Bug 15657 - deny-uid ignored by wu-ftpd-2.6.0-14.6x.i386.rpm in /etc/ftpaccess
Summary: deny-uid ignored by wu-ftpd-2.6.0-14.6x.i386.rpm in /etc/ftpaccess
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: wu-ftpd
Version: 6.2
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-08-07 16:36 UTC by tom
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2001-03-12 19:58:16 UTC
Embargoed:

Attachments (Terms of Use)
ftpaccess(5) one-liner: don't use deny-uid with anonymous accounts (417 bytes, patch)
2000-08-08 10:14 UTC, Pekka Savola 		no flags Details | Diff
View All

Description tom 2000-08-07 16:36:00 UTC 
from in.ftpd -V: Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000

After downloading and installing wuftpd from the security advisory 
(wu-ftpd-2.6.0-14.6x.i386.rpm), I found that it no longer honored the 'deny-uid ftp' 
line of my /etc/ftpaccess file.  Anonymous logins were now allowed!  I was very 
surprised to see anonymous FTP connections logged (with attempts at the SITE 
EXEC exploit) a few days later.

I had previously been using wuftpd from RedHat 6.0.  I verified that it was using 
that ftpaccess file by modifying the greeting text.

The man page for ftpaccess still lists deny-uid as a valid command.  I had to add 
'ftp' to my /etc/ftpaccounts file to block anonymous access.
Comment 1 Pekka Savola 2000-08-08 08:31:01 UTC 
This still an issue in Pinstripe (wu-ftpd-2.6.1-5).

The _correct_ way to deal with this, however, is to remove anonymous from
/etc/ftpaccess line:

class   all   real,guest,anonymous  *
Comment 2 Bernhard Rosenkraenzer 2000-08-08 09:14:48 UTC 
deny-uid doesn't (and isn't supposed to) affect anonymous users. It's for real
and guest users.
Comment 3 Pekka Savola 2000-08-08 10:13:18 UTC 
True, but shouldn't this be mentioned in the man page? :-)

Well, I'll suggest this to the wuftpd people, at least.
Comment 4 Pekka Savola 2000-08-08 10:14:21 UTC 
Created attachment 2238 [details]
ftpaccess(5) one-liner: don't use deny-uid with anonymous accounts
Comment 5 tom 2000-08-08 16:38:28 UTC 
If deny-uid isn't for anonymous users, there needs to be a rewrite of that section of the 
man pages, beyond the small change pekkas made.  The manpage for 
ftpaccess *specifically* uses the ftp account in the deny-uid/allow-uid example to restrict 
access to anonymous users only.

This is something that worked in the past.  I doubt I was the only person who used it as 
a method of cutting off anonymous access to my server.  The man page states that you 
can replace /etc/ftpusers with allow/deny-uid/gid.  This is a security hole.  How many 
people will upgrade their server and not realize that they've opened up access to 
anonymous users?

My question:

Why was the previous behavior changed?  If there wasn't a compelling reason and 
wasn't an intentional change, I see it as an unintended side effect and it should be fixed.
Comment 6 WU-FTPD Development Group 2001-03-12 19:58:12 UTC 
defaultserver private is intended for use to deny anonymous access.

This way there is still a class allowing anonymous and the anonymous user is 
still allowed access to virtual hosts (unless virtual .. private is used as 
well).

ftpaccess manpage updated to reflect this in next release

Close this ticket.
Note You need to log in before you can comment on or make changes to this bug.