build system: Revert all the recent additions of MK[...] knobs that
allow conditionally disabling the building of certain user space
programs in the 'base' set.

There is not enough consensus that this is the right way and a few
people had strong objections, see source-changes-d@.

mk: Add MKFINGER, MKTALK flags for not building
talk, talkd, finger, fingerd.

mk: Add a MKLFS flag for excluding the log-structured filesystem userspace
tools from the build.

Import the new apropos/whatis.

This code has been developed by Abhinav Upadhyay as part of Google's Summer
of Code 2011. It uses libmandoc to parse man pages and builds a Full
Text Index in a SQLite database. The combination of indexing the full
manual page, filtering out stop words and ranking individual matches
based on the section gives a much improved user experience.

The old makewhatis and friends are kept under MKMAKEMANDB=no for now.

branches: 1.60.4;
Upgrade Heimdal to 1.5pre1 by switching the build from crypto/dist/heimdal
to crypto/external/bsd/heimdal. The latter was just imported as the head
of the Heimdal tree as of a few days ago.

Remove ATF 0.5 from dist/atf and all of the reachover Makefiles used to
build it. 0.6 is going to be imported in external/bsd/atf, with all the
necessary Makefiles in that same hierarchy.

Don't build atf tools with (${MKATF} == no).

branches: 1.57.4;
Import Heimdal-1.1

Add the atf-exec and atf-killpg tools that come with atf 0.4.

Add the atf tools

This adds reachover Makefiles to build and install the atf tools.
Some are public, thus installed in /usr/bin, and others are internal
and therefore installed in /usr/libexec.

Add httpd to the build. Add _httpd to passwd and groups and postinstall.
Add /var/www to mtree, add example line to inetd.conf.

branches: 1.53.2;
Oops. USE_FORT needs to be in Makefile.inc, not Makefile, to cause the
programs in subdirectories here to get -D_FORTIFY_SOURCE.

Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry. RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros. Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default. Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.

more uucp cleanup

no more rmail.

move pf reachover makefiles into usr.sbin/pf. ok'ed by itojun.

before:
sbin/pfctl
usr.sbin/authpf
usr.sbin/spamdb
libexec/ftp-proxy
libexec/spamd
libexec/spamd-setup
libexec/spamlogd
after:
usr.sbin/pf/pfctl
usr.sbin/pf/authpf
usr.sbin/pf/spamdb
usr.sbin/pf/ftp-proxy
usr.sbin/pf/spamd
usr.sbin/pf/spamd-setup
usr.sbin/pf/spamlogd

spamlogd(8)

add ftp-proxy from PF OpenBSD 3.5. adjust setlists

Remove added SUBDIR+= settings from a developer's (hi itojun!) machine which
point to directories which do not exist (and are not wanted) in our source tree.

While we're here, was `libexec/spamd' approved for import? It conflicts with the
name of a tool in pkgsrc which a _lot_ of developers and users of NetBSD are using...

spamd-setup, comes with PF for openbsd 3.5

build and install spamd(8)

don't build kfd; there are security issues with heimdal 0.4e, and we
don't actually need it

Add utmp_update

branches: 1.41.2;
Split the notion of building Hesiod, Kerberos, S/key, and YP
infrastructure and using that infrastructure in programs.

* MKHESIOD, MKKERBEROS, MKSKEY, and MKYP control building
of the infratsructure (libraries, support programs, etc.)

* USE_HESIOD, USE_KERBEROS, USE_SKEY, and USE_YP control
building of support for using the corresponding API
in various libraries/programs that can use it.

As discussed on tech-toolchain.

hprop(8) belongs in /usr/sbin, not /usr/libexec.

The Kerberos KDC belongs in /usr/sbin, not in /usr/libexec.

Add MK... variables to enable/disable various aspects of building
crypto support into the system. See share/mk/bsd.README for more
a full description.

branches: 1.37.2;
Merge a bunch of things from crypto-us and crypto-intl into basesrc,
adding support for Heimdal/KTH Kerberos where easy to do so. Eliminate
bsd.crypto.mk.

There is still a bunch more work to do, but crypto is now more-or-less
fully merged into the base NetBSD distribution.

branches: 1.36.6;
added reference to bsd.crypto.mk to Makefile. whoops.

libexec now reaches over into ${CRYPTOPATH} for additional SUBDIRs.

Reenable ld.elf_so on the Alpha. Mycroft fixed the binutils 2.9 problem
which prevented it from working.

Add ld.so hacks for arm32, and reenable ld.aout_so on arm32. As is well
known, XXX this needs a real fix.

Something is making ld.elf_so lose on Alpha and I don't have time to
figure this out until tomorrow. Disable until myself or someone else
clobbers the problem.

Until such time that the arm32 hacks are added to ld.so, or at least
something is done about arm32 shlibs, do not build ld.aout_so on a vanilla
recursive make.

Add ld.aout_so to SUBDIRS

Unlike other domestic bits, telnet and telnetd are never built as a part
of the domestic build process. No domestic program actually builds its
own man pages but instead relies on those built in the exportable tree.
The result is missing telnet(1) and telnet(8) pages.

Fix this problem descending into the telnet and telnetd directories
regardless of whether we're doing an exportable build or not. Once there,
we generate only the man pages if we're building a non-exportable system.

GC alpha's ECOFF_TOOLCHAIN make variable, and related bits. Nobody
should be using an ECOFF toolchain on NetBSD/alpha any more.

merge lite-2 Makefiles (rcsids), and turn on WARNS for all of libexec.

move man pages into share/man.

descend unconditionally for clean and cleandir targets

add rmail

turn Alpha's ELF_TOOLCHAIN checks to ECOFF_TOOLCHAIN checks

telnetd is usually spelled with two "t"s.

RCS id police.

Perform the same "don't build telnet stuff if the domestic counterparts
are present in the source tree" kludge that telnet(1) and libtelnet do.
XXX !!

on the alpha, if ELF_TOOLCHAIN, add ld.elf_so to the subdirs list

Add lfs_cleanerd.

branches: 1.17.2;
Remove: bootpd

compile rpc.rquotad & rpc.sprayd

move bootpd from othersrc to libexec. add bootptab file

add identd

ELVIS IS DEAD, DAMNIT!

there will be no crond (or cron) tomorrow!

Rename crond to cron

add makewhatis

rarpd has moved

add at, by Thomas Koenig, ig25@rz.uni-karlsruhe.de

squish the bugfiler, now that we're using gnats. the bugfiler
wasn't really very useful, anyway...

Added rarpd to the subdir list

Add RCS identifiers.

Uucpd from Net2

Add rpc.rstatd, rpc.rusersd, and rpc.rwalld.

add bugfiler

branches: 1.1.1;
Initial revision

Make WARNS=5 the default here.

branches: 1.8.6;
Default to WARNS=4
Exceptions that need a lower level are:
getty ld.elf_so lfs_cleanerd makewhatis telnetd tftpd
hpropd ipropd-master ipropd-slave kadmind kpasswdd

branches: 1.7.16;
Oops. USE_FORT needs to be in Makefile.inc, not Makefile, to cause the
programs in subdirectories here to get -D_FORTIFY_SOURCE.

WFORMAT is no more...

Format string cleanups by sommerfeld.

branches: 1.4.4; 1.4.12;
merge lite-2 Makefiles (rcsids), and turn on WARNS for all of libexec.

RCS id police.

Add RCS identifiers.

branches: 1.1.1;
Initial revision

Use functions instead of preprocessor abuse.

document non-literal format strings

use bsd.own.mk instead of the (obvious typo of) bsd.obj.mk

Use ${NETBSDSRCDIR}/some/path instead of ${.CURDIR}/../../some/path

Remove useless BINOWN=root

use CPPFLAGS instead of CFLAGS

branches: 1.9.2;
merge lite-2 Makefiles (rcsids), and turn on WARNS for all of libexec.

WARNS?=1.

RCS id police.

specify man pages the new way.

get section right; from Luke Mewburn <lm@rmit.edu.au>

don't need libs hackery any longer

hack to make getloadavg() link properly

make it owned by root so cron doesn't whine...

add at, by Thomas Koenig, ig25@rz.uni-karlsruhe.de

Merge riastradh-drm2 to HEAD.

Use Mt for email addresses.

branches: 1.12.2; 1.12.4;
- Remove redundant argument to (successive) `.Nm' macro;
- copy exact line from root's crontab(5) file (and the user name
is indeed unneeded, as root's crontab(5) file is not the system's
one);
- reword the warning: cron(8) _is_ running, by default.

From patch by Bug Hunting.

While here, remove xref to itself.

branches: 1.11.56;
Formatting improvements, sort SEE ALSO and sections.

fix up various .Nm abuses:
- keep the case consistent between the actual name and what's referenced.
e.g, if it's `foo', don't use '.Nm Foo' at the start of a sentence.
- remove unnecessary `.Nm foo' after the first occurrence (except for
using `.Nm ""' if there's stuff following, or for the 2nd and so on
occurrences in a SYNOPSIS
- use Sx, Ic, Li, Em, Sq, and Xr as appropriate

remove extra period in SEE ALL section

Merge in changes from OpenBSD.

fix typo

branches: 1.6.2;
- Fix .Nm usage.
- Sort SEE ALSO list first by section.

fix typos per pr-3349 submitted by SAITOH Masanobu

RCS id police.

Misc manpages fixes (PR #551)

Fix spelling error in Copyright notice

add at, by Thomas Koenig, ig25@rz.uni-karlsruhe.de

missing <sys/stat.h> include.

branches: 1.22.2;
Use functions instead of preprocessor abuse.

NULL does not need a cast, here

According to the Oxford Dictionary of Etymology, a wether is a male sheep
or ram.

Fix build from dieter roelants

convert __attribute__s to applicable cdefs.h macros

include sys/cdefs.h so that __attribute__ can be fixed later

branches: 1.16.10;
- Don't use a stale errno when printing an error
- Redo all error printing using varargs
- KNF
- More descriptive error messages

Don't use hard-coded values for nobody. Specially ones that don't match
what /etc/group has.

Add (unsigned char) cast to ctype functions

use strlcpy

Call setsid() so that setlogname doesn't affect our parent and siblings.
(approved by christos)

err, fix arg to warn.

jeez, this program included almost everything in /usr/include!

Make scanf parameters and variable types match. This helps archs
where sizeof(int) != sizeof(long).

branches: 1.8.2;
Use LOGIN_NAME_MAX for sizing the mailname buffer. Allows usernames
longer than 8 characters to run jobs instead of aborting because
"File ... is in wrong format".

branches: 1.7.8;
Spell "privilege" correctly (correct spelling from Jonathan Stone).

<sys/fcntl.h> -> <fcntl.h>

Merge in changes from OpenBSD.

branches: 1.4.2;
WARNS?=1.

RCS id police.

properly init group list before running the job.

add at, by Thomas Koenig, ig25@rz.uni-karlsruhe.de

Don't use hard-coded values for nobody. Specially ones that don't match
what /etc/group has.

netbsd.org->NetBSD.org

sweep of my licenses (userland files w/o only my copyright) for
consistency. (no functional changes)

fix up NetBSD RCS Ids to match the standard, and the leading comment as
to match as well. No functional changes.

branches: 1.4.8;
Merge in changes from OpenBSD.

branches: 1.3.2;
RCS id police.

Fix spelling error in Copyright notice

add at, by Thomas Koenig, ig25@rz.uni-karlsruhe.de

Default to WARNS=4
Exceptions that need a lower level are:
getty ld.elf_so lfs_cleanerd makewhatis telnetd tftpd
hpropd ipropd-master ipropd-slave kadmind kpasswdd

branches: 1.6.34;
Forgot to include utmpx support for this one.

WARNS?=1. RCS ids

specify man pages the new way.

Sync with 4.4 lite

branches: 1.2.2;
Add RCS identifiers.

branches: 1.1.1;
Initial revision

s/users/user's

Also, add an xref to services(5)

branches: 1.14.28;
Update outdated comment (and docs) about which header lines are printed.
I appear to have been carrying this patch around since 2002.

2004, not 1994.

Forgot to include utmpx support for this one.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22284, verified by myself.

Begin new sentences on new lines.
Patch from Robert Elz (kre at munnari oz au).

Sort sections.

remove extra period

More and more .Os cleanups. .Os is defined in the tmac.doc-common file,
so we shouldn't override it with versions in the manpages. Many more to
come.

add -l logging switch.

Fix .Nm usage.

WARNS?=1. RCS ids

Sync with 4.4 lite

branches: 1.2.2;
Add RCS indentifiers.

branches: 1.1.1;
Initial revision

Remove useless cast, probably motivated by an older and stupider lint.

Update outdated comment (and docs) about which header lines are printed.
I appear to have been carrying this patch around since 2002.

Don't launder const

fix sign-compare issue

branches: 1.38.6;
Remove the \n and tabs from the __COPYRIGHT() strings.

Clarify how one is supposed to use the pointers returned by getutentries()
(the utmpentry.c code), specifically with respect to who owns them and
when to free them. Now they're owned by utmpentry.c, only. Abolish the
freeutentries() function, which was the wrong abstraction; add instead
endutentries(), which flushes out the internally managed memory.

Update callers as necessary. Some (e.g. talkd) had been leaking memory;
others (e.g. syslogd) had been accidentally freeing and reloading utmp
more often than necessary. There are a couple untidy bits in users and
rwhod that someone should look after sometime, maybe.

Fixes PR bin/35131, which was about talkd's memory leak.

branches: 1.36.12;
PR/36266: David A. Holland: Don't read and write sig_atomic_t variables in
signal handlers; only write them.

Remove unnecessary ctype.h from libexec/comsat/comsat.c file
From: Slava Semushin <slava.semushin@gmail.com>

Don't do things you are not supposed to inside a signal handler.

PR/30170: Markus W Kilbinger: src/libexec/comsat complains about: '/' in
"/dev/pts/1"

Fix off by one reported by David A. Holland in PR bin/26778.

Whitespace nits.

Use strtoimax rather than strtol to parse a number which represents
an offset in a file. long is insufficient on some architecture.
Problem noticed by Atsushi Onoe while ago.

stat the right file.

No need to pretty print the errno with err() or warn().

Forgot to include utmpx support for this one.

realloc mistake. from openbsd

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22284, verified by myself.

Rename `sigset' locals to avoid symbol shadowing warning.

strncpy() -> strlcpy()

ignore trailing newline which is included in the message from mail.local.

Use strtol() instead of atoi() for reading the number out of the
datagram that we received, which leads to easier support for
(ignoring) the procmail messages that specify the folder to which
the message was delivered.

When reading the mailbox, if we encounter a "From " line, we should
exit(). This can occur if there are a lot of rapidly arriving, yet
short messages.

Fix output to a tty that is missing ONLCR (eg emacs, vi, mutt,
etc.). This became broken when strvis(3) started being used instead
of simply scanning for "bad" characters.

convert to use getprogname()

fix nested extern

Un-__P and ANSIfy.

No \n in syslog messages.
_exit(-1) -> _exit(1).

Use sockaddr_storage.
Use correct var for strncpy length.

- use an array MAXHOSTNAMELEN+1 size to hold hostnames
- ensure hostname from gethostname() is nul-terminated in all cases
- minor KNF
- use MAXHOSTNAMELEN over various other values/defines
- be safe will buffers that hold hostnames

add -l logging switch.

- remove register
- KNF
- ensure hostname has trailling nul.
- use initgroups/setgid/setuid rather than just setuid, and do this earlier.
- find "from:" and "subject:" as well.
- use strvis(3) rather than some local crufty code.

Need <time.h> for time() prototype.

WARNS?=1. RCS ids

Lseek(2) usage cleanup: the use of L_SET/L_INCR/L_XTND is deprecated,
use SEEK_SET/SEEK_CUR/SEEK_END instead.

Use POSIX tty semantics.

Use POSIX signals.

Sync with 4.4 lite

Include proper header files to bring prototypes into scope

branches: 1.4.2;
better fix for security problems, and minor cleanup

Change from bicknell@csugrad.cs.vt.edu and ceharris@csugrad.cs.vt.edu.
This closes an apparent security problem on systems where users have
write access to the mail spool. Since root actually runs comsat, a
user could link their mail file to a system file that they normally
could not access, and use comsat to view said file. This fix simply
makes sure that the mail file is a REGular file.

Add RCS identifiers.

branches: 1.1.1;
Initial revision

Only compile in IPv6 support if ${USE_INET6} != "no"

MKINET6 is for providing IPv6 infrastructure.
USE_INET6 is for compiling IPv6 support into the programs (needs MKINET6).

dual-stack fingerd. Run it from inetd like:
>>finger stream tcp6 nowait nobody /usr/libexec/fingerd fingerd

Single daemon on tcp6 socket will be able to serve both IPv4 and
IPv6 connections, while you can run both if you wish.

merge lite-2 rcsids

merge lite-2 Makefiles (rcsids), and turn on WARNS for all of libexec.

`-s' for `secure' doesn't make much sense. just note that it disables
forwarding of finger requests. also, log the text of the request if
supplied. cleanup for WARNS=1.

RCS ID police.

specify man pages the new way.

Add RCS identifiers.

branches: 1.1.1;
Initial revision

Fix a sentence.

We don't have any ``name'' program, so remove its reference
and use markup to refer finger(1).

ok wiz@

branches: 1.20.78;
Some improvements from the OpenBSD version of this man page. Forwarded
by jmc@openbsd.

Consistently use 'RFC 1234' instead of 'RFC1234' or 'RFC-1234'.
From jmc@openbsd.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22284, verified by myself.

Remove some unneeded backslashes.

Bump date for -8.

Sort options.

Replace -i with -8, which enables new 8-bit pass-through on the client.

Add a switch for easy enabling of single-byte 8-bit output.

This is somewhat of a hack, but I find it better than having
to run env(1) from inetd(8), or changing the environment for
inetd(8) itself (and thus all daemons started by it).

Sort sections.

More and more .Os cleanups. .Os is defined in the tmac.doc-common file,
so we shouldn't override it with versions in the manpages. Many more to
come.

Added a "-h" option to fingerd, passed on to finger (show host, not office).

fix bad .Xr references

- Fix .Nm usage.
- Refer finger by .Xr instead of .Nm.

`-s' for `secure' doesn't make much sense. just note that it disables
forwarding of finger requests. also, log the text of the request if
supplied. cleanup for WARNS=1.

add "-g" flag: this just gets passed to finger.

RCS ID police.

PR 3089: fingerd.8 could be misleading.
Patch from Klaus Klein <kleink@layla.inka.de>, with a few minor mods by cjs.

Replace our fingerd with one from OpenBSD, which fixes some security holes
and adds new features.

Add RCS indentifiers.

branches: 1.1.1;
Initial revision

Add __printflike attribution to use vprintf and friends with an argument
as format string.

branches: 1.26.2;
Rename err() to avoid overlap with libc. Mark it dead.

apply some __UNCONST().

branches: 1.24.6;
Remove the \n and tabs from the __COPYRIGHT() strings.

branches: 1.23.20;
change (mostly) int to socklen_t. GCC 4 doesn't like that int and
socklen_t are different signness.

de-__P, ANSIfy function declarations, remove obsolete "register" declarations.

Apply patch from PR 24917 to correct option parse error reporting.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22284, verified by myself.

Replace -i with -8, which enables new 8-bit pass-through on the client.

tabify

Add a switch for easy enabling of single-byte 8-bit output.

This is somewhat of a hack, but I find it better than having
to run env(1) from inetd(8), or changing the environment for
inetd(8) itself (and thus all daemons started by it).

typo in message. PR 17528

__STDC__ is always defined on NetBSD.

branches: 1.14.2;
Use __COPYRIGHT() and __RCSID() macros.

do not touch __ss_len directly, they are not supposed to be touched.

Need <sys/param.h> for MAXHOSTNAMELEN.

branches: 1.11.2;
dual-stack fingerd. Run it from inetd like:
>>finger stream tcp6 nowait nobody /usr/libexec/fingerd fingerd

Single daemon on tcp6 socket will be able to serve both IPv4 and
IPv6 connections, while you can run both if you wish.

do not use LOG_CONS.

Added a "-h" option to fingerd, passed on to finger (show host, not office).

change <strings.h> to <string.h> to fix compiler warning

Compare a return value of getopt() against -1 instead of EOF.

`-s' for `secure' doesn't make much sense. just note that it disables
forwarding of finger requests. also, log the text of the request if
supplied. cleanup for WARNS=1.

add "-g" flag: this just gets passed to finger.

RCS ID police.

Replace our fingerd with one from OpenBSD, which fixes some security holes
and adds new features.

Add RCS identifiers.

branches: 1.1.1;
Initial revision

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22284, verified by myself.

RCS ID police.

Add RCS identifiers.

branches: 1.1.1;
Initial revision

Clean up deleted files.

initial import of 386bsd-0.1 sources

ftpd: deduplicate gcc warning avoidance
OK lukem@

bsd.own.mk: rename GCC_NO_* to CC_WNO_*

Rename compiler-warning-disable variables from
GCC_NO_warning
to
CC_WNO_warning
where warning is the full warning name as used by the compiler.

GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH

Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.

Rename blacklist -> blocklist

use strncpy...

introduce some common variables for use in GCC warning disables:

GCC_NO_FORMAT_TRUNCATION -Wno-format-truncation (GCC 7/8)
GCC_NO_STRINGOP_TRUNCATION -Wno-stringop-truncation (GCC 8)
GCC_NO_STRINGOP_OVERFLOW -Wno-stringop-overflow (GCC 8)
GCC_NO_CAST_FUNCTION_TYPE -Wno-cast-function-type (GCC 8)

use these to turn off warnings for most GCC-8 complaints. many
of these are false positives, most of the real bugs are already
commited, or are yet to come.


we plan to introduce versions of (some?) of these that use the
"-Wno-error=" form, which still displays the warnings but does
not make it an error, and all of the above will be re-considered
as either being "fix me" (warning still displayed) or "warning
is wrong."

branches: 1.65.4;
add LIBKRB5_LDADD/LIBKRB5_DPADD and their static counterparts
to bsd.prog.mk. use them instead of hard coding various lists
of libraries for krb5.

this fixes static builds.

blacklist hooks

branches: 1.63.20;
remove gcc-4.5 hack

apply some -Wno-error and/or -fno-strict-aliasing.


all of this should be looked at closer, but some of them are not
very trivial.

We no longer need -I/usr/include/krb5.

Fix WARNS=4 issues (const & sign mismatches, etc)
Ensure various ftpd.conf values can't exceed their underlying types.

branches: 1.59.6;
Support building with -DNO_INTERNAL_LS

branches: 1.58.4;
Reorganize USE_PAM support so that the reply(331,) from USER is
performed by the pam_conv (PAM conversation) callback, which then
getline()s the PASS reply internally. This involves calling
auth_pam() from user() and caching the result to use later in pass().
This allows the PAM modules to present a different password prompt
dialog if necesary. For example:
Name (localhost:lukem):
331 User lukem accepted, provide password [ otp-md4 89 xxxx12345 ].
versus
Name (localhost:lukem): root
331 User root accepted, provide password.

This is independent of (and effectively exclusive to) USE_SKEY support.

Previously ftpd with USE_SKEY=yes would provide the skey prompt
if the user had an skey configured, even if /etc/pam.d/ftpd didn't
have pam_skey in use.
I.e., ftpd shouldn't need special support for custom password prompts
(such as skey) if PAM is in use.

Complete the move of string_to_flags() and flags_to_string() from the
bin/ls sources to libutil:
o Bump libutil minor version number
o Fix uses to include <util.h> to pick up the function definitions
o Fix most uses of flags_to_string() to release the now-malloc()ed result

branches: 1.56.4; 1.56.8;
Remove more references to kerberosIV.

Add -lcrypt where -lcrypto is specified.

Introduce PAM_STATIC_LDADD and PAM_STATIC_DPADD. When compiling
with MKPIC=no, possibly because the target does not support shared
libraries, these include libraries required to resolve all symbols
which end up referenced from PAM-using applications. The libraries
presently required are -lcrypt, -lrpcsvc and -lutil.

Add use of these variables which are currently set up to use PAM,
so that they compile when MKPIC=no.

Also, in the telnetd case, reorder the order of the libraries, so
that libtelnet.a comes before -ltermcap and -lutil, again to fix
link error when MKPIC=no.

Discussed with thorpej and christos.

Add PAM and LOGIN_CAP support. Mostly from FreeBSD. If pam is defined,
then we don't fall back to other authentications even if PAM fails due
to a system error (e.g. configuration problem).

Only compile in IPv6 support if ${USE_INET6} != "no"

MKINET6 is for providing IPv6 infrastructure.
USE_INET6 is for compiling IPv6 support into the programs (needs MKINET6).

split MKKERBEROS4 from MKKERBEROS. based on work by lha at stacken.kth.se
(build confirmed with both MKKERBEROS4=yes and MKKERBEROS4=no)

use bsd.own.mk instead of the (obvious typo of) bsd.obj.mk

enable utmpx support. this doesn't work correctly for chrooted ftpd's, but
I am leaving it to luke to fix.

Disable UTMPX support for now, because ftpd might chroot and we need
to keep files open.

Use ${NETBSDSRCDIR}/some/path instead of ${.CURDIR}/../../some/path

branches: 1.46.2;
Split the notion of building Hesiod, Kerberos, S/key, and YP
infrastructure and using that infrastructure in programs.

* MKHESIOD, MKKERBEROS, MKSKEY, and MKYP control building
of the infratsructure (libraries, support programs, etc.)

* USE_HESIOD, USE_KERBEROS, USE_SKEY, and USE_YP control
building of support for using the corresponding API
in various libraries/programs that can use it.

As discussed on tech-toolchain.

- enable case insensitive fnmatch(3)ing for hostname globs in ftpusers(5)
- enable WARNS=2

- move password checking into separate valid_passwd() function, to assist
in porting to other systems.
- don't syslog() or setproctitle() "ACCT" lines (as per "PASS")
- replace #ifdef HASSETPROCTITLE with #if HAVE_SETPROCTITLE, and set the
latter #ifdef BSD4_4
- don't compile in internal `ls' #ifdef NO_INTERNAL_LS. will need Makefile
support if this is to be used on NetBSD.

Make things builds with GCC 2.96

branches: 1.42.2;
Merge a bunch of things from crypto-us and crypto-intl into basesrc,
adding support for Heimdal/KTH Kerberos where easy to do so. Eliminate
bsd.crypto.mk.

There is still a bunch more work to do, but crypto is now more-or-less
fully merged into the base NetBSD distribution.

major overhaul (just before netbsd 1.5 :-):

* implement draft-ietf-ftpext-mlst-10 commands, especially MLST and MLSD.
we already supported SIZE and MDTM. add the appropriate FEAT output lines.

* migrate a lot of the command code from ftpcmd.y and ftpd.c to cmds.c

* make dataconn(), feat(), lookup(), opts() and sizecmd() public

* modify struct tab so that it has a `flags' instead of `implemented' element,
and remove the `hasopts' element. If flags == 1, the command is implemented.
if flags == 2, the command is implemented and takes options

* add macros ISDOTDIR(x) (is x ".") and ISDOTDOTDIR(x) (is x "..")

* modify lreply() so that lreply(-2, ...) just outputs the given info without
a prefix or trailing \r\n. this saves doing b = printf(); total_* += b;

* enhance statcmd(). still needs work in the LPRT status stuff.

* crank version

branches: 1.40.2;
* don't bother with a version[] string, just use the macro as appropriate
* clean some more of the GLOBAL stuff
* fix unused var if -UHASSETPROCTITLE

* move version to separate header file
* use .Dv and .Tn in the man pages as appropriate
* KNF a bit

The following were inspired by similar changes in openbsd, but may
have additional improvements by me:
* add more check_login tests to the parser rules
* nuke a few memory leaks in the parser rules
* clear passwords before free()ing them, for safety
* don't display \r\n in setproctitle() output
* add support for -U, which enables managing /var/run/utmp entries for
connections. solves [bin/2217] by Jason Downs <downsj@teeny.org>
* fix oob handling for STAT command
* use SIG_ERR instead of -1

install ftpusers(5) as ftpchroot(5). more cleanups

separate ftpd.conf(5) and ftpusers(5) out from ftpd(8).

xxx: still needs a bit of work

* change ftpd_popen() to take char *argv[] instead of char *cmd.
the string tokenisation must be performed by the caller (which is
generally easy because it's almost always a static command).
* change do_conversion() to return a char *argv[] instead of char *cmd.
tokenisation of the command is done internally.
* change retrieve() to take char *argv[] instead of char *cmd.
(to take advantage of the above changes). fixes [bin/8173]
* use fparseln() instead of fgetln()
* store conversions in listed order (rather than reverse order)
* use stringlists instead of handrolling code to manage an argv.

branches: 1.35.4;
optionally include CRYPTOPATH Makefile.frag files.

Use bsd.crypto.mk.

dual-stack ftpd. run this from inetd, like:
>>ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll

Remove the .ifdef to compile without optimization on powerpc since the
bug that it was working around doesn't seem to exist in egcs

features/fixes:
* implement xferstats. full stats are displayed for `STAT', and a
summary is displayed upon exit (and syslogged). inspired by wu-ftpd.
* wrap data xfers in {send,receive}_data with alarm() timeouts. this
should remove the majority of the `hanging ftpd' problems that
people were still seeing. inspired by wu-ftpd.
* link with ../../bin/ls, so that bin/ls is not required under a
chroot()ed area for `LIST' to work. based on [bin/4497] from
"Soren S. Jorvang" <soren@t.dk>
* migrate code from util.c into ftpd.c, so that it doesn't conflict
with ls' util.c.
* remove man page comment about ~ftp/bin/ls being necessary.
* bump version to 7.2.0.
* syslog xfer time with xfer stats.
* if appropriate, syslog error message with command.

internal code stuff:
* change arguments of various functions from `char *' to `const char *'.
* define PLURAL(x) macro, which returns `' if x == 1, `s' otherwise.
use macro appropriately
* lreply(): a code of -1 means ``send line as is''. a code of 0
means ``send line with 4 space prefix''. don't print a space after
the `-' for any other code.
* logcmd(): add `const struct timeval *elapsed' and `const char *error'
for more flexible error reporting

Remove the crypto-related bits until such time as we have a fully-
integrated source tree. Export-controlled versions of these are now
built during the domestic build process.

* replace LOG(CMD|BYTES) macros with logcmd(), which is a cleaner
solution with less code replication. use realpath() in logcmd() so
that all logged filenames are sane.
* support `REST STREAM' in `FEAT' reply (from draft-ietf-ftpext-mlst-05)
* in 'HELP', suffix unimplemented commands with `-' instead of `*'; the
former is easier to differentiate from `+'.
* deprecate curdir() now that logcmd() doesn't use it.
* ensure all filename buffers are at least MAXPATHLEN+1 in size.
* move jmp_buf errcatch out of extern.h, removing need to #include <setjmp.h>
in every file.

* complete fix for `multiple replies returned for single parse error'
problem; move `hasyyerrored' state flag out of yylex() so that
check_{login,modify} can also set it.
* check result of check_login for PORT command
* set initial timeout before the "setjmp(); for(;;) yyparse()",
otherwise an invalid command after login incorrectly sets the timeout
to 5 minutes (rather than what was set in ftpd.conf)
* replace (char *)0 with NULL
* move yyerror() from ftpd.c to ftpcmd.y
* remove need for -Dunix, by using the version string from ftpd.c
(instead of `BSD-199506')
* move all extern-ed vars into extern.h

fix disabling of optimization on powerpc (set COPTS *after* <bsd.prog.mk>...)

.y.c <sys.mk> rule fixes. Don't create a y.tab.h file unless asked for,
and use smarter creation of the header file.

add a "checkportcmd <class>" option that stops ftp bounce attacks.

branches: 1.24.2;
SRCS must be defined *before* bsd.prog.mk is included...

Add some krb5 hooks, though it probably doesn't work yet.

Oops; fix typo.

Conditionalize s/key support.

merge lite-2 Makefiles (rcsids), and turn on WARNS for all of libexec.

Add WARNS=1

- Pass gcc -Wall
- Fix incorrect const poisoning
- Fix ftpd_popen to dynamically allocate strings to avoid buffer overruns.

* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.

* fix "cd ~" so that it works (from Simon Burge <simonb@telstra.com.au>
* move resetting of CFLAGS on powerpc to before optional CFLAGS settings
* minor code & man page cleanups

Don't compile this with -O on the PowerPC - cc1 cores.

Changes to make anonymous uploads more secure. For anonymous users:
* Set umask to 707;
* Disable UMASK, CHMOD, DELE, RMD and MKD commands.
Compile-time options let you change that umask and go back to the
old, insecure way if you like.

add -Dunix to CFLAGS

clean up RCS Id's and a couple of stype nits.
Also, fix bug 947 (reported by Luke Mewburn, extraneous vers.c)

specify man pages the new way.

As long as KERBEROS is here at least let it compile cleanly...

branches: 1.9.2;
4.4-lite, plus our local changes

add skey support

use setproctitle

some changes to make Kerberos a bit easier to use. from
Michael Graff <explorer@vorpal.com>, with some work by myself...

always use libcrypt

Add RCS identifiers.

changed to use new libcrypt scheme.

added support for using real crypt

branches: 1.1.1;
Initial revision

PR/50665: David Binderman: move "dir" to the outer scope so it stays alive
when the pointer is used later.

Fix directory stream leaks

check that stat succeeded before testing the guts of struct stat
(Manime Villard)

Fix violations of the sequence point rule.

branches: 1.31.2;
Pass WARNS=5

branches: 1.30.6;
Fix WARNS=4 issues (const & sign mismatches, etc)
Ensure various ftpd.conf values can't exceed their underlying types.

Use LLF (et al) instead of "%lld" (et al).

branches: 1.28.2;
fix for 64 bit time_t and dev_t

Crank copyright dates

Don't use non-standard "u_<foo>" types.
Strip trailing whitespace (as well as ':'s) off PAM password prompts.
Improve some debug logging related to PAM.

branches: 1.25.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.24.18;
debug -> ftpd_debug
xstrdup -> ftpd_strdup

Fixes from (or inspired by) OpenBSD:
* Fix yacc parser error recovery so that setjmp(3)/longjmp(3) is unnecessary.
* Fix SIGURG handler to set an urgflag that's later tested, rather than
abusing setjmp(3)/longjmp(3).
* Use "volatile sig_atomic_t" as the type of variables modified by sig handlers.
* Use sigaction(3) instead of signal(3) to set the signal handlers.
* Only set the main SIGALRM handler once. If we need to change it,
cache the old handler and restore appropriately...
* Remove a bunch of signal races by improving the signal handlers.
* Fix memory leak with 'ESPV ALL'.

My stuff:
* Clean up the debug message in reply(); use vsnprintf(3) instead of vsyslog(3).
* Rework parsing of OOB commands to _not_ use the yacc parser, since the
latter isn't reentrant and the hacks to work around that are ugly.
We now examine urgflag at appropriate locations and call handleoobcmd()
if it's set. Since the only OOB commands we currently implement are
ABOR and STAT, this isn't an issue. (I also can't find the reference in
RFC2228 where MIC, CONF & ENC are OOB-only commands. Go figure.)
I could clean up the is_oob stuff some more, but the remaining stuff
in ftpcmd.y is harmless and it's unnecessary churn right this moment.

branches: 1.22.2;
Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22284, verified by myself.

Fix uninitialized variable in mlsname()

ftpd was unable to service the pwd request once you entered a directory
without search permission. This confused some ftp clients.

We fix this problem by maitaining a cached path when getcwd() does not work.
The symbolic links and ../ are resolved in the cached path, and it is finnally
checked for accuracy by comparing ./ and the cached path with stat (device
and inode comparison). If the comparison fails, pwd fails as it did before,
and if the comparison succeeds, the cached path is displayed.

If paths are too long, we should just compare ./ with a truncated path and
fail, thus making pwd displaying an error as it did before.

Turns out that our implementation of STAT wasn't RFC 959 compliant.
This version is now RFC 959 compliant, using a patch adapted from one
sent in by david.leonard@eecs.uq.edu.au

openbsd libexec/ftpd/ftpd.c revision 1.69.

(see RFC959 page 36)

* enclose unknown command strings inside a pair of 's to clearly mark the
text as being the 'whole' part received.
* change a HELP reply from 214 to 504 when there is an error looking for
help on a command.

"Command not implemented." is 502, not 501 (RFC959, 4.2.1)

branches: 1.16.2;
Fixes for mlsd/mlst standards conformance issues (noted by Robert Elz):
- mlst shouldn't return cdir or pdir for type, only dir
- mlst should always provide a full path name
- mlsd should provide a full path name for the cdir entry. (providing a
full path name for the pdir entry is optional, and i punted on that).

fix previous, and ensure that closedataconn() is only called after dataconn()
and with a non-NULL file pointer. active transfers now work correctly again,
passive transfers work, and the data stream is only closed after a PASV or
EPSV if a successful connection was initiated with dataconn().

reject SIZE request for ascii file if it exceeds 10k.

crank copyrights of files changed this year
remove superfluous byte_count update in send_file_list
crank version

ensure replydirname() do not truncate the names.
From: Paul Janzen <pjanzen@foatdi.harvard.edu>

make sure we do not return stray " at the end of stirng, like bla"\0.
From: "William C. Allen" <allenwc@home.com>

Features:

* Add ftpd.conf(5) directive `advertise'; change the address that is
advertised to the client for PASV transfers. this may be useful in
certain firewall/NAT environments.

Feature requested in [bin/9606] by Scott Presnell.

* Add -X option; syslog wu-ftpd style xferlog messages, prefixed with
`xferlog: '. An example line from syslog (wrapped):
Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000
2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c

These messages can be converted to a wu-ftpd style xferlog file
suitable for parsing with third-party tools with something like:
grep 'xferlog: ' /var/log/xferlog | \
sed -e 's/^.*xferlog: //' >wuxferlog

The format is the same as the wu-ftpd xferlog entries (with the leading
syslog stuff), but different from the wu-ftpd syslogged xferlog entries
because the latter is not as easy to convert into the standard xferlog
file format.

The choice to only syslog the xferlog messages rather than append to
a /var/log/xferlog file was made because the latter doesn't work to
well in the situation where the logfile is rotated and compressed and
a long-running ftpd still has a file-descriptor to the now nonexistant
xferlog file, and the log message will then get lost.

Feature requested in [bin/11651] by Hubert Feyrer.


Fixes:

* In ftpd(8), clarify the -a and -c options.

* More clarifications in ftpd.conf(5).

* Ensure that all ftpd.conf commands set a parameter back to sane defaults
if an argument of `none' or bad settings are given.

* Support the `chroot' directive for `REAL' users too (for consistency).

* For `GUEST' users, store the supplied password in pw->pw_passwd for use
later in the xferlog.

* If show_chdir_messages() is given a code of -1, flush the cache of
visited directories. Invoke show_chdir_messages(-1) in end_login().

* Only syslog session stats if logging is requested.

* Rename logcmd() -> logxfer(), and dolog() -> logremotehost().

* Use cprintf() instead of fprintf() where appropriate.

* Minor KNF, and make a couple of functions static that were declared static.

in replydirname(), avoid one-byte overrun.
From: Kristian Vlaardingerbroek <kris@obit.nl> (to bugs@openbsd)

- new ftpd.conf directives:
maxfilesize set the maximum size of uploaded files
sanenames if set, only permit uploaded filenames that contain
characters from the set "-+,._A-Za-z0-9" and that
don't start with `.'

- new/changed command line options:
-e emailaddr define email address for %E (see below)
-P dataport use dataport as the dataport (instead of ctrlport-1)
-q use pid files to count users [default]
-Q don't use pid files to count users
-u write entries to utmp
-U don't write entries to utmp [default]
-w write entries to wtmp [default]
-W don't write entries to wtmp

NOTE: -U used to mean `write utmp entries'. Its meaning has changed
so that it's orthogonal with -q/-Q and -w/-W. This isn't
considered a major problem, because using -U isn't going to
enable something you don't want, but will disable something
you did want (which is safer).

- new display file escape sequences:
%E email address
%s literal `s' if the previous %M or %N wasn't ``1''.
%S literal `S' if the previous %M or %N wasn't ``1''.

- expand the description of building ~ftp/incoming to cover the
appropriate ftpd.conf(5) directives (which are defaults, but it pays
to explicitly explain them)

- replace strsuftoi() with strsuftoll(), which returns a long long if
supported, otherwise a long

- rework the way that check_modify and check_upload are done in the yacc
parser; they're merged into a common check_write() function which is
called explicitly

- merge all ftpclass `flag variables' into a single bitfield-based flag element

- move various common bits of parse_conf() into a couple of macros

- clean up some comments

changes to improve portability:
* replace union sockunion {} with struct sockinet {}, and modify the code
accordingly. this is possibly more portable, as it doesn't rely upon
the structure alignment within the union for our own stuff. uses local
su_len unless HAVE_SOCKADDR_SA_LEN is defined (set ifdef BSD4_4)
(XXX: haven't tested the ipv6 stuff)
* always use getaddrinfo() and getnameinfo() instead of maintaining two code
paths. (lukemftpd will provide replacements for these on older systems)
* use lockf() instead of open(.., O_EXLOCK) to lock the pid file
* minor KNF
* clean up long long support: create helper #defines and use as appropriate:
#define NO_LONG_LONG ! NO_LONG_LONG
------- ------------ --------------
LLF "%ld" "%lld"
LLFP(x) "%" x "ld" "%" x "lld"
LLT long long long
ULLF "%lu" "%llu"
ULLFP(x) "%" x "lu" "%" x "llu"
ULLT unsigned long unsigned long long
STRTOLL(x,y,z) strtol(x,y,z) strtoll(x,y,z)

base64_encode(): separate out the special case for the last 2 bytes, and
be a bit safer with signed chars. per discussion with kre.

- base64_encode(): fix garbled output due to fencepost error. output now
appears to match that of 'mimencode' (from metamail).
problem noted by kre@munnari.oz.au.
- fact_unique(): encode a combined dev_t+ino_t chunk rather than separate bits

branches: 1.4.2; 1.4.4;
rewrite method of traversing facttab[]; use size of list to terminate
not NULL terminated entry (since we need to know the size of other
reasons...)

various fixes suggested by Robert Elz:
* implement closedataconn() and use appropriately (including in mlsd())
* only put leading space in front of MLST output (not MLSD output)
* MLSD: only output pdir and cdir entries when the type fact is requested.
* change error code for giving MLSD a non-directory from 550 to 501
* remove MLSx Type fact support for UNIX.* for now; it's not standardised yet.
* do a check_login when MLSD and MLST are given no args
* detect & complain about null facts in OPTS MLST
* cache getgroups() at login instead of calling each time in fact_perm()

other mods:
* implement cprintf(); as per fprintf() but increments total_bytes{,_out}
* implement CPUTC(); as per putc() but increments total_bytes{,_out}
* implement base64_encode()
* fact_unique() display base64 encoding of dev_t and ino_t rather than
hex output; should scale if size of those changes
* change reply() so that a negative code acts as the initial line in a reply,
code == 0 prefixes the line with 4 spaces, and code > 0 works as before.
deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and
reply(0, ) respectively.
* use cprintf() and CPUTC() appropriately (often instead of printf(),
lreply(-2, ) or lreply(-1, ).
now we actually account for the data sent by MLST and MLSD.
* remove DEBUG support for sending MLSD output to control connection instead
of data connection (my ftp client now supports MLSD :-)

include <krb5/krb5.h> before including extern.h, so krb5_context is defined

major overhaul (just before netbsd 1.5 :-):

* implement draft-ietf-ftpext-mlst-10 commands, especially MLST and MLSD.
we already supported SIZE and MDTM. add the appropriate FEAT output lines.

* migrate a lot of the command code from ftpcmd.y and ftpd.c to cmds.c

* make dataconn(), feat(), lookup(), opts() and sizecmd() public

* modify struct tab so that it has a `flags' instead of `implemented' element,
and remove the `hasopts' element. If flags == 1, the command is implemented.
if flags == 2, the command is implemented and takes options

* add macros ISDOTDIR(x) (is x ".") and ISDOTDOTDIR(x) (is x "..")

* modify lreply() so that lreply(-2, ...) just outputs the given info without
a prefix or trailing \r\n. this saves doing b = printf(); total_* += b;

* enhance statcmd(). still needs work in the LPRT status stuff.

* crank version

Fix uninitialized memory usage in count_users()

If the file was previously empty, pids table is not set, the code however used
pids[0] which is uninitialized in this case. In some scenarios it may lead to
propagate garbage value from pids[0] to the file and cause writing outside of
allocated memory.

OK lukem@

branches: 1.64.22; 1.64.32; 1.64.40;
include pwd.h for password stuff

branches: 1.63.2; 1.63.8;
remove gcc-4.5 hack

Fix WARNS=4 issues (const & sign mismatches, etc)
Ensure various ftpd.conf values can't exceed their underlying types.

branches: 1.61.6;
Don't use non-standard "u_<foo>" types.
Strip trailing whitespace (as well as ':'s) off PAM password prompts.
Improve some debug logging related to PAM.

branches: 1.60.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.59.2;
Switch from lockf() to (more portable) fcntl() locking

branches: 1.58.4; 1.58.8;
fix volatile and initialization issues, from Anon Ymous

debug -> ftpd_debug
xstrdup -> ftpd_strdup

Fix comment about DEFAULT_UMASK.
Pointed out in private mail by Tetsuya Isaki and Dmitry Sivachenko.

* Add recvbufsize configuration option
This allows for setting the passive socket's SO_RCVBUF. Option works
similarly to the current sendbufsize configuration option.
* Change how recveive_data() works
When reading data from the socket for passive transfers to the server,
receive_data() now works very similar to send_data_with_read(). Reads
from the network are now done using either the filesystem block size or
the configuration option readsize chunks.
* Crank version.h
[Changes discussed with lukem.]

* Add hidesymlinks configuration option
This adds a -L to all ls command arguments so that the file or directory
the link references is listed rather than the link itself. This was
inspired by IRIX ftpd's -S option.
[Discussed with lukem some time ago.]
* Crank version.h [right Luke? :-)]

change _PATH_FOO to _NAME_FOO where FOO is not a path. I'll discuss with
luke what is the best way to fix this.

Fixes from (or inspired by) OpenBSD:
* Fix yacc parser error recovery so that setjmp(3)/longjmp(3) is unnecessary.
* Fix SIGURG handler to set an urgflag that's later tested, rather than
abusing setjmp(3)/longjmp(3).
* Use "volatile sig_atomic_t" as the type of variables modified by sig handlers.
* Use sigaction(3) instead of signal(3) to set the signal handlers.
* Only set the main SIGALRM handler once. If we need to change it,
cache the old handler and restore appropriately...
* Remove a bunch of signal races by improving the signal handlers.
* Fix memory leak with 'ESPV ALL'.

My stuff:
* Clean up the debug message in reply(); use vsnprintf(3) instead of vsyslog(3).
* Rework parsing of OOB commands to _not_ use the yacc parser, since the
latter isn't reentrant and the hacks to work around that are ugly.
We now examine urgflag at appropriate locations and call handleoobcmd()
if it's set. Since the only OOB commands we currently implement are
ABOR and STAT, this isn't an issue. (I also can't find the reference in
RFC2228 where MIC, CONF & ENC are OOB-only commands. Go figure.)
I could clean up the is_oob stuff some more, but the remaining stuff
in ftpcmd.y is harmless and it's unnecessary churn right this moment.

branches: 1.51.2;
- convert to using libc's strsuftoll(3)
- use LLT (aka 'long long type') for all numeric class parameters
- improve description of various ftpd.conf(5) options
- statcmd(): print out: mmapsize readsize writesize sendbufsize sendlowat

audit use of strto* - beware of ERANGE, as well as typecast on result.

Enable GLOB_BRACE for ftpd.conf(5)'s `notify' directive.
Now it's much easier to list multiple files...

Added CONF_LL macro, which understands raw 'strsuftoll' conf variables.

Add optional mmap(2)/write(2) support for binary file transfer.
The default is read(2)/write(2). Note that the sosend_loan needs
some more work for better performance when a file isn't cached.

branches: 1.46.2;
Add two new ftpd.conf(5) directives:
- 'denyquick'; deny a connection so tagged by ftpusers(5) after the USER
command instead of the PASS command. whilst this might provide some
info leakage of accounts names if you have some `real' or `chroot'
users enabled and not others, it does prevent accidental entering of
such passwords if you have all such users denied. This option is
strongly recommended on anonymous-only servers.
Functionality requested by Rob Windsor in [bin/12602]
- 'private'; don't display class related information in the output of STAT.
For paranoid admins.

- enable case insensitive fnmatch(3)ing for hostname globs in ftpusers(5)
- enable WARNS=2

a few changes from Mike Heffner <mheffner@vt.edu> in private email:
- totally clear a glob buffer before use, because FreeBSD depends on
some of the other fields being cleared (other than just gl_offs)
- in strend(), ensure that the source string isn't too large
- remove unnecessarily complicated sizing of proctitle, since snprintf()
will truncate it anyway

s/tise/tize/ in docco, add "advertize" as synonym for "advertise"

Initialize a pointer needed when expanding the %C "display file escape
sequence".

crank copyrights of files changed this year
remove superfluous byte_count update in send_file_list
crank version

don't leak globbed memory.

Use GLOB_LIMIT. Also fix a bug where gl_offs was not initialized and could
contain trash.

don't support t(erabyte) as a suffix in strsuftoll() #ifdef NO_LONG_LONG

Features:

* Add ftpd.conf(5) directive `advertise'; change the address that is
advertised to the client for PASV transfers. this may be useful in
certain firewall/NAT environments.

Feature requested in [bin/9606] by Scott Presnell.

* Add -X option; syslog wu-ftpd style xferlog messages, prefixed with
`xferlog: '. An example line from syslog (wrapped):
Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000
2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c

These messages can be converted to a wu-ftpd style xferlog file
suitable for parsing with third-party tools with something like:
grep 'xferlog: ' /var/log/xferlog | \
sed -e 's/^.*xferlog: //' >wuxferlog

The format is the same as the wu-ftpd xferlog entries (with the leading
syslog stuff), but different from the wu-ftpd syslogged xferlog entries
because the latter is not as easy to convert into the standard xferlog
file format.

The choice to only syslog the xferlog messages rather than append to
a /var/log/xferlog file was made because the latter doesn't work to
well in the situation where the logfile is rotated and compressed and
a long-running ftpd still has a file-descriptor to the now nonexistant
xferlog file, and the log message will then get lost.

Feature requested in [bin/11651] by Hubert Feyrer.


Fixes:

* In ftpd(8), clarify the -a and -c options.

* More clarifications in ftpd.conf(5).

* Ensure that all ftpd.conf commands set a parameter back to sane defaults
if an argument of `none' or bad settings are given.

* Support the `chroot' directive for `REAL' users too (for consistency).

* For `GUEST' users, store the supplied password in pw->pw_passwd for use
later in the xferlog.

* If show_chdir_messages() is given a code of -1, flush the cache of
visited directories. Invoke show_chdir_messages(-1) in end_login().

* Only syslog session stats if logging is requested.

* Rename logcmd() -> logxfer(), and dolog() -> logremotehost().

* Use cprintf() instead of fprintf() where appropriate.

* Minor KNF, and make a couple of functions static that were declared static.

- new ftpd.conf directives:
maxfilesize set the maximum size of uploaded files
sanenames if set, only permit uploaded filenames that contain
characters from the set "-+,._A-Za-z0-9" and that
don't start with `.'

- new/changed command line options:
-e emailaddr define email address for %E (see below)
-P dataport use dataport as the dataport (instead of ctrlport-1)
-q use pid files to count users [default]
-Q don't use pid files to count users
-u write entries to utmp
-U don't write entries to utmp [default]
-w write entries to wtmp [default]
-W don't write entries to wtmp

NOTE: -U used to mean `write utmp entries'. Its meaning has changed
so that it's orthogonal with -q/-Q and -w/-W. This isn't
considered a major problem, because using -U isn't going to
enable something you don't want, but will disable something
you did want (which is safer).

- new display file escape sequences:
%E email address
%s literal `s' if the previous %M or %N wasn't ``1''.
%S literal `S' if the previous %M or %N wasn't ``1''.

- expand the description of building ~ftp/incoming to cover the
appropriate ftpd.conf(5) directives (which are defaults, but it pays
to explicitly explain them)

- replace strsuftoi() with strsuftoll(), which returns a long long if
supported, otherwise a long

- rework the way that check_modify and check_upload are done in the yacc
parser; they're merged into a common check_write() function which is
called explicitly

- merge all ftpclass `flag variables' into a single bitfield-based flag element

- move various common bits of parse_conf() into a couple of macros

- clean up some comments

changes to improve portability:
* replace union sockunion {} with struct sockinet {}, and modify the code
accordingly. this is possibly more portable, as it doesn't rely upon
the structure alignment within the union for our own stuff. uses local
su_len unless HAVE_SOCKADDR_SA_LEN is defined (set ifdef BSD4_4)
(XXX: haven't tested the ipv6 stuff)
* always use getaddrinfo() and getnameinfo() instead of maintaining two code
paths. (lukemftpd will provide replacements for these on older systems)
* use lockf() instead of open(.., O_EXLOCK) to lock the pid file
* minor KNF
* clean up long long support: create helper #defines and use as appropriate:
#define NO_LONG_LONG ! NO_LONG_LONG
------- ------------ --------------
LLF "%ld" "%lld"
LLFP(x) "%" x "ld" "%" x "lld"
LLT long long long
ULLF "%lu" "%llu"
ULLFP(x) "%" x "lu" "%" x "llu"
ULLT unsigned long unsigned long long
STRTOLL(x,y,z) strtol(x,y,z) strtoll(x,y,z)

* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup

* add two new ftpd.conf(5) directives:
chroot specify dir to chroot to for GUEST and CHROOT users, to
override -a anondir or the user's homedir.
homedir specify dir to change to upon login; also used for ~ expansion
and $HOME for subprocesses)
both of these can take % escapes: %u (username), %d (homedir), %c (class).
* fix NLST to take a pathname not a STRING, so that ~ expansion works
* modify CWD to use the homedir parsed from curclass.homedir
* implement format_path(dst, src), to parse src expanding % escapes (see above)
into dst.
* rename format_file() to display_file()

More -Wformat cleanups.

branches: 1.31.2;
various fixes suggested by Robert Elz:
* implement closedataconn() and use appropriately (including in mlsd())
* only put leading space in front of MLST output (not MLSD output)
* MLSD: only output pdir and cdir entries when the type fact is requested.
* change error code for giving MLSD a non-directory from 550 to 501
* remove MLSx Type fact support for UNIX.* for now; it's not standardised yet.
* do a check_login when MLSD and MLST are given no args
* detect & complain about null facts in OPTS MLST
* cache getgroups() at login instead of calling each time in fact_perm()

other mods:
* implement cprintf(); as per fprintf() but increments total_bytes{,_out}
* implement CPUTC(); as per putc() but increments total_bytes{,_out}
* implement base64_encode()
* fact_unique() display base64 encoding of dev_t and ino_t rather than
hex output; should scale if size of those changes
* change reply() so that a negative code acts as the initial line in a reply,
code == 0 prefixes the line with 4 spaces, and code > 0 works as before.
deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and
reply(0, ) respectively.
* use cprintf() and CPUTC() appropriately (often instead of printf(),
lreply(-2, ) or lreply(-1, ).
now we actually account for the data sent by MLST and MLSD.
* remove DEBUG support for sending MLSD output to control connection instead
of data connection (my ftp client now supports MLSD :-)

branches: 1.30.2;
convert to ANSI C as per style guide

suppress verbose messages from CWD and post-login if the first
character of the anonymous password is `-'.

* add ftpd.conf directive `portrange class min max', which allows specification
of the port range used by passive connections. based on work in [bin/9158]
from Takahiro Kambe <taca@sky.yamashina.kyoto.jp>
* change the way global variables are defined and extern-ed to be more
consistent.

fix problem where ftpd.conf lines would match everything if there was
no template defined. noted by Vebjorn Ljosa <ljosa@initio.no>

* new ftpd.conf directive:
template class [refclass]
following directives for refclass will apply to class as well.
this makes setting up a `template' class with many default settings
easy, whilst allowing for class-specific overrides
* prevent crash when the optional limitfile wasn't given to limit
* document count_users()
* document default setting of limit in ftpd.conf(5)
* crank version

features:
* add connection limits (`limit' keyword in ftpd.conf)
* move initialisation of curclass from parse_conf() to new function
init_curclass()
* implement count_users(), which determines the number of users in a given
class. a file - /var/run/ftpd.pids-<class> - is used to store a list
of pids in use (effectively an array of pid_t's), and its size is reduced
as necessary.
* new % modifiers in format_file:
%c class
%M maximum connection count
%N current connection count
* always end_login()s, even for refused connections

bugs fixed:
* remove \n from %T output
* fix some inconsistencies in the man pages
* ensure that both `ftp' *and* `anonymous' are allowed in ftpusers.
(this was accidently broken in a recent commit to be ``or'' not ``and'')
* use MAXPATHLEN not MAXPATHLEN+1
* crank copyright date on modified files
* crank version

* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.

* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.

* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that

* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.

* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)

* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).

* update & reorder copyrights

* use strlcpy() as appropriate

* change ftpd_popen() to take char *argv[] instead of char *cmd.
the string tokenisation must be performed by the caller (which is
generally easy because it's almost always a static command).
* change do_conversion() to return a char *argv[] instead of char *cmd.
tokenisation of the command is done internally.
* change retrieve() to take char *argv[] instead of char *cmd.
(to take advantage of the above changes). fixes [bin/8173]
* use fparseln() instead of fgetln()
* store conversions in listed order (rather than reverse order)
* use stringlists instead of handrolling code to manage an argv.

check return val of sl_init() and sl_add()

branches: 1.21.4;
more kerberos5 fixes

* fix a problem in retrieve() where arguments to commands weren't working
(this was broken in the last commit). problem noticed by simonb@
* don't display the stderr output of the internal ls.
* modify usage of lreply so that generally only one `XXX-' code per
`block' is displayed; the rest of the lines have four spaces instead.
i find this easier to read.
* fix a couple places where byte accounting wasn't correct

features/fixes:
* implement xferstats. full stats are displayed for `STAT', and a
summary is displayed upon exit (and syslogged). inspired by wu-ftpd.
* wrap data xfers in {send,receive}_data with alarm() timeouts. this
should remove the majority of the `hanging ftpd' problems that
people were still seeing. inspired by wu-ftpd.
* link with ../../bin/ls, so that bin/ls is not required under a
chroot()ed area for `LIST' to work. based on [bin/4497] from
"Soren S. Jorvang" <soren@t.dk>
* migrate code from util.c into ftpd.c, so that it doesn't conflict
with ls' util.c.
* remove man page comment about ~ftp/bin/ls being necessary.
* bump version to 7.2.0.
* syslog xfer time with xfer stats.
* if appropriate, syslog error message with command.

internal code stuff:
* change arguments of various functions from `char *' to `const char *'.
* define PLURAL(x) macro, which returns `' if x == 1, `s' otherwise.
use macro appropriately
* lreply(): a code of -1 means ``send line as is''. a code of 0
means ``send line with 4 space prefix''. don't print a space after
the `-' for any other code.
* logcmd(): add `const struct timeval *elapsed' and `const char *error'
for more flexible error reporting

branches: 1.18.2;
Make this build with KERBEROS5 defined.

* actually commit the changes which add support for recognising RFC 2228
commands (even if we don't do anything with them)
* in logcmd(), syslog why realpath() failed (if it did).

* replace LOG(CMD|BYTES) macros with logcmd(), which is a cleaner
solution with less code replication. use realpath() in logcmd() so
that all logged filenames are sane.
* support `REST STREAM' in `FEAT' reply (from draft-ietf-ftpext-mlst-05)
* in 'HELP', suffix unimplemented commands with `-' instead of `*'; the
former is easier to differentiate from `+'.
* deprecate curdir() now that logcmd() doesn't use it.
* ensure all filename buffers are at least MAXPATHLEN+1 in size.
* move jmp_buf errcatch out of extern.h, removing need to #include <setjmp.h>
in every file.

* complete fix for `multiple replies returned for single parse error'
problem; move `hasyyerrored' state flag out of yylex() so that
check_{login,modify} can also set it.
* check result of check_login for PORT command
* set initial timeout before the "setjmp(); for(;;) yyparse()",
otherwise an invalid command after login incorrectly sets the timeout
to 5 minutes (rather than what was set in ftpd.conf)
* replace (char *)0 with NULL
* move yyerror() from ftpd.c to ftpcmd.y
* remove need for -Dunix, by using the version string from ftpd.c
(instead of `BSD-199506')
* move all extern-ed vars into extern.h

Add the ability to disable passive connects in ftpd.conf (breaks RFC1123,
STD3, but needed in some firewall environments).

Show/log the strerror(errno) string when getcwd fails

Fix some problems with failed getcwd commands, reported in PR bin/5531
by Saitoh Masanobu <msaitoh@spa.is.uec.ac.jp>.

Need <time.h> for time(), localtime() and ctime() prototypes.

log debug stuff using LOG_DEBUG not LOG_INFO

* change checkportcmd syntax to `checkportcmd class [off]' (as per `modify')
* display current setting of checkportcmd in STAT
* ensure that curclass.checkportcmd is initialised to 0
* document default setting of checkportcmd in ftpd(8)
* cleanup code a bit, putting code for "checkportcmd" in alphabetical order

add a "checkportcmd <class>" option that stops ftp bounce attacks.

branches: 1.7.2;
Use S_IS*(), not S_IF*.

implement '-c confdir', which allows the specification of an alternate
directory to look for the various configuration files, overriding /etc.
From Matthias Scheler <tron@lyssa.owl.de> in [bin/4133]

* don't depend upon buffer returned by fgetln() to remain. fix mainly
from Tatoku Ogaito <tacha@tera.fukui-med.ac.jp> in [bin/3967]
* fgetln() doesn't \0 terminate its string. look for the \n and replace
it with \0 (if no \n, ignore the line - it's most likely corrupt)
* more intensive checks on strdup() returns (not a current mem leak,
but depended upon code elsewhere to cleanup - not good)
* cleanup some syslog error messages

Fix files using old TNF copyright notice

missed some warnings.

- Pass gcc -Wall
- Fix incorrect const poisoning
- Fix ftpd_popen to dynamically allocate strings to avoid buffer overruns.

* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.

fix various typos in comments.

bump sizes

branches: 1.64.2; 1.64.4;
No semicolon after macro do ... while (0) wrapper.

branches: 1.63.22; 1.63.28;
Convert from __attribute__(foo) to the __foo equiv in <sys/cdefs.h>

branches: 1.62.2; 1.62.8;
Use __dead

Rename internal getline() function to get_line() so it does
conflict with the soon to be added getline(3) libc function.

Fix WARNS=4 issues (const & sign mismatches, etc)
Ensure various ftpd.conf values can't exceed their underlying types.

branches: 1.59.2;
PR/40339: Ed Ravin: make ftpd log both the hostname and numeric address.

Don't split large commands into multiple commands; just fail on them.
This prevents CSRF-like attacks, when a web browser is used to access
an ftp server.
Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.
Fix mostly derived from OpenBSD, written by Moritz Jodeit <moritz@OpenBSD.org>

branches: 1.57.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.56.10; 1.56.12;
Rename HAVE_SOCKADDR_SA_LEN to HAVE_STRUCT_SOCKADDR_SA_LEN.
Use defined(HAVE_foo) instead of just testing HAVE_foo.

branches: 1.55.4; 1.55.8;
debug -> ftpd_debug
xstrdup -> ftpd_strdup

* Add recvbufsize configuration option
This allows for setting the passive socket's SO_RCVBUF. Option works
similarly to the current sendbufsize configuration option.
* Change how recveive_data() works
When reading data from the socket for passive transfers to the server,
receive_data() now works very similar to send_data_with_read(). Reads
from the network are now done using either the filesystem block size or
the configuration option readsize chunks.
* Crank version.h
[Changes discussed with lukem.]

cleanup utmp and utmpx support.
- make them symmetric
- add a function to open the wtmp file explicitly very early in the game

branches: 1.52.2; 1.52.4; 1.52.6;
* Add hidesymlinks configuration option
This adds a -L to all ls command arguments so that the file or directory
the link references is listed rather than the link itself. This was
inspired by IRIX ftpd's -S option.
[Discussed with lukem some time ago.]
* Crank version.h [right Luke? :-)]

Don't write trash in ut_ss; either initialize it to 0, or put in the proper
information.

Fixes from (or inspired by) OpenBSD:
* Fix yacc parser error recovery so that setjmp(3)/longjmp(3) is unnecessary.
* Fix SIGURG handler to set an urgflag that's later tested, rather than
abusing setjmp(3)/longjmp(3).
* Use "volatile sig_atomic_t" as the type of variables modified by sig handlers.
* Use sigaction(3) instead of signal(3) to set the signal handlers.
* Only set the main SIGALRM handler once. If we need to change it,
cache the old handler and restore appropriately...
* Remove a bunch of signal races by improving the signal handlers.
* Fix memory leak with 'ESPV ALL'.

My stuff:
* Clean up the debug message in reply(); use vsnprintf(3) instead of vsyslog(3).
* Rework parsing of OOB commands to _not_ use the yacc parser, since the
latter isn't reentrant and the hacks to work around that are ugly.
We now examine urgflag at appropriate locations and call handleoobcmd()
if it's set. Since the only OOB commands we currently implement are
ABOR and STAT, this isn't an issue. (I also can't find the reference in
RFC2228 where MIC, CONF & ENC are OOB-only commands. Go figure.)
I could clean up the is_oob stuff some more, but the remaining stuff
in ftpcmd.y is harmless and it's unnecessary churn right this moment.

branches: 1.49.2;
Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22284, verified by myself.

Add ftpd_loginx() and ftpd_logwtmpx() and use them to hold wtmpx file
open while a session.

Close bin/21692 by bqt@Krille.Update.UU.SE.

rename local copies of login(), logout() and logwtmp() to
ftpd_login(), ftpd_logout() and ftpd_logwtmp() respectively.
(makes utmp support much easier in tnftpd).

per suggestion in mail from Mike Heffner <mheffner@vt.edu>, who
forwarded patch from Michael Ranner <mranner@inode.at>.

gidlist is nolonger an array.

- convert to using libc's strsuftoll(3)
- use LLT (aka 'long long type') for all numeric class parameters
- improve description of various ftpd.conf(5) options
- statcmd(): print out: mmapsize readsize writesize sendbufsize sendlowat

Add optional mmap(2)/write(2) support for binary file transfer.
The default is read(2)/write(2). Note that the sosend_loan needs
some more work for better performance when a file isn't cached.

branches: 1.43.2;
Add two new ftpd.conf(5) directives:
- 'denyquick'; deny a connection so tagged by ftpusers(5) after the USER
command instead of the PASS command. whilst this might provide some
info leakage of accounts names if you have some `real' or `chroot'
users enabled and not others, it does prevent accidental entering of
such passwords if you have all such users denied. This option is
strongly recommended on anonymous-only servers.
Functionality requested by Rob Windsor in [bin/12602]
- 'private'; don't display class related information in the output of STAT.
For paranoid admins.

use __NetBSD__ instead of BSD4_4 to determine if we should automatically
define HAVE_SETPROCTITLE and HAVE_SOCKADDR_SA_LEN, because certain
operating systems from a vendor which claims to be the biggest unix
vendor as of two months ago #define BSD4_4 and THEN REMOVE BITS OF THE
4.4BSD API!

anyway, this won't affect other systems which use lukemftpd (e.g,
other 4.4BSD derived systems), because autoconf will set HAVE_SETPROCTITLE
as appropriate. the point of this little code fragment is to remove the
need to have -DHAVE_SETPROCTITLE ... in our libexec/ftpd/Makefile

</rant>

crank copyrights of files changed this year
remove superfluous byte_count update in send_file_list
crank version

add 'noreturn' attribute to ftp_loop, to fix a cc warning.

As threatened, handle OOB commands from within ftpcmd.y.
This involved changing the yacc syntax to be line-oriented, rather than
having it run against the entire input at once, and adding a flag to
struct tab, to indicate if or not it's acceptable for a command to occur
OOB.

fix redundant declarations.

Features:

* Add ftpd.conf(5) directive `advertise'; change the address that is
advertised to the client for PASV transfers. this may be useful in
certain firewall/NAT environments.

Feature requested in [bin/9606] by Scott Presnell.

* Add -X option; syslog wu-ftpd style xferlog messages, prefixed with
`xferlog: '. An example line from syslog (wrapped):
Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000
2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c

These messages can be converted to a wu-ftpd style xferlog file
suitable for parsing with third-party tools with something like:
grep 'xferlog: ' /var/log/xferlog | \
sed -e 's/^.*xferlog: //' >wuxferlog

The format is the same as the wu-ftpd xferlog entries (with the leading
syslog stuff), but different from the wu-ftpd syslogged xferlog entries
because the latter is not as easy to convert into the standard xferlog
file format.

The choice to only syslog the xferlog messages rather than append to
a /var/log/xferlog file was made because the latter doesn't work to
well in the situation where the logfile is rotated and compressed and
a long-running ftpd still has a file-descriptor to the now nonexistant
xferlog file, and the log message will then get lost.

Feature requested in [bin/11651] by Hubert Feyrer.


Fixes:

* In ftpd(8), clarify the -a and -c options.

* More clarifications in ftpd.conf(5).

* Ensure that all ftpd.conf commands set a parameter back to sane defaults
if an argument of `none' or bad settings are given.

* Support the `chroot' directive for `REAL' users too (for consistency).

* For `GUEST' users, store the supplied password in pw->pw_passwd for use
later in the xferlog.

* If show_chdir_messages() is given a code of -1, flush the cache of
visited directories. Invoke show_chdir_messages(-1) in end_login().

* Only syslog session stats if logging is requested.

* Rename logcmd() -> logxfer(), and dolog() -> logremotehost().

* Use cprintf() instead of fprintf() where appropriate.

* Minor KNF, and make a couple of functions static that were declared static.

- move password checking into separate valid_passwd() function, to assist
in porting to other systems.
- don't syslog() or setproctitle() "ACCT" lines (as per "PASS")
- replace #ifdef HASSETPROCTITLE with #if HAVE_SETPROCTITLE, and set the
latter #ifdef BSD4_4
- don't compile in internal `ls' #ifdef NO_INTERNAL_LS. will need Makefile
support if this is to be used on NetBSD.

- new ftpd.conf directives:
maxfilesize set the maximum size of uploaded files
sanenames if set, only permit uploaded filenames that contain
characters from the set "-+,._A-Za-z0-9" and that
don't start with `.'

- new/changed command line options:
-e emailaddr define email address for %E (see below)
-P dataport use dataport as the dataport (instead of ctrlport-1)
-q use pid files to count users [default]
-Q don't use pid files to count users
-u write entries to utmp
-U don't write entries to utmp [default]
-w write entries to wtmp [default]
-W don't write entries to wtmp

NOTE: -U used to mean `write utmp entries'. Its meaning has changed
so that it's orthogonal with -q/-Q and -w/-W. This isn't
considered a major problem, because using -U isn't going to
enable something you don't want, but will disable something
you did want (which is safer).

- new display file escape sequences:
%E email address
%s literal `s' if the previous %M or %N wasn't ``1''.
%S literal `S' if the previous %M or %N wasn't ``1''.

- expand the description of building ~ftp/incoming to cover the
appropriate ftpd.conf(5) directives (which are defaults, but it pays
to explicitly explain them)

- replace strsuftoi() with strsuftoll(), which returns a long long if
supported, otherwise a long

- rework the way that check_modify and check_upload are done in the yacc
parser; they're merged into a common check_write() function which is
called explicitly

- merge all ftpclass `flag variables' into a single bitfield-based flag element

- move various common bits of parse_conf() into a couple of macros

- clean up some comments

changes to improve portability:
* replace union sockunion {} with struct sockinet {}, and modify the code
accordingly. this is possibly more portable, as it doesn't rely upon
the structure alignment within the union for our own stuff. uses local
su_len unless HAVE_SOCKADDR_SA_LEN is defined (set ifdef BSD4_4)
(XXX: haven't tested the ipv6 stuff)
* always use getaddrinfo() and getnameinfo() instead of maintaining two code
paths. (lukemftpd will provide replacements for these on older systems)
* use lockf() instead of open(.., O_EXLOCK) to lock the pid file
* minor KNF
* clean up long long support: create helper #defines and use as appropriate:
#define NO_LONG_LONG ! NO_LONG_LONG
------- ------------ --------------
LLF "%ld" "%lld"
LLFP(x) "%" x "ld" "%" x "lld"
LLT long long long
ULLF "%lu" "%llu"
ULLFP(x) "%" x "lu" "%" x "llu"
ULLT unsigned long unsigned long long
STRTOLL(x,y,z) strtol(x,y,z) strtoll(x,y,z)

- improve RFC2428 conformance.
return 522 on unknown protocol identifier on EPRT.
- clarify EPSV/EPRT/LPSV/LPRT behavior.
- repair memory leak and lack of boundary check on EPRT.
- make sure we do not resolve DNS on EPRT.
sync with kame.

Make this compile again without -DINET6 and without get{addr,name}info(3)
This ftpd now compiles and runs on NetBSD/1.4.2 with:

CPPFLAGS+= \
'-Dstrlcpy(a,b,c)=(strncpy(a,b,c),strlen(a))' \
'-Dstrlcat=strncat' \
'-Dsl_add(a,b)=(sl_add(a,b),0)'

* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup

* add two new ftpd.conf(5) directives:
chroot specify dir to chroot to for GUEST and CHROOT users, to
override -a anondir or the user's homedir.
homedir specify dir to change to upon login; also used for ~ expansion
and $HOME for subprocesses)
both of these can take % escapes: %u (username), %d (homedir), %c (class).
* fix NLST to take a pathname not a STRING, so that ~ expansion works
* modify CWD to use the homedir parsed from curclass.homedir
* implement format_path(dst, src), to parse src expanding % escapes (see above)
into dst.
* rename format_file() to display_file()

More format paranoia.

branches: 1.28.2;
various fixes suggested by Robert Elz:
* implement closedataconn() and use appropriately (including in mlsd())
* only put leading space in front of MLST output (not MLSD output)
* MLSD: only output pdir and cdir entries when the type fact is requested.
* change error code for giving MLSD a non-directory from 550 to 501
* remove MLSx Type fact support for UNIX.* for now; it's not standardised yet.
* do a check_login when MLSD and MLST are given no args
* detect & complain about null facts in OPTS MLST
* cache getgroups() at login instead of calling each time in fact_perm()

other mods:
* implement cprintf(); as per fprintf() but increments total_bytes{,_out}
* implement CPUTC(); as per putc() but increments total_bytes{,_out}
* implement base64_encode()
* fact_unique() display base64 encoding of dev_t and ino_t rather than
hex output; should scale if size of those changes
* change reply() so that a negative code acts as the initial line in a reply,
code == 0 prefixes the line with 4 spaces, and code > 0 works as before.
deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and
reply(0, ) respectively.
* use cprintf() and CPUTC() appropriately (often instead of printf(),
lreply(-2, ) or lreply(-1, ).
now we actually account for the data sent by MLST and MLSD.
* remove DEBUG support for sending MLSD output to control connection instead
of data connection (my ftp client now supports MLSD :-)

major overhaul (just before netbsd 1.5 :-):

* implement draft-ietf-ftpext-mlst-10 commands, especially MLST and MLSD.
we already supported SIZE and MDTM. add the appropriate FEAT output lines.

* migrate a lot of the command code from ftpcmd.y and ftpd.c to cmds.c

* make dataconn(), feat(), lookup(), opts() and sizecmd() public

* modify struct tab so that it has a `flags' instead of `implemented' element,
and remove the `hasopts' element. If flags == 1, the command is implemented.
if flags == 2, the command is implemented and takes options

* add macros ISDOTDIR(x) (is x ".") and ISDOTDOTDIR(x) (is x "..")

* modify lreply() so that lreply(-2, ...) just outputs the given info without
a prefix or trailing \r\n. this saves doing b = printf(); total_* += b;

* enhance statcmd(). still needs work in the LPRT status stuff.

* crank version

branches: 1.26.2;
convert to ANSI C as per style guide

* don't bother with a version[] string, just use the macro as appropriate
* clean some more of the GLOBAL stuff
* fix unused var if -UHASSETPROCTITLE

suppress verbose messages from CWD and post-login if the first
character of the anonymous password is `-'.

* add ftpd.conf directive `portrange class min max', which allows specification
of the port range used by passive connections. based on work in [bin/9158]
from Takahiro Kambe <taca@sky.yamashina.kyoto.jp>
* change the way global variables are defined and extern-ed to be more
consistent.

features:
* add connection limits (`limit' keyword in ftpd.conf)
* move initialisation of curclass from parse_conf() to new function
init_curclass()
* implement count_users(), which determines the number of users in a given
class. a file - /var/run/ftpd.pids-<class> - is used to store a list
of pids in use (effectively an array of pid_t's), and its size is reduced
as necessary.
* new % modifiers in format_file:
%c class
%M maximum connection count
%N current connection count
* always end_login()s, even for refused connections

bugs fixed:
* remove \n from %T output
* fix some inconsistencies in the man pages
* ensure that both `ftp' *and* `anonymous' are allowed in ftpusers.
(this was accidently broken in a recent commit to be ``or'' not ``and'')
* use MAXPATHLEN not MAXPATHLEN+1
* crank copyright date on modified files
* crank version

* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.

* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.

* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that

* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.

* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)

* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).

* update & reorder copyrights

* use strlcpy() as appropriate

* change ftpd_popen() to take char *argv[] instead of char *cmd.
the string tokenisation must be performed by the caller (which is
generally easy because it's almost always a static command).
* change do_conversion() to return a char *argv[] instead of char *cmd.
tokenisation of the command is done internally.
* change retrieve() to take char *argv[] instead of char *cmd.
(to take advantage of the above changes). fixes [bin/8173]
* use fparseln() instead of fgetln()
* store conversions in listed order (rather than reverse order)
* use stringlists instead of handrolling code to manage an argv.

branches: 1.19.4;
dual-stack ftpd. run this from inetd, like:
>>ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll

Define types for ILP32/LP64-harmonized %q[du] arguments.

* fix a problem in retrieve() where arguments to commands weren't working
(this was broken in the last commit). problem noticed by simonb@
* don't display the stderr output of the internal ls.
* modify usage of lreply so that generally only one `XXX-' code per
`block' is displayed; the rest of the lines have four spaces instead.
i find this easier to read.
* fix a couple places where byte accounting wasn't correct

features/fixes:
* implement xferstats. full stats are displayed for `STAT', and a
summary is displayed upon exit (and syslogged). inspired by wu-ftpd.
* wrap data xfers in {send,receive}_data with alarm() timeouts. this
should remove the majority of the `hanging ftpd' problems that
people were still seeing. inspired by wu-ftpd.
* link with ../../bin/ls, so that bin/ls is not required under a
chroot()ed area for `LIST' to work. based on [bin/4497] from
"Soren S. Jorvang" <soren@t.dk>
* migrate code from util.c into ftpd.c, so that it doesn't conflict
with ls' util.c.
* remove man page comment about ~ftp/bin/ls being necessary.
* bump version to 7.2.0.
* syslog xfer time with xfer stats.
* if appropriate, syslog error message with command.

internal code stuff:
* change arguments of various functions from `char *' to `const char *'.
* define PLURAL(x) macro, which returns `' if x == 1, `s' otherwise.
use macro appropriately
* lreply(): a code of -1 means ``send line as is''. a code of 0
means ``send line with 4 space prefix''. don't print a space after
the `-' for any other code.
* logcmd(): add `const struct timeval *elapsed' and `const char *error'
for more flexible error reporting

* replace LOG(CMD|BYTES) macros with logcmd(), which is a cleaner
solution with less code replication. use realpath() in logcmd() so
that all logged filenames are sane.
* support `REST STREAM' in `FEAT' reply (from draft-ietf-ftpext-mlst-05)
* in 'HELP', suffix unimplemented commands with `-' instead of `*'; the
former is easier to differentiate from `+'.
* deprecate curdir() now that logcmd() doesn't use it.
* ensure all filename buffers are at least MAXPATHLEN+1 in size.
* move jmp_buf errcatch out of extern.h, removing need to #include <setjmp.h>
in every file.

Make the external declaration of `transflag' match its definition; from R. C.
Dowdeswell <elric@mabelode.imrryr.org> in PR bin/6141.

remove nack() - missed in previous work

new features:
* implement FEAT and OPTS from RFC2389. FEAT returns SIZE and MDTM.
OPTS only works on NOOP (as a test).
* extend format of /etc/ftpchroot similar to /etc/ftpusers; each entry
can take an optional trailing `yes' or `no' which indicates if
chroot should be done (defaults to `yes').
based on patches from Ty Sarna <tsarna@endicor.com> in [bin/4769]

cleanups/bugs:
* reorder and reformat entries in yacc parser to match cmdtab[].
add a blank line between each rule.
* add short hasopts and char *options to struct tab, to support OPTS.
* deprecate upper(); use strcasecmp() instead of strcmp()
* remove unnecessary for (;;) { } in yylex();
* replace copy() and sgetsave() with xstrdup()
* fix a couple of `hasyyerrored = 1' that were accidently removed.

* complete fix for `multiple replies returned for single parse error'
problem; move `hasyyerrored' state flag out of yylex() so that
check_{login,modify} can also set it.
* check result of check_login for PORT command
* set initial timeout before the "setjmp(); for(;;) yyparse()",
otherwise an invalid command after login incorrectly sets the timeout
to 5 minutes (rather than what was set in ftpd.conf)
* replace (char *)0 with NULL
* move yyerror() from ftpd.c to ftpcmd.y
* remove need for -Dunix, by using the version string from ftpd.c
(instead of `BSD-199506')
* move all extern-ed vars into extern.h

const poisoning.

const poisoning.

Add the ability to disable passive connects in ftpd.conf (breaks RFC1123,
STD3, but needed in some firewall environments).

* change checkportcmd syntax to `checkportcmd class [off]' (as per `modify')
* display current setting of checkportcmd in STAT
* ensure that curclass.checkportcmd is initialised to 0
* document default setting of checkportcmd in ftpd(8)
* cleanup code a bit, putting code for "checkportcmd" in alphabetical order

add a "checkportcmd <class>" option that stops ftp bounce attacks.

branches: 1.5.2;
implement '-c confdir', which allows the specification of an alternate
directory to look for the various configuration files, overriding /etc.
From Matthias Scheler <tron@lyssa.owl.de> in [bin/4133]

- Pass gcc -Wall
- Fix incorrect const poisoning
- Fix ftpd_popen to dynamically allocate strings to avoid buffer overruns.

* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.

clean up RCS Id's and a couple of stype nits.
Also, fix bug 947 (reported by Luke Mewburn, extraneous vers.c)

branches: 1.1.1;
4.4-lite, plus our local changes

Remove obsolete code.

Per src/doc/CHANGES.prev support for the NI_WITHSCOPEID flag was removed
in NetBSD 1.6.

Add missing check_login checks for MLST and MLSD

branches: 1.94.8; 1.94.18; 1.94.26;
Use explicit_memset(3) instead of memset(3) to clear password

NULL does not need a cast, here

Fix memcpy usage.

PR/44390: Paul Koning: make code gcc-4.5.1 friendly.

Rename internal getline() function to get_line() so it does
conflict with the soon to be added getline(3) libc function.

Fix WARNS=4 issues (const & sign mismatches, etc)
Ensure various ftpd.conf values can't exceed their underlying types.

branches: 1.88.6;
Don't split large commands into multiple commands; just fail on them.
This prevents CSRF-like attacks, when a web browser is used to access
an ftp server.
Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.
Fix mostly derived from OpenBSD, written by Moritz Jodeit <moritz@OpenBSD.org>

branches: 1.87.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.86.10; 1.86.12;
Rename HAVE_SOCKADDR_SA_LEN to HAVE_STRUCT_SOCKADDR_SA_LEN.
Use defined(HAVE_foo) instead of just testing HAVE_foo.

Replace references from draft-ietf-ftpext-mlst-NN to RFC 3659.

branches: 1.84.4; 1.84.8;
debug -> ftpd_debug
xstrdup -> ftpd_strdup

branches: 1.83.2; 1.83.4; 1.83.6;
* Add hidesymlinks configuration option
This adds a -L to all ls command arguments so that the file or directory
the link references is listed rather than the link itself. This was
inspired by IRIX ftpd's -S option.
[Discussed with lukem some time ago.]
* Crank version.h [right Luke? :-)]

Reorder some declarations so that parsers generated by bison can compile.
Fix from Michael Richardson.

Add (unsigned char) cast to ctype functions

Fixes from (or inspired by) OpenBSD:
* Fix yacc parser error recovery so that setjmp(3)/longjmp(3) is unnecessary.
* Fix SIGURG handler to set an urgflag that's later tested, rather than
abusing setjmp(3)/longjmp(3).
* Use "volatile sig_atomic_t" as the type of variables modified by sig handlers.
* Use sigaction(3) instead of signal(3) to set the signal handlers.
* Only set the main SIGALRM handler once. If we need to change it,
cache the old handler and restore appropriately...
* Remove a bunch of signal races by improving the signal handlers.
* Fix memory leak with 'ESPV ALL'.

My stuff:
* Clean up the debug message in reply(); use vsnprintf(3) instead of vsyslog(3).
* Rework parsing of OOB commands to _not_ use the yacc parser, since the
latter isn't reentrant and the hacks to work around that are ugly.
We now examine urgflag at appropriate locations and call handleoobcmd()
if it's set. Since the only OOB commands we currently implement are
ABOR and STAT, this isn't an issue. (I also can't find the reference in
RFC2228 where MIC, CONF & ENC are OOB-only commands. Go figure.)
I could clean up the is_oob stuff some more, but the remaining stuff
in ftpcmd.y is harmless and it's unnecessary churn right this moment.

Correctly clamp illegal "SITE CHMOD" mode values. From OpenBSD.

Fix minor memory leak with fromname. Inspired by OpenBSD.

branches: 1.77.2;
Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22284, verified by myself.

Don't declare "yylex()" static; AFAICT it shouldn't be, and it causes
build problems with the output of some versions of yacc.

Fix typos accidentally introduced in rev 1.70 as part of the large
number support.
(NetBSD yacc didn't barf on these, although Solaris and HP/UX's did...)

use LLT and STRTOLL() instead of off_t and strtoull() for parsing the
"larger than int" arguments from commands. improves portability.

Fixes from Dmitry Sivachenko <demon@freebsd.org>:
- always set "curname" to something appropriate (even when logging is
not in effect).
- fix usage for "PORT" command

- convert to using libc's strsuftoll(3)
- use LLT (aka 'long long type') for all numeric class parameters
- improve description of various ftpd.conf(5) options
- statcmd(): print out: mmapsize readsize writesize sendbufsize sendlowat

* enclose unknown command strings inside a pair of 's to clearly mark the
text as being the 'whole' part received.
* change a HELP reply from 214 to 504 when there is an error looking for
help on a command.

- Change lexer to support numbers > 2^31-1 (stored in an off_t), and allow
RESTart to use the larger numbers.
Fix from Maxim Konovalov <maxim@freebsd.org>
- Update version
- Minor whitespace changes

We really, actually, positively want to apply the ftpd.conf "passive"
option to all possible *PSV commands. Some ftp servers are simply not
capable of passive connections, hence the option....

crank copyright

Implement "SITE UMASK" `enabled command' check with (modified)
check_write(), so that a user who has modify disabled gets an error
message rather than a hung connection.
Noted by M.J. Rutter <mjr19@cus.cam.ac.uk> in private email.

branches: 1.66.2;
- enable case insensitive fnmatch(3)ing for hostname globs in ftpusers(5)
- enable WARNS=2

crank copyrights of files changed this year
remove superfluous byte_count update in send_file_list
crank version

use own code instead of bother with glob() to do ~ expansion in pathname;
there's no need to support glob wildcards in this case when it's not expanded
here in the non-~ case

limit the number of matches in a ~ pathname glob, and complain if more
than one path is matched.

minor knf post aidan's oob rototill

make checkportcmd address family independent, and correct IPv4 case. PR 12558.

As threatened, handle OOB commands from within ftpcmd.y.
This involved changing the yacc syntax to be line-oriented, rather than
having it run against the entire input at once, and adding a flag to
struct tab, to indicate if or not it's acceptable for a command to occur
OOB.

Features:

* Add ftpd.conf(5) directive `advertise'; change the address that is
advertised to the client for PASV transfers. this may be useful in
certain firewall/NAT environments.

Feature requested in [bin/9606] by Scott Presnell.

* Add -X option; syslog wu-ftpd style xferlog messages, prefixed with
`xferlog: '. An example line from syslog (wrapped):
Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000
2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c

These messages can be converted to a wu-ftpd style xferlog file
suitable for parsing with third-party tools with something like:
grep 'xferlog: ' /var/log/xferlog | \
sed -e 's/^.*xferlog: //' >wuxferlog

The format is the same as the wu-ftpd xferlog entries (with the leading
syslog stuff), but different from the wu-ftpd syslogged xferlog entries
because the latter is not as easy to convert into the standard xferlog
file format.

The choice to only syslog the xferlog messages rather than append to
a /var/log/xferlog file was made because the latter doesn't work to
well in the situation where the logfile is rotated and compressed and
a long-running ftpd still has a file-descriptor to the now nonexistant
xferlog file, and the log message will then get lost.

Feature requested in [bin/11651] by Hubert Feyrer.


Fixes:

* In ftpd(8), clarify the -a and -c options.

* More clarifications in ftpd.conf(5).

* Ensure that all ftpd.conf commands set a parameter back to sane defaults
if an argument of `none' or bad settings are given.

* Support the `chroot' directive for `REAL' users too (for consistency).

* For `GUEST' users, store the supplied password in pw->pw_passwd for use
later in the xferlog.

* If show_chdir_messages() is given a code of -1, flush the cache of
visited directories. Invoke show_chdir_messages(-1) in end_login().

* Only syslog session stats if logging is requested.

* Rename logcmd() -> logxfer(), and dolog() -> logremotehost().

* Use cprintf() instead of fprintf() where appropriate.

* Minor KNF, and make a couple of functions static that were declared static.