Re: [bug-inetutils] Serious security vulnerability in ftpd

From: Sergey Poznyakoff
Subject: Re: [bug-inetutils] Serious security vulnerability in ftpd
Date: Tue, 04 Nov 2003 11:35:04 +0200

Davin McCall <address@hidden> wrote:

> Ie. If a user is NOT listed in /etc/ftpusers, they WILL be allowed to
> login via ftp. If on the other hand they ARE listed in ftpusers, they
> will NOT be allowed to login.

This is intended behavior. The file /etc/ftpusers is used to block
ftp access to a selected set of users. From ftpd manpage:

       Ftpd authenticates users according to the following rules:

         1.   The  user  name  must be in the password data base,

         2.   An AUTH command must be accepted, the ensuing
              authentication protocol (conducted via ADAT
              commands and replies) must successfully complete,
              and the authenticated user must be permitted
              access.  Otherwise, a valid password which is not
              null must be provided by the client.

         3.   The   user   name  must  not  appear  in  the  file
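The point of the thread is that /etc/ftpusers is a deny list: a name that is
absent from the file does not restrict anything, so an administrator who wants
to allow only a few accounts has to list every other account. The following is
an added example, written for this page and not taken from inetutils ftpd, that
models the manpage rules quoted above (rule 2, the AUTH/password step, is
assumed to have already succeeded). The whole-line exact match and the skipping
of blank lines and '#' comments are this example's assumptions about how the
file is read, not a statement about the project's checkuser(); the function
names are invented for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <pwd.h>

/* Return 1 if `name` appears as a complete line of the ftpusers-style text,
   0 otherwise.  A prefix ("ro" vs "root") or an extension ("roots") is not a
   match.  Blank lines and lines starting with '#' are ignored (assumption:
   the real file format may or may not allow comments). */
static int ftpusers_denies(const char *ftpusers_text, const char *name)
{
    const char *p = ftpusers_text;
    size_t nlen = strlen(name);

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len > 0 && p[0] != '#' && len == nlen && memcmp(p, name, nlen) == 0)
            return 1;
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return 0;   /* not listed: the file imposes no restriction on this user */
}

/* Rules 1 and 3 from the manpage.  Rule 2 (AUTH or non-empty password) is
   assumed to have been checked separately.  Note the direction of rule 3:
   being listed blocks the login, being unlisted permits it. */
static int login_decision(int in_passwd_db, const char *ftpusers_text,
                          const char *name)
{
    if (!in_passwd_db)                          /* rule 1 */
        return 0;
    if (ftpusers_denies(ftpusers_text, name))   /* rule 3: deny list */
        return 0;
    return 1;
}

/* Same decision with rule 1 answered by the system password database. */
static int ftp_login_permitted(const char *name, const char *ftpusers_text)
{
    return login_decision(getpwnam(name) != NULL, ftpusers_text, name);
}

/* Constructed sample /etc/ftpusers: system accounts only, which is the usual
   shape of the file.  Any ordinary user is absent and therefore allowed. */
static const char SAMPLE_FTPUSERS[] =
    "# constructed sample, not a real file\n"
    "root\n"
    "daemon\n"
    "bin\n"
    "sys\n";

int main(void)
{
    const char *users[] = { "root", "daemon", "alice", "ro", "roots" };
    size_t i;

    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s %s\n", users[i],
               login_decision(1, SAMPLE_FTPUSERS, users[i])
                   ? "allowed (not in ftpusers)"
                   : "blocked (listed in ftpusers)");
    return 0;
}
```

Running it shows "alice", "ro" and "roots" allowed and only the exact names
"root" and "daemon" blocked, which is what the manpage rules describe. The
practical consequence for hardening is that a deny list like this cannot
express "only alice may use ftp": every account that should not log in has to
be added, including service accounts created later, or ftp access has to be
restricted by other means.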


