[Original text] Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources.
FreeBSD contains a flaw that may allow a malicious user to access the platform. The issue is triggered when a malicious user logs onto the victim system using a passwordless account "ftp" that is automatically created by sysinstall, while an authorized user is running the sysinstall utility. It is possible that the flaw may allow shell access (via /bin/date) resulting in a loss of integrity.
It is possible to correct the flaw by implementing the following workaround: use the vipw command to change "ftp::" to "ftp:*:" and the shell from "/bin/date" to "/nonexistent".
Also, FreeBSD has released a patch.
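
A check for the condition the workaround above corrects, as an added example (not part of the original entry or of FreeBSD's patch): it reads a passwd-style file and reports whether the ftp entry has an empty password field or a shell other than /nonexistent. The function name and the sample entries, including the UID, GID and home directory, are constructed for illustration.

```shell
#!/bin/sh
# Audit the "ftp" account in a passwd(5)- or master.passwd(5)-style file.
# In both layouts field 2 is the password and the last field is the shell.

# audit_ftp_account FILE
#   prints one finding per line, "OK" if the entry matches the workaround,
#   or "ABSENT" if the file has no ftp entry.
audit_ftp_account() {
    awk -F: '
        /^#/        { next }                 # skip comment lines
        $1 != "ftp" { next }                 # only the ftp account matters here
        {
            found = 1
            if ($2 == "") {                  # "ftp::" means no password at all
                print "EMPTY_PASSWORD"; bad = 1
            }
            if ($NF != "/nonexistent") {     # workaround sets the shell to /nonexistent
                print "SHELL " $NF; bad = 1
            }
        }
        END {
            if (!found)    print "ABSENT"
            else if (!bad) print "OK"
        }
    ' "$1"
}

# Constructed sample entries in master.passwd layout (not from a real system).
vulnerable_entry='ftp::14:5::0:0:Anonymous FTP Admin:/var/ftp:/bin/date'
fixed_entry='ftp:*:14:5::0:0:Anonymous FTP Admin:/var/ftp:/nonexistent'

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\n%s\n' "$vulnerable_entry" > "$demo_dir/before"
printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\n%s\n' "$fixed_entry" > "$demo_dir/after"

echo "before workaround:"; audit_ftp_account "$demo_dir/before"
echo "after workaround:";  audit_ftp_account "$demo_dir/after"
```

On a live system the file to pass is /etc/master.passwd, which only root can read.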