Message-ID: <398EC360.51E1E8F5@home.com>
Date: Mon, 07 Aug 2000 10:10:40 -0400
From: "David A. Cobb"
Organization: @home user
To: bheckel AT excite DOT com, cygwin AT sources DOT redhat DOT com
Subject: Re: inetd security hole?
References: <26370583 DOT 965423060526 DOT JavaMail DOT imail AT scorch DOT excite DOT com>

Bob Heckel wrote:
>
> I just set up inetd-1.3.2-5p1 as a service on my W2K box. My
> thanks to the Cygwin team. Great job on this piece. There
> may, however, be a security hole for some people. I was
> able to FTP from a remote Unix box to my Cygwin W2K box
> simply by using user guest and password (enter). Had to
> delete the Guest entry from /etc/passwd to close the hole.
>
> I may not be configured properly and your system may be
> different but I wanted to make sure no one is accidentally
> exposed to trouble. I checked the mailing list search
> engine prior to posting this and didn't see any warnings regarding this
> issue.
>
> Bob Heckel
>

This sounds like part of the NT heritage. On an NT system the user name
"guest" (null password) is normally enabled - might even be immutable.
Guest, however, should have minimum or no access. Making that a true
statement is an administrator's job.

--
David A. Cobb, Software Engineer, Public Access Advocate
"Don't buy or use crappy software"
"By the grace of God I am a Christian man, by my actions a great sinner"
 -- The Way of a Pilgrim [R. M. French, tr.]