README.SECURITY.FIX
June 3, 1995 16:00 EST


On June 2, 1995, the Australian CERT announced that some Linux
distributions may have a problem with the pre-compiled binaries
of the Washington University FTP Server version 2.4.

It appears that Slackware 2.0-2.3, Yggdrasil Plug&Play (Fall 94),
the Debian distribution and probably a lot of others are/were shipped
with a misconfigured ftp server. Unfortunately, this
misconfiguration made the ftp server subject to attacks that allowed
any user of the system to gain root access.

This version of the Washington University FTP server is correctly
configured to prevent such attacks. I also cleaned up the Makefile
in the support/ subdirectory so that it compiles cleanly under Linux.
This version was built from the wu.ftpd 2.4 source code with
wu-ftpd-2.4.patch.gz applied.


CONFIGURING wu.ftpd 2.4 FOR SYSTEMS WITH AND WITHOUT SHADOW

By default, this wu.ftpd will be built with shadow
password support. If your system does not have shadow
passwords (I do recommend that you get it), copy the file
src/config/config.lnx.no-shadow over src/config/config.lnx.


CORRECTING PATHNAMES

If you would like to place your files in different locations,
edit src/pathnames.h.

WARNING: THE VULNERABLE CONFIGURATION WAS CREATED BY
SPECIFYING /bin IN _PATH_EXECPATH. MAKE SURE
THAT THE DIRECTORY SPECIFIED IN _PATH_EXECPATH
IS WRITE-PROTECTED FROM USERS AND THAT ALL PROGRAMS
IN THAT DIRECTORY ARE "AWARE" OF BEING EXECUTED
WITH UID/GID 0 WHILE RESTRICTED TO A NON-ROOT EUID/EGID!



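As an added illustration (this is not part of the original package or of wu-ftpd's own code): a candidate _PATH_EXECPATH directory can be audited with a stat() check for root ownership and the absence of group/world write bits, and a helper program started in the state the warning describes (real UID/GID 0, restricted effective IDs) must make the effective IDs permanent before it does anything else, so that setuid(0) can no longer succeed. The scratch directory name and the function names are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <unistd.h>

/* Problems an audit of the _PATH_EXECPATH directory can report. */
#define EXECPATH_MISSING  1   /* not a directory at all   */
#define EXECPATH_WRITABLE 2   /* group- or world-writable */
#define EXECPATH_NOT_ROOT 4   /* not owned by UID 0       */

/* Audit one candidate exec-path directory: 0 if it is a root-owned
 * directory that only its owner may write, else a bitmask of flags. */
int audit_execpath(const char *dir)
{
    struct stat st;
    int problems = 0;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return EXECPATH_MISSING;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        problems |= EXECPATH_WRITABLE;
    if (st.st_uid != 0)
        problems |= EXECPATH_NOT_ROOT;
    return problems;
}

/* Constructed self-check: create a scratch directory with the given
 * permission bits, audit it, remove it, and return the audit result. */
int audit_scratch_dir(mode_t mode)
{
    const char *d = "/tmp/execpath_scratch_dir";   /* constructed name */
    int result;
    if (mkdir(d, 0700) != 0)
        return EXECPATH_MISSING;
    chmod(d, mode);     /* set explicitly so the umask cannot interfere */
    result = audit_execpath(d);
    rmdir(d);
    return result;
}

/* What an "aware" helper must do first: make the restricted effective
 * IDs permanent for the real and saved IDs too. setregid/setreuid accept
 * a process's own effective IDs without privilege. 0 on success, else -1. */
int drop_real_to_effective(void)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    if (setregid(egid, egid) != 0 || setreuid(euid, euid) != 0)
        return -1;
    if (getuid() != euid || getgid() != egid)
        return -1;
    return (euid != 0 && setuid(0) == 0) ? -1 : 0;  /* must not regain root */
}
```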
For more information please see the Linux Security WWW pages:
http://bach.cis.temple.edu/linux/linux-security/


Alexander O. Yuriev <alex@bach.cis.temple.edu>