from in.ftpd -V: Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000
After downloading and installing wuftpd from the security advisory
(wu-ftpd-2.6.0-14.6x.i386.rpm), I found that it no longer honored the 'deny-uid ftp'
line of my /etc/ftpaccess file. Anonymous logins were now allowed! I was very
surprised to see anonymous FTP connections logged (with attempts at the SITE
EXEC exploit) a few days later.
I had previously been using wuftpd from RedHat 6.0. I verified that it was using
that ftpaccess file by modifying the greeting text.
The man page for ftpaccess still lists deny-uid as a valid command. I had to add
'ftp' to my /etc/ftpaccounts file to block anonymous access.
This still an issue in Pinstripe (wu-ftpd-2.6.1-5).
The _correct_ way to deal with this, however, is to remove anonymous from
class all real,guest,anonymous *
deny-uid doesn't (and isn't supposed to) affect anonymous users. It's for real
and guest users.
True, but shouldn't this be mentioned in the man page? :-)
Well, I'll suggest this to the wuftpd people, at least.
Created attachment 2238 [details]
ftpaccess(5) one-liner: don't use deny-uid with anonymous accounts
If deny-uid isn't for anonymous users, there needs to be a rewrite of that section of the
man pages, beyond the small change firstname.lastname@example.org made. The manpage for
ftpaccess *specifically* uses the ftp account in the deny-uid/allow-uid example to restrict
access to anonymous users only.
This is something that worked in the past. I doubt I was the only person who used it as
a method of cutting off anonymous access to my server. The man page states that you
can replace /etc/ftpusers with allow/deny-uid/gid. This is a security hole. How many
people will upgrade their server and not realize that they've opened up access to
Why was the previous behavior changed? If there wasn't a compelling reason and
wasn't an intentional change, I see it as an unintended side effect and it should be fixed.
defaultserver private is intended for use to deny anonymous access.
This way there is still a class allowing anonymous and the anonymous user is
still allowed access to virtual hosts (unless virtual .. private is used as
ftpaccess manpage updated to reflect this in next release
Close this ticket.