This is the mail archive of the cygwin@sourceware.cygnus.com mailing list for the Cygwin project.



Re: ftpd + Win98 = security hole


Tom Weichmann wrote:
> I have noticed that when running ftpd from inetd, anyone can log in
> via anonymous ftp.  Usually the ftpd will chroot to /home/ftp for an
> anonymous login, but under win98 chroot does not work.  This
> leaves user anonymous with read, write, execute, delete access to
> your whole machine.  I tried adding user ftp to /etc/ftpusers, but
> this did not prevent the login.  Is there any way to disable
> anonymous logins via ftpd?

I have just checked that on a W2K and a W98 system. /etc/ftpusers
does actually prevent login.

I have checked out another situation: If you have binary mounts
and your ftpusers file has DOS line endings (\r\n), ftpd is
unable to prevent logins via ftpusers. That's the only possible
reason I can see, so I suggest checking your ftpusers line endings.

I will change that in the next release of inetutils so that
such configuration files are always opened in text mode. Then
you may have both styles of line endings regardless of the
mount mode.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company
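
The failure described in the message above, as an added example that is not part of the original post and is not inetutils code: a deny-list lookup over the bytes a binary-mode read returns, where a trailing \r makes "ftp\r" differ from "ftp" and the entry never matches. The function name, the sample file contents and the explicit \r stripping are assumptions made for illustration; the fix announced in the message is to open the file in text mode instead.

```c
/* Added example, not inetutils source: a deny-list lookup over the bytes
 * ftpd would see when /etc/ftpusers is read without CRLF translation. */
#include <stdio.h>
#include <string.h>

/* Return 1 if `user` is on a line of `buf`. If strip_cr is 0, only '\n'
 * is treated as the line terminator, as in a binary-mode read. */
static int user_listed(const char *buf, const char *user, int strip_cr)
{
    char line[256];

    while (*buf) {
        size_t len = strcspn(buf, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;

        memcpy(line, buf, n);
        line[n] = '\0';
        /* Hardened path: drop a trailing '\r' left by DOS line endings. */
        if (strip_cr && n > 0 && line[n - 1] == '\r')
            line[n - 1] = '\0';
        /* Skip comment lines, then require an exact name match. */
        if (line[0] != '#' && strcmp(line, user) == 0)
            return 1;
        buf += len;
        if (*buf == '\n')
            buf++;
    }
    return 0;
}

/* Constructed sample contents, one with Unix and one with DOS endings. */
static const char FTPUSERS_LF[]   = "# denied users\nroot\nftp\n";
static const char FTPUSERS_CRLF[] = "# denied users\r\nroot\r\nftp\r\n";

int main(void)
{
    printf("LF file, naive:   %d\n", user_listed(FTPUSERS_LF, "ftp", 0));
    printf("CRLF file, naive: %d\n", user_listed(FTPUSERS_CRLF, "ftp", 0));
    printf("CRLF file, fixed: %d\n", user_listed(FTPUSERS_CRLF, "ftp", 1));
    return 0;
}
```

The middle case is the one that matters: the deny list fails open, so a check of this kind should be tested with both line-ending styles.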
