Red Hat Bugzilla – Bug 15742
blank guestserver in ftpaccess has unintended behavior
Last modified: 2008-05-01 11:37:57 EDT
This is somewhat related to bug 15657, which involves blocking anonymous users
After finding that 'deny-uid ftp' didn't work to block anonymous access, I tried using
the 'guestserver' command. From the man page:
Controls which hosts may be used for anonymous or
guest access. If used without <hostname>, denies all
guest or anonymous access to this site. More than
one <hostname> may be specified. Guest and anonymous
access will only be allowed on the named machines.
If access is denied, the user will be asked to use
the first <hostname> listed.
Using guestserver with a blank hostname did NOT deny access to anonymous
users. Either the code or documentation needs to be updated.
I would also suggest, for security reasons, that RedHat consider turning
anonymous access OFF as default behavior on future wu-ftpd releases. It might be
useful to include comments in ftpaccess with instructions on the 'best' way to
enable/disable anonymous access to the server.
Anonymous access *IS* turned off by default, unless you install the anonftp
Verified the above with wu-ftpd-2.6.1-6 from pinstripe.
guestserver only applies to anonymous users.
man page for ftpaccess has been updated for next release.
close this ticket