Date: Tue, 15 Sep 2020 20:56:15 +0000 (UTC) From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r365773 - stable/11/libexec/ftpd Message-ID: <202009152056.08FKuFbL015824@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Tue Sep 15 20:56:14 2020 New Revision: 365773 URL: https://svnweb.freebsd.org/changeset/base/365773 Log: MFC r365771: ftpd: Exit during authentication if an error occurs after chroot(). admbug: 969 Security: CVE-2020-7468 Modified: stable/11/libexec/ftpd/ftpd.c Directory Properties: stable/11/ (props changed) Modified: stable/11/libexec/ftpd/ftpd.c ============================================================================== --- stable/11/libexec/ftpd/ftpd.c Tue Sep 15 20:55:13 2020 (r365772) +++ stable/11/libexec/ftpd/ftpd.c Tue Sep 15 20:56:14 2020 (r365773) @@ -1593,13 +1593,20 @@ skip: * (uid 0 has no root power over NFS if not mapped explicitly.) */ if (seteuid(pw->pw_uid) < 0) { - reply(550, "Can't set uid."); - goto bad; + if (guest || dochroot) { + fatalerror("Can't set uid."); + } else { + reply(550, "Can't set uid."); + goto bad; + } } + /* + * Do not allow the session to live if we're chroot()'ed and chdir() + * fails. Otherwise the chroot jail can be escaped. + */ if (chdir(homedir) < 0) { if (guest || dochroot) { - reply(550, "Can't change to base directory."); - goto bad; + fatalerror("Can't change to base directory."); } else { if (chdir("/") < 0) { reply(550, "Root is inaccessible.");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202009152056.08FKuFbL015824>