Commit Graph

262 Commits

Author SHA1 Message Date
kan
b4fd3d4025 Eliminate last three uses of varargs.h in the tree. These three files
were including varargs.h file but did not use any of its macros,
so they escaped the clean-up before.
2003-09-01 04:12:18 +00:00
ceri
31d73d3c9e Add a note that the -u option can be overridden by settings in login.conf(5).
PR:		docs/56017
Submitted by:	Josef El-Rayes <j.el-rayes@daemon.li>
2003-08-31 07:45:48 +00:00
yar
06a1f59c63 Block SIGURG while reading from the control channel.
Rationale:

SIGURG is configured by ftpd to interrupt system calls, which is useful
during data transfers.  However, SIGURG could interrupt I/O on the
control channel as well, which was mistaken for the end of the session.

A practical example could be aborting the download of a tiny file,
when the abort sequence reached ftpd after ftpd had passed the file
data to the system and returned to its command loop.

Reported by:	ceri
MFC after:	1 week
2003-07-09 13:54:33 +00:00
yar
6fbb3e2bf8 Improve error handling in getline():
- always check the return value from getc(3) for EOF;
- if the attempt to read the TELNET command byte has
  returned EOF, exit from the loop instead of using
  the EOF value as a normal character.

MFC after:	1 week
2003-07-09 13:15:32 +00:00
yar
d3ba445436 Make a malloced copy of "chrootdir" even if it points to an absolute
pathname inside "residue" so "chrootdir" can be simply freed later.

PR:		bin/53435
Submitted by:	Yutaka Ishihara <yutaka at fandc.co.jp>
MFC after:	1 week
2003-07-09 12:46:24 +00:00
yar
4050edb36f Don't declare unneeded extern variables,
leave alone specifying a wrong type for one of them.
2003-06-21 10:45:38 +00:00
yar
c54b222f81 If ftpd is run with an -h option (hide host-specific info,)
don't reveal the info in reply to the SYST command.

Get rid of using the "unix" macro at the same time.  It was a rather
poor way to check if the system was Unix since there were quite a
few Unix clones out there whose cc didn't define "unix" (e.g.,
NetBSD.)  It was also sensitive to the C standard used, which caused
unnecessary trouble:  With -std=c99, it should have been "__unix__",
and so on.

PR:		bin/50690
Submitted by:	Alex Semenyaka <alexs _at_ snark.ratmir.ru>
MFC after:	1 week
2003-06-16 11:30:23 +00:00
charnier
28c1746547 Add section number to .Xr 2003-06-08 12:40:50 +00:00
ru
38efffd415 Assorted mdoc(7) fixes. 2003-06-01 19:52:36 +00:00
ru
4c3fd5b0b7 mdoc(7) police: Properly markup the previous revision.
Approved by:	re (blanket)
2003-05-16 21:36:10 +00:00
silby
3c5f645d99 Update the description of the -u option to mention that IP_PORTRANGE_HIGH
and _DEFAULT are the same for 5.x.

Committed under threat of action from:	The mdoc police
2003-03-25 22:20:02 +00:00
ru
e698a908c7 mdoc(7) police: Scheduled sweep. 2003-02-24 22:53:26 +00:00
yar
5053d1a754 Kill unnecessary vertical whitespace. 2003-02-11 14:10:48 +00:00
yar
2037baab93 Use LOG_AUTHPRIV to hide the username attempted during an invalid login
from everyone but sysadmins.

PR:		bin/29487
MFC after:	3 days
2003-02-11 11:58:33 +00:00
yar
6241c1000a Allow "~/" in pathnames to work for a chrooted user. 2003-02-05 11:11:32 +00:00
yar
4726f09424 Let tilde expansion be done even if a file/directory doesn't exist yet.
This makes such natural commands as "MKD ~user/newdir" or "STOR ~/newfile"
do what they are supposed to instead of failing miserably with the
"File not found" error.

This involves a bit of code reorganization.  Namely, the code doing
glob(3) expansion has been separated to a function; a new function
has been introduced to do tilde expansion; the latter function is
invoked on a pathname before the former one.  Thus behaviour mimicing
that of the Bourne shell has been achieved.
2003-02-04 17:50:38 +00:00
yar
16284fc83a RFC 959 doesn't list reply code 550 as a valid responce to STOR/STOU,
so return reply code 553 to indicate a error from open(2) for consistency,
as long as the code is used in the rest of the STOR/STOU handler.
2003-02-04 03:33:25 +00:00
yar
be2978efdf Let real users access special files through FTP
if allowed by their filesystem permissions.

This doesn't break anything since using sendfile(2)
is triggered later by a separate S_ISREG conditional.

PR:		bin/20824
MFC after:	1 week
2003-01-31 13:18:55 +00:00
yar
a50bdf3ed1 When searching for a unique file name in guniquefd(),
distinguish between the cases of an existing file and
a real system error, such as I/O failure, no access etc.

MFC after:	3 days
2003-01-29 17:04:07 +00:00
yar
98e404d560 Add a new option to ftpd(8), "-h", to disable printing any
host-specific information in FTP server messages (so paranoid
admins can sleep at night :-)

PR:		bin/16705
MFC after:	1 week
2003-01-29 10:58:58 +00:00
yar
6ac2a3e425 Give the code around chroot(2)/chdir(2) a major overhaul by
separating its part around chroot(2) from that around initial
chdir(2).  This makes the below changes really easy.

Move seteuid(to user's uid) to before calling chdir(2).  There are
two goals to achieve by that.  First, NFS mounted home directories
with restrictive permissions become accessible (local superuser
can't access them if not mapped to uid 0 on the remote side
explicitly.)  Second, all the permissions to the home directory
pathname components become effective; previously a user could be
carried to any local directory despite its permissions since the
chdir(2) was done with euid 0.  This reduces possible impact from
FTP server misconfiguration, e.g., assigning a wrong home directory
to a user.

Implement the "/./" feature.  Now a guest or user subject to chrooting
may have "/./" in his login directory, which separates his chroot
directory from his home directory inside the chrooted environment.
This works for ftpchroot(5) as well.

PR:		bin/17843 bin/23944
2003-01-29 10:07:27 +00:00
yar
d24a64c1e5 Actually extract the second field from a line in ftpchroot(5)
instead of just using the rest of the line behind the first field.
2003-01-27 15:34:22 +00:00
yar
e98fb45749 Allow more than one separator character between fields in ftpchroot(5). 2003-01-27 14:41:08 +00:00
yar
7d02e4cccf Extend the format of /etc/ftpchroot so an alternative chroot
directory can be specified for a user or a group.

Add the manpage ftpchroot(5) since the file's format has grown
complex enough.

PR:			bin/45327
Portions submitted by:	Hideki SAKAMOTO <sakamoto@hlla.is.tsukuba.ac.jp>
MFC after:		1 week
2003-01-26 19:02:56 +00:00
yar
89bd996ce0 GLOB_MAXPATH has been deprecated in favour of GLOB_LIMIT. 2003-01-25 14:59:48 +00:00
yar
19deae60b4 - Add a new option, ``-P port'', to specify the port for ftpd(8)
to listen at in daemon mode.
- Use the port by 1 less than the control port as the default
  data port instead of always using hard-coded port 20.

Submitted by:	roam
MFC after:	1 week
2003-01-23 18:39:48 +00:00
yar
02f8462999 Prevent server-side glob(3) patterns from expanding
to a pathname that contains '\r' or '\n'.

Together with the earlier STAT bugfix, this must solve
the problem of such pathnames appearing in the FTP control
stream.
2003-01-22 16:25:22 +00:00
cjc
36053fa83d The FTP daemon was vulnerable to a DoS where an attacker could bind()
up port 20 for an extended period of time and thus lock out all other
users from establishing PORT data connections. Don't hold on to the
bind() while we loop around waiting to see if we can make our
connection.

Being a DoS, it has security implications, giving it a short MFC
time.

MFC after:	1 day
2003-01-21 05:13:02 +00:00
yar
0d33e7e65c Prepend a space character if a line begins with a digit
in the output to the "STAT file" request.

This closes one discrepancy with RFC 959 (page 36.)

See also http://www.kb.cert.org/vuls/id/328867

Obtained from:	OpenBSD
2003-01-16 14:25:32 +00:00
yar
722c554dce Replace the instances of literal "/bin/ls"
with the _PATH_LS macro to be consistent
with the rest of the ftpd(8) source.
2003-01-16 13:27:58 +00:00
schweikh
2505bee728 english(4) police. 2002-12-27 12:15:40 +00:00
ru
e2f1b7b194 mdoc(7) police:
Properly sort options, spell "file system" correctly, expand contraction.

Catch up to the src/etc/syslog.conf,v 1.23 change: ftpd(8) session logs
are now by default get logged to /var/log/xferlog.

Approved by:	re
2002-11-25 15:20:06 +00:00
peter
a42cfe9a71 Oops. Some ut_time stuff slipped through the cracks. These turned out
to be non-fatal due to stack alignment roundups.
2002-11-17 23:46:45 +00:00
yar
7a21395d79 Don't free the current addrinfo list, or else a pointer to a freed
memory area would arise.  Only an addrinfo list from an earlier
call to getaddrinfo() should be freed there because it will be
substituted by the current list referenced by "res".

Reported by:	John Long <fbsd1@pruam.com>
MFC after:	5 days
2002-11-11 07:31:48 +00:00
rwatson
cd8c0c96c7 Have ftpd specify the LOGIN_SETMAC flag to setlogincontext() so that
MAC labels are set if MAC is enabled and configured for the user
logging in.

Note that lukemftpd is not considered a supported application when
MAC is enabled, as it does not use the standard system interfaces for
managing user contexts; if lukemftpd is used with labeled MAC policies,
it will not properly give up privileges when switching to the user
account.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-24 16:19:52 +00:00
rwatson
5169086ecc Teach "ls -Z" to use the policy-agnostic MAC label interfaces rather
than the LOMAC-specific interfaces for listing MAC labels.  This permits
ls to view MAC labels in a manner similar to getfmac, when ls is used
with the -l argument.  Next generation LOMAC will use the MAC Framework
so should "just" work with this and other policies.  Not the prettiest
code in the world, but then, neither is ls(1).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-24 00:07:30 +00:00
mike
c29fb91cfa Use the standardized CHAR_BIT constant instead of NBBY in userland. 2002-09-25 04:06:37 +00:00
yar
6aab9bd866 The mode can be "r+" as well on PUT, but only "a" on APPE. 2002-08-29 09:53:51 +00:00
yar
42def1ebe7 Fix lexer jam on unimplemented commands.
Submitted by:	maxim
MFC after:	5 days
2002-08-29 09:23:08 +00:00
yar
ef479081de Remove variables no longer used. 2002-08-27 09:05:03 +00:00
yar
531954c3dd More inithosts() fixes:
o Don't free(3) memory occupied by host structures
  already in the host list.
o Set hrp->hostinfo to NULL if a host record has to stay in
  the host list, but is to be ignored.  Selecthost() knows that.
o Reduce the pollution with excessive NULL checks.
o Close a couple of memory leaks.

MFC after:	1 week
2002-08-27 09:02:52 +00:00
yar
5df6e11624 Fix an inconsistency between a printf-like format and its argument list.
Submitted by:	kris
MFC after:	3 days
2002-08-27 07:38:55 +00:00
yar
fd83a147dc Add option '-W': don't log FTP sessions to wtmp.
Submitted by:	maxim
MFC after:	1 week
2002-08-23 09:06:28 +00:00
yar
a208f00e2a Clean up hostname and hostinfo handling in inithosts():
o check getaddrinfo(3) return value, not result pointer
o getaddrinfo(3) returns int, not pointer
o don't leak memory allocated for hostnames and hostinfo structures
o initialize pointers that will be checked for NULL somewhere

MFC after:	1 week
2002-08-20 14:56:06 +00:00
yar
337c1e18ee Fix a wrong comment on (hopefully) right code.
MFC after:	3 days
2002-08-13 14:08:38 +00:00
yar
b761bed4c3 Fix command help lines:
o PORT takes six byte values, not five.
o TYPE argument is mandatory.

Submitted by:	demon (the 1st part)
MFC after:	3 days
2002-08-13 13:56:42 +00:00
yar
cfdcdc2ad0 Rework storing files thoroughly. This includes:
o Remove the race between stat(2) & fopen(3) when creating
  a unique file.

o Improve bound checking when generating a unique name from
  a given pathname.

o Ignore REST marker on APPE.  No RFC specifies this case,
  but the idea of resuming APPE's implies this.

o By default, deny upload resumes and appends by anonymous users.
  Previously these commands were translated to STOU silently,
  which led to broken files on server without any notification
  to the user.

o Add an option, -m, to allow anonymous users to modify
  existing files (e.g., to resume uploads) if filesystem
  permissions permit.

Portions obrainded from:	OpenBSD
MFC after:			3 weeks
2002-08-08 17:53:52 +00:00
yar
09fb9ec520 1) Use "pathstring" instead of "STRING" consistently.
2) Remove unneeded "if not NULL" props from "pathstring",
   which will never be NULL by the lexer design.

Inspired by:	OpenBSD
MFC after:	1 week
2002-08-05 17:34:15 +00:00
yar
78689ac599 Since GLOB_NOCHECK is set in the glob(3) call,
glob(3) will return at least one pathname unless
a system error has occured.  It's not a "not found"
error otherwise.

MFC after:	3 days
2002-08-05 14:40:38 +00:00
yar
e4057c9d37 Spot places where "pathname" hasn't been checked
for NULL.  The "pathname" rule may return NULL
on a glob(3) error.

Obtained from:	OpenBSD
MFC after:	1 week
2002-08-05 14:26:40 +00:00