Re: [bug-inetutils] Serious security vulnerability in ftpd
From: Sergey Poznyakoff
Subject: Re: [bug-inetutils] Serious security vulnerability in ftpd
Date: Tue, 04 Nov 2003 11:35:04 +0200

Davin McCall <address@hidden> wrote:
> Ie. If a user is NOT listed in /etc/ftpusers, they WILL be allowed to
> login via ftp. If on the other hand they ARE listed in ftpusers, they
> will NOT be allowed to login.
This is intended behavior. The file /etc/ftpusers is used to block
ftp access to a selected set of users. From ftpd manpage:

    Ftpd authenticates users according to the following rules:

    1. The user name must be in the password data base,
       /etc/passwd.
    2. An AUTH command must be accepted, the ensuing
       authentication protocol (conducted via ADAT commands
       and replies) must successfully complete, and the
       authenticated user must be permitted access. Otherwise,
       a valid password which is not null must be provided
       by the client.
    3. The user name must not appear in the file
       /etc/ftpusers.

Regards,
Sergey
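
Added example (not part of the original message and not inetutils code): a small audit helper that lists the accounts passing rules 1 and 3 quoted above, which makes the deny-list semantics visible, since any passwd entry not named in ftpusers remains eligible. The function name ftp_allowed, the sample data, and the assumed ftpusers syntax (one name per line, "#" comments) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not inetutils code. Lists accounts that satisfy rules 1 and 3
# quoted above: present in the passwd file and absent from the ftpusers deny
# list. Rule 2 (password / AUTH) is not evaluated here.

# ftp_allowed PASSWD_FILE FTPUSERS_FILE  (hypothetical helper name)
ftp_allowed() {
    awk -F: -v deny="$2" '
        BEGIN {
            # Assumptions about the deny file: one user name per line,
            # "#" starts a comment, blank lines are ignored. An unreadable
            # file yields an empty list, so nobody is blocked.
            while ((getline line < deny) > 0) {
                sub(/#.*/, "", line)
                sub(/^[ \t]+/, "", line)
                sub(/[ \t\r].*$/, "", line)
                if (line != "") denied[line] = 1
            }
            close(deny)
        }
        /^#/ || $1 == "" { next }          # skip comments and blank lines
        !($1 in denied)  { print $1 }      # in passwd and not on the deny list
    ' "$1"
}

# Constructed sample data (not from any real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
EOF
    cat > "$dir/ftpusers" <<'EOF'
# accounts denied ftp access
root
bob   # left the team
EOF
    ftp_allowed "$dir/passwd" "$dir/ftpusers"
    rm -rf "$dir"
}

demo
```

In the sample, daemon is reported alongside alice because it is in passwd and was never added to the deny list; reviewing that output against the accounts that should have ftp access is the point of the check.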