This is the mail archive of the
cygwin@cygwin.com
mailing list for the Cygwin project.
Re: security with the ftp daemon
- From: Corinna Vinschen <cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Mon, 21 Jan 2002 10:39:59 +0100
- Subject: Re: security with the ftp daemon
- References: <002c01c1a23f$ac0f2e80$2801a8c0@DCUTHBERT2K>
On Mon, Jan 21, 2002 at 02:51:29PM +0900, Dylan Cuthbert wrote:
> Hi there,
>
> I've set up the ftp server with inetutils on win2k, but I get a strange
> security hole.
>
> I've set permissions so that only "Administrators" can access the cygwin
> directories. The home directories are only accessible by their respective
> users and /bin is Everyone and read-only.
>
> However, after setting this up and rebooting the machine once, if I ftp in
> as a regular user I can access all the administrator priviledge directories
> (in read/write mode!) with no problem at all. Is this a known problem and
> is there a way to get it to work securely? Surely the ftp daemon should
> switch its user to the id of the person logging in?
Check if your /etc/group is setup correctly. If the group of
the user doesn't exist, setgid() falls back to the admins group
currently.
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/