From vadim@hostel.avtf.net  Mon Feb 13 12:45:14 2006
Return-Path: <vadim@hostel.avtf.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 692AD16A420
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 13 Feb 2006 12:45:14 +0000 (GMT)
	(envelope-from vadim@hostel.avtf.net)
Received: from oasis.cctpu.edu.ru (oasis.cctpu.edu.ru [195.208.174.128])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DD0CB43D48
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 13 Feb 2006 12:45:12 +0000 (GMT)
	(envelope-from vadim@hostel.avtf.net)
Received: from hostel.avtf.net (hostel.avtf.net [82.117.64.190])
	by oasis.cctpu.edu.ru (8.11.3/8.11.3) with ESMTP id k1DCj4W34685
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 13 Feb 2006 19:45:05 +0700 (KRAT)
	(envelope-from vadim@hostel.avtf.net)
Received: from hostel.avtf.net (localhost [127.0.0.1])
	by hostel.avtf.net (8.13.4/8.13.4) with ESMTP id k1DCipCc046297
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 13 Feb 2006 18:44:52 +0600 (NOVT)
	(envelope-from vadim@hostel.avtf.net)
Received: (from vadim@localhost)
	by hostel.avtf.net (8.13.4/8.13.4/Submit) id k1DCinJS046295;
	Mon, 13 Feb 2006 18:44:49 +0600 (NOVT)
	(envelope-from vadim)
Message-Id: <200602131244.k1DCinJS046295@hostel.avtf.net>
Date: Mon, 13 Feb 2006 18:44:49 +0600 (NOVT)
From: "Vadim S. Goncharov" <vadim_nuclight@mail.ru>
Reply-To: "Vadim S. Goncharov" <vadim_nuclight@mail.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Insecure placement of user ftp into operator group (.snap directories access)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         93284
>Category:       bin
>Synopsis:       [sysinstall] Insecure placement of user ftp into operator group (.snap directories access)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 13 12:50:03 GMT 2006
>Closed-Date:    Thu Sep 13 09:50:31 GMT 2007
>Last-Modified:  Thu Sep 13 09:50:31 GMT 2007
>Originator:     Vadim S. Goncharov
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
AVTF TPU Hostel, Tomsk, Russia
>Environment:
System: FreeBSD hostel.avtf.net 5.4-STABLE FreeBSD 5.4-STABLE #2: Tue Jan 31 15:05:09 NOVT 2006 vadim@hostel.avtf.net:/usr/obj/usr/src/sys/HOSTEL i386

>Description:

	sysinstall(8) asks (when configuring) about enabling anonymous ftp, and
	if so, creates user ftp with uid 14 and places it into group operator
	(gid 5). But UFS2 partitions after newfs by default have .snap
	subdirectory with root:operator ownership and mode 775. Thus, if you
	create separate partition for your ftp (good practice), .snap will be
	writeable by anonymous users, even if all other data on your ftp is in
	read-only public access (very bad). As a side effect, placing ftp user
	in such important system group as operator can have other security
	implications.

>How-To-Repeat:

	Answer "yes" to question about enabling anonymous ftp and mount earlier
	created (at disklabel stage) UFS2 partition to /var/ftp - anonymous
	users will be able to write to .snap subdirectory.

>Fix:

	Create group ftp with gid=21 and assign this group as primary for
	user ftp.

	Suggested src/conf fix is to make default separate group for ftp already in
	base system (and teach sysinstall about it), as it is already done with
	users www, news, etc.
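
A check for the condition described in this report, as an added example that is not part of the original PR or of FreeBSD's code. The function names, the sample passwd/group lines (including the /nonexistent shell) and the stand-in .snap directory are constructed for illustration.

```sh
#!/bin/sh
# Added example (not FreeBSD project code): audit for the exposure in PR 93284.
# Function names and the sample files are constructed for illustration.

# user_in_group USER GROUP PASSWD_FILE GROUP_FILE
# True if GROUP is USER's primary group or lists USER as a member.
user_in_group() {
    gid=$(awk -F: -v g="$2" '$1 == g { print $3; exit }' "$4")
    [ -n "$gid" ] || return 1
    pgid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$3")
    [ "$pgid" = "$gid" ] && return 0
    awk -F: -v g="$2" -v u="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
        END { exit !hit }' "$4"
}

# dir_writable_by_gid DIR GID
# True if DIR has group owner GID and the group-write bit set (e.g. mode 775).
dir_writable_by_gid() {
    ls -ldn "$1" 2>/dev/null | awk -v gid="$2" '
        { ok = ($4 == gid && substr($1, 6, 1) == "w") }
        END { exit !ok }'
}

# Constructed sample data: ftp account as created before the patch
# (primary gid 5) and after it (primary gid 14), plus a group file.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
echo 'ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/nonexistent'  > "$tmp/passwd.before"
echo 'ftp:*:14:14:Anonymous FTP Admin:/var/ftp:/nonexistent' > "$tmp/passwd.after"
printf 'operator:*:5:root\nftp:*:14:\n' > "$tmp/group"

# Stand-in for a filesystem's .snap directory with the mode from the report.
mkdir "$tmp/.snap" && chmod 775 "$tmp/.snap"
snap_gid=$(ls -ldn "$tmp/.snap" | awk '{ print $4 }')

for state in before after; do
    if user_in_group ftp operator "$tmp/passwd.$state" "$tmp/group"; then
        echo "$state: ftp is in operator"
    else
        echo "$state: ftp is not in operator"
    fi
done
dir_writable_by_gid "$tmp/.snap" "$snap_gid" && echo ".snap: group-writable"
```

On a live system the same functions can be pointed at /etc/passwd and /etc/group, and at the .snap directory of each mounted UFS2 filesystem with gid 5.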

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-qa 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Feb 13 17:58:33 UTC 2006 
Responsible-Changed-Why:  
This appears to be a sysinstall problem. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93284 
Responsible-Changed-From-To: freebsd-qa->secteam 
Responsible-Changed-By: simon 
Responsible-Changed-When: Wed Feb 15 10:37:53 UTC 2006 
Responsible-Changed-Why:  
Grab security issue for secteam. 

Note that if anybody else is interested in fixing this, please don't 
hesitate to contact secteam@ about it. 


From: Ceri Davies <ceri@submonkey.net>
To: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
Cc: secteam@FreeBSD.org
Subject: Re: bin/93284: Insecure placement of user ftp into operator group
	(.snap directories access)
Date: Sun, 10 Jun 2007 19:27:15 +0100

 I think that it's as easy as is; would be good to get in for 7.0.
 
 Index: etc/group
 ===================================================================
 RCS file: /home/ncvs/src/etc/group,v
 retrieving revision 1.34
 diff -u -r1.34 group
 --- etc/group	5 Feb 2006 19:34:09 -0000	1.34
 +++ etc/group	10 Jun 2007 18:24:15 -0000
 @@ -11,6 +11,7 @@
  news:*:8:
  man:*:9:
  games:*:13:
 +ftp:*:14:
  staff:*:20:
  sshd:*:22:
  smmsp:*:25:
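Review bot: The new "ftp:*:14:" entry in etc/group comes with no note on what it means for systems where anonymous FTP was already set up with the old default, whose ftp user keeps primary gid 5 (operator, per the FTP_GID line removed in anonFTP.c) after this file is merged. Suggest documenting the new group together with the manual step for existing installs, which is to move ftp's primary group to gid 14.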
 Index: usr.sbin/sysinstall/anonFTP.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/sysinstall/anonFTP.c,v
 retrieving revision 1.38
 diff -u -r1.38 anonFTP.c
 --- usr.sbin/sysinstall/anonFTP.c	28 Feb 2006 21:49:32 -0000	1.38
 +++ usr.sbin/sysinstall/anonFTP.c	10 Jun 2007 18:24:19 -0000
 @@ -49,8 +49,8 @@
  /* These change if we want to use different defaults */
  
  #define FTP_UID		14
 -#define FTP_GID		5
 -#define FTP_GROUP	"operator"
 +#define FTP_GID		14
 +#define FTP_GROUP	"ftp"
  #define FTP_UPLOAD	"incoming"
  #define FTP_COMMENT	"Anonymous FTP Admin"
  #define FTP_HOMEDIR	"/var/ftp"
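Review bot: FTP_GID 14 and FTP_GROUP "ftp" now have to match the "ftp:*:14:" line added to etc/group, but nothing at the #define site says so; the existing comment only reads "These change if we want to use different defaults". Suggest extending that comment to point at src/etc/group so the two are changed together, and to state that FTP_UID and FTP_GID sharing the value 14 is intentional.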
 @@ -148,7 +148,7 @@
      else if (!getgrgid(gid)) {
  	/* group does not exist, create it by number */
  	
 -	tptr = msgGetInput("14", "What group name to use for gid %d ?", gid);
 +	tptr = msgGetInput("ftp", "What group name to use for gid %d ?", gid);
  	if (tptr && *tptr) {
  	    SAFE_STRCPY(tconf.group, tptr);
  	    if ((tgrp = getgrnam(tconf.group))) {
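Review bot: The default passed to msgGetInput is the literal "ftp" rather than FTP_GROUP, so the prompt default and the #define can drift apart; suggest passing FTP_GROUP here. Also, this branch runs only when getgrgid(gid) found no group, and with "ftp" now shipped in etc/group, accepting the default means the getgrnam(tconf.group) lookup on the last visible line finds an existing group whose gid differs from the one being asked about. What happens on that path is outside the hunk, so please confirm it does not silently reuse or clash with gid 14.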

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Ceri Davies <ceri@submonkey.net>
Cc: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>,
	secteam@FreeBSD.org
Subject: Re: bin/93284: Insecure placement of user ftp into operator group
	(.snap directories access)
Date: Sun, 10 Jun 2007 22:05:40 +0200

 On 2007.06.10 19:27:15 +0100, Ceri Davies wrote:
 > I think that it's as easy as is; would be good to get in for 7.0.
 
 Oh, I think I was supposed to get back to you about that PR... :-/.
 
 While I haven't tested the patch, it seems like the right thing to do,
 and I don't see that it should cause problems.  So, I would say go for
 it sooner rather than later (ie, before the freeze) so it can get in
 7.0 / 6.3.
 
 -- 
 Simon L. Nielsen
 With hats: secteam / so
 
State-Changed-From-To: open->patched 
State-Changed-By: ceri 
State-Changed-When: Mon Jun 11 18:37:05 UTC 2007 
State-Changed-Why:  
Patched in -HEAD. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/93284: commit references a PR
Date: Mon, 11 Jun 2007 18:36:46 +0000 (UTC)

 ceri        2007-06-11 18:36:39 UTC
 
   FreeBSD src repository
 
   Modified files:
     etc                  group 
     usr.sbin/sysinstall  anonFTP.c 
   Log:
   Create group ftp by default.  This is gid 14 as this is the historical
   id used by sysinstall when enabling anonymous FTP.
   
   Change the default group used by sysinstall for setting up anonymous FTP
   from operator to ftp; there is no reason to use operator and there are
   potential security issues when doing so.
   
   PR:             93284
   Approved by:    ru (mentor)
   Reviewed by:    simon
   
   Revision  Changes    Path
   1.35      +1 -0      src/etc/group
   1.39      +3 -3      src/usr.sbin/sysinstall/anonFTP.c
 
State-Changed-From-To: patched->closed 
State-Changed-By: ceri 
State-Changed-When: Thu Sep 13 09:49:12 UTC 2007 
State-Changed-Why:  


State-Changed-From-To: closed->patched 
State-Changed-By: ceri 
State-Changed-When: Thu Sep 13 09:49:32 UTC 2007 
State-Changed-Why:  
Forgot note. 

State-Changed-From-To: patched->closed 
State-Changed-By: ceri 
State-Changed-When: Thu Sep 13 09:49:55 UTC 2007 
State-Changed-Why:  
I think that changing this for 6.3 could potentially cause the userbase 
some problems, so I don't intend to MFC this. 

>Unformatted:
