MacOS – Bash on OS X 10.4 ftp server

bash ftp macos

I am running OS X 10.4 on a G4 using Rumpus software for an FTP server. I keep reading I do not have to worry about the Bash Bug if I am not running a web server or other services. Does my FTP server qualify as other services? Am I vulnerable?

Best Answer

The primary concern would be if you were running Web Sharing with mod_cgi enabled. The other issue is if you have remote login enabled. If the latter is enabled, your system is at risk.

It's unlikely that your system is all that vulnerable. If you have got Xcode's developer tools (including gcc) installed, you might want to give compiling your own binaries a try. The page linked below is chock full of different approaches to solving the particular problem:

How do I recompile Bash to avoid Shellshock (the remote exploit CVE-2014-6271 and CVE-2014-7169)?

For ease, you'd want to retain the same bash base version as you have now, which is likely v2.05b. There are newer versions available, but some differences in behaviour may cause things to break. As such, it's best to take your existing 2.x version and apply the patches available to it. Currently, there are 10 patches released for that version of bash.

Patches can be downloaded here:

https://ftp.gnu.org/gnu/bash/bash-2.05b-patches/

The download of the main 2.05b source is available in the parent directory:

https://ftp.gnu.org/gnu/bash/

In summary: Are you vulnerable? Yes. Is it likely to be serious? No. If you have the skills to fix it yourself, then I recommend doing so. Apple last released a security update for Tiger in Nov 2010. As such, it's unlikely that Apple will ever release an update for that OS version again.
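To confirm whether a given bash binary (the stock one, or one rebuilt from the patched 2.05b source) still shows the behaviour behind CVE-2014-6271 and CVE-2014-7169, a local check can be run before and after patching. This is an added example, not part of the original answer; the function name, the variable name `probe`, the marker string and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: local, behavioural Shellshock check for one bash binary.
# Usage: sh shellshock_check.sh /bin/bash   (path argument is optional)

# Prints one line per CVE. Exit status: 0 = both patched, 1 = at least one
# vulnerable, 2 = binary not usable. The body runs in a subshell so the cd
# and the variables do not leak into the caller.
shellshock_check() (
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo "not executable: $bash_bin"; exit 2; }
    status=0

    # CVE-2014-6271: a vulnerable bash executes the text that follows a
    # function definition imported from an environment variable.
    out=$(env -i probe='() { :;}; echo TRAILING_CODE_RAN' \
          "$bash_bin" -c 'echo started' 2>/dev/null)
    case $out in
        *TRAILING_CODE_RAN*) echo "CVE-2014-6271: vulnerable"; status=1 ;;
        *)                   echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # CVE-2014-7169: the incomplete first fix left a parser state that turns
    # the next command into a redirection target, creating a file named
    # "echo". Run in a scratch directory so nothing else is touched.
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/shellshock.XXXXXX") || exit 2
    ( cd "$scratch" &&
      env -i probe='() { (a)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: vulnerable"; status=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$scratch"
    exit "$status"
)

# With no argument, check whichever bash is first on PATH.
shellshock_check "${1:-$(command -v bash)}"
```

Run it against every bash on the machine (for example both the system binary and a freshly compiled one), since replacing one copy does not change the others.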