Commit Graph

250 Commits

Author SHA1 Message Date
yar
cd7b1c298a Kill unnecessary vertical whitespace. 2003-02-11 14:10:48 +00:00
yar
f6108273cb Use LOG_AUTHPRIV to hide the username attempted during an invalid login
from everyone but sysadmins.

PR:		bin/29487
MFC after:	3 days
2003-02-11 11:58:33 +00:00
yar
5d11fbeaec Allow "~/" in pathnames to work for a chrooted user. 2003-02-05 11:11:32 +00:00
yar
92b68c7646 Let tilde expansion be done even if a file/directory doesn't exist yet.
This makes such natural commands as "MKD ~user/newdir" or "STOR ~/newfile"
do what they are supposed to instead of failing miserably with the
"File not found" error.

This involves a bit of code reorganization.  Namely, the code doing
glob(3) expansion has been separated to a function; a new function
has been introduced to do tilde expansion; the latter function is
invoked on a pathname before the former one.  Thus behaviour mimicing
that of the Bourne shell has been achieved.
2003-02-04 17:50:38 +00:00
yar
b1a2e9acb4 RFC 959 doesn't list reply code 550 as a valid responce to STOR/STOU,
so return reply code 553 to indicate a error from open(2) for consistency,
as long as the code is used in the rest of the STOR/STOU handler.
2003-02-04 03:33:25 +00:00
yar
02d8e2b208 Let real users access special files through FTP
if allowed by their filesystem permissions.

This doesn't break anything since using sendfile(2)
is triggered later by a separate S_ISREG conditional.

PR:		bin/20824
MFC after:	1 week
2003-01-31 13:18:55 +00:00
yar
6962d02957 When searching for a unique file name in guniquefd(),
distinguish between the cases of an existing file and
a real system error, such as I/O failure, no access etc.

MFC after:	3 days
2003-01-29 17:04:07 +00:00
yar
6284753cac Add a new option to ftpd(8), "-h", to disable printing any
host-specific information in FTP server messages (so paranoid
admins can sleep at night :-)

PR:		bin/16705
MFC after:	1 week
2003-01-29 10:58:58 +00:00
yar
e6e9500985 Give the code around chroot(2)/chdir(2) a major overhaul by
separating its part around chroot(2) from that around initial
chdir(2).  This makes the below changes really easy.

Move seteuid(to user's uid) to before calling chdir(2).  There are
two goals to achieve by that.  First, NFS mounted home directories
with restrictive permissions become accessible (local superuser
can't access them if not mapped to uid 0 on the remote side
explicitly.)  Second, all the permissions to the home directory
pathname components become effective; previously a user could be
carried to any local directory despite its permissions since the
chdir(2) was done with euid 0.  This reduces possible impact from
FTP server misconfiguration, e.g., assigning a wrong home directory
to a user.

Implement the "/./" feature.  Now a guest or user subject to chrooting
may have "/./" in his login directory, which separates his chroot
directory from his home directory inside the chrooted environment.
This works for ftpchroot(5) as well.

PR:		bin/17843 bin/23944
2003-01-29 10:07:27 +00:00
yar
a322ce3682 Actually extract the second field from a line in ftpchroot(5)
instead of just using the rest of the line behind the first field.
2003-01-27 15:34:22 +00:00
yar
704ec7b02a Allow more than one separator character between fields in ftpchroot(5). 2003-01-27 14:41:08 +00:00
yar
411365f15d Extend the format of /etc/ftpchroot so an alternative chroot
directory can be specified for a user or a group.

Add the manpage ftpchroot(5) since the file's format has grown
complex enough.

PR:			bin/45327
Portions submitted by:	Hideki SAKAMOTO <sakamoto@hlla.is.tsukuba.ac.jp>
MFC after:		1 week
2003-01-26 19:02:56 +00:00
yar
e67bf5e192 GLOB_MAXPATH has been deprecated in favour of GLOB_LIMIT. 2003-01-25 14:59:48 +00:00
yar
3d2488fff7 - Add a new option, ``-P port'', to specify the port for ftpd(8)
to listen at in daemon mode.
- Use the port by 1 less than the control port as the default
  data port instead of always using hard-coded port 20.

Submitted by:	roam
MFC after:	1 week
2003-01-23 18:39:48 +00:00
yar
f5eff04464 Prevent server-side glob(3) patterns from expanding
to a pathname that contains '\r' or '\n'.

Together with the earlier STAT bugfix, this must solve
the problem of such pathnames appearing in the FTP control
stream.
2003-01-22 16:25:22 +00:00
cjc
29a813efb6 The FTP daemon was vulnerable to a DoS where an attacker could bind()
up port 20 for an extended period of time and thus lock out all other
users from establishing PORT data connections. Don't hold on to the
bind() while we loop around waiting to see if we can make our
connection.

Being a DoS, it has security implications, giving it a short MFC
time.

MFC after:	1 day
2003-01-21 05:13:02 +00:00
yar
65804c6d3c Prepend a space character if a line begins with a digit
in the output to the "STAT file" request.

This closes one discrepancy with RFC 959 (page 36.)

See also http://www.kb.cert.org/vuls/id/328867

Obtained from:	OpenBSD
2003-01-16 14:25:32 +00:00
yar
999cc66112 Replace the instances of literal "/bin/ls"
with the _PATH_LS macro to be consistent
with the rest of the ftpd(8) source.
2003-01-16 13:27:58 +00:00
schweikh
fec6546e12 english(4) police. 2002-12-27 12:15:40 +00:00
ru
146b294736 mdoc(7) police:
Properly sort options, spell "file system" correctly, expand contraction.

Catch up to the src/etc/syslog.conf,v 1.23 change: ftpd(8) session logs
are now by default get logged to /var/log/xferlog.

Approved by:	re
2002-11-25 15:20:06 +00:00
peter
570525a6c7 Oops. Some ut_time stuff slipped through the cracks. These turned out
to be non-fatal due to stack alignment roundups.
2002-11-17 23:46:45 +00:00
yar
e2616c6490 Don't free the current addrinfo list, or else a pointer to a freed
memory area would arise.  Only an addrinfo list from an earlier
call to getaddrinfo() should be freed there because it will be
substituted by the current list referenced by "res".

Reported by:	John Long <fbsd1@pruam.com>
MFC after:	5 days
2002-11-11 07:31:48 +00:00
rwatson
71edd02c55 Have ftpd specify the LOGIN_SETMAC flag to setlogincontext() so that
MAC labels are set if MAC is enabled and configured for the user
logging in.

Note that lukemftpd is not considered a supported application when
MAC is enabled, as it does not use the standard system interfaces for
managing user contexts; if lukemftpd is used with labeled MAC policies,
it will not properly give up privileges when switching to the user
account.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-24 16:19:52 +00:00
rwatson
a20ce31a58 Teach "ls -Z" to use the policy-agnostic MAC label interfaces rather
than the LOMAC-specific interfaces for listing MAC labels.  This permits
ls to view MAC labels in a manner similar to getfmac, when ls is used
with the -l argument.  Next generation LOMAC will use the MAC Framework
so should "just" work with this and other policies.  Not the prettiest
code in the world, but then, neither is ls(1).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-24 00:07:30 +00:00
mike
86a758e51b Use the standardized CHAR_BIT constant instead of NBBY in userland. 2002-09-25 04:06:37 +00:00
yar
f8c5ceb68d The mode can be "r+" as well on PUT, but only "a" on APPE. 2002-08-29 09:53:51 +00:00
yar
c4deb81f31 Fix lexer jam on unimplemented commands.
Submitted by:	maxim
MFC after:	5 days
2002-08-29 09:23:08 +00:00
yar
906476b28e Remove variables no longer used. 2002-08-27 09:05:03 +00:00
yar
9841ff7102 More inithosts() fixes:
o Don't free(3) memory occupied by host structures
  already in the host list.
o Set hrp->hostinfo to NULL if a host record has to stay in
  the host list, but is to be ignored.  Selecthost() knows that.
o Reduce the pollution with excessive NULL checks.
o Close a couple of memory leaks.

MFC after:	1 week
2002-08-27 09:02:52 +00:00
yar
57e404b3cd Fix an inconsistency between a printf-like format and its argument list.
Submitted by:	kris
MFC after:	3 days
2002-08-27 07:38:55 +00:00
yar
8edf222b9e Add option '-W': don't log FTP sessions to wtmp.
Submitted by:	maxim
MFC after:	1 week
2002-08-23 09:06:28 +00:00
yar
a5929f9a88 Clean up hostname and hostinfo handling in inithosts():
o check getaddrinfo(3) return value, not result pointer
o getaddrinfo(3) returns int, not pointer
o don't leak memory allocated for hostnames and hostinfo structures
o initialize pointers that will be checked for NULL somewhere

MFC after:	1 week
2002-08-20 14:56:06 +00:00
yar
2a6f0e09d3 Fix a wrong comment on (hopefully) right code.
MFC after:	3 days
2002-08-13 14:08:38 +00:00
yar
6c62e6d106 Fix command help lines:
o PORT takes six byte values, not five.
o TYPE argument is mandatory.

Submitted by:	demon (the 1st part)
MFC after:	3 days
2002-08-13 13:56:42 +00:00
yar
1402e3c762 Rework storing files thoroughly. This includes:
o Remove the race between stat(2) & fopen(3) when creating
  a unique file.

o Improve bound checking when generating a unique name from
  a given pathname.

o Ignore REST marker on APPE.  No RFC specifies this case,
  but the idea of resuming APPE's implies this.

o By default, deny upload resumes and appends by anonymous users.
  Previously these commands were translated to STOU silently,
  which led to broken files on server without any notification
  to the user.

o Add an option, -m, to allow anonymous users to modify
  existing files (e.g., to resume uploads) if filesystem
  permissions permit.

Portions obrainded from:	OpenBSD
MFC after:			3 weeks
2002-08-08 17:53:52 +00:00
yar
dbe59dc029 1) Use "pathstring" instead of "STRING" consistently.
2) Remove unneeded "if not NULL" props from "pathstring",
   which will never be NULL by the lexer design.

Inspired by:	OpenBSD
MFC after:	1 week
2002-08-05 17:34:15 +00:00
yar
37e3668bf5 Since GLOB_NOCHECK is set in the glob(3) call,
glob(3) will return at least one pathname unless
a system error has occured.  It's not a "not found"
error otherwise.

MFC after:	3 days
2002-08-05 14:40:38 +00:00
yar
4396de5e38 Spot places where "pathname" hasn't been checked
for NULL.  The "pathname" rule may return NULL
on a glob(3) error.

Obtained from:	OpenBSD
MFC after:	1 week
2002-08-05 14:26:40 +00:00
yar
09fb3e817b Disallow invalid numeric mode values for SITE CHMOD.
Earlier, a decimal number (e.g., 890) could be passed
for mode, leading to dangerous permissions set:
-1, that is, 07777.

Obtained from:	OpenBSD
MFC after:	1 week
2002-08-05 14:10:57 +00:00
yar
87d654b4a4 Reflect in the ftpd(8) manpage the fact that ASCII SIZE
requests against large files will be denied.

MFC after:	10 days
2002-08-05 13:37:18 +00:00
yar
919470cf7d Deny the SIZE command on large files when in ASCII mode.
This eliminates an opportunity for DoS attack.

Pointed out by:	maxim
Inspired by:	lukemftpd, OpenBSD
MFC after:	2 weeks
2002-07-31 10:55:31 +00:00
yar
856a7116df Conform to RFC 959, Appendix II, when replying
to a successful MKD command.

MFC after:	1 week
2002-07-29 15:54:27 +00:00
yar
b0f2856844 Make the -v' option a synonym for -d'
(as it was intended initially)
and document it in the manpage.

MFC after:	2 weeks
2002-07-26 16:07:19 +00:00
yar
ae142b4144 Document the -u (set umask) option
(which has been there at least since 4.4BSD-Lite!)

MFC after:	2 weeks
2002-07-26 16:01:24 +00:00
yar
11df7e3f6f Sort command-line options according to the mostly used style:
alphabetical order, lower and upper case of the same letter
stick together, lower case first.

MFC after:	2 weeks
2002-07-26 15:46:08 +00:00
yar
01cbae6356 Use <arpa/ftp.h> stuff cleanly, without introducing
non-portable constants (in this case, hidden as offsets
to the "?AEIL" string.)

MFC after:	1 week
2002-07-25 17:41:47 +00:00
yar
90caf3dc00 Re-use passive data ports with the SO_REUSEADDR
socket option to avoid exausting the passive port
space by TIME_WAIT'ing connections.

PR:		bin/36955
Submitted by:	Maxim Konovalov <maxim@FreeBSD.org>
MFC after:	2 weeks
2002-07-24 16:11:34 +00:00
yar
b55ffaf6bb Remove the outdated casts to "char *" from the setsockopt(2),
write(2), and getipnodebyaddr(3) calls.  Now all the above functions
accept "void *" in that arguments and have prototypes.  Thus, the
casts are useless under the normal circumstances (and would be harmful
if the functions had no prototypes.)

MFC after:	2 weeks
2002-07-24 15:30:53 +00:00
yar
d19478c57f Clean up the syslog(3) messages on the setsockopt(2) errors:
o Always check a setsockopt(2) return value
o Use a consistent message format
o Don't abort if the failed setsockopt(2) was actually not vital
o Use LOG_WARNING, not LOG_ERR, in non-fatal cases

MFC after:	1 week
2002-07-24 14:50:17 +00:00
ume
9c2c51a1e6 use IPV6_V6ONLY instead of non standard IPV6_BINDV6ONLY.
MFC after:	1 week
2002-07-22 15:22:53 +00:00