Bug 57763 - rpm update destroys security profile & invites exploit
rpm update destroys security profile & invites exploit
Status: CLOSED DEFERRED
Product: Red Hat Linux
Classification: Retired
Component: wu-ftpd (Show other bugs)
7.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Woerner
David Lawrence
: Security
: 67762 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-12-21 10:39 EST by Timothy Burt
Modified: 2007-04-18 12:38 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-16 07:24:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Timothy Burt 2001-12-21 10:39:51 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Description of problem:
when the rpm update is installed, the default action is to rename 
the /etc/ftpusers file and replace it with rpm version.  If anon ftp has 
previously been disabled by adding ftp user to ftpusers (a common 
practice) then installing the update opens up the server to anon ftp 
access, a weak security profile.  Additionally, if users are prevented 
from using ftp by listing in /etc/ftpusers (a common practice), then 
installing the rpm instantly grants them all ftp access.  If ftp service 
has been disabled (via chkconfig --level 2345 wu-ftpd off), then 
installing the update rpm overrides this configuration and enables ftp.
Installing this rpm has significant consequences for a properly configured 
and secured server.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. disable ftp with chkconfig
2. add ftp and other login names to /etc/ftpusers
3. install update rpm
	

Actual Results:  FTP service is enabled.  Anonymous FTP is enabled, and 
any user logins previously denied ftp access are now granted access. Ouch!

Expected Results:  /etc/ftpusers.rpmnew should have been created instead 
of /etc/ftpusers.rpmsave.  /etc/xinetd.d/wu-ftpd should not be overwritten 
if no changes are mandated, and should be handled properly if service was 
previously disabled.

Additional info:

rpm used:

wu-ftpd-2.6.1-16.7x.1.i386.rpm

I am 99% sure about the "chkconfig" part of the report, but I don't have a 
fresh example in front of me to confirm it absolutely.

Users of up2date (or autorpm) would be unaware that the security profile 
of their box was changed overnight, without warning, and if a new local 
ftp exploit is discovered against the release, the user is setup for being 
rooted..
Comment 1 Alan Cox 2002-12-18 12:24:49 EST
*** Bug 67762 has been marked as a duplicate of this bug. ***
Comment 2 Kjartan Maraas 2003-03-31 15:56:35 EST
Should this be reassigned to someone actually working at RH? :)

Note You need to log in before you can comment on or make changes to this bug.