Your message dated Wed, 20 Feb 2008 14:14:00 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#466689: security violation ... proftpd allows disabled
user access ( i.e: user mysql) access to system .
has caused the Debian Bug report #466689,
regarding security violation ... proftpd allows disabled user access ( i.e:
user mysql) access to system .
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
466689: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466689
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: proftpd
Version: 1.3.0-19
Severity: critical
proftpd allows disabled users to successfully login and access files accessible
by that user
(i.e. all database files)
Log snippet:
Feb 20 11:07:36 Beacon proftpd[16362]: LOGHOST
(::ffff:83.170.124.152[::ffff:83.170.124.152]) - USER mysql (Login failed):
Incorrect password.
Feb 20 11:07:36 Beacon proftpd[16362]: LOGHOST
(::ffff:83.170.124.152[::ffff:83.170.124.152]) - USER mysql: Login successful.
Feb 20 11:07:37 Beacon proftpd[16362]: LOGHOST
(::ffff:83.170.124.152[::ffff:83.170.124.152]) - Preparing to chroot to
directory '/var/lib/mysql'
Feb 20 11:07:37 Beacon proftpd[16362]: LOGHOST
(::ffff:83.170.124.152[::ffff:83.170.124.152]) - FTP session closed.
Passwd snippet:
mysql:x:100:102:MySQL Server,,,:/var/lib/mysql:/bin/false
Shadow snippet:
mysql:!:12369:0:99999:7:::
mysql:!!:11809:0:99999:7:::
proftpd is using the sql feature with mysql:
proftpd.conf snippet
AuthOrder mod_sql.c mod_auth_unix.c
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20.7Phantasia
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages proftpd depends on:
ii adduser 3.102 Add and remove users and groups
ii debconf 1.5.11etch1 Debian configuration management sy
ii debianutils 2.17 Miscellaneous utilities specific t
ii libacl1 2.2.41-1 Access control list shared library
ii libattr1 2.4.32-1 Extended attribute shared library
ii libc6 2.3.6.ds1-13etch4 GNU C Library: Shared libraries
ii libldap2 2.1.30-13.3 OpenLDAP libraries
ii libmysqlclient15off 5.0.51-0.dotdeb.1 MySQL database client library
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii libpam-runtime 0.79-5 Runtime support for the PAM librar
ii libpam0g 0.79-5 Pluggable Authentication Modules l
ii libpq4 8.1.11-0etch1 PostgreSQL C client library
ii libssl0.9.8 0.9.8c-4etch1 SSL shared libraries
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii netbase 4.29 Basic TCP/IP networking system
ii perl 5.8.8-7etch1 Larry Wall's Practical Extraction
ii ucf 2.0020 Update Configuration File: preserv
ii zlib1g 1:1.2.3-13 compression library - runtime
proftpd recommends no packages.
-- debconf information:
* shared/proftpd/warning:
* shared/proftpd/inetd_or_standalone: standalone
--- End Message ---
--- Begin Message ---
severity 466689 important
thanks
This is mainly a configuration issue. Authorization stacking is better
managed in 1.3.1 and a point release will be provided for etch somewhere
in the near future.
You can easily workaround by not allowing plaintext authorization
in sql, avoiding unix auth at all or providing fake system users
in the sql db.
On Wed, Feb 20, 2008 at 01:54:45PM +0100, Hurl wrote:
> Package: proftpd
> Version: 1.3.0-19
> Severity: critical
>
>
> proftpd allows disabled users to successfully login and access files
> accessible by that user
> (i.e. all database files)
>
> Log snippet:
> Feb 20 11:07:36 Beacon proftpd[16362]: LOGHOST
> (::ffff:83.170.124.152[::ffff:83.170.124.152]) - USER mysql (Login failed):
> Incorrect password.
> Feb 20 11:07:36 Beacon proftpd[16362]: LOGHOST
> (::ffff:83.170.124.152[::ffff:83.170.124.152]) - USER mysql: Login successful.
> Feb 20 11:07:37 Beacon proftpd[16362]: LOGHOST
> (::ffff:83.170.124.152[::ffff:83.170.124.152]) - Preparing to chroot to
> directory '/var/lib/mysql'
> Feb 20 11:07:37 Beacon proftpd[16362]: LOGHOST
> (::ffff:83.170.124.152[::ffff:83.170.124.152]) - FTP session closed.
>
> Passwd snippet:
> mysql:x:100:102:MySQL Server,,,:/var/lib/mysql:/bin/false
>
> Shadow snippet:
> mysql:!:12369:0:99999:7:::
> mysql:!!:11809:0:99999:7:::
>
> proftpd is using the sql feature with mysql:
> proftpd.conf snippet
> AuthOrder mod_sql.c mod_auth_unix.c
>
>
>
>
> -- System Information:
> Debian Release: 4.0
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.20.7Phantasia
> Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
>
> Versions of packages proftpd depends on:
> ii adduser 3.102 Add and remove users and groups
> ii debconf 1.5.11etch1 Debian configuration management sy
> ii debianutils 2.17 Miscellaneous utilities specific t
> ii libacl1 2.2.41-1 Access control list shared library
> ii libattr1 2.4.32-1 Extended attribute shared library
> ii libc6 2.3.6.ds1-13etch4 GNU C Library: Shared libraries
> ii libldap2 2.1.30-13.3 OpenLDAP libraries
> ii libmysqlclient15off 5.0.51-0.dotdeb.1 MySQL database client library
> ii libncurses5 5.5-5 Shared libraries for terminal hand
> ii libpam-runtime 0.79-5 Runtime support for the PAM librar
> ii libpam0g 0.79-5 Pluggable Authentication Modules l
> ii libpq4 8.1.11-0etch1 PostgreSQL C client library
> ii libssl0.9.8 0.9.8c-4etch1 SSL shared libraries
> ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
> ii netbase 4.29 Basic TCP/IP networking system
> ii perl 5.8.8-7etch1 Larry Wall's Practical Extraction
> ii ucf 2.0020 Update Configuration File: preserv
> ii zlib1g 1:1.2.3-13 compression library - runtime
>
> proftpd recommends no packages.
>
> -- debconf information:
> * shared/proftpd/warning:
> * shared/proftpd/inetd_or_standalone: standalone
>
--
Francesco P. Lovergine
--- End Message ---
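As an added example (not code from the report, the maintainer or ProFTPD), a small Python check over the log, passwd and shadow snippets in the report: it flags a session where one authentication module logged "Login failed" and a later module in the AuthOrder chain logged "Login successful" for the same user, and records whether that account is one the system itself locks (a `!`/`*` shadow entry or a no-login shell). The `alice` log line is a constructed negative case; the other samples are the report's own lines re-joined as syslog wrote them.

```python
import re

# Sample input: the report's three log lines (re-joined onto single lines) plus one
# constructed line for a user whose login had no preceding failure (negative case).
SAMPLE_LOG = """\
Feb 20 11:07:36 Beacon proftpd[16362]: LOGHOST (::ffff:83.170.124.152[::ffff:83.170.124.152]) - USER mysql (Login failed): Incorrect password.
Feb 20 11:07:36 Beacon proftpd[16362]: LOGHOST (::ffff:83.170.124.152[::ffff:83.170.124.152]) - USER mysql: Login successful.
Feb 20 11:07:37 Beacon proftpd[16362]: LOGHOST (::ffff:83.170.124.152[::ffff:83.170.124.152]) - Preparing to chroot to directory '/var/lib/mysql'
Feb 20 11:08:02 Beacon proftpd[16399]: LOGHOST (::ffff:192.0.2.10[::ffff:192.0.2.10]) - USER alice: Login successful.
"""
SAMPLE_PASSWD = "mysql:x:100:102:MySQL Server,,,:/var/lib/mysql:/bin/false\n"
SAMPLE_SHADOW = "mysql:!:12369:0:99999:7:::\n"

FAILED = re.compile(r"proftpd\[(?P<pid>\d+)\]: .* - USER (?P<user>\S+) \(Login failed\)")
SUCCESS = re.compile(r"proftpd\[(?P<pid>\d+)\]: .* - USER (?P<user>\S+): Login successful")
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def locked_accounts(passwd: str, shadow: str) -> dict[str, list[str]]:
    """Return {user: [reasons]} for accounts the system would refuse to log in."""
    reasons: dict[str, list[str]] = {}
    for line in shadow.splitlines():
        f = line.split(":")
        if len(f) >= 2 and f[1].startswith(("!", "*")):  # locked/disabled password
            reasons.setdefault(f[0], []).append("locked shadow entry")
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[6] in NOLOGIN_SHELLS:  # shell that refuses interactive login
            reasons.setdefault(f[0], []).append("no-login shell " + f[6])
    return reasons


def find_fallthrough_logins(log: str, locked: dict[str, list[str]]) -> list[tuple[str, str, list[str]]]:
    """Flag (pid, user, reasons) where a 'Login failed' for a (pid, user) pair is
    followed by 'Login successful' for the same pair: one auth module rejected the
    password and a later one accepted it. reasons lists why the OS itself would have
    refused the account, or is empty for an ordinary account."""
    failed: set[tuple[str, str]] = set()
    hits: list[tuple[str, str, list[str]]] = []
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            failed.add((m["pid"], m["user"]))
            continue
        m = SUCCESS.search(line)
        if m and (m["pid"], m["user"]) in failed:
            hits.append((m["pid"], m["user"], locked.get(m["user"], [])))
    return hits


if __name__ == "__main__":
    for pid, user, why in find_fallthrough_logins(SAMPLE_LOG, locked_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)):
        print(f"pid {pid}: {user} accepted after an earlier failure; account is {', '.join(why) or 'a normal account'}")
```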