Vulnerability Development
mailing list archives
Re: wu-ftpd and /etc/passwd
From: bastian () BRAIN UNI-FREIBURG DE (Bastian Friedrich)
Date: Thu, 13 Jul 2000 15:35:49 +0200
Hi!
Chico claimed on Thu, 13 Jul 2000 at 07:47:
> is wuftpd dependent upon the user account having a valid shell for security
> reasons or just by design?
> i.e. if i edit a user's shell in /etc/passwd and set it to /bin/noshell that
> user cannot ftp in...
man wu.ftpd:
    3) The user must have a standard shell returned by
       getusershell(3).
If you put /bin/noshell into your /etc/shells, users should be able to
connect via ftp. The most common option is to use /bin/false or /bin/true
(depends on your view of life :) as a shell for users that should not be
able to log in. Make sure /bin/false and /bin/true are binaries; older
versions (at least under Linux) were shell scripts and might open a race
condition.
One reason for not letting users with invalid shells connect may be that
you can entirely disable obsoleted users without removing their accounts
or erasing their passwords.
That's a security reason by design...
Bastian
--
Bastian Friedrich bastian () bastian-friedrich de
Adress & Fon available on my HP http://www.bastian-friedrich.de/
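
The rule quoted from the man page, as an added example that is not part of the original message and is not wu-ftpd's own code: a small audit that reports which passwd entries would pass the getusershell(3) check. The user names, the sample shell list and the function names are constructed for illustration; pass shell_is_listed instead of sample_is_listed to check against the real /etc/shells.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Live check: is `shell` among the entries getusershell(3) returns? */
int shell_is_listed(const char *shell) {
    const char *s;
    int found = 0;
    setusershell();
    while (!found && (s = getusershell()) != NULL)
        found = strcmp(s, shell) == 0;
    endusershell();
    return found;
}

/* Constructed stand-in for /etc/shells, as in the thread: /bin/noshell added. */
int sample_is_listed(const char *shell) {
    static const char *listed[] = { "/bin/sh", "/bin/bash", "/bin/noshell", NULL };
    for (int i = 0; listed[i]; i++)
        if (strcmp(listed[i], shell) == 0) return 1;
    return 0;
}

const char SAMPLE_PASSWD[] =   /* constructed passwd(5) lines, hypothetical users */
    "alice:x:1000:1000::/home/alice:/bin/bash\n"
    "ftponly:x:1001:1001::/home/ftponly:/bin/noshell\n"
    "retired:x:1002:1002::/home/retired:/bin/false\n"
    "legacy:x:1003:1003::/home/legacy:\n";

/* Print one decision per account; return how many pass the shell check. */
int audit_passwd(const char *text, int (*listed)(const char *)) {
    char line[512];
    int allowed = 0;
    while (*text) {
        size_t n = strcspn(text, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, text);
        text += n + (text[n] == '\n');
        const char *shell = line;
        int colons = 0;
        for (char *p = line; *p && colons < 6; p++)
            if (*p == ':') { colons++; shell = p + 1; }  /* 7th field = shell */
        if (colons < 6) continue;                /* malformed line: skip */
        if (*shell == '\0') shell = "/bin/sh";   /* passwd(5): empty means /bin/sh */
        int ok = listed(shell);
        allowed += ok;
        printf("%-8.*s %-13s %s\n", (int)strcspn(line, ":"), line, shell, ok ? "FTP allowed" : "FTP refused");
    }
    return allowed;
}
int main(void) { audit_passwd(SAMPLE_PASSWD, sample_is_listed); return 0; }
```

In the sample, the account with /bin/false is refused only because /bin/false is absent from the shell list; listing it there would let that account pass the check.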