
List:       openbsd-tech
Subject:    Re: proposed ftpd patch to modify -A operation on invalid userids
From:       Josh Grosse <josh () jggimi ! homeip ! net>
Date:       2008-09-24 0:53:31
Message-ID: 20080924005331.GA148 () jggimi ! homeip ! net

On Mon, Sep 22, 2008 at 02:26:55PM -0400, Josh Grosse wrote:
> On Mon, 22 Sep 2008 14:00:47 -0400, Todd C. Miller wrote
> 
> > I wonder if it wouldn't be better to simply include "access denied"
> > in the 530 response.  I don't particularly like that solution either,
> > though.
 
Revised patch.  I have changed the message, as Todd suggested, to match 
other "access denied" 530 messages.  I have also replaced the end_login();
with dologout(0); -- this is a cleaner, more logically valid disconnection,
used in several spots in libexec/ftpd/ftpd.c.  It leaves no "Please login 
with USER and PASS" 530 message, which is possible with end_login(); logic.

Index: ftpd.8
===================================================================
RCS file: /cvs/src/libexec/ftpd/ftpd.8,v
retrieving revision 1.65
diff -u -r1.65 ftpd.8
--- ftpd.8	31 May 2007 19:19:39 -0000	1.65
+++ ftpd.8	19 Sep 2008 21:02:04 -0000
@@ -77,7 +77,8 @@
 or users in a login class with the
 .Dq ftp-chroot
 variable set (see below).
-Other connection attempts are refused.
+Other connection attempts are refused and the control connection
+is disconnected.
 .It Fl D
 With this option set,
 .Nm
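Review bot: the added sentence promises a disconnect for every connection refused under -A, but the ftpd.c hunk in this same patch calls dologout(0) only in the anon_ok branch; when anonymous ftp is disabled the else branch still sends the 530 and returns with the control connection open. Either qualify the man page text (for example "and, when anonymous ftp is enabled, the control connection is closed") or disconnect in both branches so the documentation matches the code.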
Index: ftpd.c
===================================================================
RCS file: /cvs/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.184
diff -u -r1.184 ftpd.c
--- ftpd.c	12 Sep 2008 16:12:08 -0000	1.184
+++ ftpd.c	24 Sep 2008 00:40:50 -0000
@@ -824,8 +824,11 @@
 	dochroot = (lc && login_getcapbool(lc, "ftp-chroot", 0)) ||
 	    checkuser(_PATH_FTPCHROOT, name);
 	if (anon_only && !dochroot) {
-		if (anon_ok)
-			reply(530, "Sorry, only anonymous ftp allowed.");
+		if (anon_ok) {
+			reply(530, "User %s access denied.", name);
+			dologout(0);
+			/* NOTREACHED */
+		}
 		else
 			reply(530, "User %s access denied.", name);
 		return;
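Review bot: both arms of the if (anon_ok) now send the identical `reply(530, "User %s access denied.", name);`, so the duplication can go: send the reply once, then `if (anon_ok) dologout(0);` ahead of the `return;`. The `}` closing the if-block on its own line with `else` on the next also departs from the `} else` form used elsewhere in ftpd.c. The /* NOTREACHED */ is correct since dologout() does not return, which is also why the trailing `return;` is now reached only on the !anon_ok path, the one case that keeps the control connection open.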

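As an added example for this thread (not code from OpenBSD ftpd or from the patch author): a small probe that tells apart a server that answers USER with 530 and then drops the control connection, as the patched path does with dologout(0), from one that answers 530 and keeps the connection open. It is exercised against a constructed stand-in server that replays the 530 texts seen in the patch; the stand-in, the account name "josh" and the port are all assumptions for the demonstration, and the probe itself can be pointed at a real host and port.

```python
import socket
import threading


def fake_ftpd(listener, disconnect):
    """Constructed stand-in for an ftpd control channel (NOT OpenBSD ftpd).

    disconnect=True mimics the patched path: 530, then close the connection
    as dologout(0) would. disconnect=False mimics a server that sends 530 and
    stays connected, so a later PASS draws "Please login with USER and PASS."
    """
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 stand-in ftpd ready.\r\n")
        rf = conn.makefile("r", encoding="latin-1", newline="\r\n")
        for line in rf:
            verb, _, arg = line.rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb == "USER":
                if arg in ("ftp", "anonymous"):
                    conn.sendall(b"331 Guest login ok, send your email address as password.\r\n")
                    continue
                conn.sendall(("530 User %s access denied.\r\n" % arg).encode("latin-1"))
                if disconnect:
                    return  # leaving the 'with' closes the socket
            elif verb == "PASS":
                conn.sendall(b"530 Please login with USER and PASS.\r\n")
            elif verb == "NOOP":
                conn.sendall(b"200 NOOP command successful.\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                return
            else:
                conn.sendall(b"500 Unknown command.\r\n")


def read_reply(rf):
    """Return (code, text) for one FTP reply, or (None, "") on EOF.

    Handles RFC 959 multi-line replies ("ddd-..." up to a "ddd ..." line).
    """
    line = rf.readline()
    if not line:
        return None, ""
    code = line[:3]
    text = line.rstrip("\r\n")
    if line[3:4] == "-":
        while True:
            more = rf.readline()
            if not more:
                break
            text += "\n" + more.rstrip("\r\n")
            if more.startswith(code + " "):
                break
    return (int(code) if code.isdigit() else None), text


def probe_user(host, port, user):
    """Send USER <user>, then NOOP; report the reply and whether the connection survived."""
    result = {"user": user}
    with socket.create_connection((host, port), timeout=5) as s:
        rf = s.makefile("r", encoding="latin-1", newline="\r\n")
        result["banner_code"] = read_reply(rf)[0]
        s.sendall(("USER %s\r\n" % user).encode("latin-1"))
        result["user_code"], result["user_text"] = read_reply(rf)
        # A server that dropped the control connection answers the NOOP with
        # EOF or a reset; one that only refused the login still answers 200.
        try:
            s.sendall(b"NOOP\r\n")
            noop_code, _ = read_reply(rf)
        except OSError:  # ECONNRESET, EPIPE or a read timeout
            noop_code = None
        result["noop_code"] = noop_code
        result["still_open"] = noop_code is not None
        if result["still_open"]:
            s.sendall(b"QUIT\r\n")
            read_reply(rf)
    return result


def run_demo(disconnect, user="josh"):
    """Start the stand-in on a loopback port, probe it, return the probe result.

    "josh" is a constructed non-anonymous account name, not a real user.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=fake_ftpd, args=(listener, disconnect), daemon=True)
    t.start()
    try:
        return probe_user("127.0.0.1", port, user)
    finally:
        t.join(5)
        listener.close()


if __name__ == "__main__":
    for disconnect in (True, False):
        r = run_demo(disconnect)
        print("disconnect=%s -> %s %s; control connection still open: %s"
              % (disconnect, r["user_code"], r["user_text"], r["still_open"]))
```

The NOOP follow-up is the whole point of the probe: the 530 text alone looks the same in both cases, and only the fate of the control connection shows whether the server took the dologout(0) path or left the session sitting at the "Please login with USER and PASS" stage.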