Package: pure-ftpd-mysql
Version: 1.0.19-4
Severity: normal
Tags: security
If anything bad happens to a user's home directory (deleted, not mounted, database not in sync with its master, etc.), pure-ftpd will allow r to the entire filesystem, and w to whatever place the given user can write to (and since virtual users usually don't have separate Unix uids, that typically means the home dirs of all other virtual accounts). And on a system with no untrusted local users, many private dirs tend to be world-readable. The ftp daemon should obviously deny access instead of granting it when not configured to allow it.

A sample session:

Connected to 10.0.2.2.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 11:31. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (10.0.2.2:kilobyte):
331 User kilobyte OK. Password required
Password:
230-/home/ftp/dealerzy/kilobyte does not exist or is unreachable [No such file or directory].
230-Starting in /
230-User kilobyte has group access to:  dealerzy
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Connecting to port 22208
drwxr-xr-x    2 0          root             2048 Jan 10 18:42 bin
drwxr-xr-x    3 0          root             1024 Jan 10 18:27 boot
[...]

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages pure-ftpd-mysql depends on:
ii  libc6                  2.3.2.ds1-22       GNU C Library: Shared libraries an
ii  libcap1                1:1.10-14          support for getting/setting POSIX.
ii  libmysqlclient10       3.23.56-3          LGPL-licensed client library for M
ii  libpam0g               0.76-22            Pluggable Authentication Modules l
ii  libssl0.9.7            0.9.7e-3sarge1     SSL shared libraries
ii  pure-ftpd-common       1.0.19-4           Pure-FTPd FTP server (Common Files
ii  zlib1g                 1:1.2.2-4.sarge.2  compression library - runtime

-- no debconf information
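The condition the report describes (a virtual user whose Dir is missing or unreachable, so the daemon starts the session in /) can be caught on the server side before pure-ftpd ever sees the login. The following is an added example, not code from the report or from pure-ftpd: a Python audit over virtual-user records in the shape of pure-ftpd-mysql's default users table (User, Uid, Gid, Dir). That schema, the sample rows, the uids and the temporary directory tree are assumptions constructed here so the script runs offline. It flags homes that do not exist, resolve to /, resolve outside the FTP tree, or are group/world-writable, and separately lists uids shared by several accounts, since anything one of them can write the others can too.

```python
"""Audit pure-ftpd virtual-user home directories for the fallback-to-/ problem.

Added example, not code from the bug report or from pure-ftpd. The record
layout mirrors pure-ftpd-mysql's default ``users`` table (User, Uid, Gid, Dir),
but the rows and the directory tree are constructed below so this runs offline.
"""
import os
import stat
import tempfile
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class VirtualUser(NamedTuple):
    user: str
    uid: int
    gid: int
    home: str  # contents of the Dir column


def audit_home(vu: VirtualUser, ftp_root: str) -> List[str]:
    """Problems that would leave this user browsing outside their own home.

    A missing or unreachable Dir is the case from the report: the daemon
    answers "does not exist or is unreachable" and starts the session in /.
    """
    problems: List[str] = []
    if not vu.home or not vu.home.startswith("/"):
        return ["Dir is empty or relative"]
    if not os.path.isdir(vu.home):
        return ["home does not exist or is unreachable; daemon would fall back to /"]
    real = os.path.realpath(vu.home)
    root = os.path.realpath(ftp_root)
    if real == "/":
        problems.append("home resolves to / (whole filesystem readable)")
    elif os.path.commonpath([real, root]) != root:
        problems.append("home resolves outside the FTP tree: " + real)
    if os.stat(real).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("home is group- or world-writable")
    return problems


def audit_all(rows: List[VirtualUser], ftp_root: str) -> Dict[str, List[str]]:
    """Map each problematic account name to its list of findings."""
    findings: Dict[str, List[str]] = {}
    for vu in rows:
        problems = audit_home(vu, ftp_root)
        if problems:
            findings[vu.user] = problems
    return findings


def shared_uids(rows: List[VirtualUser]) -> Dict[int, List[str]]:
    """Uids used by more than one virtual account. Whatever one of them can
    write, the others can too, because the kernel only sees the uid."""
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for vu in rows:
        by_uid[vu.uid].append(vu.user)
    return {uid: users for uid, users in by_uid.items() if len(users) > 1}


def build_demo() -> Tuple[str, List[VirtualUser]]:
    """Constructed sample tree and rows; names echo the report, data is made up."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    good = os.path.join(root, "dealerzy", "kilobyte")
    os.makedirs(good)
    os.chmod(good, 0o750)
    loose = os.path.join(root, "dealerzy", "loose")
    os.makedirs(loose)
    os.chmod(loose, 0o777)
    escape = os.path.join(root, "escape")
    os.symlink("/", escape)  # Dir that points (via a symlink) at the filesystem root
    rows = [
        VirtualUser("kilobyte", 2001, 2001, good),
        # Dir never created, or its filesystem is not mounted right now
        VirtualUser("orphan", 2001, 2001, os.path.join(root, "dealerzy", "orphan")),
        VirtualUser("loose", 2001, 2001, loose),
        VirtualUser("escape", 2001, 2001, escape),
        VirtualUser("sysadmin", 2002, 2002, "/"),
    ]
    return root, rows


if __name__ == "__main__":
    demo_root, demo_rows = build_demo()
    for user, problems in sorted(audit_all(demo_rows, demo_root).items()):
        for problem in problems:
            print(f"{user}: {problem}")
    for uid, users in shared_uids(demo_rows).items():
        print(f"uid {uid} shared by {', '.join(users)}")
```

Running this against the real table (replace build_demo's rows with a query over the Dir column) before, or periodically after, deployment turns the daemon's silent fallback into an explicit alarm; the realpath check also catches the case where the Dir exists but is a symlink that leads out of the FTP tree.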

