current-users: NetBSD Security Advisory 2000-006

Subject: NetBSD Security Advisory 2000-006
To: None <netbsd-announce@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: current-users
Date: 05/28/2000 23:48:29
-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-006
                 =================================

Topic:		/etc/ftpchroot parsing broken in NetBSD-1.4.2
Version:	NetBSD 1.4.2 only
Severity:	medium to high if using /etc/ftpchroot, none if not.


Abstract
========

A fix which attempted to make ftpd's parsing of /etc/ftpusers more
robust was incorrect, and broke parsing of /etc/ftpchroot, allowing
users listed in /etc/ftpchroot access to files outside their home
directory.

Technical Details
=================

The chroot(2) system call, short for "change root", restricts a
process to only be able to access a subtree of the filesystem.

/etc/ftpchroot specifies users who are allowed to log in using ftp
with a password, but are chroot'ed to their home directory, preventing
them from accessing files outside their home directory via FTP.  The
incorrect fix in 1.4.2 caused the chroot call to not occur, allowing
them regular, unpriviledged access to files outside their home
directory via FTP.  

Solutions and Workarounds
=========================

The fix is to back out the incorrect half of the fix.

This problem affects only NetBSD-1.4.2 and versions of NetBSD-current
between 19990930 and 19991212; it does not affect NetBSD-1.4.1 or
earlier, or versions of NetBSD-current after 19991212 or before 19990930.

If you do not need to use /etc/ftpchroot, you do not need to take any
action.

If you're running NetBSD-current fetched between the above dates,
update to a newer version of NetBSD-current.

If you're runing NetBSD-1.4.2, fetch the following patch, apply it to
src/libexec/ftpd/ftpd.c using the patch(1) command, rebuild and
reinstall ftpd, and kill off any existing FTP daemons (to ensure that
any improperly granted access is revoked).

    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000527-ftpd

Since the patch is small, it is reproduced inline here:

*** ftpd.c	1999/10/01 12:08:06	1.61.2.1
- --- ftpd.c	2000/05/11 10:14:37	1.61.2.2
***************
*** 489,496 ****
  		if (glob == NULL || glob[0] == '#')
  			continue;
  		perm = strtok(NULL, " \t\n");
- - 		if (perm == NULL)
- - 			continue;
  		if (fnmatch(glob, name, 0) == 0)  {
  			if (perm != NULL &&
  			    ((strcasecmp(perm, "allow") == 0) ||
- --- 489,494 ----

Thanks To
=========

Paul J. Lavoie <pjl@ilx.com> for reporting the problem
Luke Mewburn <lukem@netbsd.org> for verifying the fix.


Revision History
================

	20000527	original draft of advisory


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 200X, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-006.txt,v 1.1 2000/05/28 04:15:23 sommerfeld Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOTG4MT5Ru2/4N2IFAQFMPgP+O4apS+65HzYRT/OlY9PeqfBxaMjjfHjc
Yg/C8l/cGAmluzWHTiy6TX0GFm14qgvcf/2lom9OSHvfpWYWK8QT0ZbMODbLjb3S
hrwaN63SeX3PRJ7QrhGbWPAyavuO3lvyt8v+G7CIIponaIK/XzOCyhT3eaLtn1BE
uD3itgQRtIU=
=245w
-----END PGP SIGNATURE-----