From owner-freebsd-bugs@FreeBSD.ORG  Fri Nov 28 15:30:36 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 415BD16A4CF
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 28 Nov 2003 15:30:36 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 31FB943FAF
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 28 Nov 2003 15:30:21 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id hASNULFY048231
	for <freebsd-bugs@freefall.freebsd.org>;
	Fri, 28 Nov 2003 15:30:21 -0800 (PST)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id hASNULnd048230;
	Fri, 28 Nov 2003 15:30:21 -0800 (PST)
	(envelope-from gnats)
Resent-Date: Fri, 28 Nov 2003 15:30:21 -0800 (PST)
Resent-Message-Id: <200311282330.hASNULnd048230@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Nick Leuta <skynick@mail.sc.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9341516A4CE
	for <FreeBSD-gnats-submit@freebsd.org>;
	Fri, 28 Nov 2003 15:23:21 -0800 (PST)
Received: from falcon.lipetsk.ru (falcon.lipetsk.ru [195.34.224.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 39A5743F3F
	for <FreeBSD-gnats-submit@freebsd.org>;
	Fri, 28 Nov 2003 15:23:19 -0800 (PST)
	(envelope-from skynick@stu.lipetsk.ru)
Received: from lstu by falcon.lipetsk.ru with UUCP id <S203934AbTK1XXG>;
	Sat, 29 Nov 2003 02:23:06 +0300
Received: from chuck2.lstu (chuck2.lstu [192.168.15.7]) 
	by maverick.stu.int (8.9.3/8.8.5) with ESMTP id CAA22992 +0300 (MSK)
Received: by chuck2.lstu (Postfix, from userid 1000)
	id BFA9049A29; Sat, 29 Nov 2003 02:25:33 +0300 (MSK)
Message-Id: <20031128232533.BFA9049A29@chuck2.lstu>
Date: Sat, 29 Nov 2003 02:25:33 +0300 (MSK)
From: Nick Leuta <skynick@mail.sc.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/59772: ftpd(8)/FreeBSD 5: support for tcp_wrappers in daemon
	mode
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Nick Leuta <skynick@mail.sc.ru>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Nov 2003 23:30:36 -0000


>Number:         59772
>Category:       bin
>Synopsis:       ftpd(8)/FreeBSD 5: support for tcp_wrappers in daemon mode
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 28 15:30:20 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Nick Leuta
>Release:        FreeBSD 4.9-RC i386
>Organization:
Lipetsk State Technical University
>Environment:
System: FreeBSD skynick.stu.lipetsk.ru 4.9-RC FreeBSD 4.9-RC #0: Sun Nov 23 19:53:55 MSK 2003 root@skynick.stu.lipetsk.ru:/usr/src/sys/compile/CORSAIR i386
>Description:
If ftpd(8) is started from inetd(8), inetd(8) itself can do access control with
help of libwrap. But if ftpd(8) runs in daemon mode, such possibility is
unavailable.
>How-To-Repeat:
>Fix:
diff -urN ftpd.ORI/Makefile ftpd/Makefile
--- ftpd.ORI/Makefile	Sun Jan 26 22:02:56 2003
+++ ftpd/Makefile	Wed Nov 26 02:04:56 2003
@@ -5,14 +5,14 @@
 MAN=	ftpd.8 ftpchroot.5
 SRCS=	ftpd.c ftpcmd.y logwtmp.c popen.c
 
-CFLAGS+=-DSETPROCTITLE -DLOGIN_CAP -DVIRTUAL_HOSTING
+CFLAGS+=-DSETPROCTITLE -DLOGIN_CAP -DVIRTUAL_HOSTING -DTCPWRAPPERS
 CFLAGS+=-DINET6
 CFLAGS+=-I${.CURDIR}
 YFLAGS=
 WFORMAT=0
 
-DPADD=	${LIBMD} ${LIBCRYPT} ${LIBUTIL}
-LDADD=	-lmd -lcrypt -lutil
+DPADD=	${LIBMD} ${LIBCRYPT} ${LIBUTIL} ${LIBWRAP}
+LDADD=	-lmd -lcrypt -lutil -lwrap
 
 # XXX Kluge! Conversation mechanism needs to be fixed.
 DPADD+=	${LIBOPIE}
diff -urN ftpd.ORI/ftpcmd.y ftpd/ftpcmd.y
--- ftpd.ORI/ftpcmd.y	Sun Oct 26 07:30:05 2003
+++ ftpd/ftpcmd.y	Wed Nov 26 02:07:25 2003
@@ -80,7 +80,7 @@
 extern	struct passwd *pw;
 extern	int guest;
 extern	char *homedir;
-extern 	int paranoid;
+extern 	int ftpdparanoid;
 extern	int logging;
 extern	int type;
 extern	int form;
@@ -1630,7 +1630,7 @@
 			reply(500, "Invalid address rejected.");
 			return 1;
 		}
-		if (paranoid &&
+		if (ftpdparanoid &&
 		    ((ntohs(data_dest.su_port) < IPPORT_RESERVED) ||
 		     memcmp(&data_dest.su_sin.sin_addr,
 			    &his_addr.su_sin.sin_addr,
@@ -1757,7 +1757,7 @@
 			reply(500, "Invalid address rejected.");
 			return 1;
 		}
-		if (paranoid &&
+		if (ftpdparanoid &&
 		    ((ntohs(data_dest.su_port) < IPPORT_RESERVED) ||
 		     memcmp(&data_dest.su_sin6.sin6_addr,
 			    &his_addr.su_sin6.sin6_addr,
diff -urN ftpd.ORI/ftpd.c ftpd/ftpd.c
--- ftpd.ORI/ftpd.c	Sat Nov 15 14:08:26 2003
+++ ftpd/ftpd.c	Wed Nov 26 02:09:43 2003
@@ -95,6 +95,10 @@
 #include <security/pam_appl.h>
 #endif
 
+#ifdef TCPWRAPPERS
+#include <tcpd.h>
+#endif /* TCPWRAPPERS */
+
 #include "pathnames.h"
 #include "extern.h"
 
@@ -124,7 +128,7 @@
 int	maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours */
 int	logging;
 int	restricted_data_ports = 1;
-int	paranoid = 1;	  /* be extra careful about security */
+int	ftpdparanoid = 1;	  /* be extra careful about security */
 int	anon_only = 0;    /* Only anonymous ftp allowed */
 int	guest;
 int	dochroot;
@@ -186,6 +190,12 @@
 static char opieprompt[OPIE_CHALLENGE_MAX+1];
 static int pwok;
 
+#ifdef TCPWRAPPERS
+static int check_host(struct sockaddr *);
+int	allow_severity = LOG_INFO;
+int	deny_severity = LOG_NOTICE;
+#endif /* TCPWRAPPERS */
+
 char	*pid_file = NULL;
 
 /*
@@ -367,7 +377,7 @@
 			break;
 
 		case 'R':
-			paranoid = 0;
+			ftpdparanoid = 0;
 			break;
 
 		case 'S':
@@ -580,6 +590,16 @@
 		syslog(LOG_ERR, "fcntl F_SETOWN: %m");
 #endif
 	dolog((struct sockaddr *)&his_addr);
+#ifdef TCPWRAPPERS
+	/* If ftpd runs in daemon mode, this code is reachable only in the
+	 * child process */
+	if (daemon_mode) {
+		/* Use tcp_wrappers to filter incoming requests */
+		if (!check_host((struct sockaddr *)&his_addr))
+			exit(1);
+	}
+#endif /* TCPWRAPPERS */
+
 	/*
 	 * Set up default state
 	 */
@@ -3212,3 +3232,40 @@
 	}
 	return(socks);
 }
+
+#ifdef TCPWRAPPERS
+static int
+check_host(struct sockaddr *sa)
+{
+    struct request_info req;
+
+    int error_name, error_addr;
+    char sa_name[MAXHOSTNAMELEN], sa_addr[NI_MAXHOST];
+
+	error_name = getnameinfo(sa, sa->sa_len,
+		sa_name, sizeof(sa_name) - 1, NULL, 0, NI_NAMEREQD);
+	error_addr = getnameinfo(sa, sa->sa_len,
+		sa_addr, sizeof(sa_addr) - 1, NULL, 0, NI_NUMERICHOST);
+
+    /* fill req struct with port name and fd number */
+    if (!error_name) {
+	request_init(&req, RQ_DAEMON, "ftpd", RQ_CLIENT_NAME, sa_name,
+		    RQ_CLIENT_ADDR, error_addr == 0 ? sa_addr : "", RQ_USER,
+		    STRING_UNKNOWN, NULL);
+    } else {
+	request_init(&req, RQ_DAEMON, "ftpd", RQ_CLIENT_NAME, STRING_UNKNOWN,
+		    RQ_CLIENT_ADDR, error_addr == 0 ? sa_addr : "", RQ_USER,
+		    STRING_UNKNOWN, NULL);
+    }
+
+    if (!hosts_access(&req)) {
+	syslog(LOG_NOTICE, "connection from %.256s rejected by tcp_wrappers",
+	      eval_client(&req));
+	return (0);
+    }
+
+    syslog(LOG_INFO, "connection from %.256s granted by tcp_wrappers",
+	  eval_client(&req));
+    return (1);
+}
+#endif /* TCPWRAPPERS */
>Release-Note:
>Audit-Trail:
>Unformatted: