ftpd + Win98 = security hole

Charles Wilson cwilson@ece.gatech.edu
Tue May 23 10:11:00 GMT 2000


The default location for inetutils config files is ${prefix}/etc. The
default value of ${prefix} is /usr/local, unless you type '--prefix=foo'
when running ./configure prior to building. So, I would expect that
/usr/local/etc/ftpusers is the correct location. However, you can do:

--prefix=/usr --sysconfdir=/etc and then things should work like you
expect: /etc/inetd.conf, /etc/ftpusers, 

This is all complicated by Corinna's nifty addition to inetd.exe: it
stores the expected location of inetd.conf in the registry. So, that's
why /etc/inetd.conf works, but /etc/ftpusers doesn't. I guess that
Corinna built inetutils with no 'prefix', so the default location for
configuration files in her binary package is /usr/local/etc. BUT, that's
overridden, in the case of inetd.conf ONLY, by the registry setting.

Does that analysis sound correct to you, Corinna? 

--Chuck

P.S. It would be nice if all, or as many as possible, of the binary
packages in latest contained the config.status output somehow. That way,
we wouldn't have to guess the 'correct' options to rebuild the packages.



Tom Weichmann wrote:
> 
> Corinna,
> 
> > I have just checked that on a W2K and a W98 system. /etc/ftpusers does
> > actually prevent login.
> 
> > I have checked out another situation: If you have binary mounts
> > and your ftpusers file has DOS line endings (\r\n) ftpd is
> > unable to prevent logins via ftpusers. That's the only possible
> > reason I can see so I suggest to check your ftpusers line endings.
> >
> > I will change that in the next release of inetutils so that
> > such configuration files are always opened in textmode. Then
> > you may have both styles of line endings regardless of the
> > mount mode.
> 
> All of my mounts are binary mounts, so that should not be the
> problem.  For some reason /etc/ftpusers will not prevent the login.
> I moved ftpusers to /usr/local/etc/ftpusers, and this did the trick.
> 
> Thanks,
> 
> Tom Weichmann
> 
> --
> Want to unsubscribe from this list?
> Send a message to cygwin-unsubscribe@sourceware.cygnus.com
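
The two failure modes discussed in this thread (a deny file with DOS line endings read without translation, and a deny file that is not at the path the daemon opens), as an added example that is not part of the original posts and is not inetutils code. The function names and the sample file name are hypothetical, and the file contents are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not inetutils code. Returns 1 if `user` is listed in
 * the deny file at `path`, 0 if not listed, -1 if the file cannot be opened
 * (so the caller can fail closed instead of silently allowing the login). */
int user_denied(const char *path, const char *user, int tolerate_crlf)
{
    char line[256];
    int found = 0;
    FILE *fp = fopen(path, "rb");   /* binary: no \r\n translation, as on a binary mount */

    if (fp == NULL)
        return -1;
    while (!found && fgets(line, sizeof line, fp) != NULL) {
        /* Naive: cut at '\n' only, so a DOS line keeps a trailing '\r'.
         * Tolerant: cut at the first '\r' or '\n'. */
        line[strcspn(line, tolerate_crlf ? "\r\n" : "\n")] = '\0';
        if (line[0] == '#' || line[0] == '\0')
            continue;               /* skip comments and blank lines */
        found = (strcmp(line, user) == 0);
    }
    fclose(fp);
    return found;
}

/* Writes a constructed two-entry deny file with the given line ending. */
int write_sample(const char *path, const char *eol)
{
    FILE *fp = fopen(path, "wb");
    if (fp == NULL)
        return -1;
    fprintf(fp, "# constructed sample%sroot%sadministrator%s", eol, eol, eol);
    return fclose(fp);
}

int main(void)
{
    const char *path = "ftpusers.sample";   /* hypothetical path in the cwd */
    write_sample(path, "\r\n");
    printf("naive:    %d\n", user_denied(path, "root", 0));
    printf("tolerant: %d\n", user_denied(path, "root", 1));
    printf("missing:  %d\n", user_denied("no-such-dir/ftpusers", "root", 1));
    remove(path);
    return 0;
}
```

With the naive comparison the entry is stored as "root\r" and never equals the login name, so the listed user is not matched; the -1 return lets a caller tell "file not found at this path" apart from "user not listed".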
