View Full Version : Site command, not able to restric

05-14-2005, 08:09 AM
Just found one thing that is a kinda security issue.

Im useing ioGroups and have overide site command "SITE USERS" from ioFTPD default to ioGroups. I was playing around with an anonymous account and found out that ANY one can use "SITE USERS"

Ive trippled checked my ioFTPD.ini to see if anything is wrong but cant find nothing. Here is what my ioFTPD.ini contains:

site = EXEC ..\scripts\iogroups\ioGroups.exe override_site_users

lusers = EXEC ..\scripts\iogroups\ioGroups.exe listusers

users = 1GM

Admin = flags 1M
Simple User = flags 3Ff
Anonymous = flags 3A

Everyone of abow can use "SITE USERS"
Can someone confirm this as I get the same on two ftpds.

05-14-2005, 08:37 AM
Well, it is working OK for me... i.e., normal users CAN NOT use "site users", they get "permission denied".

No idea what may be wrong in your config.

05-14-2005, 02:11 PM
If I disable
site = EXEC ..\scripts\iogroups\ioGroups.exe override_site_users

I get following when trying:

[R] site users
[R] 550 'SITE users': Access denied.

Very weird.

05-16-2005, 07:32 AM
What's weird about it?

I would assume "override_site_users" does what it says ;)

05-16-2005, 07:59 AM
Whats weird is that WHEN I use override_users, everybody can access "SITE USERS" while not usesing override_users only 1M flags can access "SITE USERS"

05-16-2005, 08:07 AM
Apparently, i was already fixing that about a year ago:
site = EXEC ..\scripts\ioGroups.exe override_internal

override_uinfo = 1
flags_restrict_uinfo = 1M

override_users = 1
flags_restrict_users = 1M

override_groups = 1
flags_restrict_groups = 1M but i think it was still unfinished or in beta status or something. I will look into it after my exams (end of june), and that's a promise I'll try to keep :)
(might post something here to remind me at the time)