Date: Tue, 2 Jan 2001 19:26:13 -0800 (PST)
From: me@me.me.com
Sender: nobody@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: "CWD" discloses the full "real" path in a chroot environment (freebsd 4.2-stable approx. december 11th)
X-Send-Pr-Version: www-1.0

>Number:         24034
>Category:       misc
>Synopsis:       "CWD" discloses the full "real" path in a chroot environment (freebsd 4.2-stable approx. december 11th)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 02 19:30:01 PST 2001
>Closed-Date:    Fri Feb 8 18:47:46 PST 2002
>Last-Modified:  Fri Feb 08 18:47:58 PST 2002
>Originator:     me
>Release:        
>Organization:
Netomics
>Environment:
FreeBSD me.com 4.2-STABLE FreeBSD 4.2-STABLE #0: Mon Dec 11 08:58:19 EST 2000
>Description:
A user in the /etc/ftpchroot file shouldn't be able to disclose the "Real" directory they are in.
>How-To-Repeat:
1) Connect to a FreeBSD FTP server w/ a valid account that is chrooted (i.e. the ftp "/" directory is really "/somedir/whatever/")
2) "CWD" will show you 550 CWD /somedir/whatever/[servername]: no such file or directory


>Fix:


>Release-Note:
>Audit-Trail:

From: Daniel Hagan <dhagan@colltech.com>
To: freebsd-gnats-submit@FreeBSD.org
Cc: danny@FreeBSD.org, des@FreeBSD.org
Subject: Re: misc/24034: "CWD" discloses the full "real" path in a chroot 
 environment (freebsd 4.2-stable approx. december 11th)
Date: Wed, 03 Jan 2001 11:31:55 -0500

 It looks to me like this was fixed in r. 1.18 of ftpcmd.y (2000/11/26). 
 I can't test it to be sure, but the log messages indicate something to
 that effect, and the code doesn't look like it should leak anymore. 
 Perhaps someone should roll this back into STABLE as well (r. 1.16.x.x I
 think)?
 
 Daniel
 

From: George Reid <greid@ukug.uk.freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:  
Subject: Re: misc/24034: "CWD" discloses the full "real" path in a chroot
 environment (freebsd 4.2-stable approx. december 11th) (fwd)
Date: Wed, 3 Jan 2001 17:28:24 +0000 (GMT)

 [Reposted s/t tracked by GNATS]
 
 This patch fixes:
 
 Index: ftpcmd.y
 ===================================================================
 RCS file: /usr/cvs/src/libexec/ftpd/ftpcmd.y,v
 retrieving revision 1.19
 diff -u -r1.19 ftpcmd.y
 --- ftpcmd.y	2000/12/16 19:19:19	1.19
 +++ ftpcmd.y	2001/01/03 03:52:35
 @@ -76,6 +76,7 @@
  extern	int logged_in;
  extern	struct passwd *pw;
  extern	int guest;
 +extern	int dochroot;
  extern 	int paranoid;
  extern	int logging;
  extern	int type;
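
Review bot: the added `extern int dochroot;` is a hand-written declaration for a variable defined outside this file, so nothing at compile time checks that the type here matches the definition. Suggest a one-line comment saying what the flag represents (the report concerns users listed in /etc/ftpchroot) or moving this block of externs into a header that the defining file also includes.
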
 @@ -505,7 +506,7 @@
  	| CWD check_login CRLF
  		{
  			if ($2) {
 -				if (guest)
 +				if (guest || dochroot)
  					cwd("/");
  				else
  					cwd(pw->pw_dir);
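
Review bot: in the argument-less `CWD` rule, `if (guest || dochroot)` only keeps `pw->pw_dir` away from `cwd()` on this one path; the 550 reply that echoes the failing path is not touched by this patch, so any other place that hands `cwd()` a pre-chroot path would still print it to the client. Suggest checking the remaining post-login uses of `pw->pw_dir` and adding a comment here that for a chrooted session `/` stands in for the home directory.
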
 
 
 
 
 

From: Daniel Hagan <dhagan@colltech.com>
To: freebsd-gnats-submit@FreeBSD.org, me@me.me.com
Cc:  
Subject: Re: misc/24034: "CWD" discloses the full "real" path in a chroot 
 environment (freebsd 4.2-stable approx. december 11th)
Date: Thu, 04 Jan 2001 16:54:18 -0500

 This should probably defer to bin/23944 now, as I have a patch that
 addresses both issues filed to 23944.
 
 Daniel
 
State-Changed-From-To: open->closed 
State-Changed-By: ashp 
State-Changed-When: Fri Feb 8 18:47:46 PST 2002 
State-Changed-Why:  
Closed in favour of bin/23944. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=24034 
>Unformatted:
