wu-ftpd beta 13 Upload Ownership/Permissions Bug

Michael Brennen (mbrennen@fni.com)
Thu, 19 Jun 1997 23:55:52 -0500

There is a potentially serious bug in ftpd.c in wu-ftpd beta 13. I have
no idea if it exists in previous betas. I don't think this was a problem
in beta 11, but I've not kept any older source. If you are not running
beta 13, check this against your source.

During anonymous login, the /./ is not clipped off the struct passwd
pw->pw_dir field that is saved as the chroot directory in ftpd.c.

Because the /./ is still on the end of the pw->pw_dir field, upl_check()
'upload' directive processing will fail in extensions.c because the file
name paths will not compare. It is highly unlikely that the upload
directive root path would also have the /./ on the end.

If upload directive processing fails for the anonymous user, sites that
depend on upload directives to properly set incoming file permissions
could find their site security compromised.

For example, it is fairly common to set incoming files to not be readable
to the anonymous user; this prevents files from being traded through an
anonymous site without the permission of the owner. With this bug, all
uploaded files are owned by the anonymous user, with default permissions
set by CMASK.

The patch below is my version of a fix. In testing so far it has fixed
the problem. It may apply with an offset of 1; I'm not sure my ftpd.c
source is pristine. The patch has been sent to academ.com.

-- Michael

--- ftpd.c.orig Thu Jun 19 22:59:21 1997
+++ ftpd.c Thu Jun 19 23:01:26 1997
@@ -1560,12 +1560,7 @@
pw->pw_dir = sgetsave(virtual_root);
}
#endif
- if (anonymous) {
- if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) {
- reply(550, "Can't set guest privileges.");
- goto bad;
- }
- } else if (guest) {
+ if (anonymous || guest) {
char *sp;

/* determine root and home directory */