Bugtraq mailing list archives
BSD/OS 3.0 config_anonftp script
From: trey () ANALOG ORG (trey)
Date: Mon, 16 Mar 1998 16:45:31 -0500
This being my first post, please excuse me if this information is already known.

BSD/OS 3.0 comes without any anonymous ftp set up out-of-the-box. Configuration of anonymous ftp is provided by the perl script /usr/sbin/config_anonftp (for those who don't just set this up by hand). A problem seems to exist in the following lines of this script:

    &copy_file("/etc", "group", "$ftp{\"DIR\"}/etc", 0444);
    &copy_file("/etc", "pwd.db", "$ftp{\"DIR\"}/etc", 0444);

What ever happened to creating dummy group and passwd files for anonymous ftp? This script copies the full system group and pwd.db files where anyone can get them. While pwd.db contains no password information (as does spwd.db), it makes it trivial to gather a full list of users and the info found in the other fields of the passwd file.

I do realize that if config_anonftp is run before any system accounts are set up, pwd.db and group would not contain any unique system information.

Wouldn't it be safer if config_anonftp constructed dummy group and pwd.db files? The -d option to pwd_mkdb seems ideal for this purpose.

Again, if any of this information is known, I apologize.

Sincerely,
trey <trey () analog org>
The Analog Organization
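The following shell example is added here and is not from the post or from BSD/OS: it writes placeholder group and master.passwd files into an anonymous ftp tree instead of copying the system ones, and audits an existing tree's text files for names carried over from the system files. The function names, the uid/gid values and the allowlist are assumptions, and the pwd_mkdb step is shown only as a comment.

```shell
#!/bin/sh
# Added example, not the BSD/OS config_anonftp script. Names and ids are constructed.

# Write placeholder account files into <ftp_dir>/etc instead of copying /etc.
make_dummy_ftp_etc() {
    ftp_etc="$1/etc"
    mkdir -p "$ftp_etc" || return 1
    rm -f "$ftp_etc/group" "$ftp_etc/master.passwd"
    # group(5): name:passwd:gid:members, with empty member lists
    printf '%s\n' 'wheel:*:0:' 'ftp:*:5:' > "$ftp_etc/group"
    # master.passwd(5): ten fields, locked password, no real gecos or home
    printf '%s\n' \
        'root:*:0:0::0:0:placeholder:/:/nonexistent' \
        'ftp:*:14:5::0:0:placeholder:/:/nonexistent' > "$ftp_etc/master.passwd"
    chmod 0600 "$ftp_etc/master.passwd"
    chmod 0444 "$ftp_etc/group"
    # Assumed next step on the BSD host (not run here): build pwd.db from the
    # placeholder file with the -d option the post mentions, then remove
    # master.passwd and spwd.db from the ftp tree:
    #   pwd_mkdb -d "$ftp_etc" "$ftp_etc/master.passwd"
}

# Print every name the chroot copy shares with the system file, plus any
# group members it lists, except allowlisted ones. Input is a colon-separated
# text file keyed by field 1 (group, passwd or master.passwd).
leaked_names() {
    sys_file="$1"; chroot_file="$2"; allow="${3:-root wheel ftp}"
    awk -F: -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || NF < 2 { next }
        FILENAME == ARGV[1] { sys[$1] = 1; next }
        ($1 in sys) && !($1 in ok) { print $1 }
        NF == 4 {                      # group file: field 4 is the member list
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (!(m[i] in ok)) print m[i]
        }
    ' "$sys_file" "$chroot_file" | sort -u
}
```

An empty result from `leaked_names /etc/group "$FTP_DIR/etc/group"` means the ftp tree exposes no group or member names beyond the allowlist; pwd.db is a binary database and has to be checked separately.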