
ftpd leaks info which might be useful to an attacker


Ronald F. Guilmette

Sep 13, 2016, 5:07:31 PM
to freebsd-...@freebsd.org

I've been moving all of my stuff over to a shiny new VM that I've
purchased, and in the process I am having to revisit various
configuration decisions I made 10 years ago or more.

One set of such decisions has to do with the following files:

~ftp/etc/group
~ftp/etc/pwd.db

Thinking about how the contents of these files affects the behavior of
the ftp DIR command caused me to realize that I actually would prefer
it if there were some option available for ftpd which would cause
it to display only something like ---- where it currently attempts to
print either a user ID name or number or a group ID name or number.

I should perhaps mention that I'm using the -A option to ftpd, and that
thus, pretty much any Tom, Dick, and Harry on the whole Internet will
be able to log in (as anonymous) to my FTP server and then scrounge
around for interesting stuff. I would kind of prefer if the stuff that
any such party could find would _not_ include actual user or group IDs,
or even numeric UIDs/GIDs.

So, um, anybody else agree that it might be Better if ftpd could be
coerced into not leaking this kind of account information?
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"

Lyndon Nerenberg

Sep 13, 2016, 5:27:56 PM
to Ronald F. Guilmette, freebsd-...@freebsd.org
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.

I would be concerned about programs that parse that output choking on a
field of only hyphens. It's likely safer to just report the uid and gid as
0 (or 666, or some other made-up number of your choice).

--lyndon

Martin Simmons

Sep 14, 2016, 7:29:49 AM
to Ronald F. Guilmette, freebsd-...@freebsd.org
>>>>> On Tue, 13 Sep 2016 14:07:09 -0700, Ronald F Guilmette said:
>
> I've been moving all of my stuff over to a shiny new VM that I've
> purchased, and in the process I am having to revisit various
> configuration decisions I made 10 years ago or more.
>
> One set of such decisions has to do with the following files:
>
> ~ftp/etc/group
> ~ftp/etc/pwd.db
>
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.
>
> I should perhaps mention that I'm using the -A option to ftpd, and that
> thus, pretty much any Tom, Dick, and Harry on the whole Internet will
> be able to log in (as anonymous) to my FTP server and then scrounge
> around for interesting stuff. I would kind of prefer if the stuff that
> any such party could find would _not_ include actual user or group IDs,
> or even numeric UIDs/GIDs.
>
> So, um, anybody else agree that it might be Better if ftpd could be
> coerced into not leaking this kind of account information?

You might consider an ftp daemon such as proftpd, which doesn't require an etc
in the chroot and also has options for hiding the real uid/gid of the files.

__Martin

Nelson H. F. Beebe

Sep 14, 2016, 2:08:18 PM
to Matthew Seaman, freebsd-...@freebsd.org, be...@math.utah.edu
Matthew Seaman <mat...@FreeBSD.org> writes today:

>> About the only useful way to use FTP any more is for anonymous read-only
>> access to download stuff from an archive -- and in that use case, a web
>> server is generally a much better choice. FTP as a protocol is archaic
>> and needs to die.

I agree with the first point (up to the dash), but strongly disagree
with the second: FTP provides directory listing capability, whereas
HTTP does not. I use "dir -tr" in FTP connections quite frequently,
and I find the timestamps in the directory listings critical
information that is routinely lost at many HTTP-only sites.

-------------------------------------------------------------------------------
- Nelson H. F. Beebe Tel: +1 801 581 5254 -
- University of Utah FAX: +1 801 581 4148 -
- Department of Mathematics, 110 LCB Internet e-mail: be...@math.utah.edu -
- 155 S 1400 E RM 233 be...@acm.org be...@computer.org -
- Salt Lake City, UT 84112-0090, USA URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------

Garance A Drosehn

Sep 14, 2016, 3:49:40 PM
to Ronald F. Guilmette, freebsd-...@freebsd.org
On 13 Sep 2016, at 17:07, Ronald F. Guilmette wrote:
>
> One set of such decisions has to do with the following files:
>
> ~ftp/etc/group
> ~ftp/etc/pwd.db
>
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.

Those files are completely under the control of the sysadmin (aka "you"),
so you can put whatever you want in those files. In my case, I think
I wrote a script which generates those two files from the real system
files, but it changes the userid and group names. In my case I went
with fake userids which were the first-and-last letters of the real
userid, followed by the UID. That way there's some helpful information
there for the people who *do* have access to the passwd info for that
machine, but there isn't much info for others.

--
Garance Alistair Drosehn = dro...@rpi.edu
Senior Systems Programmer or g...@FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA
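Garance's scheme, written out as an added example (this is not his script and is not part of the original thread): a POSIX sh script that rewrites /etc/master.passwd and /etc/group into pseudonymised copies under the anonymous-FTP chroot and builds pwd.db with pwd_mkdb(8), which is what FreeBSD ftpd(8) reads for ls owner and group names. The chroot path is taken as an argument and assumed to be ~ftp; blanking the password, GECOS, home, shell and group-member fields, and deleting spwd.db afterwards, are this example's own choices, not something the post prescribes.

```shell
#!/bin/sh
# Added example, not Garance's script: build a pseudonymised ~ftp/etc/pwd.db
# and ~ftp/etc/group for FreeBSD ftpd(8). Naming scheme from the post:
# first + last letter of the real name, then the numeric id
# ("garance" uid 1001 -> "ge1001"). Other fields that could leak
# (hashes, GECOS, home dirs, shells, group member lists) are blanked.

# Read master.passwd(5) on stdin, write a sanitised master.passwd on stdout.
# Fields: name:password:uid:gid:class:change:expire:gecos:home:shell
sanitize_master_passwd() {
    awk -F: -v OFS=: '
        /^#/ || NF < 10 { next }            # comments, blank or malformed lines
        {
            n = $1
            $1  = substr(n, 1, 1) substr(n, length(n), 1) $3   # pseudonym + UID
            $2  = "*"                    # never ship a hash, even a disabled one
            $8  = ""                     # GECOS carries real names, phone numbers
            $9  = "/nonexistent"         # ls only needs name<->uid, not a home
            $10 = "/usr/sbin/nologin"
            print
        }'
}

# Read group(5) on stdin, write a sanitised group file on stdout.
# Fields: name:password:gid:members
sanitize_group() {
    awk -F: -v OFS=: '
        /^#/ || NF < 4 { next }
        {
            n = $1
            $1 = substr(n, 1, 1) substr(n, length(n), 1) $3    # pseudonym + GID
            $2 = "*"
            $4 = ""                      # member list would reveal real user names
            print
        }'
}

# Install the files into the chroot ($1, assumed to be ~ftp) and build pwd.db.
# Must run as root; ftpd(8) wants ~ftp/etc mode 555 and the files mode 444.
build_ftp_etc() {
    ftproot=$1
    install -d -m 555 -o root -g wheel "$ftproot/etc"
    sanitize_master_passwd < /etc/master.passwd > "$ftproot/etc/master.passwd.new"
    sanitize_group         < /etc/group         > "$ftproot/etc/group"
    # pwd_mkdb -d writes pwd.db and spwd.db into the given directory and
    # installs the input file there as master.passwd.
    pwd_mkdb -d "$ftproot/etc" "$ftproot/etc/master.passwd.new"
    # The chroot needs only pwd.db: drop the "secure" db and the text sources.
    rm -f "$ftproot/etc/spwd.db" "$ftproot/etc/master.passwd" \
          "$ftproot/etc/master.passwd.new"
    chmod 444 "$ftproot/etc/pwd.db" "$ftproot/etc/group"
}

# Usage: sh build-ftp-etc.sh /home/ftp
if [ $# -eq 1 ]; then
    build_ftp_etc "$1"
fi
```

Because the password field in ~ftp/etc/pwd.db is never consulted by ftpd (the manual says so, and with -A nobody but anonymous logs in anyway), the "*" is hygiene rather than authentication. The copies go stale whenever an account or group is added, so rerun the script from cron or from whatever creates accounts, or the listing falls back to raw numbers for the new entries.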