Bug#638955: proftpd-basic: World-readable config files containing password
Thijs Kinkhorst
thijs at debian.org
Wed Aug 24 06:39:53 UTC 2011
severity 638955 normal
tags 638955 -security
thanks
Hi Kim,
On Tue, August 23, 2011 12:11, Kim Rostgaard Christensen wrote:
> /etc/proftpd/ldap.conf contains passwords and should therefore not be
> world readable per default.
>
> I think the same applies to other vuser backends
Thanks for your report. The file does not contain such passwords by
default: the administrator has to edit the file and put an LDAP admin
password in there. We can expect system administrators to check the
permissions of files they put the LDAP admin passwords into, so I don't
think this is a grave security issue.
It would be good as a proactive security measure to change the permissions
on that file to prevent mistakes, but the current situation is not really
a vulnerability.
Cheers,
Thijs
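
Added example, not part of the original message or of the proftpd package: a shell check for the situation discussed above, a backend config under /etc/proftpd that an administrator has put a credential into while it is still readable by "other". The function names and the directive list (LDAPBindDN from mod_ldap, SQLConnectInfo from mod_sql) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Directives whose arguments can carry a password (assumed list, extend as needed).
SECRET_DIRECTIVES='LDAPBindDN|SQLConnectInfo'

# has_secret FILE: true if FILE has an uncommented credential directive.
# Heuristic: commented-out template lines do not count as a stored secret.
has_secret() {
    grep -Eiq "^[[:space:]]*($SECRET_DIRECTIVES)[[:space:]]" "$1"
}

# audit_dir DIR: print every *.conf in DIR that holds a live credential
# directive and has the other-read bit set. Returns 1 if any were found.
audit_dir() {
    found=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        has_secret "$f" || continue      # no live credential, mode is irrelevant
        if [ -n "$(find "$f" -perm -004)" ]; then
            echo "world-readable secret: $f"
            found=1
        fi
    done
    return "$found"
}

# harden FILE: drop all access for "other", leaving owner and group bits alone.
harden() {
    chmod o-rwx "$1"
}

# Usage: audit_dir /etc/proftpd
```

A file that still has only the commented-out template lines is not reported, which matches the distinction drawn in the reply between the shipped default and a file the administrator has edited.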