author | Mark Johnston <markj@FreeBSD.org> | 2020-09-15 20:55:13 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2020-09-15 20:55:13 +0000 |
commit | ff1e565f5a1708c18f58cddf8566bd79cca9cdea (patch) | |
tree | 1a7d694a03815a2b21cbf8c92e153c058c491c19 /libexec | |
parent | 3294cd04c6a48cfaa8196e19d5129ab44cfb6ca1 (diff) | |
download | src-test2-ff1e565f5a1708c18f58cddf8566bd79cca9cdea.tar.gz src-test2-ff1e565f5a1708c18f58cddf8566bd79cca9cdea.zip |
MFC r365771:
ftpd: Exit during authentication if an error occurs after chroot().
admbug: 969
Security: CVE-2020-7468
Notes
Notes:
svn path=/stable/12/; revision=365772
Diffstat (limited to 'libexec')
-rw-r--r-- | libexec/ftpd/ftpd.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index 38fc9ebb4778..043c896406fd 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -1595,13 +1595,20 @@ skip:
 * (uid 0 has no root power over NFS if not mapped explicitly.)
 */
 if (seteuid(pw->pw_uid) < 0) {
- reply(550, "Can't set uid.");
- goto bad;
+ if (guest || dochroot) {
+ fatalerror("Can't set uid.");
+ } else {
+ reply(550, "Can't set uid.");
+ goto bad;
+ }
 }
+ /*
+ * Do not allow the session to live if we're chroot()'ed and chdir()
+ * fails. Otherwise the chroot jail can be escaped.
+ */
 if (chdir(homedir) < 0) {
 if (guest || dochroot) {
- reply(550, "Can't change to base directory.");
- goto bad;
+ fatalerror("Can't change to base directory.");
 } else {
 if (chdir("/") < 0) {
 reply(550, "Root is inaccessible."); |
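Review bot: The new `fatalerror("Can't set uid.")` branch under `if (guest || dochroot) {` has no comment, while the added comment sits above `chdir(homedir)` and names only chdir(), so a reader of the seteuid() block cannot see why guest/chroot logins are fatal and ordinary logins still `goto bad`. I would add inside that branch something like `/* Past chroot(): any failure must end the session rather than return to the command loop. */`, which matches the commit title. Both fatal branches depend on `fatalerror()` never returning, and its definition is outside this hunk, so that is worth confirming; if it could return, control would fall through to `chdir(homedir)` with the effective uid unchanged. The enclosing function starts and ends outside the hunk, so the chroot() call and the `bad:` label cannot be checked from here.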