Date: Wed, 24 Sep 2003 15:14:17 -0700 (PDT)
From: Alan Batie <alan@agora.rdrop.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/57194: ftpd does not honor passwd file expiration date
Message-ID: <200309242214.h8OMEHxd007681@agora.rdrop.com>
Resent-Message-ID: <200309242220.h8OMKI1A073011@freefall.freebsd.org>

>Number:         57194
>Category:       bin
>Synopsis:       ftpd does not honor passwd file expiration date
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 24 15:20:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alan Batie
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
RainDrop Laboratories
>Environment:
System: FreeBSD agora.rdrop.com 4.7-STABLE FreeBSD 4.7-STABLE #0: Mon Feb 3 00:57:16 PST 2003 root@agora.rdrop.com:/usr/src/freebsd/src/sys/compile/AGORA i386
>Description:
The synopsis basically covers it. I use the password expiration field to
lock out user accounts when the time they've paid for runs out, but they
can still use ftp to access them. A big security hole for those who want
to take advantage of it for free web hosting.
>How-To-Repeat:
Set expiration date on an account to a date in the past, then ftp localhost
and login as that user.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
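
The check the report says is missing, sketched as an added example (not code from the original message or from FreeBSD's ftpd): it reads the expire field of a master.passwd(5)-format entry and refuses the login once that time has passed. The function names, status enum and sample entry are hypothetical and constructed for illustration; a malformed entry is reported separately so the caller can refuse it too.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* master.passwd(5) order: name:password:uid:gid:class:change:expire:gecos:home_dir:shell */
enum { F_EXPIRE = 6, F_COUNT = 10 };
enum acct_status { ACCT_OK, ACCT_EXPIRED, ACCT_MALFORMED };

/* Constructed sample entry: expire = 1064000000 (September 2003), empty class field. */
static const char SAMPLE_ENTRY[] =
    "alice:*:1001:1001::0:1064000000:Alice Example:/home/alice:/bin/sh";

/* Split on ':' in place, keeping empty fields (strtok would collapse them). */
static int split_fields(char *line, char *out[F_COUNT])
{
    int n = 0;
    char *p = line;
    while (n < F_COUNT) {
        out[n++] = p;
        char *colon = strchr(p, ':');
        if (colon == NULL)
            break;
        *colon = '\0';
        p = colon + 1;
    }
    return n;
}

/* Hypothetical helper: an expire value of 0 means the account never expires. */
enum acct_status account_status(const char *entry, time_t now)
{
    char buf[1024], *f[F_COUNT], *end;
    size_t len = strlen(entry);

    if (len >= sizeof(buf))
        return ACCT_MALFORMED;
    memcpy(buf, entry, len + 1);
    if (split_fields(buf, f) != F_COUNT)
        return ACCT_MALFORMED;
    long long expire = strtoll(f[F_EXPIRE], &end, 10);
    if (end == f[F_EXPIRE] || *end != '\0' || expire < 0)
        return ACCT_MALFORMED;   /* fail closed on a non-numeric field */
    if (expire != 0 && (long long)now >= expire)
        return ACCT_EXPIRED;     /* refuse the login, whatever the password */
    return ACCT_OK;
}

int main(void)
{
    return account_status(SAMPLE_ENTRY, time(NULL)) == ACCT_EXPIRED ? 0 : 1;
}
```

Every service that authenticates against the password database needs this check after the password comparison, otherwise an account locked by expiration stays reachable through that service.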