don't reveal the info in reply to the SYST command.
Get rid of using the "unix" macro at the same time. It was a rather
poor way to check if the system was Unix since there were quite a
few Unix clones out there whose cc didn't define "unix" (e.g.,
NetBSD.) It was also sensitive to the C standard used, which caused
unnecessary trouble: With -std=c99, it should have been "__unix__",
and so on.
PR: bin/50690
Submitted by: Alex Semenyaka <alexs _at_ snark.ratmir.ru>
MFC after: 1 week
This makes such natural commands as "MKD ~user/newdir" or "STOR ~/newfile"
do what they are supposed to instead of failing miserably with the
"File not found" error.
This involves a bit of code reorganization. Namely, the code doing
glob(3) expansion has been separated to a function; a new function
has been introduced to do tilde expansion; the latter function is
invoked on a pathname before the former one. Thus behaviour mimicing
that of the Bourne shell has been achieved.
if allowed by their filesystem permissions.
This doesn't break anything since using sendfile(2)
is triggered later by a separate S_ISREG conditional.
PR: bin/20824
MFC after: 1 week
separating its part around chroot(2) from that around initial
chdir(2). This makes the below changes really easy.
Move seteuid(to user's uid) to before calling chdir(2). There are
two goals to achieve by that. First, NFS mounted home directories
with restrictive permissions become accessible (local superuser
can't access them if not mapped to uid 0 on the remote side
explicitly.) Second, all the permissions to the home directory
pathname components become effective; previously a user could be
carried to any local directory despite its permissions since the
chdir(2) was done with euid 0. This reduces possible impact from
FTP server misconfiguration, e.g., assigning a wrong home directory
to a user.
Implement the "/./" feature. Now a guest or user subject to chrooting
may have "/./" in his login directory, which separates his chroot
directory from his home directory inside the chrooted environment.
This works for ftpchroot(5) as well.
PR: bin/17843 bin/23944
directory can be specified for a user or a group.
Add the manpage ftpchroot(5) since the file's format has grown
complex enough.
PR: bin/45327
Portions submitted by: Hideki SAKAMOTO <sakamoto@hlla.is.tsukuba.ac.jp>
MFC after: 1 week
to listen at in daemon mode.
- Use the port by 1 less than the control port as the default
data port instead of always using hard-coded port 20.
Submitted by: roam
MFC after: 1 week
to a pathname that contains '\r' or '\n'.
Together with the earlier STAT bugfix, this must solve
the problem of such pathnames appearing in the FTP control
stream.
up port 20 for an extended period of time and thus lock out all other
users from establishing PORT data connections. Don't hold on to the
bind() while we loop around waiting to see if we can make our
connection.
Being a DoS, it has security implications, giving it a short MFC
time.
MFC after: 1 day
in the output to the "STAT file" request.
This closes one discrepancy with RFC 959 (page 36.)
See also http://www.kb.cert.org/vuls/id/328867
Obtained from: OpenBSD
Properly sort options, spell "file system" correctly, expand contraction.
Catch up to the src/etc/syslog.conf,v 1.23 change: ftpd(8) session logs
are now by default get logged to /var/log/xferlog.
Approved by: re
memory area would arise. Only an addrinfo list from an earlier
call to getaddrinfo() should be freed there because it will be
substituted by the current list referenced by "res".
Reported by: John Long <fbsd1@pruam.com>
MFC after: 5 days
MAC labels are set if MAC is enabled and configured for the user
logging in.
Note that lukemftpd is not considered a supported application when
MAC is enabled, as it does not use the standard system interfaces for
managing user contexts; if lukemftpd is used with labeled MAC policies,
it will not properly give up privileges when switching to the user
account.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
than the LOMAC-specific interfaces for listing MAC labels. This permits
ls to view MAC labels in a manner similar to getfmac, when ls is used
with the -l argument. Next generation LOMAC will use the MAC Framework
so should "just" work with this and other policies. Not the prettiest
code in the world, but then, neither is ls(1).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
o Don't free(3) memory occupied by host structures
already in the host list.
o Set hrp->hostinfo to NULL if a host record has to stay in
the host list, but is to be ignored. Selecthost() knows that.
o Reduce the pollution with excessive NULL checks.
o Close a couple of memory leaks.
MFC after: 1 week
o check getaddrinfo(3) return value, not result pointer
o getaddrinfo(3) returns int, not pointer
o don't leak memory allocated for hostnames and hostinfo structures
o initialize pointers that will be checked for NULL somewhere
MFC after: 1 week
o Remove the race between stat(2) & fopen(3) when creating
a unique file.
o Improve bound checking when generating a unique name from
a given pathname.
o Ignore REST marker on APPE. No RFC specifies this case,
but the idea of resuming APPE's implies this.
o By default, deny upload resumes and appends by anonymous users.
Previously these commands were translated to STOU silently,
which led to broken files on server without any notification
to the user.
o Add an option, -m, to allow anonymous users to modify
existing files (e.g., to resume uploads) if filesystem
permissions permit.
Portions obrainded from: OpenBSD
MFC after: 3 weeks
Earlier, a decimal number (e.g., 890) could be passed
for mode, leading to dangerous permissions set:
-1, that is, 07777.
Obtained from: OpenBSD
MFC after: 1 week
socket option to avoid exausting the passive port
space by TIME_WAIT'ing connections.
PR: bin/36955
Submitted by: Maxim Konovalov <maxim@FreeBSD.org>
MFC after: 2 weeks
write(2), and getipnodebyaddr(3) calls. Now all the above functions
accept "void *" in that arguments and have prototypes. Thus, the
casts are useless under the normal circumstances (and would be harmful
if the functions had no prototypes.)
MFC after: 2 weeks
o Always check a setsockopt(2) return value
o Use a consistent message format
o Don't abort if the failed setsockopt(2) was actually not vital
o Use LOG_WARNING, not LOG_ERR, in non-fatal cases
MFC after: 1 week
o "struct addrinfo" contains a pointer to "struct sockaddr,"
not "struct sockaddr" itself
o the function takes a pointer to "struct in*_addr", not to
"struct sockaddr," so the address length must be corresponding
MFC after: 1 week
Thus lines of any length can be handled, unlike before.
Don't assume that each line read from the files ends with a newline.
As a side effect in inithosts(), don't use automatic buffer at all,
utilize malloc(3) when getting local host name instead.
PR: misc/21494
Reviewed by: maxim, mikeh
MFC after: 1 month
returns off_t in yylval.u.o. REST is the only user of yylval.u.o at the
moment.
NB: seems lukemftpd has the same bug.
PR: misc/28629
Reviewed by: ru
Approved by: ru
MFC after: 1 month
handlers to set flags only (with exception for sigquit(),
which still seems to call some non-reentrant functions on
its way to _exit(2).) That must eliminate the possibility
of catching SIGSEGV from following non-reentrant paths from
signal handlers.
PR: bin/32740 bin/33846
Submitted by: Maxim Konovalov <maxim@macomnet.ru>
Obtained from: OpenBSD
is implemented in pam_opie module
For non-PAM variant rewrite empty password checking code to do the right thing
and not disallow empty passwords in all cases.
Hiroyuki YAMAMORI gave a patch for the EPRT command in the
PR below. Problems with the rest of the patch are my fault.
PR: 33268
Reviewed by: iedowse, sheldonh
DoS bug that the select(2)/accept(2) pair is called on
a socket that is in the blocking I/O mode. The bug is
triggered if a selected connection dies before the accept(2)
leading to the accept(2) blocking virtually forever.
MFC after: 1 week
in the SYNOPSIS and DESCRIPTION.
Note that -l remains an ugly exception, to which no known rules apply,
since the specification of a single option multiple times isn't normal
standards-compliant CLI behaviour.
While here, mark AF_INET* and LOG_* defined values up with Dv.
-O, which limits the impact of the write-only restriction to guest
users.
*) The existing manual page's SYNOPSIS and option listing in the
DESCRIPTION are already horribly disordered. No attempt has been
made to fix this.
*) The existing source's getopt() optstring and option handling switch
are already horribly disordered. No attempt has been made to fix
this.
Discussed with: nik, -audit
long -> time_t
%ld -> %qd
fseek -> fseeko
NOTE: that fseek not works for >long offsets per POSIX:
[EOVERFLOW] For fseek( ), the resulting file offset would be a value which
cannot be represented correctly in an object of type long.
preventing anyone from downloading files. In conjunction with -A, and some
appropriate file permissions, this lets you create an anonymous FTP drop
box for people to upload files to.
The more obvious "-w" flag is already taken by NetBSD's ftpd. "-o" was
available as an option letter in all three BSDs.
with NetBSD and OpenBSD. glob(3) will now return GLOB_NOSPACE with
errno set to 0 instead of GLOB_LIMIT when we match more than `gl_matchc'
patterns. GLOB_MAXPATH has been left as an alias of GLOB_LIMIT to
maintain backwards compatibility.
Reviewed by: sheldonh, assar
Obtained from: NetBSD/OpenBSD
with the conversation function and challenges which needs to be
revisited, so in the interim a hack is introduced to provide
an OPIE challenge (which is random if OPIE does not apply)
at all non-anonymnous logins.
Limit the "pathname" glob to one item, as that is what all users of it
are expecting, except for LIST.
Always glob, instead of when the first character is a ~. For example,
if you had directories ~/x1, and ~/x2, then "cwd x[1]" would fail, but
"cwd ~/x[1]" would work since it was globbed due to the ~ character.
Also, "cwd ~/x[12]" used to arbitarily work as it used the first
expansion (ie: x1) without an error. Make it return '550 ambiguous'
instead of '550 not found' so that the user can see the difference.
For LIST, just use the user supplied string as the popen does the glob.
Problem noticed by: Ajay Mittal <amittal@iprg.nokia.com>
This allows you to determine if the file on the other side is the same
as the one you have without transferring the entire file to compare.
Needless to say, if the server end lies to you this check doesn't work,
but on the other hand, if it lies to you about the files checksum,
what can you trust from it ?
The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c
Submitted by: "David J. MacKenzie" <djm@web.us.uu.net>
files. Mostly -I${.CURDIR} was needed -- especially for YACC generated
files as the new cpp does not look in the ultimate source file
(ie, the .y file)'s directory as told by the "#line" directive. Some were
misspellings of "-I${.CURDIR}" as "-I.".
has set pwok to a non-zero value.
Previously, the fact that skey.access(5) allowed UNIX passwords for
this connection attempt was ignored, even in the NOPAM case.
This only addresses the NOPAM case; when libpam is used, the problem
will persist.
PR: 20333
