ftpd: Exit during authentication if an error occurs after chroot().

admbug: 969 Security: CVE-2020-7468
author: Mark Johnston <markj@FreeBSD.org> 2020-09-15 20:54:18 +0000
committer: Mark Johnston <markj@FreeBSD.org> 2020-09-15 20:54:18 +0000
commit: 2ac431003bde2219848a31064a02ceecc834fead (patch)
tree: 55ef43ef86634e702236a652667c451a71fec258 /libexec
parent: 9673f305038f6d71a92b1ba94aa84a3b36d0aa6d (diff)
download: src-test2-2ac431003bde2219848a31064a02ceecc834fead.tar.gz
src-test2-2ac431003bde2219848a31064a02ceecc834fead.zip
1 files changed, 11 insertions, 4 deletions
diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index 38fc9ebb4778..043c896406fd 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -1595,13 +1595,20 @@ skip:
 	 *    (uid 0 has no root power over NFS if not mapped explicitly.)
 	 */
 	if (seteuid(pw->pw_uid) < 0) {
-		reply(550, "Can't set uid.");
-		goto bad;
+		if (guest || dochroot) {
+			fatalerror("Can't set uid.");
+		} else {
+			reply(550, "Can't set uid.");
+			goto bad;
+		}
 	}
+	/*
+	 * Do not allow the session to live if we're chroot()'ed and chdir()
+	 * fails. Otherwise the chroot jail can be escaped.
+	 */
 	if (chdir(homedir) < 0) {
 		if (guest || dochroot) {
-			reply(550, "Can't change to base directory.");
-			goto bad;
+			fatalerror("Can't change to base directory.");
 		} else {
 			if (chdir("/") < 0) {
 				reply(550, "Root is inaccessible.");
author	Mark Johnston <markj@FreeBSD.org>	2020-09-15 20:54:18 +0000
committer	Mark Johnston <markj@FreeBSD.org>	2020-09-15 20:54:18 +0000
commit	2ac431003bde2219848a31064a02ceecc834fead (patch)
tree	55ef43ef86634e702236a652667c451a71fec258 /libexec
parent	9673f305038f6d71a92b1ba94aa84a3b36d0aa6d (diff)
download	src-test2-2ac431003bde2219848a31064a02ceecc834fead.tar.gz src-test2-2ac431003bde2219848a31064a02ceecc834fead.zip