Package: vsftpd
Version: 2.3.2-6
Severity: wishlist

vsftpd.postinst does
      if ! getent passwd | grep -q "^${_USERNAME}:"
and
      elif ! getent group | grep -q "^${_USERNAME}:"

the grep could potentially hit a false positive due to its interpretation
of "${_USERNAME}" as a regular expression.  For example, _USERNAME could
be "ftp.user" which would then match "ftp_user" also.

This is mostly an edge case, but a '.' is allowable in unix user names.

The other small benefit of not using grep is avoiding a fork for some
minuscule performance benefit.

Instead of the grep, let 'getent' do the match for you:
 -     if ! getent passwd | grep -q "^${_USERNAME}:"
 +     if ! getent passwd "${_USERNAME}"
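Review bot: the `+` line loses the silence that `grep -q` gave the old test. `getent passwd "${_USERNAME}"` prints the matching entry to stdout when the user exists, so the postinst would echo a passwd line during installation. Suggest redirecting the output: `if ! getent passwd "${_USERNAME}" >/dev/null`.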
and 
 -     elif ! getent group | grep -q "^${_USERNAME}:
 +     elif ! getent group "${USERNAME}"
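Review bot: the `+` line looks up `"${USERNAME}"`, without the leading underscore of the `"${_USERNAME}"` used on the line it replaces and in the passwd change above, so unless a separate USERNAME variable happens to be set the lookup is for an empty name. Use `"${_USERNAME}"` here, and redirect the output to /dev/null as `grep -q` printed nothing. The removed line as quoted is also missing its closing double quote.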

This was brought up under Ubuntu bug 629234
(https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/629234)

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-8-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
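
The false positive described in the report, as an added example that is not part of the original report or of vsftpd.postinst. The passwd data and the function names are constructed for illustration; only exists_getent touches the real account database, and it is defined here without being called.

```shell
#!/bin/sh
# Constructed sample in passwd(5) format. Note that "ftp.user" itself is absent.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
ftp_user:x:1001:1001::/srv/ftp:/usr/sbin/nologin
ftpXuser:x:1002:1002::/srv/ftp2:/usr/sbin/nologin'

# Old postinst-style test: the name is interpolated into a regular
# expression, so "." (and any other metacharacter) is not literal.
exists_regex() {
    printf '%s\n' "$SAMPLE_PASSWD" | grep -q "^${1}:"
}

# Names that the regex test accepts as "the same user", space separated.
regex_hits() {
    printf '%s\n' "$SAMPLE_PASSWD" | grep "^${1}:" | cut -d: -f1 | paste -s -d ' ' -
}

# Exact test on the sample: take the name field only, then compare it
# as a fixed string (-F) against the whole line (-x).
exists_exact() {
    printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1 | grep -Fxq -- "$1"
}

# The form proposed in the report, silenced so a maintainer script
# prints nothing. Queries the system's real NSS databases.
exists_getent() {
    getent passwd "$1" >/dev/null 2>&1
}

# Show both tests side by side on the constructed data.
for name in ftp.user ftp_user; do
    if exists_regex "$name"; then r=found; else r=missing; fi
    if exists_exact "$name"; then e=found; else e=missing; fi
    printf '%-9s regex=%s exact=%s\n' "$name" "$r" "$e"
done
```

With the regex test, a postinst asked to create "ftp.user" would conclude the account already exists and skip creating it.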