Message-ID: <392A4340.72F8B9E2@vinschen.de>
Date: Tue, 23 May 2000 10:37:20 +0200
From: Corinna Vinschen
Reply-To: cygwin
To: tomcw AT localnet DOT com
CC: cygwin AT sourceware DOT cygnus DOT com
Subject: Re: ftpd + Win98 = security hole
References: <3929EDFC DOT 8762 DOT 9BB92E AT localhost>

Tom Weichmann wrote:
> I have noticed that when running ftpd from inetd, anyone can log in
> via anonymous ftp. Usually the ftpd will chroot to /home/ftp for an
> anonymous login, but under win98 chroot does not work. This
> leaves user anonymous with read, write, execute, delete access to
> your whole machine. I tried adding user ftp to /etc/ftpusers, but
> this did not prevent the login. Is there any way to disable
> anonymous logins via ftpd?

I have just checked that on a W2K and a W98 system. /etc/ftpusers
does actually prevent login.

I have checked out another situation: If you have binary mounts and
your ftpusers file has DOS line endings (\r\n), ftpd is unable to
prevent logins via ftpusers. That's the only possible reason I can
see, so I suggest checking your ftpusers line endings.

I will change that in the next release of inetutils so that such
configuration files are always opened in text mode. Then you may have
both styles of line endings regardless of the mount mode.

Corinna

--
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company
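
The failure mode described in the reply above, as an added example that is not part of the original message and is not inetutils code: a deny-list lookup that compares whole lines stops matching when the file carries \r\n endings and is read without translation, so the listed user is let in. The function name, the in-memory samples and the '#' comment handling are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples: the same deny list saved with Unix and DOS line endings. */
static const char SAMPLE_UNIX[] = "# denied users\nroot\nftp\n";
static const char SAMPLE_DOS[]  = "# denied users\r\nroot\r\nftp\r\n";

/*
 * Hypothetical helper (not inetutils code): returns 1 if `user` appears on a
 * line of `contents`, 0 otherwise. Assumes one name per line and '#' comments.
 * tolerate_crlf = 0 models a binary-mode read: only '\n' ends a line, so a
 * DOS file yields "ftp\r". tolerate_crlf = 1 trims trailing '\r' and blanks.
 */
int user_listed(const char *contents, const char *user, int tolerate_crlf)
{
    const char *p = contents;

    while (*p != '\0') {
        char line[256];
        size_t len = strcspn(p, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;

        memcpy(line, p, n);
        line[n] = '\0';
        p += len;
        if (*p == '\n')
            p++;

        if (tolerate_crlf)
            while (n > 0 && (line[n - 1] == '\r' || line[n - 1] == ' ' ||
                             line[n - 1] == '\t'))
                line[--n] = '\0';

        if (line[0] == '#' || line[0] == '\0')
            continue;               /* skip comments and empty lines */
        if (strcmp(line, user) == 0)
            return 1;               /* user is on the deny list */
    }
    return 0;                       /* not listed: login would be allowed */
}

int main(void)
{
    printf("unix file, strict read:   %d\n", user_listed(SAMPLE_UNIX, "ftp", 0));
    printf("dos file,  strict read:   %d\n", user_listed(SAMPLE_DOS, "ftp", 0));
    printf("dos file,  tolerant read: %d\n", user_listed(SAMPLE_DOS, "ftp", 1));
    return 0;
}
```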