[ CC: jhb and rwatson ] On 23:52+0900, Oct 3, 2002, [EMAIL PROTECTED] wrote:
> Hello.
> Last night I was trying to start an anonymous ftp server on my
> -current box for my local network. I made a mistake in vipw:
>
> ftp:*:44444:44444:Unprivileged user:/sbin/nologin:/home/mp3
>
> i.e., wrote a path to a script where a directory is needed, and a directory
> where the path to the shell is needed. Without noticing, I started ftpd in
> standalone mode, and logged in as user ftp, when the box panicked:
>
> # /usr/libexec/ftpd -AD
> # ftp -4 localhost
>
> On a 4.7-RC1 box, this just spewed an error message in /var/log/messages
> and didn't panic, and man 2 chroot doesn't state it should.
> If there's something other than the backtrace (attached), let me know.

Yep, chroot("") panics -current. AFAIU the problem is in rev. 1.268 of
sys/kern/vfs_syscalls.c: we call vrele(9) in NDFREE(9) on an already
vrele-ed vnode (change_dir() cares about that). Here is my patch, but I
need someone with more experience in this area.

Index: vfs_syscalls.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.305
diff -u -r1.305 vfs_syscalls.c
--- vfs_syscalls.c	13 Jan 2003 00:28:55 -0000	1.305
+++ vfs_syscalls.c	20 Jan 2003 15:51:52 -0000
@@ -542,8 +542,10 @@
 	if ((error = change_dir(&nd, td)) != 0)
 		goto error;
 #ifdef MAC
-	if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp)))
+	if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) {
+		vput(vp);
 		goto error;
+	}
 #endif
 	FILEDESC_LOCK(fdp);
 	if (chroot_allow_open_directories == 0 ||
@@ -567,7 +569,7 @@
 	FILEDESC_UNLOCK(fdp);
 error:
 	mtx_unlock(&Giant);
-	NDFREE(&nd, 0);
+	NDFREE(&nd, NDF_ONLY_PNBUF);
 	return (error);
 }
%%%

-- 
Maxim Konovalov, [EMAIL PROTECTED], [EMAIL PROTECTED], +7 (095) 7969079
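Review bot: in the first hunk (the MAC block after change_dir() succeeds) the added `vput(vp);` releases a variable that nothing in the hunk shows assigned, while the check it guards operates on `nd.ni_vp`; if the intent is to drop the lookup reference that change_dir() left alive on success, release `nd.ni_vp` by name, and pick the call to match the lock state (vput() expects a locked vnode, so if change_dir() hands the vnode back unlocked on success, vrele() is the right call). The same explicit release is owed on any other `goto error` taken after change_dir() has succeeded, including the chroot_allow_open_directories block that follows in the context lines.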
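Review bot: in the second hunk, switching the `error:` label to `NDFREE(&nd, NDF_ONLY_PNBUF)` stops the second vrele() after a change_dir() failure, but the success path also falls into this label (`FILEDESC_UNLOCK(fdp);` runs straight into `error:`), so the reference namei() took on nd.ni_vp is no longer dropped there; that path must now either release it explicitly or account for it as the reference installed into the new root, otherwise every successful chroot(2) leaks one vnode reference. A short comment at the label stating who owns nd.ni_vp on each path (and the same in the commit message) would make the contract reviewable.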
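The double release described in the message above, modelled in user space as an added example. This is not FreeBSD source and not part of the thread: vrele, namei, change_dir, ndfree and NDF_ONLY_PNBUF are stand-ins that copy the kernel interfaces only as far as reference ownership goes, the two paths are constructed inputs, and the "vnode" records a double release instead of corrupting memory so the bug is observable rather than a crash.

```c
/*
 * Added example, not FreeBSD source: a user-space model of the chroot(2)
 * double vrele() discussed above.  A "vnode" is a refcounted struct,
 * namei() takes one reference, change_dir() drops it itself when it fails
 * (as the kernel helper does), and a single cleanup label decides what to
 * free.  All names are stand-ins for the kernel interfaces.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { VDIR, VREG };

struct vnode {
	int refcnt;
	int type;
	int double_release;	/* set when refcnt is dropped below zero */
};

struct nameidata {
	struct vnode *ni_vp;	/* vnode found by namei(), NULL on failure */
	char *ni_pnbuf;		/* pathname buffer owned by the nameidata */
};

#define NDF_ONLY_PNBUF 1	/* free only ni_pnbuf, keep the ni_vp reference */

/* Drop one reference; record a double release instead of corrupting memory. */
static void vrele(struct vnode *vp)
{
	if (--vp->refcnt < 0)
		vp->double_release = 1;
}

/* namei(9) stand-in: resolves two constructed paths against caller vnodes. */
static int namei(struct nameidata *nd, const char *path,
    struct vnode *dir, struct vnode *file)
{
	nd->ni_vp = NULL;
	nd->ni_pnbuf = NULL;
	if (strcmp(path, "/home/ftp") == 0)
		nd->ni_vp = dir;
	else if (strcmp(path, "/sbin/nologin") == 0)
		nd->ni_vp = file;
	else
		return ENOENT;
	nd->ni_pnbuf = malloc(strlen(path) + 1);
	if (nd->ni_pnbuf == NULL)
		return ENOMEM;
	strcpy(nd->ni_pnbuf, path);
	nd->ni_vp->refcnt++;		/* the lookup reference */
	return 0;
}

/* change_dir() stand-in: on failure it releases the vnode itself. */
static int change_dir(struct nameidata *nd)
{
	if (nd->ni_vp->type != VDIR) {
		vrele(nd->ni_vp);
		return ENOTDIR;
	}
	return 0;
}

/* NDFREE(9) stand-in: flags 0 also drops ni_vp; NDF_ONLY_PNBUF frees the buffer only. */
static void ndfree(struct nameidata *nd, int flags)
{
	free(nd->ni_pnbuf);
	nd->ni_pnbuf = NULL;
	if (!(flags & NDF_ONLY_PNBUF) && nd->ni_vp != NULL)
		vrele(nd->ni_vp);
}

/* Pre-patch shape: every failure jumps to a label that does NDFREE(&nd, 0). */
static int chroot_buggy(const char *path, struct vnode *dir,
    struct vnode *file, struct vnode **rootp)
{
	struct nameidata nd;
	int error;

	if ((error = namei(&nd, path, dir, file)) != 0)
		goto error;
	if ((error = change_dir(&nd)) != 0)
		goto error;		/* change_dir() already dropped the reference */
	*rootp = nd.ni_vp;		/* the lookup reference becomes the root's */
	nd.ni_vp = NULL;		/* keep the label from dropping it */
error:
	ndfree(&nd, 0);			/* second vrele() after a change_dir() failure */
	return error;
}

/* Patched shape: the label frees only the path buffer, so the reference is
 * dropped exactly once, by whichever path owns it. */
static int chroot_fixed(const char *path, struct vnode *dir,
    struct vnode *file, struct vnode **rootp)
{
	struct nameidata nd;
	int error;

	if ((error = namei(&nd, path, dir, file)) != 0)
		goto error;
	if ((error = change_dir(&nd)) != 0)
		goto error;		/* change_dir() owns the release on failure */
	*rootp = nd.ni_vp;		/* success: reference transferred, not dropped */
error:
	ndfree(&nd, NDF_ONLY_PNBUF);
	return error;
}

/* Run one scenario on fresh vnodes (a directory and a regular file, like the
 * mis-edited passwd entry) and report the looked-up vnode's final refcnt,
 * or -1 on a double release or an unexpected error code. */
static int scenario(int fixed, const char *path, int expect_error)
{
	struct vnode dir = { 0, VDIR, 0 }, file = { 0, VREG, 0 }, *root = NULL;
	struct vnode *target = strcmp(path, "/home/ftp") == 0 ? &dir : &file;
	int error = fixed ? chroot_fixed(path, &dir, &file, &root)
			  : chroot_buggy(path, &dir, &file, &root);

	if (error != expect_error || target->double_release)
		return -1;
	return target->refcnt;
}

int main(void)
{
	printf("buggy, home is a file: %d\n", scenario(0, "/sbin/nologin", ENOTDIR));
	printf("fixed, home is a file: %d\n", scenario(1, "/sbin/nologin", ENOTDIR));
	printf("fixed, home is a dir:  %d\n", scenario(1, "/home/ftp", 0));
	return 0;
}
```

The point the model makes explicit is the ownership rule a shared cleanup label needs: a helper that releases a resource on its own failure path has taken ownership of it, so the caller's label must not touch it again, and the success path must state whether the reference is dropped or transferred. In the model the second run ends with refcnt 0 and no double release, and the successful chroot leaves exactly one reference on the new root.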