*Note: Email address will appear as "user domain ext" to prevent harvesting.
/bin/ls with gid=0 in Debian linux-ftpd
Feb 20 2007 11:24PM
Paul Szabo (psz maths usyd edu au)
Mea culpa. A stupid little bug crept into linux-ftpd for Debian, and
some other Linux distros. Some may have fixed it, but Debian hasn't.
The effect is that ftpd now runs /bin/ls (for DIR and similar commands)
with GID=0. Does not seem terribly dangerous as I do not seem able to
trick ls into runnin...
Copyright 2010, SecurityFocus