README.SECURITY.FIX
June 3, 1995 16:00 EST

On June 2, 1995, Australian CERT announced that some Linux distributions may have a problem with pre-compiled binaries of the Washington University FTP Server Version 2.4. It appears that Slackware 2.0-2.3, Yggdrasil Plug&Play (Fall 94), the Debian Distribution and probably a lot of others are/were shipped with the misconfigured ftp server. Unfortunately, such misconfiguration made the ftp server subject to attacks that allowed any user of a system to gain root access.

This version of the Washington University FTP server is correctly configured to prevent such attacks. I also cleaned the Makefile in the support/ subdirectory so it compiles cleanly under Linux. This version was created from the source code of wu.ftpd 2.4 patched using wu-ftpd-2.4.patch.gz.

CONFIGURING wu.ftpd 2.4 FOR SYSTEMS WITH AND WITHOUT SHADOW

By default, this wu.ftpd will be built with shadow password support. If your system does not have shadow passwords (I do recommend that you get it), copy the file src/config/config.lnx.no-shadow into src/config/config.lnx.

CORRECTING PATHNAMES

If you would like to place your files in different places, edit src/pathnames.h.

WARNING: THE VULNERABLE CONFIGURATION WAS CREATED BY SPECIFYING /bin IN THE _PATH_EXECPATH. MAKE SURE THAT THE DIRECTORY SPECIFIED IN _PATH_EXECPATH IS WRITE-PROTECTED FROM USERS AND THAT ALL PROGRAMS IN THAT DIRECTORY ARE "AWARE" OF BEING EXECUTED WITH UID/GID 0 WHILE RESTRICTED WITH EUID/EGID!

For more information please see Linux Security WWW
http://bach.cis.temple.edu/linux/linux-security/

Alexander O. Yuriev
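The warning above says that the directory named in _PATH_EXECPATH must be write-protected from users and that every program in it must be safe to run under the ftpd's privilege arrangement. The following audit script is an added example, not part of wu-ftpd or of this README; it assumes you pass the directory you configured in src/pathnames.h as its first argument (and an expected owner as the second, defaulting to root) and reports the directory or any entry in it that a non-root user could write to or that is owned by someone else.

```sh
#!/bin/sh
# Added example (not wu-ftpd code): audit the directory configured as
# _PATH_EXECPATH in src/pathnames.h so that no unprivileged user can add
# or modify a program that ftpd would later execute.
# Usage: sh audit_execpath.sh /path/to/execdir [expected-owner]

# Symbolic mode string of a path, e.g. "drwxr-xr-x" (first field of ls -ld).
path_mode() {
    ls -ld "$1" | awk '{print $1}'
}

# Owner name of a path (third field of ls -ld).
path_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Return 0 if neither the group nor the "other" write bit is set, 1 otherwise.
# Positions in the mode string: 1 type, 2-4 user, 5-7 group, 8-10 other,
# so the group write bit is character 6 and the other write bit is character 9.
path_is_write_protected() {
    case "$(path_mode "$1")" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Print, one per line, the directory itself or any entry in it that would let
# a non-root user influence what ftpd executes: wrong owner, or group/other
# writable. $1 = directory, $2 = expected owner (defaults to root).
# Returns 0 when nothing is found, 1 when at least one finding was printed.
audit_execpath() {
    dir=$1
    want=${2:-root}
    rc=0
    if ! path_is_write_protected "$dir" || [ "$(path_owner "$dir")" != "$want" ]; then
        echo "DIR   $dir $(path_mode "$dir") $(path_owner "$dir")"
        rc=1
    fi
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue   # skip unmatched glob patterns
        if ! path_is_write_protected "$f" || [ "$(path_owner "$f")" != "$want" ]; then
            echo "ENTRY $f $(path_mode "$f") $(path_owner "$f")"
            rc=1
        fi
    done
    return $rc
}

# When run as a script: exit 1 on any finding so it can gate an install step.
if [ -n "$1" ]; then
    audit_execpath "$1" "$2"
fi
```

The script only checks ownership and write bits; whether each program in that directory actually behaves correctly when started with real UID/GID 0 and a restricted effective UID/GID, as the warning demands, still has to be established by reading the program itself.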