History log of /freebsd-10.1-release/libexec/ftpd/
Revision Date Author Comments
272461 03-Oct-2014 gjb

Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


262435 24-Feb-2014 brueffer

MFC: r262136

Remove the 3rd clause ("advertising clause") of the BSD license as
permitted by the University of Berkeley on July 22, 1999.

Reviewed by: imp


262284 21-Feb-2014 brueffer

MFC: r261885

In sgetpwnam(), save and free pw_class like all other char members
of struct passwd. This fixes spurious "login_getclass: unknown class"
errors.

PR: 186439
Submitted by: UEMURA Tetsuya <t_uemura at macome.co.jp>


256281 10-Oct-2013 gjb

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


240506 14-Sep-2012 eadler

Bump date missed in r202756

PR: docs/171624
Submitted by: bdrewery
Approved by: gabor
MFC after: 3 days


229780 07-Jan-2012 uqs

Spelling fixes for libexec/


228843 23-Dec-2011 cperciva

Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06]

Add an API for alerting internal libc routines to the presence of
"unsafe" paths post-chroot, and use it in ftpd. [11:07]

Fix a buffer overflow in telnetd. [11:08]

Make pam_ssh ignore unpassphrased keys unless the "nullok" option is
specified. [11:09]

Add sanity checking of service names in pam_start. [11:10]

Approved by: so (cperciva)
Approved by: re (bz)
Security: FreeBSD-SA-11:06.bind
Security: FreeBSD-SA-11:07.chroot
Security: FreeBSD-SA-11:08.telnetd
Security: FreeBSD-SA-11:09.pam_ssh
Security: FreeBSD-SA-11:10.pam


223434 22-Jun-2011 trasz

Add LOGIN_SETCPUMASK and LOGIN_SETLOGINCLASS to the setusercontext(3)
calls in ftpd(8).


216945 04-Jan-2011 emaste

Make format string a string literal. (Discovered by clang.)

MFC After: 1 week


216943 04-Jan-2011 emaste

Handle failure from ftpd_popen in statfilecmd().

Reviewed by: attilio
MFC after: 1 week


216932 03-Jan-2011 csjp

expand checkuser() to support the propagation of error codes back to
the caller. Currently, checkuser() does not differentiate between the
failure to open the file and the absence of a user in the file. Check
to see if there was an error opening the file. If there are any errors,
terminate the connection. Currently, the only exception to this rule
is ENOENT, since there is nothing that says the /etc/ftpuser
and /etc/ftpchroot has to exist.

MFC after: 3 weeks


213573 08-Oct-2010 uqs

mdoc: drop redundant .Pp and .LP calls

They have no effect when coming in pairs, or before .Bl/.Bd


205656 25-Mar-2010 delphij

Check that gl_pathc is bigger than zero before dereferencing gl_pathv.
When gl_pathc == 0, the content of gl_pathv is undefined.

PR: bin/144761
Submitted by: David BERARD <contact davidberard fr>
Obtained from: OpenBSD
MFC after: 1 week


203698 09-Feb-2010 ed

Set ut_line to "ftpd" for ftpd.

This makes it a little easier to figure out which application was
responsible for this log entry. Ideally we should add an ut_process or
something similar.

Suggested by: Vincent Poy <vincepoy gmail com>


202756 21-Jan-2010 ed

Remove stale references to utmp(5) and its corresponding filenames.

I removed utmp and its manpage, but not other manpages referring to it.


202604 18-Jan-2010 ed

Really disable wtmp logging when chrooting.

Also perform a small cleanup to ftpd_logwtmp(). Just use a NULL
parameter for the username to indicate a logout, instead of an empty
string.

Reported by: Alexey Shuvaev <shuvaev physik uni-wuerzburg de>


202209 13-Jan-2010 ed

Port ftpd to utmpx.

Unfortunately I have to partially wreck its functionality, though. ftpd
used to keep a file descriptor to the wtmp, which allowed it to work
from within a chroot. The current utmpx implementation doesn't offer a
way to do this. Maybe we can address this in the future, if it turns out
to be a real issue.


190828 07-Apr-2009 obrien

Move variable externs into extern.h so they are checked against the definitions.


187913 30-Jan-2009 maxim

o Fix typo: indentical -> identical.

PR: docs/131149
Submitted by: Patrick Oonk
MFC after: 1 week


186405 23-Dec-2008 cperciva

Prevent cross-site forgery attacks on ftpd(8) due to splitting
long commands into multiple requests. [08:12]

Avoid calling uninitialized function pointers in protocol switch
code. [08:13]

Merry Christmas everybody...

Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-08:12.ftpd, FreeBSD-SA-08:13.protosw


168899 20-Apr-2007 trhodes

Remove references to S/Key and list OPIE.


168871 19-Apr-2007 yar

Reword the description of the UTF8 option (-8) so I can swear
to myself that I understand it.

Bump document date.


168849 18-Apr-2007 yar

Add support for RFC 2389 (FEAT) and RFC 2640 (UTF8) to ftpd(8).

The support for RFC 2640 (UTF8) is optional and rudimentary.
The server just advertises its capability to handle UTF-8 file
names and relies on its own 8-bit cleanness, as well as on
the backward compatibility of UTF-8 with ASCII. So uploaded
files will have UTF-8 names, but the initial server contents
should be prepared in UTF-8 by hand, no on-the-fly conversion
of file names will be done.

PR: bin/111714
Submitted by: Zhang Weiwu <see email in the PR>
MFC after: 1 week


166598 09-Feb-2007 yar

Let automatic TCP send buffer sizing do its job for ftpd(8): stop
setting the SO_SNDBUF socket option. Using a hard-coded value for
it was a poor idea anyway in the face of diverse network conditions.


159276 05-Jun-2006 yar

Fix compilation of ftpcmd.y without -DINET6.
Respect MK_INET6_SUPPORT in Makefile.

Requested by: Attila Nagy <bra at fsn dot hu>
MFC after: 1 week


156813 17-Mar-2006 ru

Reimplementation of world/kernel build options. For details, see:

http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)


156156 01-Mar-2006 ume

- Reduce needless DNS query by lookup only appropriate address
family. [1]
- Specify appropriate hints to getaddrinfo(3). [1]
- Obtain address family from peername in inet mode.

Submitted by: Rostislav Krasny <rosti.bsd__at__gmail.com> [1]
Tested by: yar, Rostislav Krasny <rosti.bsd__at__gmail.com>
MFC after: 1 week


154997 29-Jan-2006 yar

Touch .Dd because the last commit was content-related.


154634 21-Jan-2006 yar

In the daemon code, check for and report possible errors
from accept(2) and fork(2). Also close all unneeded fds
in the child process, namely listening sockets for all
address families and the fd initially obtained from accept(2).
(The main ftpd code operates on stdin/stdout anyway as it
has been designed for running from inetd.)

MFC after: 5 days


154631 21-Jan-2006 yar

The daemon's child shouldn't go on with the for loop
over ctl_sock's -- it is solely the parent daemon's
job. So just break out of the loop in the child.

MFC after: 5 days


154630 21-Jan-2006 yar

Use pidfile(3) provided by libutil to manage the daemon's pid file.

By default, create a pid file at the standard location, /var/run/ftpd.pid,
in accord with the expected behavior of a stock system daemon.

MFC after: 5 days


141967 16-Feb-2005 yar

Add some consistency checks to the signal-related code.

MFC: along with rev. 1.202


141966 16-Feb-2005 yar

A call to maskurg() makes sense only when a transfer is under way,
the function will emit an annoying log message otherwise.

Reported by: kris
MFC: along with rev. 1.202


141918 14-Feb-2005 stefanf

Fix most cases where the address of an int is passed to a function expecting a
socklen_t * argument.


140473 19-Jan-2005 yar

Respect the `logging' flag.

Pointed out by: Nick Leuta
MFC after: 3 days


140472 19-Jan-2005 yar

Improve handling SIGURG and OOB commands on the control channel.

The major change is to process STAT sent as an OOB command w/o
breaking the current data transfer. As a side effect, this gives
better error checking in the code performing data transfers.

A lesser, but in no way cosmetic, change is using the flag `recvurg'
in the only signal-safe way that has been blessed by SUSv3. The
other flag, `transflag,' becomes private to the SIGURG machinery,
serves debugging purposes only, and may be dropped in the future.

The `byte_count' global variable is now accounting bytes actually
transferred over the network. This can give status messages looking
strange, like "X of Y bytes transferred," where X > Y, but that has
more sense than trying to compensate for combinations of data formats
on the server and client when transferring ASCII type data. BTW,
getting the size of a file in advance is unreliable for a number of
reasons in the first place. See question 18.8 of the Infrequently
Asked Questions in comp.lang.c for details.

PR: bin/52072
Tested by: Nick Leuta (earlier versions), a stress-testing tool (final)
MFC after: 1 month


140414 18-Jan-2005 ru

Sort sections.


139981 10-Jan-2005 yar

Replace err(3) calls when in daemon mode by syslog(3), too.
A daemon has no stderr to send its complaints to.

Pointed out by: Nick Leuta
MFC after: 1 week


139126 21-Dec-2004 ru

NOPAM -> NO_PAM


138911 16-Dec-2004 yar

Do a small style(9) fix before I'm hacking the code itself.


138910 16-Dec-2004 yar

free(3) is void already.


138747 12-Dec-2004 yar

Never emit a message to stderr: use syslog instead.
When in inetd mode, this prevents bogus messages from
appearing on the control channel. When running as a
daemon, we shouldn't write to the terminal we used to
have at all.

PR: bin/74823
MFC after: 1 week


137987 22-Nov-2004 yar

When looking for a virtual host to handle the connection,
stop the search on the first match for efficiency.

Submitted by: Nick Leuta


137986 22-Nov-2004 yar

Calling pam_chauthtok() isn't really needed since
an FTP user has no chance to change password anyway.

Submitted by: Nick Leuta


137985 22-Nov-2004 yar

Don't log the chroot dir on every command since it's constant for a session.
Log it once at the beginning of the session instead. OTOH, log wd each
time for the sake of better auditing and consistent log format.

Proposed by: Nick Leuta <skynick -at- mail.sc.ru>


137984 22-Nov-2004 yar

Always log remote IP.

PR: bin/59773


137983 22-Nov-2004 yar

Treat host name buffers consistently.


137862 18-Nov-2004 yar

Make chrootdir global and use it in log messages
regarding restricted users.

MFC after: 2 weeks


137861 18-Nov-2004 yar

Nitpicking on style(9) and whitespace.

Tested with: md5(1)


137859 18-Nov-2004 yar

Use __FBSDID.


137853 18-Nov-2004 yar

Don't say, "file: permission denied," if the operation
is disabled entirely.


137852 18-Nov-2004 yar

Use uniform punctuation, capitalization, and language style
in server messages wherever this doesn't contradict a particular
message format.


137851 18-Nov-2004 yar

Apply __printflike() to the appendf() prototype so the compiler
can detect format errors.


137850 18-Nov-2004 yar

Fix perror_reply() vs. reply() usage.


137849 18-Nov-2004 yar

'\n' need not appear in reply() strings.


137848 18-Nov-2004 yar

Log pathname arguments to ftp commands as the user specified them;
add the working directory pathname to the log message if any of
such arguments isn't absolute. This has advantage over the old
way of logging that an admin can see what users are actually trying
to do, and where. The old code was also not too robust when it
came to a chrooted session and an absolute pathname.

Pointed out by: Nick Leuta
MFC after: 2 weeks


137847 18-Nov-2004 yar

Use S_ISDIR() macro instead of a hand-rolled test.


137839 18-Nov-2004 yar

getcwd() won't leave an error string in the buffer, unlike getwd().


137830 17-Nov-2004 yar

Use POSIX functions instead of legacy ones:
getwd() -> getcwd()
wait3() -> waitpid()


137811 17-Nov-2004 yar

Kill more unneeded casts found.

Noticed by: Nick Leuta <skynick -at- mail.sc.ru> (some of them)


137729 15-Nov-2004 yar

Don't invent ways of capitalization orthogonal to the English grammar.


137728 15-Nov-2004 yar

RFC 959 states that the following codes should be used
for status replies on file system objects:

212 Directory status.
213 File status.

Reported by: Oleg Koreshkov <okor -at- zone.salut.ru>
MFC after: 1 week


137660 13-Nov-2004 yar

Using off_t to pass a block size is obvious overkill.
The size_t type is better suited for that, particularly because
the "blksize" argument is to be passed to malloc() and read().
On 64-bit archs it's more to a style issue, but the good style
of coding in C is also important.


137659 13-Nov-2004 yar

Kill ancient casts to integral types left from the K&R era.
They're unneeded and sometimes erroneous now.


137145 03-Nov-2004 yar

Fix logxfer() by using realpath(3) instead of playing with getwd(3).
Previously logxfer() used to record bogus pathnames to the log
in some cases, namely, when cwd was / or "name" was absolute.

Noticed by: Nick Leuta
MFC after: 2 weeks


137132 02-Nov-2004 yar

Replace the last occurrence of (long long) and %qd with
(intmax_t) and %jd, which is the right way to printf
an off_t in the presence of <stdint.h>.

Submitted by: Nick Leuta


137108 01-Nov-2004 yar

OpenPAM allows passing a NULL "pamh" to pam_strerror() to indicate
that the creation of a PAM context has failed.

N.B. This does not apply to pam_strerror() in RELENG_4, it
will mishandle a NULL "pamh".

Discussed with: des


137078 30-Oct-2004 yar

- Stop shadowing global "pamh" by a local variable in auth_pam().
- Stop calling pam_strerror() with NULL pamh.
- Add a missing call to pam_end().

PR: bin/59776
Submitted by: Nick Leuta <see PR for email>
MFC after: 2 weeks


137076 30-Oct-2004 yar

Describe the semantics of the sgetpwnam() helper function
in the comment above it so that nobody will save pointers
returned inside "struct passwd" across the calls to the function.


136929 24-Oct-2004 yar

Log the actual number of bytes sent on the wire to /var/log/ftpd
instead of the disk size of the file sent. Since the log file
is intended to provide data for anonymous ftp traffic accounting,
the disk size of the file isn't really informative in this case.

PR: bin/72687
Submitted by: Oleg Koreshkov
MFC after: 1 week


136556 15-Oct-2004 yar

We must not fall back to the old way (read-write)
if sendfile() transferred some data before throwing
an error condition because sendfile() won't move the
file offset for read() to start from.

MFC after: 2 weeks


136555 15-Oct-2004 yar

Clean-up around sendfile(): drop an excessive check for error condition.


136554 15-Oct-2004 yar

Account for the fact that sendfile(2) may hit the end of file
prematurely, e.g., if the file has been truncated by someone else.

PR: bin/72649
Submitted by: Oleg Koreshkov (portions)
MFC after: 2 weeks


135738 24-Sep-2004 maxim

Indent.


135737 24-Sep-2004 maxim

o Merge rev. 1.5 libexec/ftpd/ftpd.c from DragonflyBSD:

Do not unconditionally fork() after accept(). accept() can
return -1 due to an interrupted system call (i.e. SIGCHLD).
If we fork in that case ftpd can get into an
accept()/SIGCHLD/fork/[fail]/repeat loop.

Reported-by: fabian <fabian.duelli@bluewin.ch>

Obtained from: DragonflyBSD
MFC after: 1 month


132932 31-Jul-2004 yar

ftpd(8) seems to be WARNS=2 clean now.

Tested on: i386, ia64, amd64, sparc64, alpha


132931 31-Jul-2004 yar

Change ``(foo *)0'' to ``NULL'' where it's possible
(and it appears possible throughout ftpd(8) source.)

It is not a mere issue of style: Null pointers in C
seem to have been mistaken one way or another quite often.


132930 31-Jul-2004 yar

Kill a small herd of casts to off_t where they were not needed.
Thank Fortune, the C compiler can figure out by itself the proper
conversion for assignments, comparisons, and prototyped function
arguments.


132929 31-Jul-2004 yar

Printf(3) off_t values through conversion to intmax_t since
we've got <stdint.h> et al now. (This makes ftpd(8) WARNS=2 clean.)


132926 31-Jul-2004 yar

Kill an unused variable (heading to WARNS=2.)


132925 31-Jul-2004 yar

Convert a couple of bogus null statements to the right form.
(Heading to WARNS=2.)


132894 30-Jul-2004 yar

Ditto for (gid_t).


132893 30-Jul-2004 yar

Kill casts to (uid_t) obviously left from the K&R era.
Prototyping library functions in header files has rendered
them superfluous.


132891 30-Jul-2004 yar

Add a comment to explain that the loop around the call to bind(2)
is not a hack, but it has a clear purpose.


132889 30-Jul-2004 yar

Open a socket for a data transfer in active mode using euid
of the current user, not root. This will allow neat things
like matching anonymous FTP data traffic with a single ipfw(8)
rule:
ipfw add ... tcp from any to any uid ftp

Note that the control connection socket still belongs to the
user ftpd(8) was started from, usually root.

PR: bin/65928
Submitted by: Eugene Grosbein <eugen at grosbein.pp.ru>
MFC after: 1 month


131487 02-Jul-2004 ru

Mechanically kill hard sentence breaks.


130428 13-Jun-2004 obrien

Simplify conditional compilation logic some.


129304 16-May-2004 ru

There's no such beast like AF_INET4, even when powered by whiskey.


129170 13-May-2004 tjr

Handle variable argument lists correctly in reply() and lreply().
In particular, do not pass the same va_list to both vprintf() and
vsyslog() without first reinitializing it. This fixes ftpd -d
on amd64.


125570 07-Feb-2004 yar

NULL looks better than (char *)0 unless we're passing
an unprototyped argument to a function.


125569 07-Feb-2004 yar

Deny attempts to rename a file from guest users if the policy
says they may not modify existing files through FTP.

Renaming a file is effectively a way to modify it.
For instance, if a malicious party is unable to delete or overwrite
a sensitive file, they can nevertheless rename it to a hidden name
and then upload a Trojan horse under the guise of the old file name.


125568 07-Feb-2004 yar

perror_reply() should not be used where errno isn't meaningful.


125565 07-Feb-2004 yar

Work around a bug in some clients by never returning raw directory
contents in reply to a RETR command. Such clients consider RETR
as a way to tell a file from a directory. Mozilla is an example.

PR: bin/62232
Submitted by: Bob Finch <bob+freebsd <at> nas <dot> com>
MFC after: 1 week


125336 02-Feb-2004 ru

Reorder dependencies to fix static NOPAM build.

Submitted by: lorder(1)


124687 18-Jan-2004 charnier

add missing setusershell() calls.

PR: bin/2442
Reviewed by: Friedemann Becker <zxmxy33@mail.uni-tuebingen.de>


124229 07-Jan-2004 anholt

man ftpd says that "by default, anonymous users cannot modify existing files."
However, the code did allow deletion of files. Make deleting require the -m
flag, too.

PR: bin/60809
Submitted by: Alexander Melkov <melkov@comptek.ru>


122751 15-Nov-2003 yar

If a file to send in ASCII mode already has CRLF as end-of-line,
don't add excessive CR on the wire.

PR: bin/59285
Submitted by: Andrey Beresovsky <and at rsu.ru>
MFC after: 1 week


121537 26-Oct-2003 peter

Pacify gcc warning with a Douglas Adams reference.


120059 14-Sep-2003 ume

Don't depend on IPv4-mapped IPv6 address to bind to both IPv4
and IPv6.

Wrote at: Hakone.
Powered by: Warner Losh's scotch whisky.
Requested by: nork


119632 01-Sep-2003 kan

Eliminate last three uses of varargs.h in the tree. These three files
were including varargs.h file but did not use any of its macros,
so they escaped the clean-up before.


119602 31-Aug-2003 ceri

Add a note that the -u option can be overridden by settings in login.conf(5).

PR: docs/56017
Submitted by: Josef El-Rayes <j.el-rayes@daemon.li>


117352 09-Jul-2003 yar

Block SIGURG while reading from the control channel.

Rationale:

SIGURG is configured by ftpd to interrupt system calls, which is useful
during data transfers. However, SIGURG could interrupt I/O on the
control channel as well, which was mistaken for the end of the session.

A practical example could be aborting the download of a tiny file,
when the abort sequence reached ftpd after ftpd had passed the file
data to the system and returned to its command loop.

Reported by: ceri
MFC after: 1 week


117351 09-Jul-2003 yar

Improve error handling in getline():
- always check the return value from getc(3) for EOF;
- if the attempt to read the TELNET command byte has
returned EOF, exit from the loop instead of using
the EOF value as a normal character.

MFC after: 1 week


117349 09-Jul-2003 yar

Make a malloced copy of "chrootdir" even if it points to an absolute
pathname inside "residue" so "chrootdir" can be simply freed later.

PR: bin/53435
Submitted by: Yutaka Ishihara <yutaka at fandc.co.jp>
MFC after: 1 week


116655 21-Jun-2003 yar

Don't declare unneeded extern variables,
leave alone specifying a wrong type for one of them.


116439 16-Jun-2003 yar

If ftpd is run with an -h option (hide host-specific info,)
don't reveal the info in reply to the SYST command.

Get rid of using the "unix" macro at the same time. It was a rather
poor way to check if the system was Unix since there were quite a
few Unix clones out there whose cc didn't define "unix" (e.g.,
NetBSD.) It was also sensitive to the C standard used, which caused
unnecessary trouble: With -std=c99, it should have been "__unix__",
and so on.

PR: bin/50690
Submitted by: Alex Semenyaka <alexs _at_ snark.ratmir.ru>
MFC after: 1 week


116034 08-Jun-2003 charnier

Add section number to .Xr


115634 01-Jun-2003 ru

Assorted mdoc(7) fixes.


115087 16-May-2003 ru

mdoc(7) police: Properly markup the previous revision.

Approved by: re (blanket)


112644 25-Mar-2003 silby

Update the description of the -u option to mention that IP_PORTRANGE_HIGH
and _DEFAULT are the same for 5.x.

Committed under threat of action from: The mdoc police


111447 24-Feb-2003 ru

mdoc(7) police: Scheduled sweep.


110707 11-Feb-2003 yar

Kill unnecessary vertical whitespace.


110691 11-Feb-2003 yar

Use LOG_AUTHPRIV to hide the username attempted during an invalid login
from everyone but sysadmins.

PR: bin/29487
MFC after: 3 days


110378 05-Feb-2003 yar

Allow "~/" in pathnames to work for a chrooted user.


110340 04-Feb-2003 yar

Let tilde expansion be done even if a file/directory doesn't exist yet.
This makes such natural commands as "MKD ~user/newdir" or "STOR ~/newfile"
do what they are supposed to instead of failing miserably with the
"File not found" error.

This involves a bit of code reorganization. Namely, the code doing
glob(3) expansion has been separated to a function; a new function
has been introduced to do tilde expansion; the latter function is
invoked on a pathname before the former one. Thus behaviour mimicking
that of the Bourne shell has been achieved.


110307 04-Feb-2003 yar

RFC 959 doesn't list reply code 550 as a valid response to STOR/STOU,
so return reply code 553 to indicate an error from open(2) for consistency,
as long as the code is used in the rest of the STOR/STOU handler.


110144 31-Jan-2003 yar

Let real users access special files through FTP
if allowed by their filesystem permissions.

This doesn't break anything since using sendfile(2)
is triggered later by a separate S_ISREG conditional.

PR: bin/20824
MFC after: 1 week


110046 29-Jan-2003 yar

When searching for a unique file name in guniquefd(),
distinguish between the cases of an existing file and
a real system error, such as I/O failure, no access etc.

MFC after: 3 days


110037 29-Jan-2003 yar

Add a new option to ftpd(8), "-h", to disable printing any
host-specific information in FTP server messages (so paranoid
admins can sleep at night :-)

PR: bin/16705
MFC after: 1 week


110036 29-Jan-2003 yar

Give the code around chroot(2)/chdir(2) a major overhaul by
separating its part around chroot(2) from that around initial
chdir(2). This makes the below changes really easy.

Move seteuid(to user's uid) to before calling chdir(2). There are
two goals to achieve by that. First, NFS mounted home directories
with restrictive permissions become accessible (local superuser
can't access them if not mapped to uid 0 on the remote side
explicitly.) Second, all the permissions to the home directory
pathname components become effective; previously a user could be
carried to any local directory despite its permissions since the
chdir(2) was done with euid 0. This reduces possible impact from
FTP server misconfiguration, e.g., assigning a wrong home directory
to a user.

Implement the "/./" feature. Now a guest or user subject to chrooting
may have "/./" in his login directory, which separates his chroot
directory from his home directory inside the chrooted environment.
This works for ftpchroot(5) as well.

PR: bin/17843 bin/23944


109939 27-Jan-2003 yar

Actually extract the second field from a line in ftpchroot(5)
instead of just using the rest of the line behind the first field.


109938 27-Jan-2003 yar

Allow more than one separator character between fields in ftpchroot(5).


109893 26-Jan-2003 yar

Extend the format of /etc/ftpchroot so an alternative chroot
directory can be specified for a user or a group.

Add the manpage ftpchroot(5) since the file's format has grown
complex enough.

PR: bin/45327
Portions submitted by: Hideki SAKAMOTO <sakamoto@hlla.is.tsukuba.ac.jp>
MFC after: 1 week


109815 25-Jan-2003 yar

GLOB_MAXPATH has been deprecated in favour of GLOB_LIMIT.


109742 23-Jan-2003 yar

- Add a new option, ``-P port'', to specify the port for ftpd(8)
to listen at in daemon mode.
- Use the port by 1 less than the control port as the default
data port instead of always using hard-coded port 20.

Submitted by: roam
MFC after: 1 week


109685 22-Jan-2003 yar

Prevent server-side glob(3) patterns from expanding
to a pathname that contains '\r' or '\n'.

Together with the earlier STAT bugfix, this must solve
the problem of such pathnames appearing in the FTP control
stream.


109611 21-Jan-2003 cjc

The FTP daemon was vulnerable to a DoS where an attacker could bind()
up port 20 for an extended period of time and thus lock out all other
users from establishing PORT data connections. Don't hold on to the
bind() while we loop around waiting to see if we can make our
connection.

Being a DoS, it has security implications, giving it a short MFC
time.

MFC after: 1 day


109382 16-Jan-2003 yar

Prepend a space character if a line begins with a digit
in the output to the "STAT file" request.

This closes one discrepancy with RFC 959 (page 36.)

See also http://www.kb.cert.org/vuls/id/328867

Obtained from: OpenBSD


109380 16-Jan-2003 yar

Replace the instances of literal "/bin/ls"
with the _PATH_LS macro to be consistent
with the rest of the ftpd(8) source.


108317 27-Dec-2002 schweikh

english(4) police.


107231 25-Nov-2002 ru

mdoc(7) police:

Properly sort options, spell "file system" correctly, expand contraction.

Catch up to the src/etc/syslog.conf,v 1.23 change: ftpd(8) session logs
are now by default logged to /var/log/xferlog.

Approved by: re


107030 17-Nov-2002 peter

Oops. Some ut_time stuff slipped through the cracks. These turned out
to be non-fatal due to stack alignment roundups.


106754 11-Nov-2002 yar

Don't free the current addrinfo list, or else a pointer to a freed
memory area would arise. Only an addrinfo list from an earlier
call to getaddrinfo() should be freed there because it will be
substituted by the current list referenced by "res".

Reported by: John Long <fbsd1@pruam.com>
MFC after: 5 days


105877 24-Oct-2002 rwatson

Have ftpd specify the LOGIN_SETMAC flag to setlogincontext() so that
MAC labels are set if MAC is enabled and configured for the user
logging in.

Note that lukemftpd is not considered a supported application when
MAC is enabled, as it does not use the standard system interfaces for
managing user contexts; if lukemftpd is used with labeled MAC policies,
it will not properly give up privileges when switching to the user
account.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories


105832 24-Oct-2002 rwatson

Teach "ls -Z" to use the policy-agnostic MAC label interfaces rather
than the LOMAC-specific interfaces for listing MAC labels. This permits
ls to view MAC labels in a manner similar to getfmac, when ls is used
with the -l argument. Next generation LOMAC will use the MAC Framework
so should "just" work with this and other policies. Not the prettiest
code in the world, but then, neither is ls(1).

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories


103949 25-Sep-2002 mike

Use the standardized CHAR_BIT constant instead of NBBY in userland.


102566 29-Aug-2002 yar

The mode can be "r+" as well on PUT, but only "a" on APPE.


102565 29-Aug-2002 yar

Fix lexer jam on unimplemented commands.

Submitted by: maxim
MFC after: 5 days


102474 27-Aug-2002 yar

Remove variables no longer used.


102473 27-Aug-2002 yar

More inithosts() fixes:
o Don't free(3) memory occupied by host structures
already in the host list.
o Set hrp->hostinfo to NULL if a host record has to stay in
the host list, but is to be ignored. Selecthost() knows that.
o Reduce the pollution with excessive NULL checks.
o Close a couple of memory leaks.

MFC after: 1 week


102469 27-Aug-2002 yar

Fix an inconsistency between a printf-like format and its argument list.

Submitted by: kris
MFC after: 3 days


102311 23-Aug-2002 yar

Add option '-W': don't log FTP sessions to wtmp.

Submitted by: maxim
MFC after: 1 week


102183 20-Aug-2002 yar

Clean up hostname and hostinfo handling in inithosts():
o check getaddrinfo(3) return value, not result pointer
o getaddrinfo(3) returns int, not pointer
o don't leak memory allocated for hostnames and hostinfo structures
o initialize pointers that will be checked for NULL somewhere

MFC after: 1 week


101809 13-Aug-2002 yar

Fix a wrong comment on (hopefully) right code.

MFC after: 3 days


101806 13-Aug-2002 yar

Fix command help lines:
o PORT takes six byte values, not five.
o TYPE argument is mandatory.

Submitted by: demon (the 1st part)
MFC after: 3 days


101537 08-Aug-2002 yar

Rework storing files thoroughly. This includes:

o Remove the race between stat(2) & fopen(3) when creating
a unique file.

o Improve bound checking when generating a unique name from
a given pathname.

o Ignore REST marker on APPE. No RFC specifies this case,
but the idea of resuming APPE's implies this.

o By default, deny upload resumes and appends by anonymous users.
Previously these commands were translated to STOU silently,
which led to broken files on server without any notification
to the user.

o Add an option, -m, to allow anonymous users to modify
existing files (e.g., to resume uploads) if filesystem
permissions permit.

Portions obtained from: OpenBSD
MFC after: 3 weeks


101395 05-Aug-2002 yar

1) Use "pathstring" instead of "STRING" consistently.
2) Remove unneeded "if not NULL" props from "pathstring",
which will never be NULL by the lexer design.

Inspired by: OpenBSD
MFC after: 1 week


101380 05-Aug-2002 yar

Since GLOB_NOCHECK is set in the glob(3) call,
glob(3) will return at least one pathname unless
a system error has occurred. It's not a "not found"
error otherwise.

MFC after: 3 days


101379 05-Aug-2002 yar

Spot places where "pathname" hasn't been checked
for NULL. The "pathname" rule may return NULL
on a glob(3) error.

Obtained from: OpenBSD
MFC after: 1 week


101378 05-Aug-2002 yar

Disallow invalid numeric mode values for SITE CHMOD.
Earlier, a decimal number (e.g., 890) could be passed
for mode, leading to dangerous permissions set:
-1, that is, 07777.

Obtained from: OpenBSD
MFC after: 1 week


101376 05-Aug-2002 yar

Reflect in the ftpd(8) manpage the fact that ASCII SIZE
requests against large files will be denied.

MFC after: 10 days


101034 31-Jul-2002 yar

Deny the SIZE command on large files when in ASCII mode.
This eliminates an opportunity for DoS attack.

Pointed out by: maxim
Inspired by: lukemftpd, OpenBSD
MFC after: 2 weeks


100878 29-Jul-2002 yar

Conform to RFC 959, Appendix II, when replying
to a successful MKD command.

MFC after: 1 week


100720 26-Jul-2002 yar

Make the `-v' option a synonym for `-d'
(as it was intended initially)
and document it in the manpage.

MFC after: 2 weeks


100719 26-Jul-2002 yar

Document the -u (set umask) option
(which has been there at least since 4.4BSD-Lite!)

MFC after: 2 weeks


100717 26-Jul-2002 yar

Sort command-line options according to the mostly used style:
alphabetical order, lower and upper case of the same letter
stick together, lower case first.

MFC after: 2 weeks


100684 25-Jul-2002 yar

Use <arpa/ftp.h> stuff cleanly, without introducing
non-portable constants (in this case, hidden as offsets
to the "?AEIL" string.)

MFC after: 1 week


100615 24-Jul-2002 yar

Re-use passive data ports with the SO_REUSEADDR
socket option to avoid exhausting the passive port
space by TIME_WAIT'ing connections.

PR: bin/36955
Submitted by: Maxim Konovalov <maxim@FreeBSD.org>
MFC after: 2 weeks


100612 24-Jul-2002 yar

Remove the outdated casts to "char *" from the setsockopt(2),
write(2), and getipnodebyaddr(3) calls. Now all the above functions
accept "void *" in those arguments and have prototypes. Thus, the
casts are useless under the normal circumstances (and would be harmful
if the functions had no prototypes.)

MFC after: 2 weeks


100609 24-Jul-2002 yar

Clean up the syslog(3) messages on the setsockopt(2) errors:

o Always check a setsockopt(2) return value
o Use a consistent message format
o Don't abort if the failed setsockopt(2) was actually not vital
o Use LOG_WARNING, not LOG_ERR, in non-fatal cases

MFC after: 1 week


100505 22-Jul-2002 ume

use IPV6_V6ONLY instead of non standard IPV6_BINDV6ONLY.

MFC after: 1 week


100486 22-Jul-2002 yar

Fix one RFC 959 incompliance:
Double double-quotes in a PWD result
if they appear in the directory pathname.

PR: misc/18365
MFC after: 1 week


100439 21-Jul-2002 yar

Allow deleting and renaming stale symlinks and
deleting symlinks pointing to directories.

PR: bin/37250
Submitted by: Nino Dehne <TeCeEm@gmx.de>
MFC after: 1 week


100263 17-Jul-2002 yar

Avoid passing NULL to freehostent(3).

MFC after: 1 week


100259 17-Jul-2002 yar

Fix setting parameters for getipnodebyaddr(3):
o "struct addrinfo" contains a pointer to "struct sockaddr,"
not "struct sockaddr" itself
o the function takes a pointer to "struct in*_addr", not to
"struct sockaddr," so the address length must be corresponding

MFC after: 1 week


100222 17-Jul-2002 mikeh

GLOB_QUOTE has been retired.


100183 16-Jul-2002 yar

Use the right indent for the closing brace: it belongs to `if',
not to `for'. The previous indent was rather misleading for
the code reader.

MFC after: 1 week


100182 16-Jul-2002 yar

Replace the awkward hackery about strtok(3)
by conventional one-way parsing of ftphosts(5).
Don't let NULL hostname pointers into virtual
host records as well.

PR: bin/18410
MFC after: 1 month


99877 12-Jul-2002 yar

Use fgetln(3) to read lines from configuration files (ftpusers, ftphosts.)
Thus lines of any length can be handled, unlike before.

Don't assume that each line read from the files ends with a newline.

As a side effect in inithosts(), don't use automatic buffer at all,
utilize malloc(3) when getting local host name instead.

PR: misc/21494
Reviewed by: maxim, mikeh
MFC after: 1 month


99500 06-Jul-2002 charnier

The .Nm utility


99318 03-Jul-2002 dan

Make sure to reset transflag back to zero upon successfully using sendfile()
to transfer a file.

PR: 39362
Submitted by: TANAKA Hiroyuki <kattyo@abk.nu>
MFC after: 1 week


99255 02-Jul-2002 ume

Cope with 2292bis-01 getaddrinfo (no NI_WITHSCOPEID, always attach
scope identifier).

MFC after: 3 weeks


99213 01-Jul-2002 maxim

Remove trailing whitespaces.


99212 01-Jul-2002 maxim

Move 'byte_count' calculation just before 'recvurg' check. It is a global
variable and used in myoob().

PR: bin/38928
Submitted by: Oliver Fromme <olli@secnetix.de>
MFC after: 1 month


99195 01-Jul-2002 mdodd

Implement a flag to disable directory creation for anonymous users.

PR: misc/38987
Submitted by: Peter da Silva <peter@abbnm.com>
MFC after: 1 week


98973 28-Jun-2002 markm

Remove a GCC-specific command-line option. We should be using WARNS=n
for this stuff.


97420 28-May-2002 alfred

Assume __STDC__, remove non-__STDC__ code.


92272 14-Mar-2002 maxim

Teach REST how to restart a file transfer after 2^31 bytes: now yylex()
returns off_t in yylval.u.o. REST is the only user of yylval.u.o at the
moment.

NB: seems lukemftpd has the same bug.

PR: misc/28629
Reviewed by: ru
Approved by: ru
MFC after: 1 month


92090 11-Mar-2002 maxim

Remove duplicated yacc nonterminals declarations, sort includes.
No functional changes from rev. 1.31.

Reviewed by: ru
Approved by: ru
MFC after: 1 week


91404 27-Feb-2002 obrien

Put the last added source file in proper order.
(and dcc the committer a dictionary)


91244 25-Feb-2002 des

Rewrite the part of the conversation function that allocates the reply array;
it was inelegant and neglected to check the return value from malloc(3).

Sponsored by: DARPA, NAI Labs


90604 13-Feb-2002 maxim

Fix infinite loop around sendfile(2) after sending >4GB file.

PR: bin/33770
Submitted by: Vladislav Shabanov <vs@rambler-co.ru>
Reviewed by: ru
Approved by: ru
MFC after: 1 month


90164 04-Feb-2002 kris

Lock down with WFORMAT?=1, with overrides in the subdirectories which
are not yet warning-clean. Tested on i386 and alpha.


90158 04-Feb-2002 kris

Silence some FORMAT_AUDIT warnings (one left)


90148 03-Feb-2002 imp

o Eliminate __P
o Use new-style function definitions
o remove some !__STDC__ code
o eliminate register


89935 28-Jan-2002 yar

Remove the setjmp/longjmp stuff completely. Use signal
handlers to set flags only (with exception for sigquit(),
which still seems to call some non-reentrant functions on
its way to _exit(2).) That must eliminate the possibility
of catching SIGSEGV from following non-reentrant paths from
signal handlers.

PR: bin/32740 bin/33846
Submitted by: Maxim Konovalov <maxim@macomnet.ru>
Obtained from: OpenBSD


89920 28-Jan-2002 ume

Log wtmp according to an address family properly.

Reported by: matusita
Reviewed by: matusita
MFC after: 1 week


89622 21-Jan-2002 ache

Remove my workaround fallback since PAM now does it properly.


89569 19-Jan-2002 des

Really back out ache's commits. These files are now precisely as they were
twenty-four hours ago, except for RCS ids.


89568 19-Jan-2002 ache

Back out PAM_CRED_ERR addition


89552 19-Jan-2002 ache

Add PAM_CRED_ERR as valid failure case


89544 19-Jan-2002 ache

Call opieunlock() only if we skip opieverify() part


89530 19-Jan-2002 ache

Remove conditional 'pwok' fallback for PAM which now
is implemented in pam_opie module

For non-PAM variant rewrite empty password checking code to do the right thing
and not disallow empty passwords in all cases.


88935 05-Jan-2002 dwmalone

Be more careful about freeing memory after parsing commands.
Hiroyuki YAMAMORI gave a patch for the EPRT command in the
PR below. Problems with the rest of the patch are my fault.

PR: 33268
Reviewed by: iedowse, sheldonh


88763 01-Jan-2002 ache

Fix OPIE auth


88673 29-Dec-2001 bde

Fixed missing DPADD in previous commit. Fixed most style bugs related to
DPADD and LDADD.


88669 29-Dec-2001 joe

Link with libm to take advantage of the -h flag to ls.

Submitted by: Mike Makonnen <mike_makonnen@yahoo.com>


86943 27-Nov-2001 green

Add lomac.c.

Found by: ken


86628 19-Nov-2001 yar

Eliminate another instance of the old and well-known
DoS bug that the select(2)/accept(2) pair is called on
a socket that is in the blocking I/O mode. The bug is
triggered if a selected connection dies before the accept(2)
leading to the accept(2) blocking virtually forever.

MFC after: 1 week


84842 12-Oct-2001 yar

Don't let a user name in ftpd's proctitle
be mistaken for a status message.

PR: misc/25217
MFC after: 7 days


84841 12-Oct-2001 yar

Be consistent about indent at least within one block of code.


84285 01-Oct-2001 ru

mdoc(7) police: markup nits.


84146 29-Sep-2001 ache

1) Use OPIE response only when OPIE keys really used
2) Use commonly used OPIE response form instead of self-made one


83919 25-Sep-2001 mikeh

Improve the description on how to construct ~ftp/pub. Specifically,
don't instruct users to set the directory mode 777.

PR: 30690
Obtained from: NetBSD (with modification)
MFC after: 2 weeks


83308 10-Sep-2001 mikeh

Remove a field width specifier that's not doing anything more than
what using snprintf() achieves. It was also being used incorrectly.


82944 04-Sep-2001 sheldonh

Do the best we can with respect to fixing command-line option disorder
in the SYNOPSIS and DESCRIPTION.

Note that -l remains an ugly exception, to which no known rules apply,
since the specification of a single option multiple times isn't normal
standards-compliant CLI behaviour.

While here, mark AF_INET* and LOG_* defined values up with Dv.


82796 02-Sep-2001 sheldonh

Extend the functionality offered by the -o option into a new option
-O, which limits the impact of the write-only restriction to guest
users.

*) The existing manual page's SYNOPSIS and option listing in the
DESCRIPTION are already horribly disordered. No attempt has been
made to fix this.

*) The existing source's getopt() optstring and option handling switch
are already horribly disordered. No attempt has been made to fix
this.

Discussed with: nik, -audit


82792 02-Sep-2001 ache

long -> off_t
long -> time_t
%ld -> %qd
fseek -> fseeko

NOTE: fseek does not work for >long offsets per POSIX:

[EOVERFLOW] For fseek( ), the resulting file offset would be a value which
cannot be represented correctly in an object of type long.


82460 28-Aug-2001 nik

Add a new option, '-o', for "Write-only". Disables the RETR command,
preventing anyone from downloading files. In conjunction with -A, and some
appropriate file permissions, this lets you create an anonymous FTP drop
box for people to upload files to.

The more obvious "-w" flag is already taken by NetBSD's ftpd. "-o" was
available as an option letter in all three BSDs.


80525 29-Jul-2001 mikeh

Rename the GLOB_MAXPATH flag of glob(3) to GLOB_LIMIT to be compatible
with NetBSD and OpenBSD. glob(3) will now return GLOB_NOSPACE with
errno set to 0 instead of GLOB_LIMIT when we match more than `gl_matchc'
patterns. GLOB_MAXPATH has been left as an alias of GLOB_LIMIT to
maintain backwards compatibility.

Reviewed by: sheldonh, assar
Obtained from: NetBSD/OpenBSD


79979 19-Jul-2001 obrien

Portability configuration data for LukeM ftpd.


79754 15-Jul-2001 dd

Remove whitespace at EOL.


79529 10-Jul-2001 ru

mdoc(7) police: removed HISTORY info from the .Os call.


79469 09-Jul-2001 markm

Remove S/Key. PAM can do its job. Well, not quite - there is an issue
with the conversation function and challenges which needs to be
revisited, so in the interim a hack is introduced to provide
an OPIE challenge (which is random if OPIE does not apply)
at all non-anonymous logins.


78153 13-Jun-2001 dd

Move the definition of epsvall out of #ifdef VIRTUAL_HOSTING so that
the latter is not required for ftpd to compile.


76106 28-Apr-2001 markm

Cleaner method of making PAMable apps static (in the optional case of
wanting static apps).


76098 28-Apr-2001 markm

Damn. That should be _enable_ static linking, not _force_ static linking.


76097 28-Apr-2001 markm

Enable (optional) static linking.
Asked for by: BDE


76096 28-Apr-2001 markm

Change names of functions and variables with global scope that are
in conflict with library values of the same name. This allows static
linking.


75670 18-Apr-2001 ru

mdoc(7) police: normalize .Nd.


75567 17-Apr-2001 peter

Previous clobbered a work-in-progress. Here is the merged result:

Limit the "pathname" glob to one item, as that is what all users of it
are expecting, except for LIST.

Always glob, instead of when the first character is a ~. For example,
if you had directories ~/x1, and ~/x2, then "cwd x[1]" would fail, but
"cwd ~/x[1]" would work since it was globbed due to the ~ character.
Also, "cwd ~/x[12]" used to arbitrarily work as it used the first
expansion (ie: x1) without an error. Make it return '550 ambiguous'
instead of '550 not found' so that the user can see the difference.

For LIST, just use the user supplied string as the popen does the glob.

Problem noticed by: Ajay Mittal <amittal@iprg.nokia.com>


75560 17-Apr-2001 jedgar

Limit number of paths returned via glob() for authorized users
using tilde expansion.


75556 16-Apr-2001 green

Support the empty "PASS\r\n" command.


75542 16-Apr-2001 ru

Document that SITE extensions are disabled for anonymous logins.

Obtained from: logdaemon package by Wietse Venema


75535 15-Apr-2001 phk

Add the "SITE MD5 filename" facility.

This allows you to determine if the file on the other side is the same
as the one you have without transferring the entire file to compare.

Needless to say, if the server end lies to you this check doesn't work,
but on the other hand, if it lies to you about the file's checksum,
what can you trust from it?


74874 27-Mar-2001 markm

Add full PAM support for account management and sessions.

The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c

Submitted by: "David J. MacKenzie" <djm@web.us.uu.net>


74814 26-Mar-2001 ru

- Backout botched attempt to introduce MANSECT feature.
- MAN[1-9] -> MAN.


74529 20-Mar-2001 ru

Set the default manual section for libexec/ to 8.


74470 19-Mar-2001 jlemon

Teach ftpd about the new GLOB_MAXPATH flag.


74100 11-Mar-2001 des

When the file was transferred using sendfile(2), we forgot to keep track
of the transferred byte count. MFC candidate.

PR: bin/25699


72710 19-Feb-2001 des

Change the read-only reply to "550 Permission denied.".


71278 20-Jan-2001 jedgar

Limit commands that can be issued when not logged in:
TYPE, STRU, MODE, ALLO, STAT, ABOR, SITE IDLE, SYST, REST

Reviewed by: kris, sheldon


70205 20-Dec-2000 dan

In send_data(), use sendfile() instead of the mmap() algorithm.


70144 18-Dec-2000 ru

mdoc(7) police: removed hard sentence breaks, run through spell-checker.


70116 17-Dec-2000 demon

Fix typo.

PR: 23591
Submitted by: mavetju@chello.nl


70102 16-Dec-2000 phk

Add option -E to disable EPSV which throws certain stateful firewalls
into confusion.

Add option -r to make ftpd support only read-only operations.

Submitted by: Flemming (F3) Jacobsen <fj@batmule.dk>
Reviewed by: phk


69453 01-Dec-2000 obrien

The GCC 2.96 snapshots have slightly different rules for finding include
files. Mostly -I${.CURDIR} was needed -- especially for YACC generated
files as the new cpp does not look in the ultimate source file
(ie, the .y file)'s directory as told by the "#line" directive. Some were
misspellings of "-I${.CURDIR}" as "-I.".


69443 01-Dec-2000 obrien

There is no src/contrib-crypto/ anything directory. So don't look for
include files in subdirs of it.


69234 26-Nov-2000 danny

Prevent leakage of information about anonymous user's homedir
via 'QUOTE CWD'.

Reviewed by: des


68949 20-Nov-2000 ru

mdoc(7) police: use the new features of the Nm macro.


68901 19-Nov-2000 kris

Format string paranoia


67007 12-Oct-2000 guido

Fix broken PAM with SKEY behaviour: the skey.access file checks
were broken because the code failed to set PAM_RHOST.


66907 10-Oct-2000 wollman

Don't depend on <sys/stat.h> bogusly including <sys/time.h> (and thereby
<time.h>).


65425 04-Sep-2000 imp

remove redundant optreset declaration


64778 17-Aug-2000 sheldonh

Don't set an arbitrary limit on username lengths; use MAXLOGNAME
instead.

PR: 20675
Submitted by: Vladimir B Grebenschikov <vova@express.ru>


64699 16-Aug-2000 ru

Fix `control socket: Protocol not supported' failure in
standalone -D mode when neither -4 nor -6 is specified.


64103 01-Aug-2000 sheldonh

Honour skey.access(5) by allowing UNIX passwords when skeyaccess(3)
has set pwok to a non-zero value.

Previously, the fact that skey.access(5) allowed UNIX passwords for
this connection attempt was ignored, even in the NOPAM case.

This only addresses the NOPAM case; when libpam is used, the problem
will persist.

PR: 20333


63350 17-Jul-2000 des

Don't reply "not a plain file" when the requested file doesn't exist.


62946 11-Jul-2000 ben

Explain that the -S option only logs file downloads, not all transfers.

PR: 16934
Submitted by: Kurt Zeilenga <kurt@OpenLDAP.org>


62100 26-Jun-2000 davidn

Fix a problem in the virtual host address compare code which caused
duplicated host entries in /etc/ftphosts not to be folded. Make sure
we exit the loop on a match.

PR: bin/19390


61749 17-Jun-2000 joe

Switch over to using the new fflagstostr and strtofflags library calls.


60929 25-May-2000 nsayer

1. Add IPv6 portrange restriction code (-U flag) to passive().

2. Add portrange restriction code (for both v4 and v6) to the EPSV
processing stuff.


57978 13-Mar-2000 ru

Finally unifdef -DINTERNAL_LS.


57267 17-Feb-2000 peter

Doc fix: remove references to ~ftp/bin/ls as we have FTPD_INTERNAL_LS
unconditionally active already.

Noticed by: obrien


57124 10-Feb-2000 shin

Add more dual stack consideration.

-ftpd need to know each of AF_INET and AF_INET6 addr for hosts specified in
/etc/ftphosts.

Approved by: jkh


57003 05-Feb-2000 joe

Revert part of the last commit, remove {g|s}etflags from the libc
interface, and statically link them to the programs using them.
These functions, upon reflection and discussion, are too generically
named for a library interface with such specific functionality.
Also the api that they use, whilst ok for private use, isn't good
enough for a libc function.

Additionally there were complications with the build/install-world
process. It depends heavily upon xinstall, which got broken by
the change in api, and caused bootstrap problems and general mayhem.

There is work in progress to address future problems that may be
caused by changes in install-chain tools, and better names for
{g|s}etflags can be derived when some future program requires them.
For now the code has been left in src/lib/libc/gen (it started off
in src/bin/ls).

It's important to provide library functions for manipulating file
flag strings if we ever want this interface to be adopted outside
of the source tree, but now isn't necessarily the right moment
with 4.0-release just around the corner.

Approved: jkh


56975 03-Feb-2000 shin

Remove unnecessary -g for CFLAGS.

-g for CFLAGS which was set at debugging time was mistakenly committed,
so removed it.

Approved by: jkh


56974 03-Feb-2000 shin

Fix ftpd core dump when hostname is not set.

When hostname is not set, ftpd core dumps, because there is no
NULL check for freeing name resolving information for its own
hostname.
So the check is added.

Approved by: jkh


56668 27-Jan-2000 shin

another tcp apps IPv6 updates.(should be make world safe)
ftp, telnet, ftpd, faithd
also telnet related sync with crypto, secure, kerberosIV

Obtained from: KAME project


55270 30-Dec-1999 joe

Moved flags_to_string and string_to_flags into libutil. It's used in
many places nowadays.


51979 07-Oct-1999 alfred

sync with netbsd PR 8534, fix undefined C code.
Pointed out by: David A. Holland


51433 19-Sep-1999 markm

Fix for new Kerberos4. Make a first cut at PAM-ising while I'm here.


51192 12-Sep-1999 mharo

When a STAT command is sent to ftpd as an out-of-band transmission during
a file transfer, the command was mishandled on every other receipt of the
command.

PR: 13261
Submitted by: Ian Lepore <ian@plutotech.com>


50990 06-Sep-1999 markm

Add common error lib for the Kerberos case.


50476 28-Aug-1999 peter

$Id$ -> $FreeBSD$


50380 26-Aug-1999 peter

unifdef -DINTERNAL_LS - it's too useful to be off by default. If anyone
really dislikes this, we could add a switch to disable it at runtime and
check in popen.c.


48313 28-Jun-1999 mpp

Update the SYNOPSIS to reflect that the -l option can be specified
more than once.

Pointed-out-by: sheldonh


46439 04-May-1999 ghelmer

Add missing -A option to SYNOPSIS.

PR: docs/10771


46078 25-Apr-1999 imp

More egcs warning fixes:
o main returns int not void
o use return 0 at end of main when needed
o use braces to avoid potentially ambiguous else
o don't default to type int (and also remove a useless register
modifier).

Reviewed by: obrien and chuckr


45422 07-Apr-1999 brian

Ensure that things returned by gethostname() and
friends are terminated and allow for a maximum
host name length of MAXHOSTNAMELEN - 1.
Put parenthesis around sizeof args.
Make some variables static.
Fix telnetd -u (broken by my last commit)

Prompted by: bde


45393 06-Apr-1999 brian

Use realhostname() rather than various combinations of
gethostbyaddr() & gethostbyname().

Remove brokenness in ftpd for hosts of MAXHOSTNAMELEN length.


42587 12-Jan-1999 asami

Oops, I missed a few more /etc/nologin references yesterday. It appears
my check of the tree was incomplete. Sorry guys.

Reported by: Ben Smithurst <ben@scientia.demon.co.uk>


41465 02-Dec-1998 billf

Update to correctly reflect the default values of
net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast

PR: docs/6745
Submitted by: Masachika Ishizuka <ishizuka@ish.org>


41278 21-Nov-1998 jdp

Find "klogin.c" in "src/lib/libpam/modules/pam_kerberosIV" instead
of in "src/usr.bin/login". The latter instance is going away. As
soon as ftpd is PAMized, it won't need to use klogin.c at all.


40310 13-Oct-1998 des

Set the user context correctly so that cd ~ does the right thing.

PR: bin/7943 bin/8293
Submitted by: Bill Fenner <fenner@parc.xerox.com>
Approved by: jkh


39783 29-Sep-1998 alex

Added double quotes around CHMOD description to prevent garbled output.

PR: 8094
Submitted by: Christoph Weber-Fahr <wefa@callcenter.systemhaus.net>


37532 09-Jul-1998 jkoshy

Document the use of lines beginning with a '#' as comment lines.

PR: 5676


36612 03-Jun-1998 jb

signal() returns SIG_ERR on error, not int.

time() requires a time_t pointer, not a long.


36349 25-May-1998 steve

Make ftpd(8) honor its default group setting in the config files.

PR: 6682
Submitted by: Max Euston <meuston@jmrodgers.com>


36140 18-May-1998 ache

Back out "always UTC" fix since some people want visually identical 'ls'
output for local users. FTP protocol RFC also says that 'ls' output is
not machine-readable. "always UTC" still possible with TZ= in ftpd
environment by price of having UTC in log files too.

Fix INTERNAL_LS to sense new /etc/localtime after chroot


36105 16-May-1998 ache

Return back initial tzset() must be before first chroot


36072 15-May-1998 ache

Return back vfork and use execve with TZ="" environment in vfork case


36070 15-May-1998 ache

Use fork instead of vfork since setenv clobbers parent environment
Fork already used for INTERNAL_LS in any case


36068 15-May-1998 ache

Move TZ="" assignment just before exec to not touch other time stuff


36066 15-May-1998 ache

Do TZ= as first thing, since FTP protocol is unable to tell zone offset in
any case.

It makes no difference for anon account (since chroot already makes it GMT),
but if you do mirror with special non-anon login, in old variant
your mirror will be wholy retransmitted twice in the year due to
time zone changes (/etc/localtime plays bad role here)


35700 04-May-1998 bde

Simplified by using new yacc rules and by not generating y.tab.h.


35482 28-Apr-1998 dg

Set TCP_NODELAY on the control channel to improve performance a bit.


35474 27-Apr-1998 dg

Fixed a bug where if MAXUSRARGS amount of args were passed in, the argv[]
array would end up without the NULL pointer termination, causing the glob
code to glob whatever garbage happened to follow on the stack.


33829 25-Feb-1998 danny

PR: 5812
Pointed-in-the-right-direction-by: Mike Smith and Steve Price

Close syslogging before calling ls_main()


33782 24-Feb-1998 eivind

Make ftpd log IP-addresses in addition to hostnames.


33552 18-Feb-1998 obrien

MFS.


31973 24-Dec-1997 imp

Various sprintf -> snprintf fixes.
Minor style fix (strcpy(foo,"") -> *foo = '\0')
Obtained from: OpenBSD(?)


31523 04-Dec-1997 steve

FTP_INTERNAL_LS -> FTPD_INTERNAL_LS

Pointed out by: Jaye Mathisen <mrcpu@cdsnet.net>


31329 21-Nov-1997 charnier

Cosmetics in man page. Exit(-1) -> exit(1).


30113 05-Oct-1997 jkh

Changes to support full make parallelism (-j<n>) in the world
target.
Reviewed by: <many different folks>
Submitted by: Nickolay N. Dudorov <nnd@nnd.itfs.nsk.su>


29574 18-Sep-1997 phk

Many places in the code NULL is used in integer context, where
plain 0 should be used. This happens to work because we #define
NULL to 0, but is stylistically wrong and can cause problems
for people trying to port bits of code to other environments.

PR: 2752
Submitted by: Arne Henrik Juul <arnej@imf.unit.no>


29140 05-Sep-1997 tg

Hopefully better fix for logwtmp(): rename to a private
version ftpd_logwtmp().


29139 05-Sep-1997 tg

logwtmp() prototype is in <libutil.h>.


27650 24-Jul-1997 davidn

Make usage of hostname global variable consistent.
PR: 4135
Based on submitted patch by: blank@fox.uni-trier.de


25986 21-May-1997 danny

Tell the chroot()ed user that "access restrictions apply".


25674 10-May-1997 davidn

login_getclass() -> login_getpwclass().


25283 29-Apr-1997 davidn

Adds anon ftp virtual host capability to ftpd, using /etc/ftphosts for
definition of a system's virtual hosts.


25187 27-Apr-1997 davidn

YAMF2.2: Allow @group entries in /etc/ftpusers & /etc/ftpchroot to deny
and allow chroot access to entire groups.


25166 26-Apr-1997 davidn

Document internal ls, how to compile it in and what it changes wrt
anon ftp and chrooted users.


25165 26-Apr-1997 davidn

Adds optional "internal ls" support for ftpd, by collecting
modules from src/bin/ls, and handling exec(_PATH_LS,..) as a
special case, very useful in an environment where many users
are given chroot access. "~/etc/{s}pwd.db" files are still
needed if uid/gid->user/group translation is desired.

To enable this it must be compiled with the make variable
FTP_INTERNAL_LS defined, either in /etc/make.conf or the
environment.


25101 23-Apr-1997 davidn

Add basic login.conf (sans authentication) support.


24349 28-Mar-1997 imp

compare return value from getopt against -1 rather than EOF, per the final
posix standard on the topic.


24242 25-Mar-1997 mpp

Remove some incorrect text on how passwords are validated.
Closes PR# 3050.

Submitted by: Dmitrij Tejblum <dima@tejblum.dnttm.rssi.ru>


22989 22-Feb-1997 peter

Revert $FreeBSD$ to $Id$


22954 20-Feb-1997 mpp

#include <string.h> to help silence -Wall.


22668 13-Feb-1997 guido

Actually allow the -R flag.


22058 28-Jan-1997 dg

Oops, fix white space in last commit.


22057 28-Jan-1997 dg

Fix signal handler race condition.


21786 16-Jan-1997 alex

Sweep through the tree fixing mmap() usage:

- Use MAP_FAILED instead of the constant -1 to indicate
failure (required by POSIX).
- Removed flag arguments of '0' (required by POSIX).
- Fixed code which expected an error return of 0.
- Fixed code which thought any address with the high bit set
was an error.
- Check for failure where no checks were present.

Discussed with: bde


21673 14-Jan-1997 jkh

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.


21553 11-Jan-1997 mpp

Document the fact that the administrator may have
to change syslog's config file in order for all of
ftpd's log messages to be displayed by syslogd.

Closes PR# 1559.


20042 30-Nov-1996 torstenb

add flag to allow only anonymous ftp logins

Reviewed by: pst


19903 20-Nov-1996 pst

Conditionalize setsockopt IP_PORTRANGE to make ftpd portable.


19902 20-Nov-1996 pst

Truncate argument list to avoid buffer overflows.

Candidate for: 2.1 and 2.2


19018 18-Oct-1996 ache

Implement alternative strategy if it is impossible to confirm
password: ask for it, but don't tell that S/key password required.
It looks like non-s/key system from outside.

Additionally tell that s/key required when it is so for normal case


18993 17-Oct-1996 ache

Oops, fix my previous commit, now tell user his s/key parameters


18989 17-Oct-1996 ache

Don't ever ask for password if it is impossible to confirm it
It happens if 1) regular passwords not allowed, 2) skey database
not activated for given user.
Under some rare circumstances skey_challenge can return empty
diagnostic or even previous buffer, fix it.


18471 22-Sep-1996 wosch

add forgotten $Id$


18449 21-Sep-1996 pst

Fix some compilation warnings.


17483 09-Aug-1996 julian

Reviewed by: various
Submitted by: archie@whistle.com

allow ftpd to bind to a single address/interface
this allows easy split services.


17478 09-Aug-1996 markm

Tidy up the Kerberised bits. While I'm here, fix some -Wall complaints.


17453 06-Aug-1996 phk

Fix another bogon.


17451 06-Aug-1996 phk

Make password checking in ftpd work again.


17435 05-Aug-1996 pst

Convert STATS and PARANOID to run-time options.
Document the new -R (relax paranoia) option.

From NetBSD/Lite2: code and man page cleanups, Kerberos IV hooks
(relax, we're still exportable), and /etc/ftpchroot feature for
semi-anonymous accounts


17433 04-Aug-1996 pst

If PARANOID is set, do not allow PORT commands to remote ports less than 1024
or addresses other than the requestor's address. This violates the FTP
protocol (hmm...as I write this, I'm going to change this to a run-time var.)

Require login before PASV and RNTO commands.

Close unused PASV ports so they don't hang around forever.

Do not allow file overwrites via rename or STOR when anonymous
(suspenders).

Clean up buffer utilization.

My code, but heavily inspired by Hobbit's changes to wu-ftpd as pointed out
by Mike Prettejohn and Kit Knox.


16433 17-Jun-1996 ache

If hostname > UT_HOSTSIZE, use its numerical address instead to keep
valid utmp and wtmp entries


16072 02-Jun-1996 phk

backout yacc changes


16033 31-May-1996 peter

Use the sysctl settable data port ranges rather than the statically
compiled values. see sysctl net.inet.ip.portrange.* and the IP_PORTRANGE
discussion in <netinet/in.h>


16015 30-May-1996 phk

Fix yacc rule usage.


15196 11-Apr-1996 dg

Implemented a "-D" option that causes ftpd to detach and become a daemon -
accepting connections on the FTP port and forking child processes to
handle them. This is lower overhead than spawning ftpd from inetd and
can be a significant win on busy FTP servers. Be sure to disable ftpd in
inetd.conf if you decide to use this option.
These changes are based on similar changes I made to wu-ftpd and have
been in use on wcarchive for several months.


14667 18-Mar-1996 dg

Fix bug that caused a coredump when attempting to enter passive mode when
not logged in. Original fix slightly altered by me to return the correct
reply code.

Submitted by: Vadim Kolontsov <vadim@tversu.ac.ru>


13139 01-Jan-1996 peter

Make ftpd use setproctitle() from libutil

I've left the old code in there under #ifdef OLD_SETPROCTITLE in case
somebody wants to try to compile out ftpd on some other machine.


12532 29-Nov-1995 guido

Timeout when an expected accept does not happen after all.
This gets rid of dozens of hanging ftpd's because some broken
pc implementation `forgets' to open a passive connection.
Obtained from: Wietse Venema


10401 28-Aug-1995 mpp

Check for expired passwords before allowing access to the system.


9933 05-Aug-1995 pst

Use data ports in the range 40000..44999 by default to enhance FTP usability
in a firewall environment. Original idea by Mark Tracy (?).

Reviewed by: wollman
Submitted by: pst


8870 30-May-1995 rgrimes

Remove trailing whitespace.


8697 22-May-1995 dg

Make last change a little more robust by checking for failure of getcwd().


8696 22-May-1995 dg

Set "HOME" so that tilde expands correctly. It previously was always root's
directory /root.


8240 03-May-1995 wollman

Speed up ftpd and make it more efficient:

- set TCP_NOPUSH to keep from sending short packets at each write(2) boundary
- set SO_SNDBUF to 64k so we have a reasonable amount of buffer space
- for a regular file in binary mode which is not being restarted and is
  smaller than 16 Meg, use mmap(2) and write(2) the whole file in one big
  gulp

In the most common circumstances, this should dramatically reduce the
system-call load from ftpd, since the call to write() will not return until
the entire file has been written, rather than writing just a few K at a time
in a loop.


7842 15-Apr-1995 gpalmer

Fix two more references to /etc/motd that I overlooked. PR #29


7841 15-Apr-1995 gpalmer

Close PR #29. The file should be /etc/ftpmotd, not /etc/motd.


7127 18-Mar-1995 nate

Change the library order so libcrypt is the last library in the list.
libskey contains references to _crypt and can't resolve it unless
-lcrypt occurs after it in the link command. This only occurs when
linking statically.


6740 26-Feb-1995 guido

Add some functionality to ftpd so it logs all anonymous file
transfers. It only does this when -S is set.
Reviewed by:
Submitted by:
Obtained from: logdaemon package


3938 27-Oct-1994 pst

recommit rev 1.5 of ftpd, I fatfingered a command


3936 27-Oct-1994 pst

Printing out /etc/motd when a ftp login occurs is a security hole
(as is printing out a version number at the telnet login banner).

Don't print out /etc/motd when people log in; instead, if present,
print out /etc/ftpmotd. It looks like 4.4lite2 has done something similar
(perhaps for different reasons) because /etc/motd no longer shows up
on vangogh.

Folks who like the old behavior can create a symbolic link to motd.


3777 22-Oct-1994 pst

Figured it out, misapplied a patch, ftpd now works again.


3776 22-Oct-1994 pst

Fix broken command parser (fall back 10 yards and scratch head).


3702 19-Oct-1994 pst

Include most of the logdaemon v4.4 S/key changes


3250 30-Sep-1994 pst

Clean up makefile


3206 29-Sep-1994 pst

Use new skey access routines


2930 20-Sep-1994 dg

Fixed bug where /etc/ftpusers was ineffective. Caused by the wrong
pointer being passed to strcmp(). Bug noticed by Matthew Green.


2194 21-Aug-1994 guido

Put skey support to ftpd
Reviewed by:
Submitted by: guido


2193 21-Aug-1994 guido

Put skey support in ftpd.
Reviewed by:
Submitted by: guido


2158 20-Aug-1994 csgr

LDADD= -lcrypt
Submitted by: Geoff


1875 05-Aug-1994 wollman

Update to new make macros and disable Kerberos because we haven't got it
set up right yet.


1593 27-May-1994 rgrimes

This commit was generated by cvs2svn to compensate for changes in r1592,
which included commits to RCS files with non-trunk default branches.