Date:      Tue, 8 Nov 2016 20:12:13 +0000 (UTC)
From:      Kurt Lidl <lidl@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r308446 - stable/11/libexec/ftpd
Message-ID:  <201611082012.uA8KCDbo080031@repo.freebsd.org>

Author: lidl
Date: Tue Nov  8 20:12:13 2016
New Revision: 308446
URL: https://svnweb.freebsd.org/changeset/base/308446

Log:
  MFC r308175: Revisit blacklistd support in ftpd
  
  Enhance blacklistd support to not log anything by default,
  unless blacklistd support is enabled on the command line.
  Document new flag in man page, cleanup patches to be less
  intrusive in code.
  
  Sponsored by:	The FreeBSD Foundation

Modified:
  stable/11/libexec/ftpd/blacklist.c
  stable/11/libexec/ftpd/blacklist_client.h
  stable/11/libexec/ftpd/ftpd.8
  stable/11/libexec/ftpd/ftpd.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/libexec/ftpd/blacklist.c
==============================================================================
--- stable/11/libexec/ftpd/blacklist.c	Tue Nov  8 17:36:19 2016	(r308445)
+++ stable/11/libexec/ftpd/blacklist.c	Tue Nov  8 20:12:13 2016	(r308446)
@@ -37,16 +37,20 @@
 #include <blacklist.h>
 
 static struct blacklist *blstate;
+extern int use_blacklist;
 
 void
 blacklist_init(void)
 {
-	blstate = blacklist_open();
+
+	if (use_blacklist)
+		blstate = blacklist_open();
 }
 
 void
 blacklist_notify(int action, int fd, char *msg)
 {
+
 	if (blstate == NULL)
 		return;
 	(void)blacklist_r(blstate, action, fd, msg);
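Review bot: `extern int use_blacklist;` is declared directly in blacklist.c, so nothing makes the compiler check it against the definition in ftpd.c. Declaring it once in a header that both files include (blacklist_client.h looks like the candidate, if both files include it) would keep the two from drifting apart. A comment on blacklist_init() would also help, since leaving blstate NULL is what turns every later blacklist_notify() into a no-op when -B is absent, e.g. `/* blstate stays NULL without -B, so blacklist_notify() does nothing */`. blacklist_notify()'s body continues past the end of the hunk.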

Modified: stable/11/libexec/ftpd/blacklist_client.h
==============================================================================
--- stable/11/libexec/ftpd/blacklist_client.h	Tue Nov  8 17:36:19 2016	(r308445)
+++ stable/11/libexec/ftpd/blacklist_client.h	Tue Nov  8 20:12:13 2016	(r308446)
@@ -28,5 +28,26 @@
 
 /* $FreeBSD$ */
 
-void blacklist_notify(int, int, char *);
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+enum {
+	BLACKLIST_AUTH_OK = 0,
+	BLACKLIST_AUTH_FAIL
+};
+
+#ifdef USE_BLACKLIST
 void blacklist_init(void);
+void blacklist_notify(int, int, char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x, y, z) blacklist_notify(x, y, z)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x, y, z)
+
+#endif
+
+#endif /* BLACKLIST_CLIENT_H */
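Review bot: The disabled variants `#define BLACKLIST_INIT()` and `#define BLACKLIST_NOTIFY(x, y, z)` expand to nothing, so in a build without USE_BLACKLIST the compiler never sees the arguments and each call site is left as a bare `;`. Expanding to a no-op expression such as `#define BLACKLIST_NOTIFY(x, y, z) ((void)0)` (and the same for `BLACKLIST_INIT()`) keeps the macro usable wherever an expression is expected and avoids empty-statement warnings. The unnamed enum's values are passed as the action argument to blacklist_notify(), so a short comment saying they must match the action codes the library and daemon expect would be worth adding.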

Modified: stable/11/libexec/ftpd/ftpd.8
==============================================================================
--- stable/11/libexec/ftpd/ftpd.8	Tue Nov  8 17:36:19 2016	(r308445)
+++ stable/11/libexec/ftpd/ftpd.8	Tue Nov  8 20:12:13 2016	(r308446)
@@ -36,7 +36,7 @@
 .Nd Internet File Transfer Protocol server
 .Sh SYNOPSIS
 .Nm
-.Op Fl 468ADdEhMmOoRrSUvW
+.Op Fl 468ABDdEhMmOoRrSUvW
 .Op Fl l Op Fl l
 .Op Fl a Ar address
 .Op Fl P Ar port
@@ -95,6 +95,14 @@ When
 .Fl D
 is specified, accept connections only on the specified
 .Ar address .
+.It Fl B
+With this option set,
+.Nm
+sends authentication success and failure messages to the
+.Xr blacklistd 8
+daemon.  If this option is not specified, no communcation with the
+.Xr blacklistd 8
+daemon is attempted.
 .It Fl D
 With this option set,
 .Nm

Modified: stable/11/libexec/ftpd/ftpd.c
==============================================================================
--- stable/11/libexec/ftpd/ftpd.c	Tue Nov  8 17:36:19 2016	(r308445)
+++ stable/11/libexec/ftpd/ftpd.c	Tue Nov  8 20:12:13 2016	(r308446)
@@ -144,6 +144,7 @@ int	noretr = 0;		/* RETR command is disa
 int	noguestretr = 0;	/* RETR command is disabled for anon users. */
 int	noguestmkd = 0;		/* MKD command is disabled for anon users. */
 int	noguestmod = 1;		/* anon users may not modify existing files. */
+int	use_blacklist = 0;
 
 off_t	file_size;
 off_t	byte_count;
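Review bot: `use_blacklist` is the only flag in this group added without a trailing comment. Something like `int	use_blacklist = 0;	/* -B: report auth results to blacklistd(8) */` would match the neighbouring declarations.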
@@ -305,7 +306,7 @@ main(int argc, char *argv[], char **envp
 	openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
 
 	while ((ch = getopt(argc, argv,
-	                    "468a:AdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
+	                    "468a:ABdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
 		switch (ch) {
 		case '4':
 			family = (family == AF_INET6) ? AF_UNSPEC : AF_INET;
@@ -327,6 +328,14 @@ main(int argc, char *argv[], char **envp
 			anon_only = 1;
 			break;
 
+		case 'B':
+#ifdef USE_BLACKLIST
+			use_blacklist = 1;
+#else
+			syslog(LOG_WARNING, "not compiled with USE_BLACKLIST support");
+#endif
+			break;
+
 		case 'd':
 			ftpdebug++;
 			break;
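Review bot: In a build without USE_BLACKLIST, `-B` is accepted, a LOG_WARNING is written, and ftpd keeps running without reporting anything to blacklistd, so an operator relying on the flag to block repeated login failures gets no protection unless they read the log. The message does not name the option either; `syslog(LOG_WARNING, "-B ignored: not compiled with USE_BLACKLIST support");` would make the log entry actionable. Whether ftpd should refuse to start instead is a policy choice worth stating in the man page. The switch and main() continue outside the hunk.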
@@ -644,9 +653,7 @@ gotchild:
 		reply(220, "%s FTP server (%s) ready.", hostname, version);
 	else
 		reply(220, "FTP server ready.");
-#ifdef USE_BLACKLIST
-	blacklist_init();
-#endif
+	BLACKLIST_INIT();
 	for (;;)
 		(void) yyparse();
 	/* NOTREACHED */
@@ -1422,9 +1429,7 @@ skip:
 		 */
 		if (rval) {
 			reply(530, "Login incorrect.");
-#ifdef USE_BLACKLIST
-			blacklist_notify(1, STDIN_FILENO, "Login incorrect");
-#endif
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, STDIN_FILENO, "Login incorrect");
 			if (logging) {
 				syslog(LOG_NOTICE,
 				    "FTP LOGIN FAILED FROM %s",
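Review bot: The new `BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, STDIN_FILENO, "Login incorrect");` line runs well past 80 columns at three tabs of indent, unlike the wrapped syslog() call just below it; the `BLACKLIST_AUTH_OK` call in the next hunk has the same problem. Breaking after the second argument, `BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, STDIN_FILENO,` with `"Login incorrect");` on a continuation line, would keep it consistent with the surrounding code. The notification is also sent regardless of `logging`, which looks intentional but deserves a one-line comment saying so. The enclosing function starts and ends outside the hunk.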
@@ -1441,12 +1446,9 @@ skip:
 				exit(0);
 			}
 			return;
+		} else {
+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, STDIN_FILENO, "Login successful");
 		}
-#ifdef USE_BLACKLIST
-		 else {
-			blacklist_notify(0, STDIN_FILENO, "Login successful");
-		}
-#endif
 	}
 	login_attempts = 0;		/* this time successful */
 	if (setegid(pw->pw_gid) < 0) {


