bin/62811: libexec/ftpd patch (broken clients & "anonymous" account)
Craig Boston
craig at olyun.gank.org
Fri Feb 13 19:50:15 PST 2004
>Number: 62811
>Category: bin
>Synopsis: libexec/ftpd patch (broken clients & "anonymous" account)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Feb 13 19:50:14 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Craig Boston
>Release: FreeBSD 5.2-RELEASE i386
>Organization:
>Environment:
System: FreeBSD darth-laptop 5.2-RELEASE FreeBSD 5.2-RELEASE #0: Sun Jan 18 22:04:41 CST 2004 root at darth-laptop:/mnt/compile/obj/mnt/compile/src/sys/DARTH-LAPTOP i386
>Description:
The attached patch adds a -G option to libexec/ftpd, which disables
special treatment of the "anonymous" and "ftp" user names. This
has two main applications:
1) Some popular graphical FTP clients (Internet Explorer and Mozilla,
to name two), try anonymous automatically and misbehave if a 530
error is sent back in response to the USER command. As a result,
if anonymous FTP is disabled, they pop up an unhelpful error
message rather than prompting for login. With this patch enabled,
these clients act as expected.
2) It also allows for normal user accounts named "anonymous" or "ftp"
to be accessed with a password.
Arguably, (1) is a bug in the browser, however this behavior
persists across multiple versions and is not likely to be changed
soon. Several "other" FTP servers work around this problem,
so not having an option to do so puts us at a disadvantage from
the end-user's perspective.
A quick review of the relevant RFCs didn't turn up any conflicts.
As far as I can tell, the special handling for these users is not
part of the official specification, and as such should be optional.
>How-To-Repeat:
>Fix:
--- ftpd-noguest.patch begins here ---
Index: ftpd.8
===================================================================
--- ftpd.8 (revision 1949)
+++ ftpd.8 (working copy)
@@ -100,6 +100,12 @@
.It Fl E
Disable the EPSV command.
This is useful for servers behind older firewalls.
+.It Fl G
+Disable special treatment of the
+.Dq anonymous
+and
+.Dq ftp
+user names, enabling them to be used as normal accounts.
.It Fl h
Disable printing host-specific information, such as the
server software version or hostname, in server messages.
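Review bot: The new .It Fl G entry says the two names can be used as normal accounts, but it does not say that anonymous FTP itself stops working when the flag is given, which is what the !noguest guard in the ftpd.c hunk implies. Suggest adding a sentence stating that -G disables anonymous (guest) logins altogether and that "ftp" and "anonymous" are then authenticated with a password like any other user, so an administrator does not enable it expecting both behaviours.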
Index: ftpd.c
===================================================================
--- ftpd.c (revision 1949)
+++ ftpd.c (working copy)
@@ -138,6 +138,7 @@
int usedefault = 1; /* for data transfers */
int pdata = -1; /* for passive mode */
int readonly=0; /* Server is in readonly mode. */
+int noguest=0; /* Don't treat 'anonymous' user as special */
int noepsv=0; /* EPSV command is disabled. */
int noretr=0; /* RETR command is disabled. */
int noguestretr=0; /* RETR command is disabled for anon users. */
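Review bot: The comment on the new noguest variable mentions only 'anonymous', while the comparison it guards in the last hunk covers both "ftp" and "anonymous"; suggest wording the comment to name both. The variable also sits two lines above noguestretr, where "guest" means an anonymous session under a restriction, so noguest can be misread as a similar per-guest restriction rather than "no guest logins at all"; a short note in the comment that it corresponds to -G would remove the ambiguity.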
@@ -300,7 +301,7 @@
while ((ch = getopt(argc, argv,
- "46a:AdDEhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
+ "46a:AdDEGhlmMoOp:P:rRSt:T:u:UvW")) != -1) {
switch (ch) {
case '4':
family = (family == AF_INET6) ? AF_UNSPEC : AF_INET;
@@ -330,6 +331,10 @@
noepsv = 1;
break;
+ case 'G':
+ noguest = 1;
+ break;
+
case 'h':
hostinfo = 0;
break;
@@ -987,7 +992,8 @@
}
guest = 0;
- if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) {
+ if (!noguest &&
+ (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0)) {
if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL) ||
checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL))
reply(530, "User %s access denied.", name);
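Review bot: In the USER handling, guarding the whole branch with !noguest also skips the two checkuser(_PATH_FTPUSERS, ...) calls for "ftp" and "anonymous" that sit inside it. Please confirm that the ordinary login path these names now fall through to still honours an ftpusers entry for them. A site that listed "ftp" there to refuse anonymous access would otherwise start offering a password login for that account once -G is set, and the patch should either keep the deny check outside the guard or state the new behaviour in ftpd.8.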
--- ftpd-noguest.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: