1 diff -ur pure-ftpd-1.0.49.org/config.h.in pure-ftpd-1.0.49/config.h.in
2 --- pure-ftpd-1.0.49.org/config.h.in 2019-03-25 18:00:47.000000000 +0100
3 +++ pure-ftpd-1.0.49/config.h.in 2019-06-10 11:13:52.181133752 +0200
5 /* Define if building universal (internal helper macro) */
6 #undef AC_APPLE_UNIVERSAL_BUILD
11 /* display only boring messages */
14 diff -ur pure-ftpd-1.0.49.org/configure.ac pure-ftpd-1.0.49/configure.ac
15 --- pure-ftpd-1.0.49.org/configure.ac 2019-04-03 12:41:30.000000000 +0200
16 +++ pure-ftpd-1.0.49/configure.ac 2019-06-10 11:13:52.181133752 +0200
18 AC_DEFINE(QUOTAS,,[with quotas])
21 +AC_ARG_WITH(apparmor,
22 +[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)],
23 +[ if test "x$withval" = "xyes" ; then
24 + AC_DEFINE(APPARMOR,,[with apparmor])
25 + LIBS="$LIBS -lapparmor"
29 [AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)],
30 [ if test "x$withval" = "xyes" ; then
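Review bot: The help string in the new `AC_ARG_WITH(apparmor, ...)` block advertises `--with-apparmorquotas`, which is not the option the macro registers; it should read `AS_HELP_STRING(--with-apparmor,Support changing Apparmor Hats)`. Anyone following `./configure --help` would pass an unrecognised flag and may end up with a build that lacks hat support while believing confinement is compiled in. `LIBS="$LIBS -lapparmor"` is also appended without probing for the library or for `sys/apparmor.h`, so a missing libapparmor only shows up later as a compile or link error; an `AC_CHECK_LIB`/`AC_CHECK_HEADERS` probe would fail at configure time. The end of the block is outside the visible lines.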
31 Only in pure-ftpd-1.0.49: configure.ac.orig
32 diff -ur pure-ftpd-1.0.49.org/pureftpd-mysql.conf pure-ftpd-1.0.49/pureftpd-mysql.conf
33 --- pure-ftpd-1.0.49.org/pureftpd-mysql.conf 2019-06-10 11:13:16.120061167 +0200
34 +++ pure-ftpd-1.0.49/pureftpd-mysql.conf 2019-06-10 11:13:52.181133752 +0200
36 # MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
39 +# Optional : Apparmor Hat to use.
40 +# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L'
42 # Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
43 # 1) You know what you are doing.
44 # 2) Real and virtual users match.
45 diff -ur pure-ftpd-1.0.49.org/README.Authentication-Modules pure-ftpd-1.0.49/README.Authentication-Modules
46 --- pure-ftpd-1.0.49.org/README.Authentication-Modules 2019-03-25 18:10:06.000000000 +0100
47 +++ pure-ftpd-1.0.49/README.Authentication-Modules 2019-06-10 11:17:27.140847844 +0200
50 The maximal authorized number of concurrent sessions.
52 +* apparmor_hat:xxx (optional)
56 ------------------------ EXAMPLE ------------------------
58 diff -ur pure-ftpd-1.0.49.org/src/ftpd.c pure-ftpd-1.0.49/src/ftpd.c
59 --- pure-ftpd-1.0.49.org/src/ftpd.c 2019-06-10 11:13:16.123394599 +0200
60 +++ pure-ftpd-1.0.49/src/ftpd.c 2019-06-10 11:13:52.184467185 +0200
66 +# include <sys/apparmor.h>
68 #ifdef WITH_DIRALIASES
69 # include "diraliases.h"
72 result.ratio_download = ratio_download;
73 result.ratio_ul_changed = result.ratio_dl_changed = 0;
76 + result.apparmor_hat = NULL;
78 #ifdef PER_USER_LIMITS
79 result.per_user_max = per_user_max;
81 @@ -1944,6 +1950,16 @@
87 + if (authresult.apparmor_hat != NULL) {
88 + if (change_hat(authresult.apparmor_hat, zrand()) < 0)
89 + die(421, LOG_ERR, MSG_CHROOT_FAILED);
90 + logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat);
91 + free(authresult.apparmor_hat);
95 logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account);
97 if (shm_data_cur != NULL) {
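Review bot: In the login hunk, `change_hat(authresult.apparmor_hat, zrand())` passes a random token although nothing visible keeps it for a later return to the parent profile. As I read aa_change_hat(2), a token of 0 is the documented way to enter a hat that can never be left, which looks like the intent here: `if (aa_change_hat(authresult.apparmor_hat, 0UL) < 0)`. With a non-zero token the parent profile remains reachable to anything in the session that learns the value. The failure path reuses `MSG_CHROOT_FAILED`, so the log blames chroot for an AppArmor error; a dedicated message would keep the audit trail accurate. The enclosing function starts and ends outside the hunk, so it should be confirmed that this runs under the AppArmor build guard and before any chroot that would hide the /proc interface the hat switch depends on.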
98 diff -ur pure-ftpd-1.0.49.org/src/ftpd.h pure-ftpd-1.0.49/src/ftpd.h
99 --- pure-ftpd-1.0.49.org/src/ftpd.h 2019-06-10 11:13:16.123394599 +0200
100 +++ pure-ftpd-1.0.49/src/ftpd.h 2019-06-10 11:13:52.184467185 +0200
102 #ifdef PER_USER_LIMITS
103 unsigned int per_user_max;
106 + const char *apparmor_hat;
110 typedef struct PureFileInfo_ {
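Review bot: `const char *apparmor_hat;` is declared const, yet the field owns heap memory: log_extauth.c assigns `strdup(str)` to it and ftpd.c calls `free(authresult.apparmor_hat)` with no cast, which discards the qualifier and warns on most compilers. Either declare it `char *apparmor_hat;` or use the `free((void *) ...)` cast that log_extauth.c already applies. The field would also benefit from an ownership comment such as `/* heap-allocated by the auth backend, freed by the caller after the hat switch; NULL = no hat */`. The struct body continues outside the visible lines.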
111 diff -ur pure-ftpd-1.0.49.org/src/log_extauth.c pure-ftpd-1.0.49/src/log_extauth.c
112 --- pure-ftpd-1.0.49.org/src/log_extauth.c 2019-04-03 12:38:36.000000000 +0200
113 +++ pure-ftpd-1.0.49/src/log_extauth.c 2019-06-10 11:15:54.581435088 +0200
118 +static void callback_reply_apparmor_hat(const char *str, AuthResult * const result)
122 + free((void *) (result->apparmor_hat));
123 + result->apparmor_hat = strdup(str);
131 static void callback_reply_end(const char *str, AuthResult * const result)
135 result->uid = (uid_t) 0;
136 result->gid = (gid_t) 0;
139 + result->apparmor_hat = NULL;
141 result->slow_tilde_expansion = 1;
143 if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) {
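Review bot: `result->apparmor_hat = strdup(str);` in callback_reply_apparmor_hat is not checked, so an allocation failure leaves the field NULL. Going by the `!= NULL` test in the ftpd.c hunk, the session then logs in with no hat switch at all, so the confinement fails open. An empty value from the external helper is also stored as-is and only rejected later when the hat switch fails. A checked form such as `if ((result->apparmor_hat = strdup(str)) == NULL) result->auth_ok = -1;` would refuse the login instead; adjust this to however the module signals a hard failure, since the function body is only partly visible here.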
144 diff -ur pure-ftpd-1.0.49.org/src/log_extauth.h pure-ftpd-1.0.49/src/log_extauth.h
145 --- pure-ftpd-1.0.49.org/src/log_extauth.h 2019-03-25 18:11:33.000000000 +0100
146 +++ pure-ftpd-1.0.49/src/log_extauth.h 2019-06-10 11:14:18.448581707 +0200
148 #define EXTAUTH_REPLY_RATIO_UPLOAD "ratio_upload" EXTAUTH_KEYWORD_SEP
149 #define EXTAUTH_REPLY_RATIO_DOWNLOAD "ratio_download" EXTAUTH_KEYWORD_SEP
150 #define EXTAUTH_REPLY_PER_USER_MAX "per_user_max" EXTAUTH_KEYWORD_SEP
151 +#define EXTAUTH_REPLY_APPARMOR_HAT "apparmor_hat" EXTAUTH_KEYWORD_SEP
152 #define EXTAUTH_REPLY_END "end"
155 diff -ur pure-ftpd-1.0.49.org/src/log_extauth_p.h pure-ftpd-1.0.49/src/log_extauth_p.h
156 --- pure-ftpd-1.0.49.org/src/log_extauth_p.h 2018-09-19 23:53:06.000000000 +0200
157 +++ pure-ftpd-1.0.49/src/log_extauth_p.h 2019-06-10 11:15:04.449947766 +0200
159 static void callback_reply_ratio_upload(const char *str, AuthResult * const result);
160 static void callback_reply_ratio_download(const char *str, AuthResult * const result);
161 static void callback_reply_per_user_max(const char *str, AuthResult * const result);
162 +static void callback_reply_apparmor_hat(const char *str, AuthResult * const result);
163 static void callback_reply_end(const char *str, AuthResult * const result);
165 static ExtauthCallBack extauth_callbacks[] = {
167 { EXTAUTH_REPLY_RATIO_UPLOAD, callback_reply_ratio_upload },
168 { EXTAUTH_REPLY_RATIO_DOWNLOAD, callback_reply_ratio_download },
169 { EXTAUTH_REPLY_PER_USER_MAX, callback_reply_per_user_max },
170 + { EXTAUTH_REPLY_APPARMOR_HAT, callback_reply_apparmor_hat },
171 { EXTAUTH_REPLY_END, callback_reply_end },
172 { NULL, callback_reply_end }
174 diff -ur pure-ftpd-1.0.49.org/src/log_ldap.c pure-ftpd-1.0.49/src/log_ldap.c
175 --- pure-ftpd-1.0.49.org/src/log_ldap.c 2019-04-02 16:00:40.000000000 +0200
176 +++ pure-ftpd-1.0.49/src/log_ldap.c 2019-06-10 11:13:52.184467185 +0200
178 if ((result->dir = strdup(pw->pw_dir)) == NULL) {
182 + result->apparmor_hat = NULL;
184 result->slow_tilde_expansion = 1;
185 result->auth_ok = 1; /* User found, authentication ok */
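Review bot: `result->apparmor_hat = NULL;` is repeated by hand in this backend and in log_pam.c, log_puredb.c and log_unix.c, so any backend that is missed hands ftpd.c an uninitialised pointer that it will pass to `change_hat` and `free`. The ftpd.c hunk already sets `result.apparmor_hat = NULL;` where the result is prepared. If that runs before every backend (not verifiable from these lines), the per-backend assignments are redundant, and one comment there would document the contract better: `/* backends that support hats overwrite this; NULL means stay in the parent profile */`. It is also worth stating in the README that users authenticated through these four backends are never placed in a hat.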
187 diff -ur pure-ftpd-1.0.49.org/src/log_mysql.c pure-ftpd-1.0.49/src/log_mysql.c
188 --- pure-ftpd-1.0.49.org/src/log_mysql.c 2019-06-10 11:13:16.126728032 +0200
189 +++ pure-ftpd-1.0.49/src/log_mysql.c 2019-06-10 11:13:52.184467185 +0200
191 const char *bandwidth_ul = NULL; /* stored bandwidth UL */
192 const char *bandwidth_dl = NULL; /* stored bandwidth DL */
195 + const char *apparmor_hat = NULL; /* Apparmor hat name */
197 char *escaped_account = NULL;
198 char *escaped_ip = NULL;
199 char *escaped_port = NULL;
205 + if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat,
206 + escaped_account, escaped_ip,
207 + escaped_port, escaped_peer_ip,
208 + escaped_decimal_ip)) != NULL) {
209 + result->apparmor_hat = apparmor_hat;
210 + apparmor_hat = NULL;
213 result->slow_tilde_expansion = !tildexp;
214 result->auth_ok = -result->auth_ok;
217 free((void *) bandwidth_ul);
218 free((void *) bandwidth_dl);
221 + free((void *) apparmor_hat);
223 free((void *) escaped_account);
224 free((void *) escaped_ip);
225 free((void *) escaped_port);
227 ZFREE(sqlreq_getbandwidth_ul);
228 ZFREE(sqlreq_getbandwidth_dl);
231 + ZFREE(sqlreq_getapparmor_hat);
235 extern signed char v6ready;
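Review bot: The new lookup treats a NULL from `pw_mysql_getquery(..., sqlreq_getapparmor_hat, ...)` the same whether the user has no hat, the `MYSQLGetApparmorHat` directive is unset, or the query itself failed; in each case `result->apparmor_hat` stays NULL and the login proceeds unconfined. For a control meant to restrict a session, a failed lookup should probably deny the login rather than skip the hat. At minimum the call should be guarded with `if (sqlreq_getapparmor_hat != NULL)` if the surrounding lines, which are not visible, do not already do so. The same applies to the matching hunk in src/log_pgsql.c. The ownership hand-off (`apparmor_hat = NULL;` before the cleanup `free`) is correct but deserves a comment, `/* ownership moved to result; the cleanup free() below is now a no-op */`.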
236 diff -ur pure-ftpd-1.0.49.org/src/log_mysql_p.h pure-ftpd-1.0.49/src/log_mysql_p.h
237 --- pure-ftpd-1.0.49.org/src/log_mysql_p.h 2018-09-19 23:53:06.000000000 +0200
238 +++ pure-ftpd-1.0.49/src/log_mysql_p.h 2019-06-10 11:13:52.184467185 +0200
240 static char *sqlreq_getbandwidth_ul;
241 static char *sqlreq_getbandwidth_dl;
244 +static char *sqlreq_getapparmor_hat;
246 static signed char server_down;
248 static ConfigKeywords mysql_config_keywords[] = {
250 { "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
251 { "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
254 + { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat },
259 diff -ur pure-ftpd-1.0.49.org/src/log_pam.c pure-ftpd-1.0.49/src/log_pam.c
260 --- pure-ftpd-1.0.49.org/src/log_pam.c 2019-04-02 16:00:40.000000000 +0200
261 +++ pure-ftpd-1.0.49/src/log_pam.c 2019-06-10 11:13:52.184467185 +0200
263 (void) pam_close_session(pamh, PAM_SILENT); /* It doesn't matter if it fails */
267 + result->apparmor_hat = NULL;
270 result->uid = pw.pw_uid;
271 result->gid = pw.pw_gid;
272 diff -ur pure-ftpd-1.0.49.org/src/log_pgsql.c pure-ftpd-1.0.49/src/log_pgsql.c
273 --- pure-ftpd-1.0.49.org/src/log_pgsql.c 2019-06-10 11:13:16.120061167 +0200
274 +++ pure-ftpd-1.0.49/src/log_pgsql.c 2019-06-10 11:13:52.184467185 +0200
276 const char *bandwidth_ul = NULL; /* stored bandwidth UL */
277 const char *bandwidth_dl = NULL; /* stored bandwidth DL */
280 + const char *apparmor_hat = NULL; /* Apparmor hat name */
282 char *escaped_account = NULL;
283 char *escaped_ip = NULL;
284 char *escaped_port = NULL;
290 + if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat,
291 + escaped_account, escaped_ip,
292 + escaped_port, escaped_peer_ip,
293 + escaped_decimal_ip)) != NULL) {
294 + result->apparmor_hat = apparmor_hat;
295 + apparmor_hat = NULL;
298 result->slow_tilde_expansion = 1;
299 result->auth_ok = -result->auth_ok;
302 free((void *) bandwidth_ul);
303 free((void *) bandwidth_dl);
306 + free((void *) apparmor_hat);
308 free((void *) escaped_account);
309 free((void *) escaped_ip);
310 free((void *) escaped_port);
312 ZFREE(sqlreq_getbandwidth_ul);
313 ZFREE(sqlreq_getbandwidth_dl);
316 + ZFREE(sqlreq_getapparmor_hat);
320 extern signed char v6ready;
321 diff -ur pure-ftpd-1.0.49.org/src/log_pgsql_p.h pure-ftpd-1.0.49/src/log_pgsql_p.h
322 --- pure-ftpd-1.0.49.org/src/log_pgsql_p.h 2018-09-19 23:53:06.000000000 +0200
323 +++ pure-ftpd-1.0.49/src/log_pgsql_p.h 2019-06-10 11:13:52.184467185 +0200
325 static char *sqlreq_getbandwidth_ul;
326 static char *sqlreq_getbandwidth_dl;
329 +static char *sqlreq_getapparmor_hat;
331 static signed char server_down;
333 static ConfigKeywords pgsql_config_keywords[] = {
335 { "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
336 { "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
339 + { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat },
344 diff -ur pure-ftpd-1.0.49.org/src/log_puredb.c pure-ftpd-1.0.49/src/log_puredb.c
345 --- pure-ftpd-1.0.49.org/src/log_puredb.c 2019-04-02 16:00:40.000000000 +0200
346 +++ pure-ftpd-1.0.49/src/log_puredb.c 2019-06-10 11:13:52.187800617 +0200
348 result->user_quota_size = strtoull(line, NULL, 10);
352 + result->apparmor_hat = NULL;
354 if ((line = my_strtok2(NULL, *PW_LINE_SEP)) == NULL) { /* allowed local ip */
357 diff -ur pure-ftpd-1.0.49.org/src/log_unix.c pure-ftpd-1.0.49/src/log_unix.c
358 --- pure-ftpd-1.0.49.org/src/log_unix.c 2019-04-02 16:00:40.000000000 +0200
359 +++ pure-ftpd-1.0.49/src/log_unix.c 2019-06-10 11:13:52.187800617 +0200
361 result->uid = pw.pw_uid;
362 result->gid = pw.pw_gid;
365 + result->apparmor_hat = NULL;
367 result->slow_tilde_expansion = 0;
368 result->auth_ok = -result->auth_ok;
370 diff -ur pure-ftpd-1.0.49.org/src/Makefile.am pure-ftpd-1.0.49/src/Makefile.am
371 --- pure-ftpd-1.0.49.org/src/Makefile.am 2019-03-25 16:48:42.000000000 +0100
372 +++ pure-ftpd-1.0.49/src/Makefile.am 2019-06-10 11:13:52.187800617 +0200
376 ../puredb/src/libpuredb_read.a \
378 @LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@
380 pure_ftpd_SOURCES = \
381 diff -ur pure-ftpd-1.0.49.org/src/messages_en.h pure-ftpd-1.0.49/src/messages_en.h
382 --- pure-ftpd-1.0.49.org/src/messages_en.h 2019-06-10 11:13:16.126728032 +0200
383 +++ pure-ftpd-1.0.49/src/messages_en.h 2019-06-10 11:13:52.187800617 +0200
385 #define MSG_CURRENT_DIR_IS "OK. Current directory is %s"
386 #define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s"
387 #define MSG_IS_NOW_LOGGED_IN "%s is now logged in"
388 +#define MSG_APPARMOR_HAT "User %s apparmor hat is %s"
389 #define MSG_CANT_CHANGE_DIR "Can't change directory to %s"
390 #define MSG_PATH_TOO_LONG "Path too long"
391 #define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead."