From: "Robert Collins"
To: "David A. Cobb"
Subject: Re: inetd security hole?
Date: Tue, 8 Aug 2000 08:23:57 +1000

I agree that this is an NT feature.. in fact the guest account can be renamed, or disabled.

Bob - if you disable the guest account on your machine, cygwin shouldn't be able to log you in whether or not guest is listed in /etc/passwd.

Rob

----- Original Message -----
From: "David A. Cobb"
Sent: Tuesday, August 08, 2000 12:10 AM
Subject: Re: inetd security hole?

> Bob Heckel wrote:
> >
> > I just set up inetd-1.3.2-5p1 as a service on my W2K box. My
> > thanks to the Cygwin team. Great job on this piece. There
> > may, however, be a security hole for some people. I was
> > able to FTP from a remote Unix box to my Cygwin W2K box
> > simply by using user guest and password (enter). Had to
> > delete the Guest entry from /etc/passwd to close the hole.
> >
> > I may not be configured properly and your system may be
> > different but I wanted to make sure no one is accidentally
> > exposed to trouble. I checked the mailing list search
> > engine prior to posting this and didn't see any warnings regarding this
> > issue.
> >
> > Bob Heckel
> >
>
> This sounds like part of the NT heritage. On an NT system the user
> name "guest" (null password) is normally enabled - might even be
> immutable. Guest, however, should have minimum or no access.
> Making that a true statement is an administrator's job.
>
> --
> David A. Cobb, Software Engineer, Public Access Advocate
> "Don't buy or use crappy software"
> "By the grace of God I am a Christian man,
> by my actions a great sinner" -- The Way of a Pilgrim [R. M.
> French, tr.]
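An audit for the condition discussed in this thread, as an added example that is not part of the original messages or of Cygwin itself: it flags `/etc/passwd` entries that map to the built-in NT Guest account by SID (the built-in Guest always has RID 501, so a renamed account is still caught) and falls back to a name match. The entry layout with the SID in the gecos field, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag /etc/passwd entries that map to the built-in NT Guest account.
# Assumed entry layout (mkpasswd-style): name:passwd:uid:gid:gecos-with-SID:home:shell

# Constructed sample data, not taken from a real machine.
sample_passwd() {
    cat <<'EOF'
# constructed sample
Administrator::500:513:,S-1-5-21-1111111111-2222222222-3333333333-500:/home/Administrator:/bin/bash
visitor::501:513:,S-1-5-21-1111111111-2222222222-3333333333-501:/home/visitor:/bin/bash
bob::1000:513:,S-1-5-21-1111111111-501-3333333333-1000:/home/bob:/bin/bash
guest::1006:513::/home/guest:/bin/bash
EOF
}

# Reads passwd lines on stdin, prints "name: reason" for each suspect entry.
audit_guest() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            reason = ""
            # Pull the full SID out of the gecos field and take its last part (the RID).
            if (match($5, /S-1-5-21(-[0-9]+)+/)) {
                n = split(substr($5, RSTART, RLENGTH), part, "-")
                if (part[n] == "501") reason = "SID ends in RID 501 (built-in Guest, even if renamed)"
            }
            # Entries without a SID are matched on the account name only.
            if (reason == "" && tolower($1) == "guest") reason = "account is named guest"
            if (reason != "") printf "%s: %s\n", $1, reason
        }
    '
}

sample_passwd | audit_guest
```

On a live system, run it as `audit_guest < /etc/passwd`; a hit is an entry to check against whether the Windows Guest account is enabled.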