Date: Wed, 11 Apr 2001 18:27:53 +0700
From: Eugene Grosbein <eugen@svzserv.kemerovo.su>
To: Anton Vladimirov <admin128@mail.ru>
Cc: Eugene Grosbein <eugen@iname.com>, security@FreeBSD.ORG
Subject: Re: ftp vulnerability
Message-ID: <3AD43FB9.7D28DC8B@svzserv.kemerovo.su>
References: <15739596567.20010411131004@mail.ru> <20010411171843.A78034@svzserv.kemerovo.su> <941113000.20010411133520@mail.ru>

Anton Vladimirov wrote:

> >> I run FreeBSD 4.0-RELEASE with all security patches applied.
> >> Could anyone clearly explain how to fix the recent
> >> ftpd hole for this version?
>
> EG> You can use workaround: put a record into /etc/login.conf:
>
> EG> anonftp:\
> EG>         :datasize=16M:\
> EG>         :stacksize=8M:\
> EG>         :memoryuse=16M:\
> EG>         :priority=5:\
> EG>         :tc=default:
>
> EG> Choose values suitable for you. Then do
> EG> cap_mkdb /etc/login.conf
> EG> and set login class of user 'ftp' to anonftp.
> EG> This will prevent exploiting this hole.
>
> Is this vulnerability concerned only to anonymous ftp?
> Can it be exploited by non-anonymous users?

Yes, it can. You should either set login class of users
to 'anonftp' or modify their login classes.

Eugene Grosbein

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
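
Added example, not part of the original message or of FreeBSD: because the reply says ordinary accounts need the same limits as 'ftp', this Python check reads login.conf and master.passwd text and lists the accounts whose login class, after following tc=, leaves datasize, stacksize or memoryuse unset or unlimited. Assumptions: the sample data is constructed, the parser is simplified (no ':' inside values, no -cur/-max variants), and an empty or unknown class falls back to 'default'.

```python
# Added example: flag accounts whose login class leaves the limits unset.
REQUIRED = ("datasize", "stacksize", "memoryuse")
NO_LIMIT = ("unlimited", "unlimit", "infinity", "inf")

def parse_login_conf(text):
    """Return {class: {capability: value}}; assumes no ':' inside values."""
    joined, records = "", {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            # A trailing backslash continues the record on the next line.
            joined += line[:-1] if line.endswith("\\") else line + "\n"
    for rec in joined.splitlines():
        names, *fields = [f.strip() for f in rec.split(":")]
        caps = {}
        for key, _, value in (f.partition("=") for f in fields if f):
            caps.setdefault(key, value)  # first occurrence wins
        for name in names.split("|"):
            records[name] = caps
    return records

def resolve(records, name, seen=()):
    """Flatten a class via tc=; its own values override inherited ones."""
    caps = dict(records.get(name, {}))
    parent = caps.pop("tc", None)
    if parent and parent not in seen:  # guard against tc= loops
        for key, value in resolve(records, parent, seen + (name,)).items():
            caps.setdefault(key, value)
    return caps

def unlimited_users(login_conf, master_passwd):
    """Return {user: [limits that are missing or unlimited]}."""
    records, findings = parse_login_conf(login_conf), {}
    for line in master_passwd.splitlines():
        parts = line.split(":")
        if len(parts) < 5 or line.startswith("#"):
            continue
        cls = parts[4] if parts[4] in records else "default"  # empty/unknown class
        caps = resolve(records, cls)
        weak = [k for k in REQUIRED if caps.get(k, "unlimited").lower() in NO_LIMIT]
        if weak:
            findings[parts[0]] = weak
    return findings

# Constructed sample data: the thread's anonftp class plus a permissive default.
SAMPLE_LOGIN_CONF = r"""default:datasize=unlimited:stacksize=unlimited:memoryuse=unlimited:
anonftp:\
    :datasize=16M:stacksize=8M:memoryuse=16M:priority=5:tc=default:
"""
SAMPLE_MASTER_PASSWD = ("ftp:*:14:5:anonftp:0:0:FTP:/var/ftp:/sbin/nologin\n"
                        "alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh\n")
print(unlimited_users(SAMPLE_LOGIN_CONF, SAMPLE_MASTER_PASSWD))
```

On the sample, 'ftp' passes because it is in anonftp, while 'alice' is reported because her empty class resolves to the unlimited default.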