Your message dated Wed, 06 Jan 2016 15:57:40 +0000
with message-id <[email protected]>
and subject line Bug#808595: fixed in vsftpd 3.0.3-2
has caused the Debian Bug report #808595,
regarding vsftpd: Restrict upload and download of files to certain name patterns
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
808595: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808595
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vsftpd
Severity: wishlist
Tags: patch

Dear Maintainer,

vsftpd provides very basic name-based access control via the deny_file option.
Files with names matching a provided pattern cannot be targeted by any
operation other than a directory listing.

The provided patch allows to restrict file uploads and downloads using the
same simple pattern specification as deny_file and hide_file introducing the
new options upload_file and download_file. If these options are specified, a
file is only permitted to be up- or downloaded if its name matches the
corresponding pattern - in addition to not matching deny_file.

The provision of distinct filename patterns for up- and download is useful
in many use cases where the served files (e.g. configurations) are different
from the collected ones (e.g. status reports). Especially in the context of
legacy ftp without SSL-secured access, this avoids risking the server to be
misused as a data relay for third parties.

The provided patch:
 - introduces the new options upload_file and download_file,
   -> tunables.h, tunables.c, parseconf.c
 - provides corresponding access checkers,
   -> access.h, access.c
 - utilizes these access checkers in the corresponding operations, and
   -> postlogin.c
 - documents the new options in the manual page.
   -> vsftpd.conf.5

The patch has been generated on the git repo:
 - cloned on 2015-12-21 and
 - patched with all patches included under debian/patches/.

Thus, the patch should be applied after all other patches in the root of the
repo using:

  patch -p1 < upload_download_filename_pattern.patch


Description: Restrict upload and download of files to certain name patterns.
Author: Thomas B. Preußer <[email protected]>
Last-Update: 2015-12-21
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
===================================================================
Index:  access.c
        access.h
        parseconf.c
        postlogin.c
        tunables.c
        tunables.h
        vsftpd.conf.5

--- vsftpd.orig/access.c
+++ vsftpd/access.c
@@ -12,11 +12,27 @@
 #include "tunables.h"
 #include "str.h"
 
+static int
+vsf_match_filter(struct mystr const *const p_filename_str,
+                struct mystr const *const p_access_str) {
+
+  unsigned  iters = 0;
+  if (vsf_filename_passes_filter(p_filename_str, p_access_str, &iters))
+  {
+    return 1;
+  }
+  else
+  {
+    struct str_locate_result const loc_res =
+      str_locate_str(p_filename_str, p_access_str);
+    return  loc_res.found;
+  }
+}
+
 int
 vsf_access_check_file(const struct mystr* p_filename_str)
 {
   static struct mystr s_access_str;
-  unsigned int iters = 0;
 
   if (!tunable_deny_file)
   {
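Review bot: the new vsf_match_filter helper departs from the layout used elsewhere in access.c (opening brace on the signature line, `struct mystr const *const` instead of the file's `const struct mystr*`, double spaces before `iters` and after `return`); matching the surrounding style would keep the file uniform. A one-line comment stating that the helper answers true on either a glob match or a plain substring hit would also help, because both the deny-list and the new allow-list callers now depend on that combined meaning.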
@@ -26,27 +42,21 @@
   {
     str_alloc_text(&s_access_str, tunable_deny_file);
   }
-  if (vsf_filename_passes_filter(p_filename_str, &s_access_str, &iters))
+
+  if (vsf_match_filter(p_filename_str, &s_access_str))
   {
     return 0;
   }
   else
   {
-    struct str_locate_result loc_res =
-      str_locate_str(p_filename_str, &s_access_str);
-    if (loc_res.found)
-    {
-      return 0;
-    }
+    return 1;
   }
-  return 1;
 }
 
 int
 vsf_access_check_file_visible(const struct mystr* p_filename_str)
 {
   static struct mystr s_access_str;
-  unsigned int iters = 0;
 
   if (!tunable_hide_file)
   {
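Review bot: with the substring fallback folded into vsf_match_filter, the remaining if/else in vsf_access_check_file collapses to `return !vsf_match_filter(p_filename_str, &s_access_str);`, which would read in the same direct style as the `return vsf_match_filter(...)` in the new upload/download checkers. Behaviour is identical either way, so this is a readability point only.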
@@ -56,19 +66,47 @@
   {
     str_alloc_text(&s_access_str, tunable_hide_file);
   }
-  if (vsf_filename_passes_filter(p_filename_str, &s_access_str, &iters))
+
+  if (vsf_match_filter(p_filename_str, &s_access_str))
   {
     return 0;
   }
   else
   {
-    struct str_locate_result loc_res =
-      str_locate_str(p_filename_str, &s_access_str);
-    if (loc_res.found)
-    {
-      return 0;
-    }
+    return 1;
+  }
+}
+
+int
+vsf_access_check_file_upload(const struct mystr* p_filename_str)
+{
+  static struct mystr s_access_str;
+
+  if (!tunable_upload_file)
+  {
+    return 1;
+  }
+  if (str_isempty(&s_access_str))
+  {
+    str_alloc_text(&s_access_str, tunable_upload_file);
   }
-  return 1;
+
+  return  vsf_match_filter(p_filename_str, &s_access_str);
 }
 
+int
+vsf_access_check_file_download(const struct mystr* p_filename_str)
+{
+  static struct mystr s_access_str;
+
+  if (!tunable_download_file)
+  {
+    return 1;
+  }
+  if (str_isempty(&s_access_str))
+  {
+    str_alloc_text(&s_access_str, tunable_download_file);
+  }
+
+  return  vsf_match_filter(p_filename_str, &s_access_str);
+}
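Review bot: vsf_access_check_file_upload and _download reuse vsf_match_filter, so an upload_file or download_file value without glob characters is matched as a substring (str_locate_str), exactly as deny_file is. For a deny-list that over-matching errs on the safe side; for an allow-list it widens what is permitted (upload_file=report would also admit report.exe). Suggest either requiring a full match for the two allow-list options or stating the substring behaviour explicitly in their man page entries so administrators write patterns with that in mind.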
--- vsftpd.orig/access.h
+++ vsftpd/access.h
@@ -25,5 +25,27 @@
  */
 int vsf_access_check_file_visible(const struct mystr* p_filename_str);
 
+/* vsf_access_check_file_upload()
+ * PURPOSE
+ * Check whether the current session has permission to upload a file
+ * using the given filename.
+ * PARAMETERS
+ * p_filename_str  - the filename to check upload permission for
+ * RETURNS
+ * Returns 1 if the file may be uploaded, otherwise 0.
+ */
+int vsf_access_check_file_upload(const struct mystr* p_filename_str);
+
+/* vsf_access_check_file_download()
+ * PURPOSE
+ * Check whether the current session has permission to download a file
+ * with the given filename.
+ * PARAMETERS
+ * p_filename_str  - the filename to check download permission for
+ * RETURNS
+ * Returns 1 if the file may be downloaded, otherwise 0.
+ */
+int vsf_access_check_file_download(const struct mystr* p_filename_str);
+
 #endif /* VSF_ACCESS_H */
 
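Review bot: the two new doc comments could state the behaviour the code actually implements when the option is unset: vsf_access_check_file_upload/_download return 1 unconditionally if upload_file (resp. download_file) is not configured, and deny_file is not consulted here but by the separate vsf_access_check_file() call that the postlogin.c hunks chain in front of these. That is what the man page means by "the denial takes precedence", and saying so at the declaration avoids a reader assuming the new functions subsume the deny check.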
--- vsftpd.orig/parseconf.c
+++ vsftpd/parseconf.c
@@ -171,6 +171,8 @@
   { "cmds_allowed", &tunable_cmds_allowed },
   { "hide_file", &tunable_hide_file },
   { "deny_file", &tunable_deny_file },
+  { "upload_file", &tunable_upload_file },
+  { "download_file", &tunable_download_file },
   { "user_sub_token", &tunable_user_sub_token },
   { "email_password_file", &tunable_email_password_file },
   { "rsa_cert_file", &tunable_rsa_cert_file },
--- vsftpd.orig/postlogin.c
+++ vsftpd/postlogin.c
@@ -671,7 +671,8 @@
   vsf_log_start_entry(p_sess, kVSFLogEntryDownload);
   str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
   prepend_path_to_filename(&p_sess->log_str);
-  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str) ||
+      !vsf_access_check_file_download(&p_sess->ftp_arg_str))
   {
     vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
     return;
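Review bot: the RETR path now refuses on either filter with the same FTP_NOPERM "Permission denied." reply, which is fine towards the client, but the log entry started by vsf_log_start_entry just above carries no indication of which filter rejected the transfer. Recording the reason in the log string would let operators tell a deny_file hit from a missing download_file match when tuning the patterns.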
@@ -1040,7 +1041,8 @@
   vsf_log_start_entry(p_sess, kVSFLogEntryUpload);
   str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
   prepend_path_to_filename(&p_sess->log_str);
-  if (!vsf_access_check_file(p_filename))
+  if (!vsf_access_check_file(p_filename) ||
+      !vsf_access_check_file_upload(p_filename))
   {
     vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
     return;
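Review bot: the upload path checks p_filename where the RETR hunk checks p_sess->ftp_arg_str; this is consistent with the existing vsf_access_check_file(p_filename) call it extends, but the patch description should confirm that for STOU (server-chosen unique names) the allow-list is applied to the name vsftpd will actually create rather than the client-supplied argument, since that is the name the pattern is meant to constrain.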
--- vsftpd.orig/tunables.c
+++ vsftpd/tunables.c
@@ -135,6 +135,8 @@
 const char* tunable_cmds_denied;
 const char* tunable_hide_file;
 const char* tunable_deny_file;
+const char* tunable_upload_file;
+const char* tunable_download_file;
 const char* tunable_user_sub_token;
 const char* tunable_email_password_file;
 const char* tunable_rsa_cert_file;
@@ -280,6 +282,8 @@
   install_str_setting(0, &tunable_cmds_denied);
   install_str_setting(0, &tunable_hide_file);
   install_str_setting(0, &tunable_deny_file);
+  install_str_setting(0, &tunable_upload_file);
+  install_str_setting(0, &tunable_download_file);
   install_str_setting(0, &tunable_user_sub_token);
   install_str_setting("/etc/vsftpd.email_passwords",
                       &tunable_email_password_file);
--- vsftpd.orig/tunables.h
+++ vsftpd/tunables.h
@@ -137,6 +137,8 @@
 extern const char* tunable_cmds_allowed;
 extern const char* tunable_hide_file;
 extern const char* tunable_deny_file;
+extern const char* tunable_upload_file;
+extern const char* tunable_download_file;
 extern const char* tunable_user_sub_token;
 extern const char* tunable_email_password_file;
 extern const char* tunable_rsa_cert_file;
--- vsftpd.orig/vsftpd.conf.5
+++ vsftpd/vsftpd.conf.5
@@ -847,6 +847,16 @@
 
 Default: (none)
 .TP
+.B download_file
+This option may be set to restrict downloads to files with names matching the
+specified pattern. If a filename also matches the
+.BR deny_file
+pattern, the denial takes precedence. For usage and pattern details, see the
+.BR deny_file
+option.
+
+Default: (none)
+.TP
 .B dsa_cert_file
 This option specifies the location of the DSA certificate to use for SSL
 encrypted connections.
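Review bot: `.BR deny_file` with a single argument renders the same as `.B deny_file`; `.BR` exists for alternating bold/roman text, so `.B` is the conventional macro here (the same applies to the upload_file entry below). The entry also leaves unstated that a value without glob characters is matched as a substring, as for deny_file, and that the option has no effect when unset; one sentence on each would spare readers a detour to the deny_file text.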
@@ -982,6 +992,16 @@
 
 Default: DES-CBC3-SHA
 .TP
+.B upload_file
+This option may be set to restrict uploads to files with names matching the
+specified pattern. If a filename also matches the
+.BR deny_file
+pattern, the denial takes precedence. For usage and pattern details, see the
+.BR deny_file
+option.
+
+Default: (none)
+.TP
 .B user_config_dir
 This powerful option allows the override of any config option specified in
 the manual page, on a per-user basis. Usage is simple, and is best illustrated

--- End Message ---
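As an added example (not code from vsftpd or from the patch above), a Python model of the decision the patch introduces: deny_file always wins, and upload_file / download_file, when set, must match. It approximates vsftpd's own glob matcher with fnmatch and reproduces the substring fallback inherited from vsf_match_filter, so that the allow-list behaviour of a non-glob pattern is visible.

```python
"""Model of the access decision added by the upload_file / download_file patch.

Added example, not vsftpd code. Assumptions: vsftpd's glob matcher
(vsf_filename_passes_filter, which also handles {a,b} alternation) is
approximated with fnmatch; an unset option is None, like a NULL tunable."""
from fnmatch import fnmatchcase
from typing import Optional


def match_filter(filename: str, pattern: str) -> bool:
    """Mirror vsf_match_filter(): glob match, else plain substring search
    (str_locate_str). The fallback makes patterns without wildcards broad."""
    return fnmatchcase(filename, pattern) or pattern in filename


def access_check_file(filename: str, deny_file: Optional[str]) -> bool:
    """vsf_access_check_file(): a deny_file match refuses the operation."""
    return deny_file is None or not match_filter(filename, deny_file)


def access_check_allow(filename: str, allow_file: Optional[str]) -> bool:
    """vsf_access_check_file_upload/_download(): when the option is set,
    the name must match it; when unset, everything passes."""
    return allow_file is None or match_filter(filename, allow_file)


def may_download(filename: str, deny_file: Optional[str],
                 download_file: Optional[str]) -> bool:
    """The RETR check from the postlogin.c hunk: both checks must pass."""
    return (access_check_file(filename, deny_file)
            and access_check_allow(filename, download_file))


def may_upload(filename: str, deny_file: Optional[str],
               upload_file: Optional[str]) -> bool:
    """The STOR check from the postlogin.c hunk: both checks must pass."""
    return (access_check_file(filename, deny_file)
            and access_check_allow(filename, upload_file))


# Constructed policy: serve *.conf, collect *.report, never expose *.key.
DENY_FILE, DOWNLOAD_FILE, UPLOAD_FILE = "*.key", "*.conf", "*.report"

if __name__ == "__main__":
    for name in ("router.conf", "host.key", "status.report", "notes.txt"):
        print(f"{name:14} download={may_download(name, DENY_FILE, DOWNLOAD_FILE)!s:5} "
              f"upload={may_upload(name, DENY_FILE, UPLOAD_FILE)!s:5}")
    # Caveat: a non-glob allow-list such as upload_file=report is a substring
    # match, so it also admits "report.exe".
    print("report.exe with upload_file=report:", may_upload("report.exe", None, "report"))
```

With the constructed policy, only router.conf is downloadable and only status.report is uploadable; host.key is refused in both directions because deny_file is evaluated first.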
--- Begin Message ---
Source: vsftpd
Source-Version: 3.0.3-2

We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jörg Frings-Fürst <[email protected]> (supplier of updated vsftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 25 Dec 2015 19:11:50 +0100
Source: vsftpd
Binary: vsftpd vsftpd-dbg
Architecture: source amd64
Version: 3.0.3-2
Distribution: unstable
Urgency: medium
Maintainer: John Paul Adrian Glaubitz <[email protected]>
Changed-By: Jörg Frings-Fürst <[email protected]>
Description:
 vsftpd     - lightweight, efficient FTP server written for security
 vsftpd-dbg - lightweight, efficient FTP server written for security (debug)
Closes: 804777 808595 808803
Changes:
 vsftpd (3.0.3-2) unstable; urgency=medium
 .
   * Improve UTF-8 support:
     - Merge debian/patches/0025-unconditional_utf8_report.patch
       into debian/patches/0007-utf8.patch.
     - debian/patches/0007-utf8.patch:
       + Add comment to utf8_filesystem option in vsftpd.conf (Closes: #804777).
     - Refresh debian/patches/0014-ssl-cert.patch.
   * New debian/patches/0065-upload_download_filename_pattern.patch:
     - Restrict upload and download of files with certain name patterns
       (Closes: #808595).
       Thanks to Thomas B. Preußer <[email protected]>.
   * New debian/patches/0070-realpath_wrapper.patch:
     - Filename pattern filter as used by deny_file can only match
       existing files (Closes: #808803).
       Thanks to Thomas B. Preußer <[email protected]>.
   * Add ftp to Depends in debian/tests/control to fix autopkgtest errors.


--- End Message ---
