I am getting a peculiar behaviour from the wu-ftpd-2.4.2b18-2.1.i386.rpm package downloaded from updates.redhat.com. It is reproducible for me.

Scenario: I configured /etc/ftpaccess to allow only guest accounts, i.e. no real and anonymous access. I modified the default ftpaccess file so that the first line reads:

    class guestuser guest *

To verify it, I ftp to my machine using various combinations of real, guest and anonymous accounts. Almost every time it works - real and anonymous users rejected while guest admitted if password is right.

I said almost because if I do it in the following sequence, I can get anonymous access:

1. FTP to machine;

2. Login as a *valid* guest user ("adam" in this example)

    Name(machine-name:someuser): adam <Enter>
    331 Password required for adam.

3. Provide blank/dummy password.

    Password: <Enter>
    530 Login incorrect.

4. Just as one would expect for the wrong password. However, immediately login as anonymous.

    ftp> user anonymous <enter>
    331 Guest login ok, send your complete ...<blah>

5. Give some random address.

    Password: someone <Enter>
    230 Guest login ok, access restriction apply.

Tada! I get anonymous access when I am not supposed to. Seems like the first login as a valid guest user (but with the wrong password) sets some flag which subsequently makes ftpd forget the fact that anonymous access is not allowed. I believe the wu-ftpd VR14 release has the same problem too.
Commenting out the 1st class line in /etc/ftpaccess and adding

    class guestuser guest *
    guestuser adam

after adding user adam verifies that wu-ftpd-2.4.2vr17-3 has this behavior also.
Fixed in wu-ftpd-2.5.0-5.
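
A way to check a captured FTP session against the guest-only policy described in this report, for example when confirming that an upgraded server no longer admits anonymous logins. This is an added example, not part of the original report or of wu-ftpd; the "C:"/"S:" transcript format, the function names and the sample session are assumptions constructed for illustration.

```python
import re

# Assumption: login names the server treats as anonymous.
ANONYMOUS_NAMES = {"anonymous", "ftp"}
# Final line of a reply is "NNN text"; "NNN-" continuation lines are skipped.
REPLY = re.compile(r"^(\d{3}) ")


def classify(user, guest_users):
    """Map a login name to the ftpaccess class type it would fall under."""
    if user.lower() in ANONYMOUS_NAMES:
        return "anonymous"
    return "guest" if user in guest_users else "real"


def audit_session(lines, allowed_classes, guest_users):
    """Return one finding per 230 reply that admits a class the policy forbids."""
    findings, user, failed_before = [], None, False
    for n, line in enumerate(lines, 1):
        side, _, text = line.partition(": ")
        if side == "C" and text.upper().startswith("USER "):
            user = text[5:].strip()          # login name the next replies refer to
        elif side == "S" and (m := REPLY.match(text)):
            code = m.group(1)
            if code == "530":
                failed_before = True         # a rejected login earlier in this session
            elif code == "230" and user is not None:
                cls = classify(user, guest_users)
                if cls not in allowed_classes:
                    findings.append({"line": n, "user": user, "class": cls,
                                     "after_failed_login": failed_before})
    return findings


# Constructed transcript following the sequence in the report.
SAMPLE = [
    "C: USER adam",
    "S: 331 Password required for adam.",
    "C: PASS ",
    "S: 530 Login incorrect.",
    "C: USER anonymous",
    "S: 331 Guest login ok, send your complete ...",
    "C: PASS someone",
    "S: 230 Guest login ok, access restriction apply.",
]

if __name__ == "__main__":
    for finding in audit_session(SAMPLE, {"guest"}, {"adam"}):
        print(finding)
```

A finding with after_failed_login set to True matches the sequence in the report; a session in which the server answers the anonymous login with 530 produces no finding.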