freebsd security - Sep 2016 - ftpd leaks info which might be useful to an attacker

I've been moving all of my stuff over to a shiny new VM that I've
purchased, and in the process I am having to revisit various
configuration decisions I made 10 years ago or more.

One set of such decisions has to do with the following files:

    ~ftp/etc/group
    ~ftp/etc/pwd.db

Thinking about how the contents of these files affects the behavior of
the ftp DIR command caused me to realize that I actually would prefer
it if there were some some option available for ftpd which would cause
it to display only something like ---- where it currently attempts to
print either a user ID name or number or a group ID name or number.

I should perhaps mention that I'm using the -A option to ftpd, and that
thus, pretty much any Tom, dick, and harry on the whole Internet will
be able to log in (as anonymous) to my FTP server and then scrounge
around for intersting stuff.  I would kind of prefer if the stuff that
any such party could find would _not_ include actual user or group IDs,
or even numeric UIDs/GIDs.

So, um, anybody else agree that it might be Better if ftpd could be
coerced into not leaking this kind fo account information?

> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.
I would be concerned about programs that parse that output choking on a 
field of only hyphens. It's likely safer to just report the uid and gid as 
0 (or 666, or some other made-up number of your choice).

--lyndon

On 13/09/2016 22:07, Ronald F. Guilmette wrote:
> One set of such decisions has to do with the following files:
> 
>     ~ftp/etc/group
>     ~ftp/etc/pwd.db
> 
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.
Why is this a problem, given that all the user and group IDs your ftpd
will display come from the private files in your chroot?  You can make
the ownership of the files under ~ftp anything you want, and you can
make them appear as anything you want.

In practice I'd make everything owned by root:wheel, unless you want to
support uploading, in which case *only* the area files can be uploaded
to should be made owned by ftpd and writable by that UID.  Some sort of
cron job running chown and chmod recursively over that collection to
enforce this would be a good idea.
> I should perhaps mention that I'm using the -A option to ftpd, and that
> thus, pretty much any Tom, dick, and harry on the whole Internet will
> be able to log in (as anonymous) to my FTP server and then scrounge
> around for intersting stuff.  I would kind of prefer if the stuff that
> any such party could find would _not_ include actual user or group IDs,
> or even numeric UIDs/GIDs.
Basically don't mix anonymous access with password authenticated access.
 Also, don't use password access with *plaintext* protocols like FTP.
About the only useful way to use FTP any more is for anonymous read-only
access to download stuff from an archive -- and in that use case, a web
server is generally a much better choice.  FTP as a protocol is archaic
and needs to die.

	Cheers,

	Matthew




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20160914/e73cafc9/attachment.sig>

>>>>> On Tue, 13 Sep 2016 14:07:09 -0700, Ronald F Guilmette
said:
> 
> I've been moving all of my stuff over to a shiny new VM that I've
> purchased, and in the process I am having to revisit various
> configuration decisions I made 10 years ago or more.
> 
> One set of such decisions has to do with the following files:
> 
>     ~ftp/etc/group
>     ~ftp/etc/pwd.db
> 
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.
> 
> I should perhaps mention that I'm using the -A option to ftpd, and that
> thus, pretty much any Tom, dick, and harry on the whole Internet will
> be able to log in (as anonymous) to my FTP server and then scrounge
> around for intersting stuff.  I would kind of prefer if the stuff that
> any such party could find would _not_ include actual user or group IDs,
> or even numeric UIDs/GIDs.
> 
> So, um, anybody else agree that it might be Better if ftpd could be
> coerced into not leaking this kind fo account information?
You might consider an ftp daemon such as proftpd, which doesn't require an
etc
in the chroot and also has options for hiding the real uid/gid of the files.

__Martin

On 13 Sep 2016, at 17:07, Ronald F. Guilmette wrote:
>
> One set of such decisions has to do with the following files:
>
>     ~ftp/etc/group
>     ~ftp/etc/pwd.db
>
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.
Those files completely under the control of the sysadmin (aka "you"),
so you can put whatever you want in those files.  In my case, I think
I wrote a script which generates those two files from the real system
files, but it changes the userid and group names.  In my case I went
with fake userid's which were the first-and-last letters of the real
userid, followed by the UID.  That way there's some helpful information
there for the people who *do* have access to the passwd info for that
machine, but there isn't much info for others.

-- 
Garance Alistair Drosehn                =     drosih at rpi.edu
Senior Systems Programmer               or   gad at FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA