Re: ftpd + Win98 = security hole

[Corinna Vinschen <corinna at vinschen dot de>]

Charles Wilson wrote:
> --prefix=/usr --sysconfdir=/etc and then things should work like you
> expect: /etc/inetd.conf, /etc/ftpusers,
> [...]
> This is all complicated by Corinna's nifty addition to inetd.exe : it
> stores the expected location of inetd.conf in the registry. So, that's
> why /etc/inetd.conf works, but /etc/ftpusers doesn't. I guess that
> Corinna built inetutils with no 'prefix', so the default location for
> configuration files in her binary package is /usr/local/etc. BUT, that's
> overridden, in the case of inetd.conf ONLY, by the registry setting.
> 
> Does that analysis sound correct to you, Corinna?

Not completely, Charles,

the inetutils package on sourceware is configured with

	--prefix=/usr --libexecdir='${exec_prefix}/sbin'
	--sysconfdir=/etc

and...

> P.S. It would be nice if all, or as many as possible, of the binary
> packages in latest contained the config.status output somehow. That way,
> we wouldn't have to guess the 'correct' options to rebuild the packages.

...that's a good hint and...

> Tom Weichmann wrote:
> > All of my mounts are binary mounts, so that should not be the
> > problem.  For some reason /etc/ftpusers will not prevent the login.

..that _is_ a problem if your files have DOS line endings on
binary mounted disks and...

> > I moved ftpusers to /usr/local/etc/ftpusers, and this did the trick.

...you can't be using the inetutils-1.3.2-2 package from
sourceware because it's definitely compiled with --sysconfdir=/etc.
I have just checked that. The first package (inetutils-1.3.2) was
already configured that way. Are you sure that you don't have
a previous package (eg. Charles one) still installed and are you
sure using the right inetd.conf?

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com