Bug 33389 - guestusers with delimiter ',' gives root access
Summary: guestusers with delimiter ',' gives root access
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: wu-ftpd   
(Show other bugs)
Version: 6.2
Hardware: i386 Linux
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: David Lawrence
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-03-27 14:11 UTC by Need Real Name
Modified: 2007-04-18 16:32 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-03-27 14:11:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Need Real Name 2001-03-27 14:11:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

When in /etc/ftpaccess guestusers are defined with delimiter ',' they are 
allowed root access when ftp'ing.

Reproducible: Always
Steps to Reproduce:
1.Create a set of logins, say guest1, guest2, guest3
2.add line to /etc/ftpaccess:
 guestuser guest1,guest2,guest3
3.login using guest1 from a client workstation onto the server.

Actual Results:  you get your root access. your directory permissions are 
not restricted, etc.

Expected Results:  either parsing of /etc/ftpaccess should ignore the 
lines or something else but should not give root access

Comment 1 Bernhard Rosenkraenzer 2001-03-27 16:56:30 UTC
It does NOT give you root access (==access to the root account). It just gives 
you access to the root directory, which is the correct behavior, since the 
user is not listed as a guest user.

Fixing this would break situations where an admin wants to make an actual user 
with the login name "guest1,guest2" a guest user.

Both situations are a result of not reading the documentation (wrong syntax in 
/etc/ftpaccess or bad symantics for user names), so I consider both of them to 
be the same and won't break one to fix the other.

Note You need to log in before you can comment on or make changes to this bug.