Date: Thu, 19 Jul 2001 11:22:21 -0700
From: "David O'Brien"
To: Kris Kennaway
Cc: Mike Heffner, arch@FreeBSD.ORG
Subject: Re: Importing lukemftpd
Message-ID: <20010719112221.A84356@dragon.nuxi.com>
Reply-To: obrien@FreeBSD.ORG
In-Reply-To: <20010717103604.B79329@xor.obsecurity.org>; from kris@obsecurity.org on Tue, Jul 17, 2001 at 10:36:05AM -0700

On Tue, Jul 17, 2001 at 10:36:05AM -0700, Kris Kennaway wrote:
> On Mon, Jul 16, 2001 at 09:24:54PM -0400, Mike Heffner wrote:
> > I would like to import Luke Mewburn's ftpd from NetBSD as the ftpd
> > for FreeBSD.
>
> This has been discussed extensively over on -audit in the past.

Discussed slightly with no action on -audit's part. :-(

> The
> FreeBSD ftpd is used on far too many installed systems out there to
> risk introducing new root vulnerabilities, no matter how good the
> lukemftpd code is or how small that risk.

I don't think it is installed on as many as you think. Our stock ftpd has so little functionality we send our users to wu-ftpd or ProFTPd and we know the number of security vulnerabilities those have had!

> The last
> time this came up I offered the compromise solution of importing it
> into FreeBSD to work on feature parity and to give auditors a known
> base to work from,

Ok, your bluff has been called. The code has been imported and I'm attaching the diff for libexec/ftpd/Makefile and usr.bin/ftp/Makefile.
To build the LukeM versions, apply my diff and remove all files other than `Makefile' and `config.h'.

Some of the features in our ftpd we can lose. "SITE MD5" for instance. When it was added, it was well known that LukeM did not agree with that functionality and was not going to put it into his versions. Other functionality is antiquated and not really used. Some, like OPIE and PAM, support is missing and we certainly need to get that added.

> but it is not to become the default ftpd until I've
> signed off on it.

Are you now holding all daemons hostage? I think you're being too strong on this statement. If this is going to be the case, please document that from now on daemon changes (or new ones) must be pre-approved by the S.O.

> We now have funding to perform in-depth auditing
> work on FreeBSD, so I think this would be achieved in a reasonable
> timeframe (probably by 5.0-RELEASE).

I want a _commitment_ for 5.0-RELEASE. I provided pointers to the source, explained the advantages of doing this; and still none of them reviewed the source. So let's set a timeline that your auditors have until November 1st to audit this. On November 1st we go live with LukeM ftpd.

-- 
-- David (obrien@FreeBSD.org)

--sdtB3X0nJg68CQEu Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ftpd-Makefile.patch" Index: Makefile =================================================================== RCS file: /home/ncvs/src/libexec/ftpd/Makefile,v retrieving revision 1.44 diff -u -r1.44 Makefile --- Makefile 2001/07/09 17:46:24 1.44 +++ Makefile 2001/07/19 18:08:15 
@@ -1,13 +1,16 @@ # @(#)Makefile 8.2 (Berkeley) 4/4/94 # $FreeBSD: src/libexec/ftpd/Makefile,v 1.44 2001/07/09 17:46:24 markm Exp $ +MAINTAINER= obrien + +LUKEMFTPD= ${.CURDIR}/../../contrib/lukemftpd +.PATH: ${LUKEMFTPD}/src + PROG= ftpd -MAN= ftpd.8 -SRCS= ftpd.c ftpcmd.y logwtmp.c popen.c +MAN= ftpd.8 ftpd.conf.5 ftpusers.5 +SRCS= cmds.c conf.c ftpd.c ftpcmd.y popen.c -CFLAGS+=-DSETPROCTITLE -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -CFLAGS+=-DINET6 -CFLAGS+=-I${.CURDIR} +CFLAGS+=-I${.CURDIR} -I${LUKEMFTPD} YFLAGS= LDADD= -lmd -lcrypt -lutil @@ -18,14 +21,20 @@ DPADD+= ${LIBOPIE} LSDIR= ../../bin/ls -.PATH: ${.CURDIR}/${LSDIR} -SRCS+= ls.c cmp.c print.c util.c -CFLAGS+=-Dmain=ls_main -I${.CURDIR}/${LSDIR} +.PATH: ${.CURDIR}/${LSDIR} +SRCS+= ls-hacked.c cmp.c print.c util.c +CFLAGS+=-I${.CURDIR}/${LSDIR} +CLEANFILES+= ls-hacked.c +ls-hacked.c: ls.c + sed -e 's/^main(/ls_main(/g' ${.ALLSRC} > ${.TARGET} + .if !defined(NOPAM) CFLAGS+=-DUSE_PAM DPADD+= ${LIBPAM} LDADD+= ${MINUSLPAM} .endif + +ftpd.o ftpcmd.o: version.h .include --sdtB3X0nJg68CQEu Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ftp-Makefile.patch" Index: Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/ftp/Makefile,v retrieving revision 1.12 diff -u -r1.12 Makefile --- Makefile 2000/05/16 04:23:54 1.12 +++ Makefile 2001/07/19 17:48:39 
@@ -6,17 +6,59 @@ # #CFLAGS+=-DGATE_SERVER=\"ftp-gw.host\" # -DGATE_PORT=21 +LUKEMFTP= ${.CURDIR}/../../contrib/lukemftp +.PATH: ${LUKEMFTP}/src ${LUKEMFTP}/libedit + PROG= ftp SRCS= cmds.c cmdtab.c complete.c domacro.c fetch.c ftp.c main.c ruserpass.c \ util.c +SRCS+= chared.c common.c el.c emacs.c hist.c key.c map.c \ + parse.c prompt.c read.c refresh.c search.c sig.c term.c tty.c vi.c \ + tokenizer.c history.c -CFLAGS+=-DINET6 -LDADD+= -ledit -ltermcap -DPADD+= ${LIBEDIT} ${LIBTERMCAP} +CFLAGS+=-I${.CURDIR} -I${LUKEMFTP} -I${LUKEMFTP}/libedit -I. +LDADD+= -ltermcap -lutil +DPADD+= ${LIBTERMCAP} ${LIBUTIL} LINKS= ${BINDIR}/ftp ${BINDIR}/pftp \ ${BINDIR}/ftp ${BINDIR}/gate-ftp MLINKS= ftp.1 pftp.1 \ ftp.1 gate-ftp.1 + +EDT= vi.h emacs.h common.h fcns.h fcns.c help.c help.h +SRCS+= ${EDT} +CLEANFILES+= ${EDT} makelist +.BEGIN: ${EDT} makelist + +makelist: makelist.in + sed -e 's/@AWK@/gawk/g' ${.ALLSRC} > ${.TARGET} + +vi.h: vi.c + cd ${.CURDIR} ; ${MAKE} makelist + sh ./makelist -h ${.ALLSRC} > ${.TARGET} + +emacs.h: emacs.c + cd ${.CURDIR} ; ${MAKE} makelist + sh ./makelist -h ${.ALLSRC} > ${.TARGET} + +common.h: common.c + cd ${.CURDIR} ; ${MAKE} makelist + sh ./makelist -h ${.ALLSRC} > ${.TARGET} + +fcns.h: vi.h emacs.h common.h + cd ${.CURDIR} ; ${MAKE} makelist + sh ./makelist -fh ${.ALLSRC} > ${.TARGET} + +fcns.c: vi.h emacs.h common.h + cd ${.CURDIR} ; ${MAKE} makelist + sh ./makelist -fc ${.ALLSRC} > ${.TARGET} + +help.c: vi.c emacs.c common.c + cd ${.CURDIR} ; ${MAKE} makelist + sh ./makelist -bc ${.ALLSRC} > ${.TARGET} + +help.h: vi.c emacs.c common.c + cd ${.CURDIR} ; ${MAKE} makelist + sh ./makelist -bh ${.ALLSRC} > ${.TARGET} .include --sdtB3X0nJg68CQEu-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
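
Review bot: in the first hunk of ftpd-Makefile.patch (@@ -1,13 +1,16 @@), the rewritten CFLAGS line drops -Wall together with -DSETPROCTITLE, -DLOGIN_CAP, -DVIRTUAL_HOSTING and -DINET6, and nothing visible in the patch shows these being set elsewhere. For a daemon that is being imported specifically so it can be audited, keep -Wall so the build still surfaces compiler warnings, and state in the commit message which of the removed feature defines are now supplied by config.h and which features are intentionally gone. The same applies to logwtmp.c leaving SRCS: say where wtmp logging now comes from, since the context line still links -lutil.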
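
Review bot: in the second hunk of ftpd-Makefile.patch (@@ -18,14 +21,20 @@), the unchanged context still carries DPADD+= ${LIBOPIE} and the .if !defined(NOPAM) block that sets -DUSE_PAM and links libpam, while the accompanying message says OPIE and PAM support is missing from the imported code. Leaving these in makes the Makefile read as if PAM authentication were compiled in; either remove them until the support exists or add a comment that they are currently inert. Separately, the ls-hacked.c rule depends on sed -e 's/^main(/ls_main(/g' matching a main( at column zero in ls.c: if that ever stops matching, the rule still succeeds and the failure only shows up at link time, so a check that the substitution actually happened (or keeping the previous -Dmain=ls_main scoped to the ls sources) would be more robust.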
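
Review bot: in ftp-Makefile.patch (@@ -6,17 +6,59 @@), the change from LDADD+= -ledit -ltermcap to compiling chared.c, el.c, tokenizer.c and the rest from ${LUKEMFTP}/libedit gives ftp a private copy of libedit, so fixes made to the base system's libedit will no longer reach this binary. If the bundled copy is required, document why in the Makefile; otherwise keep linking against -ledit. Two smaller points in the same hunk: the makelist rule hard-codes gawk via sed -e 's/@AWK@/gawk/g' rather than using a make variable, and -DINET6 is removed from CFLAGS without any indication of whether IPv6 support is now enabled some other way.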