[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Watch out! vsftpd anonymous access always enabled!

On Sat, Sep 20, 2003 at 12:47:21PM +0200, Robert van der Meulen wrote:
> Hi,
> 
> I was working on a newly-installed machine for a customer who requires an
> ftp server. After installing vsftpd (which i *had* good experience with), I
> noticed that the 'anonymous_enable' switch in /etc/vsftpd.conf, when set to
> 'NO' *does* allow anonymous access.
> Logging in using the 'anonymous' user does not work, logging in using the
> 'ftp' user *does* work.
> The 'ftp' user is listed in /etc/passwd and /etc/shadow, and has a disabled
> password on all machines where I tried this and saw it working.
> I was only able to test this with 1.2.0-2 .
> 
> If anyone here is running vsftpd on a non-anonymous box, I'd make sure to
> check this too. In the case of this customer (who has pretty sensitive data
> on his box), this could have been quite a disaster. 
> 
> 'funny':
> |Description: The Very Secure FTP Daemon
> | A lightweight, efficient FTP server written from the ground up with
> | security in mind.
> 
> Ahem.

I'm working on it.

Something is wrong with the PAM config...

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
Reply to: