From nobody@FreeBSD.org  Fri Mar 16 03:04:08 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 3C39B37B71A
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 16 Mar 2001 03:04:08 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f2GB48x03389;
	Fri, 16 Mar 2001 03:04:08 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200103161104.f2GB48x03389@freefall.freebsd.org>
Date: Fri, 16 Mar 2001 03:04:08 -0800 (PST)
From: tedm@toybox.placo.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: Security hole in anonymous FTP setup script
X-Send-Pr-Version: www-1.0

>Number:         25851
>Category:       bin
>Synopsis:       [patch] security hole in anonymous FTP setup script
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ceri
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 16 03:10:01 PST 2001
>Closed-Date:    Tue Jan 24 18:37:06 GMT 2006
>Last-Modified:  Tue Jan 24 18:37:06 GMT 2006
>Originator:     Ted Mittelstaedt
>Release:        Release 4.2
>Organization:
>Environment:
FreeBSD mail.freebsd-corp-net-guide.com 4.2-RELEASE FreeBSD 4.2-RELEASE #7: Wed
Mar 14 03:53:01 PST 2001     tedm@mail.freebsd-corp-net-guide.com:/usr/src/sys/c
ompile/MAILSERV  i386 
>Description:
If /stand/sysinstall is run AFTER users are added to the system,
and used to set up anonymous FTP, as part of its setup routine
it copies the system /etc/group to /var/ftp/etc.  The problem is
that by then the system's /etc/group file has been populated with
the userID's of local users that are in the "wheel" group.

This allows an anonymous user to obtain a list of all users on
the system who are authorized to su to the root user.  It may also
give an attacker a list of all userID's on the system, depending on
how many userID's are in the system /etc/group file by then.  This
represents an unnecessary release of information to a remote attacker.
>How-To-Repeat:
Populate /etc/group with userID's in the system then run /stand/sysinstall and select Network services then select Setup Anonymous FTP.
>Fix:
I would suggest that during the setup, the anonymous
FTP setup script strip out the users listed on each one of the
group lines, as this information is not needed for operation of
anonymous FTP.  Another possibility would be to use a 
dummy group file with just the default groups in it that was
embedded in the setup script.  Even if the existing behavior was
left intact and a warning was put up this would be better than
nothing.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->sysinstall 
Responsible-Changed-By: kris 
Responsible-Changed-When: Fri Mar 23 21:45:39 PST 2001 
Responsible-Changed-Why:  
jkh is Mr sysinstall 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25851 
Responsible-Changed-From-To: sysinstall->jkh 
Responsible-Changed-By: ru 
Responsible-Changed-When: Tue Jul 3 07:25:08 PDT 2001 
Responsible-Changed-Why:  
Mr sysinstall is jkh 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=25851 
Responsible-Changed-From-To: jkh->eric 
Responsible-Changed-By: jkh 
Responsible-Changed-When: Thu Aug 30 17:28:41 PDT 2001 
Responsible-Changed-Why:  
Eric handles these now 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=25851 
Responsible-Changed-From-To: eric->freebsd-qa 
Responsible-Changed-By: eric 
Responsible-Changed-When: Mon Oct 1 11:51:56 PDT 2001 
Responsible-Changed-Why:  
assign idle sysinstall bugs to freebsd-qa, as suggested by murray 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=25851 

From: Zak Johnson <zakj@nox.cx>
To: freebsd-gnats-submit@FreeBSD.org, tedm@toybox.placo.com
Cc:  
Subject: Re: misc/25851: Security hole in anonymous FTP setup script
Date: Wed, 19 Jun 2002 11:31:41 -0400

 This patch fixes the problem by stripping the user list from each line.
 
 --- release/sysinstall/anonFTP.c.orig	Thu Sep 27 02:38:32 2001
 +++ release/sysinstall/anonFTP.c	Wed Jun 19 11:26:36 2002
 @@ -298,7 +298,7 @@
  	if (DITEM_STATUS(createFtpUser()) == DITEM_SUCCESS) {
  	    msgNotify("Copying password information for anon FTP.");
  	    vsystem("awk -F: '{if ($3 < 10 || $1 == \"ftp\") print $0}' /etc/passwd > %s/etc/passwd && chmod 444 %s/etc/passwd", tconf.homedir, tconf.homedir);
 -	    vsystem("awk -F: '{if ($3 < 100) print $0}' /etc/group > %s/etc/group && chmod 444 %s/etc/group", tconf.homedir, tconf.homedir);
 +	    vsystem("awk -F: '!/^#/ {if ($3 < 100) printf \"%s:%s:%s:\\n\", $1, $2, $3}' /etc/group > %s/etc/group && chmod 444 %s/etc/group", tconf.homedir, tconf.homedir);
  	    vsystem("chown -R root.%s %s/pub", tconf.group, tconf.homedir);
  	}
  	else {
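Review bot: On the added `/etc/group` line, the awk `printf \"%s:%s:%s:\\n\"` sits inside the format string that vsystem() itself expands (the other calls here pass `%s` with arguments in the same way), and this call supplies only two arguments, tconf.homedir twice, for five `%s` conversions. The three `%s` meant for awk will be consumed before the command is run, so awk never sees them and the two redirect paths are formatted from arguments that were not passed. Write the awk ones as `%%s`.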
 
 -Zak

From: Zak Johnson <zakj@nox.cx>
To: freebsd-gnats-submit@FreeBSD.org, tedm@toybox.placo.com
Cc:  
Subject: Re: misc/25851: Security hole in anonymous FTP setup script
Date: Wed, 19 Jun 2002 15:46:32 -0400

 Sorry, there was an error in the previous patch.
 
 -Zak
 
 --- anonFTP.c.orig	Thu Sep 27 02:38:32 2001
 +++ anonFTP.c	Wed Jun 19 15:43:02 2002
 @@ -298,7 +298,7 @@
  	if (DITEM_STATUS(createFtpUser()) == DITEM_SUCCESS) {
  	    msgNotify("Copying password information for anon FTP.");
  	    vsystem("awk -F: '{if ($3 < 10 || $1 == \"ftp\") print $0}' /etc/passwd > %s/etc/passwd && chmod 444 %s/etc/passwd", tconf.homedir, tconf.homedir);
 -	    vsystem("awk -F: '{if ($3 < 100) print $0}' /etc/group > %s/etc/group && chmod 444 %s/etc/group", tconf.homedir, tconf.homedir);
 +	    vsystem("awk -F: '!/^#/ {if ($3 < 100) printf \"%%s:%%s:%%s:\\n\", $1, $2, $3}' /etc/group > %s/etc/group && chmod 444 %s/etc/group", tconf.homedir, tconf.homedir);
  	    vsystem("chown -R root.%s %s/pub", tconf.group, tconf.homedir);
  	}
  	else {
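Review bot: The new printf on the `/etc/group` line still copies `$2`, the group password field, verbatim into the world-readable `%s/etc/group`. Since the aim is to publish only what anonymous FTP needs, consider emitting a literal `*` in that position instead of `$2`, so that a group password set on the host can never end up in the chroot copy.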
Responsible-Changed-From-To: freebsd-qa->ceri 
Responsible-Changed-By: ceri 
Responsible-Changed-When: Fri Dec 30 14:33:13 UTC 2005 
Responsible-Changed-Why:  
I have an updated patch for this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25851 

From: Ceri Davies <ceri@FreeBSD.org>
To: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
Cc:  
Subject: Re: bin/25851: Security hole in anonymous FTP setup script
Date: Fri, 30 Dec 2005 14:33:07 +0000

 Here is an update patch that works.
 
 
 Index: anonFTP.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/sysinstall/anonFTP.c,v
 retrieving revision 1.35
 diff -u -r1.35 anonFTP.c
 --- anonFTP.c	16 Nov 2004 19:06:42 -0000	1.35
 +++ anonFTP.c	30 Dec 2005 14:31:39 -0000
 @@ -299,7 +299,7 @@
  	    vsystem("awk -F: '{if ((substr($1, 1, 1) != \"+\") && (substr($1, 1, 1) != \"-\") && ($3 < 10 || $1 == \"ftp\")) print $0}' /etc/master.passwd > %s/etc/master.passwd", tconf.homedir);
  	    vsystem("/usr/sbin/pwd_mkdb -d %s/etc %s/etc/master.passwd && chmod 444 %s/etc/pwd.db", tconf.homedir, tconf.homedir, tconf.homedir);
  	    vsystem("rm -f %s/etc/master.passwd %s/etc/spwd.db", tconf.homedir, tconf.homedir);
 -	    vsystem("awk -F: '{if ((substr($1, 1, 1) != \"+\") && (substr($1, 1, 1) != \"-\") && ($3 < 100)) print $0}' /etc/group > %s/etc/group && chmod 444 %s/etc/group", tconf.homedir, tconf.homedir);
 +	    vsystem("awk -F: '!/^#/ {if ((substr($1, 1, 1) != \"+\") && (substr($1, 1, 1) != \"-\") && ($3 < 100)) printf \"%%s:%%s:%%s:\\n\", $1, $2, $3}' /etc/group > %s/etc/group && chmod 444 %s/etc/group", tconf.homedir, tconf.homedir);
  	    vsystem("chown -R root.%s %s/pub", tconf.group, tconf.homedir);
  	}
  	else {
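Review bot: The filter on the `/etc/group` line now applies three separate first-character tests (`!/^#/` plus two `substr($1, 1, 1)` comparisons); a single `$1 !~ /^[#+-]/` expresses the same condition and makes this long, heavily escaped line easier to audit. It would also help to put a short C comment above the call saying that the member list is dropped deliberately (PR 25851), so that a later cleanup does not restore `print $0`.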
State-Changed-From-To: open->patched 
State-Changed-By: ceri 
State-Changed-When: Sun Jan 15 22:53:44 UTC 2006 
State-Changed-Why:  
Patched in -HEAD, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25851 
State-Changed-From-To: patched->closed 
State-Changed-By: ceri 
State-Changed-When: Tue Jan 24 18:36:47 UTC 2006 
State-Changed-Why:  
Pulled back to RELENG_5 and RELENG_6.  Thank you. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25851 
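
The following is an added example, not part of the PR or of the FreeBSD source: a check for anonymous-FTP trees that were set up before the fix and may still carry member lists in their `etc/group`. The function names and the sample group file are constructed for illustration; `sanitize_group` applies the same filtering rules as the final patch, with an extra guard against lines that have fewer than three fields.

```shell
#!/bin/sh
# Added example (not sysinstall code): audit and regenerate an anon-FTP etc/group.

# audit_group FILE
# Report every group line that still has a non-empty member field.
# Exit status is 1 if at least one such line was found, 0 otherwise.
audit_group() {
    awk -F: '
        $1 ~ /^[#+-]/ || NF < 4 { next }   # comments, NIS entries, short lines
        $4 != "" {
            printf "%s (gid %s): %d member name(s) exposed\n", $1, $3, split($4, m, ",")
            n++
        }
        END { exit (n > 0) }
    ' "$1"
}

# sanitize_group FILE
# Emit name:password:gid: for system groups (gid < 100) with the member list dropped.
sanitize_group() {
    awk -F: 'NF >= 3 && $1 !~ /^[#+-]/ && $3 < 100 { printf "%s:%s:%s:\n", $1, $2, $3 }' "$1"
}

# make_sample FILE
# Write a constructed /etc/group (user names are invented) for the demonstration.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample group file
wheel:*:0:root,alice,bob
daemon:*:1:
operator:*:5:root,alice
ftp:*:14:
staff:*:20:carol
users:*:1001:dave
+:*::
EOF
}

# Demonstration: audit the sample, regenerate it, audit again.
tmp=$(mktemp -d)
make_sample "$tmp/group"
audit_group "$tmp/group" || echo "member lists present in $tmp/group"
sanitize_group "$tmp/group" > "$tmp/group.clean"
audit_group "$tmp/group.clean" && echo "regenerated file carries no member lists"
rm -rf "$tmp"
```

To check a real installation, point `audit_group` at the `etc/group` inside the FTP home directory (`/var/ftp/etc/group` in the report above).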
>Unformatted:
