First Last Prev Next    This bug is not in your last search results.
Bug 23721 - /etc/ftpusers is missing postgres and *probably* other system users
/etc/ftpusers is missing postgres and *probably* other system users
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: wu-ftpd (Show other bugs)
7.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bernhard Rosenkraenzer
David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-01-10 14:43 EST by Arenas Belon, Carlo Marcelo
Modified: 2007-04-18 12:30 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-01-10 14:43:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Arenas Belon, Carlo Marcelo 2001-01-10 14:43:09 EST 
The current PAM configuration for wu-ftpd restricts getting an ftp account
for users included on /etc/ftpusers as explained on :

auth required /lib/security/pam_listfile.so item=user sense=deny
file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so

so if anyone with a shell on /etc/shells (like postgres) can ftp if it is
not explicitally denied for /etc/ftpusers (granted they have set a valid
password for that user)

i guess there could be other users that are allowed to ftp just because the
user is not on /etc/ftpusers (as any system user should be)

this could apply also to the mysql user or any other user that has recently
been added to RH
Comment 1 Bernhard Rosenkraenzer 2001-01-10 14:48:34 EST 
/etc/ftpaccess has

deny-uid %-99

which is already sufficient to block all system users.
Comment 2 Arenas Belon, Carlo Marcelo 2001-01-10 16:50:30 EST 
granted!! my fault as deny-uid is a better way than adding every single possible
login to /etc/ftpusers (i've even changed to sense=allow sometimes as it is far
easier to keep the "trusted" list this way)

it still aplies to RH <= 7.0, but i am not sure if an errata would be a good
idea though.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.