RE: [cobalt-users] FTP weirdness
- Subject: RE: [cobalt-users] FTP weirdness
- From: "Jolley, Carl" <Carl.Jolley@xxxxxxx>
- Date: Mon Aug 12 12:57:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
-----Original Message-----
From: Mike Smith
Sent: Monday, August 12, 2002 3:26 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] FTP weirdness
A client of mine has been testing a shell script from their linux box (not
on the same network as my Raq4i's)....the shell script performs a backup
from their linux box to their domain via ftp. This client has 2 domains, and
due to the fact that no user can have the same "user name" on a Raq4, this
is how things are set up (names are changed to protect the innocent):
first domain: my-domain-number1.com
user/siteadmin: jsmith
password: 12345
second domain: my-domain-number2.com
user/siteadmin: smith
password: 12345
Here's the weird part....in the shell script, the user was to connect via
ftp to "my-domain-number2.com", but inadvertently used his user name for
site#1....when the script connected, it actually sent the user to
"my-domain-number1.com" even though "my-domain-number2.com" was specified as
the domain to which it should connect. The shell script performed as it
should, uploading files to the (wrong) domain. This was only brought to my
attention when the Raq4 sent an email for domain number #1 being over quota.
Curiosity led me to attempt to do the same via a windoze ftp client. I set
the windoze ftp client to connect to "some-domain.com" using a login and
password for a _different_ domain "some-other-domain.com" (on the same
server)....when the ftp client connected, it appeared to connect to the
_proper_ IP address for "some-domain.com" yet the directories and files were
those for "some-other-domain.com" !
It appears that no matter which domain name is placed into the ftp client,
if the login and password are _that_ of another domain on the SAME machine,
the ftp client will connect to the _other_ domain.
This does not happen across different Raq's, I tried that, it only happens
for domains on the same box.
Anyone ever seen this before? It looks like a security issue to me, but I
could be wrong.
If I haven't been very clear, please do not hesitate to contact me and I
will attempt to explain it a little better.
-------------------------
My guess is that the two different domains resolve to the same IP
address. This is very common and typical. Some Raq's DO support multiple
different IP addresses but most do not. Usually the separate virtual domains
share the same IP address and the web server figures out which virtual server
is being used by the domain name. However FTP doesn't do anything similar.
The only thing the system knows is that when a person logs in they specify a
valid user and a valid password and as a result they are logged into the
associated home directory. Since the log in is actually done by IP address
(after DNS resolves the name to an IP address) the actual domain name used
does not matter.
I don't know of a way to avoid this kind of user error. There's only
one set of users for the entire box, i.e. there's only one /etc/passwd file.
That's why you can't have a duplicate user name. If a given person has
multiple user/passwords they should be careful to use the correct one when
logging in with FTP. BTW, the same caveats apply to telnet/SSH.
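
An added example, not part of the original thread or written by either poster: a server-side pre-flight check that catches the mix-up described above by deriving the site from the account's home directory in the box's single passwd file, since the hostname typed into the FTP client plays no part in where the login lands. The `/home/sites/<domain>/users/<user>` layout, the sample passwd lines and all function names are assumptions made for illustration.

```python
import posixpath

SITES_ROOT = "/home/sites"  # assumed home-directory layout, not taken from the thread

# Constructed sample in passwd format, using the placeholder names from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jsmith:x:501:110:J Smith:/home/sites/my-domain-number1.com/users/jsmith:/bin/false
smith:x:502:111:Smith:/home/sites/my-domain-number2.com/users/smith:/bin/false
"""


def parse_passwd(text):
    """Return {username: home_dir}; malformed or comment lines are skipped."""
    homes = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not fields[0].startswith("#"):
            homes[fields[0]] = fields[5]
    return homes


def site_of(home):
    """Site that owns a home directory, or None if it is outside SITES_ROOT."""
    parts = posixpath.normpath(home).split("/")
    root = SITES_ROOT.split("/")
    if parts[:len(root)] == root and len(parts) > len(root):
        return parts[len(root)]
    return None


def check_target(homes, intended_domain, user):
    """Return (ok, message): does this login land in the intended site?"""
    if user not in homes:
        return False, f"unknown user {user!r}"
    site = site_of(homes[user])
    if site != intended_domain:
        return False, f"{user!r} lands in {site!r}, not {intended_domain!r}"
    return True, f"{user!r} lands in {intended_domain!r}"


if __name__ == "__main__":
    homes = parse_passwd(SAMPLE_PASSWD)
    # The backup script's mistake: site #2 as the hostname, site #1's user name.
    for domain, user in [("my-domain-number2.com", "jsmith"),
                         ("my-domain-number2.com", "smith")]:
        ok, msg = check_target(homes, domain, user)
        print("OK  " if ok else "FAIL", msg)
```

Run against the real `/etc/passwd` before a scheduled upload, this flags the wrong-account case that otherwise only surfaced through the over-quota e-mail.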