February 9, 2019
Scientific, artistic, religious and academic discoveries are hiding in plain sight. With an investigation of forgotten basement collections in museums, universities, old houses, walls, tombs, etc., lost knowledge comes into the light.
The same seems to be true in computer code. Can it be that, in the search for the latest exciting new thing, we have become blind to the old basics?
I rediscovered a security hole in the basic UNIX file system. There is no need to steal Tappy’s arm as in the Huawei case. Users can blithely waltz into and adopt files. I was using this pathway in the early 2000s. Thought it had been plugged, but alas – No!
I invented this website code in 2000. After reading about using viewport in CSS, I asked why? I put up my code for Always Responsive Accessible Web Page Display and Printing For Any Device on GitHub in June 2018.
Hiding in plain sight, FTP can be used to change file ownership and permissions. FTP (File Transfer Protocol) or SFTP (Secure File Transfer Protocol) are both impacted by this mystery. In researching the net, I have not found any documentation or mention regarding this possible security danger. FTP is used by thousands daily. Is this problem overlooked? Did the documentation disappear in rewrites? Who knows?
- For my satisfaction, I am publishing examples of this mystery.
- I am using a terminal shell on a local Mac.
- I am writing the files with vim.
- For the examples - I have created two user accounts.
  - BowWow
- I have used both ftp and sftp to access several servers with different distributions.
- Using ftp put to place the file dogfriend.txt on the ftp server.
The permissions are 644, but the ownership changes to the name of the ftp account. The file data is not changed.
Using ftp get to download the file into the local account, the permissions remain 644 but ownership changes to match the account name.
FTP seems unable to discriminate between correct and incorrect users.
- SFTP Example:
- Again discrimination between correct and incorrect accounts is missing.
- Permissions remain 644.
- File data is not affected.
- File ownership reflects the account whether on the sftp server or local sftp.
Uploading files from local host to (s)ftp server.
- FTP user now owns the files.
- SFTP user now owns the files.
- New Ownership Transferred by (S)FTP
- User meow files now owned by bowwow
- User bowwow files now owned by meow
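The ftp and sftp observations above can be recorded rather than eyeballed: this added example (not the author's code) snapshots a file's owner, permission bits and SHA-256 so the copy taken before an upload can be compared with the one taken after a download. The `transfer_bytes` helper is an assumed stand-in for ftp/sftp put and get that copies only the file contents, and `dogfriend_received.txt` is a constructed name.

```python
import hashlib
import os
import pwd
import stat
import tempfile


def owner_name(uid):
    """Account name for a uid, or the number itself if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def snapshot(path):
    """Record owner, permission bits and SHA-256 of the file contents."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"owner": owner_name(st.st_uid),
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "sha256": digest}


def transfer_bytes(src, dst):
    """Assumed stand-in for ftp/sftp put or get: only the contents are copied,
    and dst is created by whichever account runs this process."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fout.write(fin.read())


def changed(before, after):
    """Names of the recorded attributes that differ between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    old_umask = os.umask(0o022)  # common default, yields 644 on new files
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "dogfriend.txt")
            dst = os.path.join(d, "dogfriend_received.txt")  # constructed name
            with open(src, "w") as fh:
                fh.write("constructed sample content\n")
            transfer_bytes(src, dst)
            return snapshot(src), snapshot(dst)
    finally:
        os.umask(old_umask)
```

Run `snapshot` on the local file before the upload and again on the downloaded copy under the other account, then pass both results to `changed`.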
What do you think?
Thank you for reading.