| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <17733.1197666684@turing-police.cc.vt.edu>
Date: Fri, 14 Dec 2007 16:11:24 -0500
From: Valdis.Kletnieks@...edu
To: Adam N <interfect@...il.com>
Cc: kcope <kingcope@....net>, full-disclosure@...ts.grok.org.uk
Subject: Re: Small Design Bug in Postfix - REMOTE
On Fri, 14 Dec 2007 13:52:33 CST, Adam N said:
> No, the idea is that you are a user with no login access, only FTP.
> By doing this, you get shell access (with sane privileges, thankfully) when
> you're supposed to only have FTP.
And this is why, for at least 2 decades, it's been recommended that people
doing the "FTP-only user" put the writeable directories for that user under
~ftp/$USER or some such, rather than ~$USER, and make the login shell for the
user /bin/false, and other such things.
For bonus points - if it's an FTP-only userid, why does the sysadmin not
have e-mail for the userid *blocked*? After all, if they can't login, they
can't *read* any mail that gets delivered to the system. Even if you fix
the MTA to drop mail directly in $HOME/mbox, it's the rare FTP daemon that
understands the locking needed to make this work - that's the primary
reason why the POP protocol was invented.
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists