From 83955f6abd0dc3f8ca08794233ff5b5053e6f144 Mon Sep 17 00:00:00 2001 From: lukem Date: Tue, 11 Nov 1997 12:42:24 +0000 Subject: [PATCH] * change checkportcmd syntax to `checkportcmd class [off]' (as per `modify') * display current setting of checkportcmd in STAT * ensure that curclass.checkportcmd is initialised to 0 * document default setting of checkportcmd in ftpd(8) * cleanup code a bit, putting code for "checkportcmd" in alphabetical order --- libexec/ftpd/conf.c | 19 ++++++++++++------- libexec/ftpd/extern.h | 4 ++-- libexec/ftpd/ftpd.8 | 34 ++++++++++++++++++++-------------- libexec/ftpd/ftpd.c | 8 +++++--- 4 files changed, 39 insertions(+), 26 deletions(-) diff --git a/libexec/ftpd/conf.c b/libexec/ftpd/conf.c index 38e57517de09..b4389732d682 100644 --- a/libexec/ftpd/conf.c +++ b/libexec/ftpd/conf.c @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.8 1997/11/11 05:48:05 mrg Exp $ */ +/* $NetBSD: conf.c,v 1.9 1997/11/11 12:42:24 lukem Exp $ */ /*- * Copyright (c) 1997 The NetBSD Foundation, Inc. @@ -38,7 +38,7 @@ #include #ifndef lint -__RCSID("$NetBSD: conf.c,v 1.8 1997/11/11 05:48:05 mrg Exp $"); +__RCSID("$NetBSD: conf.c,v 1.9 1997/11/11 12:42:24 lukem Exp $"); #endif /* not lint */ #include @@ -93,17 +93,18 @@ parse_conf(findclass) cnext = conv->next; free(conv); } + curclass.checkportcmd = 0; curclass.conversions = NULL; REASSIGN(curclass.display, NULL); - curclass.modify = 1; curclass.maxtimeout = 7200; /* 2 hours */ + curclass.modify = 1; REASSIGN(curclass.notify, NULL); curclass.timeout = 900; /* 15 minutes */ curclass.umask = 027; if (strcasecmp(findclass, "guest") == 0) { - curclass.umask = 0707; curclass.modify = 0; + curclass.umask = 0707; } infile = conffilename(_PATH_FTPDCONF); 
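Review bot: The new initialiser `curclass.checkportcmd = 0;` in parse_conf makes PORT validation opt-in for every class, including guest, while the same hunk already hardens guest by forcing `curclass.modify = 0;`; since the ftpd(8) text in this commit motivates the check with ftp bounce attacks, consider enabling it for guest by default with `curclass.checkportcmd = 1;` next to that line and listing `checkportcmd guest` in the manual's defaults block. If the default is to stay off for all classes, a short comment on the initialiser such as `/* PORT validation is opt-in; see checkportcmd in ftpd.8 */` would make the choice visible to the next reader. parse_conf starts before the hunk and its body continues outside it; the two RCSID hunks on this line are trivial.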
@@ -138,7 +139,13 @@ parse_conf(findclass) !none && strcasecmp(class, "all") != 0) continue; - if (strcasecmp(word, "conversion") == 0) { + if (strcasecmp(word, "checkportcmd") == 0) { + if (none || + (!EMPTYSTR(arg) && strcasecmp(arg, "off") == 0)) + curclass.checkportcmd = 0; + else + curclass.checkportcmd = 1; + } else if (strcasecmp(word, "conversion") == 0) { char *suffix, *types, *disable, *convcmd; if (EMPTYSTR(arg)) { @@ -274,8 +281,6 @@ parse_conf(findclass) continue; } curclass.umask = umask; - } else if (strcasecmp(word, "checkportcmd") == 0) { - curclass.checkportcmd = 1; } else { syslog(LOG_WARNING, "%s line %d: unknown directive '%s'", diff --git a/libexec/ftpd/extern.h b/libexec/ftpd/extern.h index d0f60f28dd85..740989f075be 100644 --- a/libexec/ftpd/extern.h +++ b/libexec/ftpd/extern.h @@ -1,4 +1,4 @@ -/* $NetBSD: extern.h,v 1.6 1997/11/11 05:48:06 mrg Exp $ */ +/* $NetBSD: extern.h,v 1.7 1997/11/11 12:42:30 lukem Exp $ */ /*- * Copyright (c) 1992, 1993 @@ -82,6 +82,7 @@ struct ftpconv { }; struct ftpclass { + int checkportcmd; /* Check PORT commands are valid */ char *classname; /* Current class */ struct ftpconv *conversions; /* List of conversions */ char *display; /* Files to display upon chdir */ @@ -90,5 +91,4 @@ struct ftpclass { char *notify; /* Files to notify about upon chdir */ unsigned int timeout; /* Default timeout */ mode_t umask; /* Umask to use */ - int checkportcmd; /* check PORT commands are valid */ }; diff --git a/libexec/ftpd/ftpd.8 b/libexec/ftpd/ftpd.8 index bef238389b61..62bdf9ce16f6 100644 --- a/libexec/ftpd/ftpd.8 +++ b/libexec/ftpd/ftpd.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: ftpd.8,v 1.18 1997/11/11 05:48:09 mrg Exp $ +.\" $NetBSD: ftpd.8,v 1.19 1997/11/11 12:42:35 lukem Exp $ .\" .\" Copyright (c) 1985, 1988, 1991, 1993 .\" The Regents of the University of California. All rights reserved. 
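Review bot: In the new `checkportcmd` branch every argument other than `off` enables the check, so a misspelt or unrecognised value is accepted silently; that is the safe direction, but it hides configuration typos, and the `modify` directive this is modelled on presumably behaves the same (its parsing is not in the hunk). Consider warning about unexpected values with the same `syslog(LOG_WARNING, ...)` form used for unknown directives later in this file, e.g. `if (!EMPTYSTR(arg) && strcasecmp(arg, "off") != 0) syslog(LOG_WARNING, "%s line %d: unknown argument '%s' to checkportcmd", ...);` with the same file and line arguments as the existing warning. parse_conf continues outside the hunk; the `-274,8` deletion, the extern.h field move and the ftpd.8 RCSID hunk on this line are trivial.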
@@ -300,16 +300,21 @@ as configuration directives. .Pp Each configuration line may be one of: .Bl -tag -width 4n -.It Sy checkportcmd Ar class -Check the ftp protocol -.Sy PORT +.It Sy checkportcmd Ar class Op Sy off +Check the +PORT command for validity. The -.Sy PORT +PORT command will fail if the IP address specified does not match the ftp -command connection, or if the TCP port number is less than +command connection, or if the remote TCP port number is less than .Dv IPPORT_RESERVED . This option should be used for sites concerned with potential security problems with ftp bounce attacks. +If class is +.Dq none +or +.Sy off +is given, disable this feature, otherwise enable it. .It Xo Sy conversion Ar class .Ar suffix Op Ar "type disable command" .Xc @@ -436,14 +441,15 @@ Matches no class. .Pp The following defaults are used: .Bd -literal -offset indent -compact -display none -maxtimeout all 7200 # 2 hours -modify all -modify guest off -notify none -timeout all 900 # 15 minutes -umask all 027 -umask guest 0707 +checkportcmd none +display none +maxtimeout all 7200 # 2 hours +modify all +modify guest off +notify none +timeout all 900 # 15 minutes +umask all 027 +umask guest 0707 .Ed .Pp Directives that appear later in the file override settings by previous diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c index 4adda7d8d8ad..d7cb70fec909 100644 --- a/libexec/ftpd/ftpd.c +++ b/libexec/ftpd/ftpd.c @@ -1,4 +1,4 @@ -/* $NetBSD: ftpd.c,v 1.40 1997/11/11 06:32:17 mrg Exp $ */ +/* $NetBSD: ftpd.c,v 1.41 1997/11/11 12:42:39 lukem Exp $ */ /* * Copyright (c) 1985, 1988, 1990, 1992, 1993, 1994 @@ -44,7 +44,7 @@ __COPYRIGHT( #if 0 static char sccsid[] = "@(#)ftpd.c 8.5 (Berkeley) 4/28/95"; #else -__RCSID("$NetBSD: ftpd.c,v 1.40 1997/11/11 06:32:17 mrg Exp $"); +__RCSID("$NetBSD: ftpd.c,v 1.41 1997/11/11 12:42:39 lukem Exp $"); #endif #endif /* not lint */ 
@@ -1302,13 +1302,15 @@ printaddr: lreply(211, ""); lreply(211, "Class: %s", curclass.classname); + lreply(211, "Check PORT commands: %sabled", + curclass.checkportcmd ? "en" : "dis"); if (curclass.display) lreply(211, "Display file: %s", curclass.display); if (curclass.notify) lreply(211, "Notify fileglob: %s", curclass.notify); lreply(211, "Idle timeout: %d, maximum timeout: %d", curclass.timeout, curclass.maxtimeout); - lreply(211, "dele, mkd, rmd, umask, chmod: %sabled", + lreply(211, "DELE, MKD, RMD, UMASK, CHMOD commands: %sabled", curclass.modify ? "en" : "dis"); lreply(211, "Umask: %.04o", curclass.umask); for (cp = curclass.conversions; cp != NULL; cp=cp->next) {
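Review bot: The added `Check PORT commands: %sabled` line reports the class's PORT-validation setting to the connected client in the STAT reply, so a client learns before issuing PORT whether the server will refuse addresses other than its own or ports below IPPORT_RESERVED; the neighbouring `DELE, MKD, ...` line already discloses the modify setting, so this is consistent, but it is worth confirming that exposing per-class policy in a client-visible reply is intended, particularly for guest logins. The wording matches the directive name, which lets an operator cross-check the running configuration against ftpd.conf. The enclosing STAT handler starts and ends outside the hunk.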