Package: proftpd-mysql
Version: 1.3.0-19
Severity: grave

This is not really mysql related, but should apply to all proftpd sql packages.

I have the following configuration in my proftpd.conf:

    SQLAuthTypes Crypt Plaintext
    SQLAuthenticate users* groups*
    SQLConnectInfo [EMAIL PROTECTED] syscp MYSQL_PASSWORD
    SQLUserInfo ftp_users username password uid gid homedir shell
    SQLGroupInfo ftp_groups groupname gid members
    SQLUserWhereClause "login_enabled = 'y'"

One should think, a user who is defined in ftp_users should be able to log in with his password (which can be encrypted or not) and a system-user should also be able to log in. The first is perfectly true, so is the second, BUT: a system-user is also able to log in with ! or * as password.

! or * in /etc/shadow indicates a bad password, so the user shouldn't be able to log in (this is done for the users www-data, ftp, postfix, etc...) but proftpd seems to ignore that, if SQLAuthTypes Plaintext is set and allows the user to log in with ! or * as password (whatever is set in /etc/shadow).

IMHO this is a grave security bug, because if someone enables plaintext for SQL anyone can log in with (guessable) system-accounts and do some sh** :(

-- 
   ^^^    | Evgeni -SargentD- Golov ([EMAIL PROTECTED])
 d(O_o)b  | GPG/PGP-Key-ID: 0xAC15B50C
  >-|-<   | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
   / \    | http://www.die-welt.net - [EMAIL PROTECTED]

If you had a chance, right now, to go back in time and stop Hitler, wouldn't you do it? I mean, I personally wouldn't stop him, because I think he was awesome, but you would right? (Eric Cartman, Make Love, not Warcraft)
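An audit for the condition reported above, added here as an example (not part of the original report and not proftpd code): it checks whether a proftpd.conf enables SQLAuthTypes Plaintext and lists the accounts whose shadow password field is a lock marker rather than a hash. The sample data is constructed, the function names are hypothetical, and treating any field made only of ! and * characters (for example "!!") as a marker goes beyond the two values the report names.

```python
import re

# Constructed sample inputs (not taken from any real host).
SAMPLE_CONF = """\
SQLAuthTypes Crypt Plaintext
SQLAuthenticate users* groups*
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:13500:0:99999:7:::
www-data:*:13500:0:99999:7:::
ftp:!:13500:0:99999:7:::
postfix:!:13500:0:99999:7:::
alice:$1$constructed$constructedhash:13500:0:99999:7:::
"""

def plaintext_enabled(conf_text):
    """True if an uncommented SQLAuthTypes directive lists Plaintext."""
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].lower() == "sqlauthtypes":
            if any(w.lower() == "plaintext" for w in words[1:]):
                return True
    return False

def locked_accounts(shadow_text):
    """Accounts whose shadow password field is only '!' and/or '*'."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # Assumption: a field made only of ! and * is a lock marker, not a hash.
        if len(fields) >= 2 and re.fullmatch(r"[!*]+", fields[1]):
            found.append((fields[0], fields[1]))
    return found

def audit(conf_text, shadow_text):
    """Locked accounts to re-test when Plaintext is enabled, else nothing."""
    if not plaintext_enabled(conf_text):
        return []
    return locked_accounts(shadow_text)

if __name__ == "__main__":
    for user, marker in audit(SAMPLE_CONF, SAMPLE_SHADOW):
        print(f"{user}: shadow field {marker!r} is a lock marker, "
              "not a password; verify that FTP login is refused")
```
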