It appears that /bin/ls has slipped into the linux-ftpd distribution for Debian as setgid 0. This could possibly be used to leverage root group access.
9a2c4c72d6921d08161dd1e56bc5e49f3512f537413ccb2c789a4aa74343f336
Mea culpa. A stupid little bug crept into linux-ftpd for Debian, and
some other Linux distros. Some may have fixed it, but Debian hasn't.
The effect is that ftpd now runs /bin/ls (for DIR and similar commands)
with GID=0. Does not seem terribly dangerous as I do not seem able to
trick ls into running anything, nor are there any interesting objects
thusly accessible. Would become a "root hole" if someone finds a way
to execute anything from /bin/ls (as started from ftpd).
Please see
http://bugs.debian.org/384454
for details.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia