Watch out! vsftpd anonymous access always enabled!
Hi,
I was working on a newly-installed machine for a customer who requires an
FTP server. After installing vsftpd (which I *had* good experience with), I
noticed that the 'anonymous_enable' switch in /etc/vsftpd.conf, when set to
'NO', *does* allow anonymous access.
Logging in using the 'anonymous' user does not work, logging in using the
'ftp' user *does* work.
The 'ftp' user is listed in /etc/passwd and /etc/shadow, and has a disabled
password on all machines where I tried this and saw it working.
I was only able to test this with 1.2.0-2.
If anyone here is running vsftpd on a non-anonymous box, I'd make sure to
check this too. In the case of this customer (who has pretty sensitive data
on his box), this could have been quite a disaster.
'funny':
|Description: The Very Secure FTP Daemon
| A lightweight, efficient FTP server written from the ground up with
| security in mind.
Ahem.
Greets,
Robert
--
/^"- '-(\__/)-' -"^\
'-.' oo '.-' Holy Jesus! What are these goddamn animals?!
`-..-'
Finger rvdm@db.debian.org for my GPG key.
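
A check along the lines the post suggests, as an added example that is not part of the original message: it reads anonymous_enable from vsftpd.conf text and tries the two login names the post mentions against a server you administer, listing any login that succeeds while the setting is NO. The function names, the placeholder password and the last-setting-wins parsing are assumptions of this example.

```python
import ftplib
import sys

ANON_USERS = ("anonymous", "ftp")  # the two login names tried in the post

def configured_anonymous(conf_text):
    """Return anonymous_enable as a bool from vsftpd.conf text."""
    enabled = True  # vsftpd's documented default is YES
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "anonymous_enable":
            # Assumption of this example: a later setting overrides an earlier one.
            enabled = value.strip().upper() == "YES"
    return enabled

def probe_login(host, port, user, timeout=5.0):
    """Return 'accepted', 'refused' or 'error' for one login attempt."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user=user, passwd="audit@example.invalid")  # placeholder password
        return "accepted"
    except ftplib.error_perm:
        return "refused"  # 5xx reply to USER or PASS
    except ftplib.all_errors:
        return "error"    # unreachable, timed out, or unexpected reply
    finally:
        ftp.close()

def audit(conf_text, host, port=21, users=ANON_USERS):
    """Return (per-user results, users accepted although the config says NO)."""
    results = {u: probe_login(host, port, u) for u in users}
    if configured_anonymous(conf_text):
        return results, []
    return results, [u for u, r in results.items() if r == "accepted"]

if __name__ == "__main__":
    with open("/etc/vsftpd.conf") as fh:
        conf = fh.read()
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results, violations = audit(conf, target)
    print(results)
    sys.exit(1 if violations else 0)  # non-zero when config and behaviour disagree
```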