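--- pure-ftpd-1.0.40.org/config.h.in 2015-06-13 16:45:49.000000000 +0200
+++ pure-ftpd-1.0.40/config.h.in 2015-06-16 13:13:38.628079468 +0200
@@ -3,6 +3,9 @@
 /* Define if building universal (internal helper macro) */
 #undef AC_APPLE_UNIVERSAL_BUILD
 
+/* with apparmor */
+#undef APPARMOR
+
 /* display only boring messages */
 #undef BORING_MODE
 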
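--- pure-ftpd-1.0.40.org/configure.ac 2015-06-13 13:59:00.000000000 +0200
+++ pure-ftpd-1.0.40/configure.ac 2015-06-16 13:13:38.628079468 +0200
@@ -792,6 +792,13 @@
 AC_DEFINE(QUOTAS,,[with quotas])
 fi ])
 
+AC_ARG_WITH(apparmor,
+[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)],
+[ if test "x$withval" = "xyes" ; then
+ AC_DEFINE(APPARMOR,,[with apparmor])
+ LIBS="$LIBS -lapparmor"
+ fi ])
+
 AC_ARG_WITH(ftpwho,
 [AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)],
 [ if test "x$withval" = "xyes" ; then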
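Review bot: The help text in the new AC_ARG_WITH block advertises `--with-apparmorquotas` while the option it defines is `--with-apparmor`; this reads like a copy-paste from the quotas block and will mislead anyone reading `./configure --help`. Change it to `[AS_HELP_STRING(--with-apparmor,Support changing Apparmor Hats)]`. The branch also appends `-lapparmor` to LIBS without probing for the library, so a host without libapparmor only fails later at link time with an opaque error; an `AC_CHECK_LIB([apparmor], [aa_change_hat], [], [AC_MSG_ERROR([libapparmor not found])])` inside the same branch would fail at configure time with a clear message.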
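--- pure-ftpd-1.0.40.org/pureftpd-mysql.conf 2015-05-21 12:18:58.000000000 +0200
+++ pure-ftpd-1.0.40/pureftpd-mysql.conf 2015-06-16 13:13:38.644746557 +0200
@@ -112,6 +112,9 @@
 # MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
 
 
+# Optional : Apparmor Hat to use.
+# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L'
+
 # Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
 # 1) You know what you are doing.
 # 2) Real and virtual users match.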
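--- pure-ftpd-1.0.40.org/src/ftpd.c 2015-06-13 12:26:37.000000000 +0200
+++ pure-ftpd-1.0.40/src/ftpd.c 2015-06-16 13:13:38.644746557 +0200
@@ -18,6 +18,9 @@
 #ifdef QUOTAS
 # include "quotas.h"
 #endif
+#ifdef APPARMOR
+# include <sys/apparmor.h>
+#endif
 #ifdef WITH_DIRALIASES
 # include "diraliases.h"
 #endif
@@ -1544,6 +1547,9 @@
 result.ratio_download = ratio_download;
 result.ratio_ul_changed = result.ratio_dl_changed = 0;
 #endif
+#ifdef APPARMOR
+ result.apparmor_hat = NULL;
+#endif
 #ifdef PER_USER_LIMITS
 result.per_user_max = per_user_max;
 #endif
@@ -1982,6 +1988,16 @@
 # endif
 enablesignals();
 #endif
+
+#ifdef APPARMOR
+ if (authresult.apparmor_hat != NULL) {
+ if (change_hat(authresult.apparmor_hat, zrand()) < 0)
+ die(421, LOG_ERR, MSG_CHROOT_FAILED);
+ logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat);
+ free(authresult.apparmor_hat);
+ }
+#endif
+
 logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account);
 #ifdef FTPWHO
 if (shm_data_cur != NULL) {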
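Review bot: In the third hunk a failed `change_hat()` is reported with `MSG_CHROOT_FAILED`, so both the 421 reply and the syslog entry blame chroot for an AppArmor failure, which sends an operator triaging the event in the wrong direction; a dedicated message in messages_en.h (and any other message files), e.g. `#define MSG_APPARMOR_HAT_FAILED "Unable to change AppArmor hat to %s"`, used in that `die()` call keeps the signal accurate. The magic token handed to `change_hat()` is a value from `zrand()` that is discarded immediately, so nothing in this code can ever return from the hat; since that token is what the kernel later accepts to leave the hat, either add a comment stating the transition is intended to be one-way or pass a full-width unpredictable token so a compromised session cannot guess it (I cannot see zrand()'s width or seeding from here). `free(authresult.apparmor_hat)` frees through the `const char *` declared in ftpd.h without the `(void *)` cast the backends use and leaves the field dangling in the global `authresult`; `free((void *) authresult.apparmor_hat); authresult.apparmor_hat = NULL;` avoids both. `change_hat` appears to be the deprecated alias of `aa_change_hat`, which deserves a comment if it is kept for older libapparmor. The enclosing function starts and ends outside the hunk.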
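--- pure-ftpd-1.0.40.org/src/ftpd.h 2015-05-21 10:08:42.000000000 +0200
+++ pure-ftpd-1.0.40/src/ftpd.h 2015-06-16 13:13:38.644746557 +0200
@@ -294,6 +294,9 @@
 #ifdef PER_USER_LIMITS
 unsigned int per_user_max;
 #endif
+#ifdef APPARMOR
+ const char *apparmor_hat;
+#endif
 } AuthResult;
 
 typedef struct PureFileInfo_ {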
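--- pure-ftpd-1.0.40.org/src/log_extauth.c 2015-02-17 19:12:45.000000000 +0100
+++ pure-ftpd-1.0.40/src/log_extauth.c 2015-06-16 13:15:07.670333578 +0200
@@ -215,6 +215,9 @@
 result->uid = (uid_t) 0;
 result->gid = (gid_t) 0;
 result->dir = NULL;
+#ifdef APPARMOR_HAT
+ result->apparmor_hat = NULL;
+#endif
 result->slow_tilde_expansion = 1;
 auth_finalized = 0;
 if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) {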
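Review bot: The guard `#ifdef APPARMOR_HAT` does not match the `APPARMOR` macro that configure.ac defines and every other backend in this patch tests, so `result->apparmor_hat = NULL;` is never compiled here and the field keeps whatever the caller put in it; change the guard to `#ifdef APPARMOR`. If the only thing keeping that field defined for the extauth backend is the caller-side initialisation in the ftpd.c hunk, that dependency is fragile and worth a one-line comment next to the assignment. The enclosing function starts and ends outside the hunk.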
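--- pure-ftpd-1.0.40.org/src/log_ldap.c 2015-06-11 00:26:19.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_ldap.c 2015-06-16 13:13:38.644746557 +0200
@@ -627,6 +627,9 @@
 if ((result->dir = strdup(pw->pw_dir)) == NULL) {
 return;
 }
+#ifdef APPARMOR
+ result->apparmor_hat = NULL;
+#endif
 result->slow_tilde_expansion = 1;
 result->auth_ok = 1; /* User found, authentication ok */
 }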
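--- pure-ftpd-1.0.40.org/src/log_mysql.c 2015-05-21 12:52:57.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_mysql.c 2015-06-16 13:16:21.692207444 +0200
@@ -322,6 +322,9 @@
 const char *bandwidth_ul = NULL; /* stored bandwidth UL */
 const char *bandwidth_dl = NULL; /* stored bandwidth DL */
 #endif
+#ifdef APPARMOR
+ const char *apparmor_hat = NULL; /* Apparmor hat name */
+#endif
 char *escaped_account = NULL;
 char *escaped_ip = NULL;
 char *escaped_port = NULL;
@@ -605,6 +608,15 @@
 }
 }
 #endif
+#ifdef APPARMOR
+ if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat,
+ escaped_account, escaped_ip,
+ escaped_port, escaped_peer_ip,
+ escaped_decimal_ip)) != NULL) {
+ result->apparmor_hat = apparmor_hat;
+ apparmor_hat = NULL;
+ }
+#endif
 result->slow_tilde_expansion = !tildexp;
 result->auth_ok = -result->auth_ok;
 bye:
@@ -634,6 +646,9 @@
 free((void *) bandwidth_ul);
 free((void *) bandwidth_dl);
 #endif
+#ifdef APPARMOR
+ free((void *) apparmor_hat);
+#endif
 free((void *) escaped_account);
 free((void *) escaped_ip);
 free((void *) escaped_port);
@@ -702,6 +717,9 @@
 ZFREE(sqlreq_getbandwidth_ul);
 ZFREE(sqlreq_getbandwidth_dl);
 #endif
+#ifdef APPARMOR
+ ZFREE(sqlreq_getapparmor_hat);
+#endif
 }
 #else
 extern signed char v6ready;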
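Review bot: In the second hunk the string returned by `pw_mysql_getquery()` becomes the hat name with no validation, so an empty column, or a query that yields an empty string, is stored and later passed to `change_hat()` in ftpd.c, where it fails and the whole login is aborted; the matching log_pgsql.c hunk has the same gap. Treating an empty result as "no hat" before storing it, `if (*apparmor_hat == 0) { free((void *) apparmor_hat); apparmor_hat = NULL; }`, keeps a half-filled row from locking a user out (I am inferring from the bandwidth pattern that an absent row yields NULL rather than an empty string; confirm against pw_mysql_getquery). Ownership of the string also passes to the caller here, which is why the local is reset to NULL before the `free()` at `bye:`; a comment such as `/* ownership transfers to AuthResult; ftpd.c frees it after change_hat() */` would make that explicit. The enclosing function starts and ends outside the hunk.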
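--- pure-ftpd-1.0.40.org/src/log_mysql_p.h 2015-02-17 19:12:45.000000000 +0100
+++ pure-ftpd-1.0.40/src/log_mysql_p.h 2015-06-16 13:13:38.648079974 +0200
@@ -38,6 +38,9 @@
 static char *sqlreq_getbandwidth_ul;
 static char *sqlreq_getbandwidth_dl;
 #endif
+#ifdef APPARMOR
+static char *sqlreq_getapparmor_hat;
+#endif
 static signed char server_down;
 
 static ConfigKeywords mysql_config_keywords[] = {
@@ -68,6 +71,9 @@
 { "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
 { "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
 #endif
+#ifdef APPARMOR
+ { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat },
+#endif
 { NULL, NULL }
 };
 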
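--- pure-ftpd-1.0.40.org/src/log_pam.c 2015-02-17 19:12:45.000000000 +0100
+++ pure-ftpd-1.0.40/src/log_pam.c 2015-06-16 13:13:38.654746809 +0200
@@ -202,6 +202,9 @@
 (void) pam_close_session(pamh, PAM_SILENT); /* It doesn't matter if it fails */
 #endif
 result->dir = dir;
+#ifdef APPARMOR
+ result->apparmor_hat = NULL;
+#endif
 dir = NULL;
 result->uid = pw.pw_uid;
 result->gid = pw.pw_gid;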
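--- pure-ftpd-1.0.40.org/src/log_pgsql.c 2015-05-22 16:29:27.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_pgsql.c 2015-06-16 13:18:14.645066852 +0200
@@ -402,6 +402,9 @@
 const char *bandwidth_ul = NULL; /* stored bandwidth UL */
 const char *bandwidth_dl = NULL; /* stored bandwidth DL */
 #endif
+#ifdef APPARMOR
+ const char *apparmor_hat = NULL; /* Apparmor hat name */
+#endif
 char *escaped_account = NULL;
 char *escaped_ip = NULL;
 char *escaped_port = NULL;
@@ -651,6 +654,15 @@
 }
 }
 #endif
+#ifdef APPARMOR
+ if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat,
+ escaped_account, escaped_ip,
+ escaped_port, escaped_peer_ip,
+ escaped_decimal_ip)) != NULL) {
+ result->apparmor_hat = apparmor_hat;
+ apparmor_hat = NULL;
+ }
+#endif
 result->slow_tilde_expansion = 1;
 result->auth_ok = -result->auth_ok;
 bye:
@@ -681,6 +693,9 @@
 free((void *) bandwidth_ul);
 free((void *) bandwidth_dl);
 #endif
+#ifdef APPARMOR
+ free((void *) apparmor_hat);
+#endif
 free((void *) escaped_account);
 free((void *) escaped_ip);
 free((void *) escaped_port);
@@ -735,6 +750,9 @@
 ZFREE(sqlreq_getbandwidth_ul);
 ZFREE(sqlreq_getbandwidth_dl);
 #endif
+#ifdef APPARMOR
+ ZFREE(sqlreq_getapparmor_hat);
+#endif
 }
 #else
 extern signed char v6ready;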
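--- pure-ftpd-1.0.40.org/src/log_pgsql_p.h 2015-02-17 19:12:45.000000000 +0100
+++ pure-ftpd-1.0.40/src/log_pgsql_p.h 2015-06-16 13:13:38.658080227 +0200
@@ -28,6 +28,9 @@
 static char *sqlreq_getbandwidth_ul;
 static char *sqlreq_getbandwidth_dl;
 #endif
+#ifdef APPARMOR
+static char *sqlreq_getapparmor_hat;
+#endif
 static signed char server_down;
 
 static ConfigKeywords pgsql_config_keywords[] = {
@@ -55,6 +58,9 @@
 { "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
 { "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
 #endif
+#ifdef APPARMOR
+ { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat },
+#endif
 { NULL, NULL }
 };
 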
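--- pure-ftpd-1.0.40.org/src/log_puredb.c 2015-05-21 12:51:56.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_puredb.c 2015-06-16 13:13:38.658080227 +0200
@@ -333,6 +333,9 @@
 result->user_quota_size = strtoull(line, NULL, 10);
 }
 #endif
+#ifdef APPARMOR
+ result->apparmor_hat = NULL;
+#endif
 if ((line = my_strtok2(NULL, *PW_LINE_SEP)) == NULL) { /* allowed local ip */
 return 0;
 }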
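--- pure-ftpd-1.0.40.org/src/log_unix.c 2015-05-21 12:51:38.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_unix.c 2015-06-16 13:13:38.658080227 +0200
@@ -81,6 +81,9 @@
 result->uid = pw.pw_uid;
 result->gid = pw.pw_gid;
 result->dir = dir;
+#ifdef APPARMOR
+ result->apparmor_hat = NULL;
+#endif
 result->slow_tilde_expansion = 0;
 result->auth_ok = -result->auth_ok;
 return;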
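--- pure-ftpd-1.0.40.org/src/Makefile.am 2015-05-21 16:25:39.000000000 +0200
+++ pure-ftpd-1.0.40/src/Makefile.am 2015-06-16 13:13:38.658080227 +0200
@@ -136,6 +136,7 @@
 pure_ftpd_LDADD = \
 libpureftpd.a \
 ../puredb/src/libpuredb_read.a \
+ -lapparmor \
 @LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@
 
 pure_ftpd_SOURCES = \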
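Review bot: `-lapparmor` is added to `pure_ftpd_LDADD` unconditionally, so a tree configured without `--with-apparmor`, or built on a host that lacks libapparmor, now fails at link time even though the feature itself is compiled out. The configure.ac hunk already appends the library to LIBS only inside the APPARMOR branch, so this line is redundant; drop it, or replace it with an AC_SUBST'ed variable that configure sets only in that branch, in the style of the existing `@LDAP_SSL_LIBS@` entries on the next line.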
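--- pure-ftpd-1.0.40.org/src/messages_en.h 2015-05-20 16:23:20.000000000 +0200
+++ pure-ftpd-1.0.40/src/messages_en.h 2015-06-16 13:13:38.658080227 +0200
@@ -57,6 +57,7 @@
 #define MSG_CURRENT_DIR_IS "OK. Current directory is %s"
 #define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s"
 #define MSG_IS_NOW_LOGGED_IN "%s is now logged in"
+#define MSG_APPARMOR_HAT "User %s apparmor hat is %s"
 #define MSG_CANT_CHANGE_DIR "Can't change directory to %s"
 #define MSG_PATH_TOO_LONG "Path too long"
 #define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead."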