Lutz Donnerhacke wrote:
>
[...]
> >I also wonder about IBM's answer:
> >SOLUTION: Remove the setuid bit from the "ftp" command.
> >
> >On our 4.2.1, ftp will not run if it is not suid.
> >Didn't somebody test this?
>
> Yep. ftp does not need suid:
> -rwxr-xr-x 1 root root /bin/ftp*
> -rwxr-xr-x 1 root root /usr/bin/ncftp*
>
> DFN-CERT corrected the solution of IBM. It was a false statment according to
> them.
We contacted IBM before forwarding the advisory to our site security
contacts (because removing the setuid bit won't fix the problem). In
our introduction we said that the information in the bulltin
SOLUTION: Remove the setuid bit from the "ftp" command.
was wrong and should be replaced by
SOLUTION: Apply fixes listed below.
This correction statement was the result of our discussion with IBM.
Removing the setuid-bit has the result that only root is able to use the
original AIX ftp client (because there are some audit functions in the
ftp client which do require the root privs --- don't ask me why and I
certainly think that this is broken design, too).
This mail is just to let you know that we haven't corrected the bulletin
in a way to suggest removing the setuid bit (although I would prefer this,
but test have shown problems with this additional security precaution).
Bye,
Wolfgang Ley (DFN-CERT)
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/ ...have a nice day
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
iQCVAwUBNGHyVQQmfXmOCknRAQEXrQP/UXoVTwA2G9wcmrGTW0AnFla9lcFWBIu9
a7AwLoEGg+GuQ7I4XqDJpb/XBg+dcJThB7oTknsFgtgPQwVQXP4O37yLBoRsRKXZ
88tA6ZX6/PRqvlmLVatmkHNARoWIOgSnRMgjOXZFJO/WAPEo93TyZoH+PaD5cFSf
DjR3Vug2XkU=
=g3lp
-----END PGP SIGNATURE-----