Date: Tue, 15 Sep 2020 20:55:13 +0000 (UTC) From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r365772 - stable/12/libexec/ftpd Message-ID: <202009152055.08FKtDl6015735@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Tue Sep 15 20:55:13 2020 New Revision: 365772 URL: https://svnweb.freebsd.org/changeset/base/365772 Log: MFC r365771: ftpd: Exit during authentication if an error occurs after chroot(). admbug: 969 Security: CVE-2020-7468 Modified: stable/12/libexec/ftpd/ftpd.c Directory Properties: stable/12/ (props changed) Modified: stable/12/libexec/ftpd/ftpd.c ============================================================================== --- stable/12/libexec/ftpd/ftpd.c Tue Sep 15 20:54:18 2020 (r365771) +++ stable/12/libexec/ftpd/ftpd.c Tue Sep 15 20:55:13 2020 (r365772) @@ -1595,13 +1595,20 @@ skip: * (uid 0 has no root power over NFS if not mapped explicitly.) */ if (seteuid(pw->pw_uid) < 0) { - reply(550, "Can't set uid."); - goto bad; + if (guest || dochroot) { + fatalerror("Can't set uid."); + } else { + reply(550, "Can't set uid."); + goto bad; + } } + /* + * Do not allow the session to live if we're chroot()'ed and chdir() + * fails. Otherwise the chroot jail can be escaped. + */ if (chdir(homedir) < 0) { if (guest || dochroot) { - reply(550, "Can't change to base directory."); - goto bad; + fatalerror("Can't change to base directory."); } else { if (chdir("/") < 0) { reply(550, "Root is inaccessible.");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202009152055.08FKtDl6015735>