I suggest the patch below. Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

--- linux-ftpd-0.17/ftpd/popen.c.bak    1999-07-16 11:12:54.000000000 +1000
+++ linux-ftpd-0.17/ftpd/popen.c        2006-08-25 13:31:33.950447078 +1000
@@ -169,8 +169,13 @@
                 * XXX: this doesn't seem right... and shouldn't
                 * we initgroups, or at least setgroups(0,0)?
                 */
-               setgid(getegid());
-               setuid(i);
+
+/*
+ * PSz 25 Aug 06  Must check the return status of these setgid/setuid calls,
+ * see  http://www.bress.net/blog/archives/34-setuid-madness.html
+ */
+               if ( setgid(geteuid())  != 0 ) _exit(1);
+               if ( setuid(i)          != 0 ) _exit(1);
  
 #ifndef __linux__
 /* 
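Review bot: The first new statement, `setgid(geteuid())`, passes a user id to setgid() where the removed line passed `getegid()`; unless that substitution is deliberate, the child's group becomes whatever gid happens to be numerically equal to the effective uid, and with the new check the child will `_exit(1)` wherever that gid cannot be set. The line should read `if (setgid(getegid()) != 0) _exit(1);`. Checking both return values and exiting on failure is the right direction, since continuing after a failed setuid() would leave the child running with the server's privileges. The existing XXX comment directly above still asks about initgroups()/setgroups(); since the new comment block already documents the privilege-drop sequence, it would be the natural place to either resolve that question or state why supplementary groups are left as they are. The enclosing function starts and ends outside the hunk.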
--- linux-ftpd-0.17/ftpd/ftpd.c.bak     2006-08-25 12:53:25.277537000 +1000
+++ linux-ftpd-0.17/ftpd/ftpd.c 2006-08-25 13:46:28.798975583 +1000
@@ -1159,6 +1159,13 @@
                }
                strcpy(pw->pw_dir, "/");
                setenv("HOME", "/", 1);
+       }
+       /* PSz 25 Aug 06  chdir for real users done after setting UID */
+       if (seteuid((uid_t)pw->pw_uid) < 0) {
+               reply(550, "Can't set uid.");
+               goto bad;
+       }
+       if (guest || dochroot) { /* do nothing, handled above */
        } else if (chdir(pw->pw_dir) < 0) {
                if (chdir("/") < 0) {
                        reply(530, "User %s: can't change directory to %s.",
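Review bot: The re-opened `if (guest || dochroot) { /* do nothing, handled above */ } else if (chdir(pw->pw_dir) < 0) {` uses an empty then-branch solely to reach the else; the same control flow reads more directly as `if (!guest && !dochroot && chdir(pw->pw_dir) < 0) {`, with the inner if/else left unchanged. Moving the seteuid() ahead of the chdir() is the substantive part of this hunk: the directory change previously ran before the seteuid() block that the next hunk removes, so a home directory the user cannot enter is now rejected by chdir() under the user's credentials instead of being entered with the server's. That next hunk also adds a stray blank `+` line in place of the removed block, which the surrounding code does not have. The enclosing function starts and ends outside the hunk.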
@@ -1167,10 +1174,7 @@
                } else
                        lreply(230, "No directory! Logging in with home=/");
        }
-       if (seteuid((uid_t)pw->pw_uid) < 0) {
-               reply(550, "Can't set uid.");
-               goto bad;
-       }
+
        sigfillset(&allsigs);
        sigprocmask(SIG_UNBLOCK,&allsigs,NULL);
 
@@ -1408,7 +1412,8 @@
                        goto bad;
                sleep(tries);
        }
-       (void) seteuid((uid_t)pw->pw_uid);
+/* PSz 25 Aug 06  Check return status */
+       if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
        sigfillset(&allsigs);
        sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
 
@@ -1440,7 +1445,8 @@
 bad:
        /* Return the real value of errno (close may change it) */
        t = errno;
-       (void) seteuid((uid_t)pw->pw_uid);
+/* PSz 25 Aug 06  Check return status */
+       if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
        sigfillset (&allsigs);
        sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
        (void) close(s);

