From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 21:02:03 2011
Date: Fri, 30 Dec 2011 01:01:56 +0400
From: Andrey Chernov
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG, Doug Barton, John Baldwin
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
Message-ID: <20111229210156.GA58409@vniz.net>
In-Reply-To: <4EFCD37F.5030401@delphij.net>
On Thu, Dec 29, 2011 at 12:54:23PM -0800, Xin Li wrote:
> On 12/29/11 12:46, Andrey Chernov wrote:
> [...]
> > In case user (more precisely, ftpd) runs any program which resides
> > in /incoming/, nothing helps in any case. In case ftpd runs known
> > programs from known locations only, it can't be overridden because
> > known program
>
> No it doesn't run external programs.

I know) So, there are two problems as a result:

1) Wrong chroot() setup (i.e. all programs and directories are owned by the user, not by root). The way to fight it is a better explanation in both the chroot(2) and ftpd(8) man pages.

2) Loading .so from the current directory. This should be fixed in the code by either calling an rtld function or setting an rtld env variable.

--
http://ache.vniz.net/
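As an added example (not code from this thread or from FreeBSD), a small audit that walks a chroot tree and reports the two problems named above: entries not owned by the trusted uid or writable by group/other, and shared objects sitting in such directories. The baseline rules, the "incoming" exception and the sample tree are assumptions, not taken from the email.

```python
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def audit_chroot(root, trusted_uid=0, writable_ok=("incoming",)):
    """Return sorted (relative_path, problem) pairs for a chroot tree.
    Assumed baseline (not from the email): everything is owned by trusted_uid,
    only writable_ok dirs may be group/other-writable, no .so in such dirs."""
    allowed = tuple(os.path.normpath(p) for p in writable_ok)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dir_st = os.lstat(dirpath)
        for name in [None] + sorted(files):
            path = dirpath if name is None else os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.relpath(path, root))
            st = os.lstat(path)
            if st.st_uid != trusted_uid:
                findings.append((rel, "not owned by uid %d" % trusted_uid))
            # Symlinks show as lrwxrwxrwx on most systems, so ignore their mode bits.
            writable = not stat.S_ISLNK(st.st_mode) and bool(st.st_mode & WRITE_BITS)
            in_upload_area = any(rel == a or rel.startswith(a + os.sep) for a in allowed)
            if writable and not in_upload_area:
                findings.append((rel, "writable by group/other"))
            dir_untrusted = dir_st.st_uid != trusted_uid or dir_st.st_mode & WRITE_BITS
            if name is not None and ".so" in name and dir_untrusted:
                findings.append((rel, "shared object in untrusted directory"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a chroot whose world-writable pub/ holds a .so."""
    for d, mode in (("bin", 0o755), ("lib", 0o755), ("incoming", 0o1777), ("pub", 0o777)):
        os.mkdir(os.path.join(base, d))
        os.chmod(os.path.join(base, d), mode)
    for f in ("bin/ls", "lib/libfake.so", "pub/libfake.so"):
        open(os.path.join(base, f), "w").close()
        os.chmod(os.path.join(base, f), 0o644)
    return base


def demo(trusted_uid=None):
    """Audit the sample tree; defaults to the caller's uid because a test
    cannot create root-owned files (a real audit of an ftpd chroot uses 0)."""
    root = build_sample_tree(tempfile.mkdtemp())
    uid = os.getuid() if trusted_uid is None else trusted_uid
    return audit_chroot(root, trusted_uid=uid)
```

Run `demo()` to see the findings for the constructed tree; point `audit_chroot` at a real chroot with `trusted_uid=0` to check a deployed setup.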