Commit Graph

234 Commits

Author SHA1 Message Date
Mark Johnston
3c0c1e01c9 ftpd: Add missing braces around a statfd check
This was harmless but looked incorrect.  No functional change intended.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2020-09-22 15:54:18 +00:00
Mark Johnston
2ac431003b ftpd: Exit during authentication if an error occurs after chroot().
admbug:		969
Security:	CVE-2020-7468
2020-09-15 20:54:18 +00:00
Xin LI
69097cd8da Use strlcpy().
MFC after:	2 weeks
2017-12-05 07:21:47 +00:00
Pedro F. Giffuni
8a16b7a18f General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
Eugene Grosbein
de8d85c908 ftpd(8): fix user context handling.
Apply authenticated user context after update of wtmp(5) at start of session,
so that ftpd process is not killed by kernel with SIGXFSZ when user has
"filesize" limit lower than size of system wtmp file. Same applies
to session finalization: revert to super-user context before update of wtmp.

If ftpd hits limit while writing a file at user request,
do not get killed with SIGXFSZ instantly but apparently ignore the signal,
process error and report it to the user, and continue with the session.

PR:		143570
Approved by:	avg (mentor), mav (mentor)
MFC after:	1 week
2017-10-06 13:46:05 +00:00
Kurt Lidl
959d78b29a Fix build when WITHOUT_BLACKLIST=yes is specified
PR:		214409
Submitted by:	matthew
Reported by:	matteo
MFC after:		3 days
Sponsored by:	The FreeBSD Foundation
2016-11-12 03:07:41 +00:00
Kurt Lidl
e07d11b691 Revisit blacklistd support in ftpd
Enhance blacklistd support to not log anything by default,
unless blacklistd support is enabled on the command line.
Document new flag in man page, cleanup patches to be less
intrusive in code.

Reported by:	Rick Adams
Reviewed by:	cem, emaste
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D8374
2016-11-01 18:18:09 +00:00
Kurt Lidl
504422fab3 Update blacklist support in ftpd to clarify fd usage
The ftp daemon dups the control socket to stdin and uses that fd
throughout the code.  Clarify this usage slightly by changing from
explicit use of "0" for the fd to a variable, to make it clear what
the zero represents in the non-blacklist code. Make the
blacklist_notify routine use STDIN_FILENO so as to have less of a
"magic number" feel to the code.

Reviewed by:	cem
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D6716
2016-06-06 20:00:13 +00:00
Kurt Lidl
3656f22999 Add blacklist support to ftpd
Reviewed by:	rpaulo
Approved by:	rpaulo
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D6703
2016-06-03 06:24:03 +00:00
Don Lewis
8877d1dbe6 Declare line[] in the outermost scope of retrieve() instead of
declaring it in an inner scope and then using it via a pointer
in the outer scope.

Reported by:    Coverity
CID:            605895
2016-05-13 01:52:41 +00:00
Baptiste Daroussin
f03ef8405b Rename getline with get_line to avoid collision with getline(3)
When getline(3) in 2009 was added a _WITH_GETLINE guard has also been added.
This rename is made in preparation for the removal of this guard
2016-05-10 11:12:31 +00:00
Pedro F. Giffuni
ec489d64bb libexec: minor spelling fixes in comments.
No functional change.
2016-05-01 19:39:23 +00:00
Christian Brueffer
5efaea4cc6 Remove the 3rd clause ("advertising clause") of the BSD license as
permitted by the University of Berkeley on July 22, 1999.

Reviewed by:	imp
MFC after:	1 week
2014-02-17 22:27:32 +00:00
Christian Brueffer
03d34ccc39 In sgetpwnam(), save and free pw_class like all other char members
of struct passwd.  This fixes spurious "login_getclass: unknown class"
errors.

PR:		186439
Submitted by:	UEMURA Tetsuya <t_uemura at macome.co.jp>
MFC after:	1 week
2014-02-14 12:01:52 +00:00
Colin Percival
3e65b9c6e6 Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06]
Add an API for alerting internal libc routines to the presence of
"unsafe" paths post-chroot, and use it in ftpd. [11:07]

Fix a buffer overflow in telnetd. [11:08]

Make pam_ssh ignore unpassphrased keys unless the "nullok" option is
specified. [11:09]

Add sanity checking of service names in pam_start. [11:10]

Approved by:    so (cperciva)
Approved by:    re (bz)
Security:       FreeBSD-SA-11:06.bind
Security:       FreeBSD-SA-11:07.chroot
Security:       FreeBSD-SA-11:08.telnetd
Security:       FreeBSD-SA-11:09.pam_ssh
Security:       FreeBSD-SA-11:10.pam
2011-12-23 15:00:37 +00:00
Edward Tomasz Napierala
e81b1c7129 Add LOGIN_SETCPUMASK and LOGIN_SETLOGINCLASS to the setusercontext(3)
calls in ftpd(8).
2011-06-22 19:14:49 +00:00
Ed Maste
62f390ecd9 Make format string a string literal. (Discovered by clang.)
MFC After: 1 week
2011-01-04 00:39:56 +00:00
Ed Maste
763e8c9623 Handle failure from ftpd_popen in statfilecmd().
Reviewed by:	attilio
MFC after:	1 week
2011-01-04 00:11:09 +00:00
Christian S.J. Peron
cefb678553 expand checkuser() to support the propagation of error codes back to
the caller.  Currently, checkuser() does not differentiate between the
failure to open the file and the absence of a user in the file.  Check
to see if there was an error opening the file.  If there are any errors,
terminate the connection.  Currently, the only exception to this rule
is ENOENT, since there is nothing that says the /etc/ftpuser
and /etc/ftpchroot has to exist.

MFC after:	3 weeks
2011-01-03 21:28:12 +00:00
Ed Schouten
9f37b1a2b4 Really disable wtmp logging when chrooting.
Also perform a small cleanup to ftpd_logwtmp(). Just use a NULL
parameter for the username to indicate a logout, instead of an empty
string.

Reported by:	Alexey Shuvaev <shuvaev physik uni-wuerzburg de>
2010-01-18 23:28:25 +00:00
Ed Schouten
80643af02b Port ftpd to utmpx.
Unfortunately I have to partially wreck its functionality, though. ftpd
used to keep a file descriptor to the wtmp, which allowed it to work
from within a chroot. The current utmpx implementation doesn't offer a
way to do this. Maybe we can address this in the future, if it turns out
to be a real issue.
2010-01-13 18:28:41 +00:00
David E. O'Brien
ec85f7fa39 Move variable externs into extern.h so they are checked against the definitions. 2009-04-07 20:34:34 +00:00
Colin Percival
f0b40b1c97 Prevent cross-site forgery attacks on ftpd(8) due to splitting
long commands into multiple requests. [08:12]

Avoid calling uninitialized function pointers in protocol switch
code. [08:13]

Merry Christmas everybody...

Approved by:	so (cperciva)
Approved by:	re (kensmith)
Security:	FreeBSD-SA-08:12.ftpd, FreeBSD-SA-08:13.protosw
2008-12-23 01:23:09 +00:00
Yaroslav Tykhiy
2ea4228214 Add support for RFC 2389 (FEAT) and RFC 2640 (UTF8) to ftpd(8).
The support for RFC 2640 (UTF8) is optional and rudimentary.
The server just advertises its capability to handle UTF-8 file
names and relies on its own 8-bit cleanness, as well as on
the backward compatibility of UTF-8 with ASCII.  So uploaded
files will have UTF-8 names, but the initial server contents
should be prepared in UTF-8 by hand, no on-the-fly conversion
of file names will be done.

PR:		bin/111714
Submitted by:	Zhang Weiwu <see email in the PR>
MFC after:	1 week
2007-04-18 22:43:39 +00:00
Yaroslav Tykhiy
32072720cb Let automatic TCP send buffer sizing do its job for ftpd(8): stop
setting the SO_SNDBUF socket option.  Using a hard-coded value for
it was a poor idea anyway in the face of diverse network conditions.
2007-02-09 17:18:39 +00:00
Hajimu UMEMOTO
2c9fd5f29e - Reduce needless DNS query by lookup only appropriate address
family. [1]
- Specify appropriate hints to getaddrinfo(3). [1]
- Obtain address family from peername in inet mode.

Submitted by:	Rostislav Krasny <rosti.bsd__at__gmail.com> [1]
Tested by:	yar, Rostislav Krasny <rosti.bsd__at__gmail.com>
MFC after:	1 week
2006-03-01 16:13:17 +00:00
Yaroslav Tykhiy
a599a64a9f In the daemon code, check for and report possible errors
from accept(2) and fork(2).  Also close all unneeded fds
in the child process, namely listening sockets for all
address families and the fd initially obtained from accept(2).
(The main ftpd code operates on stdin/stdout anyway as it
has been designed for running from inetd.)

MFC after:	5 days
2006-01-21 13:06:37 +00:00
Yaroslav Tykhiy
8eb0508fe1 The daemon's child shouldn't go on with the for loop
over ctl_sock's -- it is solely the parent daemon's
job.  So just break out of the loop in the child.

MFC after:	5 days
2006-01-21 12:34:28 +00:00
Yaroslav Tykhiy
125b96351a Use pidfile(3) provided by libutil to manage the deamon's pid file.
By default, create a pid file at the standard location, /var/run/ftpd.pid,
in accord with the expected behavior of a stock system daemon.

MFC after:	5 days
2006-01-21 12:21:41 +00:00
Yaroslav Tykhiy
f9036ce6dc Add some consistency checks to the signal-related code.
MFC:	along with rev. 1.202
2005-02-16 11:35:51 +00:00
Yaroslav Tykhiy
91ae77792e A call to maskurg() makes sense only when a transfer is under way,
the function will emit an annoying log message otherwise.

Reported by:	kris
MFC:		along with rev. 1.202
2005-02-16 11:22:20 +00:00
Stefan Farfeleder
78e3eed071 Fix most cases where the address of an int is passed to a function expecting a
socklen_t * argument.
2005-02-14 17:42:58 +00:00
Yaroslav Tykhiy
220223fdf4 Respect the `logging' flag.
Pointed out by:	Nick Leuta
MFC after:	3 days
2005-01-19 10:49:40 +00:00
Yaroslav Tykhiy
4cd51076c5 Improve handling SIGURG and OOB commands on the control channel.
The major change is to process STAT sent as an OOB command w/o
breaking the current data transfer.  As a side effect, this gives
better error checking in the code performing data transfers.

A lesser, but in no way cosmetic, change is using the flag `recvurg'
in the only signal-safe way that has been blessed by SUSv3.  The
other flag, `transflag,' becomes private to the SIGURG machinery,
serves debugging purposes only, and may be dropped in the future.

The `byte_count' global variable is now accounting bytes actually
transferred over the network.  This can give status messages looking
strange, like "X of Y bytes transferred," where X > Y, but that has
more sense than trying to compensate for combinations of data formats
on the server and client when transferring ASCII type data.  BTW,
getting the size of a file in advance is unreliable for a number of
reasons in the first place.  See question 18.8 of the Infrequently
Asked Questions in comp.lang.c for details.

PR:		bin/52072
Tested by:	Nick Leuta (earlier versions), a stress-testing tool (final)
MFC after:	1 month
2005-01-19 10:33:20 +00:00
Yaroslav Tykhiy
1850cfa1c5 Replace err(3) calls when in daemon mode by syslog(3), too.
A daemon has no stderr to send its complains to.

Pointed out by:	Nick Leuta
MFC after:	1 week
2005-01-10 12:19:11 +00:00
Yaroslav Tykhiy
bcd2618483 Do a small style(9) fix before I'm hacking the code itself. 2004-12-16 07:27:28 +00:00
Yaroslav Tykhiy
8efc8b18e5 free(3) is void already. 2004-12-16 07:17:56 +00:00
Yaroslav Tykhiy
6c98f40194 Never emit a message to stderr: use syslog instead.
When in inetd mode, this prevents bogus messages from
appearing on the control channel.  When running as a
daemon, we shouldn't write to the terminal we used to
have at all.

PR:		bin/74823
MFC after:	1 week
2004-12-12 17:30:28 +00:00
Yaroslav Tykhiy
ebd83647a4 When looking for a virtual host to handle the connection,
stop the search on the first match for efficiency.

Submitted by:	Nick Leuta
2004-11-22 11:10:04 +00:00
Yaroslav Tykhiy
4cbc4ad644 Calling pam_chauthtok() isn't really needed since
an FTP user has no chance to change password anyway.

Submitted by:	Nick Leuta
2004-11-22 11:02:42 +00:00
Yaroslav Tykhiy
e897216f45 Don't log the chroot dir on every command since it's constant for a session.
Log it once at the beginning of the session instead.  OTOH, log wd each
time for the sake of better auditing and consistent log format.

Proposed by:	Nick Leuta <skynick -at- mail.sc.ru>
2004-11-22 10:48:29 +00:00
Yaroslav Tykhiy
7cdd3cb70b Always log remote IP.
PR:		bin/59773
2004-11-22 10:27:16 +00:00
Yaroslav Tykhiy
04683b2c35 Treat host name buffers consistently. 2004-11-22 10:16:43 +00:00
Yaroslav Tykhiy
215a9f9de5 Make chrootdir global and use it in log messages
regarding restricted users.

MFC after:	2 weeks
2004-11-18 14:15:32 +00:00
Yaroslav Tykhiy
2b7eb1c076 Nitpicking on style(9) and whitespace.
Tested with:	md5(1)
2004-11-18 13:55:15 +00:00
Yaroslav Tykhiy
0c4b401f76 Use __FBSDID. 2004-11-18 13:46:29 +00:00
Yaroslav Tykhiy
405e2987ca Don't say, "file: permission denied," if the operation
is disabled entirely.
2004-11-18 11:50:01 +00:00
Yaroslav Tykhiy
02c9749295 Use uniform punctuation, capitalization, and language style
in server messages wherever this doesn't contradict to a particular
message format.
2004-11-18 11:45:13 +00:00
Yaroslav Tykhiy
eb5b2bb3ae Apply __printflike() to the appendf() prototype so the compiler
can detect format errors.
2004-11-18 11:32:35 +00:00
Yaroslav Tykhiy
82c03024c2 Fix perror_reply() vs. reply() usage. 2004-11-18 11:27:31 +00:00