Security question regarding /etc/nas/config/wd-nas.conf

After probing the setup/config in the search for where/how to remove the “public” folder, or to chroot jail all users to that folder, I came across a section in the file wd-nas.conf

FTP Login Support

supportFTPLogin=“apollo_user:4poll0_u!”

For real? A backdoor delivered straight out of the box?

I tried to connect to my NAS via FTP with the login and the user is rejected.

But I have the same section in my config file. Is it really a security problem?

I am not being hostile, but it warrants a few questions.

  1. Why is it there?

  2. Who can activate the account?

  3. Why is this info omitted in the supplied manuals?

Of course, if there is a way to reach the NAS with this login without our approval, there is a major problem and this MUST be clarified.

knutlar wrote:

After probing the setup/config in the search for where/how to remove the “public” folder, or to chroot jail all users to that folder, I came across a section in the file wd-nas.conf

 

FTP Login Support

supportFTPLogin=“apollo_user:4poll0_u!”

 

For real? A backdoor delivered straight out of the box?

The wd-nas.conf file isn’t an “active” configuration. It just contains configuration variables that are used to create the live configuration data.

All you have to do is examine the actual FTP configuration file and see that information is NOT used.

Heck; just try logging in via FTP to the box and try those credentials…  they don’t work.

If you want to keep digging into it, just grep through the various scripts for references to the variable “supportFTPLogin” to see where it’s referenced and how it’s used.
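One way to run the check described above (pull the user out of the variable, grep the scripts for the variable name, and look for a live account) as a single script. This is an added example, not code from the thread or from WD's firmware; the config file, scripts directory, passwd file and FTP user-list paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread or the WD firmware: audit whether a
# credential held in a template config (wd-nas.conf style KEY="value") is
# consumed anywhere: referenced by scripts, or present as a live account.
# Every path is passed in by the caller; none of them is assumed to be WD's.

# Print the user name from supportFTPLogin="user:password". Only [A-Za-z0-9_]
# is kept before the colon, so straight or curly quotes are skipped.
ftp_login_user() {
    sed -n 's/^supportFTPLogin=[^A-Za-z0-9_]*\([A-Za-z0-9_]*\):.*/\1/p' "$1"
}

# Count files under directory $2 that mention variable name $1.
script_refs() {
    find "$2" -type f -exec grep -l "$1" {} + 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 if $1 is an entry in any of the given files: either a passwd-style
# "user:..." line or a bare one-name-per-line user list (vsftpd userlist style).
user_active() {
    user="$1"; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -q "^$user:" "$f" && return 0
        grep -qx "$user" "$f" && return 0
    done
    return 1
}

# Arguments: conf file, scripts dir, then any number of account/user-list files.
# Returns 0 when the variable looks inert (no script references, no live account).
audit_ftp_login() {
    conf="$1"; scripts="$2"; shift 2
    user=$(ftp_login_user "$conf")
    [ -n "$user" ] || { echo "supportFTPLogin not set in $conf"; return 0; }
    refs=$(script_refs supportFTPLogin "$scripts")
    echo "user=$user script_references=$refs"
    status=0
    [ "$refs" = "0" ] || { echo "variable is read by $refs file(s); inspect them"; status=1; }
    if user_active "$user" "$@"; then
        echo "live account '$user' exists"; status=1
    else
        echo "no live account '$user'"
    fi
    return $status
}
```

On a real box you would point it at /etc/nas/config/wd-nas.conf, the firmware's script directories, /etc/passwd and the vsftpd user-list file, and read any file the reference count flags.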

Thank you for your answer, Tony; with 23300 posts I'll think twice before disagreeing with you :wink: And as you suggested, I tested the login info before posting here of course, with no luck logging on. If I had been able to log on, well…

But that does not mean that it's all sunshine; all it takes is one little script to activate those settings, or export them to the vsftpd.conf file. Truth be told, I haven't searched all the scripts on this install.

And why would SUPPORT want FTP access?

Leaving redundant code in config files is nothing new; take a look at sshd_config. But leaving “redundant” ACCOUNTS hidden is another level of stupidity/control. Here there be dragons, my friend. After running OpenBSD for 18 years, it makes me extremely wary. I don't have a tinfoil hat, but I sure am considering making one :wink:

knutlar wrote:

And why would SUPPORT want FTP access?

It’s not for THEM to FTP into YOUR box.

It’s so that your box can upload to THEIR FTP servers.

Go into your My Cloud. Select SUPPORT. Click the little box that says “Attach my device’s diagnostics report…”

and see the privacy policy.