[431] in linux-security and linux-alert archive


Re: slackware 3.0 bad hole

daemon@ATHENA.MIT.EDU (Al Longyear)
Thu Oct 26 18:49:01 1995

From: "Al Longyear" <longyear@sii.com>
To: okir@monad.swb.de (Olaf Kirch)
Date: Thu, 26 Oct 1995 13:29:39 -0700 (PDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199510261844.OAA27287@tarsier.cv.nrao.edu> from "Olaf Kirch" at Oct 25, 95 12:22:04 pm

> 
> Jean-Luc Duprat wrote:
> > I've just finished installing slackware 3.0 from the Walnut Creek cdrom and to
> > my horror I saw that in ~ftp/etc the password file has root with no password:
> 
> Whether this is really a security problem depends on the ftpd you're
> using.  wu-ftpd will not allow sub-logins from within the guest account.
> (Neither will it let you log into passwordless accounts, even if they
> appeared in /etc/passwd).
> 
> So the question is which ftpd is Slackware using?

It does not matter what version of Slackware is being used. It does
not matter which version or what program of ftpd is being used. They
all operate the same way when it comes to this.

Read my lips . . . . THIS IS NOT A BUG.

The 'panic' message about 'horror' conditions was posted by someone
who didn't do his homework. There are enough real security holes in most
any UNIX platform so that we don't need phantom ones from uneducated
users.

The files in the ~ftp/etc directory are there for the sole use of the
'ls' program for anonymous ftp users only. All that is used is the name
of the account and the account id.

The anonymous ftp system will operate just fine if you totally removed
all of the files in ~ftp/etc. The only difference would be that you
would get numbers for the 'ls -l' function rather than cute names.

-- 
Al Longyear                          longyear@sii.com
The above opinions do not necessarily represent those of the Management
of System Integrators nor any of its subsidiaries.
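
Added example, not part of the original message or of any ftpd distribution: since the message above says `ls` only uses the account name and id from `~ftp/etc`, this Python sketch reduces a passwd-format file to those fields and notes which entries carried anything else. The function name `minimal_entries`, the `keep` parameter and the sample data are assumptions made for illustration.

```python
# Constructed sample in passwd(5) format; not taken from any real system.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/bash
ftp:*:404:1::/home/ftp:/bin/bash
alice:Constructed0HashValue:1000:100:Alice Example:/home/alice:/bin/bash
broken line without fields
"""

def minimal_entries(passwd_text, keep=None):
    """Return (lines, notes).

    lines: entries cut down to name, uid and gid (gid kept only so the
           line stays valid passwd format); every other field is blanked
           and the password field is set to '*'.
    notes: one remark per entry whose password field held something other
           than a placeholder, and per malformed line.
    keep:  optional set of account names to retain (hypothetical knob).
    """
    lines, notes = [], []
    for lineno, raw in enumerate(passwd_text.splitlines(), 1):
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            notes.append(f"line {lineno}: malformed, skipped")
            continue
        name, pw, uid, gid = fields[:4]
        if keep is not None and name not in keep:
            continue
        if pw == "":
            notes.append(f"{name}: empty password field, replaced with '*'")
        elif pw not in ("*", "x", "!"):
            notes.append(f"{name}: password field held a value, replaced with '*'")
        lines.append(f"{name}:*:{uid}:{gid}:::")
    return lines, notes

if __name__ == "__main__":
    entries, remarks = minimal_entries(SAMPLE_PASSWD, keep={"root", "ftp"})
    print("\n".join(entries))
    for remark in remarks:
        print("#", remark)
```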
