ftpd: stop using -g flag for /bin/ls

In 3bfbb521 the behaviour of ls was changed such that -g was no longer
a noop for compatibility with BSD 4.3, but instead changed the output
of long mode to exclude the owner of the file and display only the
group.

Update how FTPd invokes ls to restore the previous behaviour

Reported-by: Andrew Fengler <andrew.fengler@scaleengine.com>
Reviewed-by: jrtc27, des, imp
MFC after: 3 days
Sponsored-by: ScaleEngine Inc.
Fixes: 3bfbb521fef5 ("ls: Improve POSIX compatibility for -g and -n.")

Remove copyright strings ifdef'd out

We've ifdef'd out the copyright strings for some time now. Go ahead and
remove the ifdefs. Plus whatever other detritis was left over from other
recent removals. These copyright strings are present in the comments and
are largely from CSRG's attempt at adding their copyright to every
binary file (which modern interpretations of the license doesn't
require).

Sponsored by: Netflix

libexec: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by: Netflix

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

Put OPIE to rest.

Differential Revision: https://reviews.freebsd.org/D36592

ftpd: delete dead code

Delete code killed by SVN r13139 in 1996. Little chance that it would
still compile today.

PR: 257317
Reported by: Alan Shearer <sakison@gmail.com>
MFC after: 2 weeks
Sponsored by: Axcient

ftpd: Add missing braces around a statfd check

This was harmless but looked incorrect. No functional change intended.

MFC after: 1 week
Sponsored by: The FreeBSD Foundation

ftpd: Exit during authentication if an error occurs after chroot().

admbug: 969
Security: CVE-2020-7468

Use strlcpy().

MFC after: 2 weeks

General further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.

ftpd(8): fix user context handling.

Apply authenticated user context after update of wtmp(5) at start of session,
so that ftpd process is not killed by kernel with SIGXFSZ when user has
"filesize" limit lower than size of system wtmp file. Same applies
to session finalization: revert to super-user context before update of wtmp.

If ftpd hits limit while writing a file at user request,
do not get killed with SIGXFSZ instantly but apparently ignore the signal,
process error and report it to the user, and continue with the session.

PR: 143570
Approved by: avg (mentor), mav (mentor)
MFC after: 1 week

Fix build when WITHOUT_BLACKLIST=yes is specified

PR: 214409
Submitted by: matthew
Reported by: matteo
MFC after: 3 days
Sponsored by: The FreeBSD Foundation

Revisit blacklistd support in ftpd

Enhance blacklistd support to not log anything by default,
unless blacklistd support is enabled on the command line.
Document new flag in man page, cleanup patches to be less
intrusive in code.

Reported by: Rick Adams
Reviewed by: cem, emaste
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D8374

Update blacklist support in ftpd to clarify fd usage

The ftp daemon dups the control socket to stdin and uses that fd
throughout the code. Clarify this usage slightly by changing from
explicit use of "0" for the fd to a variable, to make it clear what
the zero represents in the non-blacklist code. Make the
blacklist_notify routine use STDIN_FILENO so as to have less of a
"magic number" feel to the code.

Reviewed by: cem
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6716

Add blacklist support to ftpd

Reviewed by: rpaulo
Approved by: rpaulo
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6703

Declare line[] in the outermost scope of retrieve() instead of
declaring it in an inner scope and then using it via a pointer
in the outer scope.

Reported by: Coverity
CID: 605895

Rename getline with get_line to avoid collision with getline(3)

When getline(3) in 2009 was added a _WITH_GETLINE guard has also been added.
This rename is made in preparation for the removal of this guard

libexec: minor spelling fixes in comments.

No functional change.

Remove the 3rd clause ("advertising clause") of the BSD license as
permitted by the University of Berkeley on July 22, 1999.

Reviewed by: imp
MFC after: 1 week

In sgetpwnam(), save and free pw_class like all other char members
of struct passwd. This fixes spurious "login_getclass: unknown class"
errors.

PR: 186439
Submitted by: UEMURA Tetsuya <t_uemura at macome.co.jp>
MFC after: 1 week

Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06]

Add an API for alerting internal libc routines to the presence of
"unsafe" paths post-chroot, and use it in ftpd. [11:07]

Fix a buffer overflow in telnetd. [11:08]

Make pam_ssh ignore unpassphrased keys unless the "nullok" option is
specified. [11:09]

Add sanity checking of service names in pam_start. [11:10]

Approved by: so (cperciva)
Approved by: re (bz)
Security: FreeBSD-SA-11:06.bind
Security: FreeBSD-SA-11:07.chroot
Security: FreeBSD-SA-11:08.telnetd
Security: FreeBSD-SA-11:09.pam_ssh
Security: FreeBSD-SA-11:10.pam

Add LOGIN_SETCPUMASK and LOGIN_SETLOGINCLASS to the setusercontext(3)
calls in ftpd(8).

Make format string a string literal. (Discovered by clang.)

MFC After: 1 week

Handle failure from ftpd_popen in statfilecmd().

Reviewed by: attilio
MFC after: 1 week

expand checkuser() to support the propagation of error codes back to
the caller. Currently, checkuser() does not differentiate between the
failure to open the file and the absence of a user in the file. Check
to see if there was an error opening the file. If there are any errors,
terminate the connection. Currently, the only exception to this rule
is ENOENT, since there is nothing that says the /etc/ftpuser
and /etc/ftpchroot has to exist.

MFC after: 3 weeks

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.

Really disable wtmp logging when chrooting.

Also perform a small cleanup to ftpd_logwtmp(). Just use a NULL
parameter for the username to indicate a logout, instead of an empty
string.

Reported by: Alexey Shuvaev <shuvaev physik uni-wuerzburg de>

Port ftpd to utmpx.

Unfortunately I have to partially wreck its functionality, though. ftpd
used to keep a file descriptor to the wtmp, which allowed it to work
from within a chroot. The current utmpx implementation doesn't offer a
way to do this. Maybe we can address this in the future, if it turns out
to be a real issue.

Move variable externs into extern.h so they are checked against the definitions.

Prevent cross-site forgery attacks on ftpd(8) due to splitting
long commands into multiple requests. [08:12]

Avoid calling uninitialized function pointers in protocol switch
code. [08:13]

Merry Christmas everybody...

Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-08:12.ftpd, FreeBSD-SA-08:13.protosw

- Import the HEAD csup code which is the basis for the cvsmode work.

Add support for RFC 2389 (FEAT) and RFC 2640 (UTF8) to ftpd(8).

The support for RFC 2640 (UTF8) is optional and rudimentary.
The server just advertises its capability to handle UTF-8 file
names and relies on its own 8-bit cleanness, as well as on
the backward compatibility of UTF-8 with ASCII. So uploaded
files will have UTF-8 names, but the initial server contents
should be prepared in UTF-8 by hand, no on-the-fly conversion
of file names will be done.

PR: bin/111714
Submitted by: Zhang Weiwu <see email in the PR>
MFC after: 1 week

Let automatic TCP send buffer sizing do its job for ftpd(8): stop
setting the SO_SNDBUF socket option. Using a hard-coded value for
it was a poor idea anyway in the face of diverse network conditions.

- Reduce needless DNS query by lookup only appropriate address
family. [1]
- Specify appropriate hints to getaddrinfo(3). [1]
- Obtain address family from peername in inet mode.

Submitted by: Rostislav Krasny <rosti.bsd__at__gmail.com> [1]
Tested by: yar, Rostislav Krasny <rosti.bsd__at__gmail.com>
MFC after: 1 week

In the daemon code, check for and report possible errors
from accept(2) and fork(2). Also close all unneeded fds
in the child process, namely listening sockets for all
address families and the fd initially obtained from accept(2).
(The main ftpd code operates on stdin/stdout anyway as it
has been designed for running from inetd.)

MFC after: 5 days

The daemon's child shouldn't go on with the for loop
over ctl_sock's -- it is solely the parent daemon's
job. So just break out of the loop in the child.

MFC after: 5 days

Use pidfile(3) provided by libutil to manage the deamon's pid file.

By default, create a pid file at the standard location, /var/run/ftpd.pid,
in accord with the expected behavior of a stock system daemon.

MFC after: 5 days

Add some consistency checks to the signal-related code.

MFC: along with rev. 1.202

A call to maskurg() makes sense only when a transfer is under way,
the function will emit an annoying log message otherwise.

Reported by: kris
MFC: along with rev. 1.202

Fix most cases where the address of an int is passed to a function expecting a
socklen_t * argument.

Respect the `logging' flag.

Pointed out by: Nick Leuta
MFC after: 3 days

Improve handling SIGURG and OOB commands on the control channel.

The major change is to process STAT sent as an OOB command w/o
breaking the current data transfer. As a side effect, this gives
better error checking in the code performing data transfers.

A lesser, but in no way cosmetic, change is using the flag `recvurg'
in the only signal-safe way that has been blessed by SUSv3. The
other flag, `transflag,' becomes private to the SIGURG machinery,
serves debugging purposes only, and may be dropped in the future.

The `byte_count' global variable is now accounting bytes actually
transferred over the network. This can give status messages looking
strange, like "X of Y bytes transferred," where X > Y, but that has
more sense than trying to compensate for combinations of data formats
on the server and client when transferring ASCII type data. BTW,
getting the size of a file in advance is unreliable for a number of
reasons in the first place. See question 18.8 of the Infrequently
Asked Questions in comp.lang.c for details.

PR: bin/52072
Tested by: Nick Leuta (earlier versions), a stress-testing tool (final)
MFC after: 1 month

Replace err(3) calls when in daemon mode by syslog(3), too.
A daemon has no stderr to send its complains to.

Pointed out by: Nick Leuta
MFC after: 1 week

Do a small style(9) fix before I'm hacking the code itself.

free(3) is void already.

Never emit a message to stderr: use syslog instead.
When in inetd mode, this prevents bogus messages from
appearing on the control channel. When running as a
daemon, we shouldn't write to the terminal we used to
have at all.

PR: bin/74823
MFC after: 1 week

When looking for a virtual host to handle the connection,
stop the search on the first match for efficiency.

Submitted by: Nick Leuta

Calling pam_chauthtok() isn't really needed since
an FTP user has no chance to change password anyway.

Submitted by: Nick Leuta

Don't log the chroot dir on every command since it's constant for a session.
Log it once at the beginning of the session instead. OTOH, log wd each
time for the sake of better auditing and consistent log format.

Proposed by: Nick Leuta <skynick -at- mail.sc.ru>

Always log remote IP.

PR: bin/59773

Treat host name buffers consistently.

Make chrootdir global and use it in log messages
regarding restricted users.

MFC after: 2 weeks

Nitpicking on style(9) and whitespace.

Tested with: md5(1)

Use __FBSDID.

Don't say, "file: permission denied," if the operation
is disabled entirely.

Use uniform punctuation, capitalization, and language style
in server messages wherever this doesn't contradict to a particular
message format.

Apply __printflike() to the appendf() prototype so the compiler
can detect format errors.

Fix perror_reply() vs. reply() usage.

'\n' needs not to appear in reply() strings.

Log pathname arguments to ftp commands as the user specified them;
add the working directory pathname to the log message if any of
such arguments isn't absolute. This has advantage over the old
way of logging that an admin can see what users are actually trying
to do, and where. The old code was also not too robust when it
came to a chrooted session and an absolute pathname.

Pointed out by: Nick Leuta
MFC after: 2 weeks

Use S_ISDIR() macro instead of a hand-rolled test.

getcwd() won't leave a error string in the buffer, unlike getwd().

Use POSIX functions instead of legacy ones:
getwd() -> getcwd()
wait3() -> waitpid()

Kill more unneeded casts found.

Noticed by: Nick Leuta <skynick -at- mail.sc.ru> (some of them)

Don't invent ways of capitalization orthogonal to the English grammar.

RFC 959 states that the following codes should be used
for status replies on file system objects:

212 Directory status.
213 File status.

Reported by: Oleg Koreshkov <okor -at- zone.salut.ru>
MFC after: 1 week

Using off_t to pass a block size is obvious overkill.
The size_t type is better suited for that, particularly because
the "blksize" argument is to be passed to malloc() and read().
On 64-bit archs it's more to a style issue, but the good style
of coding in C is also important.

Kill ancient casts to integral types left from the K&R era.
They're unneeded and sometimes erroneous now.

Fix logxfer() by using realpath(3) instead of playing with getwd(3).
Previously logxfer() used to record bogus pathnames to the log
in some cases, namely, when cwd was / or "name" was absolute.

Noticed by: Nick Leuta
MFC after: 2 weeks

Replace the last occurence of (long long) and %qd with
(intmax_t) and %jd, which is the right way to printf
an off_t in the presence of <stdint.h>.

Submitted by: Nick Leuta

OpenPAM allows passing a NULL "pamh" to pam_strerror() to indicate
that the creation of a PAM context has failed.

N.B. This does not apply to pam_strerror() in RELENG_4, it
will mishandle a NULL "pamh".

Discussed with: des

- Stop shadowing global "pamh" by a local variable in auth_pam().
- Stop calling pam_strerror() with NULL pamh.
- Add a missing call to pam_end().

PR: bin/59776
Submitted by: Nick Leuta <see PR for email>
MFC after: 2 weeks

Describe the semantics of the sgetpwnam() helper function
in the comment above it so that nobody will save pointers
returned inside "struct passwd" across the calls to the function.

Log the actual number of bytes sent on the wire to /var/log/ftpd
instead of the disk size of the file sent. Since the log file
is intended to provide data for anonymous ftp traffic accounting,
the disk size of the file isn't really informative in this case.

PR: bin/72687
Submitted by: Oleg Koreshkov
MFC after: 1 week

We must not fall back to the old way (read-write)
if sendfile() transferred some data before throwing
a error condition because sendfile() won't move the
file offset for read() to start from.

MFC after: 2 weeks

Clean-up around sendfile(): drop an excessive check for error condition.

Account for the fact that sendfile(2) may hit the end of file
prematurely, e.g., if the file has been truncated by someone else.

PR: bin/72649
Submitted by: Oleg Koreshkov (portions)
MFC after: 2 weeks

Indent.

o Merge rev. 1.5 libexec/ftpd/ftpd.c from DragonflyBSD:

Do not unconditionally fork() after accept(). accept() can
return -1 due to an interrupted system call (i.e. SIGCHLD).
If we fork in that case ftpd can get into an
accept()/SIGCHLD/fork/[fail]/repeat loop.

Reported-by: fabian <fabian.duelli@bluewin.ch>

Obtained from: DragonflyBSD
MFC after: 1 month

Change ``(foo *)0'' to ``NULL'' where it's possible
(and it appears possible throughout ftpd(8) source.)

It is not a mere issue of style: Null pointers in C
seem to have been mistaken one way or another quite often.

Kill a small herd of casts to off_t where they were not needed.
Thank Fortune, the C compiler can figure out by itself the proper
conversion for assignments, comparisons, and prototyped function
arguments.

Printf(3) off_t values through conversion to intmax_t since
we've got <stdint.h> et al now. (This makes ftpd(8) WARNS=2 clean.)

Kill an unused variable (heading to WARNS=2.)

Ditto for (gid_t).

Kill casts to (uid_t) obviously left from the K&R era.
Prototyping library functions in header files has rendered
them superfluous.

Add a comment to explain that the loop around the call to bind(2)
is not a hack, but it has a clear purpose.

Open a socket for a data transfer in active mode using euid
of the current user, not root. This will allow neat things
like matching anonymous FTP data traffic with a single ipfw(8)
rule:
ipfw add ... tcp from any to any uid ftp

Note that the control connection socket still belongs to the
user ftpd(8) was started from, usually root.

PR: bin/65928
Submitted by: Eugene Grosbein <eugen at grosbein.pp.ru>
MFC after: 1 month

Simplify conditional compilation logic some.

Handle variable argument lists correctly in reply() and lreply().
In particular, do not pass the same va_list to both vprintf() and
vsyslog() without first reinitializing it. This fixes ftpd -d
on amd64.

NULL looks better than (char *)0 unless we're passing
an unprototyped argument to a function.

Deny attempts to rename a file from guest users if the policy
says they may not modify existing files through FTP.

Renaming a file is effectively a way to modify it.
For instance, if a malicious party is unable to delete or overwrite
a sensitive file, they can nevertheless rename it to a hidden name
and then upload a troyan horse under the guise of the old file name.

perror_reply() should not be used where errno isn't meaningful.

Work around a bug in some clients by never returning raw directory
contents in reply to a RETR command. Such clients consider RETR
as a way to tell a file from a directory. Mozilla is an example.

PR: bin/62232
Submitted by: Bob Finch <bob+freebsd <at> nas <dot> com>
MFC after: 1 week

add missing setusershell() calls.

PR: bin/2442
Reviewed by: Friedemann Becker <zxmxy33@mail.uni-tuebingen.de>

man ftpd says that "by default, anonymous users cannot modify existing files."
However, the code did allow deletion of files. Make deleting require the -m
flag, too.

PR: bin/60809
Submitted by: Alexander Melkov <melkov@comptek.ru>

If a file to send in ASCII mode already has CRLF as end-of-line,
don't add excessive CR on the wire.

PR: bin/59285
Submitted by: Andrey Beresovsky <and at rsu.ru>
MFC after: 1 week

Don't depend on IPv4-mapped IPv6 address to bind to both IPv4
and IPv6.

Wrote at: Hakone.
Powered by: Warner Losh's scotch whisky.
Requested by: nork

Make a malloced copy of "chrootdir" even if it points to an absolute
pathname inside "residue" so "chrootdir" can be simply freed later.

PR: bin/53435
Submitted by: Yutaka Ishihara <yutaka at fandc.co.jp>
MFC after: 1 week

Kill unnecessary vertical whitespace.

Use LOG_AUTHPRIV to hide the username attempted during an invalid login
from everyone but sysadmins.

PR: bin/29487
MFC after: 3 days

RFC 959 doesn't list reply code 550 as a valid responce to STOR/STOU,
so return reply code 553 to indicate a error from open(2) for consistency,
as long as the code is used in the rest of the STOR/STOU handler.

Let real users access special files through FTP
if allowed by their filesystem permissions.

This doesn't break anything since using sendfile(2)
is triggered later by a separate S_ISREG conditional.

PR: bin/20824
MFC after: 1 week

When searching for a unique file name in guniquefd(),
distinguish between the cases of an existing file and
a real system error, such as I/O failure, no access etc.

MFC after: 3 days

Add a new option to ftpd(8), "-h", to disable printing any
host-specific information in FTP server messages (so paranoid
admins can sleep at night :-)

PR: bin/16705
MFC after: 1 week

Give the code around chroot(2)/chdir(2) a major overhaul by
separating its part around chroot(2) from that around initial
chdir(2). This makes the below changes really easy.

Move seteuid(to user's uid) to before calling chdir(2). There are
two goals to achieve by that. First, NFS mounted home directories
with restrictive permissions become accessible (local superuser
can't access them if not mapped to uid 0 on the remote side
explicitly.) Second, all the permissions to the home directory
pathname components become effective; previously a user could be
carried to any local directory despite its permissions since the
chdir(2) was done with euid 0. This reduces possible impact from
FTP server misconfiguration, e.g., assigning a wrong home directory
to a user.

Implement the "/./" feature. Now a guest or user subject to chrooting
may have "/./" in his login directory, which separates his chroot
directory from his home directory inside the chrooted environment.
This works for ftpchroot(5) as well.

PR: bin/17843 bin/23944

Actually extract the second field from a line in ftpchroot(5)
instead of just using the rest of the line behind the first field.

Allow more than one separator character between fields in ftpchroot(5).

Extend the format of /etc/ftpchroot so an alternative chroot
directory can be specified for a user or a group.

Add the manpage ftpchroot(5) since the file's format has grown
complex enough.

PR: bin/45327
Portions submitted by: Hideki SAKAMOTO <sakamoto@hlla.is.tsukuba.ac.jp>
MFC after: 1 week

- Add a new option, ``-P port'', to specify the port for ftpd(8)
to listen at in daemon mode.
- Use the port by 1 less than the control port as the default
data port instead of always using hard-coded port 20.

Submitted by: roam
MFC after: 1 week

The FTP daemon was vulnerable to a DoS where an attacker could bind()
up port 20 for an extended period of time and thus lock out all other
users from establishing PORT data connections. Don't hold on to the
bind() while we loop around waiting to see if we can make our
connection.

Being a DoS, it has security implications, giving it a short MFC
time.

MFC after: 1 day

Prepend a space character if a line begins with a digit
in the output to the "STAT file" request.

This closes one discrepancy with RFC 959 (page 36.)

See also http://www.kb.cert.org/vuls/id/328867

Obtained from: OpenBSD

Don't free the current addrinfo list, or else a pointer to a freed
memory area would arise. Only an addrinfo list from an earlier
call to getaddrinfo() should be freed there because it will be
substituted by the current list referenced by "res".

Reported by: John Long <fbsd1@pruam.com>
MFC after: 5 days

Have ftpd specify the LOGIN_SETMAC flag to setlogincontext() so that
MAC labels are set if MAC is enabled and configured for the user
logging in.

Note that lukemftpd is not considered a supported application when
MAC is enabled, as it does not use the standard system interfaces for
managing user contexts; if lukemftpd is used with labeled MAC policies,
it will not properly give up privileges when switching to the user
account.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Use the standardized CHAR_BIT constant instead of NBBY in userland.

The mode can be "r+" as well on PUT, but only "a" on APPE.

Remove variables no longer used.

More inithosts() fixes:
o Don't free(3) memory occupied by host structures
already in the host list.
o Set hrp->hostinfo to NULL if a host record has to stay in
the host list, but is to be ignored. Selecthost() knows that.
o Reduce the pollution with excessive NULL checks.
o Close a couple of memory leaks.

MFC after: 1 week

Fix an inconsistency between a printf-like format and its argument list.

Submitted by: kris
MFC after: 3 days

Add option '-W': don't log FTP sessions to wtmp.

Submitted by: maxim
MFC after: 1 week

Clean up hostname and hostinfo handling in inithosts():
o check getaddrinfo(3) return value, not result pointer
o getaddrinfo(3) returns int, not pointer
o don't leak memory allocated for hostnames and hostinfo structures
o initialize pointers that will be checked for NULL somewhere

MFC after: 1 week

Fix a wrong comment on (hopefully) right code.

MFC after: 3 days

Rework storing files thoroughly. This includes:

o Remove the race between stat(2) & fopen(3) when creating
a unique file.

o Improve bound checking when generating a unique name from
a given pathname.

o Ignore REST marker on APPE. No RFC specifies this case,
but the idea of resuming APPE's implies this.

o By default, deny upload resumes and appends by anonymous users.
Previously these commands were translated to STOU silently,
which led to broken files on server without any notification
to the user.

o Add an option, -m, to allow anonymous users to modify
existing files (e.g., to resume uploads) if filesystem
permissions permit.

Portions obrainded from: OpenBSD
MFC after: 3 weeks

Conform to RFC 959, Appendix II, when replying
to a successful MKD command.

MFC after: 1 week

Make the `-v' option a synonym for `-d'
(as it was intended initially)
and document it in the manpage.

MFC after: 2 weeks

Sort command-line options according to the mostly used style:
alphabetical order, lower and upper case of the same letter
stick together, lower case first.

MFC after: 2 weeks

Re-use passive data ports with the SO_REUSEADDR
socket option to avoid exausting the passive port
space by TIME_WAIT'ing connections.

PR: bin/36955
Submitted by: Maxim Konovalov <maxim@FreeBSD.org>
MFC after: 2 weeks

Remove the outdated casts to "char *" from the setsockopt(2),
write(2), and getipnodebyaddr(3) calls. Now all the above functions
accept "void *" in that arguments and have prototypes. Thus, the
casts are useless under the normal circumstances (and would be harmful
if the functions had no prototypes.)

MFC after: 2 weeks

Clean up the syslog(3) messages on the setsockopt(2) errors:

o Always check a setsockopt(2) return value
o Use a consistent message format
o Don't abort if the failed setsockopt(2) was actually not vital
o Use LOG_WARNING, not LOG_ERR, in non-fatal cases

MFC after: 1 week

use IPV6_V6ONLY instead of non standard IPV6_BINDV6ONLY.

MFC after: 1 week

Fix one RFC 959 incompliance:
Double double-quotes in a PWD result
if they appear in the directory pathname.

PR: misc/18365
MFC after: 1 week

Allow deleting and renaming stale symlinks and
deleting symlinks pointing to directories.

PR: bin/37250
Submitted by: Nino Dehne <TeCeEm@gmx.de>
MFC after: 1 week

Avoid passing NULL to freehostent(3).

MFC after: 1 week

Fix setting parameters for getipnodebyaddr(3):
o "struct addrinfo" contains a pointer to "struct sockaddr,"
not "struct sockaddr" itself
o the function takes a pointer to "struct in*_addr", not to
"struct sockaddr," so the address length must be corresponding

MFC after: 1 week

GLOB_QUOTE has been retired.

Use the right indent for the closing brace: it belongs to `if',
not to `for'. The previous indent was reather misleading for
the code reader.

MFC after: 1 week

Replace the awkward hackery about strtok(3)
by conventional one-way parsing of ftphosts(5).
Don't let NULL hostname pointers into virtual
host records as well.

PR: bin/18410
MFC after: 1 month

Use fgetln(3) to read lines from configuration files (ftpusers, ftphosts.)
Thus lines of any length can be handled, unlike before.

Don't assume that each line read from the files ends with a newline.

As a side effect in inithosts(), don't use automatic buffer at all,
utilize malloc(3) when getting local host name instead.

PR: misc/21494
Reviewed by: maxim, mikeh
MFC after: 1 month

Make sure to reset transflag back to zero upon succesfully using sendfile()
to transfer a file.

PR: 39362
Submitted by: TANAKA Hiroyuki <kattyo@abk.nu>
MFC after: 1 week

Cope with 2292bis-01 getaddrinfo (no NI_WITHSCOPEID, always attach
scope identifier).

MFC after: 3 weeks

Remove trailing whitespaces.

Move 'byte_count' calculation just before 'recvurg' check. It is a global
variable and used in myoob().

PR: bin/38928
Submitted by: Oliver Fromme <olli@secnetix.de>
MFC after: 1 month

Implement a flag to disable directory creation for anonymous users.

PR: misc/38987
Submitted by: Peter da Silva <peter@abbnm.com>
MFC after: 1 week

Assume __STDC__, remove non-__STDC__ code.

Rewrite the part of the conversation function that allocates the reply array;
it was inelegant and neglected to check the return value from malloc(3).

Sponsored by: DARPA, NAI Labs

Fix infinite loop around sendfile(2) after sending >4GB file.

PR: bin/33770
Submitted by: Vladislav Shabanov <vs@rambler-co.ru>
Reviewed by: ru
Approved by: ru
MFC after: 1 month

o Eliminate __P
o Use new-style function definitions
o remove some !__STDC__ code
o eliminate register

Remove the setjmp/longjmp stuff completely. Use signal
handlers to set flags only (with exception for sigquit(),
which still seems to call some non-reentrant functions on
its way to _exit(2).) That must eliminate the possibility
of catching SIGSEGV from following non-reentrant paths from
signal handlers.

PR: bin/32740 bin/33846
Submitted by: Maxim Konovalov <maxim@macomnet.ru>
Obtained from: OpenBSD

Log wtmp according to an address family properly.

Reported by: matusita
Reviewed by: matusita
MFC after: 1 week

Remove my workaround fallback since PAM now do it properly.

Really back out ache's commits. These files are now precisely as they were
twentyfour hours ago, except for RCS ids.

Back out PAM_CRED_ERR addition

Add PAM_CRED_ERR as valid failure case

Call opieunlock() only if we skip opieverify() part

Remove conditional 'pwok' fallback for PAM which now
is implemented in pam_opie module

For non-PAM variant rewrite empty password checking code to do the right thing
and not disallow empty passwords in all cases.

Fix OPIE auth

Eliminate another instance of the old and well-known
DoS bug that the select(2)/accept(2) pair is called on
a socket that is in the blocking I/O mode. The bug is
triggered if a selected connection dies before the accept(2)
leading to the accept(2) blocking virtually forever.

MFC after: 1 week

Don't let a user name in ftpd's proctitle
be mistaken for a status message.

PR: misc/25217
MFC after: 7 days

Be consistent about indent at least within one block of code.

1) Use OPIE response only when OPIE keys really used
2) Use commonly used OPIE response form instead of self-made one

Remove a field width specifier that's not doing anything more than
what using snprintf() achieves. It was also being used incorrectly.

Extend the functionality offered by the -o option into a new option
-O, which limits the impact of the write-only restriction to guest
users.

*) The existing manual page's SYNOPSIS and option listing in the
DESCRIPTION are already horribly disordered. No attempt has been
made to fix this.

*) The existing source's getopt() optstring and option handling switch
are already horribly disordered. No attempt has been made to fix
this.

Discussed with: nik, -audit

long -> off_t
long -> time_t
%ld -> %qd
fseek -> fseeko

NOTE: that fseek not works for >long offsets per POSIX:

[EOVERFLOW] For fseek( ), the resulting file offset would be a value which
cannot be represented correctly in an object of type long.

Add a new option, '-o', for "Write-only". Disables the RETR command,
preventing anyone from downloading files. In conjunction with -A, and some
appropriate file permissions, this lets you create an anonymous FTP drop
box for people to upload files to.

The more obvious "-w" flag is already taken by NetBSD's ftpd. "-o" was
available as an option letter in all three BSDs.

Rename the GLOB_MAXPATH flag of glob(3) to GLOB_LIMIT to be compatible
with NetBSD and OpenBSD. glob(3) will now return GLOB_NOSPACE with
errno set to 0 instead of GLOB_LIMIT when we match more than `gl_matchc'
patterns. GLOB_MAXPATH has been left as an alias of GLOB_LIMIT to
maintain backwards compatibility.

Reviewed by: sheldonh, assar
Obtained from: NetBSD/OpenBSD

Remove S/Key. PAM can do its job. Well, not quite - there is an issue
with the conversation function and challenges which needs to be
revisited, so in the interim a hack is introduced to provide
an OPIE challenge (which is random if OPIE does not apply)
at all non-anonymnous logins.

Move the definition of epsvall out of #ifdef VIRTUAL_HOSTING so that
the latter is not required for ftpd to compile.

Change names of functions and variables with global scope that are
in conflict with library values of the same name. This allows static
linking.

Add full PAM support for account management and sessions.

The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c

Submitted by: "David J. MacKenzie" <djm@web.us.uu.net>

Teach ftpd about the new GLOB_MAXPATH flag.

When the file was transferred using sendfile(2), we forgot to keep track
of the transferred byte count. MFC candidate.

PR: bin/25699

In send_data(), use sendfile() instead of the mmap() algorithm.

Add option -E to disable EPSV which throws certain stateful firewalls
into confusion.

Add option -r to make ftpd support only read-only operations.

Submitted by: Flemming (F3) Jacobsen <fj@batmule.dk>
Reviewed by: phk

Format string paranoia

Fix broken PAM with SKEY behaviour: the skey.access file checks
were broken because the code failed to set PAM_RHOST.

Don't depend on <sys/stat.h> bogusly including <sys/time.h> (and thereby
<time.h>).

Don't set an arbitrary limit on username lengths; use MAXLOGNAME
instead.

PR: 20675
Submitted by: Vladimir B Grebenschikov <vova@express.ru>

Fix `control socket: Protocol not supported' failure in
standalone -D mode when neither -4 nor -6 is specified.

Honour skey.access(5) by allowing UNIX passwords when skeyaccess(3)
has set pwok to a non-zero value.

Previously, the fact that skey.access(5) allowed UNIX passwords for
this connection attempt was ignored, even in the NOPAM case.

This only addresses the NOPAM case; when libpam is used, the problem
will persist.

PR: 20333

Fix a problem in the virtual host address compare code which caused
duplicated host entries in /etc/ftphosts not to be folded. Make sure
we exit the loop on a match.

PR: bin/19390

1. Add IPv6 portrange restriction code (-U flag) to passive().

2. Add portrange restriction code (for both v4 and v6) to the EPSV
processing stuff.

Add more dual stack consideration.

-ftpd need to know each of AF_INET and AF_INET6 addr for hosts specified in
/etc/ftphosts.

Approved by: jkh

Fix ftpd core dump when hostname is not set.

When hostname is not set, ftpd core dumps, because there is no
NULL check for freeing name resolving information for its own
hostname.
So the check is added.

Approved by: jkh

another tcp apps IPv6 updates.(should be make world safe)
ftp, telnet, ftpd, faithd
also telnet related sync with crypto, secure, kerberosIV

Obtained from: KAME project

Fix for new Kerberos4. Make a fist cut at PAM-ising while I'm here.

When a STAT command is sent to ftpd as an out-of-band transmission during
a file transfer, the command was mishandled on every other receipt of the
command.

PR: 13261
Submitted by: Ian Lepore <ian@plutotech.com>

$Id$ -> $FreeBSD$

unifdef -DINTERNAL_LS - it's too useful to be off by default. If anyone
really dislikes this, we could add a switch to disable it at runtime and
check in popen.c.

More egcs warning fixes:
o main returns int not void
o use return 0 at end of main when needed
o use braces to avoid potentially ambiguous else
o don't default to type int (and also remove a useless register
modifier).

Reviewed by: obrien and chuckr

Ensure that things returned by gethostname() and
friends are terminated and allow for a maximum
host name length of MAXHOSTNAMELEN - 1.
Put parenthesis around sizeof args.
Make some variables static.
Fix telnetd -u (broken by my last commit)

Prompted by: bde

Use realhostname() rather than various combinations of
gethostbyaddr() & gethostbyname().

Remove brokeness in ftpd for hosts of MAXHOSTNAMELEN length.

Set the user context correctly so that cd ~ does the right thing.

PR: bin/7943 bin/8293
Submitted by: Bill Fenner <fenner@parc.xerox.com>
Approved by: jkh

signal() returns SIG_ERR on error, not int.

time() requires a time_t pointer, not a long.

Make ftpd(8) honor its default group setting in the config files.

PR: 6682
Submitted by: Max Euston <meuston@jmrodgers.com>

Return back initial tzset() must be before first chroot

Move TZ="" assignment just before exec to not touch other time stuff

Do TZ= as first thing, since FTP protocol is unable to tell zone offset in
any case.

It makes no difference for anon account (since chroot already makes it GMT),
but if you do mirror with special non-anon login, in old variant
your mirror will be wholy retransmitted twice in the year due to
time zone changes (/etc/localtime plays bad role here)

Set TCP_NODELAY on the control channel to improve performance a bit.

Make ftpd log IP-addresses in addition to hostnames.

Various sprintf -> snprintf fixes.
Minor style fix (strcpy(foo,"") -> *foo = '\0')
Obtained from: OpenBSD(?)

Cosmetics in man page. Exit(-1) -> exit(1).

Hopefully better fix for logwtmp(): rename to a private
version ftpd_logwtmp().

Import Lite2's src/libexec, except for makekey (which was spammed
by a repository copy from 1.1.5 and patched back to Lite1) and
rbootd/bootdir/SYSHPBSD (which is binary). All changed files have
already left the vendor branch.

Make useage of hostname global variable consistent.
PR: 4135
Based on submitted patch by: blank@fox.uni-trier.de

Tell the chroot()ed user that "access restrictions apply".

login_getclass() -> login_getpwclass().

Adds anon ftp virtual host capability to ftpd, using /etc/ftphosts for
definition of a system's virtual hosts.

YAMF2.2: Allow @group entries in /etc/ftpusers & /etc/ftpchroot to deny
and allow chroot access to entire groups.

Adds optional "internal ls" support for ftpd, by collecting
modules from src/bin/ls, and handling exec(_PATH_LS,..) as a
special case, very useful in an environment where many users
are given chroot access. "~/etc/{s}pwd.db" files are still
needed if uid/gid->user/group translation is desired.

To enable this it must be compiled with the make variable
FTP_INTERNAL_LS defined, either in /etc/make.conf or the
environment.

Add basic login.conf (sans authentication) support.

compare return value from getopt against -1 rather than EOF, per the final
posix standard on the topic.

Revert $FreeBSD$ to $Id$

Actually allow the -R flag.

Oops, fix white space in last commit.

Fix signal handler race condition.

Sweep through the tree fixing mmap() usage:

- Use MAP_FAILED instead of the constant -1 to indicate
failure (required by POSIX).
- Removed flag arguments of '0' (required by POSIX).
- Fixed code which expected an error return of 0.
- Fixed code which thought any address with the high bit set
was an error.
- Check for failure where no checks were present.

Discussed with: bde

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

add flag to allow only anonymous ftp logins

Reviewed by: pst

Conditionalize setsockopt IP_PORTRANGE to make ftpd portable.

Implement alternative strategy if it is impossible to confirm
password: ask for it, but don't tell that S/key password required.
It looks like non-s/key system from outside.

Additionally tell that s/key required when it is so for normal case

Don't ever ask for password if it is impossible to confirm it
It happens if 1) regular passwords not allowed, 2) skey database
not activated for given user.
Under some rare circumstanes skey_challenge can return empty
diagnostic or even previous buffer, fix it.

Reviewed by: various
Submitted by: archie@whistle.com

allow ftpd to bind to a single address/interface
this allows easy split services.

Tidy up the Kerberised bits. While I'm here, fix some -Wall complaints.

Fix another bogon.

Make password checking in ftpd work again.

Convert STATS and PARANOID to run-time options.
Document the new -R (relax paranoia) option.

From NetBSD/Lite2: code and man page cleanups, Kerberos IV hooks
(relax, we're still exportable), and /etc/ftpchroot feature for
semi-anonymous accounts

If PARANOID is set, do not allow PORT commands to remote ports less than 1024
or addresses other than the requestor's address. This violates the FTP
protocol (hmm...as I write this, I'm going to change this to a run-time var.)

Require login before PASV and RNTO commands.

Close unused PASV ports so they don't hang around forever.

Do not allow file overwrites via rename or STOR when anonymous
(suspenders).

Clean up buffer utilization.

My code, but heavily inspired by Hobbit's changes to wu-ftpd as pointed out
by Mike Prettejohn and Kit Knox.

Use the sysctl settable data port ranges rather than the statically
compiled values. see sysctl net.inet.ip.portrange.* and the IP_PORTRANGE
discussion in <netinet/in.h>

Implemented a "-D" option that causes ftpd to detach and become a daemon -
accepting connections on the FTP port and forking children processes to
handling them. This is lower overhead than spawning ftpd from inetd and
can be a significant win on busy FTP servers. Be sure to disable ftpd in
inetd.conf if you decide to use this option.
These changes are based on similar changes I made to wu-ftpd and have
been in use on wcarchive for several months.

Fix bug that caused a coredump when attempting to enter passive mode when
not logged in. Original fix slightly altered by me to return the correct
reply code.

Submitted by: Vadim Kolontsov <vadim@tversu.ac.ru>

Make ftpd use setproctitle() from libutil

I've left the old code in there under #ifdef OLD_SETPROCTITLE in case
somebody wants to try to compile out ftpd on some other machine.

Timeout when an expected accept does not happen after all.
This gets rids of dozens of hanging ftpd's because some broken
pc implementation `forgets' to open a passive connection.
Obtained from: Wietse Venema

Check for expired passwords before allowing access to the system.

Use data ports in the range 40000..44999 by default to enhance FTP usability
in a firewall environment. Original idea by Mark Tracy (?).

Reviewed by: wollman
Submitted by: pst

Remove trailing whitespace.

Make last change a little more robust by checking for failure of getcwd().

Set "HOME" so that tilde expands correctly. It previously was always root's
directory /root.

Speed up ftpd and make it more efficient:

- set TCP_NOPUSH to keep from sending short packets at each write(2) boundary
- set SO_SNDBUF to 64k so we have a reasonable amount of buffer space
- for a regular file in binary mode which is not being restarted and is
. smaller than 16 Meg, use mmap(2) and write(2) the whole file in one big
gulp

In the most common circumstances, this should dramatically reduce the
system-call load from ftpd, since the call to write() will not return until
the entire file has been written, rather than writing just a few K at a time
in a loop.

Add some functionality to ftpd so it logs all anonymous file
transfers. It only does this when -S is set.
Reviewed by:
Submitted by:
Obtained from: logdaemon package

recommit rev 1.5 of ftpd, I fatfingered a command

Use new skey access routines

Fixed bug where /etc/ftpusers was ineffective. Caused by the wrong
pointer being passed to strcmp(). Bug noticed by Matthew Green.

Put skey support in ftpd.
Reviewed by:
Submitted by: guido

BSD 4.4 Lite Libexec Sources