Revisit blacklistd support in ftpd

Enhance blacklistd support to not log anything by default,
unless blacklistd support is enabled on the command line.
Document the new flag in the man page, and clean up the patches to be less
intrusive in the code.

Reported by:	Rick Adams
Reviewed by:	cem, emaste
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D8374
Kurt Lidl 2016-11-01 18:18:09 +00:00
parent dda4d36957
commit e07d11b691
4 changed files with 50 additions and 15 deletions


@ -37,16 +37,20 @@
#include <blacklist.h>
static struct blacklist *blstate;
extern int use_blacklist;
void
blacklist_init(void)
{
blstate = blacklist_open();
if (use_blacklist)
blstate = blacklist_open();
}
void
blacklist_notify(int action, int fd, char *msg)
{
if (blstate == NULL)
return;
(void)blacklist_r(blstate, action, fd, msg);
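Review bot: When -B is given but `blacklist_open()` returns NULL, `blacklist_init` leaves `blstate` NULL and every later `blacklist_notify` call takes the early return on the `blstate == NULL` check, so an operator who explicitly enabled the option gets no indication that login results are not reaching blacklistd(8). Now that the new `if (use_blacklist)` guard makes opening the channel an explicit request, a failure deserves one log line, e.g. `if (use_blacklist && (blstate = blacklist_open()) == NULL) syslog(LOG_WARNING, "blacklist_open failed, blacklistd notifications disabled");` (assuming <syslog.h> is included by this file; its include block is outside the hunk). The `extern int use_blacklist;` at the top of the hunk would be better placed in blacklist_client.h so that the definition in ftpd.c and this use are checked against a single declaration. The closing brace of `blacklist_notify` lies outside the hunk.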


@ -28,5 +28,26 @@
/* $FreeBSD$ */
void blacklist_notify(int, int, char *);
#ifndef BLACKLIST_CLIENT_H
#define BLACKLIST_CLIENT_H
enum {
BLACKLIST_AUTH_OK = 0,
BLACKLIST_AUTH_FAIL
};
#ifdef USE_BLACKLIST
void blacklist_init(void);
void blacklist_notify(int, int, char *);
#define BLACKLIST_INIT() blacklist_init()
#define BLACKLIST_NOTIFY(x, y, z) blacklist_notify(x, y, z)
#else
#define BLACKLIST_INIT()
#define BLACKLIST_NOTIFY(x, y, z)
#endif
#endif /* BLACKLIST_CLIENT_H */
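Review bot: `blacklist_notify` is declared with a `char *` message parameter although every caller in this commit passes a string literal and blacklist.c only forwards it to blacklist_r(3), whose message argument is `const char *` (confirm against the installed blacklist.h); declaring it `void blacklist_notify(int, int, const char *);` here and in blacklist.c states that the callee never writes through the pointer. The new enum encodes the action codes handed to blacklist_r(3), and that numbering is fixed by the library rather than by ftpd, so a comment on the enum such as `/* action codes passed to blacklist_r(3): 0 = success, 1 = failure; do not renumber */` would keep a later edit from reordering them. An `extern int use_blacklist;` inside the `#ifdef USE_BLACKLIST` block would also let blacklist.c drop its private extern declaration.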


@ -36,7 +36,7 @@
.Nd Internet File Transfer Protocol server
.Sh SYNOPSIS
.Nm
.Op Fl 468ADdEhMmOoRrSUvW
.Op Fl 468ABDdEhMmOoRrSUvW
.Op Fl l Op Fl l
.Op Fl a Ar address
.Op Fl P Ar port
@ -95,6 +95,14 @@ When
.Fl D
is specified, accept connections only on the specified
.Ar address .
.It Fl B
With this option set,
.Nm
sends authentication success and failure messages to the
.Xr blacklistd 8
daemon. If this option is not specified, no communcation with the
.Xr blacklistd 8
daemon is attempted.
.It Fl D
With this option set,
.Nm


@ -144,6 +144,7 @@ int noretr = 0; /* RETR command is disabled. */
int noguestretr = 0; /* RETR command is disabled for anon users. */
int noguestmkd = 0; /* MKD command is disabled for anon users. */
int noguestmod = 1; /* anon users may not modify existing files. */
int use_blacklist = 0;
off_t file_size;
off_t byte_count;
@ -305,7 +306,7 @@ main(int argc, char *argv[], char **envp)
openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
while ((ch = getopt(argc, argv,
"468a:AdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
"468a:ABdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
switch (ch) {
case '4':
family = (family == AF_INET6) ? AF_UNSPEC : AF_INET;
@ -327,6 +328,14 @@ main(int argc, char *argv[], char **envp)
anon_only = 1;
break;
case 'B':
#ifdef USE_BLACKLIST
use_blacklist = 1;
#else
syslog(LOG_WARNING, "not compiled with USE_BLACKLIST support");
#endif
break;
case 'd':
ftpdebug++;
break;
@ -644,9 +653,7 @@ gotchild:
reply(220, "%s FTP server (%s) ready.", hostname, version);
else
reply(220, "FTP server ready.");
#ifdef USE_BLACKLIST
blacklist_init();
#endif
BLACKLIST_INIT();
for (;;)
(void) yyparse();
/* NOTREACHED */
@ -1422,9 +1429,7 @@ skip:
*/
if (rval) {
reply(530, "Login incorrect.");
#ifdef USE_BLACKLIST
blacklist_notify(1, STDIN_FILENO, "Login incorrect");
#endif
BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, STDIN_FILENO, "Login incorrect");
if (logging) {
syslog(LOG_NOTICE,
"FTP LOGIN FAILED FROM %s",
@ -1441,12 +1446,9 @@ skip:
exit(0);
}
return;
} else {
BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, STDIN_FILENO, "Login successful");
}
#ifdef USE_BLACKLIST
else {
blacklist_notify(0, STDIN_FILENO, "Login successful");
}
#endif
}
login_attempts = 0; /* this time successful */
if (setegid(pw->pw_gid) < 0) {
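Review bot: The new global `use_blacklist` in the first hunk is the only flag in that run of definitions without a trailing comment, while its neighbours `noguestretr`, `noguestmkd` and `noguestmod` each document the option they reflect; `int use_blacklist = 0; /* -B: report login results to blacklistd(8). */` keeps the block consistent. In the `case 'B':` branch of the second hunk, a build without USE_BLACKLIST accepts the flag after a single syslog(3) warning, which is a sensible choice, but since the man page documents -B unconditionally the message would be clearer if it named the option being ignored, e.g. `syslog(LOG_WARNING, "-B ignored: not compiled with USE_BLACKLIST support");`. The bodies of `main` and of the function holding the `skip:` label continue outside their hunks.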