ftp server showing root directory!!!

baig · 02-07-2009, 03:16 PM

Hi,

My university ftp server lists whole root directory as below.

Quote:

02/01/09 11:48PM <DIR> bin
03/18/08 12:00AM <DIR> boot
01/31/09 06:51AM <DIR> dev
02/06/09 04:11AM <DIR> etc
01/31/09 11:31PM <DIR> home
01/31/09 11:23PM <DIR> home2
08/12/04 12:00AM <DIR> initrd
02/01/09 11:48PM <DIR> lib
03/18/08 12:00AM <DIR> lost+found
01/31/09 06:52AM <DIR> media
12/08/04 12:00AM <DIR> misc
12/06/09 09:38AM <DIR> mnt
08/12/04 12:00AM <DIR> opt
01/31/09 06:50AM <DIR> proc
02/07/09 08:47PM <DIR> root
02/01/09 11:48PM <DIR> sbin
01/31/09 06:50AM <DIR> selinux
08/12/04 12:00AM <DIR> srv
01/31/09 06:50AM <DIR> sys
02/07/09 04:15PM <DIR> tmp
03/18/08 12:00AM <DIR> usr
03/18/08 12:00AM <DIR> var

is it normal from security point of view?

In my opinion its a big risk ... even i can go to /boot/grub

any comments??

what is casing this problem? what missconfiguration they might have made? and what could be the countermeasure??

Thanks.

win32sux · 02-07-2009, 04:16 PM

They seem to have not done a chroot. Maybe send them a nice email to make sure they are aware of this condition? Technically, it's only a serious issue if the permissions on the filesystem are not properly set. But still, I'm sure most people would agree that it's best to simply not provide this type of access regardless.