On Sat, Apr 14, 2007 at 06:29:06PM +0200, Evgeni Golov wrote:
> Package: proftpd-mysql
> Version: 1.3.0-19
> Severity: grave
> 
> This is not really mysql related, but should apply to all proftpd sql
> packages. I have the following configuration in my proftpd.conf:
> 
> SQLAuthTypes Crypt Plaintext
> SQLAuthenticate users* groups*
> SQLConnectInfo [EMAIL PROTECTED] syscp MYSQL_PASSWORD
> SQLUserInfo ftp_users username password uid gid homedir shell
> SQLGroupInfo ftp_groups groupname gid members
> SQLUserWhereClause "login_enabled = 'y'"
> 
> One would think that a user who is defined in ftp_users should be able
> to log in with his password (which can be encrypted or not), and that a
> system user should also be able to log in. The first is perfectly true,
> and so is the second, BUT: a system user is also able to log in with !
> or * as the password. ! or * in /etc/shadow indicates a bad password, so
> the user shouldn't be able to log in (this is done for the users
> www-data, ftp, postfix, etc.), but proftpd seems to ignore that if
> SQLAuthTypes Plaintext is set, and allows the user to log in with ! or *
> as the password (whatever is set in /etc/shadow).
> 

Of course that partially depends on your choice of authoritative information.
If you added the (disabled) system users to the SQL user table, that would not happen.
The same applies if you

- used mod_sql as the only authoritative source
- added the system users to ftpusers etc.
- made sure the system user shells are not listed in /etc/shells and RequireValidShell is on

Anyway, as a maintainer I agree that the rule of least surprise should
apply.

> IMHO this is a grave security bug, because if someone enables plaintext
> for SQL, anyone can log in with (guessable) system accounts and do some
> sh** :(
> 

PS:
Please enclose your complete proftpd.conf, SQL and syslogs, and whatever
else is useful for tracking, in any report.




-- 
Francesco P. Lovergine
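
The following is an added illustration, not part of either message in this thread and not ProFTPD project documentation. It places the reporter's posted mod_sql configuration next to a hardened variant built from the three points in the reply above: make mod_sql the only authoritative source, keep system accounts in /etc/ftpusers, and keep RequireValidShell on with daemon accounts' shells out of /etc/shells. The connection parameters are placeholders (the originals were redacted in the report); the meaning of the trailing `*` on SQLAuthenticate (non-authoritative lookup) is mod_sql's documented semantics, and RequireValidShell and UseFtpUsers are core ProFTPD directives.

```apacheconf
# --- Weak form, as posted in the report ---
# "Plaintext" is the type the reporter found accepting a literal "!" or "*",
# and the trailing "*" makes mod_sql non-authoritative, so lookups fall
# through to the system account database.
#SQLAuthTypes       Crypt Plaintext
#SQLAuthenticate    users* groups*

# --- Hardened form ---
# Accept only crypt(3)-style hashes stored in the SQL table.
SQLAuthTypes        Crypt
# No "*": mod_sql is authoritative for user and group lookups, so an
# account that is not in ftp_users is rejected instead of being handed
# to the system account database.
SQLAuthenticate     users groups
# Placeholder connection info (hypothetical values; the original was redacted):
# database@host, database user, database password.
SQLConnectInfo      database@host dbuser dbpass
SQLUserInfo         ftp_users username password uid gid homedir shell
SQLGroupInfo        ftp_groups groupname gid members
SQLUserWhereClause  "login_enabled = 'y'"

# Defence in depth for any path that still reaches system accounts:
# refuse logins whose shell is not listed in /etc/shells (daemon accounts
# such as www-data, ftp and postfix normally have a non-login shell) ...
RequireValidShell   on
# ... and refuse every account listed in /etc/ftpusers, which is where the
# reply suggests adding the system users.
UseFtpUsers         on
```

Dropping Plaintext from SQLAuthTypes means every row in ftp_users must carry a crypt()-style hash in its password column; any rows that still hold clear-text passwords stop authenticating until they are rehashed, so check the table before switching.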

