixed

Andrew V. Samoilov sav at it.efp.com.ua
Wed Jan 30 11:55:26 UTC 2002


Hello!

> Exactly the same is needed to read uploaded files - knowledge level,
> rights (i.e. shell access to the ftp server) 

Even ftp access to this ftp server is enough.

> and luck to read the right
> files in the right time (i.e. before chmod).  I mean fixed mc.  Otherwise
> the luck is not required :-)

> > Do we want to maintain the 4.5.x branch and do users need gmc is a much
> > more important question.
 
> Seriously, even Ximian didn't bother to update gmc to 4.5.55.  Neither did
> RedHat.  What's the purpose in releasing another version that very few
> people will use?  Most GNOME users don't compile their sources, even if
> advised of security holes.

Well, I realized the volume of work if we do it at an appropriate level.
You assured me :-)

> > > I don't think that using umask is worth the trouble, partly for the
> > > reasons explained above, partly because it only affects FTP upload.
> > > It also takes time to send a command and wait for the result.
> > 
> > Well, it may be a configurable option in the VFS Option menu.  BTW I want to add
> > "Use Unix ls options" there because wu-ftpd 2.6.1 understands "LIST -la" as
> > "LIST -laR" and confuses the mc parser.
> 
> I think that "umask" in the menu is an overkill.

I want to leave the umask question open.

>  "Use Unix ls options"  
> should be there if only it's impossible to avoid.  Even in that case, we
> should try to make it remote host-specific, not user-specific.

Well, my wu-ftpd does "LIST -la" absolutely right
and others understand this as "LIST -lad".  So, if the -d option is
commonplace for ftp servers I will commit a patch where all
occurrences of "LIST -la" will be replaced by "LIST -lad".

Regards,
Andrew.

More information about the mc-devel mailing list