Re: [bug-inetutils] Serious security vulnerability in ftpd

bug-inetutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-inetutils] Serious security vulnerability in ftpd

From:	Sergey Poznyakoff
Subject:	Re: [bug-inetutils] Serious security vulnerability in ftpd
Date:	Tue, 04 Nov 2003 11:35:04 +0200

Davin McCall <address@hidden> wrote:

> Ie. If a user is NOT listed in /etc/ftpusers, they WILL be allowed to
> login via ftp. If on the other hand they ARE listed in ftpusers, they
> will NOT be allowed to login.

This is intended behavior. The file /etc/ftpusers is used to block
ftp access to a selected set of users. From ftpd manpage:


       Ftpd authenticates users according to the following rules:

         1.   The  user  name  must be in the password data base,
              /etc/passwd.

         2.   An AUTH  command  must  be  accepted,  the  ensuing
              authentication  protocol  (conducted  via ADAT com-
              mands and replies) must successfully complete,  and
              the authenticated user must permitted access.  Oth-
              erwise, a valid password which is not null must  be
              provided by the client.

         3.   The   user   name  must  not  appear  in  the  file
              /etc/ftpusers.

Regards,
Sergey

[Prev in Thread]

Current Thread

[Next in Thread]

[bug-inetutils] Serious security vulnerability in ftpd, Davin McCall, 2003/11/04
- Re: [bug-inetutils] Serious security vulnerability in ftpd, Sergey Poznyakoff <=

Prev by Date: [bug-inetutils] Serious security vulnerability in ftpd
Next by Date: [bug-inetutils] inetd patch: server args passed incorrectly
Previous by thread: [bug-inetutils] Serious security vulnerability in ftpd
Next by thread: [bug-inetutils] inetd patch: server args passed incorrectly
Index(es):
- Date
- Thread