authorlidl <lidl@FreeBSD.org>2016-11-08 20:12:13 +0000
committerlidl <lidl@FreeBSD.org>2016-11-08 20:12:13 +0000
commit9b98bd2c9f08d91a310e1e9261fcbf1771948d6a (patch)
treeffc3a3c7356c6b9cd6cadb4378f073711b736e5a /libexec/ftpd
parenta3e133014e94cc2e557752605ad6f8b0e56d4690 (diff)
MFC r308175: Revisit blacklistd support in ftpd
Enhance blacklistd support to not log anything by default, unless blacklistd support is enabled on the command line. Document new flag in man page, cleanup patches to be less intrusive in code. Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'libexec/ftpd')
-rw-r--r--libexec/ftpd/blacklist.c6
-rw-r--r--libexec/ftpd/blacklist_client.h23
-rw-r--r--libexec/ftpd/ftpd.810
-rw-r--r--libexec/ftpd/ftpd.c26
4 files changed, 50 insertions, 15 deletions
diff --git a/libexec/ftpd/blacklist.c b/libexec/ftpd/blacklist.c
index b66a1cd..85f90b5 100644
--- a/libexec/ftpd/blacklist.c
+++ b/libexec/ftpd/blacklist.c
@@ -37,16 +37,20 @@
#include <blacklist.h>
static struct blacklist *blstate;
+extern int use_blacklist;
void
blacklist_init(void)
{
- blstate = blacklist_open();
+
+ if (use_blacklist)
+ blstate = blacklist_open();
}
void
blacklist_notify(int action, int fd, char *msg)
{
+
if (blstate == NULL)
return;
(void)blacklist_r(blstate, action, fd, msg);
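Review bot: When `-B` is given but `blacklist_open()` returns NULL, `blacklist_init()` leaves `blstate` unset and every later `blacklist_notify()` returns early without a trace, so an operator who enabled reporting cannot tell that failed logins are not reaching blacklistd. I would log that case once, e.g. `if (use_blacklist && (blstate = blacklist_open()) == NULL) syslog(LOG_WARNING, "blacklist_open failed");`, assuming syslog is usable in this file (its includes are outside the hunk). Separately, `extern int use_blacklist;` would be safer declared in `blacklist_client.h`, so that the compiler checks it against the definition in ftpd.c. The body of blacklist_notify ends outside the hunk.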
diff --git a/libexec/ftpd/blacklist_client.h b/libexec/ftpd/blacklist_client.h
index 596b2bc..7ac6fd1 100644
--- a/libexec/ftpd/blacklist_client.h
+++ b/libexec/ftpd/blacklist_client.h
@@ -28,5 +28,26 @@
/* $FreeBSD$ */
-void blacklist_notify(int, int, char *);
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL
+};
+
+#ifdef USE_BLACKLIST
void blacklist_init(void);
+void blacklist_notify(int, int, char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x, y, z) blacklist_notify(x, y, z)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x, y, z)
+
+#endif
+
+#endif /* BLACKLIST_CLIENT_H */
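Review bot: The disabled-build definitions `#define BLACKLIST_INIT()` and `#define BLACKLIST_NOTIFY(x, y, z)` expand to nothing, so each call site collapses to a bare `;` (the `else { BLACKLIST_NOTIFY(...); }` in ftpd.c becomes an empty block) and the macro cannot safely be used as the sole body of an unbraced `if`. Defining them as `#define BLACKLIST_INIT() ((void)0)` and `#define BLACKLIST_NOTIFY(x, y, z) ((void)0)` keeps them valid as expression statements in both builds. The anonymous enum also deserves a comment such as `/* action codes passed to blacklist_r(); values must stay 0 = success, 1 = failure */`, since these constants replace the literal 0 and 1 previously passed from ftpd.c.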
diff --git a/libexec/ftpd/ftpd.8 b/libexec/ftpd/ftpd.8
index 50565e9..0cd6289 100644
--- a/libexec/ftpd/ftpd.8
+++ b/libexec/ftpd/ftpd.8
@@ -36,7 +36,7 @@
.Nd Internet File Transfer Protocol server
.Sh SYNOPSIS
.Nm
-.Op Fl 468ADdEhMmOoRrSUvW
+.Op Fl 468ABDdEhMmOoRrSUvW
.Op Fl l Op Fl l
.Op Fl a Ar address
.Op Fl P Ar port
@@ -95,6 +95,14 @@ When
.Fl D
is specified, accept connections only on the specified
.Ar address .
+.It Fl B
+With this option set,
+.Nm
+sends authentication success and failure messages to the
+.Xr blacklistd 8
+daemon. If this option is not specified, no communcation with the
+.Xr blacklistd 8
+daemon is attempted.
.It Fl D
With this option set,
.Nm
diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index 16c7523..95682d5 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -144,6 +144,7 @@ int noretr = 0; /* RETR command is disabled. */
int noguestretr = 0; /* RETR command is disabled for anon users. */
int noguestmkd = 0; /* MKD command is disabled for anon users. */
int noguestmod = 1; /* anon users may not modify existing files. */
+int use_blacklist = 0;
off_t file_size;
off_t byte_count;
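Review bot: `int use_blacklist = 0;` is the only flag in this group without a trailing comment; add one such as `/* report login results to blacklistd (-B) */` so it reads like its neighbours. The variable is also read from blacklist.c through an extern declaration, which the comment could mention.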
@@ -305,7 +306,7 @@ main(int argc, char *argv[], char **envp)
openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
while ((ch = getopt(argc, argv,
- "468a:AdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
+ "468a:ABdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
switch (ch) {
case '4':
family = (family == AF_INET6) ? AF_UNSPEC : AF_INET;
@@ -327,6 +328,14 @@ main(int argc, char *argv[], char **envp)
anon_only = 1;
break;
+ case 'B':
+#ifdef USE_BLACKLIST
+ use_blacklist = 1;
+#else
+ syslog(LOG_WARNING, "not compiled with USE_BLACKLIST support");
+#endif
+ break;
+
case 'd':
ftpdebug++;
break;
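Review bot: In a build without USE_BLACKLIST the `case 'B':` branch only logs at LOG_WARNING and the server then starts normally, so a host configured with `-B` runs without the login-failure reporting the operator asked for. If continuing is intended, the message should at least name the flag and say it is ignored, e.g. `syslog(LOG_WARNING, "-B ignored: not compiled with USE_BLACKLIST support");`, and a short comment on the branch should state that continuing without reporting is deliberate. The enclosing switch continues outside the hunk.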
@@ -644,9 +653,7 @@ gotchild:
reply(220, "%s FTP server (%s) ready.", hostname, version);
else
reply(220, "FTP server ready.");
-#ifdef USE_BLACKLIST
- blacklist_init();
-#endif
+ BLACKLIST_INIT();
for (;;)
(void) yyparse();
/* NOTREACHED */
@@ -1422,9 +1429,7 @@ skip:
*/
if (rval) {
reply(530, "Login incorrect.");
-#ifdef USE_BLACKLIST
- blacklist_notify(1, STDIN_FILENO, "Login incorrect");
-#endif
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, STDIN_FILENO, "Login incorrect");
if (logging) {
syslog(LOG_NOTICE,
"FTP LOGIN FAILED FROM %s",
@@ -1441,12 +1446,9 @@ skip:
exit(0);
}
return;
+ } else {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, STDIN_FILENO, "Login successful");
}
-#ifdef USE_BLACKLIST
- else {
- blacklist_notify(0, STDIN_FILENO, "Login successful");
- }
-#endif
}
login_attempts = 0; /* this time successful */
if (setegid(pw->pw_gid) < 0) {