
Re: Watch out! vsftpd anonymous access always enabled!



In article <20030921181134.GA7347@nevyn.them.org> you wrote:
> On Sat, Sep 20, 2003 at 12:47:21PM +0200, Robert van der Meulen wrote:
>> Hi,
>> 
>> I was working on a newly-installed machine for a customer who requires an
>> ftp server. After installing vsftpd (which I *had* good experience with), I
>> noticed that the 'anonymous_enable' switch in /etc/vsftpd.conf, when set to
>> 'NO' *does* allow anonymous access.
>> Logging in using the 'anonymous' user does not work, logging in using the
>> 'ftp' user *does* work.
>> The 'ftp' user is listed in /etc/passwd and /etc/shadow, and has a disabled
>> password on all machines where I tried this and saw it working.
>> I was only able to test this with 1.2.0-2.
>> 
>> If anyone here is running vsftpd on a non-anonymous box, I'd make sure to
>> check this too. In the case of this customer (who has pretty sensitive data
>> on his box), this could have been quite a disaster. 
>> 
>> 'funny':
>> |Description: The Very Secure FTP Daemon
>> | A lightweight, efficient FTP server written from the ground up with
>> | security in mind.
>> 
>> Ahem.
> 
> 1.2.0-3 is in incoming, or remove the pam_ftp line.
> 
> If you're running something in situations that could be "quite a
> disaster", I suggest you immediately rethink using the version of
> vsftpd from _unstable_.
> 
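
Added example, not part of the original thread or of the vsftpd package: a Python check for the mismatch reported above, where anonymous_enable=NO is set while the PAM stack used by vsftpd still has an active auth line for pam_ftp, the module that admits the ftp and anonymous users. The sample file contents are constructed, and two things are assumptions to verify locally: which PAM service file vsftpd reads on a given system, and that an unset anonymous_enable means YES.

```python
# Constructed sample inputs (not taken from the thread).
SAMPLE_VSFTPD_CONF = """\
# constructed /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
"""
SAMPLE_PAM_STACK = """\
# constructed PAM service file for vsftpd
auth    sufficient  pam_ftp.so
auth    required    pam_unix.so
account required    pam_unix.so
"""


def anonymous_enabled(conf_text, default=True):
    """Effective anonymous_enable; this check takes the last assignment."""
    value = default  # assumption: unset means YES (documented upstream default)
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key == "anonymous_enable":
            value = val.strip().upper() == "YES"
    return value


def pam_ftp_auth_lines(pam_text):
    """Return (line_number, text) for active auth lines that load pam_ftp.so."""
    hits = []
    for number, raw in enumerate(pam_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        # The module may be given as a bare name or as an absolute path.
        if any(tok.rsplit("/", 1)[-1] == "pam_ftp.so" for tok in fields[2:]):
            hits.append((number, raw.strip()))
    return hits


def audit(conf_text, pam_text):
    """pam_ftp auth lines that contradict anonymous_enable=NO (empty if none)."""
    if anonymous_enabled(conf_text):
        return []
    return pam_ftp_auth_lines(pam_text)


if __name__ == "__main__":
    for number, text in audit(SAMPLE_VSFTPD_CONF, SAMPLE_PAM_STACK):
        print(f"anonymous_enable=NO but PAM line {number} still admits ftp: {text}")
```

To run it against a real host, pass the contents of the vsftpd configuration file and of the PAM service file to audit() in place of the samples.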


