From owner-freebsd-bugs@FreeBSD.ORG  Sat Apr 24 05:40:08 2004
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0B82D16A4CE
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 24 Apr 2004 05:40:08 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E39D343D3F
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 24 Apr 2004 05:40:07 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	i3OCe7bv072026	for <freebsd-bugs@freefall.freebsd.org>;
	Sat, 24 Apr 2004 05:40:07 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i3OCe78g072025;
	Sat, 24 Apr 2004 05:40:07 -0700 (PDT)
	(envelope-from gnats)
Resent-Date: Sat, 24 Apr 2004 05:40:07 -0700 (PDT)
Resent-Message-Id: <200404241240.i3OCe78g072025@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Eugene Grosbein <eugen@grosbein.pp.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9B4B516A4CE; Sat, 24 Apr 2004 05:33:45 -0700 (PDT)
Received: from grosbein.pp.ru (grgw.svzserv.kemerovo.su [213.184.64.130])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id B81CF43D60; Sat, 24 Apr 2004 05:33:43 -0700 (PDT)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (eugen@localhost [127.0.0.1])
	by grosbein.pp.ru (8.12.11/8.12.11) with ESMTP id i3OCXdXq001402;
	Sat, 24 Apr 2004 20:33:39 +0800 (KRAST)
	(envelope-from eugen@grosbein.pp.ru)
Received: (from eugen@localhost)
	by grosbein.pp.ru (8.12.11/8.12.11/Submit) id i3OCXctq001401;
	Sat, 24 Apr 2004 20:33:38 +0800 (KRAST)
	(envelope-from eugen)
Message-Id: <200404241233.i3OCXctq001401@grosbein.pp.ru>
Date: Sat, 24 Apr 2004 20:33:38 +0800 (KRAST)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: yar@FreeBSD.org
Subject: bin/65928: [PATCH] stock ftpd uses superuser credentials for active
	mode sockets
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Eugene Grosbein <eugen@grosbein.pp.ru>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Apr 2004 12:40:08 -0000


>Number:         65928
>Category:       bin
>Synopsis:       [PATCH] stock ftpd uses superuser credentials for active mode sockets
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 24 05:40:07 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.10-BETA i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD grosbein.pp.ru 4.10-BETA FreeBSD 4.10-BETA #0: Sun Apr 11 15:43:04 KRAST 2004 eu@grosbein.pp.ru:/usr/local/obj/usr/local/src/sys/DADV i386

>Description:
		ftpd(8) has to switch euid to 0 when it needs to bind(2)
		a socket to a port 'ftp-data' for active mode transfer.
		Now uses seteuid/socket/bind/... sequence. So the socket
		belongs to the superuser and data flow is matched
		by rules similar to:

		ipfw add count tcp from me 20 to any uid root

		The sequence socket/seteuid/bind results in another situation:
		the socket belongs to the authenticated user and
		data flow is matched by rules similar to:

		ipfw add count tcp from me 20 to any uid ftp

		That's much better. That makes it possible to engage
		all the power of system credential control.
		Ftp traffic can be shaped using dummynet per-user,
		for example. It can be easily accounted or blocked, too.
		The same for ordinary user's traffic.
		
>How-To-Repeat:

		Use rules like this:

ipfw add 1 count tcp from 127.0.0.1 ftp-data to any uid root out
ipfw add 2 count tcp from 127.0.0.1 ftp-data to any uid ftp out

		Connect to local ftpd, turn passive mode off and do 'ls'.
		Then see ipfw rules counters.

>Fix:

		Apply next patch:

--- ftpd.c.orig	Fri Apr 23 20:42:47 2004
+++ ftpd.c	Fri Apr 23 20:43:23 2004
@@ -1792,7 +1792,6 @@
 
 	if (data >= 0)
 		return (fdopen(data, mode));
-	(void) seteuid((uid_t)0);
 
 	s = socket(data_dest.su_family, SOCK_STREAM, 0);
 	if (s < 0)
@@ -1802,6 +1801,7 @@
 	/* anchor socket to avoid multi-homing problems */
 	data_source = ctrl_addr;
 	data_source.su_port = htons(dataport);
+	(void) seteuid((uid_t)0);
 	for (tries = 1; ; tries++) {
 		if (bind(s, (struct sockaddr *)&data_source,
 		    data_source.su_len) >= 0)


Eugene Grosbein
>Release-Note:
>Audit-Trail:
>Unformatted: