(and it appears possible throughout ftpd(8) source.)
It is not a mere issue of style: Null pointers in C
seem to have been mistaken one way or another quite often.
of the current user, not root. This will allow neat things
like matching anonymous FTP data traffic with a single ipfw(8)
rule:
ipfw add ... tcp from any to any uid ftp
Note that the control connection socket still belongs to the
user ftpd(8) was started from, usually root.
PR: bin/65928
Submitted by: Eugene Grosbein <eugen at grosbein.pp.ru>
MFC after: 1 month
says they may not modify existing files through FTP.
Renaming a file is effectively a way to modify it.
For instance, if a malicious party is unable to delete or overwrite
a sensitive file, they can nevertheless rename it to a hidden name
and then upload a troyan horse under the guise of the old file name.
contents in reply to a RETR command. Such clients consider RETR
as a way to tell a file from a directory. Mozilla is an example.
PR: bin/62232
Submitted by: Bob Finch <bob+freebsd <at> nas <dot> com>
MFC after: 1 week
However, the code did allow deletion of files. Make deleting require the -m
flag, too.
PR: bin/60809
Submitted by: Alexander Melkov <melkov@comptek.ru>
Rationale:
SIGURG is configured by ftpd to interrupt system calls, which is useful
during data transfers. However, SIGURG could interrupt I/O on the
control channel as well, which was mistaken for the end of the session.
A practical example could be aborting the download of a tiny file,
when the abort sequence reached ftpd after ftpd had passed the file
data to the system and returned to its command loop.
Reported by: ceri
MFC after: 1 week
- always check the return value from getc(3) for EOF;
- if the attempt to read the TELNET command byte has
returned EOF, exit from the loop instead of using
the EOF value as a normal character.
MFC after: 1 week
don't reveal the info in reply to the SYST command.
Get rid of using the "unix" macro at the same time. It was a rather
poor way to check if the system was Unix since there were quite a
few Unix clones out there whose cc didn't define "unix" (e.g.,
NetBSD.) It was also sensitive to the C standard used, which caused
unnecessary trouble: With -std=c99, it should have been "__unix__",
and so on.
PR: bin/50690
Submitted by: Alex Semenyaka <alexs _at_ snark.ratmir.ru>
MFC after: 1 week
This makes such natural commands as "MKD ~user/newdir" or "STOR ~/newfile"
do what they are supposed to instead of failing miserably with the
"File not found" error.
This involves a bit of code reorganization. Namely, the code doing
glob(3) expansion has been separated to a function; a new function
has been introduced to do tilde expansion; the latter function is
invoked on a pathname before the former one. Thus behaviour mimicing
that of the Bourne shell has been achieved.
if allowed by their filesystem permissions.
This doesn't break anything since using sendfile(2)
is triggered later by a separate S_ISREG conditional.
PR: bin/20824
MFC after: 1 week
separating its part around chroot(2) from that around initial
chdir(2). This makes the below changes really easy.
Move seteuid(to user's uid) to before calling chdir(2). There are
two goals to achieve by that. First, NFS mounted home directories
with restrictive permissions become accessible (local superuser
can't access them if not mapped to uid 0 on the remote side
explicitly.) Second, all the permissions to the home directory
pathname components become effective; previously a user could be
carried to any local directory despite its permissions since the
chdir(2) was done with euid 0. This reduces possible impact from
FTP server misconfiguration, e.g., assigning a wrong home directory
to a user.
Implement the "/./" feature. Now a guest or user subject to chrooting
may have "/./" in his login directory, which separates his chroot
directory from his home directory inside the chrooted environment.
This works for ftpchroot(5) as well.
PR: bin/17843 bin/23944
directory can be specified for a user or a group.
Add the manpage ftpchroot(5) since the file's format has grown
complex enough.
PR: bin/45327
Portions submitted by: Hideki SAKAMOTO <sakamoto@hlla.is.tsukuba.ac.jp>
MFC after: 1 week
to listen at in daemon mode.
- Use the port by 1 less than the control port as the default
data port instead of always using hard-coded port 20.
Submitted by: roam
MFC after: 1 week
