tags 315687 sid
thanks

On Sat, Jun 25, 2005 at 12:14:34AM +0200, Michael Bergbauer wrote:
> Package: proftpd
> Version: 1.2.10-17
> Severity: critical
> Justification: root security hole
>
> In the most recent (1.2.10-17) version of proftpd, the permissions used
> by the daemon are somehow mixed up: both anonymous and authenticated
> connections are mapped to uid 0/gid 0 in the filesystem. New files and
> directories are created with uid 0/gid 0 (instead of the ftp/nogroup for
> anon connections resp. the authenticated user).
>
> In anon mode, you seem to be trapped in the anon environment and can't
> delete files.
>
> With authenticated connections, you also get root access to the whole
> system (visible to proftpd) and as your access is mapped to root/root,
> you can delete everything you like (thus the critical severity, as this
> opens root access to the ftp server's file system).
>
> This bug was not reproducible on 1.2.10-16, I had to install 1.2.10-17.
> The config file wasn't touched during the update to -17.
>

Sigh, something definitively messed up things during build on sid.
Quite interestingly the same package compiled on sarge does not present
that problem :-?

deb http://people.debian.org/debian/sarge/ ./

--
Francesco P. Lovergine

