Subject: NetBSD Security Advisory 2000-006
To: None <>
From: NetBSD Security Officer <>
List: current-users
Date: 05/28/2000 23:48:29

                 NetBSD Security Advisory 2000-006

Topic:		/etc/ftpchroot parsing broken in NetBSD-1.4.2
Version:	NetBSD 1.4.2 only
Severity:	medium to high if using /etc/ftpchroot, none if not.


A fix which attempted to make ftpd's parsing of /etc/ftpusers more
robust was incorrect, and broke parsing of /etc/ftpchroot, allowing
users listed in /etc/ftpchroot access to files outside their home

Technical Details

The chroot(2) system call, short for "change root", restricts a
process to only be able to access a subtree of the filesystem.

/etc/ftpchroot specifies users who are allowed to log in using ftp
with a password, but are chroot'ed to their home directory, preventing
them from accessing files outside their home directory via FTP.  The
incorrect fix in 1.4.2 caused the chroot call to not occur, allowing
them regular, unpriviledged access to files outside their home
directory via FTP.  

Solutions and Workarounds

The fix is to back out the incorrect half of the fix.

This problem affects only NetBSD-1.4.2 and versions of NetBSD-current
between 19990930 and 19991212; it does not affect NetBSD-1.4.1 or
earlier, or versions of NetBSD-current after 19991212 or before 19990930.

If you do not need to use /etc/ftpchroot, you do not need to take any

If you're running NetBSD-current fetched between the above dates,
update to a newer version of NetBSD-current.

If you're runing NetBSD-1.4.2, fetch the following patch, apply it to
src/libexec/ftpd/ftpd.c using the patch(1) command, rebuild and
reinstall ftpd, and kill off any existing FTP daemons (to ensure that
any improperly granted access is revoked).


Since the patch is small, it is reproduced inline here:

*** ftpd.c	1999/10/01 12:08:06
- --- ftpd.c	2000/05/11 10:14:37
*** 489,496 ****
  		if (glob == NULL || glob[0] == '#')
  		perm = strtok(NULL, " \t\n");
- - 		if (perm == NULL)
- - 			continue;
  		if (fnmatch(glob, name, 0) == 0)  {
  			if (perm != NULL &&
  			    ((strcasecmp(perm, "allow") == 0) ||
- --- 489,494 ----

Thanks To

Paul J. Lavoie <> for reporting the problem
Luke Mewburn <> for verifying the fix.

Revision History

	20000527	original draft of advisory

More Information

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 200X, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-006.txt,v 1.1 2000/05/28 04:15:23 sommerfeld Exp $

Version: 2.6.3ia
Charset: noconv