Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Date: Mon, 21 Jan 2002 10:39:59 +0100 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: security with the ftp daemon Message-ID: <20020121103959.G11608@cygbert.vinschen.de> Mail-Followup-To: cygwin AT cygwin DOT com References: <002c01c1a23f$ac0f2e80$2801a8c0 AT DCUTHBERT2K> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <002c01c1a23f$ac0f2e80$2801a8c0@DCUTHBERT2K> User-Agent: Mutt/1.3.22.1i On Mon, Jan 21, 2002 at 02:51:29PM +0900, Dylan Cuthbert wrote: > Hi there, > > I've set up the ftp server with inetutils on win2k, but I get a strange > security hole. > > I've set permissions so that only "Administrators" can access the cygwin > directories. The home directories are only accessible by their respective > users and /bin is Everyone and read-only. > > However, after setting this up and rebooting the machine once, if I ftp in > as a regular user I can access all the administrator priviledge directories > (in read/write mode!) with no problem at all. Is this a known problem and > is there a way to get it to work securely? Surely the ftp daemon should > switch its user to the id of the person logging in? Check if your /etc/group is setup correctly. If the group of the user doesn't exist, setgid() falls back to the admins group currently. -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin AT cygwin DOT com Red Hat, Inc. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Bug reporting: http://cygwin.com/bugs.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/