ftpd security bug revisited: patches for 4.2bsd
Paul Traina
pst at comdesign.cdi.com
Thu Nov 17 05:34:37 AEST 1988

After the recent scares, I went back to install the fixes for 4bsd ftpd.
UCB was kind enough to supply source code for all of ftpd, however it
was for 4.3bsd. I think I've patched the ftpd source for 4.2 compatibility,
but I'd like to make sure that I didn't do anything stupid. If there's
anyone out there who'd like to look at this / try it, I'd appreciate it.

Disclaimer: I *think* it works right, but don't bet your life on it.

The following trivial changes were made to ftpd & popen. I can't be sure
I did everything right, because I don't have 4.3 documentation, but ...
chances are it's right.

ftpd:   fixed for 4.2bsd syslog() - openlog call
        removed check of /etc/shells (getusershell/endusershell)

popen:  uid_t doesn't exist in 4.2 sys/types, looked like it
        should be sizeof() return of vfork (size of a pid),
        so I typedef'ed to int.

Here's a shar with the diffs to these two files. My base was the ftpd
package source posted by Keith Bostic a few weeks ago.

#! /bin/sh
# This is a shell archive. Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file". To overwrite existing
# files, type "sh file -c". You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g.. If this archive is complete, you
# will see the following message at the end:
# "End of shell archive."
# Contents: ftpd.diff popen.diff
# Wrapped by pst at comdesign on Wed Nov 16 11:33:14 1988
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f 'ftpd.diff' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'ftpd.diff'\"
else
echo shar: Extracting \"'ftpd.diff'\" \(1145 characters\)
sed "s/^X//" >'ftpd.diff' <<'END_OF_FILE'
X*** ftpd.c.ucb Wed Nov 16 11:02:31 1988
X--- ftpd.c Wed Nov 16 11:20:44 1988
X***************
X*** 128,134 ****
X }
X data_source.sin_port = htons(ntohs(ctrl_addr.sin_port) - 1);
X debug = 0;
X! openlog("ftpd", LOG_PID, LOG_DAEMON);
X argc--, argv++;
X while (argc > 0 && *argv[0] == '-') {
X for (cp = &argv[0][1]; *cp; cp++) switch (*cp) {
X--- 128,134 ----
X }
X data_source.sin_port = htons(ntohs(ctrl_addr.sin_port) - 1);
X debug = 0;
X! openlog("ftpd", LOG_PID); /* pst modified for 4.2syslog */
X argc--, argv++;
X while (argc > 0 && *argv[0] == '-') {
X for (cp = &argv[0][1]; *cp; cp++) switch (*cp) {
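Review bot: The replacement openlog("ftpd", LOG_PID) on the changed line drops the LOG_DAEMON argument unconditionally, so the patched ftpd.c becomes 4.2-only and no longer builds as intended against the 4.3 syslog it was diffed from. Consider keeping both call forms under a preprocessor conditional (for example, selecting the two-argument call only when syslog.h does not define LOG_DAEMON) so one source serves both releases, and check that the other syslog() calls in the file do not rely on the facility that is no longer set here.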
X***************
X*** 842,847 ****
X--- 842,850 ----
X return (0);
X if ((shell = p->pw_shell) == NULL || *shell == 0)
X shell = "/bin/sh";
X+
X+ /* pst - 4.2bsd doesn't support /etc/shells */
X+ #ifdef notdef
X while ((cp = getusershell()) != NULL)
X if (strcmp(cp, shell) == 0)
X break;
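Review bot: The "#ifdef notdef" opened just before the getusershell() loop compiles out the only shell validation in this function, so after the default to "/bin/sh" any pw_shell value is accepted, including accounts whose shell was set to something non-standard to keep them from logging in. Rather than removing the check, consider a small local substitute for 4.2 that compares shell against a fixed list of permitted shells, and use a named macro instead of notdef so the reason for the exclusion is visible in the build.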
X***************
X*** 848,853 ****
X--- 851,858 ----
X endusershell();
X if (cp == NULL)
X return (0);
X+ #endif
X+
X if ((fd = fopen(FTPUSERS, "r")) == NULL)
X return (1);
X while (fgets(line, sizeof (line), fd) != NULL) {
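Review bot: With the shell check disabled up to the "#endif" here, FTPUSERS is the only remaining gate, and the unchanged context right after it returns 1 when that file cannot be opened: if ((fd = fopen(FTPUSERS, "r")) == NULL) return (1);. Since the failed shell lookup above returns 0, 1 reads as the accept value, so on a host with no FTPUSERS file every account that reaches this point is accepted. The patch notes should say that the file has to exist and list the accounts to be refused before this build is installed.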
END_OF_FILE
if test 1145 -ne `wc -c <'ftpd.diff'`; then
echo shar: \"'ftpd.diff'\" unpacked with wrong size!
fi
# end of 'ftpd.diff'
fi
if test -f 'popen.diff' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'popen.diff'\"
else
echo shar: Extracting \"'popen.diff'\" \(269 characters\)
sed "s/^X//" >'popen.diff' <<'END_OF_FILE'
X*** popen.c.ucb Wed Nov 16 11:22:05 1988
X--- popen.c Wed Nov 16 11:11:43 1988
X***************
X*** 34,39 ****
X--- 34,41 ----
X * command.
X */
X
X+ typedef int uid_t; /* pst 4.2bsd addition, it should be in sys/types.h */
X+
X static uid_t *pids;
X static int fds;
X
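Review bot: The unconditional "typedef int uid_t;" added above "static uid_t *pids;" will collide with sys/types.h on any system that already defines uid_t, and the name is misleading for an array that holds process IDs. Suggest declaring "static int *pids;" directly for the 4.2 build, or guarding the typedef with a conditional, and confirming that the code elsewhere in popen.c that allocates and indexes pids uses the same type.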
END_OF_FILE
if test 269 -ne `wc -c <'popen.diff'`; then
echo shar: \"'popen.diff'\" unpacked with wrong size!
fi
# end of 'popen.diff'
fi
echo shar: End of shell archive.
exit 0
------
Paul Traina                         To believe that what is true for
{uunet|pyramid}!comdesign!pst       you in your private heart is true
pst at cdi.com                      for all men, that is genius.