From owner-freebsd-bugs  Mon May 18 13:24:49 1998
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id NAA23802
          for freebsd-bugs-outgoing; Mon, 18 May 1998 13:24:49 -0700 (PDT)
          (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA23713
          for <freebsd-bugs@FreeBSD.org>; Mon, 18 May 1998 13:24:29 -0700 (PDT)
          (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.8.8/8.8.5) id NAA20892;
	Mon, 18 May 1998 13:20:03 -0700 (PDT)
Received: from gw.jmrodgers.com (gw.jmrodgers.com [205.247.224.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA22572
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 18 May 1998 13:20:30 -0700 (PDT)
          (envelope-from max@gw.jmrodgers.com)
Received: (from max@localhost)
	by gw.jmrodgers.com (8.8.8/8.8.8) id QAA04914;
	Mon, 18 May 1998 16:20:00 -0400 (EDT)
	(envelope-from max)
Message-Id: <199805182020.QAA04914@gw.jmrodgers.com>
Date: Mon, 18 May 1998 16:20:00 -0400 (EDT)
From: meuston@jmrodgers.com
Reply-To: meuston@jmrodgers.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/6682: [Patch] ftpd(8) does not check default group in config files
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         6682
>Category:       bin
>Synopsis:       [Patch] ftpd(8) does not check default group in config files
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 18 13:20:01 PDT 1998
>Last-Modified:
>Originator:     Max Euston
>Organization:
>Release:        FreeBSD 2.2.5-STABLE i386
>Environment:

	-STABLE (and -CURRENT w/ offset=7 lines)

>Description:

ftpd(8) allows '@gname' in /etc/ftpusers and /etc/ftpchroot to specify
that group name 'gname' is A) not allowed to login or B) required to
chroot to their home directory respectively.  The program however, ONLY
checks supplementary group names (in /etc/group), and NOT the default group
(in /etc/passwd).

[I have marked this PR "serious/high" since it is likely that there are
other systems configured as mine was (until recently) that mistakenly
either A) allowed unauthorized logins or B) allowed restricted users
enhanced access.]

>How-To-Repeat:

Add an entry to /etc/ftpusers or /etc/ftpchroot and then 'vipw' to add
a new user in the specified group.  Try to ftp with that user id.

>Fix:
	
diff -u /usr/src/libexec/ftpd/ftpd.c ./ftpd.c
--- /usr/src/libexec/ftpd/ftpd.c	Fri Feb 20 17:19:38 1998
+++ ./ftpd.c	Mon May 18 14:35:40 1998
@@ -234,7 +234,7 @@
 #endif
 static void	 ack __P((char *));
 static void	 myoob __P((int));
-static int	 checkuser __P((char *, char *));
+static int	 checkuser __P((char *, char *, int));
 static FILE	*dataconn __P((char *, off_t, char *));
 static void	 dolog __P((struct sockaddr_in *));
 static char	*curdir __P((void));
@@ -777,8 +777,8 @@
 
 	guest = 0;
 	if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) {
-		if (checkuser(_PATH_FTPUSERS, "ftp") ||
-		    checkuser(_PATH_FTPUSERS, "anonymous"))
+		if (checkuser(_PATH_FTPUSERS, "ftp", 0) ||
+		    checkuser(_PATH_FTPUSERS, "anonymous", 0))
 			reply(530, "User %s access denied.", name);
 #ifdef VIRTUAL_HOSTING
 		else if ((pw = sgetpwnam(thishost->anonuser)) != NULL) {
@@ -809,7 +809,7 @@
 				break;
 		endusershell();
 
-		if (cp == NULL || checkuser(_PATH_FTPUSERS, name)) {
+		if (cp == NULL || checkuser(_PATH_FTPUSERS, name, 1)) {
 			reply(530, "User %s access denied.", name);
 			if (logging)
 				syslog(LOG_NOTICE,
@@ -840,9 +840,10 @@
  * Check if a user is in the file "fname"
  */
 static int
-checkuser(fname, name)
+checkuser(fname, name, pwset)
 	char *fname;
 	char *name;
+	int pwset;
 {
 	FILE *fd;
 	int found = 0;
@@ -863,6 +864,14 @@
 
 					if ((grp = getgrnam(line+1)) == NULL)
 						continue;
+					/*
+					 * Check user's default group
+					 */
+					if (pwset && grp->gr_gid == pw->pw_gid)
+						found = 1;
+					/*
+					 * Check supplementary groups
+					 */
 					while (!found && grp->gr_mem[i])
 						found = strcmp(name,
 							grp->gr_mem[i++])
@@ -1009,7 +1018,7 @@
 #ifdef	LOGIN_CAP	/* Allow login.conf configuration as well */
 		login_getcapbool(lc, "ftp-chroot", 0) ||
 #endif
-		checkuser(_PATH_FTPCHROOT, pw->pw_name);
+		checkuser(_PATH_FTPCHROOT, pw->pw_name, 1);
 	if (guest) {
 		/*
 		 * We MUST do a chdir() after the chroot. Otherwise
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message