Date:      Wed, 28 Feb 2001 09:37:06 -0500
From:      Carroll Kong <damascus@home.com>
To:        Roelof Osinga <roelof@eboa.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ftp access
Message-ID:  <4.2.2.20010228092524.00ba1b10@netmail.home.com>
In-Reply-To: <3A9C98D1.C6919F6@eboa.com>
References:  <Pine.BSF.4.33.0102271738250.82118-100000@mail.wlcg.com> <4.2.2.20010228002521.00c58340@netmail.home.com>

At 07:21 AM 2/28/01 +0100, Roelof Osinga wrote:
>Carroll Kong wrote:
> >
> > > ...
> > >Not on 4.2 anyway. Just today - ok, technically yesterday, but who's
> > >counting? - I realized that the client was right after all. He could
> > >not log in indeed. Due to /sbin/nologin.
> > >
> > >When using regular ftpd. Using ProFTPd no problem.
> > >
> > >Ah, as a matter of fact, I was using inetd. Haven't tried
> > >daemon mode with 4.2 yet. Who knows? There might be hope, still.
>
> > That is odd.  The reason why ftpd does not work is because........ man ftpd
> > shows
> >
> >             4.   The user must have a standard shell returned by
> >                  getusershell(3).
> >
> > So, man getusershell shows
> >
> >       The getusershell() function returns a pointer to a legal user shell as
> >       defined by the system manager in the file /etc/shells.  If /etc/shells is
> >       unreadable or does not exist, getusershell() behaves as if /bin/sh and
> >       /bin/csh were listed in the file.
> >
> >          This is very odd, unless I am forgetting something I did, I JUST
> > did this with a client two days ago on 4.2-STABLE.  Telnet results in "not
> > authorized" or something like that, and ftpd lets them in happily.  Same
> > user name and all.  Please look it over, I am outright positive it
> > works!  (ok, maybe 99.99999% sure).  What is the error message?  User
> > denied?  Check man ftpd for that list of "reasons why ftpd would tell your
> > user to go away".
>
>
>As you can see, a lot more ASCII than before.
>
>But don't let me interrupt you. You were saying "maybe
>99.99999% sure"... <g>.
>
>Ok, so how about that 0.00001% you were not sure about? ;)
>
>I agree, this isn't supposed to happen. But that's the story
>of my life. Yet I *am* alife! So, there you go.
>
>Roelof


>Rob Simmons wrote:
> >
> > /sbin/nologin as the user's shell.  You also have to add this shell to
> > /etc/shells

Well, if you want to be sly about it, how about you try reading what I 
wrote and what the others wrote?  How about you do a cat /etc/shells | grep 
nologin.  If that returns nothing, I think you just absolutely ignored our 
advice and ignored man ftpd and man getusershell which I posted quite 
clearly.  Mine returns "/sbin/nologin" as an allowable shell, so 
getusershell returns a value pointer, so ftpd lets it through check point 
#4.  That is my 99.999999% sure part talking, unless you got some other 
weirdo problem which I do not quite understand.  The 99.999999% is also 
saying that your cat /etc/shells | grep nologin is going to return nothing.

-Carroll Kong
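
Added example, not part of the original message: a shell sketch of the check discussed in this thread, applying the quoted getusershell(3) rules to an account's shell. The function names, the simplified /etc/shells parsing and the sample accounts are assumptions made for illustration; unlike a plain grep for "nologin", it requires an exact match, so a commented-out entry or a different path does not count.

```shell
#!/bin/sh
# shell_is_listed SHELL [SHELLS_FILE]: exit 0 if SHELL passes the
# getusershell(3) rule quoted in the thread, 1 otherwise.
shell_is_listed() {
    want=$1
    file=${2:-/etc/shells}
    # Unreadable or missing file: behave as if only /bin/sh and /bin/csh
    # were listed (getusershell(3) fallback).
    if [ ! -r "$file" ]; then
        case $want in
            /bin/sh|/bin/csh) return 0 ;;
            *) return 1 ;;
        esac
    fi
    # Simplified parsing (assumption): strip '#' comments and blanks, then
    # require an exact match, so "#/sbin/nologin" or
    # "/usr/local/sbin/nologin" do not count as "/sbin/nologin".
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ "$line" = "$want" ] && return 0
    done < "$file"
    return 1
}

# refused_users PASSWD_FILE [SHELLS_FILE]: print accounts (passwd(5) format,
# shell in field 7) whose shell would fail the check above.
refused_users() {
    while IFS=: read -r user f2 f3 f4 f5 f6 shell; do
        case $user in ''|'#'*) continue ;; esac
        # passwd(5): an empty shell field means /bin/sh.
        [ -n "$shell" ] || shell=/bin/sh
        shell_is_listed "$shell" "${2:-/etc/shells}" || echo "$user"
    done < "$1"
}

# Constructed sample data (not from the thread).
demo_dir=$(mktemp -d)
printf '# shells\n/bin/sh\n/bin/csh\n' > "$demo_dir/shells"
printf 'alice:*:1001:1001:Alice:/home/alice:/bin/csh\n' > "$demo_dir/passwd"
printf 'ftponly:*:1002:1002:FTP only:/home/ftponly:/sbin/nologin\n' >> "$demo_dir/passwd"
echo "refused before: $(refused_users "$demo_dir/passwd" "$demo_dir/shells")"
echo /sbin/nologin >> "$demo_dir/shells"
echo "refused after: $(refused_users "$demo_dir/passwd" "$demo_dir/shells")"
rm -rf "$demo_dir"
```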

