Bug 15657

Summary: deny-uid ignored by wu-ftpd-2.6.0-14.6x.i386.rpm in /etc/ftpaccess
Product: [Retired] Red Hat Linux Reporter: tom
Component: wu-ftpdAssignee: Bernhard Rosenkraenzer <bero>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 6.2CC: pekkas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-03-12 19:58:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ftpaccess(5) one-liner: don't use deny-uid with anonymous accounts none

Description tom 2000-08-07 16:36:00 UTC 
from in.ftpd -V: Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000

After downloading and installing wuftpd from the security advisory 
(wu-ftpd-2.6.0-14.6x.i386.rpm), I found that it no longer honored the 'deny-uid ftp' 
line of my /etc/ftpaccess file.  Anonymous logins were now allowed!  I was very 
surprised to see anonymous FTP connections logged (with attempts at the SITE 
EXEC exploit) a few days later.

I had previously been using wuftpd from RedHat 6.0.  I verified that it was using 
that ftpaccess file by modifying the greeting text.

The man page for ftpaccess still lists deny-uid as a valid command.  I had to add 
'ftp' to my /etc/ftpaccounts file to block anonymous access.
Comment 1 Pekka Savola 2000-08-08 08:31:01 UTC 
This still an issue in Pinstripe (wu-ftpd-2.6.1-5).

The _correct_ way to deal with this, however, is to remove anonymous from
/etc/ftpaccess line:

class   all   real,guest,anonymous  *
Comment 2 Bernhard Rosenkraenzer 2000-08-08 09:14:48 UTC 
deny-uid doesn't (and isn't supposed to) affect anonymous users. It's for real
and guest users.
Comment 3 Pekka Savola 2000-08-08 10:13:18 UTC 
True, but shouldn't this be mentioned in the man page? :-)

Well, I'll suggest this to the wuftpd people, at least.
Comment 4 Pekka Savola 2000-08-08 10:14:21 UTC 
Created attachment 2238 [details]
ftpaccess(5) one-liner: don't use deny-uid with anonymous accounts
Comment 5 tom 2000-08-08 16:38:28 UTC 
If deny-uid isn't for anonymous users, there needs to be a rewrite of that section of the 
man pages, beyond the small change pekkas made.  The manpage for 
ftpaccess *specifically* uses the ftp account in the deny-uid/allow-uid example to restrict 
access to anonymous users only.

This is something that worked in the past.  I doubt I was the only person who used it as 
a method of cutting off anonymous access to my server.  The man page states that you 
can replace /etc/ftpusers with allow/deny-uid/gid.  This is a security hole.  How many 
people will upgrade their server and not realize that they've opened up access to 
anonymous users?

My question:

Why was the previous behavior changed?  If there wasn't a compelling reason and 
wasn't an intentional change, I see it as an unintended side effect and it should be fixed.
Comment 6 WU-FTPD Development Group 2001-03-12 19:58:12 UTC 
defaultserver private is intended for use to deny anonymous access.

This way there is still a class allowing anonymous and the anonymous user is 
still allowed access to virtual hosts (unless virtual .. private is used as 
well).

ftpaccess manpage updated to reflect this in next release

Close this ticket.