From owner-freebsd-bugs@FreeBSD.ORG Thu Nov 8 13:30:01 2007 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 813DE16A418 for ; Thu, 8 Nov 2007 13:30:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 5408213C4AA for ; Thu, 8 Nov 2007 13:30:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id lA8DU1u7017922 for ; Thu, 8 Nov 2007 13:30:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id lA8DU1L8017920; Thu, 8 Nov 2007 13:30:01 GMT (envelope-from gnats) Resent-Date: Thu, 8 Nov 2007 13:30:01 GMT Resent-Message-Id: <200711081330.lA8DU1L8017920@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Igor Marijko Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BE96816A418 for ; Thu, 8 Nov 2007 13:21:20 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id 9D98313C4A5 for ; Thu, 8 Nov 2007 13:21:20 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.1/8.14.1) with ESMTP id lA8DL2SA074737 for ; Thu, 8 Nov 2007 13:21:02 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.14.1/8.14.1/Submit) id lA8DL2eX074736; Thu, 8 Nov 2007 13:21:02 GMT (envelope-from nobody) Message-Id: <200711081321.lA8DL2eX074736@www.freebsd.org> Date: Thu, 8 Nov 2007 13:21:02 GMT From: Igor Marijko To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: bin/117922: ftpd: remote ftp user possible leave chrooted environment in 7.0-BETA2 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Nov 2007 13:30:01 -0000 >Number: 117922 >Category: bin >Synopsis: ftpd: remote ftp user possible leave chrooted environment in 7.0-BETA2 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 08 13:30:01 UTC 2007 >Closed-Date: >Last-Modified: >Originator: Igor Marijko >Release: FreeBSD 7.0-BETA2 >Organization: sv >Environment: FreeBSD bsd2.SV.UA 7.0-BETA2 FreeBSD 7.0-BETA2 #0: Fri Nov 2 16:47:33 UTC 2007 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 >Description: ftpd included in FreeBSD allows remote ftp user leave chrooted (via /etc/ftpchroot) environment within the bounds of the parition. Bug also present in 5.4-RELEASE and 6.2-RELEASE (and may be in other versions) >How-To-Repeat: Using default instalations, uncoment next line in /etc/inetd.conf ftp stream tcp nowait root /usr/libexec/ftpd ftpd -ll add line 'inetd_enable="YES"' to /etc/rc.conf and start inetd using '/etc/rc.d/inetd start' create new user, for example 'admin' and add login of this user to /etc/ftpchroot After that using any ftp client (FAR manager) connect to our ftpd as 'admin'. Create on ftp any directory and 'cd' into it. If user been in some folder (user session root changed to /home/admin) and in time this directory has been moved by another user outside chroot directory (/home/admin) within the bounds of the parition (to "/usr/local/www/data" for example). Ftp user going out directory (cd ..) leave chroot directory and grand access to files on partition. >Fix: >Release-Note: >Audit-Trail: >Unformatted: