Re: Ftpfs security hole particulary fixed



Hi, Andrew!

> This patch fixes a bug in the ftpfs chmod implementation.

Thank you for tracking it down!

> After 4.5.43 chmod fails without warning if it is called not
> from the root directory at the ftp site.  So uploading over mc ftpfs
> can be insecure because uploaded files/directories have
> default permissions.

I just want to clarify that the default permissions are not necessarily
bad.  The server must be seriously misconfigured to allow other users to
modify the uploaded files.  Normally the umask is 022, i.e. other users
can just read the new files.  Relying on FTP when uploading the files that
may not be read is not a good idea anyway, since FTP transfers data in 
cleartext.

I acknowledge that the bug is security-related.  However, it doesn't
warrant an emergency release in my opinion.

> BTW the uploaded file has such permissions for some time after uploading,
> before the appropriate chmod call finishes.  Maybe something like
> "UMASK 077" has to be passed to the ftp server after establishing the
> connection. But I don't know whether this command is widely supported by
> ftp servers. As far as I know wu-ftpd has this command.

Even a simple ftp client included with kerberos 1.2.2 has the "umask"  
command that sends "SITE UMASK" to the server, so the "umask" command has 
some "recognition".

I don't think that using umask is worth the trouble, partly for the
reasons explained above, partly because it only affects FTP upload.
It also takes time to send a command and wait for the result.

-- 
Regards,
Pavel Roskin
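
The upload sequence discussed in this thread, as an added example that is not part of the original message and is not mc's ftpfs code: it tries "SITE UMASK 077" before the transfer, tolerates servers that reject it, and treats a refused chmod as an error instead of ignoring it. It assumes a server that accepts "SITE CHMOD"; the function name `upload_private`, the `StubFTP` class and its replies are constructed for illustration.

```python
import ftplib
import io


def upload_private(ftp, name, data, mode=0o600):
    """Upload `data` as `name`, keeping the exposure window small.

    Returns True if the server accepted SITE UMASK, False if the file was
    briefly created with the server's default umask. A refused chmod raises
    ftplib.error_perm, so the failure is never silent.
    """
    try:
        ftp.sendcmd("SITE UMASK 077")
        umask_ok = True
    except ftplib.error_perm:
        # 5xx reply: the server does not implement SITE UMASK.
        umask_ok = False
    ftp.storbinary("STOR " + name, io.BytesIO(data))
    # sendcmd() raises on 4xx/5xx; letting that propagate surfaces the error.
    ftp.sendcmd("SITE CHMOD %03o %s" % (mode, name))
    return umask_ok


class StubFTP:
    """Constructed stand-in for ftplib.FTP so the example runs offline."""

    def __init__(self, supports_umask=True, chmod_ok=True):
        self.supports_umask = supports_umask
        self.chmod_ok = chmod_ok
        self.log = []  # commands in the order they were sent

    def sendcmd(self, cmd):
        self.log.append(cmd)
        if cmd.startswith("SITE UMASK") and not self.supports_umask:
            raise ftplib.error_perm("500 command not understood")
        if cmd.startswith("SITE CHMOD") and not self.chmod_ok:
            raise ftplib.error_perm("550 No such file or directory")
        return "200 command successful"

    def storbinary(self, cmd, fp):
        self.log.append(cmd)
        fp.read()
        return "226 Transfer complete"


if __name__ == "__main__":
    stub = StubFTP(supports_umask=False)
    print(upload_private(stub, "secret.txt", b"data"), stub.log)
```

With a real server, pass a connected and logged-in `ftplib.FTP` object in place of the stub.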



