Vulnerability Development mailing list archives
Re: wu-ftpd and /etc/passwd
From: sinster () DARKWATER COM (Jon Paul, Nollmann)
Date: Thu, 13 Jul 2000 12:12:40 -0700
Sprach Chico <chico () SUMMITPRO COM>:
> is wuftpd dependent upon the user account having a valid shell for security reasons or just by design?
I can't speak for wuftpd in specific, only its authors can, but it's general practice to disallow logins when either the password isn't matched or when the shell is invalid. It's done for security reasons: it dodges a lot of errors with the old .rhosts, hosts.equiv, lpd % hack, and other similar mechanisms. So, yes: it is done for security reasons _and_ by design.

(Note: it's usually more effective to set the shell to a program that actually exists but is inoffensive, rather than a program that doesn't exist... Historically, a number of daemons, in an attempt to be helpful, exec /bin/sh whenever they can't execute the shell in /etc/passwd. Most don't exist anymore, but I can't say that none exist now. My disable-shell of choice is /bin/false.)

-- 
Jon Paul Nollmann ne' Darren Senn sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
Defenestrate Microsoft!
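The two policies contrasted in the reply, as an added example that is not part of the original post or of wu-ftpd: a "shell must be listed in /etc/shells" check beside a model of the old helpful-daemon behaviour that falls back to /bin/sh when the configured shell cannot be run. The shell list, program set and passwd lines are constructed sample data.

```python
# Added example (not from the original post): models the two shell-handling
# policies the reply contrasts. All data below is constructed for illustration.

VALID_SHELLS = ["/bin/sh", "/bin/bash", "/bin/csh"]          # stands in for /etc/shells
PROGRAMS_ON_DISK = set(VALID_SHELLS) | {"/bin/false", "/sbin/nologin"}
SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/false
carol:x:1002:1002:Carol:/home/carol:/usr/local/bin/gone
ftp:x:14:50:FTP user:/var/ftp:/sbin/nologin
"""

def parse_passwd(text):
    """Map user -> login shell from passwd(5)-formatted text; skip malformed lines."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue
        # An empty seventh field means "use /bin/sh" per passwd(5).
        shells[fields[0]] = fields[6] or "/bin/sh"
    return shells

def shells_check(shell, valid_shells=VALID_SHELLS):
    """Policy the reply recommends: reject unless the shell is listed in /etc/shells."""
    return shell in valid_shells

def legacy_fallback(shell, on_disk=PROGRAMS_ON_DISK):
    """Behaviour the reply warns about: a daemon that runs /bin/sh when the
    configured shell cannot be executed. A missing shell therefore yields a
    working shell, while /bin/false is run as-is and exits immediately."""
    return shell if shell in on_disk else "/bin/sh"

def audit(passwd_text=SAMPLE_PASSWD):
    """Per user: is login allowed under the /etc/shells policy, and what
    would a fallback daemon actually execute for that account?"""
    report = {}
    for user, shell in parse_passwd(passwd_text).items():
        report[user] = {"shell": shell,
                        "allowed": shells_check(shell),
                        "fallback_runs": legacy_fallback(shell)}
    return report

if __name__ == "__main__":
    for user, info in audit().items():
        warn = info["fallback_runs"] == "/bin/sh" and not info["allowed"]
        print(f"{user:6} shell={info['shell']:22} allowed={info['allowed']!s:5} "
              f"fallback_runs={info['fallback_runs']}"
              + ("  <-- legacy daemon would hand out a shell" if warn else ""))
```

Only carol, whose shell is a path that does not exist, ends up with a real shell under the fallback model; bob's /bin/false is executed as-is and simply exits.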
Current thread:
- wu-ftpd and /etc/passwd Chico (Jul 13)
- Re: wu-ftpd and /etc/passwd Tarhon-Onu Victor (Jul 13)
- Re: wu-ftpd and /etc/passwd Fabio Roccatagliata (Jul 13)
- Re: wu-ftpd and /etc/passwd Bastian Friedrich (Jul 13)
- Re: wu-ftpd and /etc/passwd Thomas Vincent (Jul 17)
- Re: wu-ftpd and /etc/passwd Jon Paul, Nollmann (Jul 13)