from in.ftpd -V: Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000 After downloading and installing wuftpd from the security advisory (wu-ftpd-2.6.0-14.6x.i386.rpm), I found that it no longer honored the 'deny-uid ftp' line of my /etc/ftpaccess file. Anonymous logins were now allowed! I was very surprised to see anonymous FTP connections logged (with attempts at the SITE EXEC exploit) a few days later. I had previously been using wuftpd from RedHat 6.0. I verified that it was using that ftpaccess file by modifying the greeting text. The man page for ftpaccess still lists deny-uid as a valid command. I had to add 'ftp' to my /etc/ftpaccounts file to block anonymous access.
This still an issue in Pinstripe (wu-ftpd-2.6.1-5). The _correct_ way to deal with this, however, is to remove anonymous from /etc/ftpaccess line: class all real,guest,anonymous *
deny-uid doesn't (and isn't supposed to) affect anonymous users. It's for real and guest users.
True, but shouldn't this be mentioned in the man page? :-) Well, I'll suggest this to the wuftpd people, at least.
Created attachment 2238 [details] ftpaccess(5) one-liner: don't use deny-uid with anonymous accounts
If deny-uid isn't for anonymous users, there needs to be a rewrite of that section of the man pages, beyond the small change pekkas made. The manpage for ftpaccess *specifically* uses the ftp account in the deny-uid/allow-uid example to restrict access to anonymous users only. This is something that worked in the past. I doubt I was the only person who used it as a method of cutting off anonymous access to my server. The man page states that you can replace /etc/ftpusers with allow/deny-uid/gid. This is a security hole. How many people will upgrade their server and not realize that they've opened up access to anonymous users? My question: Why was the previous behavior changed? If there wasn't a compelling reason and wasn't an intentional change, I see it as an unintended side effect and it should be fixed.
defaultserver private is intended for use to deny anonymous access. This way there is still a class allowing anonymous and the anonymous user is still allowed access to virtual hosts (unless virtual .. private is used as well). ftpaccess manpage updated to reflect this in next release Close this ticket.