Enhance -C to support an optional @host ('-C user[@host]'):

checks whether user as connecting from host would be granted access by ftpusers(5). Support IPv6 in the host directive of ftpusers(5). (May resolve PR 26555) Both features from Rudolf Cejka <cejkar@fit.vutbr.cz> (FreeBSD's tnftpd port maintainer).
2008-09-16 12:30:38 +00:00 · 2008-09-16 12:30:38 +00:00 · d451eab1e2
parent de99131c2b
commit d451eab1e2
3 changed files with 61 additions and 18 deletions
--- a/libexec/ftpd/ftpd.8
+++ b/libexec/ftpd/ftpd.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: ftpd.8,v 1.80 2008/05/02 18:11:05 martin Exp $
+.\"	$NetBSD: ftpd.8,v 1.81 2008/09/16 12:30:38 lukem Exp $
 .\"
 .\" Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -56,7 +56,7 @@
 .\"
 .\"     @(#)ftpd.8	8.2 (Berkeley) 4/19/94
 .\"
-.Dd January 30, 2008
+.Dd September 16, 2008
 .Dt FTPD 8
 .Os
 .Sh NAME
@ -67,7 +67,7 @@ Internet File Transfer Protocol server
 .Nm
 .Op Fl 46DdHlnQqrsUuWwX
 .Op Fl a Ar anondir
-.Op Fl C Ar user
+.Op Fl C Ar user Ns Op @ Ns Ar host
 .Op Fl c Ar confdir
 .Op Fl e Ar emailaddr
 .Op Fl h Ar hostname
@ -105,12 +105,17 @@ This can also be specified with the
 .Xr ftpd.conf 5
 .Sy chroot
 directive.
-.It Fl C Ar user
+.It Fl C Ar user Ns Op @ Ns Ar host
 Check whether
 .Ar user
+.Po
+as if connecting from
+.Ar host ,
+if provided
+.Pc
 would be granted access under
 the restrictions given in
-.Xr ftpusers 5
+.Xr ftpusers 5 ,
 and exit without attempting a connection.
 .Nm
 exits with an exit code of 0 if access would be granted, or 1 otherwise.
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ftpd.c,v 1.187 2008/09/13 03:30:35 lukem Exp $	*/
+/*	$NetBSD: ftpd.c,v 1.188 2008/09/16 12:30:38 lukem Exp $	*/

 /*
 * Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
@ -97,7 +97,7 @@ __COPYRIGHT("@(#) Copyright (c) 1985, 1988, 1990, 1992, 1993, 1994\
 #if 0
 static char sccsid[] = "@(#)ftpd.c	8.5 (Berkeley) 4/28/95";
 #else
-__RCSID("$NetBSD: ftpd.c,v 1.187 2008/09/13 03:30:35 lukem Exp $");
+__RCSID("$NetBSD: ftpd.c,v 1.188 2008/09/16 12:30:38 lukem Exp $");
 #endif
 #endif /* not lint */

@ -340,6 +340,24 @@ main(int argc, char *argv[])
 			break;

 		case 'C':
+			if ((p = strchr(optarg, '@')) != NULL) {
+				*p++ = '\0';
+				strlcpy(remotehost, p, MAXHOSTNAMELEN + 1);
+				if (inet_pton(AF_INET, p,
+				    &his_addr.su_addr) == 1) {
+					his_addr.su_family = AF_INET;
+					his_addr.su_len =
+					    sizeof(his_addr.si_su.su_sin);
+#ifdef INET6
+				} else if (inet_pton(AF_INET6, p,
+				    &his_addr.su_6addr) == 1) {
+					his_addr.su_family = AF_INET6;
+					his_addr.su_len =
+					    sizeof(his_addr.si_su.su_sin6);
+#endif
+				} else
+					his_addr.su_family = AF_UNSPEC;
+			}
 			pw = sgetpwnam(optarg);
 			exit(checkaccess(optarg) ? 0 : 1);
 			/* NOTREACHED */
@ -1075,18 +1093,38 @@ checkuser(const char *fname, const char *name, int def, int nofile,

 					/* have a host specifier */
 		if ((p = strchr(word, '@')) != NULL) {
-			unsigned long	net, mask, addr;
-			int		bits;
+			unsigned char	net[16], mask[16], *addr;
+			int		addrlen, bits, bytes, a;

 			*p++ = '\0';
 					/* check against network or CIDR */
-			if (isdigit((unsigned char)*p) &&
-			    (bits = inet_net_pton(AF_INET, p,
-			    &net, sizeof(net))) != -1) {
-				net = ntohl(net);
-				mask = 0xffffffffU << (32 - bits);
-				addr = ntohl(his_addr.su_addr.s_addr);
-				if ((addr & mask) != net)
+			memset(net, 0x00, sizeof(net));
+			if ((bits = inet_net_pton(his_addr.su_family, p, net,
+			    sizeof(net))) != -1) {
+#ifdef INET6
+				if (his_addr.su_family == AF_INET) {
+#endif
+					addrlen = 4;
+					addr = (unsigned char *)&his_addr.su_addr;
+#ifdef INET6
+				} else {
+					addrlen = 16;
+					addr = (unsigned char *)&his_addr.su_6addr;
+				}
+#endif
+				bytes = bits / 8;
+				bits = bits % 8;
+				if (bytes > 0)
+					memset(mask, 0xFF, bytes);
+				if (bytes < addrlen)
+					mask[bytes] = 0xFF << (8 - bits);
+				if (bytes + 1 < addrlen)
+					memset(mask + bytes + 1, 0x00,
+					    addrlen - bytes - 1);
+				for (a = 0; a < addrlen; a++)
+					if ((addr[a] & mask[a]) != net[a])
+						break;
+				if (a < addrlen)
 					continue;

 					/* check against hostname glob */
--- a/libexec/ftpd/version.h
+++ b/libexec/ftpd/version.h
@ -1,4 +1,4 @@
-/*	$NetBSD: version.h,v 1.69 2008/09/13 03:30:35 lukem Exp $	*/
+/*	$NetBSD: version.h,v 1.70 2008/09/16 12:30:38 lukem Exp $	*/
 /*-
 * Copyright (c) 1999-2008 The NetBSD Foundation, Inc.
 * All rights reserved.
@ -29,5 +29,5 @@
 */

 #ifndef FTPD_VERSION
-#define	FTPD_VERSION	"NetBSD-ftpd 20080913"
+#define	FTPD_VERSION	"NetBSD-ftpd 20080916"
 #endif