Subject: bin/491: /etc/ftpusers and /etc/ftpchroot do nothing.
To: None <>
From: matthew green <>
List: netbsd-bugs
Date: 09/20/1994 08:05:04
>Number:         491
>Category:       bin
>Synopsis:       /etc/ftpusers and /etc/ftpchroot are not used by ftpd(8), security
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    gnats-admin (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 20 08:05:03 1994
>Originator:     matthew green
bozo software foundation.
System: NetBSD 1.0_BETA NetBSD 1.0_BETA (_splode_) #23: Sat Sep 17 08:30:19 EST 1994 sparc

any users listed in /etc/ftpusers and /etc/ftpchroot can continue
to ftp in without being rejected, or chrooted to their $HOME.  this
evades the security that /etc/ftpusers and /etc/ftpchroot are
supposed to provide.  ouch.


add root to /etc/ftpusers, and ftp in as root.  ftpd will let
you in.

add any user to /etc/ftpchroot, and ftp in as that user.  ftpd will
not do a chroot() to that user's $HOME.
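
The login decision the report expects from ftpd, as an added example (not code from this report or from NetBSD's ftpd): a user listed in the deny file is rejected, and a user listed in the chroot file is confined to $HOME. Assumptions made here: one user name per line, '#' starts a comment, a deny entry wins over a chroot entry; the function names and sample lists are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum ftp_access { FTP_DENY, FTP_CHROOT, FTP_ALLOW };
/* 1 if `user` is the first word on some line of fp. Blank lines and
 * '#' comments never match (assumed file format, not taken from ftpd). */
static int listed(FILE *fp, const char *user)
{
    char line[256];
    int at_start = 1;               /* does the next chunk begin a line? */
    if (fp == NULL)
        return 0;                   /* no list file: nobody is listed */
    rewind(fp);
    while (fgets(line, sizeof line, fp) != NULL) {
        int starts_line = at_start;
        char *name = line + strspn(line, " \t");
        at_start = strchr(line, '\n') != NULL;  /* tail of an overlong line is skipped */
        name[strcspn(name, " \t\r\n")] = '\0';
        if (starts_line && *name != '#' && strcmp(name, user) == 0)
            return 1;
    }
    return 0;
}

/* Assumed precedence: deny beats chroot; unlisted users log in normally. */
static enum ftp_access ftp_login_policy(FILE *deny, FILE *jail, const char *user)
{
    if (listed(deny, user))
        return FTP_DENY;
    return listed(jail, user) ? FTP_CHROOT : FTP_ALLOW;
}

/* Constructed sample list, held in a temporary file. */
static FILE *sample(const char *text)
{
    FILE *fp = tmpfile();
    if (fp != NULL)
        fputs(text, fp);
    return fp;
}

int main(void)
{
    const char *users[] = { "root", "guest", "alice" };
    FILE *deny = sample("# constructed ftpusers\nroot\n");
    FILE *jail = sample("# constructed ftpchroot\nguest\n");
    for (int i = 0; i < 3; i++)     /* 0 = deny, 1 = chroot, 2 = allow */
        printf("%s -> %d\n", users[i], (int)ftp_login_policy(deny, jail, users[i]));
    return 0;
}
```

Running the two How-To-Repeat cases against a fixed ftpd should match the first two results: root is refused, and the ftpchroot user ends up confined to $HOME.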