
Re: root access via FTP



On Thu, Feb 10, 2005 at 12:17:51PM -0800, Shawn Clark wrote:
> Just about every ftp server I have ever seen offers you the login of
> the user you are logged in as. I just logged in as root on my own
> Sarge system and ftp'd to localhost and was offered a root
> login....that doesn't mean I can get in as root...it's simply
> offered up as a convenience.
Oh; right, so it's just a convenience offered by your ftp client (bsd
ftp or netkit ftp or whatever it's called).

So, you're still not allowed to login?

I agree that it is a nice security-conscious feature if the ftp client
tries to log you in as a non root user.

Are you doing anything differently than before?  Same program?  When
is the last time you remember having your ftp client default to your
username?  Were you using su or sudo?

I'm thinking that you used su or some such to become root, but it
left traces of your original login (say, in the logname environment
variable or some such).  Then, the ftp client was able to find your
"real" username.

If you log into a getty as root, though, there's no way for the ftp
client to "know" what your "real" username is, and so the only default
it can use is your current user, which, unfortunately, is root.

One could argue, though, that if there is no evidence of a non-root
username to which it could default, it should not offer a default
name.

Is that an explanation for the right question?

Justin

> Justin Pryzby (justinpryzby@users.sourceforge.net) wrote:
> >
> > I just reread your subject.  You're "offered" a root ftp login?  What
> > program?
> >
> > Justin
> >
> > On Thu, Feb 10, 2005 at 03:04:39PM -0500, Justin Pryzby wrote:
> > > On Thu, Feb 10, 2005 at 08:59:34PM +0100, JP Glutting wrote:
> > > > For some reason, when I log into Sarge, I am offered to login as root
> > > > by default. Up until today, I was offered to login with my username. I
> > > Offered?  I take it you are using {k,g,x}dm?
> > >
> > > > am surprised by this, since I thought root logins were turned off by
> > > > default.
> > > >
> > > > Has anyone else noticed this?
> > > I hadn't, but someone was complaining that they couldn't log into root
> > > from kdm, so I, too, am surprised.
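
The default-name policy discussed in this message, sketched as an added example (not part of the original thread and not code from any ftp client): prefer whatever trace of a non-root login the session still carries, and offer no default when every candidate resolves to uid 0. The function names, the candidate order and the `SAMPLE_PASSWD` data are assumptions made for illustration.

```python
import os
import pwd

# Constructed passwd data for the demonstration: name -> uid.
# "toor" is a second uid-0 account, so comparing against "root" is not enough.
SAMPLE_PASSWD = {"root": 0, "toor": 0, "jp": 1000}


def system_uid(name):
    """Resolve a username through the real passwd database (KeyError if unknown)."""
    return pwd.getpwnam(name).pw_uid


def default_login(env, current_user, tty_login=None, uid_of=system_uid):
    """Return the username to pre-fill at the login prompt, or None.

    Candidates are tried from most to least specific trace of the original
    login: SUDO_USER, LOGNAME, USER, the terminal's login name, and finally
    the account the process runs as. Names that resolve to uid 0 or that do
    not exist are skipped, so a session with no non-root trace gets no default.
    """
    candidates = [env.get("SUDO_USER"), env.get("LOGNAME"), env.get("USER"),
                  tty_login, current_user]
    for name in candidates:
        if not name:
            continue
        try:
            if uid_of(name) != 0:
                return name
        except KeyError:
            continue  # stale or spoofed variable naming an unknown account
    return None


if __name__ == "__main__":
    # Live run against the current session.
    me = pwd.getpwuid(os.getuid()).pw_name
    try:
        tty = os.getlogin()
    except OSError:  # no controlling terminal
        tty = None
    print(default_login(os.environ, me, tty))
```

Passing `uid_of=SAMPLE_PASSWD.__getitem__` runs the same logic against the constructed accounts instead of the system's passwd database.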


