From nobody@FreeBSD.org  Thu Jan  1 18:49:39 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A9B0316A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  1 Jan 2004 18:49:39 -0800 (PST)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E3B1643D1D
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  1 Jan 2004 18:49:38 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.10/8.12.10) with ESMTP id i022ncdL042411
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 1 Jan 2004 18:49:38 -0800 (PST)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.10/8.12.10/Submit) id i022ncGL042410;
	Thu, 1 Jan 2004 18:49:38 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200401020249.i022ncGL042410@www.freebsd.org>
Date: Thu, 1 Jan 2004 18:49:38 -0800 (PST)
From: Alexander Melkov <melkov@comptek.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftpd should not allow anonymous users to delete files [patch]
X-Send-Pr-Version: www-2.0

>Number:         60809
>Category:       bin
>Synopsis:       ftpd should not allow anonymous users to delete files [patch]
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    yar
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 01 18:50:08 PST 2004
>Closed-Date:    Mon Feb 16 08:21:28 PST 2004
>Last-Modified:  Mon Feb 16 08:21:28 PST 2004
>Originator:     Alexander Melkov
>Release:        4.9-STABLE
>Organization:
>Environment:
>Description:
As man ftpd says, "by default, anonymous users cannot modify existing files". Anyway, current ftpd code allows them to delete existing files, provided that access rights are correct.
This is, in effect, very much like allowing to modify.

Combining SUIDDIR and -M flag to ftpd is not a good workaround.
>How-To-Repeat:
run
/usr/libexec/ftpd -ADllS
(may be other flags, but not -m).

create mode 1777 incoming directory in appropriate location.

Using ftp client, create and then delete a file in incoming.

>Fix:
ftpd.c is 1.62.2.51
melkov:/usr/src/libexec/ftpd# diff ftpd.c.orig ftpd.c
2450c2450
<       if (unlink(name) < 0) {
---
>       if ((guest && noguestmod) || unlink(name) < 0) {

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: anholt 
State-Changed-When: Wed Jan 7 11:28:40 PST 2004 
State-Changed-Why:  
Committed to -current, thanks! 


Responsible-Changed-From-To: freebsd-bugs->anholt 
Responsible-Changed-By: anholt 
Responsible-Changed-When: Wed Jan 7 11:28:40 PST 2004 
Responsible-Changed-Why:  
Committed to -current, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60809 
Responsible-Changed-From-To: anholt->freebsd-bugs 
Responsible-Changed-By: anholt 
Responsible-Changed-When: Wed Jan 28 00:50:08 PST 2004 
Responsible-Changed-Why:  
Return this to freebsd-bugs.  I'm leaving for 3 months and won't be doing 
FreeBSD things. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60809 
Responsible-Changed-From-To: freebsd-bugs->yar 
Responsible-Changed-By: yar 
Responsible-Changed-When: Sat Feb 7 07:03:44 PST 2004 
Responsible-Changed-Why:  
I'll finish the work. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60809 

From: Yar Tikhiy <yar@freebsd.org>
To: melkov@comptek.ru, anholt@freebsd.org
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/60809: ftpd should not allow anonymous users to delete files [patch]
Date: Sat, 7 Feb 2004 18:28:44 +0300

 Gentlemen,
 
 Please note that the standard library function perror(3),
 its modern variants err(3) and warn(3), and ftpd-specific
 perror_reply() are to be used if and only if the failed
 operation to report about has set the errno variable to
 indicate a particular system error.
 Therefore the patch to ftpd.c one of you proposed and the
 other committed without a thorough review was not quite
 correct.  Please be more careful.  Thank you.
 
 -- 
 Yar
State-Changed-From-To: patched->closed 
State-Changed-By: yar 
State-Changed-When: Mon Feb 16 08:17:36 PST 2004 
State-Changed-Why:  
This bug has been fixed in CURRENT & STABLE, thanks! 
I've also fixed a similar bug WRT renaming files. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60809 
>Unformatted:
