Mail Archives: cygwin/2000/08/07/18:17:41
I agree that this is an NT feature; in fact, the guest account can be
renamed or disabled. Bob - if you disable the guest account on your
machine, cygwin shouldn't be able to log you in whether or not guest is
listed in /etc/passwd.
Rob
----- Original Message -----
From: "David A. Cobb" <superbiskit AT home DOT com>
To: <bheckel AT excite DOT com>; <cygwin AT sources DOT redhat DOT com>
Sent: Tuesday, August 08, 2000 12:10 AM
Subject: Re: inetd security hole?
> Bob Heckel wrote:
> >
> > I just set up inetd-1.3.2-5p1 as a service on my W2K box. My
> > thanks to the Cygwin team. Great job on this piece. There
> > may, however, be a security hole for some people. I was
> > able to FTP from a remote Unix box to my Cygwin W2K box
> > simply by using user guest and password (enter). Had to
> > delete the Guest entry from /etc/passwd to close the hole.
> >
> > I may not be configured properly and your system may be
> > different but I wanted to make sure no one is accidentally
> > exposed to trouble. I checked the mailing list search
> > engine prior to posting this and didn't see any warnings regarding this
> > issue.
> >
> > Bob Heckel
> >
>
> This sounds like part of the NT heritage. On an NT system the user
> name "guest" (null password) is normally enabled - might even be
> immutable. Guest, however, should have minimum or no access.
> Making that a true statement is an administrator's job.
>
> --
> David A. Cobb, Software Engineer, Public Access Advocate
> "Don't buy or use crappy software"
> "By the grace of God I am a Christian man,
> by my actions a great sinner" -- The Way of a Pilgrim [R. M.
> French, tr.]
>
> --
> Want to unsubscribe from this list?
> Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com
>
>