Bug 33389 - guestusers with delimiter ',' gives root access
guestusers with delimiter ',' gives root access
Product: Red Hat Linux
Classification: Retired
Component: wu-ftpd (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bernhard Rosenkraenzer
David Lawrence
: Security
Depends On:
  Show dependency treegraph
Reported: 2001-03-27 09:11 EST by Need Real Name
Modified: 2007-04-18 12:32 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-03-27 09:11:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2001-03-27 09:11:39 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

When in /etc/ftpaccess guestusers are defined with delimiter ',' they are 
allowed root access when ftp'ing.

Reproducible: Always
Steps to Reproduce:
1.Create a set of logins, say guest1, guest2, guest3
2.add line to /etc/ftpaccess:
 guestuser guest1,guest2,guest3
3.login using guest1 from a client workstation onto the server.

Actual Results:  you get your root access. your directory permissions are 
not restricted, etc.

Expected Results:  either parsing of /etc/ftpaccess should ignore the 
lines or something else but should not give root access
Comment 1 Bernhard Rosenkraenzer 2001-03-27 11:56:30 EST
It does NOT give you root access (==access to the root account). It just gives 
you access to the root directory, which is the correct behavior, since the 
user is not listed as a guest user.

Fixing this would break situations where an admin wants to make an actual user 
with the login name "guest1,guest2" a guest user.

Both situations are a result of not reading the documentation (wrong syntax in 
/etc/ftpaccess or bad symantics for user names), so I consider both of them to 
be the same and won't break one to fix the other.

Note You need to log in before you can comment on or make changes to this bug.