Diffstat (limited to '0005-Use-hostname-when-calling-PAM-authentication-module.patch')
-rw-r--r--0005-Use-hostname-when-calling-PAM-authentication-module.patch75
1 files changed, 75 insertions, 0 deletions
diff --git a/0005-Use-hostname-when-calling-PAM-authentication-module.patch b/0005-Use-hostname-when-calling-PAM-authentication-module.patch
new file mode 100644
index 0000000..af842f5
--- /dev/null
+++ b/0005-Use-hostname-when-calling-PAM-authentication-module.patch
@@ -0,0 +1,75 @@
+From 08c49b78942d40c99fae8c40e7668aa73e1bd695 Mon Sep 17 00:00:00 2001
+From: Martin Sehnoutka <msehnout@redhat.com>
+Date: Tue, 6 Sep 2016 15:01:23 +0200
+Subject: [PATCH 05/59] Use hostname when calling PAM authentication module.
+
+Currently the vsftpd passes all logins as IP addresses
+into PAM. This prevents administrators from setting up
+ACLs based on domain (e.g. .example.com). This patch
+enables reverse host lookup and use hostname instead
+of address if there is one.
+---
+ sysdeputil.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/sysdeputil.c b/sysdeputil.c
+index 06f01f4..b2782da 100644
+--- a/sysdeputil.c
++++ b/sysdeputil.c
+@@ -16,6 +16,10 @@
+ #include "tunables.h"
+ #include "builddefs.h"
+
++/* For gethostbyaddr, inet_addr */
++#include <netdb.h>
++#include <arpa/inet.h>
++
+ /* For Linux, this adds nothing :-) */
+ #include "port/porting_junk.h"
+
+@@ -323,6 +327,10 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
+ const struct mystr* p_remote_host)
+ {
+ int retval = -1;
++#ifdef PAM_RHOST
++ struct sockaddr_in sin;
++ struct hostent *host;
++#endif
+ pam_item_t item;
+ const char* pam_user_name = 0;
+ struct pam_conv the_conv =
+@@ -346,7 +354,12 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
+ return 0;
+ }
+ #ifdef PAM_RHOST
+- retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
++ sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host));
++ host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET);
++ if (host != (struct hostent*)0)
++ retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name);
++ else
++ retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
+ if (retval != PAM_SUCCESS)
+ {
+ (void) pam_end(s_pamh, retval);
+@@ -559,7 +572,7 @@ vsf_sysdep_has_capabilities(void)
+ }
+ return s_runtime_has_caps;
+ }
+-
++
+ #ifndef VSF_SYSDEP_HAVE_LIBCAP
+ static int
+ do_checkcap(void)
+@@ -1081,7 +1094,7 @@ vsf_sysutil_recv_fd(const int sock_fd)
+ msg.msg_flags = 0;
+ /* In case something goes wrong, set the fd to -1 before the syscall */
+ p_fd = (int*)CMSG_DATA(CMSG_FIRSTHDR(&msg));
+- *p_fd = -1;
++ *p_fd = -1;
+ retval = recvmsg(sock_fd, &msg, 0);
+ if (retval != 1)
+ {
+--
+2.14.4
+
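Review bot: The value handed to PAM_RHOST in the second sysdeputil.c hunk is `host->h_name` straight from the PTR lookup, and a PTR record is set by whoever controls the client's reverse zone, so a domain ACL like the `.example.com` case in the description can be matched by a host outside that domain. The name should be used only after a forward lookup of it returns the connecting address, falling back to the numeric string otherwise, as sketched below. The same lines ignore the `inet_addr()` failure value (`INADDR_NONE`) and handle AF_INET only, so a non-IPv4 string in p_remote_host would presumably be looked up as 255.255.255.255. The resolver call also blocks the login path, which is worth a tunable. vsf_sysdep_check_auth starts and ends outside the hunk.

```c
#ifdef PAM_RHOST
  {
    /* Give PAM a host name only when it is forward-confirmed; otherwise
     * keep the numeric address the server already trusts. */
    const char* p_rhost = str_getbuf(p_remote_host);
    char name_buf[NI_MAXHOST];
    char peer_buf[NI_MAXHOST];
    char fwd_buf[NI_MAXHOST];
    struct addrinfo hints;
    struct addrinfo* p_peer = 0;
    struct addrinfo* p_fwd = 0;
    struct addrinfo* p_ai;
    int confirmed = 0;
    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(p_rhost, 0, &hints, &p_peer) == 0 &&
        getnameinfo(p_peer->ai_addr, p_peer->ai_addrlen, peer_buf,
                    sizeof(peer_buf), 0, 0, NI_NUMERICHOST) == 0 &&
        getnameinfo(p_peer->ai_addr, p_peer->ai_addrlen, name_buf,
                    sizeof(name_buf), 0, 0, NI_NAMEREQD) == 0)
    {
      /* Forward lookup of the PTR name, restricted to the peer's family */
      hints.ai_flags = 0;
      hints.ai_family = p_peer->ai_family;
      if (getaddrinfo(name_buf, 0, &hints, &p_fwd) == 0)
      {
        for (p_ai = p_fwd; p_ai != 0 && !confirmed; p_ai = p_ai->ai_next)
        {
          confirmed =
            getnameinfo(p_ai->ai_addr, p_ai->ai_addrlen, fwd_buf,
                        sizeof(fwd_buf), 0, 0, NI_NUMERICHOST) == 0 &&
            strcmp(fwd_buf, peer_buf) == 0;
        }
        freeaddrinfo(p_fwd);
      }
    }
    if (p_peer != 0)
    {
      freeaddrinfo(p_peer);
    }
    retval = pam_set_item(s_pamh, PAM_RHOST, confirmed ? name_buf : p_rhost);
  }
  /* … unchanged: retval != PAM_SUCCESS handling … */
```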