Xref: utzoo comp.bugs.4bsd:1079 comp.unix.wizards:12485 Path: utzoo!attcan!uunet!comdesign!pst From: pst@comdesign.cdi.com (Paul Traina) Newsgroups: comp.bugs.4bsd,comp.unix.wizards Subject: ftpd security bug revisited: patches for 4.2bsd Summary: has anyone else done this? did I miss anything? is this right? Keywords: ftpd, unix, bug, 4.2bsd, security Message-ID: <565@comdesign.CDI.COM> Date: 16 Nov 88 19:34:37 GMT Sender: news@comdesign.CDI.COM Lines: 117 After the recent scares, I went back to install the fixes for 4bsd ftpd. UCB was kind enough to supply source code for all of ftpd, however it was for 4.3bsd. I think I've patched the ftpd source for 4.2 compatibility, but I'd like to make sure that I didn't do anything stupid. If there's anyone out there who'd like to look at this / try it, I'd appreciate it. Disclaimer: I *think* it works right, but don't bet your life on it. The following trivial changes were made to ftpd & popen. I can't be sure I did everything right, because I don't have 4.3 documentation, but ... chances are it's right. ftpd: fixed for 4.2bsd syslog() - openlog call removed check of /etc/shells (getusershell/endusershell) popen: uid_t doesn't exist in 4.2 sys/types, looked like it should be sizeof() return of vfork (size of a pid), so I typedef'ed to int. Here's a shar with the diffs to these two files. My base was the ftpd package source posted by Keith Bostic a few weeks ago. #! /bin/sh # This is a shell archive. Remove anything before this line, then unpack # it by saving it into a file and typing "sh file". To overwrite existing # files, type "sh file -c". You can also feed this as standard input via # unshar, or by typing "sh 'ftpd.diff' <<'END_OF_FILE' X*** ftpd.c.ucb Wed Nov 16 11:02:31 1988 X--- ftpd.c Wed Nov 16 11:20:44 1988 X*************** X*** 128,134 **** X } X data_source.sin_port = htons(ntohs(ctrl_addr.sin_port) - 1); X debug = 0; X! 
openlog("ftpd", LOG_PID, LOG_DAEMON); X argc--, argv++; X while (argc > 0 && *argv[0] == '-') { X for (cp = &argv[0][1]; *cp; cp++) switch (*cp) { X--- 128,134 ---- X } X data_source.sin_port = htons(ntohs(ctrl_addr.sin_port) - 1); X debug = 0; X! openlog("ftpd", LOG_PID); /* pst modified for 4.2syslog */ X argc--, argv++; X while (argc > 0 && *argv[0] == '-') { X for (cp = &argv[0][1]; *cp; cp++) switch (*cp) { X*************** X*** 842,847 **** X--- 842,850 ---- X return (0); X if ((shell = p->pw_shell) == NULL || *shell == 0) X shell = "/bin/sh"; X+ X+ /* pst - 4.2bsd doesn't support /etc/shells */ X+ #ifdef notdef X while ((cp = getusershell()) != NULL) X if (strcmp(cp, shell) == 0) X break; X*************** X*** 848,853 **** X--- 851,858 ---- X endusershell(); X if (cp == NULL) X return (0); X+ #endif X+ X if ((fd = fopen(FTPUSERS, "r")) == NULL) X return (1); X while (fgets(line, sizeof (line), fd) != NULL) { END_OF_FILE if test 1145 -ne `wc -c <'ftpd.diff'`; then echo shar: \"'ftpd.diff'\" unpacked with wrong size! fi # end of 'ftpd.diff' fi if test -f 'popen.diff' -a "${1}" != "-c" ; then echo shar: Will not clobber existing file \"'popen.diff'\" else echo shar: Extracting \"'popen.diff'\" \(269 characters\) sed "s/^X//" >'popen.diff' <<'END_OF_FILE' X*** popen.c.ucb Wed Nov 16 11:22:05 1988 X--- popen.c Wed Nov 16 11:11:43 1988 X*************** X*** 34,39 **** X--- 34,41 ---- X * command. X */ X X+ typedef int uid_t; /* pst 4.2bsd addition, it should be in sys/types.h */ X+ X static uid_t *pids; X static int fds; X END_OF_FILE if test 269 -ne `wc -c <'popen.diff'`; then echo shar: \"'popen.diff'\" unpacked with wrong size! fi # end of 'popen.diff' fi echo shar: End of shell archive. exit 0 ------ Paul Traina To believe that what is true for {uunet|pyramid}!comdesign!pst you in your private heart is true pst@cdi.com for all men, that is genius.
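Review bot: The `#ifdef notdef` added in the ftpd.c hunk at line 842 (closed by the `#endif` in the hunk at 848) removes the login-shell restriction instead of porting it. On this build an account whose pw_shell is not a normal login shell is therefore screened only by the FTPUSERS file that follows. Sites that disable or restrict accounts by giving them a special shell would lose that protection for FTP. Since 4.2bsd has no /etc/shells, a small compiled-in list keeps the check; the two entries below are an assumption and should match whatever shells the site treats as valid. The enclosing function begins and ends outside both hunks.

```c
	/* … unchanged: shell falls back to "/bin/sh" when pw_shell is empty … */
	{
		/* 4.2bsd has no getusershell(); keep the check with a fixed list */
		static char *okshells[] = { "/bin/sh", "/bin/csh", NULL };
		char **sp;

		for (sp = okshells; *sp != NULL; sp++)
			if (strcmp(*sp, shell) == 0)
				break;
		if (*sp == NULL)
			return (0);
	}
	/* … unchanged: FTPUSERS lookup … */
```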
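Review bot: The added `typedef int uid_t;` in popen.c defines a name that belongs to sys/types.h, so the file will likely fail with a conflicting definition once it is built against headers that do provide uid_t. The name is also misleading for an array the post itself describes as holding vfork() results. Declaring the array with its real element type, `static int *pids;`, would remove the need for the typedef. If the typedef stays, a comment such as `/* holds child pids from vfork(), not user ids */` would make the intent clear. How pids is used lies outside the hunk, so this rests on the author's own description.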