Subject: security/4130: ftpd permits access to users with null shell
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@tater.mines.edu>
List: netbsd-bugs
Date: 09/21/1997 09:08:56
>Number:         4130
>Category:       security
>Synopsis:       ftpd permits access to users with null shell
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 21 08:20:01 1997
>Last-Modified:
>Originator:     Jim Bernard
>Organization:
	Speaking for myself
>Release:        Sept. 21, 1997
>Environment:
System: NetBSD zoo 1.2G NetBSD 1.2G (ZOO) #0: Sat Jul 19 12:48:58 MDT 1997 jim@zoo:/jaz/home/local/compile/sys/arch/i386/compile/ZOO i386


>Description:
	According to ftpd(8):

	   The user must have a standard shell returned by
	   getusershell(3).

	However, if the user has no shell specified in /etc/master.passwd,
	ftpd _assumes_ /bin/sh and allows access if other access checks
	succeed.  This is clearly a deliberate feature, but is contrary
	to the documented (and, I believe, proper) behavior.

>How-To-Repeat:
	Read the code and note assumption of _PATH_BSHELL if null shell,
	and/or create a user account with null shell and see that access
	is granted.

>Fix:
--- ftpd.c-dist	Thu Sep 18 05:40:28 1997
+++ ftpd.c	Sun Sep 21 08:47:41 1997
@@ -561,11 +561,11 @@
 pass(passwd)
 	char *passwd;
 {
 	int rval;
 	FILE *fd;
-	char *cp, *shell;
+	char *cp;
 
 	if (logged_in || askpasswd == 0) {
 		reply(503, "Login with USER first.");
 		return;
 	}
@@ -629,14 +629,12 @@
 			    remotehost, pw->pw_name);
 		pw = (struct passwd *) NULL;
 		return;
 	}
 	/* check for valid shell, if not guest user */
-	if ((shell = pw->pw_shell) == NULL || *shell == 0)
-		shell = _PATH_BSHELL;
 	while ((cp = getusershell()) != NULL)
-		if (strcmp(cp, shell) == 0)
+		if (strcmp(cp, pw->pw_shell) == 0)
 			break;
 	endusershell();
 	if (cp == NULL && guest == 0) {
 		reply(530, "User %s may not use FTP.", pw->pw_name);
 		if (logging)
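Review bot: In the second hunk, the new strcmp(cp, pw->pw_shell) call passes pw->pw_shell straight to strcmp, dropping the NULL test that the removed line "if ((shell = pw->pw_shell) == NULL || *shell == 0)" performed, so a NULL pw_shell would now be dereferenced inside the getusershell() loop. Suggest keeping an explicit test ahead of the while loop that handles a NULL or empty pw_shell by setting cp to NULL and skipping the loop, so the existing "cp == NULL && guest == 0" branch issues the 530 reply. That makes the rejection of a null shell deliberate rather than a side effect of strcmp failing to match, and it would be worth a short comment there saying an empty shell field is no longer treated as _PATH_BSHELL.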
>Audit-Trail:
>Unformatted: