From jedgar@fxp.org  Sat Sep  2 04:18:01 2000
Return-Path: <jedgar@fxp.org>
Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235])
	by hub.freebsd.org (Postfix) with ESMTP id 0675937B424
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  2 Sep 2000 04:18:01 -0700 (PDT)
Received: by pawn.primelocation.net (Postfix, from userid 1003)
	id 334569B05; Sat,  2 Sep 2000 07:18:00 -0400 (EDT)
Message-Id: <20000902111800.334569B05@pawn.primelocation.net>
Date: Sat,  2 Sep 2000 07:18:00 -0400 (EDT)
From: jedgar@fxp.org
Reply-To: jedgar@fxp.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: many ftpd commands not limited to logins
X-Send-Pr-Version: 3.2

>Number:         20993
>Category:       bin
>Synopsis:       many ftpd commands not limited to logins
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 02 04:20:03 PDT 2000
>Closed-Date:    Fri Jan 19 17:35:15 PST 2001
>Last-Modified:  Fri Jan 19 17:35:29 PST 2001
>Originator:     Chris D. Faulhaber
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
>Environment:

	FreeBSD 4.1-STABLE i386

>Description:

	Many ftpd commands are not limited to users who are logged in.  The
	following patch teaches TYPE, STRU, MODE, ALLO, STAT, ABOR, SITE IDLE,
	SYST, and REST not to talk to strangers.

>How-To-Repeat:

	Issue a SYST command when connected but not logged in

>Fix:

Index: ftpcmd.y
===================================================================
RCS file: /home/ncvs/src/libexec/ftpd/ftpcmd.y,v
retrieving revision 1.17
diff -u -r1.17 ftpcmd.y
--- ftpcmd.y	2000/07/17 22:24:52	1.17
+++ ftpcmd.y	2000/08/15 23:59:40
@@ -351,72 +351,82 @@
 			if ($2)
 				long_passive("EPSV", PF_UNSPEC);
 		}
-	| TYPE SP type_code CRLF
+	| TYPE check_login SP type_code CRLF
 		{
-			switch (cmd_type) {
+			if ($2) {
+				switch (cmd_type) {
+
+				case TYPE_A:
+					if (cmd_form == FORM_N) {
+						reply(200, "Type set to A.");
+						type = cmd_type;
+						form = cmd_form;
+					} else
+						reply(504, "Form must be N.");
+					break;
+
+				case TYPE_E:
+					reply(504, "Type E not implemented.");
+					break;
 
-			case TYPE_A:
-				if (cmd_form == FORM_N) {
-					reply(200, "Type set to A.");
+				case TYPE_I:
+					reply(200, "Type set to I.");
 					type = cmd_type;
-					form = cmd_form;
-				} else
-					reply(504, "Form must be N.");
-				break;
-
-			case TYPE_E:
-				reply(504, "Type E not implemented.");
-				break;
-
-			case TYPE_I:
-				reply(200, "Type set to I.");
-				type = cmd_type;
-				break;
+					break;
 
-			case TYPE_L:
+				case TYPE_L:
 #if NBBY == 8
-				if (cmd_bytesz == 8) {
-					reply(200,
-					    "Type set to L (byte size 8).");
-					type = cmd_type;
-				} else
-					reply(504, "Byte size must be 8.");
+					if (cmd_bytesz == 8) {
+						reply(200,
+						    "Type set to L (byte size 8).");
+						type = cmd_type;
+					} else
+						reply(504, "Byte size must be 8.");
 #else /* NBBY == 8 */
-				UNIMPLEMENTED for NBBY != 8
+					UNIMPLEMENTED for NBBY != 8
 #endif /* NBBY == 8 */
+				}
 			}
 		}
-	| STRU SP struct_code CRLF
+	| STRU check_login SP struct_code CRLF
 		{
-			switch ($3) {
+			if ($2) {
+				switch ($4) {
 
-			case STRU_F:
-				reply(200, "STRU F ok.");
-				break;
+				case STRU_F:
+					reply(200, "STRU F ok.");
+					break;
 
-			default:
-				reply(504, "Unimplemented STRU type.");
+				default:
+					reply(504, "Unimplemented STRU type.");
+				}
 			}
 		}
-	| MODE SP mode_code CRLF
+	| MODE check_login SP mode_code CRLF
 		{
-			switch ($3) {
-
-			case MODE_S:
-				reply(200, "MODE S ok.");
-				break;
+			if ($2) {
+				switch ($4) {
 
-			default:
-				reply(502, "Unimplemented MODE type.");
+				case MODE_S:
+					reply(200, "MODE S ok.");
+					break;
+	
+				default:
+					reply(502, "Unimplemented MODE type.");
+				}
 			}
 		}
-	| ALLO SP NUMBER CRLF
+	| ALLO check_login SP NUMBER CRLF
 		{
-			reply(202, "ALLO command ignored.");
+			if ($2) {
+				reply(202, "ALLO command ignored.");
+			}
 		}
-	| ALLO SP NUMBER SP R SP NUMBER CRLF
+	| ALLO check_login SP NUMBER SP R SP NUMBER CRLF
 		{
-			reply(202, "ALLO command ignored.");
+			if ($2) {
+				reply(202, "ALLO command ignored.");
+			}
 		}
 	| RETR check_login SP pathname CRLF
 		{
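Review bot: None of the new `if ($2)` blocks in the TYPE, STRU, MODE and ALLO actions has an else branch, so a client that is not logged in gets no reply from these actions; the refusal has to come from `check_login` itself, which is the pattern the unchanged `RETR check_login SP pathname CRLF` rule suggests. A short comment stating that dependency would help the next reader. The `$3` to `$4` renumbering in STRU and MODE matches the inserted symbol. In the MODE action, the added blank line between `break;` and `default:` carries a stray tab that should be dropped.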
@@ -470,9 +480,11 @@
 			if ($4 != NULL)
 				free($4);
 		}
-	| STAT CRLF
+	| STAT check_login CRLF
 		{
-			statcmd();
+			if ($2) {
+				statcmd();
+			}
 		}
 	| DELE check_login SP pathname CRLF
 		{
@@ -494,9 +506,10 @@
 			}
 			free($4);
 		}
-	| ABOR CRLF
+	| ABOR check_login CRLF
 		{
-			reply(225, "ABOR command successful.");
+			if ($2)
+				reply(225, "ABOR command successful.");
 		}
 	| CWD check_login CRLF
 		{
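Review bot: The `if ($2)` guard in the ABOR action is unbraced, while the same single-statement guard in the STAT and ALLO actions is written with braces. Pick one form and use it throughout the patch.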
@@ -604,24 +617,28 @@
 			if ($8 != NULL)
 				free($8);
 		}
-	| SITE SP IDLE CRLF
+	| SITE SP check_login IDLE CRLF
 		{
-			reply(200,
-			    "Current IDLE time limit is %d seconds; max %d",
-				timeout, maxtimeout);
-		}
-	| SITE SP IDLE SP NUMBER CRLF
-		{
-			if ($5 < 30 || $5 > maxtimeout) {
-				reply(501,
-			"Maximum IDLE time must be between 30 and %d seconds",
-				    maxtimeout);
-			} else {
-				timeout = $5;
-				(void) alarm((unsigned) timeout);
+			if ($3)
 				reply(200,
-				    "Maximum IDLE time set to %d seconds",
-				    timeout);
+			    	    "Current IDLE time limit is %d seconds; max %d",
+				    timeout, maxtimeout);
+		}
+	| SITE SP check_login IDLE SP NUMBER CRLF
+		{
+			if ($3) {
+				if ($6 < 30 || $6 > maxtimeout) {
+					reply(501,
+					    "Maximum IDLE time must be between "
+					    "30 and %d seconds",
+					    maxtimeout);
+				} else {
+					timeout = $6;
+					(void) alarm((unsigned) timeout);
+					reply(200,
+					    "Maximum IDLE time set to %d seconds",
+					    timeout);
+				}
 			}
 		}
 	| STOU check_login SP pathname CRLF
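Review bot: `check_login` is placed after `SITE SP` in both IDLE rules, whereas every other rule touched by this patch puts it directly after the command token (for example `STAT check_login CRLF`). If that placement follows the existing SITE rules, fine; otherwise explain it in a comment. The `$5` to `$6` renumbering is consistent with the inserted symbol. Two style points: the continuation line of the "Current IDLE time limit" reply is indented with spaces followed by a tab, and splitting the "Maximum IDLE time must be between" string across two literals makes the message harder to grep for, so keep it as one string.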
@@ -631,8 +648,9 @@
 			if ($4 != NULL)
 				free($4);
 		}
-	| SYST CRLF
+	| SYST check_login CRLF
 		{
+			if ($2)
 #ifdef unix
 #ifdef BSD
 			reply(215, "UNIX Type: L%d Version: BSD-%d",
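Review bot: The unbraced `if ($2)` added directly above `#ifdef unix` guards only whatever single statement the preprocessor leaves after it. The branch visible here is one `reply(215, ...)` call, but a branch of the conditional chain that expands to more than one statement, or to none, would leave code outside the login check or attach the `if` to an unintended statement. Wrap the whole preprocessor block in braces, `if ($2) {` before `#ifdef unix` and `}` after the final `#endif`, and indent the body to match.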
@@ -714,12 +732,15 @@
 				}
 			}
 		}
-	| REST SP byte_size CRLF
+	| REST check_login SP byte_size CRLF
 		{
-			fromname = (char *) 0;
-			restart_point = $3;	/* XXX $3 is only "int" */
-			reply(350, "Restarting at %qd. %s", restart_point,
-			    "Send STORE or RETRIEVE to initiate transfer.");
+			if ($2) {
+				fromname = (char *) 0;
+				restart_point = $4;  /* XXX $4 is only "int" */
+				reply(350, "Restarting at %qd. %s",
+				    restart_point,
+				    "Send STORE or RETRIEVE to initiate transfer.");
+			}
 		}
 	;
 

>Release-Note:
>Audit-Trail:

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: jedgar@fxp.org
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/20993: many ftpd commands not limited to logins 
Date: Tue, 05 Sep 2000 13:36:43 +0200

 On Sat, 02 Sep 2000 07:18:00 -0400, jedgar@fxp.org wrote:
 
 > >Number:         20993
 > >Category:       bin
 > >Synopsis:       many ftpd commands not limited to logins
 
 This would need to spend a _long_ time in CURRENT before being merged
 into RELENG_4.
 
 Ciao,
 Sheldon.
 

From: "Chris D. Faulhaber" <jedgar@fxp.org>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/20993: many ftpd commands not limited to logins 
Date: Tue, 5 Sep 2000 07:43:21 -0400 (EDT)

 On Tue, 5 Sep 2000, Sheldon Hearn wrote:
 
 > On Sat, 02 Sep 2000 07:18:00 -0400, jedgar@fxp.org wrote:
 > 
 > > >Number:         20993
 > > >Category:       bin
 > > >Synopsis:       many ftpd commands not limited to logins
 > 
 > This would need to spend a _long_ time in CURRENT before being merged
 > into RELENG_4.
 > 
 
 Ummm, ok.  The changes are quite trivial, though.
 
 -----
 Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
 --------------------------------------------------------
 FreeBSD: The Power To Serve   -   http://www.FreeBSD.org
 
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: "Chris D. Faulhaber" <jedgar@fxp.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/20993: many ftpd commands not limited to logins 
Date: Tue, 05 Sep 2000 13:56:20 +0200

 On Tue, 05 Sep 2000 07:43:21 -0400, "Chris D. Faulhaber" wrote:
 
 > > This would need to spend a _long_ time in CURRENT before being merged
 > > into RELENG_4.
 > > 
 > 
 > Ummm, ok.  The changes are quite trivial, though.
 
 The deltas are small and simple, but the potential impact is not
 trivial.  How much time have you spent investigating what this will do
 to various software packages that rely on the current behaviour?
 
 I realize that several other FTP daemons behave as you propose that ours
 should.  I just don't think that we should rush the merge into STABLE,
 especially since this doesn't seem to fix any glaring security holes.
 
 Ciao,
 Sheldon.
 

From: "Chris D. Faulhaber" <jedgar@fxp.org>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/20993: many ftpd commands not limited to logins 
Date: Tue, 5 Sep 2000 08:30:16 -0400 (EDT)

 On Tue, 5 Sep 2000, Sheldon Hearn wrote:
 
 > 
 > 
 > On Tue, 05 Sep 2000 07:43:21 -0400, "Chris D. Faulhaber" wrote:
 > 
 > > > This would need to spend a _long_ time in CURRENT before being merged
 > > > into RELENG_4.
 > > > 
 > > 
 > > Ummm, ok.  The changes are quite trivial, though.
 > 
 > The deltas are small and simple, but the potential impact is not
 > trivial.  How much time have you spent investigating what this will do
 > to various software packages that rely on the current behaviour?
 > 
 > I realize that several other FTP daemons behave as you propose that ours
 > should.  I just don't think that we should rush the merge into STABLE,
 > especially since this doesn't seem to fix any glaring security holes.
 > 
 
 a) none of the commands affected should be used if a user is not logged
 in, and the patch does not change the behaviour of commands once a user is
 authenticated
 b) all changes were taken from OpenBSD
 c) we currently allow the SYST command to be issued to anyone who connects
 (comments about which prompted me to make these changes), which some may
 not realize (and others may view as a security concern)
 d) Works Here[tm] (ok, lame excuse)
 e) if these changes are unwanted, I'll gladly close the PR and save the
 gnats bloat.
 
 -----
 Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
 --------------------------------------------------------
 FreeBSD: The Power To Serve   -   http://www.FreeBSD.org
 
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: "Chris D. Faulhaber" <jedgar@fxp.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/20993: many ftpd commands not limited to logins 
Date: Tue, 05 Sep 2000 14:46:19 +0200

 On Tue, 05 Sep 2000 08:30:16 -0400, "Chris D. Faulhaber" wrote:
 
 > e) if these changes are unwanted, I'll gladly close the PR and save the
 > gnats bloat.
 
 I think the change is desirable.  All I said (third time lucky) is that
 we should give this a while to settle in CURRENT before merging it into
 STABLE. :-)
 
 Ciao,
 Sheldon.
 
Responsible-Changed-From-To: freebsd-bugs->jedgar 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Tue Sep 12 06:56:46 PDT 2000 
Responsible-Changed-Why:  
Over to the committer himself. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20993 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: "Chris D. Faulhaber" <jedgar@fxp.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/20993: many ftpd commands not limited to logins 
Date: Tue, 12 Sep 2000 15:56:40 +0200

 On Tue, 05 Sep 2000 08:30:16 -0400, "Chris D. Faulhaber" wrote:
 
 > a) none of the commands affected should be used if a user is not logged
 > in, and the patch does not change the behaviour of commands once a user is
 > authenticated
 > b) all changes were taken from OpenBSD
 > c) we currently allow the SYST command to be issued to anyone who connects
 > (comments about which prompted me to make these changes), which some may
 > not realize (and others may view as a security concern)
 > d) Works Here[tm] (ok, lame excuse)
 > e) if these changes are unwanted, I'll gladly close the PR and save the
 > gnats bloat.
 
 I say go ahead and commit it.  The only thing I could spot that would
 get you into trouble with the style police is the splitting into two
 strings of the following string:
 
 	"Maximum IDLE time must be between 30 and %d seconds"
 
 I'd leave that alone and let it run over the 80 character limit.
 
 Ciao,
 Sheldon.
 	
 
Responsible-Changed-From-To: jedgar->freebsd-bugs 
Responsible-Changed-By: jedgar 
Responsible-Changed-When: Sat Sep 30 05:35:26 PDT 2000 
Responsible-Changed-Why:  
I am not a -src guy 

State-Changed-From-To: open->closed 
State-Changed-By: jedgar 
State-Changed-When: Fri Jan 19 17:35:15 PST 2001 
State-Changed-Why:  
Committed, thanks! 

>Unformatted:
