[H-GEN] I can't login - HELP!

Martin Pool martinp at mincom.com
Mon Dec 20 01:04:27 EST 1999


[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics.  Please observe the list's charter.          ]

Byron Ellacott wrote:
> I would be very surprised if any reasonably modern FTP server would not do
> a setuid(user_uid) as soon as it knows what user it should be running as
> -- this way, it does not have to check the permissions of files itself.
> Fork, get username/password, setuid, proceed.  Same for any suid program.
> Drop the root privileges ASAP.

This is not always possible: the child task may have to bind to
privileged ports, and it couldn't do that if it has given away all its
permissions.  (I may be wrong, I can't seem to remember exactly why.) 
Therefore we have setfsuid, seteuid and so on.

> One FTP exploit I'd like to mention involved anonymous uploads -- you
> could upload a .so to an anonymous path, take a good guess at the location
> in the Real filesystem (say, /home/ftp/pub/uploads/foobar.so) and then use
> a curious feature of the Telnet protocol to export LD_PRELOAD=<file> to
> login, thus allowing you to totally bypass password checks.

Very cute.

-- 
 /\\\  Mincom | Martin Pool          | martinp at mincom.com
// \\\        | Software Engineer    | Phone: +61 7 3303-3333
\\ ///        | Mincom Limited       | Teneriffe, Brisbane
 \///         | And now a word from our sponsor...

This transmission is for the intended addressee only and is
confidential information. If you have received this
transmission in error, please delete it and notify the
sender. The contents of this E-mail are the opinion of the
writer only and are not endorsed by Mincom Limited unless
expressly stated otherwise.
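
Added example (not part of the original message): the two kinds of privilege drop this exchange contrasts, a reversible seteuid() drop that leaves root available for a later privileged bind(), and an irreversible setuid() drop that is verified afterwards. The function names are illustrative, and UID/GID 65534 as the unprivileged "nobody" account is an assumption.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Temporary drop: only the effective IDs change. The saved set-user-ID
 * stays 0, so a later seteuid(0) can regain root, e.g. to bind a low port. */
int drop_temporarily(uid_t uid, gid_t gid) {
    if (setegid(gid) != 0) return -1;   /* group first, while still privileged */
    if (seteuid(uid) != 0) return -1;
    return 0;
}

/* Permanent drop: when called as root, setgid()/setuid() set the real,
 * effective and saved IDs, so there is no way back. */
int drop_permanently(uid_t uid, gid_t gid) {
    /* Root's supplementary groups survive setuid(); replace them first. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;    /* must come before setuid() */
    if (setuid(uid) != 0) return -1;
    /* Verify rather than assume: regaining root must now fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(void) {
    /* Assumption: 65534 is the unprivileged "nobody" account on this host.
     * Without root, fall back to our own IDs so the calls still succeed. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();

    if (drop_temporarily(uid, gid) != 0) { perror("temporary drop"); return 1; }
    /* A server that needs a privileged port later would seteuid(0), bind()
     * and drop again at this point; root stays one call away until then. */
    if (seteuid(0) == 0) puts("regained root: the temporary drop was reversible");
    if (drop_permanently(uid, gid) != 0) { perror("permanent drop"); return 1; }
    printf("uid=%d euid=%d, root cannot be regained\n",
           (int)getuid(), (int)geteuid());
    return 0;
}
```

Run as root, it shows the reversible drop being undone before the permanent one; run unprivileged, it exercises the same calls against the caller's own IDs.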
