Re: ftp access
From: Carroll Kong (damascus@home.com)
Date: 02/28/01
Date: Wed, 28 Feb 2001 09:37:06 -0500
To: Roelof Osinga <roelof@eboa.com>
From: Carroll Kong <damascus@home.com>
At 07:21 AM 2/28/01 +0100, Roelof Osinga wrote:
>Carroll Kong wrote:
> >
> > > ...
> > >Not on 4.2 anyway. Just today - ok, technically yesterday, but who's
> > >counting? - I realized that the client was right after all. He could
> > >not log in indeed. Due to /sbin/nologin.
> > >
> > >When using regular ftpd. Using ProFTPd no problem.
> > >
> > >Ah, as a matter of fact, I was using inetd. Haven't tried
> > >daemon mode with 4.2 yet. Who knows? There might be hope, still.
>
> > That is odd. The reason why ftpd does not work is because........ man ftpd
> > shows
> >
> > 4. The user must have a standard shell returned by
> > getusershell(3).
> >
> > So, man getusershell shows
> >
> > The getusershell() function returns a pointer to a legal user shell as
> > defined by the system manager in the file /etc/shells. If /etc/shells is
> > unreadable or does not exist, getusershell() behaves as if /bin/sh and
> > /bin/csh were listed in the file.
> >
> > This is very odd, unless I am forgetting something I did, I JUST
> > did this with a client two days ago on 4.2-STABLE. Telnet results in "not
> > authorized" or something like that, and ftpd lets them in happily. Same
> > user name and all. Please look it over, I am outright positive it
> > works! (ok, maybe 99.99999% sure). What is the error message? User
> > denied? Check man ftpd for that list of "reasons why ftpd would tell your
> > user to go away".
>
>
>As you can see, a lot more ASCII than before.
>
>But don't let me interrupt you. You were saying "maybe
>99.99999% sure"... <g>.
>
>Ok, so how about that 0.00001% you were not sure about? ;)
>
>I agree, this isn't supposed to happen. But that's the story
>of my life. Yet I *am* alife! So, there you go.
>
>Roelof
>Rob Simmons wrote:
> >
> > /sbin/nologin as the user's shell. You also have to add this shell to
> > /etc/shells
Well, if you want to be sly about it, how about you try reading what I
wrote and what the others wrote? How about you do a cat /etc/shells | grep
nologin. If that returns nothing, I think you just absolutely ignored our
advice and ignored man ftpd and man getusershell which I posted quite
clearly. Mine returns "/sbin/nologin" as an allowable shell, so
getusershell returns a value pointer, so ftpd lets it through check point
#4. That is my 99.999999% sure part talking, unless you got some other
weirdo problem which I do not quite understand. The 99.999999% is also
saying that your cat /etc/shells | grep nologin is going to return nothing.
-Carroll Kong
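
An added example, not part of the original message: a stricter form of the `cat /etc/shells | grep nologin` check that only counts active, whole-line entries and applies the fallback from the quoted getusershell(3) text. The function names and sample files are constructed for illustration, and the parsing only approximates what getusershell(3) does.

```shell
#!/bin/sh
# Added example: approximates the getusershell(3) lookup behind ftpd rule 4.

# shell_allowed SHELL [SHELLS_FILE]: succeed if SHELL is an active entry.
shell_allowed() {
    want=$1 file=${2:-/etc/shells}
    if [ ! -r "$file" ]; then
        # Man page fallback: only /bin/sh and /bin/csh count as listed.
        case $want in /bin/sh|/bin/csh) return 0 ;; *) return 1 ;; esac
    fi
    # Drop comments and surrounding blanks, then require a whole-line match.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
        grep -Fxq -- "$want"
}

# ftp_denied_users PASSWD_FILE [SHELLS_FILE]: print logins that fail rule 4.
ftp_denied_users() {
    awk -F: '!/^#/ && NF >= 7 { print $1 ":" $NF }' "$1" |
    while IFS=: read -r user shell; do
        # Assumption: an empty shell field is treated as /bin/sh.
        shell_allowed "${shell:-/bin/sh}" "${2:-/etc/shells}" || echo "$user"
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample files, not taken from the thread.
    printf '%s\n' '# /sbin/nologin' '/bin/sh' '/bin/csh' > "$dir/shells.commented"
    printf '%s\n' '/bin/sh' '/bin/csh' '/sbin/nologin' > "$dir/shells.fixed"
    printf '%s\n' 'alice:*:1001:1001:Alice:/home/alice:/bin/csh' \
        'ftponly:*:1002:1002:FTP only:/home/ftponly:/sbin/nologin' > "$dir/passwd"
    for f in shells.commented shells.fixed; do
        echo "$f: grep finds $(grep -c nologin "$dir/$f") line(s);" \
             "denied: $(ftp_denied_users "$dir/passwd" "$dir/$f" | tr '\n' ' ')"
    done
    rm -rf "$dir"
}
demo
```

With the commented-out entry, a plain grep still reports a match while the account is denied, which is the case the substring check cannot distinguish.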