|
 |
ac8676 |
From ec60588d36f06acdd6a1b3c5959d2102f4f5b230 Mon Sep 17 00:00:00 2001
|
|
|
ac8676 |
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
|
|
ac8676 |
Date: Tue, 6 Feb 2018 13:30:44 +0100
|
|
|
ac8676 |
Subject: [PATCH] Add new filename generation algorithm for STOU command
|
|
|
ac8676 |
|
|
|
ac8676 |
A new configuration option 'better_stou' can be used to enable
|
|
|
ac8676 |
a better algorithm for generating unique filenames.
|
|
|
ac8676 |
|
|
|
ac8676 |
Resolves: rhbz#1479237
|
|
|
ac8676 |
---
|
|
|
ac8676 |
parseconf.c | 1 +
|
|
|
ac8676 |
postlogin.c | 177 +++++++++++++++++++++++++++++++++++++++++++++++++---------
|
|
|
ac8676 |
sysutil.c | 3 +
|
|
|
ac8676 |
sysutil.h | 3 +-
|
|
|
ac8676 |
tunables.c | 2 +
|
|
|
ac8676 |
tunables.h | 3 +
|
|
|
ac8676 |
vsftpd.conf.5 | 10 ++++
|
|
|
ac8676 |
7 files changed, 172 insertions(+), 27 deletions(-)
|
|
|
ac8676 |
|
|
|
ac8676 |
diff --git a/parseconf.c b/parseconf.c
|
|
|
ac8676 |
index 33a1349..47b54f1 100644
|
|
|
ac8676 |
--- a/parseconf.c
|
|
|
ac8676 |
+++ b/parseconf.c
|
|
|
ac8676 |
@@ -111,6 +111,7 @@ parseconf_bool_array[] =
|
|
|
ac8676 |
{ "http_enable", &tunable_http_enable },
|
|
|
ac8676 |
{ "seccomp_sandbox", &tunable_seccomp_sandbox },
|
|
|
ac8676 |
{ "allow_writeable_chroot", &tunable_allow_writeable_chroot },
|
|
|
ac8676 |
+ { "better_stou", &tunable_better_stou },
|
|
|
ac8676 |
{ 0, 0 }
|
|
|
ac8676 |
};
|
|
|
ac8676 |
|
|
|
ac8676 |
diff --git a/postlogin.c b/postlogin.c
|
|
|
ac8676 |
index 869c2a2..3b50af2 100644
|
|
|
ac8676 |
--- a/postlogin.c
|
|
|
ac8676 |
+++ b/postlogin.c
|
|
|
ac8676 |
@@ -29,6 +29,7 @@
|
|
|
ac8676 |
#include "opts.h"
|
|
|
ac8676 |
|
|
|
ac8676 |
#include <errno.h>
|
|
|
ac8676 |
+#include <stdio.h>
|
|
|
ac8676 |
|
|
|
ac8676 |
/* Private local functions */
|
|
|
ac8676 |
static void handle_pwd(struct vsf_session* p_sess);
|
|
|
ac8676 |
@@ -1021,6 +1022,115 @@ handle_stor(struct vsf_session* p_sess)
|
|
|
ac8676 |
handle_upload_common(p_sess, 0, 0);
|
|
|
ac8676 |
}
|
|
|
ac8676 |
|
|
|
ac8676 |
+/* Based on __gen_tempname() from glibc - thanks, glibc! Relicensed
|
|
|
ac8676 |
+ * from LGPL2.1+ to GPL2.
|
|
|
ac8676 |
+ */
|
|
|
ac8676 |
+static int
|
|
|
ac8676 |
+create_unique_file(struct vsf_session* p_sess, struct mystr* p_outstr,
|
|
|
ac8676 |
+ const struct mystr* p_base_str,
|
|
|
ac8676 |
+ int (*access_checker)(const struct mystr*))
|
|
|
ac8676 |
+{
|
|
|
ac8676 |
+ struct mystr s_result = INIT_MYSTR;
|
|
|
ac8676 |
+ const int suffix_len = 6;
|
|
|
ac8676 |
+ unsigned int count;
|
|
|
ac8676 |
+ static unsigned long long int value;
|
|
|
ac8676 |
+ unsigned long long int random_time_bits;
|
|
|
ac8676 |
+ int fd = -1;
|
|
|
ac8676 |
+ /* These are the characters used in temporary file names. */
|
|
|
ac8676 |
+ struct mystr s_letters = INIT_MYSTR;
|
|
|
ac8676 |
+ unsigned int s_letters_len;
|
|
|
ac8676 |
+ int base_len;
|
|
|
ac8676 |
+
|
|
|
ac8676 |
+ str_alloc_text(&s_letters,
|
|
|
ac8676 |
+ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
|
|
|
ac8676 |
+ s_letters_len = str_getlen(&s_letters);
|
|
|
ac8676 |
+
|
|
|
ac8676 |
+ /* A lower bound on the number of temporary files to attempt to
|
|
|
ac8676 |
+ generate. The maximum total number of temporary file names that
|
|
|
ac8676 |
+ can exist for a given template is 62**6. It should never be
|
|
|
ac8676 |
+ necessary to try all of these combinations. Instead if a reasonable
|
|
|
ac8676 |
+ number of names is tried (we define reasonable as 62**3) fail to
|
|
|
ac8676 |
+ give the system administrator the chance to remove the problems. */
|
|
|
ac8676 |
+#define ATTEMPTS_MIN (62 * 62 * 62)
|
|
|
ac8676 |
+
|
|
|
ac8676 |
+ /* The number of times to attempt to generate a temporary file. */
|
|
|
ac8676 |
+#if ATTEMPTS_MIN < TMP_MAX
|
|
|
ac8676 |
+ unsigned int attempts = TMP_MAX;
|
|
|
ac8676 |
+#else
|
|
|
ac8676 |
+ unsigned int attempts = ATTEMPTS_MIN;
|
|
|
ac8676 |
+#endif
|
|
|
ac8676 |
+#undef ATTEMPTS_MIN
|
|
|
ac8676 |
+
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ long sec = vsf_sysutil_get_time_sec();
|
|
|
ac8676 |
+ long usec = vsf_sysutil_get_time_usec();
|
|
|
ac8676 |
+ random_time_bits = ((unsigned long long int) usec << 16) ^ sec;
|
|
|
ac8676 |
+ value += random_time_bits ^ vsf_sysutil_getpid();
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+
|
|
|
ac8676 |
+ if (str_isempty(p_base_str))
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ const char *base = "STOU.";
|
|
|
ac8676 |
+ base_len = vsf_sysutil_strlen(base);
|
|
|
ac8676 |
+ str_reserve(&s_result, base_len + suffix_len);
|
|
|
ac8676 |
+ str_alloc_text(&s_result, base);
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ else
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ str_reserve(&s_result, str_getlen(p_base_str) + suffix_len + 1);
|
|
|
ac8676 |
+ str_copy(&s_result, p_base_str);
|
|
|
ac8676 |
+ str_append_char(&s_result, '.');
|
|
|
ac8676 |
+ base_len = str_getlen(&s_result);
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+
|
|
|
ac8676 |
+ for (count = 0; count < attempts; value += 7777, ++count)
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ unsigned long long v = value;
|
|
|
ac8676 |
+ int i;
|
|
|
ac8676 |
+ str_trunc(&s_result, base_len);
|
|
|
ac8676 |
+ for (i = 0; i < suffix_len; ++i)
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ char c;
|
|
|
ac8676 |
+ c = str_get_char_at(&s_letters, v % s_letters_len);
|
|
|
ac8676 |
+ v /= s_letters_len;
|
|
|
ac8676 |
+ str_append_char(&s_result, c);
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ if (!access_checker(&s_result))
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ /* If we generate a filename which is not allowed, we fail immediatelly,
|
|
|
ac8676 |
+ * without trying any other possibilities. This is to prevent attackers
|
|
|
ac8676 |
+ * from keeping us busy.
|
|
|
ac8676 |
+ */
|
|
|
ac8676 |
+ vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
|
|
|
ac8676 |
+ break;
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ fd = str_create_exclusive(&s_result);
|
|
|
ac8676 |
+ if (vsf_sysutil_retval_is_error(fd))
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ if (kVSFSysUtilErrEXIST == vsf_sysutil_get_error())
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ continue;
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ else
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ vsf_cmdio_write(p_sess, FTP_UPLOADFAIL, "Could not create file.");
|
|
|
ac8676 |
+ break;
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ else
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ break;
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ if (!vsf_sysutil_retval_is_error(fd))
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ str_copy(p_outstr, &s_result);
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ str_free(&s_letters);
|
|
|
ac8676 |
+ str_free(&s_result);
|
|
|
ac8676 |
+ return fd;
|
|
|
ac8676 |
+}
|
|
|
ac8676 |
+
|
|
|
ac8676 |
static void
|
|
|
ac8676 |
handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique)
|
|
|
ac8676 |
{
|
|
|
ac8676 |
@@ -1042,41 +1152,56 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique)
|
|
|
ac8676 |
return;
|
|
|
ac8676 |
}
|
|
|
ac8676 |
resolve_tilde(&p_sess->ftp_arg_str, p_sess);
|
|
|
ac8676 |
- p_filename = &p_sess->ftp_arg_str;
|
|
|
ac8676 |
- if (is_unique)
|
|
|
ac8676 |
- {
|
|
|
ac8676 |
- get_unique_filename(&s_filename, p_filename);
|
|
|
ac8676 |
- p_filename = &s_filename;
|
|
|
ac8676 |
- }
|
|
|
ac8676 |
vsf_log_start_entry(p_sess, kVSFLogEntryUpload);
|
|
|
ac8676 |
str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
|
|
|
ac8676 |
prepend_path_to_filename(&p_sess->log_str);
|
|
|
ac8676 |
- if (!vsf_access_check_file(p_filename))
|
|
|
ac8676 |
- {
|
|
|
ac8676 |
- vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
|
|
|
ac8676 |
- return;
|
|
|
ac8676 |
- }
|
|
|
ac8676 |
- /* NOTE - actual file permissions will be governed by the tunable umask */
|
|
|
ac8676 |
- /* XXX - do we care about race between create and chown() of anonymous
|
|
|
ac8676 |
- * upload?
|
|
|
ac8676 |
- */
|
|
|
ac8676 |
- if (is_unique || (p_sess->is_anonymous && !tunable_anon_other_write_enable))
|
|
|
ac8676 |
+ p_filename = &p_sess->ftp_arg_str;
|
|
|
ac8676 |
+ if (is_unique && tunable_better_stou)
|
|
|
ac8676 |
{
|
|
|
ac8676 |
- new_file_fd = str_create_exclusive(p_filename);
|
|
|
ac8676 |
+ new_file_fd = create_unique_file(p_sess, &s_filename, p_filename,
|
|
|
ac8676 |
+ vsf_access_check_file);
|
|
|
ac8676 |
+ if (vsf_sysutil_retval_is_error(new_file_fd))
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ return;
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ p_filename = &s_filename;
|
|
|
ac8676 |
}
|
|
|
ac8676 |
else
|
|
|
ac8676 |
{
|
|
|
ac8676 |
- /* For non-anonymous, allow open() to overwrite or append existing files */
|
|
|
ac8676 |
- new_file_fd = str_create(p_filename);
|
|
|
ac8676 |
- if (!is_append && offset == 0)
|
|
|
ac8676 |
+ if (is_unique)
|
|
|
ac8676 |
{
|
|
|
ac8676 |
- do_truncate = 1;
|
|
|
ac8676 |
+ get_unique_filename(&s_filename, p_filename);
|
|
|
ac8676 |
+ p_filename = &s_filename;
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ if (!vsf_access_check_file(p_filename))
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
|
|
|
ac8676 |
+ return;
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ /* NOTE - actual file permissions will be governed by the tunable umask */
|
|
|
ac8676 |
+ /* XXX - do we care about race between create and chown() of anonymous
|
|
|
ac8676 |
+ * upload?
|
|
|
ac8676 |
+ */
|
|
|
ac8676 |
+ if (is_unique || (p_sess->is_anonymous && !tunable_anon_other_write_enable))
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ new_file_fd = str_create_exclusive(p_filename);
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ else
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ /* For non-anonymous, allow open() to overwrite or append existing
|
|
|
ac8676 |
+ * files
|
|
|
ac8676 |
+ */
|
|
|
ac8676 |
+ new_file_fd = str_create(p_filename);
|
|
|
ac8676 |
+ if (!is_append && offset == 0)
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ do_truncate = 1;
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ }
|
|
|
ac8676 |
+ if (vsf_sysutil_retval_is_error(new_file_fd))
|
|
|
ac8676 |
+ {
|
|
|
ac8676 |
+ vsf_cmdio_write(p_sess, FTP_UPLOADFAIL, "Could not create file.");
|
|
|
ac8676 |
+ return;
|
|
|
ac8676 |
}
|
|
|
ac8676 |
- }
|
|
|
ac8676 |
- if (vsf_sysutil_retval_is_error(new_file_fd))
|
|
|
ac8676 |
- {
|
|
|
ac8676 |
- vsf_cmdio_write(p_sess, FTP_UPLOADFAIL, "Could not create file.");
|
|
|
ac8676 |
- return;
|
|
|
ac8676 |
}
|
|
|
ac8676 |
created = 1;
|
|
|
ac8676 |
vsf_sysutil_fstat(new_file_fd, &s_p_statbuf);
|
|
|
ac8676 |
diff --git a/sysutil.c b/sysutil.c
|
|
|
ac8676 |
index e97f3bd..e6d88dc 100644
|
|
|
ac8676 |
--- a/sysutil.c
|
|
|
ac8676 |
+++ b/sysutil.c
|
|
|
ac8676 |
@@ -1663,6 +1663,9 @@ vsf_sysutil_get_error(void)
|
|
|
ac8676 |
case ENOENT:
|
|
|
ac8676 |
retval = kVSFSysUtilErrNOENT;
|
|
|
ac8676 |
break;
|
|
|
ac8676 |
+ case EEXIST:
|
|
|
ac8676 |
+ retval = kVSFSysUtilErrEXIST;
|
|
|
ac8676 |
+ break;
|
|
|
ac8676 |
default:
|
|
|
ac8676 |
break;
|
|
|
ac8676 |
}
|
|
|
ac8676 |
diff --git a/sysutil.h b/sysutil.h
|
|
|
ac8676 |
index b745d4a..15d4020 100644
|
|
|
ac8676 |
--- a/sysutil.h
|
|
|
ac8676 |
+++ b/sysutil.h
|
|
|
ac8676 |
@@ -18,7 +18,8 @@ enum EVSFSysUtilError
|
|
|
ac8676 |
kVSFSysUtilErrINVAL,
|
|
|
ac8676 |
kVSFSysUtilErrOPNOTSUPP,
|
|
|
ac8676 |
kVSFSysUtilErrACCES,
|
|
|
ac8676 |
- kVSFSysUtilErrNOENT
|
|
|
ac8676 |
+ kVSFSysUtilErrNOENT,
|
|
|
ac8676 |
+ kVSFSysUtilErrEXIST
|
|
|
ac8676 |
};
|
|
|
ac8676 |
enum EVSFSysUtilError vsf_sysutil_get_error(void);
|
|
|
ac8676 |
|
|
|
ac8676 |
diff --git a/tunables.c b/tunables.c
|
|
|
ac8676 |
index 9680528..5ec2bdc 100644
|
|
|
ac8676 |
--- a/tunables.c
|
|
|
ac8676 |
+++ b/tunables.c
|
|
|
ac8676 |
@@ -92,6 +92,7 @@ int tunable_ftp_enable;
|
|
|
ac8676 |
int tunable_http_enable;
|
|
|
ac8676 |
int tunable_seccomp_sandbox;
|
|
|
ac8676 |
int tunable_allow_writeable_chroot;
|
|
|
ac8676 |
+int tunable_better_stou;
|
|
|
ac8676 |
|
|
|
ac8676 |
unsigned int tunable_accept_timeout;
|
|
|
ac8676 |
unsigned int tunable_connect_timeout;
|
|
|
ac8676 |
@@ -239,6 +240,7 @@ tunables_load_defaults()
|
|
|
ac8676 |
tunable_http_enable = 0;
|
|
|
ac8676 |
tunable_seccomp_sandbox = 0;
|
|
|
ac8676 |
tunable_allow_writeable_chroot = 0;
|
|
|
ac8676 |
+ tunable_better_stou = 0;
|
|
|
ac8676 |
|
|
|
ac8676 |
tunable_accept_timeout = 60;
|
|
|
ac8676 |
tunable_connect_timeout = 60;
|
|
|
ac8676 |
diff --git a/tunables.h b/tunables.h
|
|
|
ac8676 |
index a466427..85ea1a8 100644
|
|
|
ac8676 |
--- a/tunables.h
|
|
|
ac8676 |
+++ b/tunables.h
|
|
|
ac8676 |
@@ -93,6 +93,9 @@ extern int tunable_ftp_enable; /* Allow FTP protocol */
|
|
|
ac8676 |
extern int tunable_http_enable; /* Allow HTTP protocol */
|
|
|
ac8676 |
extern int tunable_seccomp_sandbox; /* seccomp filter sandbox */
|
|
|
ac8676 |
extern int tunable_allow_writeable_chroot; /* Allow misconfiguration */
|
|
|
ac8676 |
+extern int tunable_better_stou; /* Use better file name generation
|
|
|
ac8676 |
+ * algorithm for the STOU command
|
|
|
ac8676 |
+ */
|
|
|
ac8676 |
|
|
|
ac8676 |
/* Integer/numeric defines */
|
|
|
ac8676 |
extern unsigned int tunable_accept_timeout;
|
|
|
ac8676 |
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
|
|
ac8676 |
index 43b0435..e9ae474 100644
|
|
|
ac8676 |
--- a/vsftpd.conf.5
|
|
|
ac8676 |
+++ b/vsftpd.conf.5
|
|
|
ac8676 |
@@ -65,6 +65,16 @@ creates an 'etc' directory in the new root directory, they could potentially
|
|
|
ac8676 |
trick the C library into loading a user-created configuration file from the
|
|
|
ac8676 |
/etc/ directory.
|
|
|
ac8676 |
|
|
|
ac8676 |
+Default: NO
|
|
|
ac8676 |
+.TP
|
|
|
ac8676 |
+.B better_stou
|
|
|
ac8676 |
+Use a better file name generation algorithm for the STOU command. The default
|
|
|
ac8676 |
+original algorithm simply adds an increasing number suffix to the file name,
|
|
|
ac8676 |
+which is prone to race conditions if multiple uploaders use the STOU command
|
|
|
ac8676 |
+with the same file name simultaneously, which can result in failure of the
|
|
|
ac8676 |
+command. The new algorithm adds a unique random six character suffix to
|
|
|
ac8676 |
+the file name, which works much better in face of concurrent uploads.
|
|
|
ac8676 |
+
|
|
|
ac8676 |
Default: NO
|
|
|
ac8676 |
.TP
|
|
|
ac8676 |
.B anon_mkdir_write_enable
|
|
|
ac8676 |
--
|
|
|
ac8676 |
2.14.3
|
|
|
ac8676 |
|