Date: Tue, 11 Aug 1998 16:38:22 -0400 (EDT)
From: "Mark J. Taylor" <mtaylor@cybernet.com>
To: freebsd-security@FreeBSD.ORG
Subject: Possible security "risk" in ftp client
Message-ID: <XFMail.980811163822.mtaylor@cybernet.com>
The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a cool but horrible feature: you can specify the user name and password to use via the command line (in the URL), as in:

    /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/

This is actually quite bad: any "ps -ax" will show the username and password. Using setproctitle(3) would be an attempt to close this, but it would create a race condition.

The program "/usr/bin/fetch" does it better: use the environment variables FTP_LOGIN and FTP_PASSWORD.

SAMBA's smbclient does it both ways: using the command-line param "-Uusername%password" or using the USER environment variable. It will even parse the password from the USER environment variable if there is a "%" in it.

Is there any possibility of making a man page annotation that lists this "hole"? And of getting in a patch that uses the environment? I can do the work, unless someone else would rather do it...

--------------------------------------------------------------------
Mark J. Taylor                        Networking Research
Cybernet Systems                      mtaylor@cybernet.com
727 Airport Blvd.                     PHONE (734) 668-2567
Ann Arbor, MI 48108                   FAX   (734) 668-8780
--------------------------------------------------------------------
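The environment-based scheme the mail asks for, written out as an added example (this is not code from the mail, from FreeBSD's ftp(1) or fetch(1), or from Samba). It assumes hypothetical helper names (`resolve_ftp_cred`, `parse_user_spec`, `url_has_userinfo`, `struct ftp_cred`), models the precedence on fetch's FTP_LOGIN/FTP_PASSWORD with smbclient's `USER=name%password` as a fallback, and takes the variable values as parameters so it can be exercised without touching the real environment; a real caller would pass `getenv("FTP_LOGIN")` and friends. The last helper flags URLs that still carry credentials in the `user:password@host` userinfo part (RFC 1738 form) so a client can refuse or warn instead of leaving them on argv. One caveat a practitioner would want: the environment is readable by the process owner and by root, so this shrinks the exposure from "everyone who can run ps" to "the user and root"; it does not make the password invisible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical credential record; sizes are an assumption of this example. */
struct ftp_cred {
    char user[64];
    char pass[64];
    int have_user;
    int have_pass;
};

/* Copy n bytes into dst and NUL-terminate; returns 0 if it would not fit. */
static int copy_bounded(char *dst, size_t dstlen, const char *src, size_t n) {
    if (n >= dstlen) return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Parse an smbclient-style "name%password" value. A '%' splits the two parts;
 * without one the whole value is the user name. Returns 1 on success, 0 if a
 * field does not fit the record. */
int parse_user_spec(const char *spec, struct ftp_cred *c) {
    const char *pct = strchr(spec, '%');
    memset(c, 0, sizeof *c);
    if (pct == NULL) {
        if (!copy_bounded(c->user, sizeof c->user, spec, strlen(spec))) return 0;
        c->have_user = 1;
        return 1;
    }
    if (!copy_bounded(c->user, sizeof c->user, spec, (size_t)(pct - spec))) return 0;
    if (!copy_bounded(c->pass, sizeof c->pass, pct + 1, strlen(pct + 1))) return 0;
    c->have_user = 1;
    c->have_pass = 1;
    return 1;
}

/* Resolve credentials from environment values: explicit FTP_LOGIN/FTP_PASSWORD
 * win, then USER=name%password. Returns 1 on success (possibly with no
 * credentials found, in which case the client should prompt), 0 on overflow. */
int resolve_ftp_cred(const char *ftp_login, const char *ftp_password,
                     const char *user_var, struct ftp_cred *c) {
    memset(c, 0, sizeof *c);
    if (ftp_login != NULL && *ftp_login != '\0') {
        if (!copy_bounded(c->user, sizeof c->user, ftp_login, strlen(ftp_login))) return 0;
        c->have_user = 1;
        if (ftp_password != NULL) {
            if (!copy_bounded(c->pass, sizeof c->pass, ftp_password, strlen(ftp_password))) return 0;
            c->have_pass = 1;
        }
        return 1;
    }
    if (user_var != NULL && *user_var != '\0')
        return parse_user_spec(user_var, c);
    return 1; /* nothing in the environment: caller prompts interactively */
}

/* Returns 1 if the URL embeds credentials ("ftp://user:pass@host/"), i.e. an
 * '@' appears after the scheme and before the first path slash; 0 otherwise. */
int url_has_userinfo(const char *url) {
    const char *p = strstr(url, "://");
    const char *slash, *at;
    if (p == NULL) return 0;
    p += 3;
    slash = strchr(p, '/');
    at = strchr(p, '@');
    return at != NULL && (slash == NULL || at < slash);
}

int main(void) {
    struct ftp_cred c;
    /* Real environment here; the values are whatever the shell exported. */
    if (resolve_ftp_cred(getenv("FTP_LOGIN"), getenv("FTP_PASSWORD"),
                         getenv("USER"), &c) && c.have_user)
        printf("user=%s password %s\n", c.user, c.have_pass ? "set" : "not set");
    else
        printf("no credentials in environment; prompt interactively\n");
    /* Constructed sample URL, not a real host. */
    printf("url embeds credentials: %d\n",
           url_has_userinfo("ftp://user:pass@ftp.example.org/"));
    return 0;
}
```

The precedence matters: a user who exports `USER=alice%secret` for smbclient should not have that password silently reused by another tool, so the explicit FTP_LOGIN/FTP_PASSWORD pair is consulted first and the `%` form only as a documented fallback.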