The current PAM configuration for wu-ftpd restricts getting an ftp account for users included on /etc/ftpusers as explained on : auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_shells.so so if anyone with a shell on /etc/shells (like postgres) can ftp if it is not explicitally denied for /etc/ftpusers (granted they have set a valid password for that user) i guess there could be other users that are allowed to ftp just because the user is not on /etc/ftpusers (as any system user should be) this could apply also to the mysql user or any other user that has recently been added to RH
/etc/ftpaccess has deny-uid %-99 which is already sufficient to block all system users.
granted!! my fault as deny-uid is a better way than adding every single possible login to /etc/ftpusers (i've even changed to sense=allow sometimes as it is far easier to keep the "trusted" list this way) it still aplies to RH <= 7.0, but i am not sure if an errata would be a good idea though.