Commit Graph

360 Commits

Author SHA1 Message Date
Yaroslav Tykhiy
02c9749295 Use uniform punctuation, capitalization, and language style
in server messages wherever this doesn't contradict to a particular
message format.
2004-11-18 11:45:13 +00:00
Yaroslav Tykhiy
eb5b2bb3ae Apply __printflike() to the appendf() prototype so the compiler
can detect format errors.
2004-11-18 11:32:35 +00:00
Yaroslav Tykhiy
82c03024c2 Fix perror_reply() vs. reply() usage. 2004-11-18 11:27:31 +00:00
Yaroslav Tykhiy
4a3e5acd8d '\n' needs not to appear in reply() strings. 2004-11-18 11:07:00 +00:00
Yaroslav Tykhiy
6b2dee6ba1 Log pathname arguments to ftp commands as the user specified them;
add the working directory pathname to the log message if any of
such arguments isn't absolute.  This has advantage over the old
way of logging that an admin can see what users are actually trying
to do, and where.  The old code was also not too robust when it
came to a chrooted session and an absolute pathname.

Pointed out by: Nick Leuta
MFC after:      2 weeks
2004-11-18 10:02:28 +00:00
Yaroslav Tykhiy
ac4f2391be Use S_ISDIR() macro instead of a hand-rolled test. 2004-11-18 09:26:58 +00:00
Yaroslav Tykhiy
75933089af getcwd() won't leave a error string in the buffer, unlike getwd(). 2004-11-18 00:14:09 +00:00
Yaroslav Tykhiy
de9b6c0343 Use POSIX functions instead of legacy ones:
getwd() -> getcwd()
	wait3() -> waitpid()
2004-11-17 22:43:46 +00:00
Yaroslav Tykhiy
7e295315e6 Kill more unneeded casts found.
Noticed by:	Nick Leuta <skynick -at- mail.sc.ru> (some of them)
2004-11-17 11:52:41 +00:00
Yaroslav Tykhiy
3b48b87700 Don't invent ways of capitalization orthogonal to the English grammar. 2004-11-15 12:47:44 +00:00
Yaroslav Tykhiy
41c57b487e RFC 959 states that the following codes should be used
for status replies on file system objects:

 212 Directory status.
 213 File status.

Reported by:	Oleg Koreshkov <okor -at- zone.salut.ru>
MFC after:	1 week
2004-11-15 12:41:56 +00:00
Yaroslav Tykhiy
6e4b0a55f7 Using off_t to pass a block size is obvious overkill.
The size_t type is better suited for that, particularly because
the "blksize" argument is to be passed to malloc() and read().
On 64-bit archs it's more to a style issue, but the good style
of coding in C is also important.
2004-11-13 13:42:43 +00:00
Yaroslav Tykhiy
e3765043a8 Kill ancient casts to integral types left from the K&R era.
They're unneeded and sometimes erroneous now.
2004-11-13 13:15:47 +00:00
Yaroslav Tykhiy
8c1c21f2ef Fix logxfer() by using realpath(3) instead of playing with getwd(3).
Previously logxfer() used to record bogus pathnames to the log
in some cases, namely, when cwd was / or "name" was absolute.

Noticed by:	Nick Leuta
MFC after:	2 weeks
2004-11-03 06:52:40 +00:00
Yaroslav Tykhiy
bb4641e28b Replace the last occurence of (long long) and %qd with
(intmax_t) and %jd, which is the right way to printf
an off_t in the presence of <stdint.h>.

Submitted by:	Nick Leuta
2004-11-02 18:48:44 +00:00
Yaroslav Tykhiy
545ea86459 OpenPAM allows passing a NULL "pamh" to pam_strerror() to indicate
that the creation of a PAM context has failed.

N.B. This does not apply to pam_strerror() in RELENG_4, it
will mishandle a NULL "pamh".

Discussed with:	des
2004-11-01 16:05:57 +00:00
Yaroslav Tykhiy
de45162d8c - Stop shadowing global "pamh" by a local variable in auth_pam().
- Stop calling pam_strerror() with NULL pamh.
- Add a missing call to pam_end().

PR:		bin/59776
Submitted by:	Nick Leuta <see PR for email>
MFC after:	2 weeks
2004-10-30 17:30:56 +00:00
Yaroslav Tykhiy
c29b9b4797 Describe the semantics of the sgetpwnam() helper function
in the comment above it so that nobody will save pointers
returned inside "struct passwd" across the calls to the function.
2004-10-30 16:11:15 +00:00
Yaroslav Tykhiy
c999732b45 Log the actual number of bytes sent on the wire to /var/log/ftpd
instead of the disk size of the file sent.   Since the log file
is intended to provide data for anonymous ftp traffic accounting,
the disk size of the file isn't really informative in this case.

PR:		bin/72687
Submitted by:	Oleg Koreshkov
MFC after:	1 week
2004-10-24 20:12:08 +00:00
Yaroslav Tykhiy
b4585cc137 We must not fall back to the old way (read-write)
if sendfile() transferred some data before throwing
a error condition because sendfile() won't move the
file offset for read() to start from.

MFC after:	2 weeks
2004-10-15 09:51:36 +00:00
Yaroslav Tykhiy
2f492fc883 Clean-up around sendfile(): drop an excessive check for error condition. 2004-10-15 09:38:13 +00:00
Yaroslav Tykhiy
2e22b91434 Account for the fact that sendfile(2) may hit the end of file
prematurely, e.g., if the file has been truncated by someone else.

PR:		bin/72649
Submitted by:	Oleg Koreshkov (portions)
MFC after:	2 weeks
2004-10-15 09:31:08 +00:00
Maxim Konovalov
6d4a0e75fc Indent. 2004-09-24 13:22:45 +00:00
Maxim Konovalov
40e677651c o Merge rev. 1.5 libexec/ftpd/ftpd.c from DragonflyBSD:
Do not unconditionally fork() after accept().  accept() can
  return -1 due to an interrupted system call (i.e. SIGCHLD).
  If we fork in that case ftpd can get into an
  accept()/SIGCHLD/fork/[fail]/repeat loop.

  Reported-by: fabian <fabian.duelli@bluewin.ch>

Obtained from:	DragonflyBSD
MFC after:	1 month
2004-09-24 13:21:52 +00:00
Yaroslav Tykhiy
809ad9288f ftpd(8) seems to be WARNS=2 clean now.
Tested on:	i386, ia64, amd64, sparc64, alpha
2004-07-31 15:07:33 +00:00
Yaroslav Tykhiy
aa5a9d3fff Change `(foo *)0'' to `NULL'' where it's possible
(and it appears possible throughout ftpd(8) source.)

It is not a mere issue of style: Null pointers in C
seem to have been mistaken one way or another quite often.
2004-07-31 15:03:17 +00:00
Yaroslav Tykhiy
0e519c96ef Kill a small herd of casts to off_t where they were not needed.
Thank Fortune, the C compiler can figure out by itself the proper
conversion for assignments, comparisons, and prototyped function
arguments.
2004-07-31 14:46:41 +00:00
Yaroslav Tykhiy
a57e1ef070 Printf(3) off_t values through conversion to intmax_t since
we've got <stdint.h> et al now.  (This makes ftpd(8) WARNS=2 clean.)
2004-07-31 14:22:02 +00:00
Yaroslav Tykhiy
c16cd94d23 Kill an unused variable (heading to WARNS=2.) 2004-07-31 14:03:59 +00:00
Yaroslav Tykhiy
012cdd2c90 Convert a couple of bogus null statements to the right form.
(Heading to WARNS=2.)
2004-07-31 14:03:14 +00:00
Yaroslav Tykhiy
c4536e21d4 Ditto for (gid_t). 2004-07-30 17:30:07 +00:00
Yaroslav Tykhiy
52e7ee748d Kill casts to (uid_t) obviously left from the K&R era.
Prototyping library functions in header files has rendered
them superfluous.
2004-07-30 17:27:23 +00:00
Yaroslav Tykhiy
9ec7612a2f Add a comment to explain that the loop around the call to bind(2)
is not a hack, but it has a clear purpose.
2004-07-30 17:18:57 +00:00
Yaroslav Tykhiy
6c124a8422 Open a socket for a data transfer in active mode using euid
of the current user, not root.  This will allow neat things
like matching anonymous FTP data traffic with a single ipfw(8)
rule:
	ipfw add ... tcp from any to any uid ftp

Note that the control connection socket still belongs to the
user ftpd(8) was started from, usually root.

PR:		bin/65928
Submitted by:	Eugene Grosbein <eugen at grosbein.pp.ru>
MFC after:	1 month
2004-07-30 16:57:42 +00:00
Ruslan Ermilov
c481aa05e8 Mechanically kill hard sentence breaks. 2004-07-02 21:28:50 +00:00
David E. O'Brien
63047c6ffc Simplify conditional compilation logic some. 2004-06-13 19:54:12 +00:00
Ruslan Ermilov
53ee59fe53 There's no such beast like AF_INET4, even when powered by whiskey. 2004-05-16 22:11:40 +00:00
Tim J. Robbins
9cbb335cfd Handle variable argument lists correctly in reply() and lreply().
In particular, do not pass the same va_list to both vprintf() and
vsyslog() without first reinitializing it. This fixes ftpd -d
on amd64.
2004-05-13 05:36:38 +00:00
Yaroslav Tykhiy
385f9bf07c NULL looks better than (char *)0 unless we're passing
an unprototyped argument to a function.
2004-02-07 14:59:11 +00:00
Yaroslav Tykhiy
b943b3c4ae Deny attempts to rename a file from guest users if the policy
says they may not modify existing files through FTP.

Renaming a file is effectively a way to modify it.
For instance, if a malicious party is unable to delete or overwrite
a sensitive file, they can nevertheless rename it to a hidden name
and then upload a troyan horse under the guise of the old file name.
2004-02-07 14:54:30 +00:00
Yaroslav Tykhiy
3f8b9cfe85 perror_reply() should not be used where errno isn't meaningful. 2004-02-07 14:38:04 +00:00
Yaroslav Tykhiy
10e8910499 Work around a bug in some clients by never returning raw directory
contents in reply to a RETR command.  Such clients consider RETR
as a way to tell a file from a directory.  Mozilla is an example.

PR:		bin/62232
Submitted by:	Bob Finch <bob+freebsd <at> nas <dot> com>
MFC after:	1 week
2004-02-07 14:11:38 +00:00
Ruslan Ermilov
40f38d59c2 Reorder dependencies to fix static NOPAM build.
Submitted by:	lorder(1)
2004-02-02 18:19:41 +00:00
Philippe Charnier
c433c9daac add missing setusershell() calls.
PR: bin/2442
Reviewed by: Friedemann Becker <zxmxy33@mail.uni-tuebingen.de>
2004-01-18 21:29:33 +00:00
Eric Anholt
c83098a31d man ftpd says that "by default, anonymous users cannot modify existing files."
However, the code did allow deletion of files.  Make deleting require the -m
flag, too.

PR:		bin/60809
Submitted by:	Alexander Melkov <melkov@comptek.ru>
2004-01-07 19:28:31 +00:00
Yaroslav Tykhiy
db1c2da334 If a file to send in ASCII mode already has CRLF as end-of-line,
don't add excessive CR on the wire.

PR:		bin/59285
Submitted by:	Andrey Beresovsky <and at rsu.ru>
MFC after:	1 week
2003-11-15 11:08:26 +00:00
Peter Wemm
45ffe5605f Pacify gcc warning with a Douglas Adams reference. 2003-10-26 04:30:05 +00:00
Hajimu UMEMOTO
206fe568bf Don't depend on IPv4-mapped IPv6 address to bind to both IPv4
and IPv6.

Wrote at:	Hakone.
Powered by:	Warner Losh's scotch whisky.
Requested by:	nork
2003-09-14 16:42:46 +00:00
Alexander Kabaev
84c0a48249 Eliminate last three uses of varargs.h in the tree. These three files
were including varargs.h file but did not use any of its macros,
so they escaped the clean-up before.
2003-09-01 04:12:18 +00:00
Ceri Davies
a707b683e7 Add a note that the -u option can be overridden by settings in login.conf(5).
PR:		docs/56017
Submitted by:	Josef El-Rayes <j.el-rayes@daemon.li>
2003-08-31 07:45:48 +00:00
Yaroslav Tykhiy
e25d3184d0 Block SIGURG while reading from the control channel.
Rationale:

SIGURG is configured by ftpd to interrupt system calls, which is useful
during data transfers.  However, SIGURG could interrupt I/O on the
control channel as well, which was mistaken for the end of the session.

A practical example could be aborting the download of a tiny file,
when the abort sequence reached ftpd after ftpd had passed the file
data to the system and returned to its command loop.

Reported by:	ceri
MFC after:	1 week
2003-07-09 13:54:33 +00:00
Yaroslav Tykhiy
39b96ba75d Improve error handling in getline():
- always check the return value from getc(3) for EOF;
- if the attempt to read the TELNET command byte has
  returned EOF, exit from the loop instead of using
  the EOF value as a normal character.

MFC after:	1 week
2003-07-09 13:15:32 +00:00
Yaroslav Tykhiy
39bce48245 Make a malloced copy of "chrootdir" even if it points to an absolute
pathname inside "residue" so "chrootdir" can be simply freed later.

PR:		bin/53435
Submitted by:	Yutaka Ishihara <yutaka at fandc.co.jp>
MFC after:	1 week
2003-07-09 12:46:24 +00:00
Yaroslav Tykhiy
9581ecbd72 Don't declare unneeded extern variables,
leave alone specifying a wrong type for one of them.
2003-06-21 10:45:38 +00:00
Yaroslav Tykhiy
a278e092d3 If ftpd is run with an -h option (hide host-specific info,)
don't reveal the info in reply to the SYST command.

Get rid of using the "unix" macro at the same time.  It was a rather
poor way to check if the system was Unix since there were quite a
few Unix clones out there whose cc didn't define "unix" (e.g.,
NetBSD.)  It was also sensitive to the C standard used, which caused
unnecessary trouble:  With -std=c99, it should have been "__unix__",
and so on.

PR:		bin/50690
Submitted by:	Alex Semenyaka <alexs _at_ snark.ratmir.ru>
MFC after:	1 week
2003-06-16 11:30:23 +00:00
Philippe Charnier
42161502bd Add section number to .Xr 2003-06-08 12:40:50 +00:00
Ruslan Ermilov
052a8966eb Assorted mdoc(7) fixes. 2003-06-01 19:52:36 +00:00
Ruslan Ermilov
c00ee5e567 mdoc(7) police: Properly markup the previous revision.
Approved by:	re (blanket)
2003-05-16 21:36:10 +00:00
Mike Silbersack
d28af25586 Update the description of the -u option to mention that IP_PORTRANGE_HIGH
and _DEFAULT are the same for 5.x.

Committed under threat of action from:	The mdoc police
2003-03-25 22:20:02 +00:00
Ruslan Ermilov
ace5be682d mdoc(7) police: Scheduled sweep. 2003-02-24 22:53:26 +00:00
Yaroslav Tykhiy
f29288c05e Kill unnecessary vertical whitespace. 2003-02-11 14:10:48 +00:00
Yaroslav Tykhiy
b8939f6fa6 Use LOG_AUTHPRIV to hide the username attempted during an invalid login
from everyone but sysadmins.

PR:		bin/29487
MFC after:	3 days
2003-02-11 11:58:33 +00:00
Yaroslav Tykhiy
31f77a4b49 Allow "~/" in pathnames to work for a chrooted user. 2003-02-05 11:11:32 +00:00
Yaroslav Tykhiy
6cfbc84115 Let tilde expansion be done even if a file/directory doesn't exist yet.
This makes such natural commands as "MKD ~user/newdir" or "STOR ~/newfile"
do what they are supposed to instead of failing miserably with the
"File not found" error.

This involves a bit of code reorganization.  Namely, the code doing
glob(3) expansion has been separated to a function; a new function
has been introduced to do tilde expansion; the latter function is
invoked on a pathname before the former one.  Thus behaviour mimicing
that of the Bourne shell has been achieved.
2003-02-04 17:50:38 +00:00
Yaroslav Tykhiy
50618d61ae RFC 959 doesn't list reply code 550 as a valid responce to STOR/STOU,
so return reply code 553 to indicate a error from open(2) for consistency,
as long as the code is used in the rest of the STOR/STOU handler.
2003-02-04 03:33:25 +00:00
Yaroslav Tykhiy
ea7012261a Let real users access special files through FTP
if allowed by their filesystem permissions.

This doesn't break anything since using sendfile(2)
is triggered later by a separate S_ISREG conditional.

PR:		bin/20824
MFC after:	1 week
2003-01-31 13:18:55 +00:00
Yaroslav Tykhiy
88b707218e When searching for a unique file name in guniquefd(),
distinguish between the cases of an existing file and
a real system error, such as I/O failure, no access etc.

MFC after:	3 days
2003-01-29 17:04:07 +00:00
Yaroslav Tykhiy
c152df28e5 Add a new option to ftpd(8), "-h", to disable printing any
host-specific information in FTP server messages (so paranoid
admins can sleep at night :-)

PR:		bin/16705
MFC after:	1 week
2003-01-29 10:58:58 +00:00
Yaroslav Tykhiy
ce9287fc02 Give the code around chroot(2)/chdir(2) a major overhaul by
separating its part around chroot(2) from that around initial
chdir(2).  This makes the below changes really easy.

Move seteuid(to user's uid) to before calling chdir(2).  There are
two goals to achieve by that.  First, NFS mounted home directories
with restrictive permissions become accessible (local superuser
can't access them if not mapped to uid 0 on the remote side
explicitly.)  Second, all the permissions to the home directory
pathname components become effective; previously a user could be
carried to any local directory despite its permissions since the
chdir(2) was done with euid 0.  This reduces possible impact from
FTP server misconfiguration, e.g., assigning a wrong home directory
to a user.

Implement the "/./" feature.  Now a guest or user subject to chrooting
may have "/./" in his login directory, which separates his chroot
directory from his home directory inside the chrooted environment.
This works for ftpchroot(5) as well.

PR:		bin/17843 bin/23944
2003-01-29 10:07:27 +00:00
Yaroslav Tykhiy
341e476e25 Actually extract the second field from a line in ftpchroot(5)
instead of just using the rest of the line behind the first field.
2003-01-27 15:34:22 +00:00
Yaroslav Tykhiy
0ba71e2424 Allow more than one separator character between fields in ftpchroot(5). 2003-01-27 14:41:08 +00:00
Yaroslav Tykhiy
8657b576d8 Extend the format of /etc/ftpchroot so an alternative chroot
directory can be specified for a user or a group.

Add the manpage ftpchroot(5) since the file's format has grown
complex enough.

PR:			bin/45327
Portions submitted by:	Hideki SAKAMOTO <sakamoto@hlla.is.tsukuba.ac.jp>
MFC after:		1 week
2003-01-26 19:02:56 +00:00
Yaroslav Tykhiy
80f728d4ff GLOB_MAXPATH has been deprecated in favour of GLOB_LIMIT. 2003-01-25 14:59:48 +00:00
Yaroslav Tykhiy
63591ba5c8 - Add a new option, ``-P port'', to specify the port for ftpd(8)
to listen at in daemon mode.
- Use the port by 1 less than the control port as the default
  data port instead of always using hard-coded port 20.

Submitted by:	roam
MFC after:	1 week
2003-01-23 18:39:48 +00:00
Yaroslav Tykhiy
b7f470a943 Prevent server-side glob(3) patterns from expanding
to a pathname that contains '\r' or '\n'.

Together with the earlier STAT bugfix, this must solve
the problem of such pathnames appearing in the FTP control
stream.
2003-01-22 16:25:22 +00:00
Crist J. Clark
e509445689 The FTP daemon was vulnerable to a DoS where an attacker could bind()
up port 20 for an extended period of time and thus lock out all other
users from establishing PORT data connections. Don't hold on to the
bind() while we loop around waiting to see if we can make our
connection.

Being a DoS, it has security implications, giving it a short MFC
time.

MFC after:	1 day
2003-01-21 05:13:02 +00:00
Yaroslav Tykhiy
f8a581a0c6 Prepend a space character if a line begins with a digit
in the output to the "STAT file" request.

This closes one discrepancy with RFC 959 (page 36.)

See also http://www.kb.cert.org/vuls/id/328867

Obtained from:	OpenBSD
2003-01-16 14:25:32 +00:00
Yaroslav Tykhiy
dcb4f239cd Replace the instances of literal "/bin/ls"
with the _PATH_LS macro to be consistent
with the rest of the ftpd(8) source.
2003-01-16 13:27:58 +00:00
Jens Schweikhardt
57bd0fc6e8 english(4) police. 2002-12-27 12:15:40 +00:00
Ruslan Ermilov
d939fc70a7 mdoc(7) police:
Properly sort options, spell "file system" correctly, expand contraction.

Catch up to the src/etc/syslog.conf,v 1.23 change: ftpd(8) session logs
are now by default get logged to /var/log/xferlog.

Approved by:	re
2002-11-25 15:20:06 +00:00
Peter Wemm
f316609eb4 Oops. Some ut_time stuff slipped through the cracks. These turned out
to be non-fatal due to stack alignment roundups.
2002-11-17 23:46:45 +00:00
Yaroslav Tykhiy
1f75c13ee0 Don't free the current addrinfo list, or else a pointer to a freed
memory area would arise.  Only an addrinfo list from an earlier
call to getaddrinfo() should be freed there because it will be
substituted by the current list referenced by "res".

Reported by:	John Long <fbsd1@pruam.com>
MFC after:	5 days
2002-11-11 07:31:48 +00:00
Robert Watson
d9e2c4241f Have ftpd specify the LOGIN_SETMAC flag to setlogincontext() so that
MAC labels are set if MAC is enabled and configured for the user
logging in.

Note that lukemftpd is not considered a supported application when
MAC is enabled, as it does not use the standard system interfaces for
managing user contexts; if lukemftpd is used with labeled MAC policies,
it will not properly give up privileges when switching to the user
account.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-24 16:19:52 +00:00
Robert Watson
4d33b62edc Teach "ls -Z" to use the policy-agnostic MAC label interfaces rather
than the LOMAC-specific interfaces for listing MAC labels.  This permits
ls to view MAC labels in a manner similar to getfmac, when ls is used
with the -l argument.  Next generation LOMAC will use the MAC Framework
so should "just" work with this and other policies.  Not the prettiest
code in the world, but then, neither is ls(1).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-24 00:07:30 +00:00
Mike Barcroft
89fdc4e117 Use the standardized CHAR_BIT constant instead of NBBY in userland. 2002-09-25 04:06:37 +00:00
Yaroslav Tykhiy
7c20f33742 The mode can be "r+" as well on PUT, but only "a" on APPE. 2002-08-29 09:53:51 +00:00
Yaroslav Tykhiy
371348ae25 Fix lexer jam on unimplemented commands.
Submitted by:	maxim
MFC after:	5 days
2002-08-29 09:23:08 +00:00
Yaroslav Tykhiy
ec009cf024 Remove variables no longer used. 2002-08-27 09:05:03 +00:00
Yaroslav Tykhiy
f2fe752d6b More inithosts() fixes:
o Don't free(3) memory occupied by host structures
  already in the host list.
o Set hrp->hostinfo to NULL if a host record has to stay in
  the host list, but is to be ignored.  Selecthost() knows that.
o Reduce the pollution with excessive NULL checks.
o Close a couple of memory leaks.

MFC after:	1 week
2002-08-27 09:02:52 +00:00
Yaroslav Tykhiy
a23f61bc28 Fix an inconsistency between a printf-like format and its argument list.
Submitted by:	kris
MFC after:	3 days
2002-08-27 07:38:55 +00:00
Yaroslav Tykhiy
5d7e0128ff Add option '-W': don't log FTP sessions to wtmp.
Submitted by:	maxim
MFC after:	1 week
2002-08-23 09:06:28 +00:00
Yaroslav Tykhiy
b1d8d5cdd9 Clean up hostname and hostinfo handling in inithosts():
o check getaddrinfo(3) return value, not result pointer
o getaddrinfo(3) returns int, not pointer
o don't leak memory allocated for hostnames and hostinfo structures
o initialize pointers that will be checked for NULL somewhere

MFC after:	1 week
2002-08-20 14:56:06 +00:00
Yaroslav Tykhiy
f6daca0dac Fix a wrong comment on (hopefully) right code.
MFC after:	3 days
2002-08-13 14:08:38 +00:00
Yaroslav Tykhiy
e9b61cfeb0 Fix command help lines:
o PORT takes six byte values, not five.
o TYPE argument is mandatory.

Submitted by:	demon (the 1st part)
MFC after:	3 days
2002-08-13 13:56:42 +00:00
Yaroslav Tykhiy
a117c34534 Rework storing files thoroughly. This includes:
o Remove the race between stat(2) & fopen(3) when creating
  a unique file.

o Improve bound checking when generating a unique name from
  a given pathname.

o Ignore REST marker on APPE.  No RFC specifies this case,
  but the idea of resuming APPE's implies this.

o By default, deny upload resumes and appends by anonymous users.
  Previously these commands were translated to STOU silently,
  which led to broken files on server without any notification
  to the user.

o Add an option, -m, to allow anonymous users to modify
  existing files (e.g., to resume uploads) if filesystem
  permissions permit.

Portions obrainded from:	OpenBSD
MFC after:			3 weeks
2002-08-08 17:53:52 +00:00
Yaroslav Tykhiy
1b9f1a4bd2 1) Use "pathstring" instead of "STRING" consistently.
2) Remove unneeded "if not NULL" props from "pathstring",
   which will never be NULL by the lexer design.

Inspired by:	OpenBSD
MFC after:	1 week
2002-08-05 17:34:15 +00:00
Yaroslav Tykhiy
1d1dc13be6 Since GLOB_NOCHECK is set in the glob(3) call,
glob(3) will return at least one pathname unless
a system error has occured.  It's not a "not found"
error otherwise.

MFC after:	3 days
2002-08-05 14:40:38 +00:00
Yaroslav Tykhiy
effa0530c4 Spot places where "pathname" hasn't been checked
for NULL.  The "pathname" rule may return NULL
on a glob(3) error.

Obtained from:	OpenBSD
MFC after:	1 week
2002-08-05 14:26:40 +00:00
Yaroslav Tykhiy
c452fbe11c Disallow invalid numeric mode values for SITE CHMOD.
Earlier, a decimal number (e.g., 890) could be passed
for mode, leading to dangerous permissions set:
-1, that is, 07777.

Obtained from:	OpenBSD
MFC after:	1 week
2002-08-05 14:10:57 +00:00
Yaroslav Tykhiy
255a70376b Reflect in the ftpd(8) manpage the fact that ASCII SIZE
requests against large files will be denied.

MFC after:	10 days
2002-08-05 13:37:18 +00:00