Correct PPTP server firewall rules chain.
[tomato/davidwu.git] / release / src / router / vsftpd / privops.c
blob4ed17168fe9a5a2b1975572177e7b26f1f31af47
1 /*
2 * Part of Very Secure FTPd
3 * License: GPL v2
4 * Author: Chris Evans
5 * privops.c
7 * Code implementing the privileged operations that the unprivileged client
8 * might request.
9 * Look for suitable paranoia in this file.
12 #include "privops.h"
13 #include "session.h"
14 #include "sysdeputil.h"
15 #include "sysutil.h"
16 #include "utility.h"
17 #include "str.h"
18 #include "tunables.h"
19 #include "defs.h"
20 #include "logging.h"
22 /* File private functions */
23 static enum EVSFPrivopLoginResult handle_anonymous_login(
24 struct vsf_session* p_sess, const struct mystr* p_pass_str);
25 static enum EVSFPrivopLoginResult handle_local_login(
26 struct vsf_session* p_sess, struct mystr* p_user_str,
27 const struct mystr* p_pass_str);
28 static void setup_username_globals(struct vsf_session* p_sess,
29 const struct mystr* p_str);
30 static enum EVSFPrivopLoginResult handle_login(
31 struct vsf_session* p_sess, struct mystr* p_user_str,
32 const struct mystr* p_pass_str);
34 int
35 vsf_privop_get_ftp_port_sock(struct vsf_session* p_sess,
36 unsigned short remote_port,
37 int use_port_sockaddr)
39 static struct vsf_sysutil_sockaddr* p_sockaddr;
40 const struct vsf_sysutil_sockaddr* p_connect_to;
41 int retval;
42 int i;
43 int s = vsf_sysutil_get_ipsock(p_sess->p_local_addr);
44 int port = 0;
45 if (vsf_sysutil_is_port_reserved(remote_port))
47 die("Illegal port request");
49 if (tunable_connect_from_port_20)
51 port = tunable_ftp_data_port;
53 vsf_sysutil_activate_reuseaddr(s);
54 /* A report of failure here on Solaris, presumably buggy address reuse
55 * support? We'll retry.
57 for (i = 0; i < 2; ++i)
59 double sleep_for;
60 vsf_sysutil_sockaddr_clone(&p_sockaddr, p_sess->p_local_addr);
61 vsf_sysutil_sockaddr_set_port(p_sockaddr, port);
62 retval = vsf_sysutil_bind(s, p_sockaddr);
63 if (retval == 0)
65 break;
67 if (vsf_sysutil_get_error() != kVSFSysUtilErrADDRINUSE || i == 1)
69 die("vsf_sysutil_bind");
71 sleep_for = vsf_sysutil_get_random_byte();
72 sleep_for /= 256.0;
73 sleep_for += 1.0;
74 vsf_sysutil_sleep(sleep_for);
76 if (use_port_sockaddr)
78 p_connect_to = p_sess->p_port_sockaddr;
80 else
82 vsf_sysutil_sockaddr_set_port(p_sess->p_remote_addr, remote_port);
83 p_connect_to = p_sess->p_remote_addr;
85 retval = vsf_sysutil_connect_timeout(s, p_connect_to,
86 tunable_connect_timeout);
87 if (vsf_sysutil_retval_is_error(retval))
89 vsf_sysutil_close(s);
90 s = -1;
92 return s;
95 void
96 vsf_privop_pasv_cleanup(struct vsf_session* p_sess)
98 if (p_sess->pasv_listen_fd != -1)
100 vsf_sysutil_close(p_sess->pasv_listen_fd);
101 p_sess->pasv_listen_fd = -1;
106 vsf_privop_pasv_active(struct vsf_session* p_sess)
108 if (p_sess->pasv_listen_fd != -1)
110 return 1;
112 return 0;
115 unsigned short
116 vsf_privop_pasv_listen(struct vsf_session* p_sess)
118 static struct vsf_sysutil_sockaddr* s_p_sockaddr;
119 int bind_retries = 10;
120 unsigned short the_port = 0;
121 /* IPPORT_RESERVED */
122 unsigned short min_port = 1024;
123 unsigned short max_port = 65535;
124 int is_ipv6 = vsf_sysutil_sockaddr_is_ipv6(p_sess->p_local_addr);
125 if (is_ipv6)
127 p_sess->pasv_listen_fd = vsf_sysutil_get_ipv6_sock();
129 else
131 p_sess->pasv_listen_fd = vsf_sysutil_get_ipv4_sock();
133 vsf_sysutil_activate_reuseaddr(p_sess->pasv_listen_fd);
135 if (tunable_pasv_min_port > min_port && tunable_pasv_min_port <= max_port)
137 min_port = tunable_pasv_min_port;
139 if (tunable_pasv_max_port >= min_port && tunable_pasv_max_port < max_port)
141 max_port = tunable_pasv_max_port;
144 while (--bind_retries)
146 int retval;
147 double scaled_port;
148 the_port = vsf_sysutil_get_random_byte();
149 the_port <<= 8;
150 the_port |= vsf_sysutil_get_random_byte();
151 scaled_port = (double) min_port;
152 scaled_port += ((double) the_port / (double) 65536) *
153 ((double) max_port - min_port + 1);
154 the_port = (unsigned short) scaled_port;
155 vsf_sysutil_sockaddr_clone(&s_p_sockaddr, p_sess->p_local_addr);
156 vsf_sysutil_sockaddr_set_port(s_p_sockaddr, the_port);
157 retval = vsf_sysutil_bind(p_sess->pasv_listen_fd, s_p_sockaddr);
158 if (!vsf_sysutil_retval_is_error(retval))
160 retval = vsf_sysutil_listen(p_sess->pasv_listen_fd, 1);
161 if (!vsf_sysutil_retval_is_error(retval))
163 break;
166 /* SELinux systems can give you an inopportune EACCES, it seems. */
167 if (vsf_sysutil_get_error() == kVSFSysUtilErrADDRINUSE ||
168 vsf_sysutil_get_error() == kVSFSysUtilErrACCES)
170 continue;
172 die("vsf_sysutil_bind / listen");
174 if (!bind_retries)
176 die("vsf_sysutil_bind");
178 return the_port;
182 vsf_privop_accept_pasv(struct vsf_session* p_sess)
184 struct vsf_sysutil_sockaddr* p_accept_addr = 0;
185 int remote_fd;
186 vsf_sysutil_sockaddr_alloc(&p_accept_addr);
187 remote_fd = vsf_sysutil_accept_timeout(p_sess->pasv_listen_fd, p_accept_addr,
188 tunable_accept_timeout);
189 if (vsf_sysutil_retval_is_error(remote_fd))
191 vsf_sysutil_sockaddr_clear(&p_accept_addr);
192 return -1;
194 /* SECURITY:
195 * Reject the connection if it wasn't from the same IP as the
196 * control connection.
198 if (!tunable_pasv_promiscuous)
200 if (!vsf_sysutil_sockaddr_addr_equal(p_sess->p_remote_addr, p_accept_addr))
202 vsf_sysutil_close(remote_fd);
203 vsf_sysutil_sockaddr_clear(&p_accept_addr);
204 return -2;
207 vsf_sysutil_sockaddr_clear(&p_accept_addr);
208 return remote_fd;
211 void
212 vsf_privop_do_file_chown(struct vsf_session* p_sess, int fd)
214 static struct vsf_sysutil_statbuf* s_p_statbuf;
215 vsf_sysutil_fstat(fd, &s_p_statbuf);
216 /* Do nothing if it is already owned by the desired user. */
217 if (vsf_sysutil_statbuf_get_uid(s_p_statbuf) ==
218 p_sess->anon_upload_chown_uid)
220 return;
222 /* Drop it like a hot potato unless it's a regular file owned by
223 * the the anonymous ftp user
225 if (p_sess->anon_upload_chown_uid == -1 ||
226 !vsf_sysutil_statbuf_is_regfile(s_p_statbuf) ||
227 (vsf_sysutil_statbuf_get_uid(s_p_statbuf) != p_sess->anon_ftp_uid &&
228 vsf_sysutil_statbuf_get_uid(s_p_statbuf) != p_sess->guest_user_uid))
230 die("invalid fd in cmd_process_chown");
232 /* SECURITY! You need an OS which strips SUID/SGID bits on chown(),
233 * otherwise a compromise of the FTP user will lead to compromise of
234 * the "anon_upload_chown_uid" user (think chmod +s).
236 vsf_sysutil_fchown(fd, p_sess->anon_upload_chown_uid, -1);
239 enum EVSFPrivopLoginResult
240 vsf_privop_do_login(struct vsf_session* p_sess,
241 const struct mystr* p_pass_str)
243 enum EVSFPrivopLoginResult result =
244 handle_login(p_sess, &p_sess->user_str, p_pass_str);
245 vsf_log_start_entry(p_sess, kVSFLogEntryLogin);
246 if (result == kVSFLoginFail)
248 vsf_log_do_log(p_sess, 0);
249 if (tunable_delay_failed_login)
251 vsf_sysutil_sleep((double) tunable_delay_failed_login);
254 else
256 vsf_log_do_log(p_sess, 1);
257 if (tunable_delay_successful_login)
259 vsf_sysutil_sleep((double) tunable_delay_successful_login);
262 return result;
265 static enum EVSFPrivopLoginResult
266 handle_login(struct vsf_session* p_sess, struct mystr* p_user_str,
267 const struct mystr* p_pass_str)
269 /* Do not assume PAM can cope with dodgy input, even though it
270 * almost certainly can.
272 int anonymous_login = 0;
273 char first_char;
274 unsigned int len = str_getlen(p_user_str);
275 if (len == 0 || len > VSFTP_USERNAME_MAX)
277 return kVSFLoginFail;
279 /* Throw out dodgy start characters */
280 first_char = str_get_char_at(p_user_str, 0);
281 if (!vsf_sysutil_isalnum(first_char) &&
282 first_char != '_' &&
283 first_char != '.')
285 return kVSFLoginFail;
287 /* Throw out non-printable characters and space in username */
288 if (str_contains_space(p_user_str) ||
289 str_contains_unprintable(p_user_str))
291 return kVSFLoginFail;
293 /* Throw out excessive length passwords */
294 len = str_getlen(p_pass_str);
295 if (len > VSFTP_PASSWORD_MAX)
297 return kVSFLoginFail;
299 /* Check for an anonymous login or "real" login */
300 if (tunable_anonymous_enable)
302 struct mystr upper_str = INIT_MYSTR;
303 str_copy(&upper_str, p_user_str);
304 str_upper(&upper_str);
305 if (str_equal_text(&upper_str, "FTP") ||
306 str_equal_text(&upper_str, "ANONYMOUS"))
308 anonymous_login = 1;
310 str_free(&upper_str);
313 enum EVSFPrivopLoginResult result = kVSFLoginFail;
314 if (anonymous_login)
316 result = handle_anonymous_login(p_sess, p_pass_str);
318 else
320 if (!tunable_local_enable)
322 die("unexpected local login in handle_login");
324 result = handle_local_login(p_sess, p_user_str, p_pass_str);
326 return result;
330 static enum EVSFPrivopLoginResult
331 handle_anonymous_login(struct vsf_session* p_sess,
332 const struct mystr* p_pass_str)
334 if (!str_isempty(&p_sess->banned_email_str) &&
335 str_contains_line(&p_sess->banned_email_str, p_pass_str))
337 return kVSFLoginFail;
339 if (!str_isempty(&p_sess->email_passwords_str) &&
340 (!str_contains_line(&p_sess->email_passwords_str, p_pass_str) ||
341 str_isempty(p_pass_str)))
343 return kVSFLoginFail;
345 /* Store the anonymous identity string */
346 str_copy(&p_sess->anon_pass_str, p_pass_str);
347 if (str_isempty(&p_sess->anon_pass_str))
349 str_alloc_text(&p_sess->anon_pass_str, "?");
351 /* "Fix" any characters which might upset the log processing */
352 str_replace_char(&p_sess->anon_pass_str, ' ', '_');
353 str_replace_char(&p_sess->anon_pass_str, '\n', '?');
355 struct mystr ftp_username_str = INIT_MYSTR;
356 str_alloc_text(&ftp_username_str, tunable_ftp_username);
357 setup_username_globals(p_sess, &ftp_username_str);
358 str_free(&ftp_username_str);
360 str_free(&p_sess->banned_email_str);
361 str_free(&p_sess->email_passwords_str);
362 return kVSFLoginAnon;
365 static enum EVSFPrivopLoginResult
366 handle_local_login(struct vsf_session* p_sess,
367 struct mystr* p_user_str,
368 const struct mystr* p_pass_str)
370 if (!vsf_sysdep_check_auth(p_user_str, p_pass_str, &p_sess->remote_ip_str))
372 return kVSFLoginFail;
374 setup_username_globals(p_sess, p_user_str);
375 return kVSFLoginReal;
378 static void
379 setup_username_globals(struct vsf_session* p_sess, const struct mystr* p_str)
381 str_copy(&p_sess->user_str, p_str);
382 if (tunable_setproctitle_enable)
384 struct mystr prefix_str = INIT_MYSTR;
385 str_copy(&prefix_str, &p_sess->remote_ip_str);
386 str_append_char(&prefix_str, '/');
387 str_append_str(&prefix_str, p_str);
388 vsf_sysutil_set_proctitle_prefix(&prefix_str);
389 str_free(&prefix_str);