
List:       busybox
Subject:    Re: ftpd access to parent folders is allowed by peers
From:       Felipe de Andrade Neves Lavratti <felipelav () gmail ! com>
Date:       2014-10-29 18:25:41
Message-ID: CABaQWj62XkLeWPSZKJWzE_xT4c6X6TYXahrbasYLjvHZRTD-eA () mail ! gmail ! com
True, I was launching the daemon as user, not root, so the odd behavior
happened. If I launch it as root it works well, and yes, the daemon doesn't
drop root permissions.

Thanks!!

On Wednesday, 29 October 2014, Steven Honeyman <stevenhoneyman@gmail.com> wrote:

> On 29 October 2014 13:35, Felipe de Andrade Neves Lavratti
> <felipelav@gmail.com> wrote:
> > Hello Friends!
> >
> > When using the command `tcpsvd -vE 0.0.0.0 21 ftpd /files/to/serve` to
> > start an ftpd service, peers are allowed to CWD to any parent folder of
> > `/files/to/serve` in the embedded filesystem.
>
> Hi,
>
> I can't get this to happen - can you do a step-by-step of what you
> did? ftpd chdirs so in theory this should not be possible (well, not
> easily/accidentally)
> Here's the client output from the server started in the same way as you
> did:
>
> Connected to localhost.localdomain.
> 220 Operation successful
> Name (localhost.localdomain:steven):
> 230 Operation successful
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 Operation successful
> 150 Directory listing
> -rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
> 226 Operation successful
> ftp> ls ..
> 200 Operation successful
> 150 Directory listing
> -rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
> 226 Operation successful
> ftp> pwd
> 257 "/"
> ftp> cd ..
> 250 Operation successful
> ftp> ls
> 200 Operation successful
> 150 Directory listing
> -rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
> 226 Operation successful
> ftp> ls ../../
> 200 Operation successful
> 150 Directory listing
> -rw-r--r--    1 1000     1000             0 Oct 29 17:44 this_is_ftp
> 226 Operation successful
> ftp> ls /usr/bin
> 200 Operation successful
> 150 Directory listing
> 226 Operation successful
> ftp>
>
> > The issue is that I need to protect parent folders from peers, how do you
> > suggest I deal with it?
>
> If security is a concern, I wouldn't use busybox ftpd. I forgot to
> check just now, but I don't think it drops root permissions.
>
>
> Thanks,
> Steven
>


-- 
Skype: felipeanl

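Added example, not part of the thread and not busybox code: when ftpd is started unprivileged (the case above, where it no longer confines clients), the server has to enforce the served directory itself. The Python below does that for CWD and LIST with a virtual root and replays the commands from Steven's transcript against a constructed directory tree; the `Jail` and `PathEscape` names, the tree layout and the `up -> ..` symlink probe are assumptions for illustration.

```python
import os
import posixpath
import tempfile


class PathEscape(Exception):
    """Raised when a client-supplied path would leave the served directory."""


class Jail:
    """Maps client-visible ('virtual') paths onto one real directory.

    Emulates what a chroot gives for free: '/' is the served directory and
    '..' at the top is a no-op, matching the quoted transcript where 'cd ..'
    at '/' succeeds but still lists the same files.  (Hypothetical class,
    not busybox code.)
    """

    def __init__(self, root):
        # realpath so a symlinked temp dir (e.g. /var -> /private/var) compares equal
        self.root = os.path.realpath(root)
        self.prefix = self.root.rstrip(os.sep) + os.sep   # "/" stays "/"
        self.cwd = "/"

    def virtual(self, arg):
        """Absolute virtual path for a client argument, relative to the virtual cwd."""
        if not arg.startswith("/"):
            arg = posixpath.join(self.cwd, arg)
        # normpath collapses '.', '..' and '//' and never climbs above '/'
        return posixpath.normpath(arg)

    def real(self, arg):
        """Real filesystem path for a client argument, or PathEscape.

        The normalised virtual path cannot escape lexically, but a symlink
        inside the tree can still point outside, so the resolved real path is
        checked against the root as well.
        """
        vpath = self.virtual(arg)
        candidate = os.path.realpath(os.path.join(self.root, vpath.lstrip("/")))
        if candidate != self.root and not candidate.startswith(self.prefix):
            raise PathEscape(f"{arg!r} resolves to {candidate} outside {self.root}")
        return candidate

    def cwd_cmd(self, arg):
        """CWD: change the virtual cwd only to a directory inside the jail."""
        target = self.real(arg)
        if not os.path.isdir(target):
            raise FileNotFoundError(arg)
        self.cwd = self.virtual(arg)
        return self.cwd

    def list_cmd(self, arg="."):
        """LIST: sorted entry names of a directory inside the jail."""
        return sorted(os.listdir(self.real(arg)))


def build_demo_tree():
    """Constructed sample layout (not from the thread):

        <tmp>/outside/secret.txt          must never become visible
        <tmp>/outside/serve/this_is_ftp   the file from the transcript
        <tmp>/outside/serve/usr/bin/      empty, like 'ls /usr/bin' there
        <tmp>/outside/serve/up -> ..      symlink escape attempt

    Returns the served root."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside")
    serve = os.path.join(outside, "serve")
    os.makedirs(os.path.join(serve, "usr", "bin"))
    open(os.path.join(outside, "secret.txt"), "w").close()
    open(os.path.join(serve, "this_is_ftp"), "w").close()
    os.symlink("..", os.path.join(serve, "up"))
    return serve


def replay_transcript():
    """Replays the client commands from the quoted session, plus a symlink probe."""
    jail = Jail(build_demo_tree())
    out = {}
    out["ls"] = jail.list_cmd()
    out["ls .."] = jail.list_cmd("..")
    out["cd .."] = jail.cwd_cmd("..")
    out["ls ../../"] = jail.list_cmd("../../")
    out["ls /usr/bin"] = jail.list_cmd("/usr/bin")
    try:
        jail.list_cmd("up")            # lexically fine, escapes via the symlink
        out["ls up"] = "escaped"
    except PathEscape:
        out["ls up"] = "refused"
    return out


if __name__ == "__main__":
    for cmd, result in replay_transcript().items():
        print(f"ftp> {cmd:12} -> {result}")
```

Two caveats. The lexical normalisation alone is not enough, because a symlink under the served tree still resolves outside it; hence the second check on the realpath, and the probe that exercises it. And even with both checks there is a window between resolving the path and opening it in which the tree can change, which a kernel-enforced chroot does not have; chroot, though, needs root (CAP_SYS_CHROOT on Linux), which is exactly the privilege the unprivileged launch above lacks.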
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
