
CancerLynx - we prowl the net
February 9, 2019

FTP Mystery
Alexandra Andrews


Scientific, artistic, religious and academic discoveries are hiding in plain sight. When forgotten basement collections in museums, universities, old houses, walls, tombs and the like are investigated, lost knowledge comes to light.

The same seems to be true of computer code. Can it be that in the search for the newest, most exciting whatever, we have become blind to the old basics?

I rediscovered a security hole in the basic UNIX file system. There is no need to steal Tappy's arm as in the Huawei case. Users can blithely waltz into and adopt files. I was using this pathway in the early 2000s. I thought it had been plugged, but alas, no!

I invented this website code in 2000. After reading about using viewport in CSS, I asked why. I put up my code for Always Responsive Accessible Web Page Display and Printing For Any Device on GitHub in June 2018.

Hiding in plain sight, FTP can be used to change file ownership and permissions. Both FTP (File Transfer Protocol) and SFTP (Secure File Transfer Protocol) are affected by this mystery. In researching the net, I have not found any documentation or mention of this possible security danger. FTP is used by thousands daily. Is this problem overlooked? Did the documentation disappear in rewrites? Who knows?

For my satisfaction, I am publishing examples of this mystery.
- I am using a terminal shell on a local Mac.
- I am writing the files with vim.
- For the examples I have created two user accounts:
  - BowWow
  - Meow
- I have used both ftp and sftp to access several servers with different distributions.

FTP Example:
- Using ftp put to place the file dogfriend.txt on the ftp server: the permissions are 644, but the ownership changes to the name of the ftp account. The file data is not changed.
- Using ftp get to download the file into the local account: the permissions remain 644, but ownership changes to match the local account name.
- FTP seems unable to discriminate between correct and incorrect users.

SFTP Example:
- Again, discrimination between correct and incorrect accounts is missing.
- Permissions remain 644.
- File data is not affected.
- File ownership reflects the account in use, whether on the sftp server or on the local sftp side.

File Examples:
- Cat Kedi
- Cat Music
- Name Caller
- Dog Friend

FTP

Uploading files from local host to (s)ftp server.
[screenshot: files owned by the user account bowwow]
[screenshot: files owned by the user account meow]

- FTP user now owns the files.
[screenshot: files now owned by the ftp user account]

SFTP

- SFTP user now owns the files.
[screenshot: files now owned by the user account on the sftp and ssh server]

New Ownership Transferred by (S)FTP

- User meow files now owned by bowwow
[screenshot: meow files owned by the bowwow user account]

- User bowwow files now owned by meow
[screenshot: bowwow files owned by the meow user account]
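The following shell script is an added example, not part of the article or its screenshots, and it reproduces the observation above without any FTP server at all. A file transfer carries only the file's bytes; the server side writes those bytes into a new file as the account that logged in, and the kernel stamps that new inode with the creating process's user id and a mode derived from its umask (022 gives the 644 seen in the examples). The `upload_sim` function stands in for what the server does on `put`, the `owner_of` and `mode_of` helpers read back what `ls -l` shows, and the last step checks that taking over an existing file owned by somebody else (`chown` to another user) is refused for an unprivileged account. All paths under `$WORK` are constructed here and are not from the article.

```shell
#!/bin/sh
# Added example (not from the article): where a "transferred" file's owner and
# mode really come from. Uses only portable POSIX tools; paths under $WORK are
# constructed for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/ftp-mystery.$$"

# Owner and permission string of a path, as printed by ls -l (works on macOS and Linux).
owner_of() { ls -ld "$1" | awk '{print $3}'; }
mode_of()  { ls -ld "$1" | awk '{print substr($1, 2, 9)}'; }

# Name of the account this shell runs as (falls back to the numeric uid if it has no name).
current_user() { id -un 2>/dev/null || id -u; }

# What an FTP/SFTP server does on PUT: read the client's byte stream and write it
# into a NEW file as the logged-in account. The client-side owner never travels
# with the bytes, so the new inode belongs to whoever runs this function and its
# mode is 0666 masked by that process's umask.
upload_sim() {  # upload_sim <local source> <server destination>
    cat "$1" > "$2"
}

# Returns 0 if an unprivileged caller is (correctly) refused when trying to hand
# an existing file to another user; root is allowed to, so the check is skipped there.
takeover_refused() {  # takeover_refused <path>
    if [ "$(id -u)" -eq 0 ]; then
        return 0
    fi
    if chown root "$1" 2>/dev/null; then
        return 1    # would be unexpected on a sane system
    fi
    return 0
}

demo() {
    mkdir -p "$WORK/local" "$WORK/server"
    umask 022                       # the usual server default: new files become 644
    printf 'woof\n' > "$WORK/local/dogfriend.txt"

    upload_sim "$WORK/local/dogfriend.txt" "$WORK/server/dogfriend.txt"

    # Content is intact, the owner is the creating account, the mode is 644.
    cmp -s "$WORK/local/dogfriend.txt" "$WORK/server/dogfriend.txt"
    echo "uploaded copy owned by: $(owner_of "$WORK/server/dogfriend.txt") (this shell runs as $(current_user))"
    echo "uploaded copy mode:     $(mode_of "$WORK/server/dogfriend.txt")"

    if takeover_refused "$WORK/server/dogfriend.txt"; then
        echo "chown of an existing file to another user is refused for an unprivileged account"
    else
        echo "unexpected: unprivileged chown succeeded"
    fi
}

demo
```

The practical consequence for anyone running a server is that ownership is decided by which account the client authenticates as, not by anything in the transfer. Sharing one ftp or sftp login between several people therefore makes every uploaded file look identical in `ls -l`, which is an auditing problem rather than a protocol flaw; giving each person their own account (and, for sftp, a chrooted home) is what keeps the owner column meaningful.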

What do you think?
Thank you for reading.


You are welcome to share this © article with friends, but do not forget to include the author name and web address. Permission needed to use articles on commercial and non commercial websites. Thank you.
