Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 8 Nov 2007 13:21:02 GMT
From:      Igor Marijko <im@sv.ua>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   bin/117922: ftpd: remote ftp user possible leave chrooted environment in 7.0-BETA2
Message-ID:  <200711081321.lA8DL2eX074736@www.freebsd.org>
Resent-Message-ID: <200711081330.lA8DU1L8017920@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         117922
>Category:       bin
>Synopsis:       ftpd: remote ftp user possible leave chrooted environment in 7.0-BETA2
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 08 13:30:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Igor Marijko
>Release:        FreeBSD 7.0-BETA2
>Organization:
sv
>Environment:
FreeBSD bsd2.SV.UA 7.0-BETA2 FreeBSD 7.0-BETA2 #0: Fri Nov  2 16:47:33 UTC 2007     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
ftpd included in FreeBSD allows remote ftp user leave chrooted (via /etc/ftpchroot) environment within the bounds of the parition.  

Bug also present in 5.4-RELEASE and 6.2-RELEASE (and may be in other versions)
>How-To-Repeat:
Using default instalations,
uncoment next line in /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -ll 
add line 'inetd_enable="YES"' to /etc/rc.conf

and start inetd using '/etc/rc.d/inetd start'

create new user, for example 'admin'
and add login of this user to /etc/ftpchroot

After that using any ftp client (FAR manager) connect to our ftpd as 'admin'. Create on ftp any directory and 'cd' into it.
If user been in some folder (user session root changed to /home/admin) and in time this directory has been moved by another user outside chroot directory (/home/admin) within the bounds of the parition (to "/usr/local/www/data" for example). Ftp user going out directory (cd ..) leave chroot directory and grand access to files on partition.


>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200711081321.lA8DL2eX074736>