Date: Fri, 14 Dec 2007 16:11:24 -0500
From: Valdis.Kletnieks@...edu
To: Adam N <interfect@...il.com>
Cc: kcope <kingcope@....net>, full-disclosure@...ts.grok.org.uk
Subject: Re: Small Design Bug in Postfix - REMOTE

On Fri, 14 Dec 2007 13:52:33 CST, Adam N said:

> No, the idea is that you are a user with no login access, only FTP.
> By doing this, you get shell access (with sane privileges, thankfully) when
> you're supposed to only have FTP.

And this is why, for at least 2 decades, it's been recommended that people
doing the "FTP-only user" put the writeable directories for that user under
~ftp/$USER or some such, rather than ~$USER, and make the login shell for the
user /bin/false, and other such things.

For bonus points - if it's an FTP-only userid, why does the sysadmin not
have e-mail for the userid *blocked*? After all, if they can't log in, they
can't *read* any mail that gets delivered to the system. Even if you fix
the MTA to drop mail directly in $HOME/mbox, it's the rare FTP daemon that
understands the locking needed to make this work - that's the primary
reason why the POP protocol was invented.
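The three checks above (home directory under the FTP tree rather than ~$USER, a non-login shell, and no mail accepted for the account) as an added audit script; this is example code, not from the original post or from Postfix. It assumes an FTP-only account is one whose shell is /bin/false or ends in /nologin, that the FTP tree root is a hypothetical FTP_ROOT (default /var/ftp), and it reads constructed passwd lines instead of /etc/passwd.

```shell
#!/bin/sh
# Added example: audit FTP-only accounts whose home is a real ~$USER,
# where an MTA may look for per-user delivery files, and emit a
# recipient access map fragment that blocks mail to them.
FTP_ROOT="${FTP_ROOT:-/var/ftp}"   # assumed anonymous-FTP tree root

# Constructed sample passwd lines (stand-in for /etc/passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/bash
ftpbob:x:1002:1002::/home/ftpbob:/bin/false
ftpcarol:x:1003:1003::/var/ftp/carol:/usr/sbin/nologin
ftpdave:x:1004:1004::/home/dave:/sbin/nologin'

# Print "user:home" for every FTP-only account (shell /bin/false or
# */nologin) whose home directory is NOT under $FTP_ROOT.
risky_ftp_users() {
    printf '%s\n' "$1" | awk -F: -v root="$FTP_ROOT" '
        $7 == "/bin/false" || $7 ~ /\/nologin$/ {
            # index()==1 means the home path starts with "<root>/"
            if (index($6, root "/") != 1) print $1 ":" $6
        }'
}

# Emit a Postfix access(5)-style map: "user@" matches that local part in
# any domain. Feed the output to postmap and reference the table with
# check_recipient_access so the MTA rejects mail for these accounts.
recipient_block_map() {
    risky_ftp_users "$1" | awk -F: \
        '{ print $1 "@ REJECT FTP-only account, mail is never read" }'
}

# Stand-alone run over the constructed sample.
risky_ftp_users "$SAMPLE_PASSWD"
recipient_block_map "$SAMPLE_PASSWD"
```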
