author | davidn <davidn@FreeBSD.org> | 1997-04-23 04:56:39 +0000 |
---|---|---|
committer | davidn <davidn@FreeBSD.org> | 1997-04-23 04:56:39 +0000 |
commit | a3b6ff71437d61f1a709992587c278833036f33b (patch) | |
tree | 150805761bd522b0cc557ab9678fe5b511df5377 /libexec/ftpd | |
parent | 24026ebd29c627edf00e75e4001f3eeaf937ea62 (diff) | |
Add basic login.conf (sans authentication) support.
Diffstat (limited to 'libexec/ftpd')
-rw-r--r-- | libexec/ftpd/Makefile | 4 | ||||
-rw-r--r-- | libexec/ftpd/ftpd.8 | 9 | ||||
-rw-r--r-- | libexec/ftpd/ftpd.c | 52 |
3 files changed, 58 insertions, 7 deletions
diff --git a/libexec/ftpd/Makefile b/libexec/ftpd/Makefile index 75df272..20fc19f 100644 --- a/libexec/ftpd/Makefile +++ b/libexec/ftpd/Makefile @@ -1,11 +1,11 @@ # @(#)Makefile 8.2 (Berkeley) 4/4/94 -# $Id$ +# $Id: Makefile,v 1.19 1997/02/22 14:21:26 peter Exp $ PROG= ftpd MAN8= ftpd.8 SRCS= ftpd.c ftpcmd.c logwtmp.c popen.c skey-stuff.c -CFLAGS+=-DSETPROCTITLE -DSKEY -Wall +CFLAGS+=-DSETPROCTITLE -DSKEY -DLOGIN_CAP -Wall LDADD= -lskey -lmd -lcrypt -lutil DPADD= ${LIBSKEY} ${LIBMD} ${LIBCRYPT} ${LIBUTIL} diff --git a/libexec/ftpd/ftpd.8 b/libexec/ftpd/ftpd.8 index 16beca2..b50a472 100644 --- a/libexec/ftpd/ftpd.8 +++ b/libexec/ftpd/ftpd.8 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 -.\" $Id: ftpd.8,v 1.13 1997/02/22 14:21:27 peter Exp $ +.\" $Id: ftpd.8,v 1.14 1997/03/25 03:45:52 mpp Exp $ .\" .Dd April 19, 1994 .Dt FTPD 8 @@ -272,7 +272,11 @@ as for an .Dq anonymous or .Dq ftp -account (see next item). However, the user must still supply a password. +account (see next item). +This facility may also be used by using the boolean "ftp-chroot" +capability in +.Xr login.conf 5 . +However, the user must still supply a password. This feature is intended as a compromise between a fully anonymous account and a fully privileged account. The account should also be set up as for an anonymous account. @@ -362,6 +366,7 @@ Log file for anonymous transfers. .Xr ftp 1 , .Xr key 1 , .Xr getusershell 3 , +.Xr login.conf 5 , .Xr inetd 8 , .Xr syslogd 8 .Sh BUGS diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c index a8d67c5..36fbbab 100644 --- a/libexec/ftpd/ftpd.c +++ b/libexec/ftpd/ftpd.c @@ -30,7 +30,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: ftpd.c,v 1.33 1997/02/22 14:21:28 peter Exp $ + * $Id: ftpd.c,v 1.34 1997/03/28 15:48:09 imp Exp $ */ #if 0 
@@ -85,6 +85,9 @@ static char sccsid[] = "@(#)ftpd.c 8.4 (Berkeley) 4/16/94"; #include <time.h> #include <unistd.h> #include <libutil.h> +#ifdef LOGIN_CAP +#include <login_cap.h> +#endif #ifdef SKEY #include <skey.h> @@ -689,6 +692,10 @@ end_login() if (logged_in) logwtmp(ttyline, "", ""); pw = NULL; +#ifdef LOGIN_CAP + setusercontext(NULL, getpwuid(0), (uid_t)0, + LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK); +#endif logged_in = 0; guest = 0; dochroot = 0; @@ -700,6 +707,9 @@ pass(passwd) { int rval; FILE *fd; +#ifdef LOGIN_CAP + login_cap_t *lc = NULL; +#endif static char homedir[MAXPATHLEN]; if (logged_in || askpasswd == 0) { @@ -755,7 +765,34 @@ skip: reply(550, "Can't set gid."); return; } + /* May be overridden by login.conf */ + (void) umask(defumask); +#ifdef LOGIN_CAP + if ((lc = login_getclass(pw)) != NULL) { + char remote_ip[MAXHOSTNAMELEN]; + + strncpy(remote_ip, inet_ntoa(his_addr.sin_addr), + sizeof(remote_ip) - 1); + remote_ip[sizeof(remote_ip) - 1] = 0; + if (!auth_hostok(lc, remotehost, remote_ip)) { + syslog(LOG_INFO|LOG_AUTH, + "FTP LOGIN FAILED (HOST) as %s: permission denied.", + pw->pw_name); + reply(530, "Permission denied.\n"); + pw = NULL; + return; + } + if (!auth_timeok(lc, time(NULL))) { + reply(530, "Login not available right now.\n"); + pw = NULL; + return; + } + } + setusercontext(lc, pw, (uid_t)0, + LOGIN_SETGROUP|LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK); +#else (void) initgroups(pw->pw_name, pw->pw_gid); +#endif /* open wtmp before chroot */ logwtmp(ttyline, pw->pw_name, remotehost); @@ -765,7 +802,11 @@ skip: if ((statfd = open(_PATH_FTPDSTATFILE, O_WRONLY|O_APPEND)) < 0) stats = 0; - dochroot = checkuser(_PATH_FTPCHROOT, pw->pw_name); + dochroot = +#ifdef LOGIN_CAP /* Allow login.conf configuration as well */ + login_getcapbool(lc, "ftp-chroot", 0) || +#endif + checkuser(_PATH_FTPCHROOT, pw->pw_name); if (guest) { /* * We MUST do a chdir() after the chroot. Otherwise 
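Review bot: In the `end_login()` hunk (`@@ -689,6 +692,10 @@`) the added `setusercontext(NULL, getpwuid(0), ...)` call discards its return value and passes the result of `getpwuid(0)` on without a NULL check. If either step fails, the priority, resource limits and umask applied for the previous user would presumably stay in effect for the next login on the same control connection, with nothing in the log to show it. Consider fetching the entry into a new local first and logging a failure, e.g. `if ((rpw = getpwuid(0)) == NULL || setusercontext(NULL, rpw, (uid_t)0, LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK) != 0) syslog(LOG_ERR, "end_login: cannot reset user context");`. The rest of `end_login()` lies outside the hunk.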
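Review bot: The `setusercontext(lc, pw, (uid_t)0, LOGIN_SETGROUP|...)` call added in the `@@ -755,7 +765,34 @@` hunk ignores its return value, so a failure to install the user's groups, limits or umask does not stop the login and the session would continue with whatever groups and limits the daemon already had. The two early `return`s after `auth_hostok()` and `auth_timeok()` also leave without `login_close(lc)` and bypass the `bad:` cleanup that the last hunk extends, and by then the gid change visible just above the hunk has apparently already been made. Routing all three failures through `goto bad` would close `lc` and let `end_login()` undo the partial state, assuming `bad:` belongs to this same function (both hunks carry the `skip:` context). The time-of-day refusal is also not logged, unlike the host refusal. `pass()` starts and ends outside the hunk.

```c
	if ((lc = login_getclass(pw)) != NULL) {
		/* … unchanged: remote_ip setup … */
		if (!auth_hostok(lc, remotehost, remote_ip)) {
			/* … unchanged: syslog() and 530 reply … */
			goto bad;
		}
		if (!auth_timeok(lc, time(NULL))) {
			syslog(LOG_INFO|LOG_AUTH,
			    "FTP LOGIN FAILED (TIME) as %s: permission denied.",
			    pw->pw_name);
			/* … unchanged: 530 reply … */
			goto bad;
		}
	}
	if (setusercontext(lc, pw, (uid_t)0,
	    LOGIN_SETGROUP|LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK) != 0) {
		reply(550, "Can't set user context.");
		goto bad;
	}
```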
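Review bot: `lc` can still be NULL where the `@@ -765,7 +802,11 @@` hunk calls `login_getcapbool(lc, "ftp-chroot", 0)`, because the earlier block only skips its checks when `login_getclass()` fails and then carries on. Unless the library is documented to accept a NULL class, guard it as `(lc != NULL && login_getcapbool(lc, "ftp-chroot", 0)) ||`; the same applies to the `login_close(lc)` calls in the last hunk. Either way the chroot decision then silently falls back to the `_PATH_FTPCHROOT` list alone, so a failed class lookup removes a confinement the administrator configured in login.conf. A `syslog()` warning at that point, or refusing the login, would make that visible. The statement sits inside `pass()`, which extends beyond the hunk.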
@@ -844,10 +885,15 @@ skip: syslog(LOG_INFO, "FTP LOGIN FROM %s as %s", remotehost, pw->pw_name); } - (void) umask(defumask); +#ifdef LOGIN_CAP + login_close(lc); +#endif return; bad: /* Forget all about it... */ +#ifdef LOGIN_CAP + login_close(lc); +#endif end_login(); } |