ctime(3) and ctime_r(3) can fail when timestamps are way off.
Add missing error checks to all calls under libexec/

Input kettenis, millert
OK millert

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Constify function parameters.

OK martijn@

Remove useless fflush(3) calls. lreply() already called fflush(3).

OK martijn@

Removes the useless FILE* parameter of get_line().
While here fix minor whitespace mistake.

"looks fine to me" chris@

Simplify globbing of ftpd(8)s list and nlst commands.
Also avoid command option injection for ls(1).

OK martijn@

snprintf/vsnprintf return < 0 on error, rather than -1.

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

rm dead code and simplify ftpd_popen. this code has only called
its statically linked ls_main for some time now.
from Jan Klemkow
ok deraadt

Flip snprintf(3) error check to align it with the man page example.
No functional change.
suggested by tb@; from Jan Klemkow

Convert some variables with non-negative values to unsigned type
to avoid comparison of integers of different signs.
from Jan Klemkow; OK tb@

Use a single "opt" variable for all setsockopt calls in getdatasock().

on = 65536;
if (setsockopt(... &on ...)

is slightly misleading.

Set "lowdelay" and "throughput" Traffic Class on command & data IPv6 sockets.

Don't attempt to support IPv4-mapped IPv6 addresses.

We don't consider support for those addreses as desirable, so let's not
give a bad example by keeping application code to handle them. This is
dead code on OpenBSD anyway since we do not support IPv4-mapped stuff.
But let's keep the check to log and warn the admin if the code gets
ported elsewhere. Porters of this code should ensure that IPv6 sockets
can't see IPv4-mapped addresses by using the IPV6_V6ONLY sockopt.

Discussed with & ok tedu@

For a rationale, see https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02

remove ifdef for all the features we have.
retain disabled ip4in6 code until its future is decided.
ok deraadt jca

trim down some NBBY references. 8 bits ought to be enough for anyone.

Convert %q to %ll with long long casts for printf()
Delete pointless casts to off_t, void*, and uid_t

ok krw@

Use fstatat() instead of crafting a filename to use with stat()

ok millert@

Kill #ifdef INET6 occurrences in userland.

Prompted by and ok millert@

(tcpdump and libpcap left untouched, the #ifdef force is too strong with
those)

prefer setres{u,g}id() rather than manipulating both real and effective
ids, it clarifies these are full revocation situations.
ok millert

compare pointer to NULL instead of 0

from fritjof ! alokat.org

ok ratchov@ natano@

More "(<blah> *)0" -> NULL, avoiding any stdarg functions.

Feedback millert@ kettenis@

Remove NULL-checks before free(). ok tb@

don't need to ifdef setproctitle

No longer create /var/run/ftpd.pid in daemon mode; OK jung@ jca@

fix custom popen to return pid to caller instead of tracking in a giant
array. this implies we can't use a function pointer for close, but also
means we get to repair some abuse of the comma operator.
ok miod

test pointers with NULL not '\0'

CMASK went out of scope with the recent <sys/param.h> removal. But oh
golly gee, ftpd can handle that itself due to the glorious old practice
of #ifndef #define. Remove that junk.
ok guenther

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Remove unnecessary netinet/in_systm.h include.

ok millert@

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@

remove tcpwrappers support. ok deraadt

args! fix argstr. from LEVAI Daniel.

typo, spotted by okan@

Add an option to disallow ftp access to accounts with uid below a certain
number (idea borrowed from pure-ftpd). Enabled by default with minimum uid
1000 to prevent access to admin accounts. tweak/OK millert@, OK deraadt@,
gsoares@ and aja@ like it too.

If the file size is zero, there's nothing to transmit so avoid spamming
syslog with mmap failures. Noticed by and ok henning@, "looks right"
deraadt@

Correct format string mismatches turned up by -Wformat=2

suggestions and ok millert@

Make sure tmpline[] is always NUL terminated, to avoid possible
read-beyond-end in get_line().

Analysis and patch by Maxime Villard (rustyBSD (at) gmx.fr)
ok millert@ deraadt@

remove some unnecessary sys/param.h inclusions

In preparation for getline and getdelim additions to libc, rename getline()
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.

Add a new '-W' option to prevent saving login records to /var/run/wtmp.
This can become pretty handy on busy anonymous servers to avoid filling
up /var with unused wtmp records.
Note that 'U' and 'W' are mutually exclusive.

ok sthen@ millert@

Set SO_KEEPALIVE on sockets. OK miod@. Also tested by landry@
"Makes sense" markus@ and "i don't see a reason not to" henning@

In revision 1.14 of ftpd.c the ident variable was removed from its only meaningful usage when a snprintf call was removed, rendering ident useless. Time to remove remaining code.

ok tobias@

Properly reset states when a login phase is interrupted by another one.
Prevents ftpd from letting regular users logging in during anonymous-only
mode (-A).

ok millert, ray

Don't set "success" flags before error checks.
Add check for login_getclass() failure, pointed out by tobias.

OK tobias

Prevent a segmentation fault on ftpd_popen error (memory, file descriptor,
pipe ...) during status command.

ok millert

Adjust FTP reply codes (in error conditions) to conform to RFC 959.

ok millert, schwarze

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

When receiving a new connection, log the remote IP number
in addition to the remote hostname.

Feature requested by Mark Bucciarelli mkbucc at gmail dot com on misc@.
"seems OK" millert@

Always say "User %s access denied", in all cases, to avoid some stupid
spinny things which parse those messages. Do not close the connection
as requested by Josh Grosse, since a 530 is not supposed to do that.
ok millert

Don't split large commands into multiple commands on a 512-byte
boundary but just fail on them. This prevents CSRF-like attacks,
when a web browser is used to access an ftp server.

Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.

ok millert@ martynas@

Include file order must be "monitor.h" before "extern.h" otherwise enum
auth_ret is referenced before it is declared, which is not allowed by C99.

Ok krw@, millert@, gilles@

Use arc4random_buf() when requesting more than a single word of output

Use arc4random_uniform() when the desired random number upper bound
is not a power of two

ok deraadt@ millert@

use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg

From Gilles Chehade:
- Use strtonum instead of atoi.
- Improve strtol error checking.
- Change strchr calls to strcspn and eliminating some unused
variables as a result.

OK moritz

Fix potential memory leak, when snprintf(3) returns an empty buffer.

OK ray@

Adjust spacing, combine malloc + strlcpy + strlcat into a single
asprintf call.

OK moritz

Make sure perror_reply() is only called when errno is set. When
changing perror_reply() -> reply(), increase error message detail
for ftp client. Move free() statement to prevent errno clobbering.

OK moritz

Do not advertise version in the ftp banner, because there is no reason to.
OK mbalmer@, xsa@, henning@, idea prompted by deraadt

- use proper log facility and priority in the slave sig handlers
- if the monitor decides to kill the slave, log that
ok millert@ moritz@

'tranfer' -> 'transfer' in comments.

Avoid double fclose() of a file if we exceed retries. Coverity ID 2669.
OK cloder@

you do not call fclose() on a file descriptor; ok cloder

lint cleanup; ok ray moritz dhill

remove shadowing variables; ok pval

fix double var declarations in same scope, found by lint; ok deraadt cloder

EOF in ascii mode may also mean EOF so avoid printing a bogus error and behave same as bin mode; beck@ deraadt@ millert@ ok

let root create the data socket. fixes PR 4287.
ok millert@ henning@

readd endpwent()

no need for endpwent()

make code prettier so we can tell it is safe when we read it; ok beck cloder

branches: 1.163.2;
better handling of cases where getnameinfo() returns non-zero.
upon failure, don't try to print the contents of the char buffers we passed it.

ok & feedback henning@, moritz@ (thanks!)

seperate reply_r, like earlier change but safer; moritz ok

reply() used to play a lot with stdout, expecially fflush(stdout).
The recent change is to avoid stdio. That's good, except there are
nearly 130 calls to this function, yet what if one of them depended on
fflush() or something else in this code? The semantic change was
never checked. That is not how we do development -- back this out
until we know that checking work has been done.

make reply() reentrant. fixes a signal race.
ok henning@

logging fixes:
-don't prefix ftpd: in syslog(), it does that for us
-replace a bad (too late) err() by syslog + exit
from moritz

bump version

fix ttyline setting, fixes proctitle.
notice independently by theo and pval, fix from moritz jodeit

privilege seperate ftpd
handle the pre-authentication phase (minus a tiny tiny tiny amount
of code after accept()) in an unprivileged process, asking the
privileged monitor for help where needed.
work by Moritz Jodeit <moritz@jodeit.org> with help from theo and me
tests theo ian@ matthieu@ ben@networkinsanity.com a.schlichting@lemarit.com

More sensible error when both the -n and -A flags are used. Text OK jmc@

cope nicer with accept() failures, from freebsd; millert ok

knf

spacing

knf

fix PR 3596 by making root create the socket, ok millert@

ftpd.8:
- simpler macros
- sort options
- some updates

ftpd.c:
- sync usage()

Don't hold on to the bind() while we loop around waiting to see if we can
make our connection. Adapted from FreeBSD via danh@

listen to bodh IPv4/v6 ftp port on -D by default. deraadt ok.
comments from markus, millert. tested by fries

usage():

- add missing -n (from Jeff Ito PR 3496)
- remove deprecated -h
- sort -T and -t to match man page

branches: 1.145.2;
spaces

make this match protos; millert ok

ansi cleanup; ok ian markus

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

Replace strcpy() w/ strlcpy() from espie@

Don't try to free pw_dir -- it is no longer allocated separately.
Instead, add an extra param to sgetpwnam() to allow it to dupe an
existing struct passwd * (instead of doing a lookup by username)
and use this to reallocate pw in the case where pw_dir is the NULL
string. deraadt@ OK

branches: 1.140.2;
reply() -> perror_reply().

millert@ ok

Change a setuid() that should be seteuid(), not iced by grange@
Move a va_end so it gets called in an error condition as well

o Once a user is logged in, don't allow a change to another user.
o Run more code with the effective uid of the logged in user.
From Frank Denis

Avoid potential printf format string problem with challenge from
auth_challenge(). Currently, none of the auth modules put non-sanitized
data in the prompt so there are no real security implications with
this fix. Patch from Moritz Jodeit.

branches: 1.136.2;
remove extra arg; jmegq@post.harvard.edu

-n: disallow anon ftp even if ftp account exists

Also check for snprintf() returning < 0

What on earth possessed me to use %p instead of %m in syslog() to
indicate the error string?

Exit on setusercontext() failure; noticed by deraadt@

make ftpd always listen to a high tcp port for passive data connections.
deprecate and ignore the -h option. ok deraadt@.

* use lostconn() as the SIGALRM handler in receive_data() as originally
done by downsj@ in revision 1.54.

* some -Wall cleanup
- only declare check_host() if TCPWRAPPERS is defined.
- use socklen_t where appropriate instead of int (pointer signedness
warnings).
- {u_}char * pointer signedness warnings.

ok millert@

Initialize SIGALRM handler once in main(), instead of in several
different locations.

This fixes a problem where the SIGALRM handler was being set to an
uninitialized pointer in receive_data(). Originally reported to the
misc@ list by Colin Harford.

ok millert@

do not present scopeid on wire format (as it is local to a node).

a few more strlcat

pid_t cleanup

correct an auth_close() misuse; millert ok

o Don't allow password-less accounts to login (like in 2.9 and below)
o Stash copy of struct passwd via auth_setpwd() to avoid extra needless
getpwnam() calls.

bsd_auth.h requires other headers so it can't be first

Fix a couple mis-sorted headers and sync usage() with man page.
From Brian Poole

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

strlcpy

make sure pw_dir is big enough for strcpy(pw->pw_dir, "/").

Plug login_cap and bsd_auth related memory leaks. Problem noticed
by mpech@.

fix potential memory leak.

millert@ ok

Use always '.' in the end of the fatal() message. Consistency is good.

millert@ ok.

don't use \n in reply().

millert@ ok

To disable a SIGCHLD signal handler use SIG_DFL, *not* SIG_IGN
which now has a different meaning.

Don't use sigprocmask() in signal handlers when we can just set the
mask to be what we want with sigaction. Pointed out by Yar Tikhiy.

Add missing sigaction() call from last commit

kill more registers;

millert@ ok

Kill setjmp/longjmp
o fix error recovery in the parser so there is no longer a need for jmping
o make SIGURG handler interupt syscalls and just set a flag that we test
for later.

Use waitpid() not wait3() for portability. Restart waitpid() loop
if another signal interrupts us.

Calling dologout() from signal handlers is safe because it doesn't
use stdio, nor do the two functions it calls (logout and ftpdlogwtmp).

Use pidfile() instead of doing the equivalent thing by hand, and sometimes
forgetting to unlink the pid file at exit.
ok millert@ deraadt@

volatile sig_atomic_t

more signal marks, and some syslog_r in handlers

as is aleady closed and freed by auth_userresponse, ok millert@

make sure that va_start() has matching va_end()

-Wall

Use the 'welcome' variable from login.conf instead of hard-coding
/etc/motd.

millert didn't compile this.

Set "login" and "notickets" BSD auth options. We don't need to get
a kerb ticket but we do need AFS tokens.

more va_start/end fixes, ok deraadt@

strncpy vs strlcpy, some strlen missuse.
some other related minor cleanups, and spaces.
millert@ ok

use BSD authentication

mmap returns MAP_FAILED on error, not 0.

use GLOB_LIMIT

Block all signals in lostconn() and sigprocmask() since we are headed
for _exit(). Fixes a signal handler race condition.

do not strerror() a signo

Whoops, don't use strlcpy with utmp; millert@

Long usernames; also some simple strncpy->strlcpy.

mark remaining signal races

make sure replydirname() do not truncate names, even if the filename
is MAXPATHLEN doublequotes.
From: Paul Janzen <pjanzen@foatdi.harvard.edu>

make sure we do not return stray " at the end of stirng, like bla"\0.
From: "William C. Allen" <allenwc@home.com>

Make the -P option effective (rjmooney@mediaone.net)

Expand tilde (~) in ftp-dir login.conf variable. Closes PR 1382

Log the actual bytes transfered, rather than the original file size.

in replydirname(), avoid one-byte overrun.
From: Kristian Vlaardingerbroek <kris@obit.nl>

The man page says the default umask is 027 but it is really 022 since
that is the value of CMASK.

Have setusercontext() set the umask unless the -u flag was specified.
This allows the admin to set the umask either via -u or via a login
class in login.conf.

setusercontext should not set umask as this interferes with the
umask specified for ftpd on the command line. Closed PR #1530

typo in LPSV printing. From: Hiroyuki YAMAMORI <h-yamamo@db3.so-net.ne.jp>

cleanup EPSV/EPRT error handling. avoid possible memory leak (getaddrinfo).
correct error code on unsupported protocol parameter against EPRT (522).

branches: 1.79.2;
check return value for setenv(3) for failure, and deal appropriately

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.

crank version to 6.5

another setproctitle

always setproctitle with %s if using a variable

pr 772; -u blocks chmod command, michaels@inet.no

correct STAT command output for LPSV output.

address PR 1274 (-h does not work on EPSV).
the committed code handles IPv6 case too.

branches: 1.71.2;
strerror

do not lose descriptors; Takahiro Kambe

Turns out that our implementation of STAT wasn't RFC 959 compliant.
This version is now RFC 959 compliant, using a patch adapted from one
sent in by david.leonard@eecs.uq.edu.au

Fix a pasto in the last commit. The genesis of this bug is actually
somewhat interesting. The getwd() function has historically placed
an error message in the buffer on failure, but getcwd() does not.
Therefor, a bulk search and replace of getwd() with getcwd() can
create bugs like this one.

"pwd" should print an error, not garbage, if getcwd() fails; form@vell.nsc.ru

call dologout() with 1. not -1

using u_char * is a lot more convenient than doing & 0xff 80+ times

close passive mode data socket.
From: deraadt

IPv6 support from KAME.
XXX kerberos and tcp_wrapper needs checking

Write pid to /var/run/ftpd.pid if running in daemon mode.

Fix thinko on my part, we want to avoid setting mode to "r+" for
append, not for ascii.

Move initialization of ttyline to be after the fork() so that when
we are in daemon mode it contains the pid of the child, not the parent.
This fixes utmp/wtmp updates in daemon mode.

When restarting a STOR, open with "r+", not "w" so we don't truncate.
Based on a patch from rmooney@iss.net; closed PR #993

warning about getpeername() failing is useless

correct oob handling for STAT command; ian@plutotech.com

bad umask is an error, syslog; pointed out by form@

do not proceed if incorrect args are found; found by form

Work around the blocking read() that causes so many hung ftpd processes.

This has been extensively tested.

implement internal ls

indent

use getcwd()

check for out-of-range umask bits from strtol()

add replydirname() from netbsd; fixes 257 directory replies; problem noted by kstailey

ftpd: sleep for an indeterminate amount for non-existant logins
to simulate a crypt, like login does.
Use SEEK_* not L_* and kill some 0L's used in lseek while we're there.

allow ftpchroot-ed users to also be multihomed

use SIG_ERR

default to violating the RFC wrt the PORT command. Use -P to conform to the
RFC and possibly open up non-OpenBSD boxes in a trust relationship on your
network to possible ftp bounce attacks...

Errno save/restore.

save errno in sigchld handlers

#if __STDC__ --> #ifdef __STDC__

tabify

crank version

partial Wall

attempt to realpath() log entries

bigger buf

Support integrated tcp wrappers when in daemon mode.

change -A to let in anon | chroot accounts

do not allow connect to a 2049 either, helps firewall cases; adam@math.tau.ac.il

Splat .message file if it exists when user cd's to a directory
like wu-ftpd. Based on changes from Oliver.

crank version number

getopt(3) returns -1 when out of args, not EOF, whee!

Signals are now blocked while ftpd runs with euid 0, as suggested by
Weiste Venema. If this triggers any problems (most likely with ABOR not
working at certain times) let me know.

avoid SIGURG race; dg@root.com

stop gunique() open/fopen race

solve /tmp-style race spotted by bitblt

ftpd now eventually times out if a ftp client does:
pasv
list
and then crashes.
The timeout should only apply the the accept(), so that transfers can
take as long as necessary to complete.
Thanks to Theo for moving toolong() to extern.h so that it can be used
in ftpd.c as well as in ftpcmd.y.

-A for anon only; from freebsd

add ')'.

forget old password nicely

fd leak spotted by bitblt

s/key (otp) challenge is now rfc 1938 compliant.

vis log entries; noted by bitblt

no, bad commit

clear passwd, for safety

strncpy correctly

hide our base dir

log non-anon stuff for -S too, from downsj

Add multihome support (-M) and make stats logging look like wu-ftpd.

Handle signals better.

STATS is not an option.

strcpy -> strncpy, kill off a strdup() clone.

sprintf -> snprintf

Remove some FreeBSD cruft.

Add -h, causing passive mode connections to request the high port range.

Also a few other changes.

Add setenv for HOME (from FreeBSD).

Add daemon mode (from FreeBSD), moving a lot of things around.

Also change the advertised version to '6.1/OpenBSD'; using the old version
number from 4.4BSD seems rather silly at this point.

Add anonymous statistics logging, based on FreeBSD but with the really
obvious bugs fixed.

New mmap(2)-using send_data() from FreeBSD.

No more ftpd bounce attacks.

my netbsd pr#2217: add utmp support to ftpd, some other small changes/fixes.

branches: 1.1.1;
Initial revision

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Constify function parameters.

OK martijn@

Remove useless fflush(3) calls. lreply() already called fflush(3).

OK martijn@

Removes the useless FILE* parameter of get_line().
While here fix minor whitespace mistake.

"looks fine to me" chris@

Simplify globbing of ftpd(8)s list and nlst commands.
Also avoid command option injection for ls(1).

OK martijn@

snprintf/vsnprintf return < 0 on error, rather than -1.

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

rm dead code and simplify ftpd_popen. this code has only called
its statically linked ls_main for some time now.
from Jan Klemkow
ok deraadt

Flip snprintf(3) error check to align it with the man page example.
No functional change.
suggested by tb@; from Jan Klemkow

Convert some variables with non-negative values to unsigned type
to avoid comparison of integers of different signs.
from Jan Klemkow; OK tb@

Use a single "opt" variable for all setsockopt calls in getdatasock().

on = 65536;
if (setsockopt(... &on ...)

is slightly misleading.

Set "lowdelay" and "throughput" Traffic Class on command & data IPv6 sockets.

Don't attempt to support IPv4-mapped IPv6 addresses.

We don't consider support for those addreses as desirable, so let's not
give a bad example by keeping application code to handle them. This is
dead code on OpenBSD anyway since we do not support IPv4-mapped stuff.
But let's keep the check to log and warn the admin if the code gets
ported elsewhere. Porters of this code should ensure that IPv6 sockets
can't see IPv4-mapped addresses by using the IPV6_V6ONLY sockopt.

Discussed with & ok tedu@

For a rationale, see https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02

remove ifdef for all the features we have.
retain disabled ip4in6 code until its future is decided.
ok deraadt jca

trim down some NBBY references. 8 bits ought to be enough for anyone.

Convert %q to %ll with long long casts for printf()
Delete pointless casts to off_t, void*, and uid_t

ok krw@

Use fstatat() instead of crafting a filename to use with stat()

ok millert@

Kill #ifdef INET6 occurrences in userland.

Prompted by and ok millert@

(tcpdump and libpcap left untouched, the #ifdef force is too strong with
those)

prefer setres{u,g}id() rather than manipulating both real and effective
ids, it clarifies these are full revocation situations.
ok millert

compare pointer to NULL instead of 0

from fritjof ! alokat.org

ok ratchov@ natano@

More "(<blah> *)0" -> NULL, avoiding any stdarg functions.

Feedback millert@ kettenis@

Remove NULL-checks before free(). ok tb@

don't need to ifdef setproctitle

No longer create /var/run/ftpd.pid in daemon mode; OK jung@ jca@

fix custom popen to return pid to caller instead of tracking in a giant
array. this implies we can't use a function pointer for close, but also
means we get to repair some abuse of the comma operator.
ok miod

test pointers with NULL not '\0'

CMASK went out of scope with the recent <sys/param.h> removal. But oh
golly gee, ftpd can handle that itself due to the glorious old practice
of #ifndef #define. Remove that junk.
ok guenther

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Remove unnecessary netinet/in_systm.h include.

ok millert@

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@

remove tcpwrappers support. ok deraadt

args! fix argstr. from LEVAI Daniel.

typo, spotted by okan@

Add an option to disallow ftp access to accounts with uid below a certain
number (idea borrowed from pure-ftpd). Enabled by default with minimum uid
1000 to prevent access to admin accounts. tweak/OK millert@, OK deraadt@,
gsoares@ and aja@ like it too.

If the file size is zero, there's nothing to transmit so avoid spamming
syslog with mmap failures. Noticed by and ok henning@, "looks right"
deraadt@

Correct format string mismatches turned up by -Wformat=2

suggestions and ok millert@

Make sure tmpline[] is always NUL terminated, to avoid possible
read-beyond-end in get_line().

Analysis and patch by Maxime Villard (rustyBSD (at) gmx.fr)
ok millert@ deraadt@

remove some unnecessary sys/param.h inclusions

In preparation for getline and getdelim additions to libc, rename getline()
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.

Add a new '-W' option to prevent saving login records to /var/run/wtmp.
This can become pretty handy on busy anonymous servers to avoid filling
up /var with unused wtmp records.
Note that 'U' and 'W' are mutually exclusive.

ok sthen@ millert@

Set SO_KEEPALIVE on sockets. OK miod@. Also tested by landry@
"Makes sense" markus@ and "i don't see a reason not to" henning@

In revision 1.14 of ftpd.c the ident variable was removed from its only meaningful usage when a snprintf call was removed, rendering ident useless. Time to remove remaining code.

ok tobias@

Properly reset states when a login phase is interrupted by another one.
Prevents ftpd from letting regular users logging in during anonymous-only
mode (-A).

ok millert, ray

Don't set "success" flags before error checks.
Add check for login_getclass() failure, pointed out by tobias.

OK tobias

Prevent a segmentation fault on ftpd_popen error (memory, file descriptor,
pipe ...) during status command.

ok millert

Adjust FTP reply codes (in error conditions) to conform to RFC 959.

ok millert, schwarze

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

When receiving a new connection, log the remote IP number
in addition to the remote hostname.

Feature requested by Mark Bucciarelli mkbucc at gmail dot com on misc@.
"seems OK" millert@

Always say "User %s access denied", in all cases, to avoid some stupid
spinny things which parse those messages. Do not close the connection
as requested by Josh Grosse, since a 530 is not supposed to do that.
ok millert

Don't split large commands into multiple commands on a 512-byte
boundary but just fail on them. This prevents CSRF-like attacks,
when a web browser is used to access an ftp server.

Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.

ok millert@ martynas@

Include file order must be "monitor.h" before "extern.h" otherwise enum
auth_ret is referenced before it is declared, which is not allowed by C99.

Ok krw@, millert@, gilles@

Use arc4random_buf() when requesting more than a single word of output

Use arc4random_uniform() when the desired random number upper bound
is not a power of two

ok deraadt@ millert@

use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg

From Gilles Chehade:
- Use strtonum instead of atoi.
- Improve strtol error checking.
- Change strchr calls to strcspn and eliminating some unused
variables as a result.

OK moritz

Fix potential memory leak, when snprintf(3) returns an empty buffer.

OK ray@

Adjust spacing, combine malloc + strlcpy + strlcat into a single
asprintf call.

OK moritz

Make sure perror_reply() is only called when errno is set. When
changing perror_reply() -> reply(), increase error message detail
for ftp client. Move free() statement to prevent errno clobbering.

OK moritz

Do not advertise version in the ftp banner, because there is no reason to.
OK mbalmer@, xsa@, henning@, idea prompted by deraadt

- use proper log facility and priority in the slave sig handlers
- if the monitor decides to kill the slave, log that
ok millert@ moritz@

'tranfer' -> 'transfer' in comments.

Avoid double fclose() of a file if we exceed retries. Coverity ID 2669.
OK cloder@

you do not call fclose() on a file descriptor; ok cloder

lint cleanup; ok ray moritz dhill

remove shadowing variables; ok pval

fix double var declarations in same scope, found by lint; ok deraadt cloder

EOF in ascii mode may also mean EOF so avoid printing a bogus error and behave same as bin mode; beck@ deraadt@ millert@ ok

let root create the data socket. fixes PR 4287.
ok millert@ henning@

readd endpwent()

no need for endpwent()

make code prettier so we can tell it is safe when we read it; ok beck cloder

branches: 1.163.2;
better handling of cases where getnameinfo() returns non-zero.
upon failure, don't try to print the contents of the char buffers we passed it.

ok & feedback henning@, moritz@ (thanks!)

seperate reply_r, like earlier change but safer; moritz ok

reply() used to play a lot with stdout, expecially fflush(stdout).
The recent change is to avoid stdio. That's good, except there are
nearly 130 calls to this function, yet what if one of them depended on
fflush() or something else in this code? The semantic change was
never checked. That is not how we do development -- back this out
until we know that checking work has been done.

make reply() reentrant. fixes a signal race.
ok henning@

logging fixes:
-don't prefix ftpd: in syslog(), it does that for us
-replace a bad (too late) err() by syslog + exit
from moritz

bump version

fix ttyline setting, fixes proctitle.
notice independently by theo and pval, fix from moritz jodeit

privilege seperate ftpd
handle the pre-authentication phase (minus a tiny tiny tiny amount
of code after accept()) in an unprivileged process, asking the
privileged monitor for help where needed.
work by Moritz Jodeit <moritz@jodeit.org> with help from theo and me
tests theo ian@ matthieu@ ben@networkinsanity.com a.schlichting@lemarit.com

More sensible error when both the -n and -A flags are used. Text OK jmc@

cope nicer with accept() failures, from freebsd; millert ok

knf

spacing

knf

fix PR 3596 by making root create the socket, ok millert@

ftpd.8:
- simpler macros
- sort options
- some updates

ftpd.c:
- sync usage()

Don't hold on to the bind() while we loop around waiting to see if we can
make our connection. Adapted from FreeBSD via danh@

listen to bodh IPv4/v6 ftp port on -D by default. deraadt ok.
comments from markus, millert. tested by fries

usage():

- add missing -n (from Jeff Ito PR 3496)
- remove deprecated -h
- sort -T and -t to match man page

branches: 1.145.2;
spaces

make this match protos; millert ok

ansi cleanup; ok ian markus

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

Replace strcpy() w/ strlcpy() from espie@

Don't try to free pw_dir -- it is no longer allocated separately.
Instead, add an extra param to sgetpwnam() to allow it to dupe an
existing struct passwd * (instead of doing a lookup by username)
and use this to reallocate pw in the case where pw_dir is the NULL
string. deraadt@ OK

branches: 1.140.2;
reply() -> perror_reply().

millert@ ok

Change a setuid() that should be seteuid(), not iced by grange@
Move a va_end so it gets called in an error condition as well

o Once a user is logged in, don't allow a change to another user.
o Run more code with the effective uid of the logged in user.
From Frank Denis

Avoid potential printf format string problem with challenge from
auth_challenge(). Currently, none of the auth modules put non-sanitized
data in the prompt so there are no real security implications with
this fix. Patch from Moritz Jodeit.

branches: 1.136.2;
remove extra arg; jmegq@post.harvard.edu

-n: disallow anon ftp even if ftp account exists

Also check for snprintf() returning < 0

What on earth possessed me to use %p instead of %m in syslog() to
indicate the error string?

Exit on setusercontext() failure; noticed by deraadt@

make ftpd always listen to a high tcp port for passive data connections.
deprecate and ignore the -h option. ok deraadt@.

* use lostconn() as the SIGALRM handler in receive_data() as originally
done by downsj@ in revision 1.54.

* some -Wall cleanup
- only declare check_host() if TCPWRAPPERS is defined.
- use socklen_t where appropriate instead of int (pointer signedness
warnings).
- {u_}char * pointer signedness warnings.

ok millert@

Initialize SIGALRM handler once in main(), instead of in several
different locations.

This fixes a problem where the SIGALRM handler was being set to an
uninitialized pointer in receive_data(). Originally reported to the
misc@ list by Colin Harford.

ok millert@

do not present scopeid on wire format (as it is local to a node).

a few more strlcat

pid_t cleanup

correct an auth_close() misuse; millert ok

o Don't allow password-less accounts to login (like in 2.9 and below)
o Stash copy of struct passwd via auth_setpwd() to avoid extra needless
getpwnam() calls.

bsd_auth.h requires other headers so it can't be first

Fix a couple mis-sorted headers and sync usage() with man page.
From Brian Poole

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

strlcpy

make sure pw_dir is big enough for strcpy(pw->pw_dir, "/").

Plug login_cap and bsd_auth related memory leaks. Problem noticed
by mpech@.

fix potential memory leak.

millert@ ok

Use always '.' in the end of the fatal() message. Consistency is good.

millert@ ok.

don't use \n in reply().

millert@ ok

To disable a SIGCHLD signal handler use SIG_DFL, *not* SIG_IGN
which now has a different meaning.

Don't use sigprocmask() in signal handlers when we can just set the
mask to be what we want with sigaction. Pointed out by Yar Tikhiy.

Add missing sigaction() call from last commit

kill more registers;

millert@ ok

Kill setjmp/longjmp
o fix error recovery in the parser so there is no longer a need for jmping
o make SIGURG handler interupt syscalls and just set a flag that we test
for later.

Use waitpid() not wait3() for portability. Restart waitpid() loop
if another signal interrupts us.

Calling dologout() from signal handlers is safe because it doesn't
use stdio, nor do the two functions it calls (logout and ftpdlogwtmp).

Use pidfile() instead of doing the equivalent thing by hand, and sometimes
forgetting to unlink the pid file at exit.
ok millert@ deraadt@

volatile sig_atomic_t

more signal marks, and some syslog_r in handlers

as is aleady closed and freed by auth_userresponse, ok millert@

make sure that va_start() has matching va_end()

-Wall

Use the 'welcome' variable from login.conf instead of hard-coding
/etc/motd.

millert didn't compile this.

Set "login" and "notickets" BSD auth options. We don't need to get
a kerb ticket but we do need AFS tokens.

more va_start/end fixes, ok deraadt@

strncpy vs strlcpy, some strlen missuse.
some other related minor cleanups, and spaces.
millert@ ok

use BSD authentication

mmap returns MAP_FAILED on error, not 0.

use GLOB_LIMIT

Block all signals in lostconn() and sigprocmask() since we are headed
for _exit(). Fixes a signal handler race condition.

do not strerror() a signo

Whoops, don't use strlcpy with utmp; millert@

Long usernames; also some simple strncpy->strlcpy.

mark remaining signal races

make sure replydirname() do not truncate names, even if the filename
is MAXPATHLEN doublequotes.
From: Paul Janzen <pjanzen@foatdi.harvard.edu>

make sure we do not return stray " at the end of stirng, like bla"\0.
From: "William C. Allen" <allenwc@home.com>

Make the -P option effective (rjmooney@mediaone.net)

Expand tilde (~) in ftp-dir login.conf variable. Closes PR 1382

Log the actual bytes transfered, rather than the original file size.

in replydirname(), avoid one-byte overrun.
From: Kristian Vlaardingerbroek <kris@obit.nl>

The man page says the default umask is 027 but it is really 022 since
that is the value of CMASK.

Have setusercontext() set the umask unless the -u flag was specified.
This allows the admin to set the umask either via -u or via a login
class in login.conf.

setusercontext should not set umask as this interferes with the
umask specified for ftpd on the command line. Closed PR #1530

typo in LPSV printing. From: Hiroyuki YAMAMORI <h-yamamo@db3.so-net.ne.jp>

cleanup EPSV/EPRT error handling. avoid possible memory leak (getaddrinfo).
correct error code on unsupported protocol parameter against EPRT (522).

branches: 1.79.2;
check return value for setenv(3) for failure, and deal appropriately

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.

crank version to 6.5

another setproctitle

always setproctitle with %s if using a variable

pr 772; -u blocks chmod command, michaels@inet.no

correct STAT command output for LPSV output.

address PR 1274 (-h does not work on EPSV).
the committed code handles IPv6 case too.

branches: 1.71.2;
strerror

do not lose descriptors; Takahiro Kambe

Turns out that our implementation of STAT wasn't RFC 959 compliant.
This version is now RFC 959 compliant, using a patch adapted from one
sent in by david.leonard@eecs.uq.edu.au

Fix a pasto in the last commit. The genesis of this bug is actually
somewhat interesting. The getwd() function has historically placed
an error message in the buffer on failure, but getcwd() does not.
Therefor, a bulk search and replace of getwd() with getcwd() can
create bugs like this one.

"pwd" should print an error, not garbage, if getcwd() fails; form@vell.nsc.ru

call dologout() with 1. not -1

using u_char * is a lot more convenient than doing & 0xff 80+ times

close passive mode data socket.
From: deraadt

IPv6 support from KAME.
XXX kerberos and tcp_wrapper needs checking

Write pid to /var/run/ftpd.pid if running in daemon mode.

Fix thinko on my part, we want to avoid setting mode to "r+" for
append, not for ascii.

Move initialization of ttyline to be after the fork() so that when
we are in daemon mode it contains the pid of the child, not the parent.
This fixes utmp/wtmp updates in daemon mode.

When restarting a STOR, open with "r+", not "w" so we don't truncate.
Based on a patch from rmooney@iss.net; closed PR #993

warning about getpeername() failing is useless

correct oob handling for STAT command; ian@plutotech.com

bad umask is an error, syslog; pointed out by form@

do not proceed if incorrect args are found; found by form

Work around the blocking read() that causes so many hung ftpd processes.

This has been extensively tested.

implement internal ls

indent

use getcwd()

check for out-of-range umask bits from strtol()

add replydirname() from netbsd; fixes 257 directory replies; problem noted by kstailey

ftpd: sleep for an indeterminate amount for non-existant logins
to simulate a crypt, like login does.
Use SEEK_* not L_* and kill some 0L's used in lseek while we're there.

allow ftpchroot-ed users to also be multihomed

use SIG_ERR

default to violating the RFC wrt the PORT command. Use -P to conform to the
RFC and possibly open up non-OpenBSD boxes in a trust relationship on your
network to possible ftp bounce attacks...

Errno save/restore.

save errno in sigchld handlers

#if __STDC__ --> #ifdef __STDC__

tabify

crank version

partial Wall

attempt to realpath() log entries

bigger buf

Support integrated tcp wrappers when in daemon mode.

change -A to let in anon | chroot accounts

do not allow connect to a 2049 either, helps firewall cases; adam@math.tau.ac.il

Splat .message file if it exists when user cd's to a directory
like wu-ftpd. Based on changes from Oliver.

crank version number

getopt(3) returns -1 when out of args, not EOF, whee!

Signals are now blocked while ftpd runs with euid 0, as suggested by
Weiste Venema. If this triggers any problems (most likely with ABOR not
working at certain times) let me know.

avoid SIGURG race; dg@root.com

stop gunique() open/fopen race

solve /tmp-style race spotted by bitblt

ftpd now eventually times out if a ftp client does:
pasv
list
and then crashes.
The timeout should only apply the the accept(), so that transfers can
take as long as necessary to complete.
Thanks to Theo for moving toolong() to extern.h so that it can be used
in ftpd.c as well as in ftpcmd.y.

-A for anon only; from freebsd

add ')'.

forget old password nicely

fd leak spotted by bitblt

s/key (otp) challenge is now rfc 1938 compliant.

vis log entries; noted by bitblt

no, bad commit

clear passwd, for safety

strncpy correctly

hide our base dir

log non-anon stuff for -S too, from downsj

Add multihome support (-M) and make stats logging look like wu-ftpd.

Handle signals better.

STATS is not an option.

strcpy -> strncpy, kill off a strdup() clone.

sprintf -> snprintf

Remove some FreeBSD cruft.

Add -h, causing passive mode connections to request the high port range.

Also a few other changes.

Add setenv for HOME (from FreeBSD).

Add daemon mode (from FreeBSD), moving a lot of things around.

Also change the advertised version to '6.1/OpenBSD'; using the old version
number from 4.4BSD seems rather silly at this point.

Add anonymous statistics logging, based on FreeBSD but with the really
obvious bugs fixed.

New mmap(2)-using send_data() from FreeBSD.

No more ftpd bounce attacks.

my netbsd pr#2217: add utmp support to ftpd, some other small changes/fixes.