
Bug 149031

Summary: net-fs/curlftpfs "ps -ef" reveals username and password of mounted ftpfs
Product: Gentoo Security
Reporter: Bjoern Olausson <contactme>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: major
CC: genstef, net-fs
Priority: High
Version: unspecified
Hardware: All
OS: Other
Whiteboard:
Package list:
Runtime testing required: ---

Description Bjoern Olausson 2006-09-25 02:59:30 UTC
As reported to upstream:

http://sourceforge.net/tracker/index.php?func=detail&aid=1564953&group_id=160565&atid=816357

"ps -ef" reveals username and password
When mounting an FTP dir with curlFtpFS via fstab or via the command line, a "ps -ef" reveals the full username and password.

fstab example:
curlftpfs#user:somepass@ftp.server.xyz /mnt/ftp fuse defaults,allow_other 0 0

ps -ef shows the following:
root 11531 1 0 Sep22 ? 00:00:00 curlftpfs user:somepass@ftp.server.xyz /mnt/ftp -o rw,allow_other

Even as an unprivileged user you can see this process.

At least the password should be masked.

observed with:
curlftpfs 0.8 libcurl/7.15.4 fuse/2.5

But I guess other versions have the same problem.

regards
spamsuxx
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 13:08:13 UTC
net-fs please advise.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-03 11:54:17 UTC
Upstream has closed the bug as WONTFIX.
Their advice is to use a .netrc file containing the username/password.

I'm therefore also closing this as WONTFIX on our side. Please reopen, if anyone disagrees.
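
Added example, not part of the bug report or of curlftpfs: since the exposure stays in place wherever credentials are still written inline, an administrator can audit fstab entries and process listings for curlftpfs lines carrying user:password@host. The regular expression, the function names and the third sample line are assumptions made for this illustration; the password is redacted in the output so the audit does not repeat the leak.

```python
import re
import sys

# user:password@host as curlftpfs accepts it, whether in an fstab device
# field ("curlftpfs#user:pass@host") or in a process's argument list.
CRED_RE = re.compile(
    r"(?P<user>[^\s:@/#]+):(?P<password>[^\s@/]+)@(?P<host>[^\s/@:]+)"
)

def redact(line):
    """Replace the password part of every user:password@host with ****."""
    return CRED_RE.sub(lambda m: f"{m['user']}:****@{m['host']}", line)

def find_inline_credentials(lines):
    """Return (line_no, user, host, redacted_line) for each curlftpfs
    line that carries a password inline. fstab comments are skipped."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if line.startswith("#") or "curlftpfs" not in line:
            continue
        match = CRED_RE.search(line)
        if match:
            findings.append((line_no, match["user"], match["host"], redact(line)))
    return findings

# Constructed sample: the two lines from the report plus a credential-free
# mount of the kind the .netrc advice leads to (PID 11600 is made up).
SAMPLE = [
    "curlftpfs#user:somepass@ftp.server.xyz /mnt/ftp fuse defaults,allow_other 0 0",
    "root 11531 1 0 Sep22 ? 00:00:00 curlftpfs user:somepass@ftp.server.xyz /mnt/ftp -o rw,allow_other",
    "root 11600 1 0 Sep22 ? 00:00:00 curlftpfs ftp.server.xyz /mnt/ftp -o rw,allow_other",
]

if __name__ == "__main__":
    # Usage: ps -ef | python3 audit.py    or    python3 audit.py < /etc/fstab
    source = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for line_no, user, host, shown in find_inline_credentials(source):
        print(f"line {line_no}: password for {user}@{host} is exposed: {shown}")
```

A password that itself contains "@" or "/" is not split correctly by this pattern, so treat a hit as a pointer to the line rather than as a parsed credential.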