Security flaw: The package configures pure-ftpd to start automatically without informing the user/admin.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
pure-ftpd (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
It seems to me that when pure-ftpd is installed, it is also configured to start automatically as part of the boot process. Now, this is a dangerous practice when the user/administrator is not informed about this.
I construe that the documentation that comes with the package comes from the developers of pure-ftpd, whereas the decision or code to automatically start pure-ftpd has been made by the creator of the package. Now, there are probably a number of approaches to fixing this bug, for example:
(1) Disabling auto-start by default,
(2) adding documentation about configuration arrangements specific to this Ubuntu/Debian package of pure-ftpd,
(3) showing some sort of an information window to inform the user/administrator that auto-starting has been enabled and how to disable it if desired.
I believe FTP servers are generally configured by the administrator before being introduced to regular use, and therefore starting them automatically in a "plug-and-play" fashion is not of so much benefit. Anyway, the administrator must be informed, for sure, lest the FTP server go online unconfigured or half-configured.
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.