On Sat, 14 Apr 2007 19:53:14 +0200 Francesco P. Lovergine wrote:

> Of course that partially depends on your authoritative information
> choice. If you added (disabled) system users to sql user table, that
> would not happen.

Yepp, but why should I? They have disabled passwords, that should be enough.

> The same if you
>
> - used the mod_sql as the only authoritative one

Maybe I need to login with some regular system-user? (I actually don't, but this is an argument contra mod_sql only)

> - added system users to ftpusers etc

Uhm, mass-bug-filing against all packages which add users but don't list them in ftpusers? ;-)

> - the system user shells are not listed in /etc/shells and
>   RequireValidShell is on

Also not really a solution, you know ;-)

> Anyway as a maintainer I agree that the rule of least surprise should
> be applied.

I think the rule should be: don't apply settings of modA to modB and be secure ;). I bet it is not unusual to have a mixed environment of system and virtual users who should be able to login without opening a big fat door for the kiddies out there if you don't double and triple check the logins.

> PS:
> Please enclose your complete proftpd.conf, sql and syslogs, and
> whatever useful for tracking in any report.

You can find the conf here: http://dragonheart.ath.cx/~zhenech/syscp/proftpd.etch
SQL is empty and syslogs do not show anything interesting.

Some more information: the bug is also present in Sarge's proftpd, so seems kinda old :(

Hope you or upstream can fix it, even if it affects only "non-standard" installs (you have to enable Plaintext :))

Regards
Evgeni

-- 
   ^^^    | Evgeni -SargentD- Golov ([EMAIL PROTECTED])
 d(O_o)b  | GPG/PGP-Key-ID: 0xAC15B50C
  >-|-<   | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
   / \    | http://www.die-welt.net - [EMAIL PROTECTED]

is our old webserver still alive, webserver still, webserver still...
- yeeeees, it still pings, it still pings, it still pings
(jesse @ teranetworks.de)
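Added example (not part of the original message, and not ProFTPD or Debian code): a small audit of the two file-based workarounds quoted in the message above, listing system users in ftpusers and relying on RequireValidShell with shells absent from /etc/shells. It reports which password-disabled accounts neither one covers. The file contents are constructed samples and the function names are hypothetical.

```python
# Added example: all file contents below are constructed samples.
PASSWD = """\
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
daemon:*:13617:0:99999:7:::
www-data:!:13617:0:99999:7:::
backup:*:13617:0:99999:7:::
alice:$1$constructed$notarealhash:13617:0:99999:7:::
"""
FTPUSERS = "# constructed deny list\nroot\ndaemon\n"
SHELLS = "# constructed\n/bin/sh\n/bin/bash\n"


def _entries(text):
    """Yield stripped, non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def audit(passwd, shadow, ftpusers, shells):
    """Map each password-disabled account to the file-based gates that cover it."""
    disabled = {f[0] for f in (l.split(":") for l in _entries(shadow))
                if len(f) > 1 and f[1][:1] in ("!", "*")}
    denied, valid_shells = set(_entries(ftpusers)), set(_entries(shells))
    report = {}
    for fields in (l.split(":") for l in _entries(passwd)):
        if len(fields) < 7 or fields[0] not in disabled:
            continue
        gates = []
        if fields[0] in denied:
            gates.append("ftpusers")
        if fields[6] not in valid_shells:
            gates.append("shell not in /etc/shells")
        report[fields[0]] = gates
    return report


def ungated(report):
    """Accounts with a disabled password that neither gate covers."""
    return sorted(user for user, gates in report.items() if not gates)


if __name__ == "__main__":
    for user, gates in audit(PASSWD, SHADOW, FTPUSERS, SHELLS).items():
        print(f"{user:10} {', '.join(gates) or 'NOT COVERED'}")
```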

