Message-Id: <200711081321.lA8DL2eX074736@www.freebsd.org>
Date: Thu, 8 Nov 2007 13:21:02 GMT
From: Igor Marijko <im@sv.ua>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftpd: remote ftp user possible leave chrooted environment in 7.0-BETA2
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         117922
>Category:       bin
>Synopsis:       ftpd(8): remote ftp user possible leave chrooted environment in 7.0-BETA2
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 08 13:30:01 UTC 2007
>Closed-Date:    
>Last-Modified:  Mon Jan 14 00:37:53 UTC 2008
>Originator:     Igor Marijko
>Release:        FreeBSD 7.0-BETA2
>Organization:
sv
>Environment:
FreeBSD bsd2.SV.UA 7.0-BETA2 FreeBSD 7.0-BETA2 #0: Fri Nov  2 16:47:33 UTC 2007     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The ftpd included in FreeBSD allows a remote ftp user to leave the chrooted
(via /etc/ftpchroot) environment within the bounds of the partition.

The bug is also present in 5.4-RELEASE and 6.2-RELEASE (and may be in other versions).
>How-To-Repeat:
Using a default installation,
uncomment the following line in /etc/inetd.conf:
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -ll
add the line 'inetd_enable="YES"' to /etc/rc.conf

and start inetd using '/etc/rc.d/inetd start'.

Create a new user, for example 'admin',
and add the login of this user to /etc/ftpchroot.

After that, using any ftp client (FAR manager), connect to our ftpd as
'admin'. Create any directory on the ftp server and 'cd' into it.

If the user is in some folder (the user session root changed to /home/admin)
and in the meantime this directory is moved by another user outside the chroot
directory (/home/admin) within the bounds of the partition (to
"/usr/local/www/data" for example), the ftp user going out of the directory
(cd ..) leaves the chroot directory and gains access to files on the partition.


>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
