FTP Mystery
Alexandra Andrews
Scientific, artistic, religious and academic discoveries are hiding in plain site. With an investigation of forgotten basement collections in museums, universities, old houses, walls, tombs, etc., lost knowledge comes into the light.
The same seems to be true in Computer Code. Can it be that in the search for the new exciting latest whatever, we have become blinded to old basics.
I rediscovered a security hole in the basic UNIX file system. There is no need to steal Tappy’s arm as in the Huawei case. Users can blithely waltz into and adopt files. I was using this pathway in the early 2000s. Thought it had been plugged, but alas – No!
I invented this website code in 2000. After reading about using viewport in CSS, I asked why? I put up my code for Always Responsive Accessible Web Page Display and Printing For Any Device on GitHub in June 2018.
Hiding in plain sight, FTP can be used to change file ownership and permissions. FTP (File Transfer Protocol) or SFTP (Secure File Transfer Protocol) are both impacted by this mystery. In researching the net, I have not found any documentation or mention regarding this possible security danger. FTP is used by thousands daily. Is this problem overlooked? Did the documentation disappear in rewrites? Who knows?
- For my satisfaction, I am publishing examples of this mystery. - I am using a terminal shell on a local MAC. - I am writing the files with vim. - For the examples - Using the MAC as a mini example of a local area network (LAN) system, I have created two user accounts.
-
- BowWow
- Meow - I have used both ftp and sftp to access several servers with different distributions.
FTP Example:
- - Using ftp _put_ to place the file dogfriend.txt on the ftp server. The permissions are 644, but the ownership changes to the name of the ftp account. The file data is not changed. Using ftp _get_ to download the file into the local account, the permissions remain 644 but ownership changes to match the account name. FTP seems unable to discriminate between correct and incorrect users.
- **SFTP Example**:
- - Again discrimination between correct and incorrect accounts is missing.
- Permissions remain 644.
- File data is not affected.
- File ownership reflects the account whether on the sftp server or local sftp.
File Examples:
Cat Kedi
Cat Music
Name Caller
Dog Friend
- **FTP**
Uploading files from local host to (s)ftp server.
- ![files owned by the user account bowwow](bowwowfiles2.jpg) ![files owned by the user account meow](meowfiles2.jpg)
- - FTP user now owns the files.
- ![files now owned by the ftp user account](ftpfiles2.jpg) /dd>
- **SFTP**
- SFTP user now owns the files.
- ![files now owned by the user account on the sftp and ssh server](sftpfiles2.jpg)
- **New Ownership Transferred by (S)FTP**
- User meow files now owned by bowwow
- ![meow files owned by the bowwow user account](bowwowtransfer2.jpg)
- - User bowwow files now owned by meow
- ![bowwow files owned by the meow user account](meowtransfer2.jpg)
What do you think? Thank you for reading.