15742 – blank guestserver in ftpaccess has unintended behavior

Bug 15742 - blank guestserver in ftpaccess has unintended behavior

Summary: blank guestserver in ftpaccess has unintended behavior

Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	wu-ftpd
Sub Component:	(Show other bugs)
Version:	6.2
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Bernhard Rosenkraenzer
QA Contact:
Docs Contact:
URL:
Whiteboard:
Keywords:	Security
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2000-08-08 16:54 UTC by tom
Modified:	2008-05-01 15:37 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2001-03-12 20:11:17 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description tom 2000-08-08 16:54:13 UTC

This is somewhat related to bug 15657, which involves blocking anonymous users 
in /etc/ftpaccess.

After finding that 'deny-uid ftp' didn't work to block anonymous access, I tried using 
the 'guestserver' command.  From the man page:

       guestserver [<hostname>]

            Controls which hosts may be  used  for  anonymous  or
            guest access.  If used without <hostname>, denies all
            guest or anonymous access to this  site.   More  than
            one <hostname> may be specified.  Guest and anonymous
            access will only be allowed on  the  named  machines.
            If  access  is  denied, the user will be asked to use
            the first <hostname> listed.

Using guestserver with a blank hostname did NOT deny access to anonymous 
users.  Either the code or documentation needs to be updated.

I would also suggest, for security reasons, that RedHat consider turning 
anonymous access OFF as default behavior on future wu-ftpd releases.  It might be 
useful to include comments in ftpaccess with instructions on the 'best' way to 
enable/disable anonymous access to the server.

Comment 1 Bernhard Rosenkraenzer 2000-08-09 09:51:21 UTC

Anonymous access *IS* turned off by default, unless you install the anonftp
package.

Comment 2 Derek Tattersall 2000-08-19 15:29:41 UTC

Verified the above with wu-ftpd-2.6.1-6 from pinstripe.

Comment 3 WU-FTPD Development Group 2001-03-12 20:11:13 UTC

guestserver only applies to anonymous users.

man page for ftpaccess has been updated for next release.

close this ticket

Note You need to log in before you can comment on or make changes to this bug.