Hi Regid,

Regid Ichira wrote:

> Referring to Package: vsftpd, Version: 2.3.5-1.
>
> 1. Can I get the debian source for 2.3.4, and possibly older?
>    I think debian had some version control archive for the vsftpd
>    package.

Sure, they are available from http://snapshot.debian.org/ and from
vcs.progress-linux.org. The latter does not seem to be advertised
anywhere for reasons related to the Debian trademark and unpleasant
emails, or something.

> 2. Since I write, I'll mention the issue I am after:
>
>    $ zcat /usr/share/doc/vsftpd/changelog.gz | tail -6
>    - Add stronger checks for the configuration error of running with a writeable
>      root directory inside a chroot(). This may bite people who carelessly turned
>      on chroot_local_user but such is life.
>
>    At this point: v2.3.5 released!
>    ===============================
>
> I think those stronger checks are wrong, because they prevent
> modifying (uploading, deleting, modifying) files. Am I wrong?
> Such modifications used to work.

I think the stronger checks are right, though they could probably be
relaxed without harm in some special cases.

To elaborate a little: suppose my friend patches out these security
checks. I have access with upload rights to the directory served over
FTP, but no shell access. I would like shell access in order to play a
prank (maybe I will send local mail or something).

I create a directory named /bin and upload a binary named sh there. I
also create a directory named /usr/share/locale and put some
hand-crafted locale data there. I do something to exploit (for example)
a buffer overflow in locale handling in libc that allows me to run the
code I would like.

This avenue of attack requires that I be able to write to filenames
under /bin, /usr/share/locale, /etc, and so on that the process can be
convinced to access and more or less trust. If my friend had only
allowed me to write to a directory named "/pub" under the directory
chroot()ed to, this attack would not have been possible.

So the intent is to prevent creating directories like /bin, /usr, and
/etc under the toplevel. If your users already have shell access or you
are able by some other means to prevent creating such directories then
the check is probably not needed. See /usr/share/doc/vsftpd/FAQ.gz for
more details.

Hope that helps,
Jonathan

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120120063518.GA32039@burratino
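The layout Jonathan describes (a chroot top that the FTP user cannot write to, with a writable "pub" below it) can be set up and checked with a few shell functions. The script below is an added example written for this page; it is not code from the thread, from Debian or from vsftpd. It assumes GNU coreutils `stat -c`, and the directory name `pub` and the optional user argument are illustrative choices, not anything vsftpd prescribes. `chroot_root_writable` is only a static approximation of the 2.3.5 check, which tests real write access as the logged-in user after chroot(); the permission-bit reading here is close enough to catch the common misconfiguration (a 755 home owned by the FTP user, or a group/world-writable top directory).

```shell
#!/bin/sh
# Added example; not code from the original thread or from vsftpd.
# Builds the directory layout that vsftpd 2.3.5's "refusing to run with
# writable root inside chroot()" check expects when chroot_local_user=YES:
# the top of the chroot is read-only for the FTP user, uploads go into a
# subdirectory beneath it. "pub" and the user argument are made up for
# the example. Assumes GNU coreutils stat (-c).

# Return 0 if a single octal permission digit has its write bit (2) set.
has_write_bit() {
    case "$1" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if DIR looks writable for an unprivileged FTP user whose chroot
# top it is: any group or other write bit, or an owner write bit when the
# owner is not root (a local user normally owns its own home directory).
# Static approximation of vsftpd's login-time test, which asks whether the
# logged-in user can actually write to "." after chroot().
chroot_root_writable() {
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U' "$1")
    # stat prints a fourth leading digit when setuid/setgid/sticky is set;
    # only the last three (owner, group, other) matter here.
    mode=$(printf '%s' "$mode" | tail -c 3)
    u=$(printf '%s' "$mode" | cut -c 1)
    g=$(printf '%s' "$mode" | cut -c 2)
    o=$(printf '%s' "$mode" | cut -c 3)
    if has_write_bit "$g" || has_write_bit "$o"; then
        return 0
    fi
    if [ "$owner" != root ] && has_write_bit "$u"; then
        return 0
    fi
    return 1
}

# Create ROOT as a read-only chroot top (mode 555) with a writable
# ROOT/pub beneath it. If USER is given, pub is handed to that user so
# uploads can land there and nowhere else; ROOT stays owned by the caller
# (normally root), so the user cannot create /bin, /etc, ... at the top.
make_chroot_layout() {
    root=$1
    user=$2
    mkdir -p "$root/pub"
    chmod 755 "$root/pub"
    if [ -n "$user" ]; then
        chown "$user" "$root/pub"
    fi
    chmod 555 "$root"
}

# vsftpd.conf lines that go with this layout. The option names are real
# vsftpd options (see vsftpd.conf(5)); the values are the example's choice.
vsftpd_conf_fragment() {
    cat <<'EOF'
chroot_local_user=YES
write_enable=YES
local_umask=022
EOF
}
```

Typical use is `make_chroot_layout /home/ftpuser ftpuser` as root, followed by `chroot_root_writable /home/ftpuser && echo "still writable"` to confirm the top is locked down before restarting vsftpd. Note that the layout only has to hold for the directory the user is chroot()ed into; subdirectories such as pub can be as writable as the service requires.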