[security-announce] Globus Security Advisory 2012-01: GridFTP acts as wrong user when mapped user doesn't exist
Stuart Martin
smartin at mcs.anl.gov
Thu May 24 15:04:48 CDT 2012
Globus Security Advisory 2012-01: GridFTP acts as wrong user when mapped user doesn't exist
Original issue date: May 24, 2012
Last revised: None
Software affected:
GridFTP Server
Globus Toolkit releases 5.2.0 and 5.2.1: all servers are affected
Globus Toolkit releases before 5.2.0: *threaded* flavor servers only
Overview:
When a gridmap file is improperly configured with a valid user DN mapped to an invalid/nonexistent user account, the GridFTP server may grant access to the client under another account.
I. Description
The GridFTP server did not properly check the return values from the getpwnam-based GT wrapper functions. In the affected cases, user authorization should have failed; instead, processing continued and the client was given access to another user account.
II. Impact
If a GridFTP server's gridmap file is improperly configured, a client with a valid user proxy and DN could get access to the files of another account. The actual account is most likely the final account in /etc/passwd, but there could be variations based on individual system implementations of the getpwnam_r() function.
III. Solution
This issue is addressed with an updated GridFTP Server package.
For GT 5.2.0 and GT 5.2.1, the update package is globus_gridftp_server-6.11.
Download and installation instructions are here:
http://globus.org/toolkit/advisories.html?version=5.2
For GT 5.0.x, the update package is globus_gridftp_server-3.42.
Download and installation instructions are here:
http://globus.org/toolkit/advisories.html?version=5.0
For unsupported versions (GT 4.x and earlier), we recommend upgrading to the latest version or applying the workaround.
Workaround: The main safeguard is to ensure that your gridmap file contains only valid usernames. An additional workaround may be to place the "nobody" account, or an invalid account, as the last account in the /etc/passwd file.
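As an added illustration (not Globus code), the following C helper shows the return-code and result-pointer checks on getpwnam_r() that Section I says were missing, and uses them to audit constructed gridmap lines for the workaround above. The gridmap grammar, subject DNs and account names are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical helper (not Globus code): resolve a gridmap username with
 * getpwnam_r() and return its uid, or -1 when the mapping must be refused.
 * Both the return code AND the result pointer are checked: "not found" is a
 * 0 return with *result == NULL (glibc may also report it via ENOENT/ESRCH).
 * Skipping either check is how a nonexistent account can silently become
 * whatever uid happens to sit in the passwd struct. */
static long resolve_mapped_uid(const char *name)
{
    struct passwd pw, *result = NULL;
    char buf[16384];
    memset(&pw, 0, sizeof pw);                 /* never act on stale fields */
    if (getpwnam_r(name, &pw, buf, sizeof buf, &result) != 0)
        return -1;                             /* lookup error: fail closed */
    if (result == NULL)
        return -1;                             /* no such account: deny */
    return (long)result->pw_uid;
}

/* Audit one gridmap line of the form  "<subject DN>" user[,user...]  and
 * return how many listed accounts do not exist (0 = safe), -1 if malformed.
 * The quoted-DN grammar used here is an assumption for this example. */
static int audit_gridmap_line(const char *line)
{
    const char *p = line + strspn(line, " \t");
    if (*p != '"') return -1;
    const char *dn_end = strchr(p + 1, '"');
    if (dn_end == NULL) return -1;
    p = dn_end + 1 + strspn(dn_end + 1, " \t");
    if (*p == '\0' || *p == '\n') return -1;   /* DN with no account: malformed */

    int bad = 0;
    while (*p != '\0' && *p != '\n') {
        size_t n = strcspn(p, ", \t\n");       /* length of this account name */
        char name[256];
        if (n == 0 || n >= sizeof name) return -1;
        memcpy(name, p, n); name[n] = '\0';
        if (resolve_mapped_uid(name) < 0) bad++;   /* nonexistent account */
        p += n;
        if (*p == ',') p++; else break;
    }
    return bad;
}
```

Running audit_gridmap_line() over every line of a gridmap file before deploying it flags exactly the misconfiguration this advisory describes; any line returning a nonzero value should be fixed before the server is started.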
IV. Acknowledgments
This issue was discovered by Doug Strain and Neha Sharma.