Bug#638955: proftpd-basic: World-readable config files containing password

Thijs Kinkhorst thijs at debian.org
Wed Aug 24 06:39:53 UTC 2011


severity 638955 normal
tags 638955 -security
thanks

Hi Kim,

On Tue, August 23, 2011 12:11, Kim Rostgaard Christensen wrote:
> /etc/proftpd/ldap.conf contains passwords and should therefore not be
> world readable per default.
>
> I think the same applies to other vuser backends

Thanks for your report. The file does not contain such passwords by
default: the administrator has to edit the file and put an LDAP admin
password in there. We can expect system administrators to check the
permissions of files they put the LDAP admin passwords into, so I don't
think this is a grave security issue.

It would be good as a proactive security measure to change the permissions
on that file to prevent mistakes, but the current situation is not really
a vulnerability.


Cheers,
Thijs




