diff options
author | cperciva <cperciva@FreeBSD.org> | 2006-05-31 22:32:22 +0000 |
---|---|---|
committer | cperciva <cperciva@FreeBSD.org> | 2006-05-31 22:32:22 +0000 |
commit | 4e501fd8a3d7b1224960a895553cb7554ab5263c (patch) | |
tree | d8f9a485f92570b3c3e7ce9d0fe939bbc7cbc5c8 | |
parent | ea1857812cf3bac0a7519af233fd00f7d5d92f49 (diff) | |
download | FreeBSD-src-4e501fd8a3d7b1224960a895553cb7554ab5263c.zip FreeBSD-src-4e501fd8a3d7b1224960a895553cb7554ab5263c.tar.gz |
Enable inadvertantly disabled "securenet" access controls in ypserv. [1]
Correct a bug in the handling of backslash characters in smbfs which can
allow an attacker to escape from a chroot(2). [2]
Security: FreeBSD-SA-06:15.ypserv [1]
Security: FreeBSD-SA-06:16.smbfs [2]
-rw-r--r-- | sys/fs/smbfs/smbfs_vnops.c | 9 | ||||
-rw-r--r-- | usr.sbin/ypserv/yp_access.c | 37 |
2 files changed, 30 insertions, 16 deletions
diff --git a/sys/fs/smbfs/smbfs_vnops.c b/sys/fs/smbfs/smbfs_vnops.c index d741c06..ebdb309 100644 --- a/sys/fs/smbfs/smbfs_vnops.c +++ b/sys/fs/smbfs/smbfs_vnops.c @@ -1018,11 +1018,18 @@ smbfs_advlock(ap) static int smbfs_pathcheck(struct smbmount *smp, const char *name, int nmlen, int nameiop) { - static const char *badchars = "*/\\:<>;?"; + static const char *badchars = "*/:<>;?"; static const char *badchars83 = " +|,[]="; const char *cp; int i, error; + /* + * Backslash characters, being a path delimiter, are prohibited + * within a path component even for LOOKUP operations. + */ + if (index(name, '\\') != NULL) + return ENOENT; + if (nameiop == LOOKUP) return 0; error = ENOENT; diff --git a/usr.sbin/ypserv/yp_access.c b/usr.sbin/ypserv/yp_access.c index b906309..30ce740 100644 --- a/usr.sbin/ypserv/yp_access.c +++ b/usr.sbin/ypserv/yp_access.c @@ -87,12 +87,6 @@ const char *yp_procs[] = { "ypproc_maplist" }; -#ifdef TCP_WRAPPER -void -load_securenets(void) -{ -} -#else struct securenet { struct in_addr net; struct in_addr mask; @@ -177,7 +171,6 @@ load_securenets(void) fclose(fp); } -#endif /* * Access control functions. @@ -219,11 +212,12 @@ yp_access(const char *map, const struct svc_req *rqstp) #endif { struct sockaddr_in *rqhost; - int status = 0; + int status_securenets = 0; +#ifdef TCP_WRAPPER + int status_tcpwrap; +#endif static unsigned long oldaddr = 0; -#ifndef TCP_WRAPPER struct securenet *tmp; -#endif const char *yp_procedure = NULL; char procbuf[50]; @@ -274,21 +268,34 @@ not privileged", map, inet_ntoa(rqhost->sin_addr), ntohs(rqhost->sin_port)); } #ifdef TCP_WRAPPER - status = hosts_ctl("ypserv", STRING_UNKNOWN, + status_tcpwrap = hosts_ctl("ypserv", STRING_UNKNOWN, inet_ntoa(rqhost->sin_addr), ""); -#else +#endif tmp = securenets; while (tmp) { if (((rqhost->sin_addr.s_addr & ~tmp->mask.s_addr) | tmp->net.s_addr) == rqhost->sin_addr.s_addr) { - status = 1; + status_securenets = 1; break; } tmp = tmp->next; } -#endif - if (!status) { +#ifdef TCP_WRAPPER + if (status_securenets == 0 || status_tcpwrap == 0) { +#else + if (status_securenets == 0) { +#endif + /* + * One of the following two events occured: + * + * (1) The /var/yp/securenets exists and the remote host does not + * match any of the networks specified in it. + * (2) The hosts.allow file has denied access and TCP_WRAPPER is + * defined. + * + * In either case deny access. + */ if (rqhost->sin_addr.s_addr != oldaddr) { yp_error("connect from %s:%d to procedure %s refused", inet_ntoa(rqhost->sin_addr), |