From owner-svn-src-stable@freebsd.org Tue Nov 8 20:12:15 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 50515C3719B; Tue, 8 Nov 2016 20:12:15 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 11D7A5F7; Tue, 8 Nov 2016 20:12:14 +0000 (UTC) (envelope-from lidl@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uA8KCEBl080035; Tue, 8 Nov 2016 20:12:14 GMT (envelope-from lidl@FreeBSD.org) Received: (from lidl@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uA8KCDbo080031; Tue, 8 Nov 2016 20:12:13 GMT (envelope-from lidl@FreeBSD.org) Message-Id: <201611082012.uA8KCDbo080031@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: lidl set sender to lidl@FreeBSD.org using -f From: Kurt Lidl Date: Tue, 8 Nov 2016 20:12:13 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r308446 - stable/11/libexec/ftpd X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Nov 2016 20:12:15 -0000 Author: lidl Date: Tue Nov 8 20:12:13 2016 New Revision: 308446 URL: https://svnweb.freebsd.org/changeset/base/308446 Log: MFC r308175: Revisit blacklistd support in ftpd Enhance blacklistd support to not log anything by default, unless blacklistd support is enabled on the command line. Document new flag in man page, cleanup patches to be less intrusive in code. Sponsored by: The FreeBSD Foundation Modified: stable/11/libexec/ftpd/blacklist.c stable/11/libexec/ftpd/blacklist_client.h stable/11/libexec/ftpd/ftpd.8 stable/11/libexec/ftpd/ftpd.c Directory Properties: stable/11/ (props changed) Modified: stable/11/libexec/ftpd/blacklist.c ============================================================================== --- stable/11/libexec/ftpd/blacklist.c Tue Nov 8 17:36:19 2016 (r308445) +++ stable/11/libexec/ftpd/blacklist.c Tue Nov 8 20:12:13 2016 (r308446) @@ -37,16 +37,20 @@ #include static struct blacklist *blstate; +extern int use_blacklist; void blacklist_init(void) { - blstate = blacklist_open(); + + if (use_blacklist) + blstate = blacklist_open(); } void blacklist_notify(int action, int fd, char *msg) { + if (blstate == NULL) return; (void)blacklist_r(blstate, action, fd, msg); Modified: stable/11/libexec/ftpd/blacklist_client.h ============================================================================== --- stable/11/libexec/ftpd/blacklist_client.h Tue Nov 8 17:36:19 2016 (r308445) +++ stable/11/libexec/ftpd/blacklist_client.h Tue Nov 8 20:12:13 2016 (r308446) @@ -28,5 +28,26 @@ /* $FreeBSD$ */ -void blacklist_notify(int, int, char *); +#ifndef BLACKLIST_CLIENT_H +#define BLACKLIST_CLIENT_H + +enum { + BLACKLIST_AUTH_OK = 0, + BLACKLIST_AUTH_FAIL +}; + +#ifdef USE_BLACKLIST void blacklist_init(void); +void blacklist_notify(int, int, char *); + +#define BLACKLIST_INIT() blacklist_init() +#define BLACKLIST_NOTIFY(x, y, z) blacklist_notify(x, y, z) + +#else + +#define BLACKLIST_INIT() +#define BLACKLIST_NOTIFY(x, y, z) + +#endif + +#endif /* BLACKLIST_CLIENT_H */ Modified: stable/11/libexec/ftpd/ftpd.8 ============================================================================== --- stable/11/libexec/ftpd/ftpd.8 Tue Nov 8 17:36:19 2016 (r308445) +++ stable/11/libexec/ftpd/ftpd.8 Tue Nov 8 20:12:13 2016 (r308446) @@ -36,7 +36,7 @@ .Nd Internet File Transfer Protocol server .Sh SYNOPSIS .Nm -.Op Fl 468ADdEhMmOoRrSUvW +.Op Fl 468ABDdEhMmOoRrSUvW .Op Fl l Op Fl l .Op Fl a Ar address .Op Fl P Ar port @@ -95,6 +95,14 @@ When .Fl D is specified, accept connections only on the specified .Ar address . +.It Fl B +With this option set, +.Nm +sends authentication success and failure messages to the +.Xr blacklistd 8 +daemon. If this option is not specified, no communcation with the +.Xr blacklistd 8 +daemon is attempted. .It Fl D With this option set, .Nm Modified: stable/11/libexec/ftpd/ftpd.c ============================================================================== --- stable/11/libexec/ftpd/ftpd.c Tue Nov 8 17:36:19 2016 (r308445) +++ stable/11/libexec/ftpd/ftpd.c Tue Nov 8 20:12:13 2016 (r308446) @@ -144,6 +144,7 @@ int noretr = 0; /* RETR command is disa int noguestretr = 0; /* RETR command is disabled for anon users. */ int noguestmkd = 0; /* MKD command is disabled for anon users. */ int noguestmod = 1; /* anon users may not modify existing files. */ +int use_blacklist = 0; off_t file_size; off_t byte_count; @@ -305,7 +306,7 @@ main(int argc, char *argv[], char **envp openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP); while ((ch = getopt(argc, argv, - "468a:AdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) { + "468a:ABdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) { switch (ch) { case '4': family = (family == AF_INET6) ? AF_UNSPEC : AF_INET; @@ -327,6 +328,14 @@ main(int argc, char *argv[], char **envp anon_only = 1; break; + case 'B': +#ifdef USE_BLACKLIST + use_blacklist = 1; +#else + syslog(LOG_WARNING, "not compiled with USE_BLACKLIST support"); +#endif + break; + case 'd': ftpdebug++; break; @@ -644,9 +653,7 @@ gotchild: reply(220, "%s FTP server (%s) ready.", hostname, version); else reply(220, "FTP server ready."); -#ifdef USE_BLACKLIST - blacklist_init(); -#endif + BLACKLIST_INIT(); for (;;) (void) yyparse(); /* NOTREACHED */ @@ -1422,9 +1429,7 @@ skip: */ if (rval) { reply(530, "Login incorrect."); -#ifdef USE_BLACKLIST - blacklist_notify(1, STDIN_FILENO, "Login incorrect"); -#endif + BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, STDIN_FILENO, "Login incorrect"); if (logging) { syslog(LOG_NOTICE, "FTP LOGIN FAILED FROM %s", @@ -1441,12 +1446,9 @@ skip: exit(0); } return; + } else { + BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, STDIN_FILENO, "Login successful"); } -#ifdef USE_BLACKLIST - else { - blacklist_notify(0, STDIN_FILENO, "Login successful"); - } -#endif } login_attempts = 0; /* this time successful */ if (setegid(pw->pw_gid) < 0) {