README.SECURITY.FIX
June 3, 1995 16:00 EST


	On June 2, 1995, Australian CERT announced that some Linux
	distributions may have a problem with the pre-compiled binaries
	of the Washington University FTP Server version 2.4.

	It appears that Slackware 2.0-2.3, Yggdrasil Plug&Play (Fall 94),
	the Debian distribution and probably many others are or were shipped
	with the misconfigured ftp server. That misconfiguration left the
	ftp server open to an attack that allowed any user of the system
	to gain root access.

	This version of the Washington University FTP server is correctly
	configured to prevent such attacks. I also cleaned the Makefile
	in the support/ subdirectory so it compiles cleanly under Linux.
	This version was created from the wu.ftpd 2.4 source code
	patched with wu-ftpd-2.4.patch.gz.
	

	CONFIGURING wu.ftpd 2.4 FOR SYSTEMS WITH AND WITHOUT SHADOW

		By default, this wu.ftpd will be built with shadow
		password support. If your system does not have shadow
		passwords (I recommend that you get them), copy the file
		src/config/config.lnx.no-shadow over src/config/config.lnx.


	CORRECTING PATHNAMES

		If you would like to place your files in different places,
		edit src/pathnames.h. 

		WARNING: THE VULNERABLE CONFIGURATION WAS CREATED BY
			 SPECIFYING /bin IN _PATH_EXECPATH. MAKE SURE
			 THAT THE DIRECTORY SPECIFIED IN _PATH_EXECPATH
			 IS WRITE-PROTECTED FROM USERS AND THAT ALL PROGRAMS
			 IN THAT DIRECTORY ARE "AWARE" OF BEING EXECUTED
			 WITH REAL UID/GID 0 WHILE ONLY THE EUID/EGID
			 IS RESTRICTED!
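		The warning above is the whole security point of this release,
		so here is an added example, written for this README and not
		code from wu-ftpd or the original package, in C for a Linux
		system. It exercises the two conditions the warning states:
		that the _PATH_EXECPATH directory (the directory the daemon's
		SITE EXEC command runs programs from) is not writable by
		ordinary users, and that a program run from it recognises the
		half-dropped state (real uid 0, effective uid restricted) and
		either refuses to run or drops privileges completely before
		doing anything else. The function names, the temporary
		directory under /tmp and the fallback uid/gid 65534 are
		assumptions of the example.

```c
#define _GNU_SOURCE          /* seteuid(), setgroups(), mkdtemp() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Check 1: the directory named by _PATH_EXECPATH.  It must exist, be a
 * directory, be owned by root (or by the caller, so the check can be
 * exercised without root) and must not be writable by group or others.
 * A user-writable execpath lets any user drop a program there and have
 * the daemon run it.  Returns 1 if the directory passes, 0 otherwise. */
int execpath_is_safe(const char *dir)
{
    struct stat st;

    if (stat(dir, &st) != 0)                      return 0; /* missing */
    if (!S_ISDIR(st.st_mode))                     return 0; /* not a dir */
    if (st.st_uid != 0 && st.st_uid != geteuid()) return 0; /* odd owner */
    if (st.st_mode & (S_IWGRP | S_IWOTH))         return 0; /* others write */
    return 1;
}

/* Check 2: the state the warning describes.  A program run from the
 * execpath inherits real uid 0 with only the effective uid restricted;
 * in that state a plain seteuid(0) gets root back.  A helper that was
 * not written for this must refuse to run when this returns 1. */
int running_half_dropped(void)
{
    return getuid() == 0 && geteuid() != 0;
}

/* A complete drop: return to euid 0 if needed so that setuid() changes
 * real, effective and saved ids together, clear supplementary groups,
 * then prove the drop worked by trying to regain root.
 * Returns 0 on success, -1 if a step fails or root is still reachable. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;                                  /* not a drop */
    if (running_half_dropped() && seteuid(0) != 0) return -1;
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (seteuid(0) == 0) return -1;                           /* root still reachable */
    if (getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* Self-tests on constructed input (a temporary directory and the
 * caller's own ids), so the checks run without touching a real install. */
int selftest_execpath(void)
{
    char tmpl[] = "/tmp/execpath.XXXXXX";   /* assumption: /tmp is usable */
    char *dir = mkdtemp(tmpl);
    int ok;

    if (dir == NULL) return 0;
    ok = chmod(dir, 0755) == 0 && execpath_is_safe(dir) == 1;       /* owner-only write */
    ok = ok && chmod(dir, 0777) == 0 && execpath_is_safe(dir) == 0; /* world-writable */
    rmdir(dir);
    return ok;
}

int selftest_drop(void)
{
    /* As root, drop to uid/gid 65534 (assumed to be "nobody"); otherwise
     * re-assert the caller's own ids, which must also leave root unreachable. */
    uid_t uid = (geteuid() == 0) ? (uid_t)65534 : getuid();
    gid_t gid = (geteuid() == 0) ? (gid_t)65534 : getgid();
    return drop_privileges_permanently(uid, gid) == 0;
}

int main(void)
{
    printf("half-dropped state: %s\n", running_half_dropped() ? "YES (refuse to run)" : "no");
    printf("execpath check:     %s\n", selftest_execpath() ? "ok" : "FAILED");
    printf("privilege drop:     %s\n", selftest_drop() ? "ok" : "FAILED");
    return 0;
}
```

		A program placed in the execpath should call
		running_half_dropped() first; if it returns 1 it must either
		exit or call drop_privileges_permanently() with the ftp
		user's ids before doing any work. Note that /bin passes
		execpath_is_safe(), since /bin is not user-writable: what made
		/bin the wrong execpath is the second condition, because the
		programs in it were never written to be run in that state.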



             For more information please see Linux Security WWW
              http://bach.cis.temple.edu/linux/linux-security/


			Alexander O. Yuriev <alex@bach.cis.temple.edu>