Red Hat Bugzilla – Bug 33389
guestusers with delimiter ',' gives root access
Last modified: 2007-04-18 12:32:24 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
When in /etc/ftpaccess guestusers are defined with delimiter ',' they are
allowed root access when ftp'ing.
Steps to Reproduce:
1.Create a set of logins, say guest1, guest2, guest3
2.add line to /etc/ftpaccess:
3.login using guest1 from a client workstation onto the server.
Actual Results: you get your root access. your directory permissions are
not restricted, etc.
Expected Results: either parsing of /etc/ftpaccess should ignore the
lines or something else but should not give root access
It does NOT give you root access (==access to the root account). It just gives
you access to the root directory, which is the correct behavior, since the
user is not listed as a guest user.
Fixing this would break situations where an admin wants to make an actual user
with the login name "guest1,guest2" a guest user.
Both situations are a result of not reading the documentation (wrong syntax in
/etc/ftpaccess or bad symantics for user names), so I consider both of them to
be the same and won't break one to fix the other.