Security Update 2007-004 Special Report: FTP security issue

CNET staff

It appears that Security Update 2007-004 for Mac OS X 10.4.9 Server has introduced a serious issue in which logged-in client FTP users are able to access files outside of their home directories.

It appears that this issue is due to modifications Apple made to the following file:

/System/Library/LaunchDaemons/ftp.plist

specifically a reference to the ftpd program rather than xftpd. Apple also installed a new version of ftpd with this update, which may be causing the issue.

As such, you can change this file to again reference the xftpd program by opening the file (/System/Library/LaunchDaemons/ftp.plist) in your favorite text editor and changing the following strings:

  • com.apple.ftpd to com.apple.xftpd
  • /usr/libexec/ftpd to /usr/libexec/xftpd
  • ftpd to xftpd (this is located under "Program arguments")

Save the file, then restart your FTP server and check for persistence of this issue. Note that you may be undoing some security refinements enacted by Security Update 2007-004 in performing this workaround.
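The three substitutions above can also be applied with a script instead of by hand. The following is an added example, not Apple's or the article's own code: it rewrites only whole-string matches, so running it a second time leaves an already-restored file alone, where a blanket search-and-replace of "ftpd" would produce "xxftpd". The sample plist, its key layout and the function names are constructed assumptions; run it against a copy of the real file.

```python
import plistlib

# Exact-match rewrites listed in the article (installed value -> restored value).
REWRITES = {
    "com.apple.ftpd": "com.apple.xftpd",
    "/usr/libexec/ftpd": "/usr/libexec/xftpd",
    "ftpd": "xftpd",
}

# Constructed sample, NOT Apple's real ftp.plist; the key layout is an assumption.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.ftpd</string>
    <key>Program</key><string>/usr/libexec/ftpd</string>
    <key>ProgramArguments</key>
    <array><string>ftpd</string><string>-l</string></array>
</dict>
</plist>
"""

def restore_xftpd(node, changes, path=""):
    """Return a copy of node with whole-string matches rewritten.

    Each rewrite is recorded in `changes` as (location, old, new) so the
    edit can be reviewed before the file is put back in place.
    """
    if isinstance(node, dict):
        return {k: restore_xftpd(v, changes, f"{path}/{k}") for k, v in node.items()}
    if isinstance(node, list):
        return [restore_xftpd(v, changes, f"{path}[{i}]") for i, v in enumerate(node)]
    if isinstance(node, str) and node in REWRITES:
        changes.append((path, node, REWRITES[node]))
        return REWRITES[node]
    return node  # anything else (flags, booleans, numbers) is left untouched

def apply_workaround(plist_bytes):
    """Parse a launchd plist, apply the rewrites, return (new_bytes, changes)."""
    changes = []
    fixed = restore_xftpd(plistlib.loads(plist_bytes), changes)
    return plistlib.dumps(fixed), changes

if __name__ == "__main__":
    patched, changes = apply_workaround(SAMPLE)
    for location, old, new in changes:
        print(f"{location}: {old} -> {new}")
    # A second pass over the patched output must find nothing left to change.
    print("second pass changes:", apply_workaround(patched)[1])
```

An empty change list on the first pass means the file already references xftpd (or uses values other than the three listed), so nothing needs to be written back.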

A poster to Apple's Discussion threads, Joakim Hartmann, has also posted, verbatim, the old content of the ftp.plist file, which you can paste into the new ftp.plist file for a similar effect.
