From owner-freebsd-security Wed Feb 28 6:36:11 2001
Date: Wed, 28 Feb 2001 09:37:06 -0500
From: Carroll Kong
To: Roelof Osinga
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
In-Reply-To: <3A9C98D1.C6919F6@eboa.com>

At 07:21 AM 2/28/01 +0100, Roelof Osinga wrote:
>Carroll Kong wrote:
>>
>> > ...
>> >Not on 4.2 anyway. Just today - ok, technically yesterday, but who's
>> >counting? - I realized that the client was right after all. He could
>> >not log in indeed. Due to /sbin/nologin.
>> >
>> >When using regular ftpd. Using ProFTPd no problem.
>> >
>> >Ah, as a matter of fact, I was using inetd. Haven't tried
>> >daemon mode with 4.2 yet. Who knows? There might be hope, still.
>>
>> That is odd. The reason why ftpd does not work is because........ man ftpd
>> shows
>>
>> 4. The user must have a standard shell returned by
>> getusershell(3).
>>
>> So, man getusershell shows
>>
>> The getusershell() function returns a pointer to a legal user shell as
>> defined by the system manager in the file /etc/shells. If /etc/shells is
>> unreadable or does not exist, getusershell() behaves as if /bin/sh and
>> /bin/csh were listed in the file.
>>
>> This is very odd, unless I am forgetting something I did, I JUST
>> did this with a client two days ago on 4.2-STABLE. Telnet results in "not
>> authorized" or something like that, and ftpd lets them in happily. Same
>> user name and all. Please look it over, I am outright positive it
>> works! (ok, maybe 99.99999% sure). What is the error message? User
>> denied? Check man ftpd for that list of "reasons why ftpd would tell your
>> user to go away".
>
>As you can see, a lot more ASCII than before.
>
>But don't let me interrupt you. You were saying "maybe
>99.99999% sure"... .
>
>Ok, so how about that 0.00001% you were not sure about? ;)
>
>I agree, this isn't supposed to happen. But that's the story
>of my life. Yet I *am* alive! So, there you go.
>
>Roelof

>Rob Simmons wrote:
>>
>> /sbin/nologin as the user's shell. You also have to add this shell to
>> /etc/shells

Well, if you want to be sly about it, how about you try reading what I wrote
and what the others wrote? How about you do a cat /etc/shells | grep nologin.
If that returns nothing, I think you just absolutely ignored our advice and
ignored man ftpd and man getusershell which I posted quite clearly. Mine
returns "/sbin/nologin" as an allowable shell, so getusershell returns a
value pointer, so ftpd lets it through check point #4. That is my 99.999999%
sure part talking, unless you got some other weirdo problem which I do not
quite understand. The 99.999999% is also saying that your cat /etc/shells |
grep nologin is going to return nothing.

-Carroll Kong
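As an added example (not part of the thread and not FreeBSD's own code), the POSIX shell script below mirrors ftpd's check #4 as quoted above: the user's shell must be one that getusershell(3) returns, i.e. listed in /etc/shells, with /bin/sh and /bin/csh as the fallback when that file is unreadable. It then audits which accounts have /sbin/nologin as their shell yet would still pass the ftpd check once /sbin/nologin is listed in /etc/shells. The sample shells and passwd files are constructed here; the function names are this example's own.

```shell
#!/bin/sh
# Added example: reproduce ftpd's shell check against a shells file and a
# passwd-format file. Mirrors the rule quoted from getusershell(3): if the
# shells file is unreadable or missing, only /bin/sh and /bin/csh count.

# Print the legal login shells from the given shells file (default /etc/shells),
# skipping comment and blank lines; fall back to /bin/sh and /bin/csh when the
# file cannot be read, as getusershell(3) does.
legal_shells() {
    file="${1:-/etc/shells}"
    if [ -r "$file" ]; then
        grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$'
    else
        printf '%s\n' /bin/sh /bin/csh
    fi
}

# Return 0 if ftpd's check #4 would accept the given shell, 1 otherwise.
# $1 = shell path, $2 = shells file (optional).
ftpd_shell_allowed() {
    legal_shells "$2" | grep -qxF "$1"
}

# Print the accounts from a passwd-format file whose shell is /sbin/nologin
# but which ftpd would still admit because /sbin/nologin is a legal shell.
# $1 = passwd file, $2 = shells file.
nologin_but_ftp_ok() {
    if ftpd_shell_allowed /sbin/nologin "$2"; then
        awk -F: '$7 == "/sbin/nologin" { print $1 }' "$1"
    fi
}

# Constructed sample files (not real system files), removed on exit.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf '%s\n' '# legal shells' /bin/sh /bin/csh /sbin/nologin > "$TMP/shells"
printf '%s\n' \
    'root:*:0:0:root:/root:/bin/csh' \
    'ftponly:*:1001:1001:FTP only:/home/ftponly:/sbin/nologin' \
    'alice:*:1002:1002:Alice:/home/alice:/bin/sh' > "$TMP/passwd"

# Accounts that cannot get a telnet/ssh shell but can still log in via ftpd.
nologin_but_ftp_ok "$TMP/passwd" "$TMP/shells"
```

Run against the real files with `nologin_but_ftp_ok /etc/passwd /etc/shells` to see which accounts the /etc/shells entry opens up to ftpd.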