Bug 15657 – deny-uid ignored by wu-ftpd-2.6.0-14.6x.i386.rpm in /etc/ftpaccess

Bug 15657 - deny-uid ignored by wu-ftpd-2.6.0-14.6x.i386.rpm in /etc/ftpaccess

Summary:	deny-uid ignored by wu-ftpd-2.6.0-14.6x.i386.rpm in /etc/ftpaccess

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	wu-ftpd (Show other bugs)
Sub Component:
Version:	6.2
Hardware:	i386 Linux

Priority	high Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Bernhard Rosenkraenzer
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2000-08-07 12:36 EDT by tom
Modified:	2008-05-01 11:37 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2001-03-12 14:58:16 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
ftpaccess(5) one-liner: don't use deny-uid with anonymous accounts (417 bytes, patch) 2000-08-08 06:14 EDT, Pekka Savola	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description tom 2000-08-07 12:36:00 EDT

from in.ftpd -V: Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000

After downloading and installing wuftpd from the security advisory 
(wu-ftpd-2.6.0-14.6x.i386.rpm), I found that it no longer honored the 'deny-uid ftp' 
line of my /etc/ftpaccess file.  Anonymous logins were now allowed!  I was very 
surprised to see anonymous FTP connections logged (with attempts at the SITE 
EXEC exploit) a few days later.

I had previously been using wuftpd from RedHat 6.0.  I verified that it was using 
that ftpaccess file by modifying the greeting text.

The man page for ftpaccess still lists deny-uid as a valid command.  I had to add 
'ftp' to my /etc/ftpaccounts file to block anonymous access.

Comment 1 Pekka Savola 2000-08-08 04:31:01 EDT

This still an issue in Pinstripe (wu-ftpd-2.6.1-5).

The _correct_ way to deal with this, however, is to remove anonymous from
/etc/ftpaccess line:

class   all   real,guest,anonymous  *

Comment 2 Bernhard Rosenkraenzer 2000-08-08 05:14:48 EDT

deny-uid doesn't (and isn't supposed to) affect anonymous users. It's for real
and guest users.

Comment 3 Pekka Savola 2000-08-08 06:13:18 EDT

True, but shouldn't this be mentioned in the man page? :-)

Well, I'll suggest this to the wuftpd people, at least.

Comment 4 Pekka Savola 2000-08-08 06:14:21 EDT

Created attachment 2238 [details]
ftpaccess(5) one-liner: don't use deny-uid with anonymous accounts

Comment 5 tom 2000-08-08 12:38:28 EDT

If deny-uid isn't for anonymous users, there needs to be a rewrite of that section of the 
man pages, beyond the small change pekkas@netcore.fi made.  The manpage for 
ftpaccess *specifically* uses the ftp account in the deny-uid/allow-uid example to restrict 
access to anonymous users only.

This is something that worked in the past.  I doubt I was the only person who used it as 
a method of cutting off anonymous access to my server.  The man page states that you 
can replace /etc/ftpusers with allow/deny-uid/gid.  This is a security hole.  How many 
people will upgrade their server and not realize that they've opened up access to 
anonymous users?

My question:

Why was the previous behavior changed?  If there wasn't a compelling reason and 
wasn't an intentional change, I see it as an unintended side effect and it should be fixed.

Comment 6 WU-FTPD Development Group 2001-03-12 14:58:12 EST

defaultserver private is intended for use to deny anonymous access.

This way there is still a class allowing anonymous and the anonymous user is 
still allowed access to virtual hosts (unless virtual .. private is used as 
well).

ftpaccess manpage updated to reflect this in next release

Close this ticket.

Note You need to log in before you can comment on or make changes to this bug.