The vsftpd init script sources the configuration file /etc/vsftpd/vsftpd.conf. This is dangerous because in the vsftpd configuration file strings including blanks can be used without quoting. Now when you source a file containing a line like ftpd_banner=Welcome to my ftpserver. bash will set 'ftpd_banner=Welcome' and try to execute the command 'to my ftpserver'. Which luckily in my case just produced 'to: command not found' Now imagine what will happen if one puts in the config file a line like test=Strange reboot or worse: beware=never rm -rf / It consider it a bad idea to source files to bash that were not written with that purpose. In the case of the vsftpd init script, it is merely intended to check the config file for the occurrence of a specific configuration line. This can easily be done by some other means, eg. grep. See my patch in attachment. I have not made a systematic search (yet), but I would not be surprised to find such improper use of the source command in other places too. Reproducible: Always Steps to Reproduce: 1. Add a line 'ftpd_banner=Welcome to my FTP server' to /etc/vsftp/vsftpd.conf 2. /etc/init.d/vsftpd start 3. Actual Results: runscript.sh: to: command not found Expected Results: Not try to execute the 'to' command
Created attachment 31943 [details, diff] Patch for the vsftpd init script (vsftpd-1.2.1) This is the patch with my changes to the vsftpd init script, as mentioned in the bug report.
*** Bug 53245 has been marked as a duplicate of this bug. ***
updated cvs, thanks Benedict.
