aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGordon Tetlow <gordon@FreeBSD.org>2020-09-15 21:47:44 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2020-09-15 21:47:44 +0000
commit777d0c0c7a0c6e31a962ac38047d959bcdcc6f3d (patch)
tree4fcc278a5a4aeb97ea3be58cb3dfddc1600f5e36
parent8c81deb6b04970a1e38557ad928972492161d647 (diff)
downloadsrc-777d0c0c7a0c6e31a962ac38047d959bcdcc6f3d.tar.gz
src-777d0c0c7a0c6e31a962ac38047d959bcdcc6f3d.zip
Fix ftpd privilege escalation via ftpchroot.
Approved by: so Approved by: re (implicit for releng/12.2) Security: FreeBSD-SA-20:30.ftpd Security: CVE-2020-7468
Notes
Notes: svn path=/releng/11.4/; revision=365781
-rw-r--r--libexec/ftpd/ftpd.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index badabacb348b..c057fdc7b500 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -1593,13 +1593,20 @@ skip:
* (uid 0 has no root power over NFS if not mapped explicitly.)
*/
if (seteuid(pw->pw_uid) < 0) {
- reply(550, "Can't set uid.");
- goto bad;
+ if (guest || dochroot) {
+ fatalerror("Can't set uid.");
+ } else {
+ reply(550, "Can't set uid.");
+ goto bad;
+ }
}
+ /*
+ * Do not allow the session to live if we're chroot()'ed and chdir()
+ * fails. Otherwise the chroot jail can be escaped.
+ */
if (chdir(homedir) < 0) {
if (guest || dochroot) {
- reply(550, "Can't change to base directory.");
- goto bad;
+ fatalerror("Can't change to base directory.");
} else {
if (chdir("/") < 0) {
reply(550, "Root is inaccessible.");