Bug 1599
| Summary: | Login bug in wu-ftpd-2.4.2b18-2.1 | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | sweeheng |
| Component: | wu-ftpd | Assignee: | Bernhard Rosenkraenzer <bero> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.2 | CC: | wuftpd-bugs |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 1999-08-23 22:29:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Commenting out the 1st class line in /etc/ftpaccess and adding class guestuser guest * guestuser adam after adding user adam verifies that wu-ftpd-2.4.2vr17-3 has this behavior also. Fixed in wu-ftpd-2.5.0-5. |
I am getting a perculiar behaviour from the wu-ftpd-2.4.2b18-2.1.i386.rpm package downloaded from updates.redhat.com. It is reproducible for me. Scenario: I configured /etc/ftpaccess to allow only guest accounts, ie. no real and anonymous access. I modified the default ftpaccess file so that the first line reads: class guestuser guest * To verify it, I ftp to my machine using various combinations of real, guest and anonymous accounts. Almost every time it works - real and anonymous users rejected while guest admitted if password is right. I said almost because if I do it in the following sequence, I can get anonymous access: 1. FTP to machine; 2. Login as a *valid* guest user ("adam" in this example) Name(machine-name:someuser): adam <Enter> 331 Password required for adam. 3. Provide blank/dummy password. Password: <Enter> 530 Login incorrect. 4. Just as one would expect for the wrong password. However, immediately login as anonymous. ftp> user anonymous <enter> 331 Guest login ok, send your complete ...<blah> 5. Give some random address. Password: someone <Enter> 230 Guest login ok, access restriction apply. Tada! I get anonymous access when I am not supposed to. Seems like the first login as a valid guest user (but with the wrong password) sets some flag which subsequently makes ftpd forget the fact that anonymous access is not allowed. I believe the wu-ftpd VR14 release have the same problem too.