Commit Graph

266 Commits

Author SHA1 Message Date
Yaroslav Tykhiy
a117c34534 Rework storing files thoroughly. This includes:
o Remove the race between stat(2) & fopen(3) when creating
  a unique file.

o Improve bound checking when generating a unique name from
  a given pathname.

o Ignore REST marker on APPE.  No RFC specifies this case,
  but the idea of resuming APPE's implies this.

o By default, deny upload resumes and appends by anonymous users.
  Previously these commands were translated to STOU silently,
  which led to broken files on server without any notification
  to the user.

o Add an option, -m, to allow anonymous users to modify
  existing files (e.g., to resume uploads) if filesystem
  permissions permit.

Portions obrainded from:	OpenBSD
MFC after:			3 weeks
2002-08-08 17:53:52 +00:00
Yaroslav Tykhiy
1b9f1a4bd2 1) Use "pathstring" instead of "STRING" consistently.
2) Remove unneeded "if not NULL" props from "pathstring",
   which will never be NULL by the lexer design.

Inspired by:	OpenBSD
MFC after:	1 week
2002-08-05 17:34:15 +00:00
Yaroslav Tykhiy
1d1dc13be6 Since GLOB_NOCHECK is set in the glob(3) call,
glob(3) will return at least one pathname unless
a system error has occured.  It's not a "not found"
error otherwise.

MFC after:	3 days
2002-08-05 14:40:38 +00:00
Yaroslav Tykhiy
effa0530c4 Spot places where "pathname" hasn't been checked
for NULL.  The "pathname" rule may return NULL
on a glob(3) error.

Obtained from:	OpenBSD
MFC after:	1 week
2002-08-05 14:26:40 +00:00
Yaroslav Tykhiy
c452fbe11c Disallow invalid numeric mode values for SITE CHMOD.
Earlier, a decimal number (e.g., 890) could be passed
for mode, leading to dangerous permissions set:
-1, that is, 07777.

Obtained from:	OpenBSD
MFC after:	1 week
2002-08-05 14:10:57 +00:00
Yaroslav Tykhiy
255a70376b Reflect in the ftpd(8) manpage the fact that ASCII SIZE
requests against large files will be denied.

MFC after:	10 days
2002-08-05 13:37:18 +00:00
Yaroslav Tykhiy
781cfb9348 Deny the SIZE command on large files when in ASCII mode.
This eliminates an opportunity for DoS attack.

Pointed out by:	maxim
Inspired by:	lukemftpd, OpenBSD
MFC after:	2 weeks
2002-07-31 10:55:31 +00:00
Yaroslav Tykhiy
2b7489878b Conform to RFC 959, Appendix II, when replying
to a successful MKD command.

MFC after:	1 week
2002-07-29 15:54:27 +00:00
Yaroslav Tykhiy
93bd9dc528 Make the -v' option a synonym for -d'
(as it was intended initially)
and document it in the manpage.

MFC after:	2 weeks
2002-07-26 16:07:19 +00:00
Yaroslav Tykhiy
38ed70b1ae Document the -u (set umask) option
(which has been there at least since 4.4BSD-Lite!)

MFC after:	2 weeks
2002-07-26 16:01:24 +00:00
Yaroslav Tykhiy
0e063efefb Sort command-line options according to the mostly used style:
alphabetical order, lower and upper case of the same letter
stick together, lower case first.

MFC after:	2 weeks
2002-07-26 15:46:08 +00:00
Yaroslav Tykhiy
4454edd688 Use <arpa/ftp.h> stuff cleanly, without introducing
non-portable constants (in this case, hidden as offsets
to the "?AEIL" string.)

MFC after:	1 week
2002-07-25 17:41:47 +00:00
Yaroslav Tykhiy
8af7c9a3c0 Re-use passive data ports with the SO_REUSEADDR
socket option to avoid exausting the passive port
space by TIME_WAIT'ing connections.

PR:		bin/36955
Submitted by:	Maxim Konovalov <maxim@FreeBSD.org>
MFC after:	2 weeks
2002-07-24 16:11:34 +00:00
Yaroslav Tykhiy
57d4ef078c Remove the outdated casts to "char *" from the setsockopt(2),
write(2), and getipnodebyaddr(3) calls.  Now all the above functions
accept "void *" in that arguments and have prototypes.  Thus, the
casts are useless under the normal circumstances (and would be harmful
if the functions had no prototypes.)

MFC after:	2 weeks
2002-07-24 15:30:53 +00:00
Yaroslav Tykhiy
406d1ae93a Clean up the syslog(3) messages on the setsockopt(2) errors:
o Always check a setsockopt(2) return value
o Use a consistent message format
o Don't abort if the failed setsockopt(2) was actually not vital
o Use LOG_WARNING, not LOG_ERR, in non-fatal cases

MFC after:	1 week
2002-07-24 14:50:17 +00:00
Hajimu UMEMOTO
fc99a00c7f use IPV6_V6ONLY instead of non standard IPV6_BINDV6ONLY.
MFC after:	1 week
2002-07-22 15:22:53 +00:00
Yaroslav Tykhiy
e4648f051f Fix one RFC 959 incompliance:
Double double-quotes in a PWD result
if they appear in the directory pathname.

PR:		misc/18365
MFC after:	1 week
2002-07-22 07:41:14 +00:00
Yaroslav Tykhiy
1b0e12d747 Allow deleting and renaming stale symlinks and
deleting symlinks pointing to directories.

PR:		bin/37250
Submitted by:	Nino Dehne <TeCeEm@gmx.de>
MFC after:	1 week
2002-07-21 12:06:56 +00:00
Yaroslav Tykhiy
233c0f6643 Avoid passing NULL to freehostent(3).
MFC after:	1 week
2002-07-17 19:29:25 +00:00
Yaroslav Tykhiy
4b4cc4c60b Fix setting parameters for getipnodebyaddr(3):
o "struct addrinfo" contains a pointer to "struct sockaddr,"
  not "struct sockaddr" itself
o the function takes a pointer to "struct in*_addr", not to
  "struct sockaddr," so the address length must be corresponding

MFC after:	1 week
2002-07-17 19:07:07 +00:00
Mike Heffner
12da320bf9 GLOB_QUOTE has been retired. 2002-07-17 05:47:49 +00:00
Yaroslav Tykhiy
5f76ebf34e Use the right indent for the closing brace: it belongs to `if',
not to `for'.  The previous indent was reather misleading for
the code reader.

MFC after:	1 week
2002-07-16 16:48:15 +00:00
Yaroslav Tykhiy
55b54aa791 Replace the awkward hackery about strtok(3)
by conventional one-way parsing of ftphosts(5).
Don't let NULL hostname pointers into virtual
host records as well.

PR:		bin/18410
MFC after:	1 month
2002-07-16 16:30:41 +00:00
Yaroslav Tykhiy
737d08f31e Use fgetln(3) to read lines from configuration files (ftpusers, ftphosts.)
Thus lines of any length can be handled, unlike before.

Don't assume that each line read from the files ends with a newline.

As a side effect in inithosts(), don't use automatic buffer at all,
utilize malloc(3) when getting local host name instead.

PR:		misc/21494
Reviewed by:	maxim, mikeh
MFC after:	1 month
2002-07-12 15:51:15 +00:00
Philippe Charnier
3f162cb85d The .Nm utility 2002-07-06 19:19:48 +00:00
Dan Moschuk
0849c18499 Make sure to reset transflag back to zero upon succesfully using sendfile()
to transfer a file.

PR: 39362
Submitted by: TANAKA Hiroyuki <kattyo@abk.nu>
MFC after: 1 week
2002-07-03 00:12:00 +00:00
Hajimu UMEMOTO
b0f06def52 Cope with 2292bis-01 getaddrinfo (no NI_WITHSCOPEID, always attach
scope identifier).

MFC after:	3 weeks
2002-07-02 11:11:17 +00:00
Maxim Konovalov
3ded9dcdae Remove trailing whitespaces. 2002-07-01 14:30:38 +00:00
Maxim Konovalov
3af48c420b Move 'byte_count' calculation just before 'recvurg' check. It is a global
variable and used in myoob().

PR:		bin/38928
Submitted by:	Oliver Fromme <olli@secnetix.de>
MFC after:	1 month
2002-07-01 14:29:44 +00:00
Matthew N. Dodd
d186bb1240 Implement a flag to disable directory creation for anonymous users.
PR:		misc/38987
Submitted by:	Peter da Silva <peter@abbnm.com>
MFC after:	1 week
2002-07-01 02:30:11 +00:00
Mark Murray
f2ed975453 Remove a GCC-specific command-line option. We should be using WARNS=n
for this stuff.
2002-06-28 10:36:14 +00:00
Alfred Perlstein
3613e24cdc Assume __STDC__, remove non-__STDC__ code. 2002-05-28 18:57:20 +00:00
Maxim Konovalov
7d0babda6d Teach REST how to restart a file transfer after 2^31 bytes: now yylex()
returns off_t in yylval.u.o. REST is the only user of yylval.u.o at the
moment.

NB: seems lukemftpd has the same bug.

PR:		misc/28629
Reviewed by:	ru
Approved by:	ru
MFC after:	1 month
2002-03-14 16:05:06 +00:00
Maxim Konovalov
39e992262c Remove duplicated yacc nonterminals declarations, sort includes.
No functional changes from rev. 1.31.

Reviewed by:	ru
Approved by:	ru
MFC after:	1 week
2002-03-11 11:48:55 +00:00
David E. O'Brien
0c934a5eed Put the last added source file in proper order.
(and dcc the committer a dictionary)
2002-02-27 18:29:11 +00:00
Dag-Erling Smørgrav
60769b19cd Rewrite the part of the conversation function that allocates the reply array;
it was inelegant and neglected to check the return value from malloc(3).

Sponsored by:	DARPA, NAI Labs
2002-02-25 16:39:34 +00:00
Maxim Konovalov
492f1d9cbd Fix infinite loop around sendfile(2) after sending >4GB file.
PR:		bin/33770
Submitted by:	Vladislav Shabanov <vs@rambler-co.ru>
Reviewed by:	ru
Approved by:	ru
MFC after:	1 month
2002-02-13 09:00:05 +00:00
Kris Kennaway
9357f4121d Lock down with WFORMAT?=1, with overrides in the subdirectories which
are not yet warning-clean.  Tested on i386 and alpha.
2002-02-04 02:33:51 +00:00
Kris Kennaway
042260016e Silence some FORMAT_AUDIT warnings (one left) 2002-02-04 01:23:44 +00:00
Warner Losh
e4bc453cc2 o Eliminate __P
o Use new-style function definitions
o remove some !__STDC__ code
o eliminate register
2002-02-03 15:53:02 +00:00
Yaroslav Tykhiy
4b82fc955f Remove the setjmp/longjmp stuff completely. Use signal
handlers to set flags only (with exception for sigquit(),
which still seems to call some non-reentrant functions on
its way to _exit(2).)  That must eliminate the possibility
of catching SIGSEGV from following non-reentrant paths from
signal handlers.

PR:		bin/32740 bin/33846
Submitted by:	Maxim Konovalov <maxim@macomnet.ru>
Obtained from:	OpenBSD
2002-01-28 19:28:14 +00:00
Hajimu UMEMOTO
46948173e8 Log wtmp according to an address family properly.
Reported by:	matusita
Reviewed by:	matusita
MFC after:	1 week
2002-01-28 14:50:07 +00:00
Andrey A. Chernov
f650a12484 Remove my workaround fallback since PAM now do it properly. 2002-01-21 19:07:15 +00:00
Dag-Erling Smørgrav
819a142080 Really back out ache's commits. These files are now precisely as they were
twentyfour hours ago, except for RCS ids.
2002-01-19 18:29:50 +00:00
Andrey A. Chernov
07977587ab Back out PAM_CRED_ERR addition 2002-01-19 18:06:05 +00:00
Andrey A. Chernov
3e4f7c7f99 Add PAM_CRED_ERR as valid failure case 2002-01-19 09:01:17 +00:00
Andrey A. Chernov
c0cbe6a9b8 Call opieunlock() only if we skip opieverify() part 2002-01-19 05:59:24 +00:00
Andrey A. Chernov
50356ef361 Remove conditional 'pwok' fallback for PAM which now
is implemented in pam_opie module

For non-PAM variant rewrite empty password checking code to do the right thing
and not disallow empty passwords in all cases.
2002-01-19 03:18:33 +00:00
David Malone
c507cedecf Be more careful about freeing memory after parsing commands.
Hiroyuki YAMAMORI gave a patch for the EPRT command in the
PR below. Problems with the rest of the patch are my fault.

PR:		33268
Reviewed by:	iedowse, sheldonh
2002-01-05 20:13:01 +00:00
Andrey A. Chernov
47499ecd7e Fix OPIE auth 2002-01-01 13:14:25 +00:00
Bruce Evans
6b96c275e9 Fixed missing DPADD in previous commit. Fixed most style bugs related to
DPADD and LDADD.
2001-12-29 12:06:59 +00:00
Josef Karthauser
481bfba66b Link with libm to take advantage of the -h flag to ls.
Submitted by:	Mike Makonnen <mike_makonnen@yahoo.com>
2001-12-29 10:22:13 +00:00
Brian Feldman
0cf1f69300 Add lomac.c.
Found by:	ken
2001-11-27 06:15:12 +00:00
Yaroslav Tykhiy
4cd48bace6 Eliminate another instance of the old and well-known
DoS bug that the select(2)/accept(2) pair is called on
a socket that is in the blocking I/O mode.  The bug is
triggered if a selected connection dies before the accept(2)
leading to the accept(2) blocking virtually forever.

MFC after:	1 week
2001-11-19 21:52:03 +00:00
Yaroslav Tykhiy
7a29d7da50 Don't let a user name in ftpd's proctitle
be mistaken for a status message.

PR:		misc/25217
MFC after:	7 days
2001-10-12 13:16:34 +00:00
Yaroslav Tykhiy
11342ab1d0 Be consistent about indent at least within one block of code. 2001-10-12 13:06:40 +00:00
Ruslan Ermilov
a8838c5351 mdoc(7) police: markup nits. 2001-10-01 12:58:03 +00:00
Andrey A. Chernov
896bddb546 1) Use OPIE response only when OPIE keys really used
2) Use commonly used OPIE response form instead of self-made one
2001-09-29 19:22:24 +00:00
Mike Heffner
9ba6d8e420 Improve the description on how to construct ~ftp/pub. Specifically,
don't instruct users to set the directory mode 777.

PR:		30690
Obtained from:	NetBSD (with modification)
MFC after:	2 weeks
2001-09-25 02:43:45 +00:00
Mike Heffner
b3a0a7cd53 Remove a field width specifier that's not doing anything more than
what using snprintf() achieves. It was also being used incorrectly.
2001-09-10 18:46:07 +00:00
Sheldon Hearn
481435871c Do the best we can with respect to fixing command-line option disorder
in the SYNOPSIS and DESCRIPTION.

Note that -l remains an ugly exception, to which no known rules apply,
since the specification of a single option multiple times isn't normal
standards-compliant CLI behaviour.

While here, mark AF_INET* and LOG_* defined values up with Dv.
2001-09-04 09:22:21 +00:00
Sheldon Hearn
1cc9f0bb31 Extend the functionality offered by the -o option into a new option
-O, which limits the impact of the write-only restriction to guest
users.

*) The existing manual page's SYNOPSIS and option listing in the
   DESCRIPTION are already horribly disordered.  No attempt has been
   made to fix this.

*) The existing source's getopt() optstring and option handling switch
   are already horribly disordered.  No attempt has been made to fix
   this.

Discussed with: nik, -audit
2001-09-02 17:24:19 +00:00
Andrey A. Chernov
e4a7111409 long -> off_t
long -> time_t
%ld -> %qd
fseek -> fseeko

NOTE: that fseek not works for >long offsets per POSIX:

[EOVERFLOW] For fseek( ), the resulting file offset would be a value which
cannot be represented correctly in an object of type long.
2001-09-02 14:18:28 +00:00
Nik Clayton
62513e761e Add a new option, '-o', for "Write-only". Disables the RETR command,
preventing anyone from downloading files.  In conjunction with -A, and some
appropriate file permissions, this lets you create an anonymous FTP drop
box for people to upload files to.

The more obvious "-w" flag is already taken by NetBSD's ftpd.  "-o" was
available as an option letter in all three BSDs.
2001-08-28 11:59:21 +00:00
Mike Heffner
75dc5f1a82 Rename the GLOB_MAXPATH flag of glob(3) to GLOB_LIMIT to be compatible
with NetBSD and OpenBSD. glob(3) will now return GLOB_NOSPACE with
errno set to 0 instead of GLOB_LIMIT when we match more than `gl_matchc'
patterns. GLOB_MAXPATH has been left as an alias of GLOB_LIMIT to
maintain backwards compatibility.

Reviewed by:	sheldonh, assar
Obtained from:	NetBSD/OpenBSD
2001-07-29 00:52:37 +00:00
David E. O'Brien
4b40ae1e46 Portability configuration data for LukeM ftpd. 2001-07-19 17:45:14 +00:00
Dima Dorfman
7ebcc426ef Remove whitespace at EOL. 2001-07-15 07:53:42 +00:00
Ruslan Ermilov
0efe23d669 mdoc(7) police: removed HISTORY info from the .Os call. 2001-07-10 10:49:54 +00:00
Mark Murray
fa1746c93c Remove S/Key. PAM can do its job. Well, not quite - there is an issue
with the conversation function and challenges which needs to be
revisited, so in the interim a hack is introduced to provide
an OPIE challenge (which is random if OPIE does not apply)
at all non-anonymnous logins.
2001-07-09 17:46:24 +00:00
Dima Dorfman
ad442344b6 Move the definition of epsvall out of #ifdef VIRTUAL_HOSTING so that
the latter is not required for ftpd to compile.
2001-06-13 00:06:42 +00:00
Mark Murray
c7d9dcd340 Cleaner method of making PAMable apps static (in the optional case of
wanting static apps).
2001-04-28 15:18:10 +00:00
Mark Murray
9c3f4f5208 Damn. That should be _enable_ static linking, not _force_ static linking. 2001-04-28 07:58:12 +00:00
Mark Murray
d0392caa7b Enable (optional) static linking.
Asked for by:	BDE
2001-04-28 07:56:49 +00:00
Mark Murray
618b0bba1f Change names of functions and variables with global scope that are
in conflict with library values of the same name. This allows static
linking.
2001-04-28 07:55:19 +00:00
Ruslan Ermilov
eb0838029f mdoc(7) police: normalize .Nd. 2001-04-18 15:54:10 +00:00
Peter Wemm
70825609cf Previous clobbered a work-in-progress. Here is the merged result:
Limit the "pathname" glob to one item, as that is what all users of it
are expecting, except for LIST.

Always glob, instead of when the first character is a ~.  For example,
if you had directories ~/x1, and ~/x2, then "cwd x[1]" would fail, but
"cwd ~/x[1]" would work since it was globbed due to the ~ character.
Also, "cwd ~/x[12]" used to arbitarily work as it used the first
expansion (ie: x1) without an error.  Make it return '550 ambiguous'
instead of '550 not found' so that the user can see the difference.

For LIST, just use the user supplied string as the popen does the glob.

Problem noticed by:  Ajay Mittal <amittal@iprg.nokia.com>
2001-04-17 03:03:45 +00:00
Chris D. Faulhaber
6d3fe674ce Limit number of paths returned via glob() for authorized users
using tilde expansion.
2001-04-17 02:33:20 +00:00
Brian Feldman
7d6505e64e Support the empty "PASS\r\n" command. 2001-04-16 22:20:26 +00:00
Ruslan Ermilov
6a01974b78 Document that SITE extensions are disabled for anonymous logins.
Obtained from:	logdaemon package by Wietse Venema
2001-04-16 14:51:11 +00:00
Poul-Henning Kamp
53ba84a69e Add the "SITE MD5 filename" facility.
This allows you to determine if the file on the other side is the same
as the one you have without transferring the entire file to compare.

Needless to say, if the server end lies to you this check doesn't work,
but on the other hand, if it lies to you about the files checksum,
what can you trust from it ?
2001-04-15 20:59:29 +00:00
Mark Murray
5bc9d93db3 Add full PAM support for account management and sessions.
The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c

Submitted by:	"David J. MacKenzie" <djm@web.us.uu.net>
2001-03-27 19:40:51 +00:00
Ruslan Ermilov
e5b5c66bca - Backout botched attempt to intoduce MANSECT feature.
- MAN[1-9] -> MAN.
2001-03-26 14:22:12 +00:00
Ruslan Ermilov
020ee2dc9f Set the default manual section for libexec/ to 8. 2001-03-20 18:10:13 +00:00
Jonathan Lemon
6d10cb2f6f Teach ftpd about the new GLOB_MAXPATH flag. 2001-03-19 19:11:00 +00:00
Dag-Erling Smørgrav
1f15c0d66c When the file was transferred using sendfile(2), we forgot to keep track
of the transferred byte count. MFC candidate.

PR:		bin/25699
2001-03-11 13:20:44 +00:00
Dag-Erling Smørgrav
e22887cdda Change the read-only reply to "550 Permission denied.". 2001-02-19 21:51:26 +00:00
Chris D. Faulhaber
3fca54b652 Limit commands that can be issued when not logged in:
TYPE, STRU, MODE, ALLO, STAT, ABOR, SITE IDLE, SYST, REST

Reviewed by:	kris, sheldon
2001-01-20 01:34:22 +00:00
Dan Moschuk
f6f0c4b90d In send_data(), use sendfile() instead of the mmap() algorithm. 2000-12-20 03:34:54 +00:00
Ruslan Ermilov
19a05e112f mdoc(7) police: removed hard sentence breaks, run through spell-checker. 2000-12-18 08:33:25 +00:00
Dmitry Sivachenko
3276496d94 Fix typo.
PR:		23591
Submitted by:	mavetju@chello.nl
2000-12-17 17:45:22 +00:00
Poul-Henning Kamp
a4b77a2aaa Add option -E to disable EPSV which throws certain stateful firewalls
into confusion.

Add option -r to make ftpd support only read-only operations.

Submitted by:	Flemming (F3) Jacobsen <fj@batmule.dk>
Reviewed by:	phk
2000-12-16 19:19:19 +00:00
David E. O'Brien
2c5569d6ff The GCC 2.96 snapshots have slightly different rules for finding include
files.  Mostly -I${.CURDIR} was needed -- especially for YACC generated
files as the new cpp does not look in the ultimate source file
(ie, the .y file)'s directory as told by the "#line" directive.  Some were
misspellings of "-I${.CURDIR}" as "-I.".
2000-12-01 09:39:28 +00:00
David E. O'Brien
d548f6db32 There is no src/contrib-crypto/ anything directory. So don't look for
include files in subdirs of it.
2000-12-01 06:34:44 +00:00
Daniel O'Callaghan
3fbaa839f9 Prevent leakage of information about anonymous user's homedir
via 'QUOTE CWD'.

Reviewed by:	des
2000-11-26 23:33:36 +00:00
Ruslan Ermilov
760819894e mdoc(7) police: use the new features of the Nm macro. 2000-11-20 14:42:24 +00:00
Kris Kennaway
3fb3b78f0f Format string paranoia 2000-11-19 12:46:16 +00:00
Guido van Rooij
ea413ab7ad Fix broken PAM with SKEY behaviour: the skey.access file checks
were broken because the code failed to set PAM_RHOST.
2000-10-12 10:21:05 +00:00
Garrett Wollman
eb2fc78027 Don't depend on <sys/stat.h> bogusly including <sys/time.h> (and thereby
<time.h>).
2000-10-10 01:50:26 +00:00
Warner Losh
53410a4824 remove redundant optreset declaration 2000-09-04 05:47:14 +00:00
Sheldon Hearn
90906a46ea Don't set an arbitrary limit on username lengths; use MAXLOGNAME
instead.

PR:		20675
Submitted by:	Vladimir B Grebenschikov <vova@express.ru>
2000-08-17 12:31:17 +00:00