After upgrading 0.7 RC1 to 0.7.4919 (presumably stable), I observe following:
- proftpd.conf allows groups wheel and ftp (not only ftp as listed in release notes)
- user transmission is a member of group ftp
which means that user transmission is still able to login to FTP (of course if its password is bruteforced)
Group 50 (ftp) is assigned to user transmission as result of entry in config file, which is created during upgrade in some old version. So I suppose, now config upgrade routine should delete that entry from config,xml.
My temporary solution is to add <Limit LOGIN="">DenyUser transmission</Limit> to advanced config in proftpd.
You are right,
the user management is crap in FreeNAS, but i hope 0.8 will be a new beginning.
Regards
Volker