author | Gordon Tetlow <gordon@FreeBSD.org> | 2020-09-15 21:47:44 +0000 |
---|---|---|
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2020-09-15 21:47:44 +0000 |
commit | 777d0c0c7a0c6e31a962ac38047d959bcdcc6f3d (patch) | |
tree | 4fcc278a5a4aeb97ea3be58cb3dfddc1600f5e36 | |
parent | 8c81deb6b04970a1e38557ad928972492161d647 (diff) | |
Fix ftpd privilege escalation via ftpchroot.
Approved by: so
Approved by: re (implicit for releng/12.2)
Security: FreeBSD-SA-20:30.ftpd
Security: CVE-2020-7468
Notes:
svn path=/releng/11.4/; revision=365781
-rw-r--r-- | libexec/ftpd/ftpd.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c index badabacb348b..c057fdc7b500 100644 --- a/libexec/ftpd/ftpd.c +++ b/libexec/ftpd/ftpd.c @@ -1593,13 +1593,20 @@ skip: * (uid 0 has no root power over NFS if not mapped explicitly.) */ if (seteuid(pw->pw_uid) < 0) { - reply(550, "Can't set uid."); - goto bad; + if (guest || dochroot) { + fatalerror("Can't set uid."); + } else { + reply(550, "Can't set uid."); + goto bad; + } } + /* + * Do not allow the session to live if we're chroot()'ed and chdir() + * fails. Otherwise the chroot jail can be escaped. + */ if (chdir(homedir) < 0) { if (guest || dochroot) { - reply(550, "Can't change to base directory."); - goto bad; + fatalerror("Can't change to base directory."); } else { if (chdir("/") < 0) { reply(550, "Root is inaccessible."); |
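Review bot: The seteuid() failure branch becomes fatal for guest || dochroot sessions with no comment saying why, while the new comment block only covers the chdir() case below it. Both branches now call fatalerror() under the same condition, presumably for the same reason (a chroot()'ed session must not stay alive after a failed setup step), so consider moving the comment above the seteuid() check or wording it to cover both, for example "Do not allow the session to live if we're chroot()'ed and seteuid() or chdir() fails." The non-chroot seteuid() path still does reply(550, "Can't set uid.") followed by goto bad, so it would help to note that keeping the session alive there is intentional. Also worth a line in the commit message: for guest and chroot users the client no longer receives the 550 replies removed here but whatever fatalerror() sends, which is a visible protocol change for anyone matching on those responses.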