documentation is wrong for ftp server

Bug #1484717 reported by harp
This bug affects 1 person

Affects: Ubuntu Server Guide
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I selected security vulnerability since this document leads the reader to believe that authenticated access is insecure and can pick Anonymous access thinking that Anonymous is secure when it really is very insecure.

https://help.ubuntu.com/lts/serverguide/ftp-server.html

The documentation is wrong for this section:

------------------

In the Anonymous mode, remote clients can access the FTP server by using the default user account called "anonymous" or "ftp" and sending an email address as the password. In the Authenticated mode a user must have an account and a password. This latter choice is very insecure and should not be used except in special circumstances.

---------------

This documentation is telling the user that authenticated mode is very insecure when I think the author meant to say that Anonymous is very insecure.

latter choice means the second choice. The author means to say the first choice. Regardless they should be more specific and say Anonymous or Authenticated. If someone else were to edit this they might not look at the generic term 'latter' and could reverse the order or add a different option.

Thanks.

Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks for your concern, harp, but I can't see how you would achieve better security by hiding this report, where you point out the possible problem.

information type: Private Security → Public
harp (harpss-r) wrote : Re: [Bug 1484717] Re: documentation is wrong for ftp server

Hi Gunnar,

My intention was not to hide the report, merely to highlight that it is a security issue. I have no objection to it being public and would have specified so had I known.

Thanks for your prompt response

Harp

> On Aug 13, 2015, at 3:26 PM, Gunnar Hjalmarsson <email address hidden> wrote:
>
> Thanks for your concern, harp, but I can't see how you would achieve
> better security by hiding this report, where you point out the possible
> problem.
>
> ** Information type changed from Private Security to Public

Doug Smythies (dsmythies) wrote :

I believe the text as it is written is correct. Authenticated FTP is very insecure, because nothing is encrypted. We don't really care as much about anonymous, because it doesn't involve real passwords.

Peter Matuils: Do you have an opinion? Otherwise I will set this one to invalid.

The real root issue is to not use FTP at all, and we do debate taking this stuff out of the serverguide entirely.

Changed in serverguide:
status: New → Invalid
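
Added example (not part of the bug report or of any participant's comment): the distinction drawn in the last comment, that a plain-FTP login exposes a real account password while an anonymous login exposes only an e-mail address, written as a small audit over FTP control-channel commands. The input format, function names and sample sessions are assumptions constructed for illustration.

```python
# Added illustration; not code from the bug report or the Ubuntu Server Guide.
# Assumed input: per session, the client-to-server FTP control-channel lines
# that were readable on the wire (e.g. from a packet decoder or proxy log).

ANON_USERS = {"anonymous", "ftp"}  # anonymous accounts named in the guide text


def classify_session(commands):
    """Return (label, user) for one session's visible client commands."""
    user, asked_tls = None, False
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            asked_tls = True  # RFC 4217 upgrade request; success hides the rest
        elif verb == "USER":
            user = arg.lower()
        elif verb == "PASS" and user is not None:
            # A readable PASS means no encryption was in effect, even if the
            # client asked for TLS first and fell back after a refusal.
            if user in ANON_USERS:
                return ("anonymous", user)  # "password" is only an e-mail address
            return ("cleartext-credentials", user)  # real account password exposed
    return ("tls-requested" if asked_tls else "no-login", user)


def exposed_accounts(sessions):
    """Sorted account names whose real password crossed the wire unencrypted."""
    hits = {classify_session(cmds) for cmds in sessions.values()}
    return sorted(u for label, u in hits if label == "cleartext-credentials")


# Constructed sample sessions (all names and values are made up).
SAMPLE = {
    "s1": ["USER anonymous", "PASS guest@example.org", "RETR README"],
    "s2": ["USER alice", "PASS constructed-secret", "LIST"],
    "s3": ["AUTH TLS"],  # upgrade accepted: nothing further is readable
    "s4": ["AUTH TLS", "USER bob", "PASS constructed-secret"],  # fell back
    "s5": ["user FTP", "pass x@example.org"],  # verbs are case-insensitive
}

if __name__ == "__main__":
    for sid, cmds in SAMPLE.items():
        print(sid, classify_session(cmds)[0])
    print("accounts with exposed passwords:", exposed_accounts(SAMPLE))
```

Session s4 is the case to watch: the client asked for TLS, but a readable USER/PASS afterwards shows the upgrade did not happen and the account password was sent in the clear.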