-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2000-006 ================================= Topic: /etc/ftpchroot parsing broken in NetBSD-1.4.2 Version: NetBSD 1.4.2 only Severity: medium to high if using /etc/ftpchroot, none if not. Abstract ======== A fix which attempted to make ftpd's parsing of /etc/ftpusers more robust was incorrect, and broke parsing of /etc/ftpchroot, allowing users listed in /etc/ftpchroot access to files outside their home directory. Technical Details ================= The chroot(2) system call, short for "change root", restricts a process to only be able to access a subtree of the filesystem. /etc/ftpchroot specifies users who are allowed to log in using ftp with a password, but are chroot'ed to their home directory, preventing them from accessing files outside their home directory via FTP. The incorrect fix in 1.4.2 caused the chroot call to not occur, allowing them regular, unpriviledged access to files outside their home directory via FTP. Solutions and Workarounds ========================= The fix is to back out the incorrect half of the fix. This problem affects only NetBSD-1.4.2 and versions of NetBSD-current between 19990930 and 19991212; it does not affect NetBSD-1.4.1 or earlier, or versions of NetBSD-current after 19991212 or before 19990930. If you do not need to use /etc/ftpchroot, you do not need to take any action. If you're running NetBSD-current fetched between the above dates, update to a newer version of NetBSD-current. If you're runing NetBSD-1.4.2, fetch the following patch, apply it to src/libexec/ftpd/ftpd.c using the patch(1) command, rebuild and reinstall ftpd, and kill off any existing FTP daemons (to ensure that any improperly granted access is revoked). ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000527-ftpd Since the patch is small, it is reproduced inline here: *** ftpd.c 1999/10/01 12:08:06 1.61.2.1 - --- ftpd.c 2000/05/11 10:14:37 1.61.2.2 *************** *** 489,496 **** if (glob == NULL || glob[0] == '#') continue; perm = strtok(NULL, " \t\n"); - - if (perm == NULL) - - continue; if (fnmatch(glob, name, 0) == 0) { if (perm != NULL && ((strcasecmp(perm, "allow") == 0) || - --- 489,494 ---- Thanks To ========= Paul J. Lavoie for reporting the problem Luke Mewburn for verifying the fix. Revision History ================ 20000527 original draft of advisory More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 200X, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2000-006.txt,v 1.1 2000/05/28 04:15:23 sommerfeld Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBOTG4MT5Ru2/4N2IFAQFMPgP+O4apS+65HzYRT/OlY9PeqfBxaMjjfHjc Yg/C8l/cGAmluzWHTiy6TX0GFm14qgvcf/2lom9OSHvfpWYWK8QT0ZbMODbLjb3S hrwaN63SeX3PRJ7QrhGbWPAyavuO3lvyt8v+G7CIIponaIK/XzOCyhT3eaLtn1BE uD3itgQRtIU= =245w -----END PGP SIGNATURE-----