first commit

Makefile

@@ -0,0 +1,33 @@
+# Makefile for systems with GNU tools
+CC 	=	gcc
+INSTALL	=	install
+IFLAGS  = -idirafter dummyinc
+#CFLAGS = -g
+CFLAGS	=	-O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
+	-Wall -W -Wshadow -Werror -Wformat-security \
+	-D_FORTIFY_SOURCE=2 \
+	#-pedantic -Wconversion
+
+LIBS	=	`./vsf_findlibs.sh`
+LINK	=	-Wl,-s
+LDFLAGS	=	-fPIE -pie -Wl,-z,relro -Wl,-z,now
+
+OBJS	=	main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
+		tunables.o ftpdataio.o secbuf.o ls.o \
+		postprivparent.o logging.o str.o netstr.o sysstr.o strlist.o \
+		banner.o filestr.o parseconf.o secutil.o \
+    		ascii.o oneprocess.o twoprocess.o privops.o standalone.o hash.o \
+    		tcpwrap.o ipaddrparse.o access.o features.o readwrite.o opts.o \
+    		ssl.o sslslave.o ptracesandbox.o ftppolicy.o sysutil.o sysdeputil.o \
+    		seccompsandbox.o
+
+
+.c.o:
+	$(CC) -c $*.c $(CFLAGS) $(IFLAGS)
+
+ftpz: $(OBJS) 
+	$(CC) -o ftpz $(OBJS) $(LINK) $(LDFLAGS) $(LIBS)
+
+clean:
+	rm -f *.o *.swp ftpz
+

RedHat/README.spec

@@ -0,0 +1,3 @@
+The .spec files have gone because they are old and buggy.
+All modern versions of RedHat now include vsftpd packages anyway.
+

RedHat/vsftpd.log

@@ -0,0 +1,5 @@
+/var/log/vsftpd.log {
+    # ftpd doesn't handle SIGHUP properly
+    nocompress
+    missingok
+}

RedHat/vsftpd.pam

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       required	/lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+auth       required	/lib/security/pam_unix.so shadow nullok
+auth       required	/lib/security/pam_shells.so
+account    required	/lib/security/pam_unix.so
+session    required	/lib/security/pam_unix.so

SECURITY/DESIGN

@@ -0,0 +1,146 @@
+This document explains the design goals and decisions behind vsftpd.
+
+The importance of a secure design
+=================================
+
+In a world full of good, careful coders who do not make mistakes, a secure
+design would not be necessary. After all, in the absence of any programming
+errors, security would not differ no matter how the program is arranged.
+
+Unfortunately, this is not an ideal world, and coders make plenty of mistakes.
+Even the careful coders make mistakes. Code auditing is important, and goes
+some way towards eliminating coding mistakes after the fact. However, we
+have no guarantee that an audit will catch all the flaws.
+
+So, a secure design acknowledges the possibility of undiscovered flaws, and
+takes steps to minimise the security impact these flaws can have. An obvious
+example of something we want to do is to apply the principle of least
+privilege, which ensure that every part of the program runs with the privilege
+it needs and no more.
+
+An example of insecure design
+=============================
+
+Examples of insecure design may be found in most other ftpd's. That's one of
+the reasons vsftpd has been written. We'll pick on wu-ftpd as a specific
+example, since it is rumoured to run about half of all ftp services.
+
+If I log on to wu-ftpd as an anonymous user, a process is run on my behalf to
+serve my ftp session. Unfortunately, this process typically runs with full
+root privileges on the remote machine. This means that any security flaw
+present in parsing the copious ftp protocol will lead to full compromise of
+that machine. Two concrete examples are the recent wu-ftpd format string bug
+(June 1999), and a buffer overflow dealing with large paths a few months
+beforehand.
+
+Even OpenBSD's ftpd-BSD had a format string bug leading to remote root
+compromise of the affected machine, illustrating an earlier point about the
+requirement for secure design even in the presence of heavy auditing.
+
+Secure design under UNIX
+========================
+
+vsftpd is written to run under UNIX-like operating systems, and so its secure
+design is constrained by the facilities offered by UNIX. Ideally, UNIX would
+have a proper security model which would offer fine grained access control
+to all system interactions (files, network, etc). It doesn't, but it does
+offer some useful and often overlooked facilities which help us to implement
+the principle of least privilege:
+
+- Strong inter-process communication facilities
+
+In UNIX, the process is a strongly defined boundary. Different privilege
+credentials may be assigned to different processes, which are not able to
+interfere with each other. This is a very basic facility of UNIX.
+
+It makes sense to use this facility to totally separate parts of a program
+which do not need to be privileged (most) from those parts that do (typically
+minimal).
+
+The privileged and unprivileged parts of the program then communicate via
+one of many UNIX IPC mechanisms - perhaps a socketpair or IPC (the former
+is attractive because UNIX lets you pass file handles over a socket).
+
+The minimal privileged process exercises the "principle of distrust" - it
+carefully filters what the unprivileged process asks it to do, so that even
+if the unprivileged process is compromised, it cannot ask the privileged
+process to do anything we don't want to allow.
+
+- chroot()
+
+chroot() is an often overlooked but useful tool. It can be used very
+effectively as a damage limitation tool.
+
+Imagine a remotely compromised process which does not run as root, but also
+does not use chroot(). Now look at what the attacker can do. Amongst the worst
+items are pilfering of all publicly readable files, and also attempting to
+execute any publicly executable suid-root programs to try and elevate
+privilege.
+
+Now imagine the same compromised process with a chroot() to an empty directory.
+The attackers options to do unpleasant things are substantially diminished.
+
+No, chroot() is not the ideal way to do what we have just accomplished, but
+it is what we have got to work with. In an ideal environment with fine
+grained security, we would default to having access to _no_ files at all, and
+deliberately not ask for access to any.
+
+- Capabilities (Linux 2.2+)
+
+Like chroot(), capabilities are essentially a damage limitation excercise.
+They are also much less widespread than the other UNIX facilities detailled
+above. Nonetheless, they warrant mentioning because Linux has them, and they
+are used in vsftpd because that is the primary devlopment platform.
+
+Capabilities split up the all powerful root privilege into lots of sometimes
+orthogonal privileges. Some of the capabilities represent privileges which
+are often the basis for requiring a program to run with full root privileges.
+Examples include CAP_NET_RAW (ping, traceroute) and CAP_NET_BIND_SERVICE
+(rlogin).
+
+By using capabilities to ensure we only have the privilege we need (within
+the somewhat disappointing granularity they offer), we again limit the
+potential damage of security holes.
+
+Presenting vsftpd's secure design
+=================================
+
+vsftpd employs a secure design. The UNIX facilities outlined above are used
+to good effect. The design decisions taken are as follows:
+
+1) All parsing and acting on potentially malicious remote network data is
+done in a process running as an unprivileged user. Furthermore, this process
+runs in a chroot() jail, ensuring only the ftp files area is accessible.
+
+2) Any privileged operations are handled in a privileged parent process. The
+code for this privileged parent process is as small as possible for safety.
+
+3) This same privileged parent process receives requests from the unprivileged
+child over a socket. All requests are distrusted. Here are example requests:
+- Login request. The child sends username and password. Only if the details
+are correct does the privileged parent launch a new child with the appropriate
+user credentials.
+- chown() request. The child may request a recently uploaded file gets
+chown'ed() to root for security purposes. The parent is careful to only allow
+chown() to root, and only from files owned by the ftp user.
+- Get privileged socket request. The ftp protocol says we are supposed to
+emit data connections from port 20. This requires privilege. The privileged
+parent process creates the privileged socket and passes it to child over
+the socket.
+
+4) This same privileged parent process makes use of capabilities and chroot(),
+to run with the least privilege required. After login, depending on what
+options have been selected, the privileged parent dynamically calculates what
+privileges it requires. In some cases, this amounts to no privilege, and the
+privileged parent just exits, leaving no part of vsftpd running with
+privilege.
+
+5) vsftpd-2.0.0 introduces SSL / TLS support using OpenSSL. ALL SSL
+protocol parsing is performed in a chroot() jail, running under an unprivileged
+user. This means both pre-authenticated and post-authenticated SSL protocol
+parsing; it's actually quite hard to do, but vsftpd manages it in the name of
+being secure. I'm unaware of any other FTP server which supports both SSL / TLS
+and privilege separation, and gets this right.
+
+Comments on this document are welcomed.
+

SECURITY/IMPLEMENTATION

@@ -0,0 +1,44 @@
+This document details a few steps and decisions taken to ensure vsftpd is free
+of common implementation flaws.
+
+Tackling the buffer overflow
+============================
+
+Probably the most common implementation flaw causing security problems is the
+buffer overflow. Buffer overflows come in many shapes and sizes - overflows
+onto the stack, overflows off the end of dynamically malloc()'ed areas,
+overflows into static data areas. They range from easy to spot (where a user
+can put an arbitrary length string into a fixed size buffer), to very
+difficult to spot - buffer size miscalculations or single byte overflows. Or
+convoluted code where the buffer's definition and various usages are far
+apart.
+
+The problem is that people insist on replicating buffer size handling code
+and buffer size security checks many times (or, of course, they omit size
+checks altogther). It is little surprise, then, that sometimes errors creep
+in to the checks.
+
+The correct solution is to hide the buffer handling code behind an API. All
+buffer allocating, copying, size calculations, extending, etc. are done by
+a single piece of generic code. The size security checks need to be written
+once. You can concentrate on getting this one instance of code correct.
+
+From the client's point of view, they are no longer dealing with a buffer. The
+buffer is encapsulated within the buffer API. All modifications to the buffer
+safely go through the API. If this sounds familiar, it is because what vsftpd
+implements is very similar to a C++ string class. You can do OO programming
+in C too, you know ;-)
+
+A key point of having the buffer API in place is that it is MORE DIFFICULT to
+abuse the API than it is to use it properly. Try and create a buffer memory
+corruption or overflow scenario using just the buffer API.
+
+
+Unfortunately, secure string/buffer usage through a common API has not caught
+on much, despite the benefits it brings. Is it under publicised as a solution?
+Or do people have too much sentimental attachment to strcpy(), strlen(),
+malloc(), strcat() etc? Of notable exception, it is my understanding that at
+least the rather secure qmail program uses secure buffer handling, and I'd
+expect that to extend to all Dan Bernstein software. (Let me know of other good
+examples).
+

SECURITY/OVERVIEW

@@ -0,0 +1,12 @@
+The documents in this directory contain information about the security of
+vsftpd. They explain why various aspects of vsftpd were coded the way they
+are.
+
+File                Contents
+
+DESIGN              Comments on the overall architecture of vsftpd, from a
+                    security standpoint.
+IMPLEMENTATION      Comments on steps taken to ensure a secure implementation.
+TRUST               Comments on external components trusted or distrusted by
+                    vsftpd.
+

SECURITY/TRUST

@@ -0,0 +1,118 @@
+This document describes what the vsftpd code trusts, what it doesn't trust, and
+the reasoning behind any trust decisions.
+
+The importance of trust and trust relationships
+===============================================
+
+Imagine a largely well written and secure piece of code. Now imagine that this
+piece of code delegates a task to an external program, perhaps in the name of
+code reuse. Now, if this external program is sloppily coded and insecure, we've
+wasted a lot of effort making our original program secure; our erroneous trust
+of the buggy external program means we have a security leak, even though we
+were careful in _our_ code.
+
+There is a very similar situation with buggy library APIs. Imagine our secure
+program calling some complex library function which lets the side down by
+containing a security hole.
+
+Lets put some concrete examples on the two similar above considerations. We can
+even give examples in the context of FTP daemons.
+
+1) External /bin/ls helper
+
+A very common operation asked of FTP servers is to provide a directory listing.
+Unfortunately, convention seems to be to emit the directory listing in UNIX
+"/bin/ls -l" format. Even the Microsoft FTP service can be observed to do this.
+When writing an FTP server for the UNIX platform, then, this leads to the
+temptation to reuse /bin/ls as a child process, to avoid having to rewrite a
+load of code to handle directory listings.
+
+Even more unfortunately, FTP server writers seem to want to adopt the
+versatility of the average /bin/ls implementation. This means they allow
+clients to specify arbitrary parameters to /bin/ls.
+
+By using an external /bin/ls command, we would tie the security of our FTP
+server to that of the /bin/ls code. Be careful not to underestimate the amount
+of code paths in /bin/ls which are explorable by a remote malicious user. GNU
+/bin/ls has a myriad of options. Some of these options are complex such as -I
+or the various formatting options. All it takes is a single coding flaw in the
+handling of one of these options, and your FTP security is in trouble.
+
+By using an external /bin/ls, you also inherit the risk of any dangerous or
+complex APIs it uses. For example, calls to libc's complex fnmatch() or
+glob() functions, which will get given arbitrary malicious user controlled
+data as the search patterns. Also remember that users (and sometimes remote
+users) can upload/create files, and filenames are a very prominent input
+to /bin/ls.
+
+To conclude: vsftpd has no intention of using an external /bin/ls program
+because of the risks outlined above. Even if I were to audit e.g. GNU
+fileutils /bin/ls, and also important parts of glibc, this would still leave
+security in an unknown state on other platforms. The solution I have employed
+is to write a minimal internal implementation of a /bin/ls listing generator;
+it's hardly difficult. As a happy side effect, this will boost performance by
+avoiding unneccesary fork()s and exec()s!
+
+Here's some quick data about FTP servers which tend to use external ls
+programs:
+
+ftp.wuftpd.org:
+ftp> ls --version
+227 Entering Passive Mode (x.x.x.x.x.x)
+150 Opening ASCII mode data connection for /bin/ls.
+ls (GNU fileutils) 3.16
+226 Transfer complete.
+
+ftp.digital.com:
+ftp> ls -v
+227 Entering Passive Mode (x.x.x.x.x.x)
+150 Opening ASCII mode data connection for /bin/ls.
+/bin/ls: illegal option -- v
+usage: ls [ -1ACFLRabcdfgilmnopqrstux ]  [files]
+226 Transfer complete.
+
+Note that /bin/ls is not the only external program invoked by common FTP
+servers such as wu-ftpd. wu-ftpd also has the ability to invoke "tar" and
+"gzip" on the fly, so there are trust relationships there too.
+
+
+2) Complex library APIs
+
+vsftpd is very careful to avoid using library calls which are potentially
+dangerous. I would typically classify calls as dangerous if they interact
+with the network non-trivially, or take malicious user supplied data and
+start parsing it in a major way.
+
+Some examples are clearly required (vsftpd avoids using any of the following):
+
+1) fnmatch(). This is the libc glob pattern matcher. The danger comes
+from the fact that the user supplies the glob pattern - "ls *.mp3" would
+be a simple example. Furthermore, glob pattern matching is complex and
+involves a lot of string handling.
+
+2) gethostbyaddr(). This is a libc call to resolve an IP address to a hostname.
+Unfortunately, doing this is quite complicated. When you call gethostbyaddr(),
+a lot of work goes on under the covers. This usually involves making a network
+call out to the DNS server, and, dangerously, parsing the response.
+
+For clarity (and clarity is a very important part of security), all external
+APIs used by vsftpd are encapsulated within two "system interaction" files,
+named "sysutil.c", and "sysdeputil.c" (for the more variable/system dependent
+calls). This provides a convenient audit point for ascertaining which calls
+vsftpd trusts.
+
+vsftpd-2.0.0 introduces SSL / TLS support using OpenSSL. OpenSSL is a massive
+quantity of code which is essentially parsing complex protocol under the full
+control of remote malicious clients. SSL / TLS is disabled by default, both
+at compile time and run time. This forces packagers and administrators to make
+the decision that they trust the OpenSSL library. I personally haven't yet
+formed an opinion on whether I consider the OpenSSL code trustworthy.
+
+
+Summary
+=======
+
+Be very aware of what APIs and/or programs you are trusting, or you might end
+up creating a trust relationship which makes your program exploitable --
+through no direct fault of your own.
+

access.c

@@ -0,0 +1,74 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * access.c
+ *
+ * Routines to do very very simple access control based on filenames.
+ */
+
+#include "access.h"
+#include "ls.h"
+#include "tunables.h"
+#include "str.h"
+
+int
+vsf_access_check_file(const struct mystr* p_filename_str)
+{
+  static struct mystr s_access_str;
+  unsigned int iters = 0;
+
+  if (!tunable_deny_file)
+  {
+    return 1;
+  }
+  if (str_isempty(&s_access_str))
+  {
+    str_alloc_text(&s_access_str, tunable_deny_file);
+  }
+  if (vsf_filename_passes_filter(p_filename_str, &s_access_str, &iters))
+  {
+    return 0;
+  }
+  else
+  {
+    struct str_locate_result loc_res =
+      str_locate_str(p_filename_str, &s_access_str);
+    if (loc_res.found)
+    {
+      return 0;
+    }
+  }
+  return 1;
+}
+
+int
+vsf_access_check_file_visible(const struct mystr* p_filename_str)
+{
+  static struct mystr s_access_str;
+  unsigned int iters = 0;
+
+  if (!tunable_hide_file)
+  {
+    return 1;
+  }
+  if (str_isempty(&s_access_str))
+  {
+    str_alloc_text(&s_access_str, tunable_hide_file);
+  }
+  if (vsf_filename_passes_filter(p_filename_str, &s_access_str, &iters))
+  {
+    return 0;
+  }
+  else
+  {
+    struct str_locate_result loc_res =
+      str_locate_str(p_filename_str, &s_access_str);
+    if (loc_res.found)
+    {
+      return 0;
+    }
+  }
+  return 1;
+}
+

access.h

@@ -0,0 +1,29 @@
+#ifndef VSF_ACCESS_H
+#define VSF_ACCESS_H
+
+struct mystr;
+
+/* vsf_access_check_file()
+ * PURPOSE
+ * Check whether the current session has permission to access the given
+ * filename.
+ * PARAMETERS
+ * p_filename_str  - the filename to check access for
+ * RETURNS
+ * Returns 1 if access is granted, otherwise 0.
+ */
+int vsf_access_check_file(const struct mystr* p_filename_str);
+
+/* vsf_access_check_file_visible()
+ * PURPOSE
+ * Check whether the current session has permission to view the given
+ * filename in directory listings.
+ * PARAMETERS
+ * p_filename_str  - the filename to check visibility for
+ * RETURNS
+ * Returns 1 if the file should be visible, otherwise 0.
+ */
+int vsf_access_check_file_visible(const struct mystr* p_filename_str);
+
+#endif /* VSF_ACCESS_H */
+

ascii.c

@@ -0,0 +1,99 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * ascii.c
+ *
+ * Routines to handle ASCII mode tranfers. Yuk.
+ */
+
+#include "ascii.h"
+
+struct ascii_to_bin_ret
+vsf_ascii_ascii_to_bin(char* p_buf, unsigned int in_len, int prev_cr)
+{
+  /* Task: translate all \r\n into plain \n. A plain \r not followed by \n must
+   * not be removed.
+   */
+  struct ascii_to_bin_ret ret;
+  unsigned int indexx = 0;
+  unsigned int written = 0;
+  char* p_out = p_buf + 1;
+  ret.last_was_cr = 0;
+  if (prev_cr && (!in_len || p_out[0] != '\n'))
+  {
+    p_buf[0] = '\r';
+    ret.p_buf = p_buf;
+    written++;
+  }
+  else
+  {
+    ret.p_buf = p_out;
+  }
+  while (indexx < in_len)
+  {
+    char the_char = p_buf[indexx + 1];
+    if (the_char != '\r')
+    {
+      *p_out++ = the_char;
+      written++;
+    }
+    else if (indexx == in_len - 1)
+    {
+      ret.last_was_cr = 1;
+    }
+    else if (p_buf[indexx + 2] != '\n')
+    {
+      *p_out++ = the_char;
+      written++;
+    }
+    indexx++;
+  }
+  ret.stored = written;
+  return ret;
+}
+
+struct bin_to_ascii_ret
+vsf_ascii_bin_to_ascii(const char* p_in,
+                       char* p_out,
+                       unsigned int in_len,
+                       int prev_cr)
+{
+  /* Task: translate all \n not preceeded by \r into \r\n.
+   * Note that \r\n stays as \r\n. We used to map it to \r\r\n like wu-ftpd
+   * but have switched to leaving it, like the more popular proftpd.
+   */
+  struct bin_to_ascii_ret ret = { 0, 0 };
+  unsigned int indexx = 0;
+  unsigned int written = 0;
+  char last_char = 0;
+  if (prev_cr)
+  {
+    last_char = '\r';
+    ret.last_was_cr = 1;
+  }
+  while (indexx < in_len)
+  {
+    char the_char = p_in[indexx];
+    if (the_char == '\n' && last_char != '\r')
+    {
+      *p_out++ = '\r';
+      written++;
+    }
+    *p_out++ = the_char;
+    written++;
+    indexx++;
+    last_char = the_char;
+    if (the_char == '\r')
+    {
+      ret.last_was_cr = 1;
+    }
+    else
+    {
+      ret.last_was_cr = 0;
+    }
+  }
+  ret.stored = written;
+  return ret;
+}
+

ascii.h

@@ -0,0 +1,58 @@
+#ifndef VSFTP_ASCII_H
+#define VSFTP_ASCII_H
+
+struct mystr;
+
+/* vsf_ascii_ascii_to_bin()
+ * PURPOSE
+ * This function converts an input buffer from ascii format to binary format.
+ * This entails ripping out all occurences of '\r' that are followed by '\n'.
+ *  The result is stored in "p_out".
+ * PARAMETERS
+ * p_in         - the input and output buffer, which MUST BE at least as big as
+ *                "in_len" PLUS ONE. This is to cater for a leading '\r' in the
+ *                buffer if certain conditions are met.
+ * in_len       - the length in bytes of the  buffer.
+ * prev_cr      - set to non-zero if this buffer fragment was immediately
+ *                preceeded by a '\r'.
+ * RETURNS
+ * The number of characters stored in the buffer, the buffer address, and
+ * if we ended on a '\r'.
+ */
+struct ascii_to_bin_ret
+{
+  unsigned int stored;
+  int last_was_cr;
+  char* p_buf;
+};
+struct ascii_to_bin_ret vsf_ascii_ascii_to_bin(
+  char* p_in, unsigned int in_len, int prev_cr);
+
+/* vsf_ascii_bin_to_ascii()
+ * PURPOSE
+ * This function converts an input buffer from binary format to ascii format.
+ * This entails replacing all occurences of '\n' with '\r\n'. The result is
+ * stored in "p_out".
+ * PARAMETERS
+ * p_in         - the input buffer, which is not modified
+ * p_out        - the output buffer, which MUST BE at least TWICE as big as
+ *                "in_len"
+ * in_len       - the length in bytes of the input buffer
+ * prev_cr      - set to non-zero if this buffer fragment was immediately
+ *                preceeded by a '\r'.
+ * RETURNS
+ * The number of characters stored in the output buffer, and whether the last
+ * character stored was '\r'.
+ */
+struct bin_to_ascii_ret
+{
+  unsigned int stored;
+  int last_was_cr;
+};
+struct bin_to_ascii_ret vsf_ascii_bin_to_ascii(const char* p_in,
+                                               char* p_out,
+                                               unsigned int in_len,
+                                               int prev_cr);
+
+#endif /* VSFTP_ASCII_H */
+

banner.c

@@ -0,0 +1,79 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * banner.c
+ *
+ * Calls exposed to handle the junk a typical FTP server has to do upon
+ * entering a new directory (messages, etc), as well as general banner
+ * writing support.
+ */
+
+#include "banner.h"
+#include "strlist.h"
+#include "str.h"
+#include "sysstr.h"
+#include "tunables.h"
+#include "ftpcmdio.h"
+#include "filestr.h"
+#include "session.h"
+#include "sysutil.h"
+
+/* Definitions */
+#define VSFTP_MAX_VISIT_REMEMBER 100
+#define VSFTP_MAX_MSGFILE_SIZE 4000
+
+void
+vsf_banner_dir_changed(struct vsf_session* p_sess, int ftpcode)
+{
+  struct mystr dir_str = INIT_MYSTR;
+  /* Do nothing if .message support is off */
+  if (!tunable_dirmessage_enable)
+  {
+    return;
+  }
+  if (p_sess->p_visited_dir_list == 0)
+  {
+    struct mystr_list the_list = INIT_STRLIST;
+    p_sess->p_visited_dir_list = vsf_sysutil_malloc(sizeof(struct mystr_list));
+    *p_sess->p_visited_dir_list = the_list;
+  }
+  str_getcwd(&dir_str);
+  /* Do nothing if we already visited this directory */
+  if (!str_list_contains_str(p_sess->p_visited_dir_list, &dir_str))
+  {
+    /* Just in case, cap the max. no of visited directories we'll remember */
+    if (str_list_get_length(p_sess->p_visited_dir_list) <
+        VSFTP_MAX_VISIT_REMEMBER)
+    {
+      str_list_add(p_sess->p_visited_dir_list, &dir_str, 0);
+    }
+    /* If we have a .message file, squirt it out prepended by the ftpcode and
+     * the continuation mark '-'
+     */
+    {
+      struct mystr msg_file_str = INIT_MYSTR;
+      if (tunable_message_file)
+      {
+        (void) str_fileread(&msg_file_str, tunable_message_file,
+                            VSFTP_MAX_MSGFILE_SIZE);
+      }
+      vsf_banner_write(p_sess, &msg_file_str, ftpcode);
+      str_free(&msg_file_str);
+    }
+  }
+  str_free(&dir_str);
+}
+
+void
+vsf_banner_write(struct vsf_session* p_sess, struct mystr* p_str, int ftpcode)
+{
+  struct mystr msg_line_str = INIT_MYSTR;
+  unsigned int str_pos = 0;
+  while (str_getline(p_str, &msg_line_str, &str_pos))
+  {
+    vsf_cmdio_write_str_hyphen(p_sess, ftpcode, &msg_line_str);
+  }
+  str_free(&msg_line_str);
+}
+

banner.h

@@ -0,0 +1,33 @@
+#ifndef VSF_BANNER_H
+#define VSF_BANNER_H
+
+struct vsf_session;
+struct mystr;
+
+/* vsf_banner_dir_changed()
+ * PURPOSE
+ * This function, when called, will check if the current directory has just
+ * been entered for the first time in this session. If so, and message file
+ * support is on, a message file is looked for (default .message), and output
+ * to the FTP control connection with the FTP code prefix specified by
+ * "ftpcode".
+ * PARAMETERS
+ * p_sess         - the current FTP session object
+ * ftpcode        - the FTP code to show with the message
+ */
+void vsf_banner_dir_changed(struct vsf_session* p_sess, int ftpcode);
+
+/* vsf_banner_write()
+ * PURPOSE
+ * This function, when called, will write the specified string as a multiline
+ * FTP banner, using the specified FTP response code.
+ * PARAMETERS
+ * p_sess         - the current FTP session object
+ * p_str          - the string to write
+ * ftpcode        - the FTP code to show with the message
+ */
+void vsf_banner_write(struct vsf_session* p_sess, struct mystr* p_str,
+                      int ftpcode);
+
+#endif /* VSF_BANNER_H */
+

builddefs.h

@@ -0,0 +1,9 @@
+#ifndef VSF_BUILDDEFS_H
+#define VSF_BUILDDEFS_H
+
+#undef VSF_BUILD_TCPWRAPPERS
+#define VSF_BUILD_PAM
+#undef VSF_BUILD_SSL
+
+#endif /* VSF_BUILDDEFS_H */
+

defs.h

@@ -0,0 +1,24 @@
+#ifndef VSF_DEFS_H
+#define VSF_DEFS_H
+
+#define VSFTP_DEFAULT_CONFIG    "/etc/ftpz.conf"
+
+#define VSFTP_COMMAND_FD        0
+
+#define VSFTP_PASSWORD_MAX      128
+#define VSFTP_USERNAME_MAX      128
+#define VSFTP_MAX_COMMAND_LINE  4096
+#define VSFTP_DATA_BUFSIZE      65536
+#define VSFTP_DIR_BUFSIZE       16384
+#define VSFTP_MATCHITERS_MAX    1000
+#define VSFTP_PATH_MAX          4096
+#define VSFTP_CONF_FILE_MAX     100000
+#define VSFTP_LISTEN_BACKLOG    32
+#define VSFTP_SECURE_UMASK      077
+#define VSFTP_ROOT_UID          0
+/* Must be at least the size of VSFTP_MAX_COMMAND_LINE, VSFTP_DIR_BUFSIZE and
+   VSFTP_DATA_BUFSIZE*2 */
+#define VSFTP_PRIVSOCK_MAXSTR   VSFTP_DATA_BUFSIZE * 2
+#define VSFTP_AS_LIMIT          200UL * 1024 * 1024
+
+#endif /* VSF_DEFS_H */

dummyinc/crypt.h

@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_CRYPT_H
+#define VSF_DUMMYINC_CRYPT_H
+
+extern char* crypt(const char*, const char*);
+
+#endif /* VSF_DUMMYINC_CRYPT_H */
+

dummyinc/openssl/ssl.h

@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_SSL_H
+#define VSF_DUMMYINC_SSL_H
+
+#undef VSF_BUILD_SSL
+
+#endif /* VSF_DUMMYINC_SSL_H */
+

dummyinc/security/pam_appl.h

@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_PAM_APPL_H
+#define VSF_DUMMYINC_PAM_APPL_H
+
+#undef VSF_SYSDEP_HAVE_PAM
+
+#endif /* VSF_DUMMYINC_PAM_APPL_H */
+

dummyinc/shadow.h

@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_SHADOW_H
+#define VSF_DUMMYINC_SHADOW_H
+
+#undef VSF_SYSDEP_HAVE_SHADOW
+
+#endif /* VSF_DUMMYINC_SHADOW_H */
+

dummyinc/sys/capability.h

@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_CAPABILITY_H
+#define VSF_DUMMYINC_CAPABILITY_H
+
+#undef VSF_SYSDEP_HAVE_LIBCAP
+
+#endif /* VSF_DUMMYINC_CAPABILITY_H */
+

dummyinc/sys/prctl.h

@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_PRCTL_H
+#define VSF_DUMMYINC_PRCTL_H
+
+/* Deliberate nothing; we're just avoiding a compile error. */
+
+#endif /* VSF_DUMMYINC_PRCTL_H */
+

dummyinc/sys/sendfile.h

@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_SENDFILE_H
+#define VSF_DUMMYINC_SENDFILE_H
+
+#undef VSF_SYSDEP_HAVE_SOLARIS_SENDFILE
+
+#endif /* VSF_DUMMYINC_SENDFILE_H */
+

dummyinc/utmpx.h

@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_UTMPX_H
+#define VSF_DUMMYINC_UTMPX_H
+
+#undef VSF_SYSDEP_HAVE_UTMPX
+
+#endif /* VSF_DUMMYINC_UTMPX_H */
+

features.c

@@ -0,0 +1,54 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * features.c
+ *
+ * Routines to tell the client what features we support.
+ */
+
+#include "features.h"
+#include "ftpcodes.h"
+#include "ftpcmdio.h"
+#include "tunables.h"
+
+void
+handle_feat(struct vsf_session* p_sess)
+{
+  vsf_cmdio_write_hyphen(p_sess, FTP_FEAT, "Features:");
+  if (tunable_ssl_enable)
+  {
+    if (tunable_sslv2 || tunable_sslv3)
+    {
+      vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
+    }
+    if (tunable_tlsv1)
+    {
+      vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
+    }
+  }
+  if (tunable_port_enable)
+  {
+    vsf_cmdio_write_raw(p_sess, " EPRT\r\n");
+  }
+  if (tunable_pasv_enable)
+  {
+    vsf_cmdio_write_raw(p_sess, " EPSV\r\n");
+  }
+  vsf_cmdio_write_raw(p_sess, " MDTM\r\n");
+  if (tunable_pasv_enable)
+  {
+    vsf_cmdio_write_raw(p_sess, " PASV\r\n");
+  }
+  if (tunable_ssl_enable)
+  {
+    vsf_cmdio_write_raw(p_sess, " PBSZ\r\n");
+    vsf_cmdio_write_raw(p_sess, " PROT\r\n");
+  }
+  vsf_cmdio_write_raw(p_sess, " REST STREAM\r\n");
+  vsf_cmdio_write_raw(p_sess, " SIZE\r\n");
+  vsf_cmdio_write_raw(p_sess, " TVFS\r\n");
+  vsf_cmdio_write_raw(p_sess, " UTF8\r\n");
+  vsf_cmdio_write(p_sess, FTP_FEAT, "End");
+}
+

features.h

@@ -0,0 +1,9 @@
+#ifndef VSF_FEATURES_H
+#define VSF_FEATURES_H
+
+struct vsf_session;
+
+void handle_feat(struct vsf_session* p_sess);
+
+#endif /* VSF_FEATURES_H */
+

filesize.h

@@ -0,0 +1,7 @@
+#ifndef VSF_FILESIZE_H
+#define VSF_FILESIZE_H
+
+typedef long long filesize_t;
+
+#endif /* VSF_FILESIZE_H */
+

filestr.c

@@ -0,0 +1,61 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * filestr.c
+ *
+ * This file contains extensions to the string/buffer API, to load a file
+ * into a buffer. 
+ */
+
+#include "filestr.h"
+/* Get access to "private" functions */
+#define VSFTP_STRING_HELPER
+#include "str.h"
+#include "sysutil.h"
+#include "secbuf.h"
+#include "utility.h"
+
+int
+str_fileread(struct mystr* p_str, const char* p_filename, unsigned int maxsize)
+{
+  int fd;
+  int retval = 0;
+  filesize_t size;
+  char* p_sec_buf = 0;
+  struct vsf_sysutil_statbuf* p_stat = 0;
+  /* In case we fail, make sure we return an empty string */
+  str_empty(p_str);
+  fd = vsf_sysutil_open_file(p_filename, kVSFSysUtilOpenReadOnly);
+  if (vsf_sysutil_retval_is_error(fd))
+  {
+    return fd;
+  }
+  vsf_sysutil_fstat(fd, &p_stat);
+  if (vsf_sysutil_statbuf_is_regfile(p_stat))
+  {
+    size = vsf_sysutil_statbuf_get_size(p_stat);
+    if (size > maxsize)
+    {
+      size = maxsize;
+    }
+    vsf_secbuf_alloc(&p_sec_buf, (unsigned int) size);
+
+    retval = vsf_sysutil_read_loop(fd, p_sec_buf, (unsigned int) size);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      goto free_out;
+    }
+    else if ((unsigned int) retval != size)
+    {
+      die("read size mismatch");
+    }
+    str_alloc_memchunk(p_str, p_sec_buf, (unsigned int) size);
+  }
+free_out:
+  vsf_sysutil_free(p_stat);
+  vsf_secbuf_free(&p_sec_buf);
+  vsf_sysutil_close(fd);
+  return retval;
+}
+

filestr.h

@@ -0,0 +1,26 @@
+#ifndef VSF_FILESTR_H
+#define VSF_FILESTR_H
+
+/* Forward declares */
+struct mystr;
+
+/* str_fileread()
+ * PURPOSE
+ * Read the contents of a file into a string buffer, up to a size limit of
+ * "maxsize"
+ * PARAMETERS
+ * p_str        - destination buffer object to contain the file
+ * p_filename   - the filename to try and read into the buffer
+ * maxsize      - the maximum amount of buffer we will fill. Larger files will
+ *                be truncated.
+ * RETURNS
+ * An integer representing the success/failure of opening the file
+ * "p_filename". Zero indicates success. If successful, the file is read into
+ * the "p_str" string object. If not successful, "p_str" will point to an
+ * empty buffer.
+ */
+int str_fileread(struct mystr* p_str, const char* p_filename,
+                 unsigned int maxsize);
+
+#endif /* VSF_FILESTR_H */
+

ftpcmdio.c

@@ -0,0 +1,248 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * ftpcmdio.c
+ *
+ * Routines applicable to reading and writing the FTP command stream.
+ */
+
+#include "ftpcmdio.h"
+#include "ftpcodes.h"
+#include "str.h"
+#include "netstr.h"
+#include "sysutil.h"
+#include "tunables.h"
+#include "defs.h"
+#include "secbuf.h"
+#include "utility.h"
+#include "logging.h"
+#include "session.h"
+#include "readwrite.h"
+
+/* Internal functions */
+static int control_getline(struct mystr* p_str, struct vsf_session* p_sess);
+static void ftp_write_text_common(struct vsf_session* p_sess, int status,
+                                  const char* p_text, char sep);
+static void ftp_write_str_common(struct vsf_session* p_sess, int status,
+                                 char sep, const struct mystr* p_str);
+static void handle_alarm_timeout(void* p_private);
+
+void
+vsf_cmdio_sock_setup(void)
+{
+  vsf_sysutil_activate_keepalive(VSFTP_COMMAND_FD);
+  vsf_sysutil_set_nodelay(VSFTP_COMMAND_FD);
+  vsf_sysutil_activate_oobinline(VSFTP_COMMAND_FD);
+}
+
+static void
+handle_alarm_timeout(void* p_private)
+{
+  struct vsf_session* p_sess = (struct vsf_session*) p_private;
+  p_sess->idle_timeout = 1;
+  vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
+  vsf_sysutil_shutdown_read_failok(VSFTP_COMMAND_FD);
+}
+
+void
+vsf_cmdio_write(struct vsf_session* p_sess, int status, const char* p_text)
+{
+  ftp_write_text_common(p_sess, status, p_text, ' ');
+}
+
+void
+vsf_cmdio_write_hyphen(struct vsf_session* p_sess, int status,
+                       const char* p_text)
+{
+  ftp_write_text_common(p_sess, status, p_text, '-');
+}
+
+void
+vsf_cmdio_write_raw(struct vsf_session* p_sess, const char* p_text)
+{
+  static struct mystr s_the_str;
+  int retval;
+  str_alloc_text(&s_the_str, p_text);
+  if (tunable_log_ftp_protocol)
+  {
+    vsf_log_line(p_sess, kVSFLogEntryFTPOutput, &s_the_str);
+  }
+  retval = ftp_write_str(p_sess, &s_the_str, kVSFRWControl);
+  if (retval != 0)
+  {
+    die("ftp_write_str");
+  }
+}
+
+void
+vsf_cmdio_write_exit(struct vsf_session* p_sess, int status, const char* p_text,
+                     int exit_val)
+{
+  /* Unblock any readers on the dying control channel. This is needed for SSL
+   * connections, where the SSL control channel slave is in a separate
+   * process.
+   */
+  vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
+  vsf_sysutil_shutdown_read_failok(VSFTP_COMMAND_FD);
+  vsf_cmdio_write(p_sess, status, p_text);
+  vsf_sysutil_shutdown_failok(VSFTP_COMMAND_FD);
+  vsf_sysutil_exit(exit_val);
+}
+
+static void
+ftp_write_text_common(struct vsf_session* p_sess, int status,
+                      const char* p_text, char sep)
+{
+  /* XXX - could optimize */
+  static struct mystr s_the_str;
+  str_alloc_text(&s_the_str, p_text);
+  ftp_write_str_common(p_sess, status, sep, &s_the_str);
+}
+
+void
+vsf_cmdio_write_str_hyphen(struct vsf_session* p_sess, int status,
+                           const struct mystr* p_str)
+{
+  ftp_write_str_common(p_sess, status, '-', p_str);
+}
+
+void
+vsf_cmdio_write_str(struct vsf_session* p_sess, int status,
+                    const struct mystr* p_str)
+{
+  ftp_write_str_common(p_sess, status, ' ', p_str);
+}
+
+static void
+ftp_write_str_common(struct vsf_session* p_sess, int status, char sep,
+                     const struct mystr* p_str)
+{
+  static struct mystr s_write_buf_str;
+  static struct mystr s_text_mangle_str;
+  int retval;
+  if (tunable_log_ftp_protocol)
+  {
+    str_alloc_ulong(&s_write_buf_str, (unsigned long) status);
+    str_append_char(&s_write_buf_str, sep);
+    str_append_str(&s_write_buf_str, p_str);
+    vsf_log_line(p_sess, kVSFLogEntryFTPOutput, &s_write_buf_str);
+  }
+  str_copy(&s_text_mangle_str, p_str);
+  /* Process the output response according to the specifications.. */
+  /* Escape telnet characters properly */
+  str_replace_text(&s_text_mangle_str, "\377", "\377\377");
+  /* Change \n for \0 in response */
+  str_replace_char(&s_text_mangle_str, '\n', '\0');
+  /* Build string to squirt down network */
+  str_alloc_ulong(&s_write_buf_str, (unsigned long) status);
+  str_append_char(&s_write_buf_str, sep);
+  str_append_str(&s_write_buf_str, &s_text_mangle_str);
+  str_append_text(&s_write_buf_str, "\r\n");
+  retval = ftp_write_str(p_sess, &s_write_buf_str, kVSFRWControl);
+  if (retval != 0)
+  {
+    die("ftp_write");
+  }
+}
+
+void
+vsf_cmdio_set_alarm(struct vsf_session* p_sess)
+{
+  if (tunable_idle_session_timeout > 0)
+  {
+    vsf_sysutil_install_sighandler(kVSFSysUtilSigALRM,
+                                   handle_alarm_timeout,
+                                   p_sess,
+                                   1);
+    vsf_sysutil_set_alarm(tunable_idle_session_timeout);
+  }
+}
+
+void
+vsf_cmdio_get_cmd_and_arg(struct vsf_session* p_sess, struct mystr* p_cmd_str,
+                          struct mystr* p_arg_str, int set_alarm)
+{
+  int ret;
+  /* Prepare an alarm to timeout the session.. */
+  if (set_alarm)
+  {
+    vsf_cmdio_set_alarm(p_sess);
+  }
+  /* Blocks */
+  ret = control_getline(p_cmd_str, p_sess);
+  if (p_sess->idle_timeout)
+  {
+    vsf_cmdio_write_exit(p_sess, FTP_IDLE_TIMEOUT, "Timeout.", 1);
+  }
+  if (ret == 0)
+  {
+    /* Remote end hung up without a polite QUIT. The shutdown is to make
+     * sure buggy clients don't ever see an OOPS message.
+     */
+    vsf_sysutil_shutdown_failok(VSFTP_COMMAND_FD);
+    vsf_sysutil_exit(1);
+  }
+  /* View a single space as a command of " ", which although a useless command,
+   * permits the caller to distinguish input of "" from " ".
+   */
+  if (str_getlen(p_cmd_str) == 1 && str_get_char_at(p_cmd_str, 0) == ' ')
+  {
+    str_empty(p_arg_str);
+  }
+  else
+  {
+    str_split_char(p_cmd_str, p_arg_str, ' ');
+  }
+  str_upper(p_cmd_str);
+  if (tunable_log_ftp_protocol)
+  {
+    static struct mystr s_log_str;
+    if (str_equal_text(p_cmd_str, "PASS"))
+    {
+      str_alloc_text(&s_log_str, "PASS <password>");
+    }
+    else
+    {
+      str_copy(&s_log_str, p_cmd_str);
+      if (!str_isempty(p_arg_str))
+      {
+        str_append_char(&s_log_str, ' ');
+        str_append_str(&s_log_str, p_arg_str);
+      }
+    }
+    vsf_log_line(p_sess, kVSFLogEntryFTPInput, &s_log_str);
+  }
+}
+
+static int
+control_getline(struct mystr* p_str, struct vsf_session* p_sess)
+{
+  int ret;
+  if (p_sess->p_control_line_buf == 0)
+  {
+    vsf_secbuf_alloc(&p_sess->p_control_line_buf, VSFTP_MAX_COMMAND_LINE);
+  }
+  ret = ftp_getline(p_sess, p_str, p_sess->p_control_line_buf);
+  if (ret == 0)
+  {
+    return ret;
+  }
+  else if (ret < 0)
+  {
+    vsf_cmdio_write_exit(p_sess, FTP_BADCMD, "Input line too long.", 1);
+  }
+  /* As mandated by the FTP specifications.. */
+  str_replace_char(p_str, '\0', '\n');
+  /* If the last character is a \r, strip it */
+  {
+    unsigned int len = str_getlen(p_str);
+    while (len > 0 && str_get_char_at(p_str, len - 1) == '\r')
+    {
+      str_trunc(p_str, len - 1);
+      --len;
+    }
+  }
+  return 1;
+}
+

ftpcmdio.h

@@ -0,0 +1,97 @@
+#ifndef VSF_FTPCMDIO_H
+#define VSF_FTPCMDIO_H
+
+struct mystr;
+struct vsf_session;
+
+/* vsf_cmdio_sock_setup()
+ * PURPOSE
+ * Initialise a few socket settings (keepalive, nonagle, etc). on the FTP
+ * control connection.
+ */
+void vsf_cmdio_sock_setup(void);
+
+/* vsf_cmdio_write()
+ * PURPOSE
+ * Write a response to the FTP control connection.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * status       - the status code to report
+ * p_text       - the text to report
+ */
+void vsf_cmdio_write(struct vsf_session* p_sess, int status,
+                     const char* p_text);
+
+/* vsf_cmdio_write_hyphen()
+ * PURPOSE
+ * Write a response to the FTP control connection, with a hyphen '-'
+ * continuation indicator.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * status       - the status code to report
+ * p_text       - the text to report
+ */
+void vsf_cmdio_write_hyphen(struct vsf_session* p_sess, int status,
+                            const char* p_text);
+
+/* vsf_cmdio_write_raw()
+ * PURPOSE
+ * Write a raw response to the FTP control connection. A status code is
+ * not prepended, and it is also the client's responsibility to include
+ * newline characters if required.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * p_text       - the text to report
+ */
+void vsf_cmdio_write_raw(struct vsf_session* p_sess, const char* p_text);
+
+/* vsf_cmdio_write_exit()
+ * PURPOSE
+ * The same as vsf_cmdio_write(), and then the calling process is exited. The
+ * write is _guaranteed_ to not block (ditching output if neccessary).
+ */
+void vsf_cmdio_write_exit(struct vsf_session* p_sess, int status,
+                          const char* p_text, int exit_val);
+
+/* vsf_cmdio_write_str()
+ * PURPOSE
+ * The same as vsf_cmdio_write(), apart from the text is specified as a
+ * string buffer object "p_str".
+ */
+void vsf_cmdio_write_str(struct vsf_session* p_sess, int status,
+                         const struct mystr* p_str);
+
+/* vsf_cmdio_write_str_hyphen()
+ * PURPOSE
+ * The same as vsf_cmdio_write_str(), apart from the response line is
+ * output with the continuation indicator '-' between the response code and
+ * the response text. This indicates there are more lines of response.
+ */
+void vsf_cmdio_write_str_hyphen(struct vsf_session* p_sess, int status,
+                                const struct mystr* p_str);
+
+/* vsf_cmdio_set_alarm()
+ * PURPOSE
+ * Activate the control connection inactivity timeout. This is explicitly
+ * exposed in the API so that we can play it safe, and activate the alarm
+ * before _any_ potentially blocking calls.
+ * PARAMETERS
+ * p_sess       - The current session object
+ */
+void vsf_cmdio_set_alarm(struct vsf_session* p_sess);
+
+/* vsf_cmdio_get_cmd_and_arg()
+ * PURPOSE
+ * Read an FTP command (and optional argument) from the FTP control connection.
+ * PARAMETERS
+ * p_sess       - The current session object
+ * p_cmd_str    - Where to put the FTP command string (may be empty)
+ * p_arg_str    - Where to put the FTP argument string (may be empty)
+ * set_alarm    - If true, the control connection inactivity monitor is used
+ */
+void vsf_cmdio_get_cmd_and_arg(struct vsf_session* p_sess,
+                               struct mystr* p_cmd_str,
+                               struct mystr* p_arg_str, int set_alarm);
+
+#endif /* VSF_FTPCMDIO_H */
+

ftpcodes.h

@@ -0,0 +1,77 @@
+#ifndef VSF_FTPCODES_H
+#define VSF_FTPCODES_H
+
+#define FTP_DATACONN          150
+
+#define FTP_NOOPOK            200
+#define FTP_TYPEOK            200
+#define FTP_PORTOK            200
+#define FTP_EPRTOK            200
+#define FTP_UMASKOK           200
+#define FTP_CHMODOK           200
+#define FTP_EPSVALLOK         200
+#define FTP_STRUOK            200
+#define FTP_MODEOK            200
+#define FTP_PBSZOK            200
+#define FTP_PROTOK            200
+#define FTP_OPTSOK            200
+#define FTP_ALLOOK            202
+#define FTP_FEAT              211
+#define FTP_STATOK            211
+#define FTP_SIZEOK            213
+#define FTP_MDTMOK            213
+#define FTP_STATFILE_OK       213
+#define FTP_SITEHELP          214
+#define FTP_HELP              214
+#define FTP_SYSTOK            215
+#define FTP_GREET             220
+#define FTP_GOODBYE           221
+#define FTP_ABOR_NOCONN       225
+#define FTP_TRANSFEROK        226
+#define FTP_ABOROK            226
+#define FTP_PASVOK            227
+#define FTP_EPSVOK            229
+#define FTP_LOGINOK           230
+#define FTP_AUTHOK            234
+#define FTP_CWDOK             250
+#define FTP_RMDIROK           250
+#define FTP_DELEOK            250
+#define FTP_RENAMEOK          250
+#define FTP_PWDOK             257
+#define FTP_MKDIROK           257
+
+#define FTP_GIVEPWORD         331
+#define FTP_RESTOK            350
+#define FTP_RNFROK            350
+
+#define FTP_IDLE_TIMEOUT      421
+#define FTP_DATA_TIMEOUT      421
+#define FTP_TOO_MANY_USERS    421
+#define FTP_IP_LIMIT          421
+#define FTP_IP_DENY           421
+#define FTP_TLS_FAIL          421
+#define FTP_BADSENDCONN       425
+#define FTP_BADSENDNET        426
+#define FTP_BADSENDFILE       451
+
+#define FTP_BADCMD            500
+#define FTP_BADOPTS           501
+#define FTP_COMMANDNOTIMPL    502
+#define FTP_NEEDUSER          503
+#define FTP_NEEDRNFR          503
+#define FTP_BADPBSZ           503
+#define FTP_BADPROT           503
+#define FTP_BADSTRU           504
+#define FTP_BADMODE           504
+#define FTP_BADAUTH           504
+#define FTP_NOSUCHPROT        504
+#define FTP_NEEDENCRYPT       522
+#define FTP_EPSVBAD           522
+#define FTP_DATATLSBAD        522
+#define FTP_LOGINERR          530
+#define FTP_NOHANDLEPROT      536
+#define FTP_FILEFAIL          550
+#define FTP_NOPERM            550
+#define FTP_UPLOADFAIL        553
+
+#endif /* VSF_FTPCODES_H */

ftpdataio.c

@@ -0,0 +1,659 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * ftpdataio.c
+ *
+ * Code to handle FTP data connections. This includes both PORT (server
+ * connects) and PASV (client connects) modes of data transfer. This
+ * includes sends and receives, files and directories.
+ */
+
+#include "ftpdataio.h"
+#include "session.h"
+#include "ftpcmdio.h"
+#include "ftpcodes.h"
+#include "utility.h"
+#include "tunables.h"
+#include "defs.h"
+#include "str.h"
+#include "strlist.h"
+#include "sysutil.h"
+#include "logging.h"
+#include "secbuf.h"
+#include "sysstr.h"
+#include "sysdeputil.h"
+#include "ascii.h"
+#include "oneprocess.h"
+#include "twoprocess.h"
+#include "ls.h"
+#include "ssl.h"
+#include "readwrite.h"
+#include "privsock.h"
+
+static void init_data_sock_params(struct vsf_session* p_sess, int sock_fd);
+static filesize_t calc_num_send(int file_fd, filesize_t init_offset);
+static struct vsf_transfer_ret do_file_send_sendfile(
+  struct vsf_session* p_sess, int net_fd, int file_fd,
+  filesize_t curr_file_offset, filesize_t bytes_to_send);
+static struct vsf_transfer_ret do_file_send_rwloop(
+  struct vsf_session* p_sess, int file_fd, int is_ascii);
+static struct vsf_transfer_ret do_file_recv(
+  struct vsf_session* p_sess, int file_fd, int is_ascii);
+static void handle_sigalrm(void* p_private);
+static void start_data_alarm(struct vsf_session* p_sess);
+static void handle_io(int retval, int fd, void* p_private);
+static int transfer_dir_internal(
+  struct vsf_session* p_sess, int is_control, struct vsf_sysutil_dir* p_dir,
+  const struct mystr* p_base_dir_str, const struct mystr* p_option_str,
+  const struct mystr* p_filter_str, int is_verbose);
+static int write_dir_list(struct vsf_session* p_sess,
+                          struct mystr_list* p_dir_list,
+                          enum EVSFRWTarget target);
+static unsigned int get_chunk_size();
+
+int
+vsf_ftpdataio_dispose_transfer_fd(struct vsf_session* p_sess)
+{
+  int dispose_ret = 1;
+  int retval;
+  if (p_sess->data_fd == -1)
+  {
+    bug("no data descriptor in vsf_ftpdataio_dispose_transfer_fd");
+  }
+  vsf_sysutil_uninstall_io_handler();
+  if (p_sess->data_use_ssl && p_sess->ssl_slave_active)
+  {
+    char result;
+    start_data_alarm(p_sess);
+    priv_sock_send_cmd(p_sess->ssl_consumer_fd, PRIV_SOCK_DO_SSL_CLOSE);
+    result = priv_sock_get_result(p_sess->ssl_consumer_fd);
+    if (result != PRIV_SOCK_RESULT_OK)
+    {
+      dispose_ret = 0;
+    }
+  }
+  else if (p_sess->p_data_ssl)
+  {
+    start_data_alarm(p_sess);
+    dispose_ret = ssl_data_close(p_sess);
+  }
+  if (!p_sess->abor_received && !p_sess->data_timeout && dispose_ret == 1)
+  {
+    /* If we didn't get a failure, linger on the close() in order to get more
+     * accurate transfer times.
+     */
+    start_data_alarm(p_sess);
+    vsf_sysutil_activate_linger(p_sess->data_fd);
+  }
+  /* This close() blocks because we set SO_LINGER */
+  retval = vsf_sysutil_close_failok(p_sess->data_fd);
+  if (vsf_sysutil_retval_is_error(retval))
+  {
+    /* Do it again without blocking. */
+    vsf_sysutil_deactivate_linger_failok(p_sess->data_fd);
+    (void) vsf_sysutil_close_failok(p_sess->data_fd);
+  }
+  p_sess->data_fd = -1;
+  if (tunable_data_connection_timeout > 0)
+  {
+    vsf_sysutil_clear_alarm();
+  }
+  if (p_sess->abor_received || p_sess->data_timeout)
+  {
+    dispose_ret = 0;
+  }
+  return dispose_ret;
+}
+
+int
+vsf_ftpdataio_get_pasv_fd(struct vsf_session* p_sess)
+{
+  int remote_fd;
+  if (tunable_one_process_model)
+  {
+    remote_fd = vsf_one_process_get_pasv_fd(p_sess);
+  }
+  else
+  {
+    remote_fd = vsf_two_process_get_pasv_fd(p_sess);
+  }
+  /* Yes, yes, hardcoded bad I know. */
+  if (remote_fd == -1)
+  {
+    vsf_cmdio_write(p_sess, FTP_BADSENDCONN,
+                    "Failed to establish connection.");
+    return remote_fd;
+  }
+  else if (remote_fd == -2)
+  {
+    vsf_cmdio_write(p_sess, FTP_BADSENDCONN, "Security: Bad IP connecting.");
+    return -1;
+  }
+  init_data_sock_params(p_sess, remote_fd);
+  return remote_fd;
+}
+
+int
+vsf_ftpdataio_get_port_fd(struct vsf_session* p_sess)
+{
+  int remote_fd;
+  if (tunable_one_process_model || tunable_port_promiscuous)
+  {
+    remote_fd = vsf_one_process_get_priv_data_sock(p_sess);
+  }
+  else
+  {
+    remote_fd = vsf_two_process_get_priv_data_sock(p_sess);
+  }
+  if (vsf_sysutil_retval_is_error(remote_fd))
+  {
+    vsf_cmdio_write(p_sess, FTP_BADSENDCONN,
+                    "Failed to establish connection.");
+    return -1;
+  }
+  init_data_sock_params(p_sess, remote_fd);
+  return remote_fd;
+}
+
+int
+vsf_ftpdataio_post_mark_connect(struct vsf_session* p_sess)
+{
+  int ret = 0;
+  if (!p_sess->data_use_ssl)
+  {
+    return 1;
+  }
+  if (!p_sess->ssl_slave_active)
+  {
+    ret = ssl_accept(p_sess, p_sess->data_fd);
+  }
+  else
+  {
+    int sock_ret;
+    priv_sock_send_cmd(p_sess->ssl_consumer_fd, PRIV_SOCK_DO_SSL_HANDSHAKE);
+    priv_sock_send_fd(p_sess->ssl_consumer_fd, p_sess->data_fd);
+    sock_ret = priv_sock_get_result(p_sess->ssl_consumer_fd);
+    if (sock_ret == PRIV_SOCK_RESULT_OK)
+    {
+      ret = 1;
+    }
+  }
+  if (ret != 1)
+  {
+    if (tunable_require_ssl_reuse)
+    {
+      vsf_cmdio_write_exit(p_sess, FTP_DATATLSBAD,
+                           "SSL connection failed: session reuse required", 1);
+    } else {
+      vsf_cmdio_write(p_sess, FTP_DATATLSBAD, "SSL connection failed");
+    }
+  }
+  return ret;
+}
+
+static void
+handle_sigalrm(void* p_private)
+{
+  struct vsf_session* p_sess = (struct vsf_session*) p_private;
+  if (!p_sess->data_progress)
+  {
+    p_sess->data_timeout = 1;
+    vsf_sysutil_shutdown_failok(p_sess->data_fd);
+    vsf_sysutil_shutdown_read_failok(VSFTP_COMMAND_FD);
+    vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
+  }
+  else
+  {
+    p_sess->data_progress = 0;
+    start_data_alarm(p_sess);
+  }
+}
+
+void
+start_data_alarm(struct vsf_session* p_sess)
+{
+  if (tunable_data_connection_timeout > 0)
+  {
+    vsf_sysutil_install_sighandler(kVSFSysUtilSigALRM,
+                                   handle_sigalrm,
+                                   p_sess,
+                                   1);
+    vsf_sysutil_set_alarm(tunable_data_connection_timeout);
+  }
+  else if (tunable_idle_session_timeout > 0)
+  {
+    vsf_sysutil_clear_alarm();
+  }
+}
+
+static void
+init_data_sock_params(struct vsf_session* p_sess, int sock_fd)
+{
+  if (p_sess->data_fd != -1)
+  {
+    bug("data descriptor still present in init_data_sock_params");
+  }
+  p_sess->data_fd = sock_fd;
+  p_sess->data_progress = 0;
+  vsf_sysutil_activate_keepalive(sock_fd);
+  /* And in the vague hope it might help... */
+  vsf_sysutil_set_iptos_throughput(sock_fd);
+  /* Start the timeout monitor */
+  vsf_sysutil_install_io_handler(handle_io, p_sess);
+  start_data_alarm(p_sess);
+}
+
+static void
+handle_io(int retval, int fd, void* p_private)
+{
+  long curr_sec;
+  long curr_usec;
+  unsigned int bw_rate;
+  double elapsed;
+  double pause_time;
+  double rate_ratio;
+  struct vsf_session* p_sess = (struct vsf_session*) p_private;
+  if (p_sess->data_fd != fd || vsf_sysutil_retval_is_error(retval) ||
+      retval == 0)
+  {
+    return;
+  }
+  /* Note that the session hasn't stalled, i.e. don't time it out */
+  p_sess->data_progress = 1;
+  /* Apply bandwidth quotas via a little pause, if necessary */
+  if (p_sess->bw_rate_max == 0)
+  {
+    return;
+  }
+  /* Calculate bandwidth rate */
+  curr_sec = vsf_sysutil_get_time_sec();
+  curr_usec = vsf_sysutil_get_time_usec();
+  elapsed = (double) (curr_sec - p_sess->bw_send_start_sec);
+  elapsed += (double) (curr_usec - p_sess->bw_send_start_usec) /
+             (double) 1000000;
+  if (elapsed <= (double) 0)
+  {
+    elapsed = (double) 0.01;
+  }
+  bw_rate = (unsigned int) ((double) retval / elapsed);
+  if (bw_rate <= p_sess->bw_rate_max)
+  {
+    p_sess->bw_send_start_sec = curr_sec;
+    p_sess->bw_send_start_usec = curr_usec;
+    return;
+  }
+  /* Tut! Rate exceeded, calculate a pause to bring things back into line */
+  rate_ratio = (double) bw_rate / (double) p_sess->bw_rate_max;
+  pause_time = (rate_ratio - (double) 1) * elapsed;
+  vsf_sysutil_sleep(pause_time);
+  p_sess->bw_send_start_sec = vsf_sysutil_get_time_sec();
+  p_sess->bw_send_start_usec = vsf_sysutil_get_time_usec();
+}
+
+int
+vsf_ftpdataio_transfer_dir(struct vsf_session* p_sess, int is_control,
+                           struct vsf_sysutil_dir* p_dir,
+                           const struct mystr* p_base_dir_str,
+                           const struct mystr* p_option_str,
+                           const struct mystr* p_filter_str,
+                           int is_verbose)
+{
+  return transfer_dir_internal(p_sess, is_control, p_dir, p_base_dir_str,
+                               p_option_str, p_filter_str, is_verbose);
+}
+
+static int
+transfer_dir_internal(struct vsf_session* p_sess, int is_control,
+                      struct vsf_sysutil_dir* p_dir,
+                      const struct mystr* p_base_dir_str,
+                      const struct mystr* p_option_str,
+                      const struct mystr* p_filter_str,
+                      int is_verbose)
+{
+  struct mystr_list dir_list = INIT_STRLIST;
+  struct mystr_list subdir_list = INIT_STRLIST;
+  struct mystr dir_prefix_str = INIT_MYSTR;
+  struct mystr_list* p_subdir_list = 0;
+  struct str_locate_result loc_result = str_locate_char(p_option_str, 'R');
+  int failed = 0;
+  enum EVSFRWTarget target = kVSFRWData;
+  if (is_control)
+  {
+    target = kVSFRWControl;
+  }
+  if (loc_result.found && tunable_ls_recurse_enable)
+  {
+    p_subdir_list = &subdir_list;
+  }
+  vsf_ls_populate_dir_list(&dir_list, p_subdir_list, p_dir, p_base_dir_str,
+                           p_option_str, p_filter_str, is_verbose);
+  if (p_subdir_list)
+  {
+    int retval;
+    str_copy(&dir_prefix_str, p_base_dir_str);
+    str_append_text(&dir_prefix_str, ":\r\n");
+    retval = ftp_write_str(p_sess, &dir_prefix_str, target);
+    if (retval != 0)
+    {
+      failed = 1;
+    }
+  }
+  if (!failed)
+  {
+    failed = write_dir_list(p_sess, &dir_list, target);
+  }
+  /* Recurse into the subdirectories if required... */
+  if (!failed)
+  {
+    struct mystr sub_str = INIT_MYSTR;
+    unsigned int num_subdirs = str_list_get_length(&subdir_list);
+    unsigned int subdir_index;
+    for (subdir_index = 0; subdir_index < num_subdirs; subdir_index++)
+    {
+      int retval;
+      struct vsf_sysutil_dir* p_subdir;
+      const struct mystr* p_subdir_str = 
+        str_list_get_pstr(&subdir_list, subdir_index);
+      if (str_equal_text(p_subdir_str, ".") ||
+          str_equal_text(p_subdir_str, ".."))
+      {
+        continue;
+      }
+      str_copy(&sub_str, p_base_dir_str);
+      str_append_char(&sub_str, '/');
+      str_append_str(&sub_str, p_subdir_str);
+      p_subdir = str_opendir(&sub_str);
+      if (p_subdir == 0)
+      {
+        /* Unreadable, gone missing, etc. - no matter */
+        continue;
+      }
+      str_alloc_text(&dir_prefix_str, "\r\n");
+      retval = ftp_write_str(p_sess, &dir_prefix_str, target);
+      if (retval != 0)
+      {
+        failed = 1;
+        vsf_sysutil_closedir(p_subdir);
+        break;
+      }
+      retval = transfer_dir_internal(p_sess, is_control, p_subdir, &sub_str,
+                                     p_option_str, p_filter_str, is_verbose);
+      vsf_sysutil_closedir(p_subdir);
+      if (retval != 0)
+      {
+        failed = 1;
+        break;
+      }
+    }
+    str_free(&sub_str);
+  }
+  str_list_free(&dir_list);
+  str_list_free(&subdir_list);
+  str_free(&dir_prefix_str);
+  if (!failed)
+  {
+    return 0;
+  }
+  else
+  {
+    return -1;
+  }
+}
+
+/* XXX - really, this should be refactored into a "buffered writer" object */
+static int
+write_dir_list(struct vsf_session* p_sess, struct mystr_list* p_dir_list,
+               enum EVSFRWTarget target)
+{
+  /* This function writes out a list of strings to the client, over the
+   * data socket. We now coalesce the strings into fewer write() syscalls,
+   * which saved 33% CPU time writing a large directory.
+   */
+  int retval = 0;
+  unsigned int dir_index_max = str_list_get_length(p_dir_list);
+  unsigned int dir_index;
+  struct mystr buf_str = INIT_MYSTR;
+  str_reserve(&buf_str, VSFTP_DIR_BUFSIZE);
+  for (dir_index = 0; dir_index < dir_index_max; dir_index++)
+  {
+    str_append_str(&buf_str, str_list_get_pstr(p_dir_list, dir_index));
+    if (dir_index == dir_index_max - 1 ||
+        str_getlen(&buf_str) +
+          str_getlen(str_list_get_pstr(p_dir_list, dir_index + 1)) >
+            VSFTP_DIR_BUFSIZE)
+    {
+      /* Writeout needed - we're either at the end, or we filled the buffer */
+      int writeret = ftp_write_str(p_sess, &buf_str, target);
+      if (writeret != 0)
+      {
+        retval = 1;
+        break;
+      }
+      str_empty(&buf_str);
+    }
+  }
+  str_free(&buf_str);
+  return retval;
+}
+
+struct vsf_transfer_ret
+vsf_ftpdataio_transfer_file(struct vsf_session* p_sess, int remote_fd,
+                            int file_fd, int is_recv, int is_ascii)
+{
+  if (!is_recv)
+  {
+    if (is_ascii || p_sess->data_use_ssl)
+    {
+      return do_file_send_rwloop(p_sess, file_fd, is_ascii);
+    }
+    else
+    {
+      filesize_t curr_offset = vsf_sysutil_get_file_offset(file_fd);
+      filesize_t num_send = calc_num_send(file_fd, curr_offset);
+      return do_file_send_sendfile(
+        p_sess, remote_fd, file_fd, curr_offset, num_send);
+    }
+  }
+  else
+  {
+    return do_file_recv(p_sess, file_fd, is_ascii);
+  }
+}
+
+static struct vsf_transfer_ret
+do_file_send_rwloop(struct vsf_session* p_sess, int file_fd, int is_ascii)
+{
+  static char* p_readbuf;
+  static char* p_asciibuf;
+  struct vsf_transfer_ret ret_struct = { 0, 0 };
+  unsigned int chunk_size = get_chunk_size();
+  char* p_writefrom_buf;
+  int prev_cr = 0;
+  if (p_readbuf == 0)
+  {
+    vsf_secbuf_alloc(&p_readbuf, VSFTP_DATA_BUFSIZE);
+  }
+  if (is_ascii)
+  {
+    if (p_asciibuf == 0)
+    {
+      /* NOTE!! * 2 factor because we can double the data by doing our ASCII
+       * linefeed mangling
+       */
+      vsf_secbuf_alloc(&p_asciibuf, VSFTP_DATA_BUFSIZE * 2);
+    }
+    p_writefrom_buf = p_asciibuf;
+  }
+  else
+  {
+    p_writefrom_buf = p_readbuf;
+  }
+  while (1)
+  {
+    unsigned int num_to_write;
+    int retval = vsf_sysutil_read(file_fd, p_readbuf, chunk_size);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      ret_struct.retval = -1;
+      return ret_struct;
+    }
+    else if (retval == 0)
+    {
+      /* Success - cool */
+      return ret_struct;
+    }
+    if (is_ascii)
+    {
+      struct bin_to_ascii_ret ret =
+          vsf_ascii_bin_to_ascii(p_readbuf,
+                                 p_asciibuf,
+                                 (unsigned int) retval,
+                                 prev_cr);
+      num_to_write = ret.stored;
+      prev_cr = ret.last_was_cr;
+    }
+    else
+    {
+      num_to_write = (unsigned int) retval;
+    }
+    retval = ftp_write_data(p_sess, p_writefrom_buf, num_to_write);
+    if (!vsf_sysutil_retval_is_error(retval))
+    {
+      ret_struct.transferred += (unsigned int) retval;
+    }
+    if (vsf_sysutil_retval_is_error(retval) ||
+        (unsigned int) retval != num_to_write)
+    {
+      ret_struct.retval = -2;
+      return ret_struct;
+    }
+  }
+}
+
+static struct vsf_transfer_ret
+do_file_send_sendfile(struct vsf_session* p_sess, int net_fd, int file_fd,
+                      filesize_t curr_file_offset, filesize_t bytes_to_send)
+{
+  int retval;
+  unsigned int chunk_size = 0;
+  struct vsf_transfer_ret ret_struct = { 0, 0 };
+  filesize_t init_file_offset = curr_file_offset;
+  filesize_t bytes_sent;
+  if (p_sess->bw_rate_max)
+  {
+    chunk_size = get_chunk_size();
+  }
+  /* Just because I can ;-) */
+  retval = vsf_sysutil_sendfile(net_fd, file_fd, &curr_file_offset,
+                                bytes_to_send, chunk_size);
+  bytes_sent = curr_file_offset - init_file_offset;
+  ret_struct.transferred = bytes_sent;
+  if (vsf_sysutil_retval_is_error(retval))
+  {
+    ret_struct.retval = -2;
+    return ret_struct;
+  }
+  else if (bytes_sent != bytes_to_send)
+  {
+    ret_struct.retval = -2;
+    return ret_struct;
+  }
+  return ret_struct; 
+}
+
+static filesize_t
+calc_num_send(int file_fd, filesize_t init_offset)
+{
+  static struct vsf_sysutil_statbuf* s_p_statbuf;
+  filesize_t bytes_to_send;
+  /* Work out how many bytes to send based on file size minus current offset */
+  vsf_sysutil_fstat(file_fd, &s_p_statbuf);
+  bytes_to_send = vsf_sysutil_statbuf_get_size(s_p_statbuf);
+  if (init_offset < 0 || bytes_to_send < 0)
+  {
+    die("calc_num_send: negative file offset or send count");
+  }
+  /* Don't underflow if some bonehead sets a REST greater than the file size */
+  if (init_offset > bytes_to_send)
+  {
+    bytes_to_send = 0;
+  }
+  else
+  {
+    bytes_to_send -= init_offset;
+  }
+  return bytes_to_send;
+}
+
+static struct vsf_transfer_ret
+do_file_recv(struct vsf_session* p_sess, int file_fd, int is_ascii)
+{
+  static char* p_recvbuf;
+  unsigned int num_to_write;
+  struct vsf_transfer_ret ret_struct = { 0, 0 };
+  unsigned int chunk_size = get_chunk_size();
+  int prev_cr = 0;
+  if (p_recvbuf == 0)
+  {
+    /* Now that we do ASCII conversion properly, the plus one is to cater for
+     * the fact we may need to stick a '\r' at the front of the buffer if the
+     * last buffer fragment eneded in a '\r' and the current buffer fragment
+     * does not start with a '\n'.
+     */
+    vsf_secbuf_alloc(&p_recvbuf, VSFTP_DATA_BUFSIZE + 1);
+  }
+  while (1)
+  {
+    const char* p_writebuf = p_recvbuf + 1;
+    int retval = ftp_read_data(p_sess, p_recvbuf + 1, chunk_size);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      ret_struct.retval = -2;
+      return ret_struct;
+    }
+    else if (retval == 0 && !prev_cr)
+    {
+      /* Transfer done, nifty */
+      return ret_struct;
+    }
+    num_to_write = (unsigned int) retval;
+    ret_struct.transferred += num_to_write;
+    if (is_ascii)
+    {
+      /* Handle ASCII conversion if we have to. Note that using the same
+       * buffer for source and destination is safe, because the ASCII ->
+       * binary transform only ever results in a smaller file.
+       */
+      struct ascii_to_bin_ret ret =
+        vsf_ascii_ascii_to_bin(p_recvbuf, num_to_write, prev_cr);
+      num_to_write = ret.stored;
+      prev_cr = ret.last_was_cr;
+      p_writebuf = ret.p_buf;
+    }
+    retval = vsf_sysutil_write_loop(file_fd, p_writebuf, num_to_write);
+    if (vsf_sysutil_retval_is_error(retval) ||
+        (unsigned int) retval != num_to_write)
+    {
+      ret_struct.retval = -1;
+      return ret_struct;
+    }
+  }
+}
+
+static unsigned int
+get_chunk_size()
+{
+  unsigned int ret = VSFTP_DATA_BUFSIZE;
+  if (tunable_trans_chunk_size < VSFTP_DATA_BUFSIZE &&
+      tunable_trans_chunk_size > 0)
+  {
+    ret = tunable_trans_chunk_size;
+    if (ret < 4096)
+    {
+      ret = 4096;
+    }
+  }
+  return ret;
+}
+

ftpdataio.h

@@ -0,0 +1,102 @@
+#ifndef VSF_FTPDATAIO_H
+#define VSF_FTPDATAIO_H
+
+#include "filesize.h"
+
+struct mystr;
+struct vsf_sysutil_sockaddr;
+struct vsf_sysutil_dir;
+struct vsf_session;
+
+/* vsf_ftpdataio_dispose_transfer_fd()
+ * PURPOSE
+ * Close down the remote data transfer file descriptor. If unsent data reamins
+ * on the connection, this method blocks until it is transferred (or the data
+ * timeout goes off, or the connection is severed).
+ * PARAMETERS
+ * p_sess       - the current FTP session object
+ * RETURNS
+ * 1 on success, 0 otherwise.
+ * 
+ */
+int vsf_ftpdataio_dispose_transfer_fd(struct vsf_session* p_sess);
+
+/* vsf_ftpdataio_get_pasv_fd()
+ * PURPOSE
+ * Return a connection data file descriptor obtained by the PASV connection
+ * method. This includes accept()'ing a connection from the remote.
+ * PARAMETERS
+ * p_sess       - the current FTP session object
+ * RETURNS
+ * The file descriptor upon success, or -1 upon error.
+ */
+int vsf_ftpdataio_get_pasv_fd(struct vsf_session* p_sess);
+
+/* vsf_ftpdataio_get_pasv_fd()
+ * PURPOSE
+ * Return a connection data file descriptor obtained by the PORT connection
+ * method. This includes connect()'ing to the remote.
+ * PARAMETERS
+ * p_sess       - the current FTP session object
+ * RETURNS
+ * The file descriptor upon success, or -1 upon error.
+ */
+int vsf_ftpdataio_get_port_fd(struct vsf_session* p_sess);
+
+/* vsf_ftpdataio_post_mark_connect()
+ * PURPOSE
+ * Perform any post-150-status-mark setup on the data connection. For example,
+ * the negotiation of SSL.
+ * PARAMETERS
+ * p_sess       - the current FTP session object
+ * RETURNS
+ * 1 on success, 0 otherwise.
+ */
+int vsf_ftpdataio_post_mark_connect(struct vsf_session* p_sess);
+
+/* vsf_ftpdataio_transfer_file()
+ * PURPOSE
+ * Send data between the network and a local file. Send and receive are
+ * supported, as well as ASCII mangling.
+ * PARAMETERS
+ * remote_fd    - the file descriptor of the remote data connection
+ * file_fd      - the file descriptor of the local file
+ * is_recv      - 0 for sending to the remote, otherwise receive
+ * is_ascii     - non zero for ASCII mangling
+ * RETURNS
+ * A structure, containing
+ * retval       - 0 for success, failure otherwise
+ *                (-1 = local problem -2 = remote problem)
+ * transferred  - number of bytes transferred
+ */
+struct vsf_transfer_ret
+{
+  int retval;
+  filesize_t transferred;
+};
+struct vsf_transfer_ret vsf_ftpdataio_transfer_file(
+  struct vsf_session* p_sess,
+  int remote_fd, int file_fd, int is_recv, int is_ascii);
+
+/* vsf_ftpdataio_transfer_dir()
+ * PURPOSE
+ * Send an ASCII directory lising of the requested directory to the remote
+ * client.
+ * PARAMETERS
+ * p_sess         - the current session object
+ * is_control     - whether to send on the control connection or data connection
+ * p_dir          - the local directory object
+ * p_base_dir_str - the directory we opened relative to the current one
+ * p_option_str   - the options list provided to "ls"
+ * p_filter_str   - the filter string provided to "ls"
+ * is_verbose     - set to 0 if NLST used, 1 if LIST used
+ */
+int vsf_ftpdataio_transfer_dir(struct vsf_session* p_sess, int is_control,
+                               struct vsf_sysutil_dir* p_dir,
+                               const struct mystr* p_base_dir_str,
+                               const struct mystr* p_option_str,
+                               const struct mystr* p_filter_str,
+                               int is_verbose);
+
+#endif /* VSF_FTPDATAIO_H */
+

ftppolicy.c

@@ -0,0 +1,328 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * ftppolicy.c
+ *
+ * Code to build a sandbox policy based on current session options.
+ */
+
+#include "ftppolicy.h"
+#include "ptracesandbox.h"
+#include "tunables.h"
+#include "session.h"
+#include "sysutil.h"
+
+/* For AF_INET etc. network constants. */
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+static int socket_validator(struct pt_sandbox* p_sandbox, void* p_arg);
+static int connect_validator(struct pt_sandbox* p_sandbox, void* p_arg);
+static int getsockopt_validator(struct pt_sandbox* p_sandbox, void* p_arg);
+static int setsockopt_validator(struct pt_sandbox* p_sandbox, void* p_arg);
+
+void
+policy_setup(struct pt_sandbox* p_sandbox, const struct vsf_session* p_sess)
+{
+  int is_anon = p_sess->is_anonymous;
+  /* Always need to be able to exit! */
+  ptrace_sandbox_permit_exit(p_sandbox);
+  /* Needed for memory management. */
+  ptrace_sandbox_permit_mmap(p_sandbox);
+  ptrace_sandbox_permit_mprotect(p_sandbox);
+  ptrace_sandbox_permit_brk(p_sandbox);
+  /* Simple reads and writes are required. Permitting write does not imply
+   * filesystem write access because access control is done at open time.
+   */
+  ptrace_sandbox_permit_read(p_sandbox);
+  ptrace_sandbox_permit_write(p_sandbox);
+  /* Reading FTP commands from the network. */
+  ptrace_sandbox_permit_recv(p_sandbox);
+  /* Querying time is harmless; used for log timestamps and internally to
+   * OpenSSL
+   */
+  ptrace_sandbox_permit_query_time(p_sandbox);
+
+  /* Typically post-login things follow. */
+  /* Since we're in a chroot(), we can just blanket allow filesystem readonly
+   * open.
+   */
+  ptrace_sandbox_permit_open(p_sandbox, 0);
+  ptrace_sandbox_permit_close(p_sandbox);
+  /* Other pathname-based metadata queries. */
+  ptrace_sandbox_permit_file_stats(p_sandbox);
+  ptrace_sandbox_permit_readlink(p_sandbox);
+  /* Querying, reading and changing directory. */
+  ptrace_sandbox_permit_getcwd(p_sandbox);
+  ptrace_sandbox_permit_chdir(p_sandbox);
+  ptrace_sandbox_permit_getdents(p_sandbox);
+  /* Simple fd-based operations. */
+  ptrace_sandbox_permit_fd_stats(p_sandbox);
+  ptrace_sandbox_permit_seek(p_sandbox);
+  ptrace_sandbox_permit_shutdown(p_sandbox);
+  ptrace_sandbox_permit_fcntl(p_sandbox);
+  ptrace_sandbox_permit_setsockopt(p_sandbox);
+  ptrace_sandbox_set_setsockopt_validator(p_sandbox, setsockopt_validator, 0);
+  /* Misc */
+  /* Setting umask. */
+  ptrace_sandbox_permit_umask(p_sandbox);
+  /* Select for data connection readyness. */
+  ptrace_sandbox_permit_select(p_sandbox);
+  /* Always need ability to take signals (SIGPIPE) */
+  ptrace_sandbox_permit_sigreturn(p_sandbox);
+  /* Sleeping (bandwidth limit, connect retires, anon login fails) */
+  ptrace_sandbox_permit_sleep(p_sandbox);
+  /* High-speed transfers... */
+  ptrace_sandbox_permit_sendfile(p_sandbox);
+  /* TODO - Grrrr! nscd cache access is leaking into child. Need to find out
+   * out how to disable that. Also means that text_userdb_names loads values
+   * from the real system data.
+   */
+  if (tunable_text_userdb_names)
+  {
+    ptrace_sandbox_permit_mremap(p_sandbox);
+  }
+  /* May need ability to install signal handlers. */
+  if (tunable_async_abor_enable ||
+      tunable_idle_session_timeout > 0 ||
+      tunable_data_connection_timeout > 0)
+  {
+    ptrace_sandbox_permit_sigaction(p_sandbox);
+  }
+  /* May need ability to set up timeout alarms. */
+  if (tunable_idle_session_timeout > 0 || tunable_data_connection_timeout > 0)
+  {
+    ptrace_sandbox_permit_alarm(p_sandbox);
+  }
+  /* Set up network permissions according to config and session. */
+  ptrace_sandbox_permit_socket(p_sandbox);
+  ptrace_sandbox_set_socket_validator(p_sandbox,
+                                      socket_validator,
+                                      (void*) p_sess);
+  ptrace_sandbox_permit_bind(p_sandbox);
+  /* Yes, reuse of the connect validator is intentional. */
+  ptrace_sandbox_set_bind_validator(p_sandbox,
+                                    connect_validator,
+                                    (void*) p_sess);
+  if (tunable_port_enable)
+  {
+    ptrace_sandbox_permit_connect(p_sandbox);
+    ptrace_sandbox_set_connect_validator(p_sandbox,
+                                         connect_validator,
+                                         (void*) p_sess);
+    ptrace_sandbox_permit_getsockopt(p_sandbox);
+    ptrace_sandbox_set_getsockopt_validator(p_sandbox, getsockopt_validator, 0);
+  }
+  if (tunable_pasv_enable)
+  {
+    ptrace_sandbox_permit_listen(p_sandbox);
+    ptrace_sandbox_permit_accept(p_sandbox);
+  }
+  /* Set up write permissions according to config and session. */
+  if (tunable_write_enable)
+  {
+    if (!is_anon || tunable_anon_upload_enable)
+    {
+      ptrace_sandbox_permit_open(p_sandbox, 1);
+    }
+    if (!is_anon || tunable_anon_mkdir_write_enable)
+    {
+      ptrace_sandbox_permit_mkdir(p_sandbox);
+    }
+    if (!is_anon || tunable_anon_other_write_enable)
+    {
+      ptrace_sandbox_permit_unlink(p_sandbox);
+      ptrace_sandbox_permit_rmdir(p_sandbox);
+      ptrace_sandbox_permit_rename(p_sandbox);
+      ptrace_sandbox_permit_ftruncate(p_sandbox);
+      if (tunable_mdtm_write)
+      {
+        ptrace_sandbox_permit_utime(p_sandbox);
+      }
+    }
+    if (!is_anon && tunable_chmod_enable)
+    {
+      ptrace_sandbox_permit_chmod(p_sandbox);
+    }
+    if (is_anon && tunable_chown_uploads)
+    {
+      ptrace_sandbox_permit_fchmod(p_sandbox);
+      ptrace_sandbox_permit_fchown(p_sandbox);
+    }
+  }
+}
+
+static int
+socket_validator(struct pt_sandbox* p_sandbox, void* p_arg)
+{
+  int ret;
+  struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+  unsigned long arg1;
+  unsigned long arg2;
+  unsigned long expected_family = AF_INET;
+  if (vsf_sysutil_sockaddr_is_ipv6(p_sess->p_local_addr))
+  {
+    expected_family = AF_INET6;
+  }
+  ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 0, &arg1);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 1, &arg2);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  if (arg1 != expected_family || arg2 != SOCK_STREAM)
+  {
+    return -1;
+  }
+  return 0;
+}
+
+static int
+connect_validator(struct pt_sandbox* p_sandbox, void* p_arg)
+{
+  int ret;
+  struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+  unsigned long arg2;
+  unsigned long arg3;
+  unsigned long expected_family = AF_INET;
+  unsigned long expected_len = sizeof(struct sockaddr_in);
+  void* p_buf = 0;
+  struct sockaddr* p_sockaddr;
+  static struct vsf_sysutil_sockaddr* p_sockptr;
+  if (vsf_sysutil_sockaddr_is_ipv6(p_sess->p_local_addr))
+  {
+    expected_family = AF_INET6;
+    expected_len = sizeof(struct sockaddr_in6);
+  }
+  ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 1, &arg2);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 2, &arg3);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  if (arg3 != expected_len)
+  {
+    return -1;
+  }
+  p_buf = vsf_sysutil_malloc((int) expected_len);
+  ret = ptrace_sandbox_get_buf(p_sandbox, arg2, expected_len, p_buf);
+  if (ret != 0)
+  {
+    vsf_sysutil_free(p_buf);
+    return -2;
+  }
+  p_sockaddr = (struct sockaddr*) p_buf;
+  if (p_sockaddr->sa_family != expected_family)
+  {
+    vsf_sysutil_free(p_buf);
+    return -3;
+  }
+  if (expected_family == AF_INET)
+  {
+    struct sockaddr_in* p_sockaddr_in = (struct sockaddr_in*) p_sockaddr;
+    vsf_sysutil_sockaddr_alloc_ipv4(&p_sockptr);
+    vsf_sysutil_sockaddr_set_ipv4addr(p_sockptr,
+                                      (const unsigned char*)
+                                          &p_sockaddr_in->sin_addr);
+  }
+  else
+  {
+    struct sockaddr_in6* p_sockaddr_in6 = (struct sockaddr_in6*) p_sockaddr;
+    vsf_sysutil_sockaddr_alloc_ipv6(&p_sockptr);
+    vsf_sysutil_sockaddr_set_ipv6addr(p_sockptr,
+                                      (const unsigned char*)
+                                          &p_sockaddr_in6->sin6_addr);
+  }
+  if (!vsf_sysutil_sockaddr_addr_equal(p_sess->p_remote_addr, p_sockptr))
+  {
+    vsf_sysutil_free(p_buf);
+    return -4;
+  }
+  vsf_sysutil_free(p_buf);
+  return 0;
+}
+
+static int
+getsockopt_validator(struct pt_sandbox* p_sandbox, void* p_arg)
+{
+  int ret;
+  unsigned long arg2;
+  unsigned long arg3;
+  (void) p_arg;
+  ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 1, &arg2);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 2, &arg3);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  if (arg2 != SOL_SOCKET || arg3 != SO_ERROR)
+  {
+    return -1;
+  }
+  return 0;
+}
+
+static int
+setsockopt_validator(struct pt_sandbox* p_sandbox, void* p_arg)
+{
+  int ret;
+  unsigned long arg2;
+  unsigned long arg3;
+  (void) p_arg;
+  ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 1, &arg2);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  ret = ptrace_sandbox_get_socketcall_arg(p_sandbox, 2, &arg3);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  if (arg2 == SOL_SOCKET)
+  {
+    if (arg3 != SO_KEEPALIVE &&
+        arg3 != SO_REUSEADDR &&
+        arg3 != SO_OOBINLINE &&
+        arg3 != SO_LINGER)
+    {
+      return -1;
+    }
+  }
+  else if (arg2 == IPPROTO_TCP)
+  {
+    if (arg3 != TCP_NODELAY)
+    {
+      return -2;
+    }
+  }
+  else if (arg2 == IPPROTO_IP)
+  {
+    if (arg3 != IP_TOS)
+    {
+      return -3;
+    }
+  }
+  else
+  {
+    return -4;
+  }
+  return 0;
+}

ftppolicy.h

@@ -0,0 +1,18 @@
+#ifndef VSF_FTPPOLICY_H
+#define VSF_FTPPOLICY_H
+
+/* Forward delcarations */
+struct pt_sandbox;
+struct vsf_session;
+
+/* policy_setup()
+ * PURPOSE
+ * Sets up a sandbox policy according to the currently enabled options.
+ * PARAMETERS
+ * p_sandbox    - the sandbox to set the policy on
+ * p_sess       - current vsftpd session object
+ */
+void policy_setup(struct pt_sandbox* p_sandbox,
+                  const struct vsf_session* p_sess);
+
+#endif /* VSF_FTPPOLICY_H */

hash.c

@@ -0,0 +1,147 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * hash.c
+ *
+ * Routines to handle simple hash table lookups and modifications.
+ */
+
+#include "hash.h"
+#include "sysutil.h"
+#include "utility.h"
+
+struct hash_node
+{
+  void* p_key;
+  void* p_value;
+  struct hash_node* p_prev;
+  struct hash_node* p_next;
+};
+
+struct hash
+{
+  unsigned int buckets;
+  unsigned int key_size;
+  unsigned int value_size;
+  hashfunc_t hash_func;
+  struct hash_node** p_nodes;
+};
+
+/* Internal functions */
+struct hash_node** hash_get_bucket(struct hash* p_hash, void* p_key);
+struct hash_node* hash_get_node_by_key(struct hash* p_hash, void* p_key);
+
+struct hash*
+hash_alloc(unsigned int buckets, unsigned int key_size,
+           unsigned int value_size, hashfunc_t hash_func)
+{
+  unsigned int size;
+  struct hash* p_hash = vsf_sysutil_malloc(sizeof(*p_hash));
+  p_hash->buckets = buckets;
+  p_hash->key_size = key_size;
+  p_hash->value_size = value_size;
+  p_hash->hash_func = hash_func;
+  size = (unsigned int) sizeof(struct hash_node*) * buckets;
+  p_hash->p_nodes = vsf_sysutil_malloc(size);
+  vsf_sysutil_memclr(p_hash->p_nodes, size);
+  return p_hash;
+}
+
+void*
+hash_lookup_entry(struct hash* p_hash, void* p_key)
+{
+  struct hash_node* p_node = hash_get_node_by_key(p_hash, p_key);
+  if (!p_node)
+  {
+    return p_node;
+  }
+  return p_node->p_value;
+}
+
+void
+hash_add_entry(struct hash* p_hash, void* p_key, void* p_value)
+{
+  struct hash_node** p_bucket;
+  struct hash_node* p_new_node;
+  if (hash_lookup_entry(p_hash, p_key))
+  {
+    bug("duplicate hash key");
+  }
+  p_bucket = hash_get_bucket(p_hash, p_key);
+  p_new_node = vsf_sysutil_malloc(sizeof(*p_new_node));
+  p_new_node->p_prev = 0;
+  p_new_node->p_next = 0;
+  p_new_node->p_key = vsf_sysutil_malloc(p_hash->key_size);
+  vsf_sysutil_memcpy(p_new_node->p_key, p_key, p_hash->key_size);
+  p_new_node->p_value = vsf_sysutil_malloc(p_hash->value_size);
+  vsf_sysutil_memcpy(p_new_node->p_value, p_value, p_hash->value_size);
+
+  if (!*p_bucket)
+  {
+    *p_bucket = p_new_node;    
+  }
+  else
+  {
+    p_new_node->p_next = *p_bucket;
+    (*p_bucket)->p_prev = p_new_node;
+    *p_bucket = p_new_node;
+  }
+}
+
+void
+hash_free_entry(struct hash* p_hash, void* p_key)
+{
+  struct hash_node* p_node = hash_get_node_by_key(p_hash, p_key);
+  if (!p_node)
+  {
+    bug("hash node not found");
+  }
+  vsf_sysutil_free(p_node->p_key);
+  vsf_sysutil_free(p_node->p_value);
+
+  if (p_node->p_prev)
+  {
+    p_node->p_prev->p_next = p_node->p_next;
+  }
+  else
+  {
+    struct hash_node** p_bucket = hash_get_bucket(p_hash, p_key);
+    *p_bucket = p_node->p_next;
+  }
+  if (p_node->p_next)
+  {
+    p_node->p_next->p_prev = p_node->p_prev;
+  }
+
+  vsf_sysutil_free(p_node);
+}
+
+struct hash_node**
+hash_get_bucket(struct hash* p_hash, void* p_key)
+{
+  unsigned int bucket = (*p_hash->hash_func)(p_hash->buckets, p_key);
+  if (bucket >= p_hash->buckets)
+  {
+    bug("bad bucket lookup");
+  }
+  return &(p_hash->p_nodes[bucket]);
+}
+
+struct hash_node*
+hash_get_node_by_key(struct hash* p_hash, void* p_key)
+{
+  struct hash_node** p_bucket = hash_get_bucket(p_hash, p_key);
+  struct hash_node* p_node = *p_bucket;
+  if (!p_node)
+  {
+    return p_node;
+  }
+  while (p_node != 0 &&
+         vsf_sysutil_memcmp(p_key, p_node->p_key, p_hash->key_size) != 0)
+  {
+    p_node = p_node->p_next;
+  }
+  return p_node;
+}
+

hash.h

@@ -0,0 +1,15 @@
+#ifndef VSFTP_HASH_H
+#define VSFTP_HASH_H
+
+struct hash;
+
+typedef unsigned int (*hashfunc_t)(unsigned int, void*);
+
+struct hash* hash_alloc(unsigned int buckets, unsigned int key_size,
+                        unsigned int value_size, hashfunc_t hash_func);
+void* hash_lookup_entry(struct hash* p_hash, void* p_key);
+void hash_add_entry(struct hash* p_hash, void* p_key, void* p_value);
+void hash_free_entry(struct hash* p_hash, void* p_key);
+
+#endif /* VSFTP_HASH_H */
+

ipaddrparse.c

@@ -0,0 +1,220 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * ipaddrparse.c
+ *
+ * A routine to parse ip addresses. I'm paranoid and don't want to use
+ * inet_pton.
+ */
+
+#include "ipaddrparse.h"
+#include "sysutil.h"
+#include "str.h"
+
+static int ipv6_parse_main(struct mystr* p_out_str,
+                           const struct mystr* p_in_str);
+static int ipv6_parse_hex(struct mystr* p_out_str,
+                          const struct mystr* p_in_str);
+static int ipv4_parse_dotquad(struct mystr* p_out_str,
+                              const struct mystr* p_in_str);
+
+const unsigned char*
+vsf_sysutil_parse_ipv6(const struct mystr* p_str)
+{
+  static struct mystr s_ret;
+  static struct mystr s_rhs_ret;
+  static struct mystr s_lhs_str;
+  static struct mystr s_rhs_str;
+  unsigned int lhs_len;
+  unsigned int rhs_len;
+  str_empty(&s_ret);
+  str_empty(&s_rhs_ret);
+  str_copy(&s_lhs_str, p_str);
+  str_split_text(&s_lhs_str, &s_rhs_str, "::");
+  if (!ipv6_parse_main(&s_ret, &s_lhs_str))
+  {
+    return 0;
+  }
+  if (!ipv6_parse_main(&s_rhs_ret, &s_rhs_str))
+  {
+    return 0;
+  }
+  lhs_len = str_getlen(&s_ret);
+  rhs_len = str_getlen(&s_rhs_ret);
+  if (lhs_len + rhs_len > 16)
+  {
+    return 0;
+  }
+  if (rhs_len > 0)
+  {
+    unsigned int add_nulls = 16 - (lhs_len + rhs_len);
+    while (add_nulls--)
+    {
+      str_append_char(&s_ret, '\0');
+    }
+    str_append_str(&s_ret, &s_rhs_ret);
+  }
+  return (const unsigned char*) str_getbuf(&s_ret);
+}
+
+const unsigned char*
+vsf_sysutil_parse_ipv4(const struct mystr* p_str)
+{
+  static unsigned char items[4];
+  return vsf_sysutil_parse_uchar_string_sep(p_str, '.', items, sizeof(items));
+}
+
+const unsigned char*
+vsf_sysutil_parse_uchar_string_sep(
+  const struct mystr* p_str, char sep, unsigned char* p_items,
+  unsigned int items)
+{
+  static struct mystr s_tmp_str;
+  unsigned int i;
+  str_copy(&s_tmp_str, p_str);
+  for (i=0; i<items; i++)
+  {
+    static struct mystr s_rhs_sep_str;
+    int this_number;
+    /* This puts a single separator delimited field in tmp_str */
+    str_split_char(&s_tmp_str, &s_rhs_sep_str, sep);
+    /* Sanity - check for too many or two few dots! */
+    if ( (i < (items-1) && str_isempty(&s_rhs_sep_str)) ||
+         (i == (items-1) && !str_isempty(&s_rhs_sep_str)))
+    {
+      return 0;
+    }
+    this_number = str_atoi(&s_tmp_str);
+    if (this_number < 0 || this_number > 255)
+    {
+      return 0;
+    }
+    /* If this truncates from int to uchar, we don't care */
+    p_items[i] = (unsigned char) this_number;
+    /* The right hand side of the comma now becomes the new string to
+     * breakdown
+     */
+    str_copy(&s_tmp_str, &s_rhs_sep_str);
+  }
+  return p_items;
+}
+
+static int
+ipv6_parse_main(struct mystr* p_out_str, const struct mystr* p_in_str)
+{
+  static struct mystr s_lhs_str;
+  static struct mystr s_rhs_str;
+  struct str_locate_result loc_ret;
+  str_copy(&s_lhs_str, p_in_str);
+  while (!str_isempty(&s_lhs_str))
+  {
+    str_split_char(&s_lhs_str, &s_rhs_str, ':');
+    if (str_isempty(&s_lhs_str))
+    {
+      return 0;
+    }
+    loc_ret = str_locate_char(&s_lhs_str, '.');
+    if (loc_ret.found)
+    {
+      if (!ipv4_parse_dotquad(p_out_str, &s_lhs_str))
+      {
+        return 0;
+      }
+    }
+    else if (!ipv6_parse_hex(p_out_str, &s_lhs_str))
+    {
+      return 0;
+    }
+    str_copy(&s_lhs_str, &s_rhs_str);
+  }
+  return 1;
+}
+
+static int
+ipv6_parse_hex(struct mystr* p_out_str, const struct mystr* p_in_str)
+{
+  unsigned int len = str_getlen(p_in_str);
+  unsigned int i;
+  unsigned int val = 0;
+  for (i=0; i<len; ++i)
+  {
+    int ch = vsf_sysutil_toupper(str_get_char_at(p_in_str, i));
+    if (ch >= '0' && ch <= '9')
+    {
+      ch -= '0';
+    }
+    else if (ch >= 'A' && ch <= 'F')
+    {
+      ch -= 'A';
+      ch += 10;
+    }
+    else
+    {
+      return 0;
+    }
+    val <<= 4;
+    val |= ch;
+    if (val > 0xFFFF)
+    {
+      return 0;
+    }
+  }
+  str_append_char(p_out_str, (val >> 8));
+  str_append_char(p_out_str, (val & 0xFF));
+  return 1;
+}
+
+static int
+ipv4_parse_dotquad(struct mystr* p_out_str, const struct mystr* p_in_str)
+{
+  unsigned int len = str_getlen(p_in_str);
+  unsigned int i;
+  unsigned int val = 0;
+  unsigned int final_val = 0;
+  int seen_char = 0;
+  int dots = 0;
+  for (i=0; i<len; ++i)
+  {
+    int ch = str_get_char_at(p_in_str, i);
+    if (ch == '.')
+    {
+      if (!seen_char || dots == 3)
+      {
+        return 0;
+      }
+      seen_char = 0;
+      dots++;
+      final_val <<= 8;
+      final_val |= val;
+      val = 0;
+    }
+    else if (ch >= '0' && ch <= '9')
+    {
+      ch -= '0';
+      val *= 10;
+      val += ch;
+      if (val > 255)
+      {
+        return 0;
+      }
+      seen_char = 1;
+    }
+    else
+    {
+      return 0;
+    }
+  }
+  if (dots != 3 || !seen_char)
+  {
+    return 0;
+  }
+  final_val <<= 8;
+  final_val |= val;
+  str_append_char(p_out_str, (final_val >> 24));
+  str_append_char(p_out_str, ((final_val >> 16) & 0xFF));
+  str_append_char(p_out_str, ((final_val >> 8) & 0xFF));
+  str_append_char(p_out_str, (final_val & 0xFF));
+  return 1;
+}
+

ipaddrparse.h

@@ -0,0 +1,20 @@
+#ifndef VSF_IPADDRPARSE_H
+#define VSF_IPADDRPARSE_H
+
+struct mystr;
+
+/* Effectively doing the same sort of job as inet_pton. Since inet_pton does
+ * a non-trivial amount of parsing, we'll do it ourselves for maximum security
+ * and safety.
+ */
+
+const unsigned char* vsf_sysutil_parse_ipv6(const struct mystr* p_str);
+
+const unsigned char* vsf_sysutil_parse_ipv4(const struct mystr* p_str);
+
+const unsigned char* vsf_sysutil_parse_uchar_string_sep(
+  const struct mystr* p_str, char sep, unsigned char* p_items,
+  unsigned int items);
+
+#endif /* VSF_IPADDRPARSE_H */
+

logging.c

@@ -0,0 +1,384 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ *
+ * logging.c
+ */
+
+#include "logging.h"
+#include "tunables.h"
+#include "utility.h"
+#include "str.h"
+#include "sysutil.h"
+#include "sysstr.h"
+#include "session.h"
+
+/* File local functions */
+static int vsf_log_type_is_transfer(enum EVSFLogEntryType type);
+static void vsf_log_common(struct vsf_session* p_sess, int succeeded,
+                           enum EVSFLogEntryType what,
+                           const struct mystr* p_str);
+static void vsf_log_do_log_vsftpd_format(struct vsf_session* p_sess,
+                                         struct mystr* p_str, int succeeded,
+                                         enum EVSFLogEntryType what,
+                                         const struct mystr* p_log_str);
+static void vsf_log_do_log_wuftpd_format(struct vsf_session* p_sess,
+                                         struct mystr* p_str, int succeeded);
+static void vsf_log_do_log_to_file(int fd, struct mystr* p_str);
+
+void
+vsf_log_init(struct vsf_session* p_sess)
+{
+  if (tunable_syslog_enable || tunable_tcp_wrappers)
+  {
+    vsf_sysutil_openlog(1);
+  }
+  if (!tunable_xferlog_enable && !tunable_dual_log_enable)
+  {
+    return;
+  }
+  if (tunable_dual_log_enable || tunable_xferlog_std_format)
+  {
+    int retval = -1;
+    if (tunable_xferlog_file)
+    {
+      retval = vsf_sysutil_create_or_open_file_append(tunable_xferlog_file,
+                                                      0600);
+    }
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      die2("failed to open xferlog log file:", tunable_xferlog_file);
+    }
+    p_sess->xferlog_fd = retval;
+  }
+  if (tunable_dual_log_enable || !tunable_xferlog_std_format)
+  {
+    if (!tunable_syslog_enable)
+    {
+      int retval = -1;
+      if (tunable_vsftpd_log_file)
+      {
+        retval = vsf_sysutil_create_or_open_file_append(tunable_vsftpd_log_file,
+                                                        0600);
+      }
+      if (vsf_sysutil_retval_is_error(retval))
+      {
+        die2("failed to open zftpd log file:", tunable_vsftpd_log_file);
+      }
+      p_sess->vsftpd_log_fd = retval;
+    }
+  }
+}
+
+static int
+vsf_log_type_is_transfer(enum EVSFLogEntryType type)
+{
+  return (type == kVSFLogEntryDownload || type == kVSFLogEntryUpload);
+}
+
+void
+vsf_log_start_entry(struct vsf_session* p_sess, enum EVSFLogEntryType what)
+{
+  if (p_sess->log_type != 0)
+  {
+    bug("non null log_type in vsf_log_start_entry");
+  }
+  p_sess->log_type = (unsigned long) what;
+  p_sess->log_start_sec = 0;
+  p_sess->log_start_usec = 0;
+  p_sess->transfer_size = 0;
+  str_empty(&p_sess->log_str);
+  if (vsf_log_type_is_transfer(what))
+  {
+    p_sess->log_start_sec = vsf_sysutil_get_time_sec();
+    p_sess->log_start_usec = vsf_sysutil_get_time_usec();
+  }
+}
+
+void
+vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
+             struct mystr* p_str)
+{
+  vsf_log_common(p_sess, 1, what, p_str);
+}
+
+int
+vsf_log_entry_pending(struct vsf_session* p_sess)
+{
+  if (p_sess->log_type == 0)
+  {
+    return 0;
+  }
+  return 1;
+}
+
+void
+vsf_log_clear_entry(struct vsf_session* p_sess)
+{
+  p_sess->log_type = 0;
+}
+
+void
+vsf_log_do_log(struct vsf_session* p_sess, int succeeded)
+{
+  vsf_log_common(p_sess, succeeded, (enum EVSFLogEntryType) p_sess->log_type,
+                 &p_sess->log_str);
+  p_sess->log_type = 0;
+}
+
+static void
+vsf_log_common(struct vsf_session* p_sess, int succeeded,
+               enum EVSFLogEntryType what, const struct mystr* p_str)
+{
+  static struct mystr s_log_str;
+  /* Handle xferlog line if appropriate */
+  if (p_sess->xferlog_fd != -1 && vsf_log_type_is_transfer(what))
+  {
+    vsf_log_do_log_wuftpd_format(p_sess, &s_log_str, succeeded);
+    vsf_log_do_log_to_file(p_sess->xferlog_fd, &s_log_str);
+  }
+  /* Handle vsftpd.log line if appropriate */
+  if (p_sess->vsftpd_log_fd != -1)
+  {
+    vsf_log_do_log_vsftpd_format(p_sess, &s_log_str, succeeded, what, p_str);
+    vsf_log_do_log_to_file(p_sess->vsftpd_log_fd, &s_log_str);
+  }
+  /* Handle syslog() line if appropriate */
+  if (tunable_syslog_enable)
+  {
+    int severe = 0;
+    vsf_log_do_log_vsftpd_format(p_sess, &s_log_str, succeeded, what, p_str);
+    if (what == kVSFLogEntryLogin && !succeeded)
+    {
+      severe = 1;
+    }
+    str_syslog(&s_log_str, severe);
+  }
+}
+
+static void
+vsf_log_do_log_to_file(int fd, struct mystr* p_str)
+{
+  if (!tunable_no_log_lock)
+  {
+    int retval = vsf_sysutil_lock_file_write(fd);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      return;
+    }
+  }
+  str_replace_unprintable(p_str, '?');
+  str_append_char(p_str, '\n');
+  /* Ignore write failure; maybe the disk filled etc. */
+  (void) str_write_loop(p_str, fd);
+  if (!tunable_no_log_lock)
+  {
+    vsf_sysutil_unlock_file(fd);
+  }
+}
+
+static void
+vsf_log_do_log_wuftpd_format(struct vsf_session* p_sess, struct mystr* p_str,
+                             int succeeded)
+{
+  static struct mystr s_filename_str;
+  long delta_sec;
+  enum EVSFLogEntryType what = (enum EVSFLogEntryType) p_sess->log_type;
+  /* Date - vsf_sysutil_get_current_date updates cached time */
+  str_alloc_text(p_str, vsf_sysutil_get_current_date());
+  str_append_char(p_str, ' ');
+  /* Transfer time (in seconds) */
+  delta_sec = vsf_sysutil_get_time_sec() - p_sess->log_start_sec;
+  if (delta_sec <= 0)
+  {
+    delta_sec = 1;
+  }
+  str_append_ulong(p_str, (unsigned long) delta_sec);
+  str_append_char(p_str, ' ');
+  /* Remote host name */
+  str_append_str(p_str, &p_sess->remote_ip_str);
+  str_append_char(p_str, ' ');
+  /* Bytes transferred */
+  str_append_filesize_t(p_str, p_sess->transfer_size);
+  str_append_char(p_str, ' ');
+  /* Filename */
+  str_copy(&s_filename_str, &p_sess->log_str);
+  str_replace_char(&s_filename_str, ' ', '_');
+  str_append_str(p_str, &s_filename_str);
+  str_append_char(p_str, ' ');
+  /* Transfer type (ascii/binary) */
+  if (p_sess->is_ascii)
+  {
+    str_append_text(p_str, "a ");
+  }
+  else
+  {
+    str_append_text(p_str, "b ");
+  }
+  /* Special action flag - tar, gzip etc. */
+  str_append_text(p_str, "_ ");
+  /* Direction of transfer */
+  if (what == kVSFLogEntryUpload)
+  {
+    str_append_text(p_str, "i ");
+  }
+  else
+  {
+    str_append_text(p_str, "o ");
+  }
+  /* Access mode: anonymous/real user, and identity */
+  if (p_sess->is_anonymous && !p_sess->is_guest)
+  {
+    str_append_text(p_str, "a ");
+    str_append_str(p_str, &p_sess->anon_pass_str);
+  }
+  else
+  {
+    if (p_sess->is_guest)
+    {
+      str_append_text(p_str, "g ");
+    } 
+    else
+    {
+      str_append_text(p_str, "r ");
+    }
+    str_append_str(p_str, &p_sess->user_str);
+  }
+  str_append_char(p_str, ' ');
+  /* Service name, authentication method, authentication user id */
+  str_append_text(p_str, "ftp 0 * ");
+  /* Completion status */
+  if (succeeded)
+  {
+    str_append_char(p_str, 'c');
+  }
+  else
+  {
+    str_append_char(p_str, 'i');
+  }
+}
+
+static void
+vsf_log_do_log_vsftpd_format(struct vsf_session* p_sess, struct mystr* p_str,
+                             int succeeded, enum EVSFLogEntryType what,
+                             const struct mystr* p_log_str)
+{
+  str_empty(p_str);
+  if (!tunable_syslog_enable)
+  {
+    /* Date - vsf_sysutil_get_current_date updates cached time */
+    str_append_text(p_str, vsf_sysutil_get_current_date());
+    /* Pid */
+    str_append_text(p_str, " [pid ");
+    str_append_ulong(p_str, vsf_sysutil_getpid());
+    str_append_text(p_str, "] ");
+  }
+  /* User */
+  if (!str_isempty(&p_sess->user_str))
+  {
+    str_append_char(p_str, '[');
+    str_append_str(p_str, &p_sess->user_str);
+    str_append_text(p_str, "] ");
+  }
+  /* And the action */
+  if (what != kVSFLogEntryFTPInput && what != kVSFLogEntryFTPOutput &&
+      what != kVSFLogEntryConnection && what != kVSFLogEntryDebug)
+  {
+    if (succeeded)
+    {
+      str_append_text(p_str, "OK ");
+    }
+    else
+    {
+      str_append_text(p_str, "FAIL ");
+    }
+  }
+  switch (what)
+  {
+    case kVSFLogEntryDownload:
+      str_append_text(p_str, "DOWNLOAD");
+      break;
+    case kVSFLogEntryUpload:
+      str_append_text(p_str, "UPLOAD");
+      break;
+    case kVSFLogEntryMkdir:
+      str_append_text(p_str, "MKDIR");
+      break;
+    case kVSFLogEntryLogin:
+      str_append_text(p_str, "LOGIN");
+      break;
+    case kVSFLogEntryFTPInput:
+      str_append_text(p_str, "FTP command");
+      break;
+    case kVSFLogEntryFTPOutput:
+      str_append_text(p_str, "FTP response");
+      break;
+    case kVSFLogEntryConnection:
+      str_append_text(p_str, "CONNECT");
+      break;
+    case kVSFLogEntryDelete:
+      str_append_text(p_str, "DELETE");
+      break;
+    case kVSFLogEntryRename:
+      str_append_text(p_str, "RENAME");
+      break;
+    case kVSFLogEntryRmdir:
+      str_append_text(p_str, "RMDIR");
+      break;
+    case kVSFLogEntryChmod:
+      str_append_text(p_str, "CHMOD");
+      break;
+    case kVSFLogEntryDebug:
+      str_append_text(p_str, "DEBUG");
+      break;
+    case kVSFLogEntryNull:
+      /* Fall through */
+    default:
+      bug("bad entry_type in sf_log_do_log");
+      break;
+  }
+  str_append_text(p_str, ": Client \"");
+  str_append_str(p_str, &p_sess->remote_ip_str);
+  str_append_char(p_str, '"');
+  if (what == kVSFLogEntryLogin && !str_isempty(&p_sess->anon_pass_str))
+  {
+    str_append_text(p_str, ", anon password \"");
+    str_append_str(p_str, &p_sess->anon_pass_str);
+    str_append_char(p_str, '"');
+  }
+  if (!str_isempty(p_log_str))
+  {
+    str_append_text(p_str, ", \"");
+    str_append_str(p_str, p_log_str);
+    str_append_char(p_str, '"');
+  }
+  if (what != kVSFLogEntryFTPInput && what != kVSFLogEntryFTPOutput &&
+      what != kVSFLogEntryDebug)
+  {
+    if (p_sess->transfer_size)
+    {
+      str_append_text(p_str, ", ");
+      str_append_filesize_t(p_str, p_sess->transfer_size);
+      str_append_text(p_str, " bytes");
+    }
+    if (vsf_log_type_is_transfer(what))
+    {
+      long delta_sec = vsf_sysutil_get_time_sec() - p_sess->log_start_sec;
+      long delta_usec = vsf_sysutil_get_time_usec() - p_sess->log_start_usec;
+      double time_delta = (double) delta_sec + ((double) delta_usec /
+                                                (double) 1000000);
+      double kbyte_rate;
+      if (time_delta <= 0)
+      {
+        time_delta = 0.1;
+      }
+      kbyte_rate =
+        ((double) p_sess->transfer_size / time_delta) / (double) 1024;
+      str_append_text(p_str, ", ");
+      str_append_double(p_str, kbyte_rate);
+      str_append_text(p_str, "Kbyte/sec");
+    }
+  }
+}
+

logging.h

@@ -0,0 +1,84 @@
+#ifndef VSF_LOGGING_H
+#define VSF_LOGGING_H
+
+/* Forward delcarations */
+struct mystr;
+struct vsf_session;
+
+enum EVSFLogEntryType
+{
+  kVSFLogEntryNull = 1,
+  kVSFLogEntryDownload,
+  kVSFLogEntryUpload,
+  kVSFLogEntryMkdir,
+  kVSFLogEntryLogin,
+  kVSFLogEntryFTPInput,
+  kVSFLogEntryFTPOutput,
+  kVSFLogEntryConnection,
+  kVSFLogEntryDelete,
+  kVSFLogEntryRename,
+  kVSFLogEntryRmdir,
+  kVSFLogEntryChmod,
+  kVSFLogEntryDebug,
+};
+
+/* vsf_log_init()
+ * PURPOSE
+ * Initialize the logging services, by opening a writable file descriptor to
+ * the log file (should logging be enabled).
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void vsf_log_init(struct vsf_session* p_sess);
+
+/* vsf_log_start_entry()
+ * PURPOSE
+ * Denote the start of a logged operation. Importantly, timing information
+ * (if applicable) will be taken starting from this call.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * what         - the type of operation which just started
+ */
+void vsf_log_start_entry(struct vsf_session* p_sess,
+                         enum EVSFLogEntryType what);
+
+/* vsf_log_entry_pending()
+ * PURPOSE
+ * Determine whether a log entry has been started and not yet closed.
+ * RETURNS
+ * 0 if no log entry is pending; 1 if one is.
+ */
+int vsf_log_entry_pending(struct vsf_session* p_sess);
+
+/* vsf_log_clear_entry()
+ * PURPOSE
+ * Clears any pending log entry.
+ */
+void vsf_log_clear_entry(struct vsf_session* p_sess);
+
+/* vsf_log_do_log()
+ * PURPOSE
+ * Denote the end of a logged operation, specifying whether the operation
+ * was successful or not.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * succeeded    - 0 for a failed operation, 1 for a successful operation
+ */
+void vsf_log_do_log(struct vsf_session* p_sess, int succeeded);
+
+/* vsf_log_line()
+ * PURPOSE
+ * Logs a single line of information, without disturbing any pending log
+ * operations (e.g. a download log spans a period of time).
+ * This call must be used for any logging calls nested within a call to
+ * the vsf_log_start_entry() function.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * what         - the type of operation to log
+ * p_str        - the string to log
+ */
+void vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
+                  struct mystr* p_str);
+
+#endif /* VSF_LOGGING_H */
+

ls.c

@@ -0,0 +1,449 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * ls.c
+ *
+ * Would you believe, code to handle directory listing.
+ */
+
+#include "ls.h"
+#include "access.h"
+#include "defs.h"
+#include "str.h"
+#include "strlist.h"
+#include "sysstr.h"
+#include "sysutil.h"
+#include "tunables.h"
+
+static void build_dir_line(struct mystr* p_str,
+                           const struct mystr* p_filename_str,
+                           const struct vsf_sysutil_statbuf* p_stat,
+                           long curr_time);
+
+void
+vsf_ls_populate_dir_list(struct mystr_list* p_list,
+                         struct mystr_list* p_subdir_list,
+                         struct vsf_sysutil_dir* p_dir,
+                         const struct mystr* p_base_dir_str,
+                         const struct mystr* p_option_str,
+                         const struct mystr* p_filter_str,
+                         int is_verbose)
+{
+  struct mystr dirline_str = INIT_MYSTR;
+  struct mystr normalised_base_dir_str = INIT_MYSTR;
+  struct str_locate_result loc_result;
+  int a_option;
+  int r_option;
+  int t_option;
+  int F_option;
+  int do_stat = 0;
+  long curr_time = 0;
+  loc_result = str_locate_char(p_option_str, 'a');
+  a_option = loc_result.found;
+  loc_result = str_locate_char(p_option_str, 'r');
+  r_option = loc_result.found;
+  loc_result = str_locate_char(p_option_str, 't');
+  t_option = loc_result.found;
+  loc_result = str_locate_char(p_option_str, 'F');
+  F_option = loc_result.found;
+  loc_result = str_locate_char(p_option_str, 'l');
+  if (loc_result.found)
+  {
+    is_verbose = 1;
+  }
+  /* Invert "reverse" arg for "-t", the time sorting */
+  if (t_option)
+  {
+    r_option = !r_option;
+  }
+  if (is_verbose || t_option || F_option || p_subdir_list != 0)
+  {
+    do_stat = 1;
+  }
+  /* If the filter starts with a . then implicitly enable -a */
+  if (!str_isempty(p_filter_str) && str_get_char_at(p_filter_str, 0) == '.')
+  {
+    a_option = 1;
+  }
+  /* "Normalise" the incoming base directory string by making sure it
+   * ends in a '/' if it is nonempty
+   */
+  if (!str_equal_text(p_base_dir_str, "."))
+  {
+    str_copy(&normalised_base_dir_str, p_base_dir_str);
+  }
+  if (!str_isempty(&normalised_base_dir_str))
+  {
+    unsigned int len = str_getlen(&normalised_base_dir_str);
+    if (str_get_char_at(&normalised_base_dir_str, len - 1) != '/')
+    {
+      str_append_char(&normalised_base_dir_str, '/');
+    }
+  }
+  /* If we're going to need to do time comparisions, cache the local time */
+  if (is_verbose)
+  {
+    curr_time = vsf_sysutil_get_time_sec();
+  }
+  while (1)
+  {
+    static struct mystr s_next_filename_str;
+    static struct mystr s_next_path_and_filename_str;
+    static struct vsf_sysutil_statbuf* s_p_statbuf;
+    str_next_dirent(&s_next_filename_str, p_dir);
+    if (str_isempty(&s_next_filename_str))
+    {
+      break;
+    }
+    {
+      unsigned int len = str_getlen(&s_next_filename_str);
+      if (len > 0 && str_get_char_at(&s_next_filename_str, 0) == '.')
+      {
+        if (!a_option && !tunable_force_dot_files)
+        {
+          continue;
+        }
+        if (!a_option &&
+            ((len == 2 && str_get_char_at(&s_next_filename_str, 1) == '.') ||
+             len == 1))
+        {
+          continue;
+        }
+      }
+    }
+    /* Don't show hidden directory entries */
+    if (!vsf_access_check_file_visible(&s_next_filename_str))
+    {
+      continue;
+    }
+    /* If we have an ls option which is a filter, apply it */
+    if (!str_isempty(p_filter_str))
+    {
+      unsigned int iters = 0;
+      if (!vsf_filename_passes_filter(&s_next_filename_str, p_filter_str,
+                                      &iters))
+      {
+        continue;
+      }
+    }
+    /* Calculate the full path (relative to CWD) for lstat() and
+     * output purposes
+     */
+    str_copy(&s_next_path_and_filename_str, &normalised_base_dir_str);
+    str_append_str(&s_next_path_and_filename_str, &s_next_filename_str);
+    if (do_stat)
+    {
+      /* lstat() the file. Of course there's a race condition - the
+       * directory entry may have gone away whilst we read it, so
+       * ignore failure to stat
+       */
+      int retval = str_lstat(&s_next_path_and_filename_str, &s_p_statbuf);
+      if (vsf_sysutil_retval_is_error(retval))
+      {
+        continue;
+      }
+    }
+    if (is_verbose)
+    {
+      static struct mystr s_final_file_str;
+      /* If it's a damn symlink, we need to append the target */
+      str_copy(&s_final_file_str, &s_next_filename_str);
+      if (vsf_sysutil_statbuf_is_symlink(s_p_statbuf))
+      {
+        static struct mystr s_temp_str;
+        int retval = str_readlink(&s_temp_str, &s_next_path_and_filename_str);
+        if (retval == 0 && !str_isempty(&s_temp_str))
+        {
+          str_append_text(&s_final_file_str, " -> ");
+          str_append_str(&s_final_file_str, &s_temp_str);
+        }
+      }
+      if (F_option && vsf_sysutil_statbuf_is_dir(s_p_statbuf))
+      {
+        str_append_char(&s_final_file_str, '/');
+      }
+      build_dir_line(&dirline_str, &s_final_file_str, s_p_statbuf, curr_time);
+    }
+    else
+    {
+      /* Just emit the filenames - note, we prepend the directory for NLST
+       * but not for LIST
+       */
+      str_copy(&dirline_str, &s_next_path_and_filename_str);
+      if (F_option)
+      {
+        if (vsf_sysutil_statbuf_is_dir(s_p_statbuf))
+        {
+          str_append_char(&dirline_str, '/');
+        }
+        else if (vsf_sysutil_statbuf_is_symlink(s_p_statbuf))
+        {
+          str_append_char(&dirline_str, '@');
+        }
+      }
+      str_append_text(&dirline_str, "\r\n");
+    }
+    /* Add filename into our sorted list - sorting by filename or time. Also,
+     * if we are required to, maintain a distinct list of direct
+     * subdirectories.
+     */
+    {
+      static struct mystr s_temp_str;
+      const struct mystr* p_sort_str = 0;
+      const struct mystr* p_sort_subdir_str = 0;
+      if (!t_option)
+      {
+        p_sort_str = &s_next_filename_str;
+      }
+      else
+      {
+        str_alloc_text(&s_temp_str,
+                       vsf_sysutil_statbuf_get_sortkey_mtime(s_p_statbuf));
+        p_sort_str = &s_temp_str;
+        p_sort_subdir_str = &s_temp_str;
+      }
+      str_list_add(p_list, &dirline_str, p_sort_str);
+      if (p_subdir_list != 0 && vsf_sysutil_statbuf_is_dir(s_p_statbuf))
+      {
+        str_list_add(p_subdir_list, &s_next_filename_str, p_sort_subdir_str);
+      }
+    }
+  } /* END: while(1) */
+  str_list_sort(p_list, r_option);
+  if (p_subdir_list != 0)
+  {
+    str_list_sort(p_subdir_list, r_option);
+  }
+  str_free(&dirline_str);
+  str_free(&normalised_base_dir_str);
+}
+
+int
+vsf_filename_passes_filter(const struct mystr* p_filename_str,
+                           const struct mystr* p_filter_str,
+                           unsigned int* iters)
+{
+  /* A simple routine to match a filename against a pattern.
+   * This routine is used instead of e.g. fnmatch(3), because we should be
+   * reluctant to trust the latter. fnmatch(3) involves _lots_ of string
+   * parsing and handling. There is broad potential for any given fnmatch(3)
+   * implementation to be buggy.
+   *
+   * Currently supported pattern(s):
+   * - any number of wildcards, "*" or "?"
+   * - {,} syntax (not nested)
+   *
+   * Note that pattern matching is only supported within the last path
+   * component. For example, searching for /a/b/? will work, but searching
+   * for /a/?/c will not.
+   */
+  struct mystr filter_remain_str = INIT_MYSTR;
+  struct mystr name_remain_str = INIT_MYSTR;
+  struct mystr temp_str = INIT_MYSTR;
+  struct mystr brace_list_str = INIT_MYSTR;
+  struct mystr new_filter_str = INIT_MYSTR;
+  int ret = 0;
+  char last_token = 0;
+  int must_match_at_current_pos = 1;
+  str_copy(&filter_remain_str, p_filter_str);
+  str_copy(&name_remain_str, p_filename_str);
+
+  while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
+  {
+    static struct mystr s_match_needed_str;
+    /* Locate next special token */
+    struct str_locate_result locate_result =
+      str_locate_chars(&filter_remain_str, "*?{");
+    (*iters)++;
+    /* Isolate text leading up to token (if any) - needs to be matched */
+    if (locate_result.found)
+    {
+      unsigned int indexx = locate_result.index;
+      str_left(&filter_remain_str, &s_match_needed_str, indexx);
+      str_mid_to_end(&filter_remain_str, &temp_str, indexx + 1);
+      str_copy(&filter_remain_str, &temp_str);
+      last_token = locate_result.char_found;
+    }
+    else
+    {
+      /* No more tokens. Must match remaining filter string exactly. */
+      str_copy(&s_match_needed_str, &filter_remain_str);
+      str_empty(&filter_remain_str);
+      last_token = 0;
+    }
+    if (!str_isempty(&s_match_needed_str))
+    {
+      /* Need to match something.. could be a match which has to start at
+       * current position, or we could allow it to start anywhere
+       */
+      unsigned int indexx;
+      locate_result = str_locate_str(&name_remain_str, &s_match_needed_str);
+      if (!locate_result.found)
+      {
+        /* Fail */
+        goto out;
+      }
+      indexx = locate_result.index;
+      if (must_match_at_current_pos && indexx > 0)
+      {
+        goto out;
+      }
+      /* Chop matched string out of remainder */
+      str_mid_to_end(&name_remain_str, &temp_str,
+                     indexx + str_getlen(&s_match_needed_str));
+      str_copy(&name_remain_str, &temp_str);
+    }
+    if (last_token == '?')
+    {
+      if (str_isempty(&name_remain_str))
+      {
+        goto out;
+      }
+      str_right(&name_remain_str, &temp_str, str_getlen(&name_remain_str) - 1);
+      str_copy(&name_remain_str, &temp_str);
+      must_match_at_current_pos = 1;
+    }
+    else if (last_token == '{')
+    {
+      struct str_locate_result end_brace =
+        str_locate_char(&filter_remain_str, '}');
+      must_match_at_current_pos = 1;
+      if (end_brace.found)
+      {
+        str_split_char(&filter_remain_str, &temp_str, '}');
+        str_copy(&brace_list_str, &filter_remain_str);
+        str_copy(&filter_remain_str, &temp_str);
+        str_split_char(&brace_list_str, &temp_str, ',');
+        while (!str_isempty(&brace_list_str))
+        {
+          str_copy(&new_filter_str, &brace_list_str);
+          str_append_str(&new_filter_str, &filter_remain_str);
+          if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
+                                         iters))
+          {
+            ret = 1;
+            goto out;
+          }
+          str_copy(&brace_list_str, &temp_str);
+          str_split_char(&brace_list_str, &temp_str, ',');
+        }
+        goto out;
+      }
+      else if (str_isempty(&name_remain_str) ||
+               str_get_char_at(&name_remain_str, 0) != '{')
+      {
+        goto out;
+      }
+      else
+      {
+        str_right(&name_remain_str, &temp_str,
+                  str_getlen(&name_remain_str) - 1);
+        str_copy(&name_remain_str, &temp_str);
+      }
+    }
+    else
+    {
+      must_match_at_current_pos = 0;
+    }
+  }
+  /* Any incoming string left means no match unless we ended on the correct
+   * type of wildcard.
+   */
+  if (str_getlen(&name_remain_str) > 0 && last_token != '*')
+  {
+    goto out;
+  }
+  /* OK, a match */
+  ret = 1;
+  if (*iters == VSFTP_MATCHITERS_MAX) {
+    ret = 0;
+  }
+out:
+  str_free(&filter_remain_str);
+  str_free(&name_remain_str);
+  str_free(&temp_str);
+  str_free(&brace_list_str);
+  str_free(&new_filter_str);
+  return ret;
+}
+
+static void
+build_dir_line(struct mystr* p_str, const struct mystr* p_filename_str,
+               const struct vsf_sysutil_statbuf* p_stat, long curr_time)
+{
+  static struct mystr s_tmp_str;
+  filesize_t size = vsf_sysutil_statbuf_get_size(p_stat);
+  /* Permissions */
+  str_alloc_text(p_str, vsf_sysutil_statbuf_get_perms(p_stat));
+  str_append_char(p_str, ' ');
+  /* Hard link count */
+  str_alloc_ulong(&s_tmp_str, vsf_sysutil_statbuf_get_links(p_stat));
+  str_lpad(&s_tmp_str, 4);
+  str_append_str(p_str, &s_tmp_str);
+  str_append_char(p_str, ' ');
+  /* User */
+  if (tunable_hide_ids)
+  {
+    str_alloc_text(&s_tmp_str, "ftp");
+  }
+  else
+  {
+    int uid = vsf_sysutil_statbuf_get_uid(p_stat);
+    struct vsf_sysutil_user* p_user = 0;
+    if (tunable_text_userdb_names)
+    {
+      p_user = vsf_sysutil_getpwuid(uid);
+    }
+    if (p_user == 0)
+    {
+      str_alloc_ulong(&s_tmp_str, (unsigned long) uid);
+    }
+    else
+    {
+      str_alloc_text(&s_tmp_str, vsf_sysutil_user_getname(p_user));
+    }
+  }
+  str_rpad(&s_tmp_str, 8);
+  str_append_str(p_str, &s_tmp_str);
+  str_append_char(p_str, ' ');
+  /* Group */
+  if (tunable_hide_ids)
+  {
+    str_alloc_text(&s_tmp_str, "ftp");
+  }
+  else
+  {
+    int gid = vsf_sysutil_statbuf_get_gid(p_stat);
+    struct vsf_sysutil_group* p_group = 0;
+    if (tunable_text_userdb_names)
+    {
+      p_group = vsf_sysutil_getgrgid(gid);
+    }
+    if (p_group == 0)
+    {
+      str_alloc_ulong(&s_tmp_str, (unsigned long) gid);
+    }
+    else
+    {
+      str_alloc_text(&s_tmp_str, vsf_sysutil_group_getname(p_group));
+    }
+  }
+  str_rpad(&s_tmp_str, 8);
+  str_append_str(p_str, &s_tmp_str);
+  str_append_char(p_str, ' ');
+  /* Size in bytes */
+  str_alloc_filesize_t(&s_tmp_str, size);
+  str_lpad(&s_tmp_str, 8);
+  str_append_str(p_str, &s_tmp_str);
+  str_append_char(p_str, ' ');
+  /* Date stamp */
+  str_append_text(p_str, vsf_sysutil_statbuf_get_date(p_stat,
+                                                      tunable_use_localtime,
+                                                      curr_time));
+  str_append_char(p_str, ' ');
+  /* Filename */
+  str_append_str(p_str, p_filename_str);
+  str_append_text(p_str, "\r\n");
+}
+

ls.h

@@ -0,0 +1,48 @@
+#ifndef VSF_LS_H
+#define VSF_LS_H
+
+struct mystr;
+struct mystr_list;
+struct vsf_sysutil_dir;
+
+/* vsf_ls_populate_dir_list()
+ * PURPOSE
+ * Given a directory handle, populate a formatted directory entry list (/bin/ls
+ * format). Also optionally populate a list of subdirectories.
+ * PARAMETERS
+ * p_list         - the string list object for the result list of entries
+ * p_subdir_list  - the string list object for the result list of
+ *                  subdirectories. May be 0 if client is not interested.
+ * p_dir          - the directory object to be listed
+ * p_base_dir_str - the directory name we are listing, relative to current
+ * p_option_str   - the string of options given to the LIST/NLST command
+ * p_filter_str   - the filter string given to LIST/NLST - e.g. "*.mp3"
+ * is_verbose     - set to 1 for LIST, 0 for NLST
+ */
+void vsf_ls_populate_dir_list(struct mystr_list* p_list,
+                              struct mystr_list* p_subdir_list,
+                              struct vsf_sysutil_dir* p_dir,
+                              const struct mystr* p_base_dir_str,
+                              const struct mystr* p_option_str,
+                              const struct mystr* p_filter_str,
+                              int is_verbose);
+
+/* vsf_filename_passes_filter()
+ * PURPOSE
+ * Determine whether the given filename is matched by the given filter string.
+ * The format of the filter string is a small subset of a regular expression.
+ * Currently, just * and ? are supported.
+ * PARAMETERS
+ * p_filename_str  - the filename to match
+ * p_filter_str    - the filter to match against
+ * iters           - pointer to a zero-seeded int which prevents the match
+ *                   loop from running an excessive number of times
+ * RETURNS
+ * Returns 1 if there is a match, 0 otherwise.
+ */
+int vsf_filename_passes_filter(const struct mystr* p_filename_str,
+                               const struct mystr* p_filter_str,
+                               unsigned int* iters);
+
+#endif /* VSF_LS_H */
+

main.c

@@ -0,0 +1,381 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * main.c
+ */
+
+#include "session.h"
+#include "utility.h"
+#include "tunables.h"
+#include "logging.h"
+#include "str.h"
+#include "filestr.h"
+#include "ftpcmdio.h"
+#include "sysutil.h"
+#include "sysdeputil.h"
+#include "defs.h"
+#include "parseconf.h"
+#include "oneprocess.h"
+#include "twoprocess.h"
+#include "standalone.h"
+#include "tcpwrap.h"
+#include "vsftpver.h"
+#include "ssl.h"
+
+/*
+ * Forward decls of helper functions
+ */
+static void die_unless_privileged(void);
+static void do_sanity_checks(void);
+static void session_init(struct vsf_session* p_sess);
+static void env_init(void);
+static void limits_init(void);
+
+int
+main(int argc, const char* argv[])
+{
+  struct vsf_session the_session =
+  {
+    /* Control connection */
+    0, 0, 0, 0, 0,
+    /* Data connection */
+    -1, 0, -1, 0, 0, 0, 0,
+    /* Login */
+    1, 0, INIT_MYSTR, INIT_MYSTR,
+    /* Protocol state */
+    0, 1, INIT_MYSTR, 0, 0,
+    /* HTTP hacks */
+    0, INIT_MYSTR,
+    /* Session state */
+    0,
+    /* Userids */
+    -1, -1, -1,
+    /* Pre-chroot() cache */
+    INIT_MYSTR, INIT_MYSTR, INIT_MYSTR, INIT_MYSTR, 1,
+    /* Logging */
+    -1, -1, INIT_MYSTR, 0, 0, 0, INIT_MYSTR, 0,
+    /* Buffers */
+    INIT_MYSTR, INIT_MYSTR,
+    /* Parent <-> child comms */
+    -1, -1,
+    /* Number of clients */
+    0, 0,
+    /* Home directory */
+    INIT_MYSTR,
+    /* Secure connection state */
+    0, 0, 0, 0, 0, INIT_MYSTR, 0, -1, -1,
+    /* Login fails */
+    0
+  };
+  int config_loaded = 0;
+  int i;
+  tunables_load_defaults();
+  /* This might need to open /dev/zero on systems lacking MAP_ANON. Needs
+   * to be done early (i.e. before config file parse, which may use
+   * anonymous pages
+   */
+  vsf_sysutil_map_anon_pages_init();
+  /* Argument parsing. Any argument not starting with "-" is a config file,
+   * loaded in the order encountered. -o opt=value options are loading in the
+   * order encountered, including correct ordering with respect intermingled
+   * config files.
+   * If we see -v (version) or an unknown option, parsing bails and exits.
+   */
+  if (argc == 0)
+  {
+    die("missing argv[0]");
+  }
+  for (i = 1; i < argc; ++i)
+  {
+    const char* p_arg = argv[i];
+    if (p_arg[0] != '-')
+    {
+      config_loaded = 1;
+      vsf_parseconf_load_file(p_arg, 1);
+    }
+    else
+    {
+      if (p_arg[1] == 'v')
+      {
+        vsf_exit("ProFTPD 1.3.5 Server\n");
+      }
+      else if (p_arg[1] == 'o')
+      {
+        vsf_parseconf_load_setting(&p_arg[2], 1);
+      }
+      else
+      {
+        die2("unrecognise option: ", p_arg);
+      }
+    }
+  }
+  /* Parse default config file if necessary */
+  if (!config_loaded) {
+    struct vsf_sysutil_statbuf* p_statbuf = 0;
+    int retval = vsf_sysutil_stat(VSFTP_DEFAULT_CONFIG, &p_statbuf);
+    if (!vsf_sysutil_retval_is_error(retval))
+    {
+      vsf_parseconf_load_file(VSFTP_DEFAULT_CONFIG, 1);
+    }
+    vsf_sysutil_free(p_statbuf);
+  }
+  /* Resolve pasv_address if required */
+  if (tunable_pasv_address && tunable_pasv_addr_resolve)
+  {
+    struct vsf_sysutil_sockaddr* p_addr = 0;
+    const char* p_numeric_addr;
+    vsf_sysutil_dns_resolve(&p_addr, tunable_pasv_address);
+    vsf_sysutil_free((char*) tunable_pasv_address);
+    p_numeric_addr = vsf_sysutil_inet_ntop(p_addr);
+    tunable_pasv_address = vsf_sysutil_strdup(p_numeric_addr);
+    vsf_sysutil_free(p_addr);
+  }
+  if (!tunable_run_as_launching_user)
+  {
+    /* Just get out unless we start with requisite privilege */
+    die_unless_privileged();
+  }
+  if (tunable_setproctitle_enable)
+  {
+    /* Warning -- warning -- may nuke argv, environ */
+    vsf_sysutil_setproctitle_init(argc, argv);
+  }
+  /* Initialize the SSL system here if needed - saves the overhead of each
+   * child doing this itself.
+   */
+  if (tunable_ssl_enable)
+  {
+    ssl_init(&the_session);
+  }
+  if (tunable_listen || tunable_listen_ipv6)
+  {
+    /* Standalone mode */
+    struct vsf_client_launch ret = vsf_standalone_main();
+    the_session.num_clients = ret.num_children;
+    the_session.num_this_ip = ret.num_this_ip;
+  }
+  if (tunable_tcp_wrappers)
+  {
+    the_session.tcp_wrapper_ok = vsf_tcp_wrapper_ok(VSFTP_COMMAND_FD);
+  }
+  {
+    const char* p_load_conf = vsf_sysutil_getenv("VSFTPD_LOAD_CONF");
+    if (p_load_conf)
+    {
+      vsf_parseconf_load_file(p_load_conf, 1);
+    }
+  }
+  /* Sanity checks - exit with a graceful error message if our STDIN is not
+   * a socket. Also check various config options don't collide.
+   */
+  do_sanity_checks();
+  /* Initializes session globals - e.g. IP addr's etc. */
+  session_init(&the_session);
+  /* Set up "environment", e.g. process group etc. */
+  env_init();
+  /* Set up resource limits. */
+  limits_init();
+  /* Set up logging - must come after global init because we need the remote
+   * address to convert into text
+   */
+  vsf_log_init(&the_session);
+  str_alloc_text(&the_session.remote_ip_str,
+                 vsf_sysutil_inet_ntop(the_session.p_remote_addr));
+  /* Set up options on the command socket */
+  vsf_cmdio_sock_setup();
+  if (tunable_setproctitle_enable)
+  {
+    vsf_sysutil_set_proctitle_prefix(&the_session.remote_ip_str);
+    vsf_sysutil_setproctitle("connected");
+  }
+  /* We might chroot() very soon (one process model), so we need to open
+   * any required config files here.
+   */
+  /* SSL may have been enabled by a per-IP configuration.. */
+  if (tunable_ssl_enable)
+  {
+    ssl_init(&the_session);
+    ssl_add_entropy(&the_session);
+  }
+  if (tunable_deny_email_enable)
+  {
+    int retval = -1;
+    if (tunable_banned_email_file)
+    {
+      retval = str_fileread(&the_session.banned_email_str,
+                            tunable_banned_email_file, VSFTP_CONF_FILE_MAX);
+    }
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      die2(":", tunable_banned_email_file);
+    }
+  }
+  if (tunable_banner_file)
+  {
+    int retval = str_fileread(&the_session.banner_str, tunable_banner_file,
+                              VSFTP_CONF_FILE_MAX);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      die2(":", tunable_banner_file);
+    }
+  }
+  if (tunable_secure_email_list_enable)
+  {
+    int retval = -1;
+    if (tunable_email_password_file)
+    {
+      retval = str_fileread(&the_session.email_passwords_str,
+                            tunable_email_password_file,
+                            VSFTP_CONF_FILE_MAX);
+    }
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      die2(":", tunable_email_password_file);
+    }
+  }
+  if (tunable_run_as_launching_user)
+  {
+    tunable_one_process_model = 1;
+    if (!vsf_sysutil_running_as_root())
+    {
+      tunable_connect_from_port_20 = 0;
+      tunable_chown_uploads = 0;
+    }
+  }
+  if (tunable_one_process_model)
+  {
+    vsf_one_process_start(&the_session);
+  }
+  else
+  {
+    vsf_two_process_start(&the_session);
+  }
+  /* NOTREACHED */
+  bug("should not get here: main");
+  return 1;
+}
+
+static void
+die_unless_privileged(void)
+{
+  if (!vsf_sysutil_running_as_root())
+  {
+    die(" must be started as root");
+  }
+}
+
+static void
+do_sanity_checks(void)
+{
+  {
+    struct vsf_sysutil_statbuf* p_statbuf = 0;
+    vsf_sysutil_fstat(VSFTP_COMMAND_FD, &p_statbuf);
+    if (!vsf_sysutil_statbuf_is_socket(p_statbuf))
+    {
+      die("");
+    }
+    vsf_sysutil_free(p_statbuf);
+  }
+  if (tunable_one_process_model)
+  {
+    if (tunable_local_enable)
+    {
+      die("'one_process_model' is anonymous only");
+    }
+    if (!vsf_sysdep_has_capabilities_as_non_root())
+    {
+      die("'one_process_model' needs a better OS");
+    }
+  }
+  if (!tunable_local_enable && !tunable_anonymous_enable)
+  {
+    die("");
+  }
+  if (!tunable_ftp_enable && !tunable_http_enable)
+  {
+    die("");
+  }
+  if (tunable_http_enable && !tunable_one_process_model)
+  {
+    die("");
+  }
+}
+
+static void
+env_init(void)
+{
+  vsf_sysutil_make_session_leader();
+  /* Set up a secure umask - we'll set the proper one after login */
+  vsf_sysutil_set_umask(VSFTP_SECURE_UMASK);
+  /* Fire up libc's timezone initialisation, before we chroot()! */
+  vsf_sysutil_tzset();
+  /* Signals. We'll always take -EPIPE rather than a rude signal, thanks */
+  vsf_sysutil_install_null_sighandler(kVSFSysUtilSigPIPE);
+}
+
+static void
+limits_init(void)
+{
+  unsigned long limit = VSFTP_AS_LIMIT;
+  if (tunable_text_userdb_names)
+  {
+    /* Turns out, LDAP lookups for lots of userid -> name mappings can really
+     * bloat memory usage.
+     */
+    limit *= 3;
+  }
+  vsf_sysutil_set_address_space_limit(limit);
+}
+
+static void
+session_init(struct vsf_session* p_sess)
+{
+  /* Get the addresses of the control connection */
+  vsf_sysutil_getpeername(VSFTP_COMMAND_FD, &p_sess->p_remote_addr);
+  vsf_sysutil_getsockname(VSFTP_COMMAND_FD, &p_sess->p_local_addr);
+  /* If anonymous mode is active, fetch the uid of the anonymous user */
+  if (tunable_anonymous_enable)
+  {
+    const struct vsf_sysutil_user* p_user = 0;
+    if (tunable_ftp_username)
+    {
+      p_user = vsf_sysutil_getpwnam(tunable_ftp_username);
+    }
+    if (p_user == 0)
+    {
+      die2("",
+           tunable_ftp_username);
+    }
+    p_sess->anon_ftp_uid = vsf_sysutil_user_getuid(p_user);
+  }
+  if (tunable_guest_enable)
+  {
+    const struct vsf_sysutil_user* p_user = 0;
+    if (tunable_guest_username)
+    {
+      p_user = vsf_sysutil_getpwnam(tunable_guest_username);
+    }
+    if (p_user == 0)
+    {
+      die2("",
+           tunable_guest_username);
+    }
+    p_sess->guest_user_uid = vsf_sysutil_user_getuid(p_user);
+  }
+  if (tunable_chown_uploads)
+  {
+    const struct vsf_sysutil_user* p_user = 0;
+    if (tunable_chown_username)
+    {
+      p_user = vsf_sysutil_getpwnam(tunable_chown_username);
+    }
+    if (p_user == 0)
+    {
+      die2("",
+           tunable_chown_username);
+    }
+    p_sess->anon_upload_chown_uid = vsf_sysutil_user_getuid(p_user);
+  }
+}
+

netstr.c

@@ -0,0 +1,122 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * netstr.c
+ *
+ * The netstr interface extends the standard string interface, adding
+ * functions which can cope safely with building strings from the network,
+ * and send them out too.
+ */
+
+#include "netstr.h"
+#include "str.h"
+#include "sysstr.h"
+#include "utility.h"
+#include "sysutil.h"
+
+int
+str_netfd_alloc(struct vsf_session* p_sess,
+                struct mystr* p_str,
+                char term,
+                char* p_readbuf,
+                unsigned int maxlen,
+                str_netfd_read_t p_peekfunc,
+                str_netfd_read_t p_readfunc)
+{
+  int retval;
+  unsigned int bytes_read;
+  unsigned int i;
+  char* p_readpos = p_readbuf;
+  unsigned int left = maxlen;
+  str_empty(p_str);
+  while (1)
+  {
+    if (p_readpos + left != p_readbuf + maxlen)
+    {
+      bug("poor buffer accounting in str_netfd_alloc");
+    }
+    /* Did we hit the max? */
+    if (left == 0)
+    {
+      return -1;
+    }
+    retval = (*p_peekfunc)(p_sess, p_readpos, left);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      die("vsf_sysutil_recv_peek");
+    }
+    else if (retval == 0)
+    {
+      return 0;
+    }
+    bytes_read = (unsigned int) retval;
+    /* Search for the terminator */
+    for (i=0; i < bytes_read; i++)
+    {
+      if (p_readpos[i] == term)
+      {
+        /* Got it! */
+        i++;
+        retval = (*p_readfunc)(p_sess, p_readpos, i);
+        if (vsf_sysutil_retval_is_error(retval) ||
+            (unsigned int) retval != i)
+        {
+          die("vsf_sysutil_read_loop");
+        }
+        if (p_readpos[i - 1] != term)
+        {
+          die("missing terminator in str_netfd_alloc");
+        }
+        str_alloc_alt_term(p_str, p_readbuf, term);
+        return (int) i;
+      }
+    }
+    /* Not found in this read chunk, so consume the data and re-loop */
+    if (bytes_read > left)
+    {
+      bug("bytes_read > left in str_netfd_alloc");
+    }
+    left -= bytes_read;
+    retval = (*p_readfunc)(p_sess, p_readpos, bytes_read);
+    if (vsf_sysutil_retval_is_error(retval) ||
+        (unsigned int) retval != bytes_read)
+    {
+      die("vsf_sysutil_read_loop");
+    }
+    p_readpos += bytes_read;
+  } /* END: while(1) */
+}
+
+int
+str_netfd_write(const struct mystr* p_str, int fd)
+{
+  int ret = 0;
+  int retval;
+  unsigned int str_len = str_getlen(p_str);
+  if (str_len == 0)
+  {
+    bug("zero str_len in str_netfd_write");
+  }
+  retval = str_write_loop(p_str, fd);
+  if (vsf_sysutil_retval_is_error(retval) || (unsigned int) retval != str_len)
+  {
+    ret = -1;
+  }
+  return ret;
+}
+
+int
+str_netfd_read(struct mystr* p_str, int fd, unsigned int len)
+{
+  int retval;
+  str_reserve(p_str, len);
+  str_trunc(p_str, len);
+  retval = str_read_loop(p_str, fd);
+  if (vsf_sysutil_retval_is_error(retval) || (unsigned int) retval != len)
+  {
+    return -1;
+  }
+  return retval;
+}
+

netstr.h

@@ -0,0 +1,70 @@
+#ifndef VSFTP_NETSTR_H
+#define VSFTP_NETSTR_H
+
+struct mystr;
+struct vsf_session;
+
+typedef int (*str_netfd_read_t)(struct vsf_session*
+                                p_sess, char*,
+                                unsigned int);
+
+/* str_netfd_alloc()
+ * PURPOSE
+ * Read a string from a network socket into a string buffer object. The string
+ * is delimited by a specified string terminator character.
+ * If any network related errors occur trying to read the string, this call
+ * will exit the program.
+ * This method avoids reading one character at a time from the network.
+ * PARAMETERS
+ * p_sess       - the session object, used for passing into the I/O callbacks
+ * p_str        - the destination string object
+ * term         - the character which will terminate the string. This character
+ *                is included in the returned string.
+ * p_readbuf    - pointer to a scratch buffer into which to read from the
+ *                network. This buffer must be at least "maxlen" characters!
+ * maxlen       - maximum length of string to return. If this limit is passed,
+ *                an empty string will be returned.
+ * p_peekfunc   - a function called to peek data from the network
+ * p_readfunc   - a function called to read data from the network
+ * RETURNS
+ * -1 upon reaching max buffer length without seeing terminator, or the number
+ * of bytes read, _including_ the terminator. 0 for an EOF on the socket.
+ * Does not return (exits) for a serious socket error.
+ */
+int str_netfd_alloc(struct vsf_session* p_sess,
+                    struct mystr* p_str,
+                    char term,
+                    char* p_readbuf,
+                    unsigned int maxlen,
+                    str_netfd_read_t p_peekfunc,
+                    str_netfd_read_t p_readfunc);
+
+/* str_netfd_read()
+ * PURPOSE
+ * Fills contents of a string buffer object from a (typically network) file
+ * descriptor.
+ * PARAMETERS
+ * p_str        - the string object to be filled
+ * fd           - the file descriptor to read from
+ * len          - the number of bytes to read
+ * RETURNS
+ * Number read on success, -1 on failure. The read is considered a failure
+ * unless the full requested byte count is read.
+ */
+int str_netfd_read(struct mystr* p_str, int fd, unsigned int len);
+
+/* str_netfd_write()
+ * PURPOSE
+ * Write the contents of a string buffer object out to a (typically network)
+ * file descriptor.
+ * PARAMETERS
+ * p_str        - the string object to send
+ * fd           - the file descriptor to write to
+ * RETURNS
+ * Number written on success, -1 on failure. The write is considered a failure
+ * unless the full string buffer object is written.
+ */
+int str_netfd_write(const struct mystr* p_str, int fd);
+
+#endif /* VSFTP_NETSTR_H */
+

oneprocess.c

@@ -0,0 +1,175 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * oneprocess.c
+ *
+ * Code for the "one process" security model. The one process security model
+ * is born for the purposes of raw speed at the expense of compromising the
+ * purity of the security model.
+ * The one process model will typically be disabled, for security reasons.
+ * Only sites with huge numbers of concurrent users are likely to feel the
+ * pain of two processes per session.
+ */
+
+#include "prelogin.h"
+#include "postlogin.h"
+#include "privops.h"
+#include "session.h"
+#include "secutil.h"
+#include "str.h"
+#include "tunables.h"
+#include "utility.h"
+#include "sysstr.h"
+#include "sysdeputil.h"
+#include "sysutil.h"
+#include "ptracesandbox.h"
+#include "ftppolicy.h"
+#include "seccompsandbox.h"
+
+static void one_process_start(void* p_arg);
+
+void
+vsf_one_process_start(struct vsf_session* p_sess)
+{
+  if (tunable_ptrace_sandbox)
+  {
+    struct pt_sandbox* p_sandbox = ptrace_sandbox_alloc();
+    if (p_sandbox == 0)
+    {
+      die("could not allocate sandbox (only works for 32-bit builds)");
+    }
+    policy_setup(p_sandbox, p_sess);
+    if (ptrace_sandbox_launch_process(p_sandbox,
+                                      one_process_start,
+                                      (void*) p_sess) <= 0)
+    {
+      die("could not launch sandboxed child");
+    }
+    /* TODO - could drop privs here. For now, run as root as the attack surface
+     * is negligible, and running as root permits us to correctly deliver the
+     * parent death signal upon unexpected crash.
+     */
+    (void) ptrace_sandbox_run_processes(p_sandbox);
+    ptrace_sandbox_free(p_sandbox);
+    vsf_sysutil_exit(0);
+  }
+  else
+  {
+    one_process_start((void*) p_sess);
+  }
+}
+
+static void
+one_process_start(void* p_arg)
+{
+  struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+  unsigned int caps = 0;
+  if (tunable_chown_uploads)
+  {
+    caps |= kCapabilityCAP_CHOWN;
+  }
+  if (tunable_connect_from_port_20)
+  {
+    caps |= kCapabilityCAP_NET_BIND_SERVICE;
+  }
+  {
+    struct mystr user_name = INIT_MYSTR;
+    struct mystr chdir_str = INIT_MYSTR;
+    if (tunable_ftp_username)
+    {
+      str_alloc_text(&user_name, tunable_ftp_username);
+    }
+    if (tunable_anon_root)
+    {
+      str_alloc_text(&chdir_str, tunable_anon_root);
+    }
+    if (tunable_run_as_launching_user)
+    {
+      if (!str_isempty(&chdir_str))
+      {
+        str_chdir(&chdir_str);
+      }
+    }
+    else
+    {
+      vsf_secutil_change_credentials(&user_name, 0, &chdir_str, caps,
+          VSF_SECUTIL_OPTION_CHROOT |
+          VSF_SECUTIL_OPTION_USE_GROUPS |
+          VSF_SECUTIL_OPTION_NO_PROCS);
+    }
+    str_free(&user_name);
+    str_free(&chdir_str);
+  }
+  if (tunable_ptrace_sandbox)
+  {
+    ptrace_sandbox_attach_point();
+  }
+  seccomp_sandbox_init();
+  seccomp_sandbox_setup_postlogin(p_sess);
+  seccomp_sandbox_lockdown();
+  init_connection(p_sess);
+}
+
+void
+vsf_one_process_login(struct vsf_session* p_sess,
+                      const struct mystr* p_pass_str)
+{
+  enum EVSFPrivopLoginResult login_result =
+    vsf_privop_do_login(p_sess, p_pass_str);
+  switch (login_result)
+  {
+    case kVSFLoginFail:
+      return;
+      break;
+    case kVSFLoginAnon:
+      p_sess->is_anonymous = 1;
+      process_post_login(p_sess);
+      break;
+    case kVSFLoginNull:
+      /* Fall through. */
+    case kVSFLoginReal:
+      /* Fall through. */
+    default:
+      bug("bad state in vsf_one_process_login");
+      break;
+  }
+}
+
+int
+vsf_one_process_get_priv_data_sock(struct vsf_session* p_sess)
+{
+  unsigned short port = vsf_sysutil_sockaddr_get_port(p_sess->p_port_sockaddr);
+  return vsf_privop_get_ftp_port_sock(p_sess, port, 1);
+}
+
+void
+vsf_one_process_pasv_cleanup(struct vsf_session* p_sess)
+{
+  vsf_privop_pasv_cleanup(p_sess);
+}
+
+int
+vsf_one_process_pasv_active(struct vsf_session* p_sess)
+{
+  return vsf_privop_pasv_active(p_sess);
+}
+
+unsigned short
+vsf_one_process_listen(struct vsf_session* p_sess)
+{
+  return vsf_privop_pasv_listen(p_sess);
+}
+
+int
+vsf_one_process_get_pasv_fd(struct vsf_session* p_sess)
+{
+  return vsf_privop_accept_pasv(p_sess);
+}
+
+void
+vsf_one_process_chown_upload(struct vsf_session* p_sess, int fd)
+{
+  vsf_privop_do_file_chown(p_sess, fd);
+}
+

oneprocess.h

@@ -0,0 +1,85 @@
+#ifndef VSF_ONEPROCESS_H
+#define VSF_ONEPROCESS_H
+
+struct mystr;
+struct vsf_session;
+
+/* vsf_one_process_start()
+ * PURPOSE
+ * Called to start FTP login processing using the one process model. Before
+ * processing starts, all possible privileges are dropped.
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void vsf_one_process_start(struct vsf_session* p_sess);
+
+/* vsf_one_process_login()
+ * PURPOSE
+ * Called to propose a login using the one process model. Only anonymous
+ * logins supported!
+ * PARAMETERS
+ * p_sess       - the current session object
+ * p_pass_str   - the proposed password
+ */
+void vsf_one_process_login(struct vsf_session* p_sess,
+                           const struct mystr* p_pass_str);
+
+/* vsf_one_process_get_priv_data_sock()
+ * PURPOSE
+ * Get a privileged port 20 bound data socket using the one process model.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * RETURNS
+ * The file descriptor of the privileged socket
+ */
+int vsf_one_process_get_priv_data_sock(struct vsf_session* p_sess);
+
+/* vsf_one_process_pasv_cleanup()
+ * PURPOSE
+ * Clean up any listening passive socket.
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void vsf_one_process_pasv_cleanup(struct vsf_session* p_sess);
+
+/* vsf_one_process_pasv_active()
+ * PURPOSE
+ * Determine whether a listening pasv socket is active.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * RETURNS
+ * 1 if active, 0 if not.
+ */
+int vsf_one_process_pasv_active(struct vsf_session* p_sess);
+
+/* vsf_one_process_listen()
+ * PURPOSE
+ * Start listening for an incoming connection.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * RETURNS
+ * The port we listened on.
+ */
+unsigned short vsf_one_process_listen(struct vsf_session* p_sess);
+
+/* vsf_one_process_get_pasv_fd()
+ * PURPOSE
+ * Accept an incoming connection.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * RETURNS
+ * The file descriptor for the incoming connection.
+ */
+int vsf_one_process_get_pasv_fd(struct vsf_session* p_sess);
+
+/* vsf_one_process_chown_upload()
+ * PURPOSE
+ * Change ownership of an uploaded file using the one process model.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * fd           - the file descriptor to change ownership on
+ */
+void vsf_one_process_chown_upload(struct vsf_session* p_sess, int fd);
+
+#endif /* VSF_ONEPROCESS_H */
+

opts.c

@@ -0,0 +1,27 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * opts.c
+ *
+ * Routines to handle OPTS.
+ */
+
+#include "ftpcodes.h"
+#include "ftpcmdio.h"
+#include "session.h"
+
+void
+handle_opts(struct vsf_session* p_sess)
+{
+  str_upper(&p_sess->ftp_arg_str);
+  if (str_equal_text(&p_sess->ftp_arg_str, "UTF8 ON"))
+  {
+    vsf_cmdio_write(p_sess, FTP_OPTSOK, "Always in UTF8 mode.");
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_BADOPTS, "Option not understood.");
+  }
+}
+

opts.h

@@ -0,0 +1,9 @@
+#ifndef VSF_OPTS_H
+#define VSF_OPTS_H
+
+struct vsf_session;
+
+void handle_opts(struct vsf_session* p_sess);
+
+#endif /* VSF_OPTS_H */
+

parseconf.c

@@ -0,0 +1,359 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * parseconf.c
+ *
+ * Routines and support to load in a file full of tunable variables and
+ * settings, populating corresponding runtime variables.
+ */
+
+#include "parseconf.h"
+#include "tunables.h"
+#include "str.h"
+#include "filestr.h"
+#include "defs.h"
+#include "sysutil.h"
+#include "utility.h"
+
+static const char* s_p_saved_filename;
+
+/* Tables mapping setting names to runtime variables */
+/* Boolean settings */
+static struct parseconf_bool_setting
+{
+  const char* p_setting_name;
+  int* p_variable;
+}
+parseconf_bool_array[] =
+{
+  { "anonymous_enable", &tunable_anonymous_enable },
+  { "local_enable", &tunable_local_enable },
+  { "pasv_enable", &tunable_pasv_enable },
+  { "port_enable", &tunable_port_enable },
+  { "chroot_local_user", &tunable_chroot_local_user },
+  { "write_enable", &tunable_write_enable },
+  { "anon_upload_enable", &tunable_anon_upload_enable },
+  { "anon_mkdir_write_enable", &tunable_anon_mkdir_write_enable },
+  { "anon_other_write_enable", &tunable_anon_other_write_enable },
+  { "chown_uploads", &tunable_chown_uploads },
+  { "connect_from_port_20", &tunable_connect_from_port_20 },
+  { "xferlog_enable", &tunable_xferlog_enable },
+  { "dirmessage_enable", &tunable_dirmessage_enable },
+  { "anon_world_readable_only", &tunable_anon_world_readable_only },
+  { "async_abor_enable", &tunable_async_abor_enable },
+  { "ascii_upload_enable", &tunable_ascii_upload_enable },
+  { "ascii_download_enable", &tunable_ascii_download_enable },
+  { "one_process_model", &tunable_one_process_model },
+  { "xferlog_std_format", &tunable_xferlog_std_format },
+  { "pasv_promiscuous", &tunable_pasv_promiscuous },
+  { "deny_email_enable", &tunable_deny_email_enable },
+  { "chroot_list_enable", &tunable_chroot_list_enable },
+  { "setproctitle_enable", &tunable_setproctitle_enable },
+  { "text_userdb_names", &tunable_text_userdb_names },
+  { "ls_recurse_enable", &tunable_ls_recurse_enable },
+  { "log_ftp_protocol", &tunable_log_ftp_protocol },
+  { "guest_enable", &tunable_guest_enable },
+  { "userlist_enable", &tunable_userlist_enable },
+  { "userlist_deny", &tunable_userlist_deny },
+  { "use_localtime", &tunable_use_localtime },
+  { "check_shell", &tunable_check_shell },
+  { "hide_ids", &tunable_hide_ids },
+  { "listen", &tunable_listen },
+  { "port_promiscuous", &tunable_port_promiscuous },
+  { "passwd_chroot_enable", &tunable_passwd_chroot_enable },
+  { "no_anon_password", &tunable_no_anon_password },
+  { "tcp_wrappers", &tunable_tcp_wrappers },
+  { "use_sendfile", &tunable_use_sendfile },
+  { "force_dot_files", &tunable_force_dot_files },
+  { "listen_ipv6", &tunable_listen_ipv6 },
+  { "dual_log_enable", &tunable_dual_log_enable },
+  { "syslog_enable", &tunable_syslog_enable },
+  { "background", &tunable_background },
+  { "virtual_use_local_privs", &tunable_virtual_use_local_privs },
+  { "session_support", &tunable_session_support },
+  { "download_enable", &tunable_download_enable },
+  { "dirlist_enable", &tunable_dirlist_enable },
+  { "chmod_enable", &tunable_chmod_enable },
+  { "secure_email_list_enable", &tunable_secure_email_list_enable },
+  { "run_as_launching_user", &tunable_run_as_launching_user },
+  { "no_log_lock", &tunable_no_log_lock },
+  { "ssl_enable", &tunable_ssl_enable },
+  { "allow_anon_ssl", &tunable_allow_anon_ssl },
+  { "force_local_logins_ssl", &tunable_force_local_logins_ssl },
+  { "force_local_data_ssl", &tunable_force_local_data_ssl },
+  { "ssl_sslv2", &tunable_sslv2 },
+  { "ssl_sslv3", &tunable_sslv3 },
+  { "ssl_tlsv1", &tunable_tlsv1 },
+  { "tilde_user_enable", &tunable_tilde_user_enable },
+  { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+  { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
+  { "mdtm_write", &tunable_mdtm_write },
+  { "lock_upload_files", &tunable_lock_upload_files },
+  { "pasv_addr_resolve", &tunable_pasv_addr_resolve },
+  { "debug_ssl", &tunable_debug_ssl },
+  { "require_cert", &tunable_require_cert },
+  { "validate_cert", &tunable_validate_cert },
+  { "strict_ssl_read_eof", &tunable_strict_ssl_read_eof },
+  { "strict_ssl_write_shutdown", &tunable_strict_ssl_write_shutdown },
+  { "ssl_request_cert", &tunable_ssl_request_cert },
+  { "delete_failed_uploads", &tunable_delete_failed_uploads },
+  { "implicit_ssl", &tunable_implicit_ssl },
+  { "ptrace_sandbox", &tunable_ptrace_sandbox },
+  { "require_ssl_reuse", &tunable_require_ssl_reuse },
+  { "isolate", &tunable_isolate },
+  { "isolate_network", &tunable_isolate_network },
+  { "ftp_enable", &tunable_ftp_enable },
+  { "http_enable", &tunable_http_enable },
+  { "seccomp_sandbox", &tunable_seccomp_sandbox },
+  { "allow_writeable_chroot", &tunable_allow_writeable_chroot },
+  { 0, 0 }
+};
+
+static struct parseconf_uint_setting
+{
+  const char* p_setting_name;
+  unsigned int* p_variable;
+}
+parseconf_uint_array[] =
+{
+  { "accept_timeout", &tunable_accept_timeout },
+  { "connect_timeout", &tunable_connect_timeout },
+  { "local_umask", &tunable_local_umask },
+  { "anon_umask", &tunable_anon_umask },
+  { "ftp_data_port", &tunable_ftp_data_port },
+  { "idle_session_timeout", &tunable_idle_session_timeout },
+  { "data_connection_timeout", &tunable_data_connection_timeout },
+  { "pasv_min_port", &tunable_pasv_min_port },
+  { "pasv_max_port", &tunable_pasv_max_port },
+  { "anon_max_rate", &tunable_anon_max_rate },
+  { "local_max_rate", &tunable_local_max_rate },
+  { "listen_port", &tunable_listen_port },
+  { "max_clients", &tunable_max_clients },
+  { "file_open_mode", &tunable_file_open_mode },
+  { "max_per_ip", &tunable_max_per_ip },
+  { "trans_chunk_size", &tunable_trans_chunk_size },
+  { "delay_failed_login", &tunable_delay_failed_login },
+  { "delay_successful_login", &tunable_delay_successful_login },
+  { "max_login_fails", &tunable_max_login_fails },
+  { "chown_upload_mode", &tunable_chown_upload_mode },
+  { 0, 0 }
+};
+
+static struct parseconf_str_setting
+{
+  const char* p_setting_name;
+  const char** p_variable;
+}
+parseconf_str_array[] =
+{
+  { "secure_chroot_dir", &tunable_secure_chroot_dir },
+  { "ftp_username", &tunable_ftp_username },
+  { "chown_username", &tunable_chown_username },
+  { "xferlog_file", &tunable_xferlog_file },
+  { "vsftpd_log_file", &tunable_vsftpd_log_file },
+  { "message_file", &tunable_message_file },
+  { "nopriv_user", &tunable_nopriv_user },
+  { "ftpz_banner", &tunable_ftpd_banner },
+  { "banned_email_file", &tunable_banned_email_file },
+  { "chroot_list_file", &tunable_chroot_list_file },
+  { "pam_service_name", &tunable_pam_service_name },
+  { "guest_username", &tunable_guest_username },
+  { "userlist_file", &tunable_userlist_file },
+  { "anon_root", &tunable_anon_root },
+  { "local_root", &tunable_local_root },
+  { "banner_file", &tunable_banner_file },
+  { "pasv_address", &tunable_pasv_address },
+  { "listen_address", &tunable_listen_address },
+  { "user_config_dir", &tunable_user_config_dir },
+  { "listen_address6", &tunable_listen_address6 },
+  { "cmds_allowed", &tunable_cmds_allowed },
+  { "hide_file", &tunable_hide_file },
+  { "deny_file", &tunable_deny_file },
+  { "user_sub_token", &tunable_user_sub_token },
+  { "email_password_file", &tunable_email_password_file },
+  { "rsa_cert_file", &tunable_rsa_cert_file },
+  { "dsa_cert_file", &tunable_dsa_cert_file },
+  { "ssl_ciphers", &tunable_ssl_ciphers },
+  { "rsa_private_key_file", &tunable_rsa_private_key_file },
+  { "dsa_private_key_file", &tunable_dsa_private_key_file },
+  { "ca_certs_file", &tunable_ca_certs_file },
+  { "cmds_denied", &tunable_cmds_denied },
+  { 0, 0 }
+};
+
+void
+vsf_parseconf_load_file(const char* p_filename, int errs_fatal)
+{
+  struct mystr config_file_str = INIT_MYSTR;
+  struct mystr config_setting_str = INIT_MYSTR;
+  struct mystr config_value_str = INIT_MYSTR;
+  unsigned int str_pos = 0;
+  int retval;
+  if (!p_filename)
+  {
+    p_filename = s_p_saved_filename;
+  }
+  else
+  {
+    if (s_p_saved_filename)
+    {
+      vsf_sysutil_free((char*)s_p_saved_filename);
+    }
+    s_p_saved_filename = vsf_sysutil_strdup(p_filename);
+  }
+  if (!p_filename)
+  {
+    bug("null filename in vsf_parseconf_load_file");
+  }
+  retval = str_fileread(&config_file_str, p_filename, VSFTP_CONF_FILE_MAX);
+  if (vsf_sysutil_retval_is_error(retval))
+  {
+    if (errs_fatal)
+    {
+      die2("cannot read config file: ", p_filename);
+    }
+    else
+    {
+      str_free(&config_file_str);
+      return;
+    }
+  }
+  {
+    struct vsf_sysutil_statbuf* p_statbuf = 0;
+    retval = vsf_sysutil_stat(p_filename, &p_statbuf);
+    /* Security: check current user owns the config file. These are sanity
+     * checks for the admin, and are NOT designed to be checks safe from
+     * race conditions.
+     */
+    if (vsf_sysutil_retval_is_error(retval) ||
+        vsf_sysutil_statbuf_get_uid(p_statbuf) != vsf_sysutil_getuid() ||
+        !vsf_sysutil_statbuf_is_regfile(p_statbuf))
+    {
+      die("config file not owned by correct user, or not a file");
+    }
+    vsf_sysutil_free(p_statbuf);
+  }
+  while (str_getline(&config_file_str, &config_setting_str, &str_pos))
+  {
+    if (str_isempty(&config_setting_str) ||
+        str_get_char_at(&config_setting_str, 0) == '#' ||
+        str_all_space(&config_setting_str))
+    {
+      continue;
+    }
+    vsf_parseconf_load_setting(str_getbuf(&config_setting_str), errs_fatal);
+  }
+  str_free(&config_file_str);
+  str_free(&config_setting_str);
+  str_free(&config_value_str);
+}
+
+void
+vsf_parseconf_load_setting(const char* p_setting, int errs_fatal)
+{
+  static struct mystr s_setting_str;
+  static struct mystr s_value_str;
+  while (vsf_sysutil_isspace(*p_setting))
+  {
+    p_setting++;
+  }
+  str_alloc_text(&s_setting_str, p_setting);
+  str_split_char(&s_setting_str, &s_value_str, '=');
+  /* Is it a string setting? */
+  {
+    const struct parseconf_str_setting* p_str_setting = parseconf_str_array;
+    while (p_str_setting->p_setting_name != 0)
+    {
+      if (str_equal_text(&s_setting_str, p_str_setting->p_setting_name))
+      {
+        /* Got it */
+        const char** p_curr_setting = p_str_setting->p_variable;
+        if (*p_curr_setting)
+        {
+          vsf_sysutil_free((char*) *p_curr_setting);
+        }
+        if (str_isempty(&s_value_str))
+        {
+          *p_curr_setting = 0;
+        }
+        else
+        {
+          *p_curr_setting = str_strdup(&s_value_str);
+        }
+        return;
+      }
+      p_str_setting++;
+    }
+  }
+  if (str_isempty(&s_value_str))
+  {
+    if (errs_fatal)
+    {
+      die2("missing value in config file for: ", str_getbuf(&s_setting_str));
+    }
+    else
+    {
+      return;
+    }
+  }
+  /* Is it a boolean value? */
+  {
+    const struct parseconf_bool_setting* p_bool_setting = parseconf_bool_array;
+    while (p_bool_setting->p_setting_name != 0)
+    {
+      if (str_equal_text(&s_setting_str, p_bool_setting->p_setting_name))
+      {
+        /* Got it */
+        str_upper(&s_value_str);
+        if (str_equal_text(&s_value_str, "YES") ||
+            str_equal_text(&s_value_str, "TRUE") ||
+            str_equal_text(&s_value_str, "1"))
+        {
+          *(p_bool_setting->p_variable) = 1;
+        }
+        else if (str_equal_text(&s_value_str, "NO") ||
+                 str_equal_text(&s_value_str, "FALSE") ||
+                 str_equal_text(&s_value_str, "0"))
+        {
+          *(p_bool_setting->p_variable) = 0;
+        }
+        else if (errs_fatal)
+        {
+          die2("bad bool value in config file for: ",
+               str_getbuf(&s_setting_str));
+        }
+        return;
+      }
+      p_bool_setting++;
+    }
+  }
+  /* Is it an unsigned integer setting? */
+  {
+    const struct parseconf_uint_setting* p_uint_setting = parseconf_uint_array;
+    while (p_uint_setting->p_setting_name != 0)
+    {
+      if (str_equal_text(&s_setting_str, p_uint_setting->p_setting_name))
+      {
+        /* Got it */
+        /* If the value starts with 0, assume it's an octal value */
+        if (!str_isempty(&s_value_str) &&
+            str_get_char_at(&s_value_str, 0) == '0')
+        {
+          *(p_uint_setting->p_variable) = str_octal_to_uint(&s_value_str);
+        }
+        else
+        {
+          /* TODO: we could reject negatives instead of converting them? */
+          *(p_uint_setting->p_variable) = (unsigned int) str_atoi(&s_value_str);
+        }
+        return;
+      }
+      p_uint_setting++;
+    }
+  }
+  if (errs_fatal)
+  {
+    die2("unrecognised variable in config file: ", str_getbuf(&s_setting_str));
+  }
+}

parseconf.h

@@ -0,0 +1,31 @@
+#ifndef VSF_PARSECONF_H
+#define VSF_PARSECONF_H
+
+/* vsf_parseconf_load_file()
+ * PURPOSE
+ * Parse the given file as a vsftpd config file. If the file cannot be
+ * opened for whatever reason, a fatal error is raised. If the file contains
+ * any syntax errors, a fatal error is raised.
+ * If the call returns (no fatal error raised), then the config file was
+ * parsed and the global config settings will have been updated.
+ * PARAMETERS
+ * p_filename     - the name of the config file to parse
+ * errs_fatal     - errors will cause the calling process to exit if not 0
+ * NOTES
+ * If p_filename is NULL, then the last filename passed to this function is
+ * used to reload the configuration details.
+ */
+void vsf_parseconf_load_file(const char* p_filename, int errs_fatal);
+
+/* vsf_parseconf_parse_setting()
+ * PURPOSE
+ * Handle a given name=value setting and apply it. Any whitespace at the
+ * beginning is skipped.
+ * PARAMETERS
+ * p_settings    - the name=value pair to apply
+ * errs_fatal    - errors will cause the calling process to exit if not 0
+ */
+void vsf_parseconf_load_setting(const char* p_setting, int errs_fatal);
+
+#endif /* VSF_PARSECONF_H */
+

port/aix_bogons.h

@@ -0,0 +1,8 @@
+#ifndef VSF_AIX_BOGONS_H
+#define VSF_AIX_BOGONS_H
+
+/* Need dirfd() */
+#include "dirfd_extras.h"
+
+#endif /* VSF_AIX_BOGONS_H */
+

port/cmsg_extras.h

@@ -0,0 +1,23 @@
+#ifndef VSF_CMSG_EXTRAS_H
+#define VSF_CMSG_EXTRAS_H
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+/* These are from Linux glibc-2.2 */
+#ifndef CMSG_ALIGN
+#define CMSG_ALIGN(len) (((len) + sizeof (size_t) - 1) \
+               & ~(sizeof (size_t) - 1))
+#endif
+
+#ifndef CMSG_SPACE
+#define CMSG_SPACE(len) (CMSG_ALIGN (len) \
+               + CMSG_ALIGN (sizeof (struct cmsghdr)))
+#endif
+
+#ifndef CMSG_LEN
+#define CMSG_LEN(len)   (CMSG_ALIGN (sizeof (struct cmsghdr)) + (len))
+#endif
+
+#endif /* VSF_CMSG_EXTRAS_H */
+

port/dirfd_extras.h

@@ -0,0 +1,7 @@
+#ifndef VSF_DIRFD_EXTRAS_H
+#define VSF_DIRFD_EXTRAS_H
+
+#define dirfd(x) ((x)->dd_fd)
+
+#endif /* VSF_DIRFD_EXTRAS_H */
+

port/hpux_bogons.h

@@ -0,0 +1,23 @@
+#ifndef VSF_HPUX_BOGONS_H
+#define VSF_HPUX_BOGONS_H
+
+#include <sys/mman.h>
+/* HP-UX has MAP_ANONYMOUS but not MAP_ANON - I'm not sure which is more
+ * standard!
+ */
+#ifdef MAP_ANONYMOUS
+  #ifndef MAP_ANON
+    #define MAP_ANON MAP_ANONYMOUS
+  #endif
+#endif
+
+/* Ancient versions of HP-UX don't have MAP_FAILED */
+#ifndef MAP_FAILED
+  #define MAP_FAILED (void *) -1L
+#endif
+
+/* Need dirfd() */
+#include "dirfd_extras.h"
+
+#endif /* VSF_HPUX_BOGONS_H */
+

port/irix_bogons.h

@@ -0,0 +1,8 @@
+#ifndef VSF_IRIX_BOGONS_H
+#define VSF_IRIX_BOGONS_H
+
+/* Need dirfd() */
+#include "dirfd_extras.h"
+
+#endif /* VSF_IRIX_BOGONS_H */
+

port/porting_junk.h

@@ -0,0 +1,30 @@
+#ifndef VSF_PORTINGJUNK_H
+#define VSF_PORTINGJUNK_H
+
+#ifdef __sun
+#include "solaris_bogons.h"
+#endif
+
+#ifdef __sgi
+#include "irix_bogons.h"
+#endif
+
+#ifdef __hpux
+#include "hpux_bogons.h"
+#endif
+
+#ifdef _AIX
+#include "aix_bogons.h"
+#endif
+
+#ifdef __osf__
+#include "tru64_bogons.h"
+#endif
+
+/* So many older systems lack these, that it's too much hassle to list all
+ * the errant systems
+ */
+#include "cmsg_extras.h"
+
+#endif /* VSF_PORTINGJUNK_H */
+

port/solaris_bogons.h

@@ -0,0 +1,19 @@
+#ifndef VSF_SOLARIS_BOGONS_H
+#define VSF_SOLARIS_BOGONS_H
+
+/* This bogon ensures we get access to CMSG_DATA, CMSG_FIRSTHDR */
+#define _XPG4_2
+
+/* This bogon prevents _XPG4_2 breaking the include of signal.h! */
+#define __EXTENSIONS__
+
+/* Safe to always enable 64-bit file support. */
+#define _FILE_OFFSET_BITS 64
+#define _LARGEFILE_SOURCE 1
+#define _LARGEFILE64_SOURCE 1
+
+/* Need dirfd() */
+#include "dirfd_extras.h"
+
+#endif /* VSF_SOLARIS_BOGONS_H */
+

port/tru64_bogons.h

@@ -0,0 +1,8 @@
+#ifndef VSF_TRU64_BOGONS_H
+#define VSF_TRU64_BOGONS_H
+
+/* Need dirfd() */
+#include "dirfd_extras.h"
+
+#endif /* VSF_TRU64_BOGONS_H */
+

postlogin.c

@@ -0,0 +1,2019 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * postlogin.c
+ */
+
+#include "postlogin.h"
+#include "session.h"
+#include "oneprocess.h"
+#include "twoprocess.h"
+#include "ftpcodes.h"
+#include "ftpcmdio.h"
+#include "ftpdataio.h"
+#include "utility.h"
+#include "tunables.h"
+#include "defs.h"
+#include "str.h"
+#include "sysstr.h"
+#include "banner.h"
+#include "sysutil.h"
+#include "logging.h"
+#include "sysdeputil.h"
+#include "ipaddrparse.h"
+#include "access.h"
+#include "features.h"
+#include "ssl.h"
+#include "vsftpver.h"
+#include "opts.h"
+
+/* Private local functions */
+static void handle_pwd(struct vsf_session* p_sess);
+static void handle_cwd(struct vsf_session* p_sess);
+static void handle_pasv(struct vsf_session* p_sess, int is_epsv);
+static void handle_retr(struct vsf_session* p_sess, int is_http);
+static void handle_cdup(struct vsf_session* p_sess);
+static void handle_list(struct vsf_session* p_sess);
+static void handle_type(struct vsf_session* p_sess);
+static void handle_port(struct vsf_session* p_sess);
+static void handle_stor(struct vsf_session* p_sess);
+static void handle_mkd(struct vsf_session* p_sess);
+static void handle_rmd(struct vsf_session* p_sess);
+static void handle_dele(struct vsf_session* p_sess);
+static void handle_rest(struct vsf_session* p_sess);
+static void handle_rnfr(struct vsf_session* p_sess);
+static void handle_rnto(struct vsf_session* p_sess);
+static void handle_nlst(struct vsf_session* p_sess);
+static void handle_size(struct vsf_session* p_sess);
+static void handle_site(struct vsf_session* p_sess);
+static void handle_appe(struct vsf_session* p_sess);
+static void handle_mdtm(struct vsf_session* p_sess);
+static void handle_site_chmod(struct vsf_session* p_sess,
+                              struct mystr* p_arg_str);
+static void handle_site_umask(struct vsf_session* p_sess,
+                              struct mystr* p_arg_str);
+static void handle_eprt(struct vsf_session* p_sess);
+static void handle_help(struct vsf_session* p_sess);
+static void handle_stou(struct vsf_session* p_sess);
+static void handle_stat(struct vsf_session* p_sess);
+static void handle_stat_file(struct vsf_session* p_sess);
+static void handle_logged_in_user(struct vsf_session* p_sess);
+static void handle_logged_in_pass(struct vsf_session* p_sess);
+static void handle_http(struct vsf_session* p_sess);
+
+static int pasv_active(struct vsf_session* p_sess);
+static int port_active(struct vsf_session* p_sess);
+static void pasv_cleanup(struct vsf_session* p_sess);
+static void port_cleanup(struct vsf_session* p_sess);
+static void handle_dir_common(struct vsf_session* p_sess, int full_details,
+                              int stat_cmd);
+static void prepend_path_to_filename(struct mystr* p_str);
+static int get_remote_transfer_fd(struct vsf_session* p_sess,
+                                  const char* p_status_msg);
+static void check_abor(struct vsf_session* p_sess);
+static void handle_sigurg(void* p_private);
+static void handle_upload_common(struct vsf_session* p_sess, int is_append,
+                                 int is_unique);
+static void get_unique_filename(struct mystr* p_outstr,
+                                const struct mystr* p_base);
+static int data_transfer_checks_ok(struct vsf_session* p_sess);
+static void resolve_tilde(struct mystr* p_str, struct vsf_session* p_sess);
+
+void
+process_post_login(struct vsf_session* p_sess)
+{
+  str_getcwd(&p_sess->home_str);
+  if (p_sess->is_anonymous)
+  {
+    vsf_sysutil_set_umask(tunable_anon_umask);
+    p_sess->bw_rate_max = tunable_anon_max_rate;
+  }
+  else
+  {
+    vsf_sysutil_set_umask(tunable_local_umask);
+    p_sess->bw_rate_max = tunable_local_max_rate;
+  }
+  if (p_sess->is_http)
+  {
+    handle_http(p_sess);
+    bug("should not be reached");
+  }
+
+  /* Don't support async ABOR if we have an SSL channel. The spec says SHOULD
+   * NOT, and I think there are synchronization issues between command and
+   * data reads.
+   */
+  if (tunable_async_abor_enable && !p_sess->control_use_ssl)
+  {
+    vsf_sysutil_install_sighandler(kVSFSysUtilSigURG, handle_sigurg, p_sess, 0);
+    vsf_sysutil_activate_sigurg(VSFTP_COMMAND_FD);
+  }
+  /* Handle any login message */
+  vsf_banner_dir_changed(p_sess, FTP_LOGINOK);
+  vsf_cmdio_write(p_sess, FTP_LOGINOK, "Login successful.");
+
+  while(1)
+  {
+    int cmd_ok = 1;
+    if (tunable_setproctitle_enable)
+    {
+      vsf_sysutil_setproctitle("IDLE");
+    }
+    /* Blocks */
+    vsf_cmdio_get_cmd_and_arg(p_sess, &p_sess->ftp_cmd_str,
+                              &p_sess->ftp_arg_str, 1);
+    if (tunable_setproctitle_enable)
+    {
+      struct mystr proctitle_str = INIT_MYSTR;
+      str_copy(&proctitle_str, &p_sess->ftp_cmd_str);
+      if (!str_isempty(&p_sess->ftp_arg_str))
+      {
+        str_append_char(&proctitle_str, ' ');
+        str_append_str(&proctitle_str, &p_sess->ftp_arg_str);
+      }
+      /* Suggestion from Solar */
+      str_replace_unprintable(&proctitle_str, '?');
+      vsf_sysutil_setproctitle_str(&proctitle_str);
+      str_free(&proctitle_str);
+    }
+    /* Test command against the allowed lists.. */
+    if (tunable_cmds_allowed)
+    {
+      static struct mystr s_src_str;
+      static struct mystr s_rhs_str;
+      str_alloc_text(&s_src_str, tunable_cmds_allowed);
+      while (1)
+      {
+        str_split_char(&s_src_str, &s_rhs_str, ',');
+        if (str_isempty(&s_src_str))
+        {
+          cmd_ok = 0;
+          break;
+        }
+        else if (str_equal(&s_src_str, &p_sess->ftp_cmd_str))
+        {
+          break;
+        }
+        str_copy(&s_src_str, &s_rhs_str);
+      }
+    }
+    if (tunable_cmds_denied)
+    {
+      static struct mystr s_src_str;
+      static struct mystr s_rhs_str;
+      str_alloc_text(&s_src_str, tunable_cmds_denied);
+      while (1)
+      {
+        str_split_char(&s_src_str, &s_rhs_str, ',');
+        if (str_isempty(&s_src_str))
+        {
+          break;
+        }
+        else if (str_equal(&s_src_str, &p_sess->ftp_cmd_str))
+        {
+          cmd_ok = 0;
+          break;
+        }
+        str_copy(&s_src_str, &s_rhs_str);
+      }
+    }
+    if (!cmd_ok)
+    {
+      vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "QUIT"))
+    {
+      vsf_cmdio_write_exit(p_sess, FTP_GOODBYE, "Goodbye.", 0);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "PWD") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "XPWD"))
+    {
+      handle_pwd(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "CWD") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "XCWD"))
+    {
+      handle_cwd(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "CDUP") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "XCUP"))
+    {
+      handle_cdup(p_sess);
+    }
+    else if (tunable_pasv_enable &&
+             !p_sess->epsv_all &&
+             (str_equal_text(&p_sess->ftp_cmd_str, "PASV") ||
+              str_equal_text(&p_sess->ftp_cmd_str, "P@SW")))
+    {
+      handle_pasv(p_sess, 0);
+    }
+    else if (tunable_pasv_enable &&
+             str_equal_text(&p_sess->ftp_cmd_str, "EPSV"))
+    {
+      handle_pasv(p_sess, 1);
+    }
+    else if (tunable_download_enable &&
+             str_equal_text(&p_sess->ftp_cmd_str, "RETR"))
+    {
+      handle_retr(p_sess, 0);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "NOOP"))
+    {
+      vsf_cmdio_write(p_sess, FTP_NOOPOK, "NOOP ok.");
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "SYST"))
+    {
+      vsf_cmdio_write(p_sess, FTP_SYSTOK, "UNIX Type: L8");
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "HELP"))
+    {
+      handle_help(p_sess);
+    }
+    else if (tunable_dirlist_enable &&
+             str_equal_text(&p_sess->ftp_cmd_str, "LIST"))
+    {
+      handle_list(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "TYPE"))
+    {
+      handle_type(p_sess);
+    }
+    else if (tunable_port_enable &&
+             !p_sess->epsv_all &&
+             str_equal_text(&p_sess->ftp_cmd_str, "PORT"))
+    {
+      handle_port(p_sess);
+    }
+    else if (tunable_write_enable &&
+             (tunable_anon_upload_enable || !p_sess->is_anonymous) &&
+             str_equal_text(&p_sess->ftp_cmd_str, "STOR"))
+    {
+      handle_stor(p_sess);
+    }
+    else if (tunable_write_enable &&
+             (tunable_anon_mkdir_write_enable || !p_sess->is_anonymous) &&
+             (str_equal_text(&p_sess->ftp_cmd_str, "MKD") ||
+              str_equal_text(&p_sess->ftp_cmd_str, "XMKD")))
+    {
+      handle_mkd(p_sess);
+    }
+    else if (tunable_write_enable &&
+             (tunable_anon_other_write_enable || !p_sess->is_anonymous) &&
+             (str_equal_text(&p_sess->ftp_cmd_str, "RMD") ||
+              str_equal_text(&p_sess->ftp_cmd_str, "XRMD")))
+    {
+      handle_rmd(p_sess);
+    }
+    else if (tunable_write_enable &&
+             (tunable_anon_other_write_enable || !p_sess->is_anonymous) &&
+             str_equal_text(&p_sess->ftp_cmd_str, "DELE"))
+    {
+      handle_dele(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "REST"))
+    {
+      handle_rest(p_sess);
+    }
+    else if (tunable_write_enable &&
+             (tunable_anon_other_write_enable || !p_sess->is_anonymous) &&
+             str_equal_text(&p_sess->ftp_cmd_str, "RNFR"))
+    {
+      handle_rnfr(p_sess);
+    }
+    else if (tunable_write_enable &&
+             (tunable_anon_other_write_enable || !p_sess->is_anonymous) &&
+             str_equal_text(&p_sess->ftp_cmd_str, "RNTO"))
+    {
+      handle_rnto(p_sess);
+    }
+    else if (tunable_dirlist_enable &&
+             str_equal_text(&p_sess->ftp_cmd_str, "NLST"))
+    {
+      handle_nlst(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "SIZE"))
+    {
+      handle_size(p_sess);
+    }
+    else if (!p_sess->is_anonymous &&
+             str_equal_text(&p_sess->ftp_cmd_str, "SITE"))
+    {
+      handle_site(p_sess);
+    }
+    /* Note - the weird ABOR string is checking for an async ABOR arriving
+     * without a SIGURG condition.
+     */
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "ABOR") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "\377\364\377\362ABOR"))
+    {
+      vsf_cmdio_write(p_sess, FTP_ABOR_NOCONN, "No transfer to ABOR.");
+    }
+    else if (tunable_write_enable &&
+             (tunable_anon_other_write_enable || !p_sess->is_anonymous) &&
+             str_equal_text(&p_sess->ftp_cmd_str, "APPE"))
+    {
+      handle_appe(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "MDTM"))
+    {
+      handle_mdtm(p_sess);
+    }
+    else if (tunable_port_enable &&
+             str_equal_text(&p_sess->ftp_cmd_str, "EPRT"))
+    {
+      handle_eprt(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "STRU"))
+    {
+      str_upper(&p_sess->ftp_arg_str);
+      if (str_equal_text(&p_sess->ftp_arg_str, "F"))
+      {
+        vsf_cmdio_write(p_sess, FTP_STRUOK, "Structure set to F.");
+      }
+      else
+      {
+        vsf_cmdio_write(p_sess, FTP_BADSTRU, "Bad STRU command.");
+      }
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "MODE"))
+    {
+      str_upper(&p_sess->ftp_arg_str);
+      if (str_equal_text(&p_sess->ftp_arg_str, "S"))
+      {
+        vsf_cmdio_write(p_sess, FTP_MODEOK, "Mode set to S.");
+      }
+      else
+      {
+        vsf_cmdio_write(p_sess, FTP_BADMODE, "Bad MODE command.");
+      }
+    }
+    else if (tunable_write_enable &&
+             (tunable_anon_upload_enable || !p_sess->is_anonymous) &&
+             str_equal_text(&p_sess->ftp_cmd_str, "STOU"))
+    {
+      handle_stou(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "ALLO"))
+    {
+      vsf_cmdio_write(p_sess, FTP_ALLOOK, "ALLO command ignored.");
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "REIN"))
+    {
+      vsf_cmdio_write(p_sess, FTP_COMMANDNOTIMPL, "REIN not implemented.");
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "ACCT"))
+    {
+      vsf_cmdio_write(p_sess, FTP_COMMANDNOTIMPL, "ACCT not implemented.");
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "SMNT"))
+    {
+      vsf_cmdio_write(p_sess, FTP_COMMANDNOTIMPL, "SMNT not implemented.");
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "FEAT"))
+    {
+      handle_feat(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "OPTS"))
+    {
+      handle_opts(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "STAT") &&
+             str_isempty(&p_sess->ftp_arg_str))
+    {
+      handle_stat(p_sess);
+    }
+    else if (tunable_dirlist_enable &&
+             str_equal_text(&p_sess->ftp_cmd_str, "STAT"))
+    {
+      handle_stat_file(p_sess);
+    }
+    else if (tunable_ssl_enable && str_equal_text(&p_sess->ftp_cmd_str, "PBSZ"))
+    {
+      handle_pbsz(p_sess);
+    }
+    else if (tunable_ssl_enable && str_equal_text(&p_sess->ftp_cmd_str, "PROT"))
+    {
+      handle_prot(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "USER"))
+    {
+      handle_logged_in_user(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "PASS"))
+    {
+      handle_logged_in_pass(p_sess);
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "PASV") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "PORT") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "STOR") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "MKD") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "XMKD") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "RMD") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "XRMD") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "DELE") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "RNFR") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "RNTO") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "SITE") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "APPE") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "EPSV") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "EPRT") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "RETR") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "LIST") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "NLST") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "STOU") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "ALLO") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "REIN") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "ACCT") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "SMNT") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "FEAT") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "OPTS") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "STAT") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "PBSZ") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "PROT"))
+    {
+      vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    }
+    else if (str_isempty(&p_sess->ftp_cmd_str) &&
+             str_isempty(&p_sess->ftp_arg_str))
+    {
+      /* Deliberately ignore to avoid NAT device bugs. ProFTPd does the same. */
+    }
+    else if (str_equal_text(&p_sess->ftp_cmd_str, "GET") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "POST") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "HEAD") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "OPTIONS") ||
+             str_equal_text(&p_sess->ftp_cmd_str, "CONNECT"))
+    {
+      vsf_cmdio_write_exit(p_sess, FTP_BADCMD,
+                           "HTTP protocol commands not allowed.", 1);
+    }
+    else
+    {
+      vsf_cmdio_write(p_sess, FTP_BADCMD, "Unknown command.");
+    }
+    if (vsf_log_entry_pending(p_sess))
+    {
+      vsf_log_do_log(p_sess, 0);
+    }
+    if (p_sess->data_timeout)
+    {
+      vsf_cmdio_write_exit(p_sess, FTP_DATA_TIMEOUT,
+                           "Data timeout. Reconnect. Sorry.", 1);
+    }
+  }
+}
+
+static void
+handle_pwd(struct vsf_session* p_sess)
+{
+  static struct mystr s_cwd_buf_mangle_str;
+  static struct mystr s_pwd_res_str;
+  str_getcwd(&s_cwd_buf_mangle_str);
+  /* Double up any double-quotes in the pathname! */
+  str_replace_text(&s_cwd_buf_mangle_str, "\"", "\"\"");
+  /* Enclose pathname in quotes */
+  str_alloc_text(&s_pwd_res_str, "\"");
+  str_append_str(&s_pwd_res_str, &s_cwd_buf_mangle_str);
+  str_append_text(&s_pwd_res_str, "\" is the current directory");
+  vsf_cmdio_write_str(p_sess, FTP_PWDOK, &s_pwd_res_str);
+}
+
+static void
+handle_cwd(struct vsf_session* p_sess)
+{
+  int retval;
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  retval = str_chdir(&p_sess->ftp_arg_str);
+  if (retval == 0)
+  {
+    /* Handle any messages */
+    vsf_banner_dir_changed(p_sess, FTP_CWDOK);
+    vsf_cmdio_write(p_sess, FTP_CWDOK, "Directory successfully changed.");
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to change directory.");
+  }
+}
+
+static void
+handle_cdup(struct vsf_session* p_sess)
+{
+  str_alloc_text(&p_sess->ftp_arg_str, "..");
+  handle_cwd(p_sess);
+}
+
+static int
+port_active(struct vsf_session* p_sess)
+{
+  int ret = 0;
+  if (p_sess->p_port_sockaddr != 0)
+  {
+    ret = 1;
+    if (pasv_active(p_sess))
+    {
+      bug("port and pasv both active");
+    }
+  }
+  return ret;
+}
+
+static int
+pasv_active(struct vsf_session* p_sess)
+{
+  int ret = 0;
+  if (tunable_one_process_model)
+  {
+    ret = vsf_one_process_pasv_active(p_sess);
+  }
+  else
+  {
+    ret = vsf_two_process_pasv_active(p_sess);
+  }
+  if (ret)
+  {
+    if (port_active(p_sess))
+    {
+      bug("pasv and port both active");
+    }
+  }
+  return ret;
+}
+
+static void
+port_cleanup(struct vsf_session* p_sess)
+{
+  vsf_sysutil_sockaddr_clear(&p_sess->p_port_sockaddr);
+}
+
+static void
+pasv_cleanup(struct vsf_session* p_sess)
+{
+  if (tunable_one_process_model)
+  {
+    vsf_one_process_pasv_cleanup(p_sess);
+  }
+  else
+  {
+    vsf_two_process_pasv_cleanup(p_sess);
+  }
+}
+
+static void
+handle_pasv(struct vsf_session* p_sess, int is_epsv)
+{
+  unsigned short the_port;
+  static struct mystr s_pasv_res_str;
+  static struct vsf_sysutil_sockaddr* s_p_sockaddr;
+  int is_ipv6 = vsf_sysutil_sockaddr_is_ipv6(p_sess->p_local_addr);
+  if (is_epsv && !str_isempty(&p_sess->ftp_arg_str))
+  {
+    int argval;
+    str_upper(&p_sess->ftp_arg_str);
+    if (str_equal_text(&p_sess->ftp_arg_str, "ALL"))
+    {
+      p_sess->epsv_all = 1;
+      vsf_cmdio_write(p_sess, FTP_EPSVALLOK, "EPSV ALL ok.");
+      return;
+    }
+    argval = vsf_sysutil_atoi(str_getbuf(&p_sess->ftp_arg_str));
+    if (argval < 1 || argval > 2 || (!is_ipv6 && argval == 2))
+    {
+      vsf_cmdio_write(p_sess, FTP_EPSVBAD, "Bad network protocol.");
+      return;
+    }
+  }
+  pasv_cleanup(p_sess);
+  port_cleanup(p_sess);
+  if (tunable_one_process_model)
+  {
+    the_port = vsf_one_process_listen(p_sess);
+  }
+  else
+  {
+    the_port = vsf_two_process_listen(p_sess);
+  }
+  if (is_epsv)
+  {
+    str_alloc_text(&s_pasv_res_str, "Entering Extended Passive Mode (|||");
+    str_append_ulong(&s_pasv_res_str, (unsigned long) the_port);
+    str_append_text(&s_pasv_res_str, "|)");
+    vsf_cmdio_write_str(p_sess, FTP_EPSVOK, &s_pasv_res_str);
+    return;
+  }
+  if (tunable_pasv_address != 0)
+  {
+    vsf_sysutil_sockaddr_alloc_ipv4(&s_p_sockaddr);
+    /* Report passive address as specified in configuration */
+    if (vsf_sysutil_inet_aton(tunable_pasv_address, s_p_sockaddr) == 0)
+    {
+      die("invalid pasv_address");
+    }
+  }
+  else
+  {
+    vsf_sysutil_sockaddr_clone(&s_p_sockaddr, p_sess->p_local_addr);
+  }
+  str_alloc_text(&s_pasv_res_str, "Entering Passive Mode (");
+  if (!is_ipv6)
+  {
+    str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntop(s_p_sockaddr));
+  }
+  else
+  {
+    const void* p_v4addr = vsf_sysutil_sockaddr_ipv6_v4(s_p_sockaddr);
+    if (p_v4addr)
+    {
+      str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntoa(p_v4addr));
+    }
+    else
+    {
+      str_append_text(&s_pasv_res_str, "0,0,0,0");
+    }
+  }
+  str_replace_char(&s_pasv_res_str, '.', ',');
+  str_append_text(&s_pasv_res_str, ",");
+  str_append_ulong(&s_pasv_res_str, the_port >> 8);
+  str_append_text(&s_pasv_res_str, ",");
+  str_append_ulong(&s_pasv_res_str, the_port & 255);
+  str_append_text(&s_pasv_res_str, ").");
+  vsf_cmdio_write_str(p_sess, FTP_PASVOK, &s_pasv_res_str);
+}
+
+static void
+handle_retr(struct vsf_session* p_sess, int is_http)
+{
+  static struct mystr s_mark_str;
+  static struct vsf_sysutil_statbuf* s_p_statbuf;
+  struct vsf_transfer_ret trans_ret;
+  int remote_fd;
+  int opened_file;
+  int is_ascii = 0;
+  filesize_t offset = p_sess->restart_pos;
+  p_sess->restart_pos = 0;
+  if (!is_http && !data_transfer_checks_ok(p_sess))
+  {
+    return;
+  }
+  if (p_sess->is_ascii && offset != 0)
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL,
+                    "No support for resume of ASCII transfer.");
+    return;
+  }
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  vsf_log_start_entry(p_sess, kVSFLogEntryDownload);
+  str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
+  prepend_path_to_filename(&p_sess->log_str);
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  opened_file = str_open(&p_sess->ftp_arg_str, kVSFSysStrOpenReadOnly);
+  if (vsf_sysutil_retval_is_error(opened_file))
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to open file.");
+    return;
+  }
+  /* Lock file if required */
+  if (tunable_lock_upload_files)
+  {
+    vsf_sysutil_lock_file_read(opened_file);
+  }
+  vsf_sysutil_fstat(opened_file, &s_p_statbuf);
+  /* No games please */
+  if (!vsf_sysutil_statbuf_is_regfile(s_p_statbuf))
+  {
+    /* Note - pretend open failed */
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to open file.");
+    /* Irritating FireFox does RETR on directories, so avoid logging this
+     * very common and noisy case.
+     */
+    if (vsf_sysutil_statbuf_is_dir(s_p_statbuf))
+    {
+      vsf_log_clear_entry(p_sess);
+    }
+    goto file_close_out;
+  }
+  /* Now deactive O_NONBLOCK, otherwise we have a problem on DMAPI filesystems
+   * such as XFS DMAPI.
+   */
+  vsf_sysutil_deactivate_noblock(opened_file);
+  /* Optionally, we'll be paranoid and only serve publicly readable stuff */
+  if (p_sess->is_anonymous && tunable_anon_world_readable_only &&
+      !vsf_sysutil_statbuf_is_readable_other(s_p_statbuf))
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to open file.");
+    goto file_close_out;
+  }
+  /* Set the download offset (from REST) if any */
+  if (offset != 0)
+  {
+    vsf_sysutil_lseek_to(opened_file, offset);
+  }
+  str_alloc_text(&s_mark_str, "Opening ");
+  if (tunable_ascii_download_enable && p_sess->is_ascii)
+  {
+    str_append_text(&s_mark_str, "ASCII");
+    is_ascii = 1;
+  }
+  else
+  {
+    str_append_text(&s_mark_str, "BINARY");
+  }
+  str_append_text(&s_mark_str, " mode data connection for ");
+  str_append_str(&s_mark_str, &p_sess->ftp_arg_str);
+  str_append_text(&s_mark_str, " (");
+  str_append_filesize_t(&s_mark_str,
+                        vsf_sysutil_statbuf_get_size(s_p_statbuf));
+  str_append_text(&s_mark_str, " bytes).");
+  if (is_http)
+  {
+    remote_fd = VSFTP_COMMAND_FD;
+  }
+  else
+  {
+    remote_fd = get_remote_transfer_fd(p_sess, str_getbuf(&s_mark_str));
+    if (vsf_sysutil_retval_is_error(remote_fd))
+    {
+      goto port_pasv_cleanup_out;
+    }
+  }
+  trans_ret = vsf_ftpdataio_transfer_file(p_sess, remote_fd,
+                                          opened_file, 0, is_ascii);
+  if (!is_http &&
+      vsf_ftpdataio_dispose_transfer_fd(p_sess) != 1 &&
+      trans_ret.retval == 0)
+  {
+    trans_ret.retval = -2;
+  }
+  p_sess->transfer_size = trans_ret.transferred;
+  /* Log _after_ the blocking dispose call, so we get transfer times right */
+  if (trans_ret.retval == 0)
+  {
+    vsf_log_do_log(p_sess, 1);
+  }
+  if (is_http)
+  {
+    goto file_close_out;
+  }
+  /* Emit status message _after_ blocking dispose call to avoid buggy FTP
+   * clients truncating the transfer.
+   */
+  if (trans_ret.retval == -1)
+  {
+    vsf_cmdio_write(p_sess, FTP_BADSENDFILE, "Failure reading local file.");
+  }
+  else if (trans_ret.retval == -2)
+  {
+    if (!p_sess->data_timeout)
+    {
+      vsf_cmdio_write(p_sess, FTP_BADSENDNET,
+                      "Failure writing network stream.");
+    }
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_TRANSFEROK, "Transfer complete.");
+  }
+  check_abor(p_sess);
+port_pasv_cleanup_out:
+  port_cleanup(p_sess);
+  pasv_cleanup(p_sess);
+file_close_out:
+  vsf_sysutil_close(opened_file);
+}
+
+static void
+handle_list(struct vsf_session* p_sess)
+{
+  handle_dir_common(p_sess, 1, 0);
+}
+
+static void
+handle_dir_common(struct vsf_session* p_sess, int full_details, int stat_cmd)
+{
+  static struct mystr s_option_str;
+  static struct mystr s_filter_str;
+  static struct mystr s_dir_name_str;
+  static struct vsf_sysutil_statbuf* s_p_dirstat;
+  int dir_allow_read = 1;
+  struct vsf_sysutil_dir* p_dir = 0;
+  int retval = 0;
+  int use_control = 0;
+  str_empty(&s_option_str);
+  str_empty(&s_filter_str);
+  /* By default open the current directory */
+  str_alloc_text(&s_dir_name_str, ".");
+  if (!stat_cmd && !data_transfer_checks_ok(p_sess))
+  {
+    return;
+  }
+  /* Do we have an option? Going to be strict here - the option must come
+   * first. e.g. "ls -a .." fine, "ls .. -a" not fine
+   */
+  if (!str_isempty(&p_sess->ftp_arg_str) &&
+      str_get_char_at(&p_sess->ftp_arg_str, 0) == '-')
+  {
+    /* Chop off the '-' */
+    str_mid_to_end(&p_sess->ftp_arg_str, &s_option_str, 1);
+    /* A space will separate options from filter (if any) */
+    str_split_char(&s_option_str, &s_filter_str, ' ');
+  }
+  else
+  {
+    /* The argument, if any, is just a filter */
+    str_copy(&s_filter_str, &p_sess->ftp_arg_str);
+  }
+  if (!str_isempty(&s_filter_str))
+  {
+    resolve_tilde(&s_filter_str, p_sess);
+    if (!vsf_access_check_file(&s_filter_str))
+    {
+      vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+      return;
+    }
+    /* First check - is it an outright directory, as in "ls /pub" */
+    p_dir = str_opendir(&s_filter_str);
+    if (p_dir != 0)
+    {
+      /* Listing a directory! */
+      str_copy(&s_dir_name_str, &s_filter_str);
+      str_free(&s_filter_str);
+    }
+    else
+    {
+      struct str_locate_result locate_result =
+        str_locate_char(&s_filter_str, '/');
+      if (locate_result.found)
+      {
+        /* Includes a path! Reverse scan for / in the arg, to get the
+         * base directory and filter (if any)
+         */
+        str_copy(&s_dir_name_str, &s_filter_str);
+        str_split_char_reverse(&s_dir_name_str, &s_filter_str, '/');
+        /* If we have e.g. "ls /.message", we just ripped off the leading
+         * slash because it is the only one!
+         */
+        if (str_isempty(&s_dir_name_str))
+        {
+          str_alloc_text(&s_dir_name_str, "/");
+        }
+      }
+    }
+  }
+  if (p_dir == 0)
+  {
+    /* NOTE - failure check done below, it's not forgotten */
+    p_dir = str_opendir(&s_dir_name_str);
+  }
+  /* Fine, do it */
+  if (stat_cmd)
+  {
+    use_control = 1;
+    str_append_char(&s_option_str, 'a');
+    vsf_cmdio_write_hyphen(p_sess, FTP_STATFILE_OK, "Status follows:");
+  }
+  else
+  {
+    int remote_fd = get_remote_transfer_fd(
+      p_sess, "Here comes the directory listing.");
+    if (vsf_sysutil_retval_is_error(remote_fd))
+    {
+      goto dir_close_out;
+    }
+  }
+  if (p_sess->is_anonymous && p_dir && tunable_anon_world_readable_only)
+  {
+    vsf_sysutil_dir_stat(p_dir, &s_p_dirstat);
+    if (!vsf_sysutil_statbuf_is_readable_other(s_p_dirstat))
+    {
+      dir_allow_read = 0;
+    }
+  }
+  if (p_dir != 0 && dir_allow_read)
+  {
+    retval = vsf_ftpdataio_transfer_dir(p_sess, use_control, p_dir,
+                                        &s_dir_name_str, &s_option_str,
+                                        &s_filter_str, full_details);
+  }
+  if (!stat_cmd)
+  {
+    if (vsf_ftpdataio_dispose_transfer_fd(p_sess) != 1 && retval == 0)
+    {
+      retval = -1;
+    }
+  }
+  if (stat_cmd)
+  {
+    vsf_cmdio_write(p_sess, FTP_STATFILE_OK, "End of status");
+  }
+  else if (retval != 0)
+  {
+    if (!p_sess->data_timeout)
+    {
+      vsf_cmdio_write(p_sess, FTP_BADSENDNET,
+                      "Failure writing network stream.");
+    }
+  }
+  else if (p_dir == 0 || !dir_allow_read)
+  {
+    vsf_cmdio_write(p_sess, FTP_TRANSFEROK,
+                    "Transfer done (but failed to open directory).");
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_TRANSFEROK, "Directory send OK.");
+  }
+  check_abor(p_sess);
+dir_close_out:
+  if (p_dir)
+  {
+    vsf_sysutil_closedir(p_dir);
+  }
+  if (!stat_cmd)
+  {
+    port_cleanup(p_sess);
+    pasv_cleanup(p_sess);
+  }
+}
+
+static void
+handle_type(struct vsf_session* p_sess)
+{
+  str_upper(&p_sess->ftp_arg_str);
+  if (str_equal_text(&p_sess->ftp_arg_str, "I") ||
+      str_equal_text(&p_sess->ftp_arg_str, "L8") ||
+      str_equal_text(&p_sess->ftp_arg_str, "L 8"))
+  {
+    p_sess->is_ascii = 0;
+    vsf_cmdio_write(p_sess, FTP_TYPEOK, "Switching to Binary mode.");
+  }
+  else if (str_equal_text(&p_sess->ftp_arg_str, "A") ||
+           str_equal_text(&p_sess->ftp_arg_str, "A N"))
+  {
+    p_sess->is_ascii = 1;
+    vsf_cmdio_write(p_sess, FTP_TYPEOK, "Switching to ASCII mode.");
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_BADCMD, "Unrecognised TYPE command.");
+  }
+}
+
+static void
+handle_port(struct vsf_session* p_sess)
+{
+  unsigned short the_port;
+  unsigned char vals[6];
+  const unsigned char* p_raw;
+  pasv_cleanup(p_sess);
+  port_cleanup(p_sess);
+  p_raw = vsf_sysutil_parse_uchar_string_sep(&p_sess->ftp_arg_str, ',', vals,
+                                             sizeof(vals));
+  if (p_raw == 0)
+  {
+    vsf_cmdio_write(p_sess, FTP_BADCMD, "Illegal PORT command.");
+    return;
+  }
+  the_port = (unsigned short) ((vals[4] << 8) | vals[5]);
+  vsf_sysutil_sockaddr_clone(&p_sess->p_port_sockaddr, p_sess->p_local_addr);
+  vsf_sysutil_sockaddr_set_ipv4addr(p_sess->p_port_sockaddr, vals);
+  vsf_sysutil_sockaddr_set_port(p_sess->p_port_sockaddr, the_port);
+  /* SECURITY:
+   * 1) Reject requests not connecting to the control socket IP
+   * 2) Reject connects to privileged ports
+   */
+  if (!tunable_port_promiscuous)
+  {
+    if (!vsf_sysutil_sockaddr_addr_equal(p_sess->p_remote_addr,
+                                         p_sess->p_port_sockaddr) ||
+        vsf_sysutil_is_port_reserved(the_port))
+    {
+      vsf_cmdio_write(p_sess, FTP_BADCMD, "Illegal PORT command.");
+      port_cleanup(p_sess);
+      return;
+    }
+  }
+  vsf_cmdio_write(p_sess, FTP_PORTOK,
+                  "PORT command successful. Consider using PASV.");
+}
+
+static void
+handle_stor(struct vsf_session* p_sess)
+{
+  handle_upload_common(p_sess, 0, 0);
+}
+
+static void
+handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique)
+{
+  static struct vsf_sysutil_statbuf* s_p_statbuf;
+  static struct mystr s_filename;
+  struct mystr* p_filename;
+  struct vsf_transfer_ret trans_ret;
+  int new_file_fd;
+  int remote_fd;
+  int success = 0;
+  int created = 0;
+  int do_truncate = 0;
+  filesize_t offset = p_sess->restart_pos;
+  p_sess->restart_pos = 0;
+  if (!data_transfer_checks_ok(p_sess))
+  {
+    return;
+  }
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  p_filename = &p_sess->ftp_arg_str;
+  if (is_unique)
+  {
+    get_unique_filename(&s_filename, p_filename);
+    p_filename = &s_filename;
+  }
+  vsf_log_start_entry(p_sess, kVSFLogEntryUpload);
+  str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
+  prepend_path_to_filename(&p_sess->log_str);
+  if (!vsf_access_check_file(p_filename))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  /* NOTE - actual file permissions will be governed by the tunable umask */
+  /* XXX - do we care about race between create and chown() of anonymous
+   * upload?
+   */
+  if (is_unique || (p_sess->is_anonymous && !tunable_anon_other_write_enable))
+  {
+    new_file_fd = str_create_exclusive(p_filename);
+  }
+  else
+  {
+    /* For non-anonymous, allow open() to overwrite or append existing files */
+    new_file_fd = str_create(p_filename);
+    if (!is_append && offset == 0)
+    {
+      do_truncate = 1;
+    }
+  }
+  if (vsf_sysutil_retval_is_error(new_file_fd))
+  {
+    vsf_cmdio_write(p_sess, FTP_UPLOADFAIL, "Could not create file.");
+    return;
+  }
+  created = 1;
+  vsf_sysutil_fstat(new_file_fd, &s_p_statbuf);
+  if (vsf_sysutil_statbuf_is_regfile(s_p_statbuf))
+  {
+    /* Now deactive O_NONBLOCK, otherwise we have a problem on DMAPI filesystems
+     * such as XFS DMAPI.
+     */
+    vsf_sysutil_deactivate_noblock(new_file_fd);
+  }
+  /* Are we required to chown() this file for security? */
+  if (p_sess->is_anonymous && tunable_chown_uploads)
+  {
+    vsf_sysutil_fchmod(new_file_fd, tunable_chown_upload_mode);
+    if (tunable_one_process_model)
+    {
+      vsf_one_process_chown_upload(p_sess, new_file_fd);
+    }
+    else
+    {
+      vsf_two_process_chown_upload(p_sess, new_file_fd);
+    }
+  }
+  /* Are we required to lock this file? */
+  if (tunable_lock_upload_files)
+  {
+    vsf_sysutil_lock_file_write(new_file_fd);
+  }
+  /* Must truncate the file AFTER locking it! */
+  if (do_truncate)
+  {
+    vsf_sysutil_ftruncate(new_file_fd);
+    vsf_sysutil_lseek_to(new_file_fd, 0);
+  }
+  if (!is_append && offset != 0)
+  {
+    /* XXX - warning, allows seek past end of file! Check for seek > size? */
+    vsf_sysutil_lseek_to(new_file_fd, offset);
+  }
+  else if (is_append)
+  {
+    vsf_sysutil_lseek_end(new_file_fd);
+  }
+  if (is_unique)
+  {
+    struct mystr resp_str = INIT_MYSTR;
+    str_alloc_text(&resp_str, "FILE: ");
+    str_append_str(&resp_str, p_filename);
+    remote_fd = get_remote_transfer_fd(p_sess, str_getbuf(&resp_str));
+    str_free(&resp_str);
+  }
+  else
+  {
+    remote_fd = get_remote_transfer_fd(p_sess, "Ok to send data.");
+  }
+  if (vsf_sysutil_retval_is_error(remote_fd))
+  {
+    goto port_pasv_cleanup_out;
+  }
+  if (tunable_ascii_upload_enable && p_sess->is_ascii)
+  {
+    trans_ret = vsf_ftpdataio_transfer_file(p_sess, remote_fd,
+                                            new_file_fd, 1, 1);
+  }
+  else
+  {
+    trans_ret = vsf_ftpdataio_transfer_file(p_sess, remote_fd,
+                                            new_file_fd, 1, 0);
+  }
+  if (vsf_ftpdataio_dispose_transfer_fd(p_sess) != 1 && trans_ret.retval == 0)
+  {
+    trans_ret.retval = -2;
+  }
+  p_sess->transfer_size = trans_ret.transferred;
+  if (trans_ret.retval == 0)
+  {
+    success = 1;
+    vsf_log_do_log(p_sess, 1);
+  }
+  if (trans_ret.retval == -1)
+  {
+    vsf_cmdio_write(p_sess, FTP_BADSENDFILE, "Failure writing to local file.");
+  }
+  else if (trans_ret.retval == -2)
+  {
+    if (!p_sess->data_timeout)
+    {
+      vsf_cmdio_write(p_sess, FTP_BADSENDNET,
+                      "Failure reading network stream.");
+    }
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_TRANSFEROK, "Transfer complete.");
+  }
+  check_abor(p_sess);
+port_pasv_cleanup_out:
+  port_cleanup(p_sess);
+  pasv_cleanup(p_sess);
+  if (tunable_delete_failed_uploads && created && !success)
+  {
+    str_unlink(p_filename);
+  }
+  vsf_sysutil_close(new_file_fd);
+}
+
+static void
+handle_mkd(struct vsf_session* p_sess)
+{
+  int retval;
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  vsf_log_start_entry(p_sess, kVSFLogEntryMkdir);
+  str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
+  prepend_path_to_filename(&p_sess->log_str);
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  /* NOTE! Actual permissions will be governed by the tunable umask */
+  retval = str_mkdir(&p_sess->ftp_arg_str, 0777);
+  if (retval != 0)
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL,
+                    "Create directory operation failed.");
+    return;
+  }
+  vsf_log_do_log(p_sess, 1);
+  {
+    static struct mystr s_mkd_res;
+    static struct mystr s_tmp_str;
+    str_copy(&s_tmp_str, &p_sess->ftp_arg_str);
+    prepend_path_to_filename(&s_tmp_str);
+    /* Double up double quotes */
+    str_replace_text(&s_tmp_str, "\"", "\"\"");
+    /* Build result string */
+    str_alloc_text(&s_mkd_res, "\"");
+    str_append_str(&s_mkd_res, &s_tmp_str);
+    str_append_text(&s_mkd_res, "\" created");
+    vsf_cmdio_write_str(p_sess, FTP_MKDIROK, &s_mkd_res);
+  }
+}
+
+static void
+handle_rmd(struct vsf_session* p_sess)
+{
+  int retval;
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  vsf_log_start_entry(p_sess, kVSFLogEntryRmdir);
+  str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
+  prepend_path_to_filename(&p_sess->log_str);
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  retval = str_rmdir(&p_sess->ftp_arg_str);
+  if (retval != 0)
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL,
+                    "Remove directory operation failed.");
+  }
+  else
+  {
+    vsf_log_do_log(p_sess, 1);
+    vsf_cmdio_write(p_sess, FTP_RMDIROK,
+                    "Remove directory operation successful.");
+  }
+}
+
+static void
+handle_dele(struct vsf_session* p_sess)
+{
+  int retval;
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  vsf_log_start_entry(p_sess, kVSFLogEntryDelete);
+  str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
+  prepend_path_to_filename(&p_sess->log_str);
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  retval = str_unlink(&p_sess->ftp_arg_str);
+  if (retval != 0)
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Delete operation failed.");
+  }
+  else
+  {
+    vsf_log_do_log(p_sess, 1);
+    vsf_cmdio_write(p_sess, FTP_DELEOK, "Delete operation successful.");
+  }
+}
+
+static void
+handle_rest(struct vsf_session* p_sess)
+{
+  static struct mystr s_rest_str;
+  filesize_t val = str_a_to_filesize_t(&p_sess->ftp_arg_str);
+  if (val < 0)
+  {
+    val = 0;
+  }
+  p_sess->restart_pos = val;
+  str_alloc_text(&s_rest_str, "Restart position accepted (");
+  str_append_filesize_t(&s_rest_str, val);
+  str_append_text(&s_rest_str, ").");
+  vsf_cmdio_write_str(p_sess, FTP_RESTOK, &s_rest_str);
+}
+
+static void
+handle_rnfr(struct vsf_session* p_sess)
+{
+  static struct vsf_sysutil_statbuf* p_statbuf;
+  int retval;
+  /* Clear old value */
+  str_free(&p_sess->rnfr_filename_str);
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  {
+    vsf_log_start_entry(p_sess, kVSFLogEntryRename);
+    str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
+    prepend_path_to_filename(&p_sess->log_str);
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  /* Does it exist? */
+  retval = str_stat(&p_sess->ftp_arg_str, &p_statbuf);
+  if (retval == 0)
+  {
+    /* Yes */
+    str_copy(&p_sess->rnfr_filename_str, &p_sess->ftp_arg_str);
+    vsf_cmdio_write(p_sess, FTP_RNFROK, "Ready for RNTO.");
+  }
+  else
+  {
+    vsf_log_start_entry(p_sess, kVSFLogEntryRename);
+    str_copy(&p_sess->log_str, &p_sess->ftp_arg_str);
+    prepend_path_to_filename(&p_sess->log_str);
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL, "RNFR command failed.");
+  }
+}
+
+static void
+handle_rnto(struct vsf_session* p_sess)
+{
+  static struct mystr s_tmp_str;
+  int retval;
+  /* If we didn't get a RNFR, throw a wobbly */
+  if (str_isempty(&p_sess->rnfr_filename_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NEEDRNFR,
+                    "RNFR required first.");
+    return;
+  }
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  vsf_log_start_entry(p_sess, kVSFLogEntryRename);
+  str_copy(&p_sess->log_str, &p_sess->rnfr_filename_str);
+  prepend_path_to_filename(&p_sess->log_str);
+  str_append_char(&p_sess->log_str, ' ');
+  str_copy(&s_tmp_str, &p_sess->ftp_arg_str);
+  prepend_path_to_filename(&s_tmp_str);
+  str_append_str(&p_sess->log_str, &s_tmp_str);
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  /* NOTE - might overwrite destination file. Not a concern because the same
+   * could be accomplished with DELE.
+   */
+  retval = str_rename(&p_sess->rnfr_filename_str, &p_sess->ftp_arg_str);
+  /* Clear the RNFR filename; start the two stage process again! */
+  str_free(&p_sess->rnfr_filename_str);
+  if (retval == 0)
+  {
+    vsf_log_do_log(p_sess, 1);
+    vsf_cmdio_write(p_sess, FTP_RENAMEOK, "Rename successful.");
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Rename failed.");
+  }
+}
+
+static void
+handle_nlst(struct vsf_session* p_sess)
+{
+  handle_dir_common(p_sess, 0, 0);
+}
+
+static void
+prepend_path_to_filename(struct mystr* p_str)
+{
+  static struct mystr s_tmp_str;
+  /* Only prepend current working directory if the incoming filename is
+   * relative
+   */
+  str_empty(&s_tmp_str);
+  if (str_isempty(p_str) || str_get_char_at(p_str, 0) != '/')
+  {
+    str_getcwd(&s_tmp_str);
+    /* Careful to not emit // if we are in directory / (common with chroot) */
+    if (str_isempty(&s_tmp_str) ||
+        str_get_char_at(&s_tmp_str, str_getlen(&s_tmp_str) - 1) != '/')
+    {
+      str_append_char(&s_tmp_str, '/');
+    }
+  }
+  str_append_str(&s_tmp_str, p_str);
+  str_copy(p_str, &s_tmp_str);
+}
+
+
+static void
+handle_sigurg(void* p_private)
+{
+  struct mystr async_cmd_str = INIT_MYSTR;
+  struct mystr async_arg_str = INIT_MYSTR;
+  struct mystr real_cmd_str = INIT_MYSTR;
+  unsigned int len;
+  struct vsf_session* p_sess = (struct vsf_session*) p_private;
+  /* Did stupid client sent something OOB without a data connection? */
+  if (p_sess->data_fd == -1)
+  {
+    return;
+  }
+  /* Get the async command - blocks (use data timeout alarm) */
+  vsf_cmdio_get_cmd_and_arg(p_sess, &async_cmd_str, &async_arg_str, 0);
+  /* Chop off first four characters; they are telnet characters. The client
+   * should have sent the first two normally and the second two as urgent
+   * data.
+   */
+  len = str_getlen(&async_cmd_str);
+  if (len >= 4)
+  {
+    str_right(&async_cmd_str, &real_cmd_str, len - 4);
+  }
+  if (str_equal_text(&real_cmd_str, "ABOR"))
+  {
+    p_sess->abor_received = 1;
+    /* This is failok because of a small race condition; the SIGURG might
+     * be raised after the data socket is closed, but before data_fd is
+     * set to -1.
+     */
+    vsf_sysutil_shutdown_failok(p_sess->data_fd);
+  }
+  else
+  {
+    /* Sorry! */
+    vsf_cmdio_write(p_sess, FTP_BADCMD, "Unknown command.");
+  }
+  str_free(&async_cmd_str);
+  str_free(&async_arg_str);
+  str_free(&real_cmd_str);
+}
+
+static int
+get_remote_transfer_fd(struct vsf_session* p_sess, const char* p_status_msg)
+{
+  int remote_fd;
+  if (!pasv_active(p_sess) && !port_active(p_sess))
+  {
+    bug("neither PORT nor PASV active in get_remote_transfer_fd");
+  }
+  p_sess->abor_received = 0;
+  if (pasv_active(p_sess))
+  {
+    remote_fd = vsf_ftpdataio_get_pasv_fd(p_sess);
+  }
+  else
+  {
+    remote_fd = vsf_ftpdataio_get_port_fd(p_sess);
+  }
+  if (vsf_sysutil_retval_is_error(remote_fd))
+  {
+    return remote_fd;
+  }
+  vsf_cmdio_write(p_sess, FTP_DATACONN, p_status_msg);
+  if (vsf_ftpdataio_post_mark_connect(p_sess) != 1)
+  {
+    vsf_ftpdataio_dispose_transfer_fd(p_sess);
+    return -1;
+  }
+  return remote_fd;
+}
+
+static void
+check_abor(struct vsf_session* p_sess)
+{
+  /* If the client sent ABOR, respond to it here */
+  if (p_sess->abor_received)
+  {
+    p_sess->abor_received = 0;
+    vsf_cmdio_write(p_sess, FTP_ABOROK, "ABOR successful.");
+  }
+}
+
+static void
+handle_size(struct vsf_session* p_sess)
+{
+  /* Note - in ASCII mode, are supposed to return the size after taking into
+   * account ASCII linefeed conversions. At least this is what wu-ftpd does in
+   * version 2.6.1. Proftpd-1.2.0pre fails to do this.
+   * I will not do it because it is a potential I/O DoS.
+   */
+  static struct vsf_sysutil_statbuf* s_p_statbuf;
+  int retval;
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  retval = str_stat(&p_sess->ftp_arg_str, &s_p_statbuf);
+  if (retval != 0 || !vsf_sysutil_statbuf_is_regfile(s_p_statbuf))
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Could not get file size.");
+  }
+  else
+  {
+    static struct mystr s_size_res_str;
+    str_alloc_filesize_t(&s_size_res_str,
+                         vsf_sysutil_statbuf_get_size(s_p_statbuf));
+    vsf_cmdio_write_str(p_sess, FTP_SIZEOK, &s_size_res_str);
+  }
+}
+
+static void
+handle_site(struct vsf_session* p_sess)
+{
+  static struct mystr s_site_args_str;
+  /* What SITE sub-command is it? */
+  str_split_char(&p_sess->ftp_arg_str, &s_site_args_str, ' ');
+  str_upper(&p_sess->ftp_arg_str);
+  if (tunable_write_enable &&
+      tunable_chmod_enable &&
+      str_equal_text(&p_sess->ftp_arg_str, "CHMOD"))
+  {
+    handle_site_chmod(p_sess, &s_site_args_str);
+  }
+  else if (str_equal_text(&p_sess->ftp_arg_str, "UMASK"))
+  {
+    handle_site_umask(p_sess, &s_site_args_str);
+  }
+  else if (str_equal_text(&p_sess->ftp_arg_str, "HELP"))
+  {
+    if (tunable_write_enable &&
+        tunable_chmod_enable)
+    {
+      vsf_cmdio_write(p_sess, FTP_SITEHELP, "CHMOD UMASK HELP");
+    }
+    else
+    {
+      vsf_cmdio_write(p_sess, FTP_SITEHELP, "UMASK HELP");
+    }
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_BADCMD, "Unknown SITE command.");
+  }
+}
+
+static void
+handle_site_chmod(struct vsf_session* p_sess, struct mystr* p_arg_str)
+{
+  static struct mystr s_chmod_file_str;
+  unsigned int perms;
+  int retval;
+  if (str_isempty(p_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_BADCMD, "SITE CHMOD needs 2 arguments.");
+    return;
+  }
+  str_split_char(p_arg_str, &s_chmod_file_str, ' ');
+  if (str_isempty(&s_chmod_file_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_BADCMD, "SITE CHMOD needs 2 arguments.");
+    return;
+  }
+  resolve_tilde(&s_chmod_file_str, p_sess);
+  vsf_log_start_entry(p_sess, kVSFLogEntryChmod);
+  str_copy(&p_sess->log_str, &s_chmod_file_str);
+  prepend_path_to_filename(&p_sess->log_str);
+  str_append_char(&p_sess->log_str, ' ');
+  str_append_str(&p_sess->log_str, p_arg_str);
+  if (!vsf_access_check_file(&s_chmod_file_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  /* Don't worry - our chmod() implementation only allows 0 - 0777 */
+  perms = str_octal_to_uint(p_arg_str);
+  retval = str_chmod(&s_chmod_file_str, perms);
+  if (vsf_sysutil_retval_is_error(retval))
+  {
+    vsf_cmdio_write(p_sess, FTP_FILEFAIL, "SITE CHMOD command failed.");
+  }
+  else
+  {
+    vsf_log_do_log(p_sess, 1);
+    vsf_cmdio_write(p_sess, FTP_CHMODOK, "SITE CHMOD command ok.");
+  }
+}
+
+static void
+handle_site_umask(struct vsf_session* p_sess, struct mystr* p_arg_str)
+{
+  static struct mystr s_umask_resp_str;
+  if (str_isempty(p_arg_str))
+  {
+    /* Empty arg => report current umask */
+    str_alloc_text(&s_umask_resp_str, "Your current UMASK is ");
+    str_append_text(&s_umask_resp_str,
+                    vsf_sysutil_uint_to_octal(vsf_sysutil_get_umask()));
+  }
+  else
+  {
+    /* Set current umask */
+    unsigned int new_umask = str_octal_to_uint(p_arg_str);
+    vsf_sysutil_set_umask(new_umask);
+    str_alloc_text(&s_umask_resp_str, "UMASK set to ");
+    str_append_text(&s_umask_resp_str,
+                    vsf_sysutil_uint_to_octal(vsf_sysutil_get_umask()));
+  }
+  vsf_cmdio_write_str(p_sess, FTP_UMASKOK, &s_umask_resp_str);
+}
+
+static void
+handle_appe(struct vsf_session* p_sess)
+{
+  handle_upload_common(p_sess, 1, 0);
+}
+
+static void
+handle_mdtm(struct vsf_session* p_sess)
+{
+  static struct mystr s_filename_str;
+  static struct vsf_sysutil_statbuf* s_p_statbuf;
+  int do_write = 0;
+  long modtime = 0;
+  struct str_locate_result loc = str_locate_char(&p_sess->ftp_arg_str, ' ');
+  int retval = str_stat(&p_sess->ftp_arg_str, &s_p_statbuf);
+  if (tunable_mdtm_write && retval != 0 && loc.found &&
+      vsf_sysutil_isdigit(str_get_char_at(&p_sess->ftp_arg_str, 0)))
+  {
+    if (loc.index == 8 || loc.index == 14 ||
+        (loc.index > 15 && str_get_char_at(&p_sess->ftp_arg_str, 14) == '.'))
+    {
+      do_write = 1;
+    }
+  }
+  if (do_write != 0)
+  {
+    str_split_char(&p_sess->ftp_arg_str, &s_filename_str, ' ');
+    modtime = vsf_sysutil_parse_time(str_getbuf(&p_sess->ftp_arg_str));
+    str_copy(&p_sess->ftp_arg_str, &s_filename_str);
+  }
+  resolve_tilde(&p_sess->ftp_arg_str, p_sess);
+  if (!vsf_access_check_file(&p_sess->ftp_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOPERM, "Permission denied.");
+    return;
+  }
+  if (do_write && tunable_write_enable &&
+      (tunable_anon_other_write_enable || !p_sess->is_anonymous))
+  {
+    retval = str_stat(&p_sess->ftp_arg_str, &s_p_statbuf);
+    if (retval != 0 || !vsf_sysutil_statbuf_is_regfile(s_p_statbuf))
+    {
+      vsf_cmdio_write(p_sess, FTP_FILEFAIL,
+                      "Could not set file modification time.");
+    }
+    else
+    {
+      retval = vsf_sysutil_setmodtime(
+        str_getbuf(&p_sess->ftp_arg_str), modtime, tunable_use_localtime);
+      if (retval != 0)
+      {
+        vsf_cmdio_write(p_sess, FTP_FILEFAIL,
+                        "Could not set file modification time.");
+      }
+      else
+      {
+        vsf_cmdio_write(p_sess, FTP_MDTMOK,
+                        "File modification time set.");
+      }
+    }
+  }
+  else
+  {
+    if (retval != 0 || !vsf_sysutil_statbuf_is_regfile(s_p_statbuf))
+    {
+      vsf_cmdio_write(p_sess, FTP_FILEFAIL,
+                      "Could not get file modification time.");
+    }
+    else
+    {
+      static struct mystr s_mdtm_res_str;
+      str_alloc_text(&s_mdtm_res_str,
+                     vsf_sysutil_statbuf_get_numeric_date(
+                       s_p_statbuf, tunable_use_localtime));
+      vsf_cmdio_write_str(p_sess, FTP_MDTMOK, &s_mdtm_res_str);
+    }
+  }
+}
+
+static void
+handle_eprt(struct vsf_session* p_sess)
+{
+  static struct mystr s_part1_str;
+  static struct mystr s_part2_str;
+  static struct mystr s_scopeid_str;
+  int proto;
+  int port;
+  const unsigned char* p_raw_addr;
+  int is_ipv6 = vsf_sysutil_sockaddr_is_ipv6(p_sess->p_local_addr);
+  port_cleanup(p_sess);
+  pasv_cleanup(p_sess);
+  str_copy(&s_part1_str, &p_sess->ftp_arg_str);
+  str_split_char(&s_part1_str, &s_part2_str, '|');
+  if (!str_isempty(&s_part1_str))
+  {
+    goto bad_eprt;
+  }
+  /* Split out the protocol and check it */
+  str_split_char(&s_part2_str, &s_part1_str, '|');
+  proto = str_atoi(&s_part2_str);
+  if (proto < 1 || proto > 2 || (!is_ipv6 && proto == 2))
+  {
+    vsf_cmdio_write(p_sess, FTP_BADCMD, "Bad EPRT protocol.");
+    return;
+  }
+  /* Split out address and parse it */
+  str_split_char(&s_part1_str, &s_part2_str, '|');
+  if (proto == 2)
+  {
+    str_split_char(&s_part1_str, &s_scopeid_str, '%');
+    p_raw_addr = vsf_sysutil_parse_ipv6(&s_part1_str);
+  }
+  else
+  {
+    p_raw_addr = vsf_sysutil_parse_ipv4(&s_part1_str);
+  }
+  if (!p_raw_addr)
+  {
+    goto bad_eprt;
+  }
+  /* Split out port and parse it */
+  str_split_char(&s_part2_str, &s_part1_str, '|');
+  if (!str_isempty(&s_part1_str) || str_isempty(&s_part2_str))
+  {
+    goto bad_eprt;
+  }
+  port = str_atoi(&s_part2_str);
+  if (port < 0 || port > 65535)
+  {
+    goto bad_eprt;
+  }
+  vsf_sysutil_sockaddr_clone(&p_sess->p_port_sockaddr, p_sess->p_local_addr);
+  if (proto == 2)
+  {
+    vsf_sysutil_sockaddr_set_ipv6addr(p_sess->p_port_sockaddr, p_raw_addr);
+  }
+  else
+  {
+    vsf_sysutil_sockaddr_set_ipv4addr(p_sess->p_port_sockaddr, p_raw_addr);
+  }
+  vsf_sysutil_sockaddr_set_port(p_sess->p_port_sockaddr, (unsigned short) port);
+  /* SECURITY:
+   * 1) Reject requests not connecting to the control socket IP
+   * 2) Reject connects to privileged ports
+   */
+  if (!tunable_port_promiscuous)
+  {
+    if (!vsf_sysutil_sockaddr_addr_equal(p_sess->p_remote_addr,
+                                         p_sess->p_port_sockaddr) ||
+        vsf_sysutil_is_port_reserved((unsigned short) port))
+    {
+      vsf_cmdio_write(p_sess, FTP_BADCMD, "Illegal EPRT command.");
+      port_cleanup(p_sess);
+      return;
+    }
+  }
+  vsf_cmdio_write(p_sess, FTP_EPRTOK,
+                  "EPRT command successful. Consider using EPSV.");
+  return;
+bad_eprt:
+  vsf_cmdio_write(p_sess, FTP_BADCMD, "Bad EPRT command.");
+}
+
+/* XXX - add AUTH etc. */
+static void
+handle_help(struct vsf_session* p_sess)
+{
+  vsf_cmdio_write_hyphen(p_sess, FTP_HELP,
+                         "The following commands are recognized.");
+  vsf_cmdio_write_raw(p_sess,
+" ABOR ACCT ALLO APPE CDUP CWD  DELE EPRT EPSV FEAT HELP LIST MDTM MKD\r\n");
+  vsf_cmdio_write_raw(p_sess,
+" MODE NLST NOOP OPTS PASS PASV PORT PWD  QUIT REIN REST RETR RMD  RNFR\r\n");
+  vsf_cmdio_write_raw(p_sess,
+" RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD\r\n");
+  vsf_cmdio_write_raw(p_sess,
+" XPWD XRMD\r\n");
+  vsf_cmdio_write(p_sess, FTP_HELP, "Help OK.");
+}
+
+static void
+handle_stou(struct vsf_session* p_sess)
+{
+  handle_upload_common(p_sess, 0, 1);
+}
+
+static void
+get_unique_filename(struct mystr* p_outstr, const struct mystr* p_base_str)
+{
+  /* Use silly wu-ftpd algorithm for compatibility. It has races of course, if
+   * two sessions are using the same file prefix at the same time.
+   */
+  static struct vsf_sysutil_statbuf* s_p_statbuf;
+  static struct mystr s_stou_str;
+  unsigned int suffix = 1;
+  const struct mystr* p_real_base_str = p_base_str;
+  int retval;
+  if (str_isempty(p_real_base_str))
+  {
+    str_alloc_text(&s_stou_str, "STOU");
+    p_real_base_str = &s_stou_str;
+  }
+  else
+  {
+    /* Do not add any suffix at all if the name is not taken. */
+    retval = str_stat(p_real_base_str, &s_p_statbuf);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+       str_copy(p_outstr, p_real_base_str);
+       return;
+    }
+  }
+  while (1)
+  {
+    str_copy(p_outstr, p_real_base_str);
+    str_append_char(p_outstr, '.');
+    str_append_ulong(p_outstr, suffix);
+    retval = str_stat(p_outstr, &s_p_statbuf);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      return;
+    }
+    ++suffix;
+  }
+}
+
+static void
+handle_stat(struct vsf_session* p_sess)
+{
+  vsf_cmdio_write_hyphen(p_sess, FTP_STATOK, "FTP server status:");
+  vsf_cmdio_write_raw(p_sess, "     Connected to ");
+  vsf_cmdio_write_raw(p_sess, str_getbuf(&p_sess->remote_ip_str));
+  vsf_cmdio_write_raw(p_sess, "\r\n");
+  vsf_cmdio_write_raw(p_sess, "     Logged in as ");
+  vsf_cmdio_write_raw(p_sess, str_getbuf(&p_sess->user_str));
+  vsf_cmdio_write_raw(p_sess, "\r\n");
+  vsf_cmdio_write_raw(p_sess, "     TYPE: ");
+  if (p_sess->is_ascii)
+  {
+    vsf_cmdio_write_raw(p_sess, "ASCII\r\n");
+  }
+  else
+  {
+    vsf_cmdio_write_raw(p_sess, "BINARY\r\n");
+  }
+  if (p_sess->bw_rate_max == 0)
+  {
+    vsf_cmdio_write_raw(p_sess, "     No session bandwidth limit\r\n");
+  }
+  else
+  {
+    vsf_cmdio_write_raw(p_sess, "     Session bandwidth limit in byte/s is ");
+    vsf_cmdio_write_raw(p_sess, vsf_sysutil_ulong_to_str(p_sess->bw_rate_max));
+    vsf_cmdio_write_raw(p_sess, "\r\n");
+  }
+  if (tunable_idle_session_timeout == 0)
+  {
+    vsf_cmdio_write_raw(p_sess, "     No session timeout\r\n");
+  }
+  else
+  {
+    vsf_cmdio_write_raw(p_sess, "     Session timeout in seconds is ");
+    vsf_cmdio_write_raw(p_sess,
+      vsf_sysutil_ulong_to_str(tunable_idle_session_timeout));
+    vsf_cmdio_write_raw(p_sess, "\r\n");
+  }
+  if (p_sess->control_use_ssl)
+  {
+    vsf_cmdio_write_raw(p_sess, "     Control connection is encrypted\r\n"); 
+  }
+  else
+  {
+    vsf_cmdio_write_raw(p_sess, "     Control connection is plain text\r\n"); 
+  }
+  if (p_sess->data_use_ssl)
+  {
+    vsf_cmdio_write_raw(p_sess, "     Data connections will be encrypted\r\n"); 
+  }
+  else
+  {
+    vsf_cmdio_write_raw(p_sess, "     Data connections will be plain text\r\n");
+  }
+  if (p_sess->num_clients > 0)
+  {
+    vsf_cmdio_write_raw(p_sess, "     At session startup, client count was ");
+    vsf_cmdio_write_raw(p_sess, vsf_sysutil_ulong_to_str(p_sess->num_clients));
+    vsf_cmdio_write_raw(p_sess, "\r\n");
+  }
+  vsf_cmdio_write_raw(p_sess,
+    "     vsFTPd " VSF_VERSION " - secure, fast, stable\r\n");
+  vsf_cmdio_write(p_sess, FTP_STATOK, "End of status");
+}
+
+static void
+handle_stat_file(struct vsf_session* p_sess)
+{
+  handle_dir_common(p_sess, 1, 1);
+}
+
+static int
+data_transfer_checks_ok(struct vsf_session* p_sess)
+{
+  if (!pasv_active(p_sess) && !port_active(p_sess))
+  {
+    vsf_cmdio_write(p_sess, FTP_BADSENDCONN, "Use PORT or PASV first.");
+    return 0;
+  }
+  if (tunable_ssl_enable && !p_sess->data_use_ssl &&
+      ((tunable_force_local_data_ssl && !p_sess->is_anonymous) ||
+       (tunable_force_anon_data_ssl && p_sess->is_anonymous)))
+  {
+    vsf_cmdio_write(
+      p_sess, FTP_NEEDENCRYPT, "Data connections must be encrypted.");
+    return 0;
+  }
+  return 1;
+}
+
+static void
+resolve_tilde(struct mystr* p_str, struct vsf_session* p_sess)
+{
+  unsigned int len = str_getlen(p_str);
+  if (len > 0 && str_get_char_at(p_str, 0) == '~')
+  {
+    static struct mystr s_rhs_str;
+    if (len == 1 || str_get_char_at(p_str, 1) == '/')
+    {
+      str_split_char(p_str, &s_rhs_str, '~');
+      str_copy(p_str, &p_sess->home_str);
+      str_append_str(p_str, &s_rhs_str);
+    }
+    else if (tunable_tilde_user_enable && len > 1)
+    {
+      static struct mystr s_user_str;
+      struct vsf_sysutil_user* p_user;
+      str_copy(&s_rhs_str, p_str);
+      str_split_char(&s_rhs_str, &s_user_str, '~');
+      str_split_char(&s_user_str, &s_rhs_str, '/');
+      p_user = str_getpwnam(&s_user_str);
+      if (p_user != 0)
+      {
+        str_alloc_text(p_str, vsf_sysutil_user_get_homedir(p_user));
+        if (!str_isempty(&s_rhs_str))
+        {
+          str_append_char(p_str, '/');
+          str_append_str(p_str, &s_rhs_str);
+        }
+      }
+    }
+  }
+}
+
+static void handle_logged_in_user(struct vsf_session* p_sess)
+{
+  if (p_sess->is_anonymous)
+  {
+    vsf_cmdio_write(p_sess, FTP_LOGINERR, "Can't change from guest user.");
+  }
+  else if (str_equal(&p_sess->user_str, &p_sess->ftp_arg_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_GIVEPWORD, "Any password will do.");
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_LOGINERR, "Can't change to another user.");
+  }
+}
+
+static void handle_logged_in_pass(struct vsf_session* p_sess)
+{
+  vsf_cmdio_write(p_sess, FTP_LOGINOK, "Already logged in.");
+}
+
+static void
+handle_http(struct vsf_session* p_sess)
+{
+  /* Warning: Doesn't respect cmds_allowed etc. because there is currently only
+   * one command (GET)!
+   * HTTP likely doesn't respect other important FTP options. I don't think
+   * logging works.
+   */
+  if (!tunable_download_enable)
+  {
+    bug("HTTP needs download - fix your config");
+  }
+  /* Eat the HTTP headers, which we don't care about. */
+  do
+  {
+    vsf_cmdio_get_cmd_and_arg(p_sess, &p_sess->ftp_cmd_str,
+                              &p_sess->ftp_arg_str, 1);
+  }
+  while (!str_isempty(&p_sess->ftp_cmd_str) ||
+         !str_isempty(&p_sess->ftp_arg_str));
+  vsf_cmdio_write_raw(p_sess, "HTTP/1.1 200 OK\r\n");
+  vsf_cmdio_write_raw(p_sess, "ftpz alpha\r\n");
+  vsf_cmdio_write_raw(p_sess, "Connection: close\r\n");
+  vsf_cmdio_write_raw(p_sess, "X-Frame-Options: SAMEORIGIN\r\n");
+  vsf_cmdio_write_raw(p_sess, "X-Content-Type-Options: nosniff\r\n");
+  /* Split the path from the HTTP/1.x */
+  str_split_char(&p_sess->http_get_arg, &p_sess->ftp_arg_str, ' ');
+  str_copy(&p_sess->ftp_arg_str, &p_sess->http_get_arg);
+  str_split_char(&p_sess->http_get_arg, &p_sess->ftp_cmd_str, '.');
+  str_upper(&p_sess->ftp_cmd_str);
+  if (str_equal_text(&p_sess->ftp_cmd_str, "HTML") ||
+      str_equal_text(&p_sess->ftp_cmd_str, "HTM"))
+  {
+    vsf_cmdio_write_raw(p_sess, "Content-Type: text/html\r\n");
+  }
+  else
+  {
+    vsf_cmdio_write_raw(p_sess, "Content-Type: dunno\r\n");
+  }
+  vsf_cmdio_write_raw(p_sess, "\r\n");
+  p_sess->is_ascii = 0;
+  p_sess->restart_pos = 0;
+  handle_retr(p_sess, 1);
+  if (vsf_log_entry_pending(p_sess))
+  {
+    vsf_log_do_log(p_sess, 0);
+  }
+  vsf_sysutil_exit(0);
+}

postlogin.h

@@ -0,0 +1,15 @@
+#ifndef VSF_POSTLOGIN_H
+#define VSF_POSTLOGIN_H
+
+struct vsf_session;
+
+/* process_post_login()
+ * PURPOSE
+ * Called to begin FTP protocol parsing for a logged in session.
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void process_post_login(struct vsf_session* p_sess);
+
+#endif /* VSF_POSTLOGIN_H */
+

postprivparent.c

@@ -0,0 +1,184 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * postprivparent.c
+ *
+ * This file contains all privileged parent services offered after logging
+ * in. This includes e.g. chown() of uploaded files, issuing of port 20
+ * sockets.
+ */
+
+#include "postprivparent.h"
+#include "session.h"
+#include "privops.h"
+#include "privsock.h"
+#include "utility.h"
+#include "tunables.h"
+#include "defs.h"
+#include "sysutil.h"
+#include "str.h"
+#include "secutil.h"
+#include "sysstr.h"
+#include "sysdeputil.h"
+#include "seccompsandbox.h"
+
+static void minimize_privilege(struct vsf_session* p_sess);
+static void process_post_login_req(struct vsf_session* p_sess);
+static void cmd_process_chown(struct vsf_session* p_sess);
+static void cmd_process_get_data_sock(struct vsf_session* p_sess);
+static void cmd_process_pasv_cleanup(struct vsf_session* p_sess);
+static void cmd_process_pasv_active(struct vsf_session* p_sess);
+static void cmd_process_pasv_listen(struct vsf_session* p_sess);
+static void cmd_process_pasv_accept(struct vsf_session* p_sess);
+
+void
+vsf_priv_parent_postlogin(struct vsf_session* p_sess)
+{
+  minimize_privilege(p_sess);
+  /* We're still here... */
+  while (1)
+  {
+    process_post_login_req(p_sess);
+  }
+}
+
+static void
+process_post_login_req(struct vsf_session* p_sess)
+{
+  char cmd;
+  /* Blocks */
+  cmd = priv_sock_get_cmd(p_sess->parent_fd);
+  if (tunable_chown_uploads && cmd == PRIV_SOCK_CHOWN)
+  {
+    cmd_process_chown(p_sess);
+  }
+  else if (cmd == PRIV_SOCK_GET_DATA_SOCK)
+  {
+    cmd_process_get_data_sock(p_sess);
+  }
+  else if (cmd == PRIV_SOCK_PASV_CLEANUP)
+  {
+    cmd_process_pasv_cleanup(p_sess);
+  }
+  else if (cmd == PRIV_SOCK_PASV_ACTIVE)
+  {
+    cmd_process_pasv_active(p_sess);
+  }
+  else if (cmd == PRIV_SOCK_PASV_LISTEN)
+  {
+    cmd_process_pasv_listen(p_sess);
+  }
+  else if (cmd == PRIV_SOCK_PASV_ACCEPT)
+  {
+    cmd_process_pasv_accept(p_sess);
+  }
+  else
+  {
+    die("bad request in process_post_login_req");
+  }
+}
+
+static void
+minimize_privilege(struct vsf_session* p_sess)
+{
+  /* So, we logged in and forked a totally unprivileged child. Our job
+   * now is to minimize the privilege we need in order to act as a helper
+   * to the child.
+   */
+  if (!p_sess->is_anonymous && tunable_session_support)
+  {
+    /* Need to hang around to update logs, utmp, wtmp etc. on logout.
+     * Need to keep privs to do this. */
+    return;
+  }
+  {
+    unsigned int caps = 0;
+    struct mystr user_str = INIT_MYSTR;
+    struct mystr dir_str = INIT_MYSTR;
+    if (tunable_nopriv_user)
+    {
+      str_alloc_text(&user_str, tunable_nopriv_user);
+    }
+    if (tunable_secure_chroot_dir)
+    {
+      str_alloc_text(&dir_str, tunable_secure_chroot_dir);
+    }
+    if (tunable_chown_uploads)
+    {
+      caps |= kCapabilityCAP_CHOWN;
+    }
+    if (tunable_connect_from_port_20)
+    {
+      caps |= kCapabilityCAP_NET_BIND_SERVICE;
+    }
+    vsf_secutil_change_credentials(&user_str, &dir_str, 0, caps,
+                                   VSF_SECUTIL_OPTION_CHROOT);
+    str_free(&user_str);
+    str_free(&dir_str);
+  }
+  seccomp_sandbox_init();
+  seccomp_sandbox_setup_postlogin_broker();
+  seccomp_sandbox_lockdown();
+}
+
+static void
+cmd_process_chown(struct vsf_session* p_sess)
+{
+  int the_fd = priv_sock_recv_fd(p_sess->parent_fd);
+  vsf_privop_do_file_chown(p_sess, the_fd);
+  vsf_sysutil_close(the_fd);
+  priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
+}
+
+static void
+cmd_process_get_data_sock(struct vsf_session* p_sess)
+{
+  unsigned short port = (unsigned short) priv_sock_get_int(p_sess->parent_fd);
+  int sock_fd = vsf_privop_get_ftp_port_sock(p_sess, port, 0);
+  if (sock_fd == -1)
+  {
+    priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_BAD);
+    return;
+  }
+  priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
+  priv_sock_send_fd(p_sess->parent_fd, sock_fd);
+  vsf_sysutil_close(sock_fd);
+}
+
+static void
+cmd_process_pasv_cleanup(struct vsf_session* p_sess)
+{
+  vsf_privop_pasv_cleanup(p_sess);
+  priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
+}
+
+static void
+cmd_process_pasv_active(struct vsf_session* p_sess)
+{
+  int active = vsf_privop_pasv_active(p_sess);
+  priv_sock_send_int(p_sess->parent_fd, active);
+}
+
+static void
+cmd_process_pasv_listen(struct vsf_session* p_sess)
+{
+  unsigned short port = vsf_privop_pasv_listen(p_sess);
+  priv_sock_send_int(p_sess->parent_fd, port);
+}
+
+static void
+cmd_process_pasv_accept(struct vsf_session* p_sess)
+{
+  int fd = vsf_privop_accept_pasv(p_sess);
+  if (fd < 0)
+  {
+    priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_BAD);
+    priv_sock_send_int(p_sess->parent_fd, fd);
+    return;
+  }
+  priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
+  priv_sock_send_fd(p_sess->parent_fd, fd);
+  vsf_sysutil_close(fd);
+}
+

postprivparent.h

@@ -0,0 +1,16 @@
+#ifndef VSF_LOGINPRIVPARENT_H
+#define VSF_LOGINPRIVPARENT_H
+
+struct vsf_session;
+
+/* vsf_priv_parent_postlogin()
+ * PURPOSE
+ * Called in the two process security model to commence "listening" for
+ * requests from the unprivileged child.
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void vsf_priv_parent_postlogin(struct vsf_session* p_sess);
+
+#endif /* VSF_LOGINPRIVPARENT_H */
+

prelogin.c

@@ -0,0 +1,302 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * prelogin.c
+ *
+ * Code to parse the FTP protocol prior to a successful login.
+ */
+
+#include "prelogin.h"
+#include "ftpcmdio.h"
+#include "ftpcodes.h"
+#include "str.h"
+#include "vsftpver.h"
+#include "tunables.h"
+#include "oneprocess.h"
+#include "twoprocess.h"
+#include "sysdeputil.h"
+#include "sysutil.h"
+#include "session.h"
+#include "banner.h"
+#include "logging.h"
+#include "ssl.h"
+#include "features.h"
+#include "defs.h"
+#include "opts.h"
+
+/* Functions used */
+static void check_limits(struct vsf_session* p_sess);
+static void emit_greeting(struct vsf_session* p_sess);
+static void parse_username_password(struct vsf_session* p_sess);
+static void handle_user_command(struct vsf_session* p_sess);
+static void handle_pass_command(struct vsf_session* p_sess);
+static void handle_get(struct vsf_session* p_sess);
+static void check_login_delay();
+static void check_login_fails(struct vsf_session* p_sess);
+
+void
+init_connection(struct vsf_session* p_sess)
+{
+  if (tunable_setproctitle_enable)
+  {
+    vsf_sysutil_setproctitle("not logged in");
+  }
+  /* Before we talk to the remote, make sure an alarm is set up in case
+   * writing the initial greetings should block.
+   */
+  vsf_cmdio_set_alarm(p_sess);
+  /* Check limits before doing an implicit SSL handshake, to avoid DoS
+   * attacks. This will result in plain text messages being sent to the SSL
+   * client, but we can live with that.
+   */
+  check_limits(p_sess);
+  if (tunable_ssl_enable && tunable_implicit_ssl)
+  {
+    ssl_control_handshake(p_sess);
+  }
+  if (tunable_ftp_enable)
+  {
+    emit_greeting(p_sess);
+  }
+  parse_username_password(p_sess);
+}
+
+static void
+check_limits(struct vsf_session* p_sess)
+{
+  struct mystr str_log_line = INIT_MYSTR;
+  /* Check for client limits (standalone mode only) */
+  if (tunable_max_clients > 0 &&
+      p_sess->num_clients > tunable_max_clients)
+  {
+    str_alloc_text(&str_log_line, "Connection refused: too many sessions.");
+    vsf_log_line(p_sess, kVSFLogEntryConnection, &str_log_line);
+    vsf_cmdio_write_exit(p_sess, FTP_TOO_MANY_USERS,
+      "There are too many connected users, please try later.", 1);
+  }
+  if (tunable_max_per_ip > 0 &&
+      p_sess->num_this_ip > tunable_max_per_ip)
+  {
+    str_alloc_text(&str_log_line,
+                   "Connection refused: too many sessions for this address.");
+    vsf_log_line(p_sess, kVSFLogEntryConnection, &str_log_line);
+    vsf_cmdio_write_exit(p_sess, FTP_IP_LIMIT,
+      "There are too many connections from your internet address.", 1);
+  }
+  if (!p_sess->tcp_wrapper_ok)
+  {
+    str_alloc_text(&str_log_line,
+                   "Connection refused: tcp_wrappers denial.");
+    vsf_log_line(p_sess, kVSFLogEntryConnection, &str_log_line);
+    vsf_cmdio_write_exit(p_sess, FTP_IP_DENY, "Service not available.", 1);
+  }
+  vsf_log_line(p_sess, kVSFLogEntryConnection, &str_log_line);
+}
+
+static void
+emit_greeting(struct vsf_session* p_sess)
+{
+  if (!str_isempty(&p_sess->banner_str))
+  {
+    vsf_banner_write(p_sess, &p_sess->banner_str, FTP_GREET);
+    str_free(&p_sess->banner_str);
+    vsf_cmdio_write(p_sess, FTP_GREET, "");
+  }
+  else if (tunable_ftpd_banner == 0)
+  {
+    vsf_cmdio_write(p_sess, FTP_GREET, "ProFTPD 8.6.6 Server (FTPz + Malloc/standalone patch : faz.o )");
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_GREET, tunable_ftpd_banner);
+  }
+}
+
+static void
+parse_username_password(struct vsf_session* p_sess)
+{
+  while (1)
+  {
+    vsf_cmdio_get_cmd_and_arg(p_sess, &p_sess->ftp_cmd_str,
+                              &p_sess->ftp_arg_str, 1);
+    if (tunable_ftp_enable)
+    {
+      if (str_equal_text(&p_sess->ftp_cmd_str, "USER"))
+      {
+        handle_user_command(p_sess);
+      }
+      else if (str_equal_text(&p_sess->ftp_cmd_str, "PASS"))
+      {
+        handle_pass_command(p_sess);
+      }
+      else if (str_equal_text(&p_sess->ftp_cmd_str, "QUIT"))
+      {
+        vsf_cmdio_write_exit(p_sess, FTP_GOODBYE, "Goodbye.", 0);
+      }
+      else if (str_equal_text(&p_sess->ftp_cmd_str, "FEAT"))
+      {
+        handle_feat(p_sess);
+      }
+      else if (str_equal_text(&p_sess->ftp_cmd_str, "OPTS"))
+      {
+        handle_opts(p_sess);
+      }
+      else if (tunable_ssl_enable &&
+               str_equal_text(&p_sess->ftp_cmd_str, "AUTH") &&
+               !p_sess->control_use_ssl)
+      {
+        handle_auth(p_sess);
+      }
+      else if (tunable_ssl_enable &&
+               str_equal_text(&p_sess->ftp_cmd_str, "PBSZ"))
+      {
+        handle_pbsz(p_sess);
+      }
+      else if (tunable_ssl_enable &&
+               str_equal_text(&p_sess->ftp_cmd_str, "PROT"))
+      {
+        handle_prot(p_sess);
+      }
+      else if (str_isempty(&p_sess->ftp_cmd_str) &&
+               str_isempty(&p_sess->ftp_arg_str))
+      {
+        /* Deliberately ignore to avoid NAT device bugs, as per ProFTPd. */
+      }
+      else
+      {
+        vsf_cmdio_write(p_sess, FTP_LOGINERR,
+                        "Please login with USER and PASS.");
+      }
+    }
+    else if (tunable_http_enable)
+    {
+      if (str_equal_text(&p_sess->ftp_cmd_str, "GET"))
+      {
+        handle_get(p_sess);
+      }
+      else
+      {
+        vsf_cmdio_write(p_sess, FTP_LOGINERR, "Bad HTTP verb.");
+      }
+      vsf_sysutil_exit(0);
+    }
+  }
+}
+
+static void
+handle_get(struct vsf_session* p_sess)
+{
+  p_sess->is_http = 1;
+  str_copy(&p_sess->http_get_arg, &p_sess->ftp_arg_str);
+  str_alloc_text(&p_sess->user_str, "FTP");
+  str_alloc_text(&p_sess->ftp_arg_str, "<http>");
+  handle_pass_command(p_sess);
+}
+
+static void
+handle_user_command(struct vsf_session* p_sess)
+{
+  /* SECURITY: If we're in anonymous only-mode, immediately reject
+   * non-anonymous usernames in the hope we save passwords going plaintext
+   * over the network
+   */
+  int is_anon = 1;
+  str_copy(&p_sess->user_str, &p_sess->ftp_arg_str);
+  str_upper(&p_sess->ftp_arg_str);
+  if (!str_equal_text(&p_sess->ftp_arg_str, "FTP") &&
+      !str_equal_text(&p_sess->ftp_arg_str, "ANONYMOUS"))
+  {
+    is_anon = 0;
+  }
+  if (!tunable_local_enable && !is_anon)
+  {
+    vsf_cmdio_write(
+      p_sess, FTP_LOGINERR, "This FTP server is anonymous only.");
+    str_empty(&p_sess->user_str);
+    return;
+  }
+  if (is_anon && p_sess->control_use_ssl && !tunable_allow_anon_ssl &&
+      !tunable_force_anon_logins_ssl)
+  {
+    vsf_cmdio_write(
+      p_sess, FTP_LOGINERR, "Anonymous sessions may not use encryption.");
+    str_empty(&p_sess->user_str);
+    return;
+  }
+  if (tunable_ssl_enable && !is_anon && !p_sess->control_use_ssl &&
+      tunable_force_local_logins_ssl)
+  {
+    vsf_cmdio_write_exit(
+      p_sess, FTP_LOGINERR, "Non-anonymous sessions must use encryption.", 1);
+  }
+  if (tunable_ssl_enable && is_anon && !p_sess->control_use_ssl &&
+      tunable_force_anon_logins_ssl)
+  { 
+    vsf_cmdio_write_exit(
+      p_sess, FTP_LOGINERR, "Anonymous sessions must use encryption.", 1);
+  }
+  if (tunable_userlist_enable)
+  {
+    int located = str_contains_line(&p_sess->userlist_str, &p_sess->user_str);
+    if ((located && tunable_userlist_deny) ||
+        (!located && !tunable_userlist_deny))
+    {
+      check_login_delay();
+      vsf_cmdio_write(p_sess, FTP_LOGINERR, "Permission denied.");
+      check_login_fails(p_sess);
+      str_empty(&p_sess->user_str);
+      return;
+    }
+  }
+  if (is_anon && tunable_no_anon_password)
+  {
+    /* Fake a password */
+    str_alloc_text(&p_sess->ftp_arg_str, "<no password>");
+    handle_pass_command(p_sess);
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_GIVEPWORD, "Please specify the password.");
+  }
+}
+
+static void
+handle_pass_command(struct vsf_session* p_sess)
+{
+  if (str_isempty(&p_sess->user_str))
+  {
+    vsf_cmdio_write(p_sess, FTP_NEEDUSER, "Login with USER first.");
+    return;
+  }
+  /* These login calls never return if successful */
+  if (tunable_one_process_model)
+  {
+    vsf_one_process_login(p_sess, &p_sess->ftp_arg_str);
+  }
+  else
+  {
+    vsf_two_process_login(p_sess, &p_sess->ftp_arg_str);
+  }
+  vsf_cmdio_write(p_sess, FTP_LOGINERR, "Login incorrect.");
+  check_login_fails(p_sess);
+  str_empty(&p_sess->user_str);
+  /* FALLTHRU if login fails */
+}
+
+static void check_login_delay()
+{
+  if (tunable_delay_failed_login)
+  {
+    vsf_sysutil_sleep((double) tunable_delay_failed_login);
+  }
+}
+
+static void check_login_fails(struct vsf_session* p_sess)
+{
+  if (++p_sess->login_fails >= tunable_max_login_fails)
+  {
+    vsf_sysutil_shutdown_failok(VSFTP_COMMAND_FD);
+    vsf_sysutil_exit(1);
+  }
+}

prelogin.h

@@ -0,0 +1,16 @@
+#ifndef VSF_PRELOGIN_H
+#define VSF_PRELOGIN_H
+
+struct vsf_session;
+
+/* init_connection()
+ * PURPOSE
+ * Called as an entry point to FTP protocol processing, when a client connects.
+ * This function will emit the FTP greeting, then start talking FTP protocol
+ * to the client.
+ * PARAMETERS
+ * p_sess         - the current session object
+ */
+void init_connection(struct vsf_session* p_sess);
+
+#endif /* VSF_PRELOGIN_H */

privops.c

@@ -0,0 +1,409 @@
+/*
+ * Part of Very Secure FTPd
+ * License: GPL v2
+ * Author: Chris Evans
+ * privops.c
+ *
+ * Code implementing the privileged operations that the unprivileged client
+ * might request.
+ * Look for suitable paranoia in this file.
+ */
+
+#include "privops.h"
+#include "session.h"
+#include "sysdeputil.h"
+#include "sysutil.h"
+#include "utility.h"
+#include "str.h"
+#include "tunables.h"
+#include "defs.h"
+#include "logging.h"
+
+/* File private functions */
+static enum EVSFPrivopLoginResult handle_anonymous_login(
+  struct vsf_session* p_sess, const struct mystr* p_pass_str);
+static enum EVSFPrivopLoginResult handle_local_login(
+  struct vsf_session* p_sess, struct mystr* p_user_str,
+  const struct mystr* p_pass_str);
+static void setup_username_globals(struct vsf_session* p_sess,
+                                   const struct mystr* p_str);
+static enum EVSFPrivopLoginResult handle_login(
+  struct vsf_session* p_sess, struct mystr* p_user_str,
+  const struct mystr* p_pass_str);
+
+int
+vsf_privop_get_ftp_port_sock(struct vsf_session* p_sess,
+                             unsigned short remote_port,
+                             int use_port_sockaddr)
+{
+  static struct vsf_sysutil_sockaddr* p_sockaddr;
+  const struct vsf_sysutil_sockaddr* p_connect_to;
+  int retval;
+  int i;
+  int s = vsf_sysutil_get_ipsock(p_sess->p_local_addr);
+  unsigned short port = 0;
+  if (p_sess->pasv_listen_fd != -1)
+  {
+    die("listed fd is active?");
+  }
+  if (vsf_sysutil_is_port_reserved(remote_port))
+  {
+    die("Illegal port request");
+  }
+  if (tunable_connect_from_port_20)
+  {
+    port = (unsigned short) tunable_ftp_data_port;
+  }
+  vsf_sysutil_activate_reuseaddr(s);
+  /* A report of failure here on Solaris, presumably buggy address reuse
+   * support? We'll retry.
+   */
+  for (i = 0; i < 2; ++i)
+  {
+    double sleep_for;
+    vsf_sysutil_sockaddr_clone(&p_sockaddr, p_sess->p_local_addr);
+    vsf_sysutil_sockaddr_set_port(p_sockaddr, port);
+    retval = vsf_sysutil_bind(s, p_sockaddr);
+    if (retval == 0)
+    {
+      break;
+    }
+    if (vsf_sysutil_get_error() != kVSFSysUtilErrADDRINUSE || i == 1)
+    {
+      die("vsf_sysutil_bind");
+    }
+    sleep_for = vsf_sysutil_get_random_byte();
+    sleep_for /= 256.0;
+    sleep_for += 1.0;
+    vsf_sysutil_sleep(sleep_for);
+  }
+  if (use_port_sockaddr)
+  {
+    p_connect_to = p_sess->p_port_sockaddr;
+  }
+  else
+  {
+    vsf_sysutil_sockaddr_set_port(p_sess->p_remote_addr, remote_port);
+    p_connect_to = p_sess->p_remote_addr;
+  }
+  retval = vsf_sysutil_connect_timeout(s, p_connect_to,
+                                       tunable_connect_timeout);
+  if (vsf_sysutil_retval_is_error(retval))
+  {
+    vsf_sysutil_close(s);
+    s = -1;
+  }
+  return s;
+}
+
+void
+vsf_privop_pasv_cleanup(struct vsf_session* p_sess)
+{
+  if (p_sess->pasv_listen_fd != -1)
+  {
+    vsf_sysutil_close(p_sess->pasv_listen_fd);
+    p_sess->pasv_listen_fd = -1;
+  }
+}
+
+int
+vsf_privop_pasv_active(struct vsf_session* p_sess)
+{
+  if (p_sess->pasv_listen_fd != -1)
+  {
+    return 1;
+  }
+  return 0;
+}
+
+unsigned short
+vsf_privop_pasv_listen(struct vsf_session* p_sess)
+{
+  static struct vsf_sysutil_sockaddr* s_p_sockaddr;
+  int bind_retries = 10;
+  unsigned short the_port;
+  /* IPPORT_RESERVED */
+  unsigned short min_port = 1024;
+  unsigned short max_port = 65535;
+  int is_ipv6 = vsf_sysutil_sockaddr_is_ipv6(p_sess->p_local_addr);
+  if (p_sess->pasv_listen_fd != -1)
+  {
+    die("listed fd already active");
+  }
+
+  if (tunable_pasv_min_port > min_port && tunable_pasv_min_port <= max_port)
+  {
+    min_port = (unsigned short) tunable_pasv_min_port;
+  }
+  if (tunable_pasv_max_port >= min_port && tunable_pasv_max_port < max_port)
+  {
+    max_port = (unsigned short) tunable_pasv_max_port;
+  }
+
+  while (--bind_retries)
+  {
+    int retval;
+    double scaled_port;
+    the_port = vsf_sysutil_get_random_byte();
+    the_port = (unsigned short) (the_port << 8);
+    the_port = (unsigned short) (the_port | vsf_sysutil_get_random_byte());
+    scaled_port = (double) min_port;
+    scaled_port += ((double) the_port / (double) 65536) *
+                   ((double) max_port - min_port + 1);
+    the_port = (unsigned short) scaled_port;
+    if (is_ipv6)
+    {
+      p_sess->pasv_listen_fd = vsf_sysutil_get_ipv6_sock();
+    }
+    else
+    {
+      p_sess->pasv_listen_fd = vsf_sysutil_get_ipv4_sock();
+    }
+    vsf_sysutil_activate_reuseaddr(p_sess->pasv_listen_fd);
+    vsf_sysutil_sockaddr_clone(&s_p_sockaddr, p_sess->p_local_addr);
+    vsf_sysutil_sockaddr_set_port(s_p_sockaddr, the_port);
+    retval = vsf_sysutil_bind(p_sess->pasv_listen_fd, s_p_sockaddr);
+    if (!vsf_sysutil_retval_is_error(retval))
+    {
+      retval = vsf_sysutil_listen(p_sess->pasv_listen_fd, 1);
+      if (!vsf_sysutil_retval_is_error(retval))
+      {
+        break;
+      }
+    }
+    /* SELinux systems can give you an inopportune EACCES, it seems. */
+    if (vsf_sysutil_get_error() == kVSFSysUtilErrADDRINUSE ||
+        vsf_sysutil_get_error() == kVSFSysUtilErrACCES)
+    {
+      vsf_sysutil_close(p_sess->pasv_listen_fd);
+      p_sess->pasv_listen_fd = -1;
+      continue;
+    }
+    die("vsf_sysutil_bind / listen");
+  }
+  if (!bind_retries)
+  {
+    die("vsf_sysutil_bind");
+  }
+  return the_port;
+}
+
+int
+vsf_privop_accept_pasv(struct vsf_session* p_sess)
+{
+  struct vsf_sysutil_sockaddr* p_accept_addr = 0;
+  int remote_fd;
+  if (p_sess->pasv_listen_fd == -1)
+  {
+    die("listed fd not active");
+  }
+  vsf_sysutil_sockaddr_alloc(&p_accept_addr);
+  remote_fd = vsf_sysutil_accept_timeout(p_sess->pasv_listen_fd, p_accept_addr,
+                                         tunable_accept_timeout);
+  if (vsf_sysutil_retval_is_error(remote_fd))
+  {
+    vsf_sysutil_sockaddr_clear(&p_accept_addr);
+    return -1;
+  }
+  /* SECURITY:
+   * Reject the connection if it wasn't from the same IP as the
+   * control connection.
+   */
+  if (!tunable_pasv_promiscuous)
+  {
+    if (!vsf_sysutil_sockaddr_addr_equal(p_sess->p_remote_addr, p_accept_addr))
+    {
+      vsf_sysutil_close(remote_fd);
+      vsf_sysutil_sockaddr_clear(&p_accept_addr);
+      return -2;
+    }
+  }
+  vsf_sysutil_sockaddr_clear(&p_accept_addr);
+  return remote_fd;
+}
+
+void
+vsf_privop_do_file_chown(struct vsf_session* p_sess, int fd)
+{
+  static struct vsf_sysutil_statbuf* s_p_statbuf;
+  vsf_sysutil_fstat(fd, &s_p_statbuf);
+  /* Do nothing if it is already owned by the desired user. */
+  if (vsf_sysutil_statbuf_get_uid(s_p_statbuf) ==
+      p_sess->anon_upload_chown_uid)
+  {
+    return;
+  }
+  /* Drop it like a hot potato unless it's a regular file owned by
+   * the the anonymous ftp user
+   */
+  if (p_sess->anon_upload_chown_uid == -1 ||
+      !vsf_sysutil_statbuf_is_regfile(s_p_statbuf) ||
+      (vsf_sysutil_statbuf_get_uid(s_p_statbuf) != p_sess->anon_ftp_uid &&
+       vsf_sysutil_statbuf_get_uid(s_p_statbuf) != p_sess->guest_user_uid))
+  {
+    die("invalid fd in cmd_process_chown");
+  }
+  /* SECURITY! You need an OS which strips SUID/SGID bits on chown(),
+   * otherwise a compromise of the FTP user will lead to compromise of
+   * the "anon_upload_chown_uid" user (think chmod +s).
+   */
+  vsf_sysutil_fchown(fd, p_sess->anon_upload_chown_uid, -1);
+}
+
+enum EVSFPrivopLoginResult
+vsf_privop_do_login(struct vsf_session* p_sess,
+                    const struct mystr* p_pass_str)
+{
+  enum EVSFPrivopLoginResult result =
+    handle_login(p_sess, &p_sess->user_str, p_pass_str);
+  vsf_log_start_entry(p_sess, kVSFLogEntryLogin);
+  if (result == kVSFLoginFail)
+  {
+    vsf_log_do_log(p_sess, 0);
+    if (tunable_delay_failed_login)
+    {
+      vsf_sysutil_sleep((double) tunable_delay_failed_login);
+    }
+  }
+  else
+  {
+    vsf_log_do_log(p_sess, 1);
+    if (tunable_delay_successful_login)
+    {
+      vsf_sysutil_sleep((double) tunable_delay_successful_login);
+    }
+  }
+  return result;
+}
+
+static enum EVSFPrivopLoginResult
+handle_login(struct vsf_session* p_sess, struct mystr* p_user_str,
+             const struct mystr* p_pass_str)
+{
+  /* Do not assume PAM can cope with dodgy input, even though it
+   * almost certainly can.
+   */
+  int anonymous_login = 0;
+  char first_char;
+  unsigned int len = str_getlen(p_user_str);
+  if (len == 0 || len > VSFTP_USERNAME_MAX)
+  {
+    return kVSFLoginFail;
+  }
+  /* Throw out dodgy start characters */
+  first_char = str_get_char_at(p_user_str, 0);
+  if (!vsf_sysutil_isalnum(first_char) &&
+      first_char != '_' &&
+      first_char != '.')
+  {
+    return kVSFLoginFail;
+  }
+  /* Throw out non-printable characters and space in username */
+  if (str_contains_space(p_user_str) ||
+      str_contains_unprintable(p_user_str))
+  {
+    return kVSFLoginFail;
+  }
+  /* Throw out excessive length passwords */
+  len = str_getlen(p_pass_str);
+  if (len > VSFTP_PASSWORD_MAX)
+  {
+    return kVSFLoginFail;
+  }
+  /* Check for an anonymous login or "real" login */
+  if (tunable_anonymous_enable)
+  {
+    struct mystr upper_str = INIT_MYSTR;
+    str_copy(&upper_str, p_user_str);
+    str_upper(&upper_str);
+    if (str_equal_text(&upper_str, "FTP") ||
+        str_equal_text(&upper_str, "ANONYMOUS"))
+    {
+      anonymous_login = 1;
+    }
+    str_free(&upper_str);
+  }
+  {
+    enum EVSFPrivopLoginResult result = kVSFLoginFail;
+    if (anonymous_login)
+    {
+      result = handle_anonymous_login(p_sess, p_pass_str);
+    }
+    else
+    {
+      if (!tunable_local_enable)
+      {
+        die("unexpected local login in handle_login");
+      }
+      result = handle_local_login(p_sess, p_user_str, p_pass_str);
+    }
+    return result;
+  }
+}
+
+static enum EVSFPrivopLoginResult
+handle_anonymous_login(struct vsf_session* p_sess,
+                       const struct mystr* p_pass_str)
+{
+  if (!str_isempty(&p_sess->banned_email_str) &&
+      str_contains_line(&p_sess->banned_email_str, p_pass_str))
+  {
+    return kVSFLoginFail;
+  }
+  if (!str_isempty(&p_sess->email_passwords_str) &&
+      (!str_contains_line(&p_sess->email_passwords_str, p_pass_str) ||
+       str_isempty(p_pass_str)))
+  {
+    return kVSFLoginFail;
+  }
+  /* Store the anonymous identity string */
+  str_copy(&p_sess->anon_pass_str, p_pass_str);
+  if (str_isempty(&p_sess->anon_pass_str))
+  {
+    str_alloc_text(&p_sess->anon_pass_str, "?");
+  }
+  /* "Fix" any characters which might upset the log processing */
+  str_replace_char(&p_sess->anon_pass_str, ' ', '_');
+  str_replace_char(&p_sess->anon_pass_str, '\n', '?');
+  {
+    struct mystr ftp_username_str = INIT_MYSTR;
+    if (tunable_ftp_username)
+    {
+      str_alloc_text(&ftp_username_str, tunable_ftp_username);
+    }
+    setup_username_globals(p_sess, &ftp_username_str);
+    str_free(&ftp_username_str);
+  }
+  str_free(&p_sess->banned_email_str);
+  str_free(&p_sess->email_passwords_str);
+  return kVSFLoginAnon;
+}
+
+static enum EVSFPrivopLoginResult
+handle_local_login(struct vsf_session* p_sess,
+                   struct mystr* p_user_str,
+                   const struct mystr* p_pass_str)
+{
+  if (!vsf_sysdep_check_auth(p_user_str, p_pass_str, &p_sess->remote_ip_str))
+  {
+    return kVSFLoginFail;
+  }
+  setup_username_globals(p_sess, p_user_str);
+  return kVSFLoginReal;
+}
+
+static void
+setup_username_globals(struct vsf_session* p_sess, const struct mystr* p_str)
+{
+  str_copy(&p_sess->user_str, p_str);
+  if (tunable_setproctitle_enable)
+  {
+    struct mystr prefix_str = INIT_MYSTR;
+    str_copy(&prefix_str, &p_sess->remote_ip_str);
+    str_append_char(&prefix_str, '/');
+    str_append_str(&prefix_str, p_str);
+    vsf_sysutil_set_proctitle_prefix(&prefix_str);
+    str_free(&prefix_str);
+  }
+}
+

privops.h

@@ -0,0 +1,98 @@
+#ifndef VSF_PRIVOPS_H
+#define VSF_PRIVOPS_H
+
+struct mystr;
+struct vsf_session;
+
+/* vsf_privop_get_ftp_port_sock()
+ * PURPOSE
+ * Return a network socket potentially bound to a privileged port (less than
+ * 1024) and connected to the remote.
+ * PARAMETERS
+ * p_sess            - the current session object
+ * remote_port       - the remote port to connect to
+ * use_port_sockaddr - true if we should use the specific sockaddr for connect
+ * RETURNS
+ * A file descriptor which is a socket bound to the privileged port, and
+ * connected to the remote on the specified port.
+ * Kills the process / session if the bind() fails.
+ * Returns -1 if the bind() worked but the connect() was not possible.
+ */
+int vsf_privop_get_ftp_port_sock(struct vsf_session* p_sess,
+                                 unsigned short remote_port,
+                                 int use_port_sockaddr);
+
+/* vsf_privop_pasv_cleanup()
+ * PURPOSE
+ * Makes sure any listening passive socket is closed.
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void vsf_privop_pasv_cleanup(struct vsf_session* p_sess);
+
+/* vsf_privop_pasv_listen()
+ * PURPOSE
+ * Start listening for an FTP data connection.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * RETURNS
+ * The port we ended up listening on.
+ */
+unsigned short vsf_privop_pasv_listen(struct vsf_session* p_sess);
+
+/* vsf_privop_pasv_active()
+ * PURPOSE
+ * Determine whether there is a passive listening socket active.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * RETURNS
+ * 1 if active, 0 if not.
+ */
+int vsf_privop_pasv_active(struct vsf_session* p_sess);
+
+/* vsf_privop_accept_pasv()
+ * PURPOSE
+ * Accept a connection on the listening data socket.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * RETURNS
+ * The file descriptor of the accepted incoming connection; or -1 if a
+ * network error occurred or -2 if the incoming connection was from the
+ * wrong IP (security issue).
+ */
+int vsf_privop_accept_pasv(struct vsf_session* p_sess);
+
+/* vsf_privop_do_file_chown()
+ * PURPOSE
+ * Takes a file owned by the unprivileged FTP user, and change the ownership
+ * to the value defined in the config file.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * fd           - the file descriptor of the regular file
+ */
+void vsf_privop_do_file_chown(struct vsf_session* p_sess, int fd);
+
+enum EVSFPrivopLoginResult
+{
+  kVSFLoginNull = 0,
+  kVSFLoginFail,
+  kVSFLoginAnon,
+  kVSFLoginReal
+};
+/* vsf_privop_do_login()
+ * PURPOSE
+ * Check if the supplied username/password combination is valid. This
+ * interface caters for checking both anonymous and real logins.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * p_pass_str   - the proposed password
+ * RETURNS
+ * kVSFLoginFail - access denied
+ * kVSFLoginAnon - anonymous login credentials OK
+ * kVSFLoginReal - real login credentials OK
+ */
+enum EVSFPrivopLoginResult vsf_privop_do_login(
+  struct vsf_session* p_sess, const struct mystr* p_pass_str);
+
+#endif /* VSF_PRIVOPS_H */
+

privsock.c

@@ -0,0 +1,214 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * privsock.c
+ *
+ * This file contains code for a simple message and file descriptor passing
+ * API, over a pair of UNIX sockets.
+ * The messages are typically travelling across a privilege boundary, with
+ * heavy distrust of messages on the side of more privilege.
+ */
+
+#include "privsock.h"
+
+#include "utility.h"
+#include "defs.h"
+#include "str.h"
+#include "netstr.h"
+#include "sysutil.h"
+#include "sysdeputil.h"
+#include "session.h"
+
+void
+priv_sock_init(struct vsf_session* p_sess)
+{
+  struct vsf_sysutil_socketpair_retval retval;
+  if (p_sess->parent_fd != -1)
+  {
+    bug("parent_fd active");
+  }
+  if (p_sess->child_fd != -1)
+  {
+    bug("child_fd active");
+  }
+  retval = vsf_sysutil_unix_stream_socketpair();
+  p_sess->parent_fd = retval.socket_one;
+  p_sess->child_fd = retval.socket_two;
+}
+
+void
+priv_sock_close(struct vsf_session* p_sess)
+{
+  if (p_sess->parent_fd != -1)
+  {
+    vsf_sysutil_close(p_sess->parent_fd);
+    p_sess->parent_fd = -1;
+  }
+  if (p_sess->child_fd != -1)
+  {
+    vsf_sysutil_close(p_sess->child_fd);
+    p_sess->child_fd = -1;
+  }
+}
+
+void
+priv_sock_set_parent_context(struct vsf_session* p_sess)
+{
+  if (p_sess->child_fd == -1)
+  {
+    bug("child_fd not active");
+  }
+  vsf_sysutil_close(p_sess->child_fd);
+  p_sess->child_fd = -1;
+}
+
+void
+priv_sock_set_child_context(struct vsf_session* p_sess)
+{
+  if (p_sess->parent_fd == -1)
+  {
+    bug("parent_fd not active");
+  }
+  vsf_sysutil_close(p_sess->parent_fd);
+  p_sess->parent_fd = -1;
+}
+
+void
+priv_sock_send_cmd(int fd, char cmd)
+{
+  int retval = vsf_sysutil_write_loop(fd, &cmd, sizeof(cmd));
+  if (retval != sizeof(cmd))
+  {
+    die("priv_sock_send_cmd");
+  }
+}
+
+void
+priv_sock_send_str(int fd, const struct mystr* p_str)
+{
+  unsigned int len = str_getlen(p_str);
+  priv_sock_send_int(fd, (int) len);
+  if (len > 0)
+  {
+    str_netfd_write(p_str, fd);
+  }
+}
+
+void
+priv_sock_send_buf(int fd, const char* p_buf, unsigned int len)
+{
+  priv_sock_send_int(fd, (int) len);
+  if (len > 0)
+  {
+    if (vsf_sysutil_write_loop(fd, p_buf, len) != (int) len)
+    {
+      die("priv_sock_send_buf");
+    }
+  }
+}
+
+void
+priv_sock_recv_buf(int fd, char* p_buf, unsigned int len)
+{
+  unsigned int recv_len = (unsigned int) priv_sock_get_int(fd);
+  if (recv_len > len)
+  {
+    bug("recv_len bigger than buffer");
+  }
+  if (recv_len > 0)
+  {
+    if (vsf_sysutil_read_loop(fd, p_buf, recv_len) != (int) recv_len)
+    {
+      die("priv_sock_recv_buf");
+    }
+  }
+}
+
+char
+priv_sock_get_result(int fd)
+{
+  char res;
+  int retval = vsf_sysutil_read_loop(fd, &res, sizeof(res));
+  if (retval != sizeof(res))
+  {
+    die("priv_sock_get_result");
+  }
+  return res;
+}
+
+char
+priv_sock_get_cmd(int fd)
+{
+  char res;
+  int retval = vsf_sysutil_read_loop(fd, &res, sizeof(res));
+  if (retval != sizeof(res))
+  {
+    die("priv_sock_get_cmd");
+  }
+  return res;
+}
+
+void
+priv_sock_get_str(int fd, struct mystr* p_dest)
+{
+  unsigned int len = (unsigned int) priv_sock_get_int(fd);
+  if (len > VSFTP_PRIVSOCK_MAXSTR)
+  {
+    die("priv_sock_get_str: too big");
+  }
+  str_empty(p_dest);
+  if (len > 0)
+  {
+    int retval = str_netfd_read(p_dest, fd, len);
+    if ((unsigned int) retval != len)
+    {
+      die("priv_sock_get_str: read error");
+    }
+  }
+}
+
+void
+priv_sock_send_result(int fd, char res)
+{
+  int retval = vsf_sysutil_write_loop(fd, &res, sizeof(res));
+  if (retval != sizeof(res))
+  {
+    die("priv_sock_send_result");
+  }
+}
+
+void
+priv_sock_send_fd(int fd, int send_fd)
+{
+  vsf_sysutil_send_fd(fd, send_fd);
+}
+
+int
+priv_sock_recv_fd(int fd)
+{
+  return vsf_sysutil_recv_fd(fd);
+}
+
+void
+priv_sock_send_int(int fd, int the_int)
+{
+  int retval = vsf_sysutil_write_loop(fd, &the_int, sizeof(the_int));
+  if (retval != sizeof(the_int))
+  {
+    die("priv_sock_send_int");
+  }
+}
+
+int
+priv_sock_get_int(int fd)
+{
+  int the_int;
+  int retval = vsf_sysutil_read_loop(fd, &the_int, sizeof(the_int));
+  if (retval != sizeof(the_int))
+  {
+    die("priv_sock_get_int");
+  }
+  return the_int;
+}
+

privsock.h

@@ -0,0 +1,177 @@
+#ifndef VSF_PRIVSOCK_H
+#define VSF_PRIVSOCK_H
+
+struct mystr;
+struct vsf_session;
+
+/* priv_sock_init()
+ * PURPOSE
+ * Initialize the priv_sock system, by opening the communications sockets.
+ *
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void priv_sock_init(struct vsf_session* p_sess);
+
+/* priv_sock_close()
+ * PURPOSE
+ * Closes any open file descriptors relating to the priv_sock system.
+ *
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void priv_sock_close(struct vsf_session* p_sess);
+
+/* priv_sock_set_parent_context()
+ * PURPOSE
+ * Closes the child's fd, e.g. p_sess->child_fd.
+ *
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void priv_sock_set_parent_context(struct vsf_session* p_sess);
+
+/* priv_sock_set_child_context()
+ * PURPOSE
+ * Closes the parent's fd, e.g. p_sess->parent_fd.
+ *
+ * PARAMETERS
+ * p_sess       - the current session object
+ */
+void priv_sock_set_child_context(struct vsf_session* p_sess);
+
+/* priv_sock_send_cmd()
+ * PURPOSE
+ * Sends a command, typically to the privileged side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to send the command
+ * cmd          - the command to send
+ */
+void priv_sock_send_cmd(int fd, char cmd);
+
+/* priv_sock_send_str()
+ * PURPOSE
+ * Sends a string to the other side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to send the string
+ * p_str        - the string to send
+ */
+void priv_sock_send_str(int fd, const struct mystr* p_str);
+
+/* priv_sock_send_buf()
+ * PURPOSE
+ * Sends a buffer to the other side of the channel. The protocol used is the
+ * same as priv_sock_send_str()
+ * PARAMETERS
+ * fd           - the fd on which to send the buffer
+ * p_buf        - the buffer to send
+ * len          - length of the buffer
+ */
+void priv_sock_send_buf(int fd, const char* p_buf, unsigned int len);
+
+/* priv_sock_recv_buf()
+ * PURPOSE
+ * Receives a buffer from the other side of the channel. The protocol used is
+ * the same as priv_sock_recv_str()
+ * PARAMETERS
+ * fd           - the fd on which to receive the buffer
+ * p_buf        - the buffer to write into
+ * len          - length of the buffer
+ */
+void priv_sock_recv_buf(int fd, char* p_buf, unsigned int len);
+
+/* priv_sock_get_result()
+ * PURPOSE
+ * Receives a response, typically from the privileged side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to receive the response
+ * RETURNS
+ * The response code.
+ */
+char priv_sock_get_result(int fd);
+
+/* priv_sock_get_cmd()
+ * PURPOSE
+ * Receives a command, typically on the privileged side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to receive the command.
+ * RETURNS
+ * The command that was sent.
+ */
+char priv_sock_get_cmd(int fd);
+
+/* priv_sock_get_str()
+ * PURPOSE
+ * Receives a string from the other side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to receive the string
+ * p_dest       - where to copy the received string
+ */
+void priv_sock_get_str(int fd, struct mystr* p_dest);
+
+/* priv_sock_send_result()
+ * PURPOSE
+ * Sends a command result, typically to the unprivileged side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to send the result
+ * res          - the result to send
+ */
+void priv_sock_send_result(int fd, char res);
+
+/* priv_sock_send_fd()
+ * PURPOSE
+ * Sends a file descriptor to the other side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to send the descriptor 
+ * send_fd      - the descriptor to send
+ */
+void priv_sock_send_fd(int fd, int send_fd);
+
+/* priv_sock_recv_fd()
+ * PURPOSE
+ * Receives a file descriptor from the other side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to receive the descriptor
+ * RETURNS
+ * The received file descriptor
+ */
+int priv_sock_recv_fd(int fd);
+
+/* priv_sock_send_int()
+ * PURPOSE
+ * Sends an integer to the other side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to send the integer
+ * the_int      - the integer to send
+ */
+void priv_sock_send_int(int fd, int the_int);
+
+/* priv_sock_get_int()
+ * PURPOSE
+ * Receives an integer from the other side of the channel.
+ * PARAMETERS
+ * fd           - the fd on which to receive the integer
+ * RETURNS
+ * The integer that was sent.
+ */
+int priv_sock_get_int(int fd);
+
+#define PRIV_SOCK_LOGIN             1
+#define PRIV_SOCK_CHOWN             2
+#define PRIV_SOCK_GET_DATA_SOCK     3
+#define PRIV_SOCK_GET_USER_CMD      4
+#define PRIV_SOCK_WRITE_USER_RESP   5
+#define PRIV_SOCK_DO_SSL_HANDSHAKE  6
+#define PRIV_SOCK_DO_SSL_CLOSE      7
+#define PRIV_SOCK_DO_SSL_READ       8
+#define PRIV_SOCK_DO_SSL_WRITE      9
+#define PRIV_SOCK_PASV_CLEANUP      10
+#define PRIV_SOCK_PASV_ACTIVE       11
+#define PRIV_SOCK_PASV_LISTEN       12
+#define PRIV_SOCK_PASV_ACCEPT       13
+
+#define PRIV_SOCK_RESULT_OK         1
+#define PRIV_SOCK_RESULT_BAD        2
+
+#endif /* VSF_PRIVSOCK_H */
+

ptracesandbox.c

@@ -0,0 +1,1541 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * ptracesandbox.c
+ *
+ * Generic routines to setup and run a process under a restrictive ptrace()
+ * based sandbox.
+ * Note that the style in this file is to not go via the helper functions in
+ * sysutil.c, but instead hit the system APIs directly. This is because I may
+ * very well release just this file to the public domain, and do not want
+ * dependencies on other parts of vsftpd.
+ */
+
+#include "ptracesandbox.h"
+
+#if defined(__linux__) && defined(__i386__)
+
+#include <sys/mman.h>
+#include <sys/prctl.h>
+#include <sys/ptrace.h>
+/* For AF_MAX (NPROTO is defined to this) */
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/user.h>
+#include <sys/wait.h>
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <syslog.h>
+
+#include <asm/unistd.h>
+
+#ifndef __NR_sendfile64
+  #define __NR_sendfile64 239
+#endif
+
+#ifndef __NR_exit_group
+  #define __NR_exit_group 252
+#endif
+
+#ifndef __NR_utimes
+  #define __NR_utimes 271
+#endif
+
+/* For the socketcall() multiplex args. */
+#include <linux/net.h>
+
+#ifndef PTRACE_SETOPTIONS
+  #define PTRACE_SETOPTIONS 0x4200
+#endif
+
+#ifndef PTRACE_O_TRACESYSGOOD
+  #define PTRACE_O_TRACESYSGOOD 1
+#endif
+
+#ifndef PTRACE_O_TRACEFORK
+  #define PTRACE_O_TRACEFORK 2
+#endif
+
+#ifndef PTRACE_O_TRACEVFORK
+  #define PTRACE_O_TRACEVFORK 4
+#endif
+
+#ifndef PTRACE_O_TRACECLONE
+  #define PTRACE_O_TRACECLONE 8
+#endif
+
+#ifndef O_DIRECT
+  #define O_DIRECT 040000
+#endif
+
+static void sanitize_child();
+static int get_action(struct pt_sandbox* p_sandbox);
+
+static int validate_mmap2(struct pt_sandbox* p_sandbox, void* p_arg);
+static int validate_open_default(struct pt_sandbox* p_sandbox, void* p_arg);
+static int validate_open_readonly(struct pt_sandbox* p_sandbox, void* p_arg);
+static int validate_fcntl(struct pt_sandbox* p_sandbox, void* p_arg);
+static int validate_socketcall(struct pt_sandbox* p_sandbox, void* p_arg);
+static void install_socketcall(struct pt_sandbox* p_sandbox);
+
+#define MAX_SYSCALL 300
+
+struct pt_sandbox
+{
+  int read_event_fd;
+  int write_event_fd;
+  pid_t pid;
+  int is_allowed[MAX_SYSCALL];
+  ptrace_sandbox_validator_t validator[MAX_SYSCALL];
+  void* validator_arg[MAX_SYSCALL];
+  int is_exit;
+  struct user_regs_struct regs;
+  int is_socketcall_allowed[NPROTO];
+  ptrace_sandbox_validator_t socketcall_validator[NPROTO];
+  void* socketcall_validator_arg[NPROTO];
+};
+
+static int s_sigchld_fd = -1;
+
+void
+handle_sigchld(int sig)
+{
+  int ret;
+  if (sig != SIGCHLD)
+  {
+    _exit(1);
+  }
+  if (s_sigchld_fd != -1)
+  {
+    do
+    {
+      static const char zero = '\0';
+      ret = write(s_sigchld_fd, &zero, sizeof(zero));
+    } while (ret == -1 && errno == EINTR);
+    if (ret != 1)
+    {
+      _exit(2);
+    }
+  }
+}
+
+struct pt_sandbox*
+ptrace_sandbox_alloc()
+{
+  int i;
+  struct sigaction sigact;
+  struct pt_sandbox* ret = malloc(sizeof(struct pt_sandbox));
+  if (ret == NULL)
+  {
+    return NULL;
+  }
+  ret->pid = -1;
+  ret->read_event_fd = -1;
+  ret->write_event_fd = -1;
+  ret->is_exit = 0;
+  memset(&ret->regs, '\0', sizeof(ret->regs));
+  for (i = 0; i < MAX_SYSCALL; ++i)
+  {
+    ret->is_allowed[i] = 0;
+    ret->validator[i] = 0;
+    ret->validator_arg[i] = 0;
+  }
+  for (i = 0; i < NPROTO; ++i)
+  {
+    ret->is_socketcall_allowed[i] = 0;
+    ret->socketcall_validator[i] = 0;
+    ret->socketcall_validator_arg[i] = 0;
+  }
+  memset((void*) &sigact, '\0', sizeof(sigact));
+  sigact.sa_handler = handle_sigchld;
+  if (sigaction(SIGCHLD, &sigact, NULL) != 0)
+  {
+    goto err_out;
+  }
+  return ret;
+err_out:
+  ptrace_sandbox_free(ret);
+  return NULL;
+}
+
+void
+ptrace_sandbox_free(struct pt_sandbox* p_sandbox)
+{
+  if (p_sandbox->pid != -1)
+  {
+    warnx("bug: pid active in ptrace_sandbox_free");
+    /* We'll kill it for you so it doesn't escape the sandbox totally, but
+     * we won't reap the zombie.
+     * Killing it like this is a risk: if it's stopped in syscall entry,
+     * that syscall will execute before the pending kill takes effect.
+     * If that pending syscall were to be a fork(), there could be trouble.
+     */
+    (void) kill(p_sandbox->pid, SIGKILL);
+  }
+  if (p_sandbox->read_event_fd != -1)
+  {
+    s_sigchld_fd = -1;
+    close(p_sandbox->read_event_fd);
+    close(p_sandbox->write_event_fd);
+  }
+  free(p_sandbox);
+}
+
+void
+ptrace_sandbox_attach_point()
+{
+  long pt_ret;
+  int ret;
+  pid_t pid = getpid();
+  if (pid <= 1)
+  {
+    warnx("weird pid");
+    _exit(1);
+  }
+  /* You don't have to use PTRACE_TRACEME, but if you don't, a rogue SIGCONT
+   * might wake you up from the STOP below before the tracer has attached.
+   */
+  pt_ret = ptrace(PTRACE_TRACEME, 0, 0, 0);
+  if (pt_ret != 0)
+  {
+    warn("PTRACE_TRACEME failed");
+    _exit(2);
+  }
+  ret = kill(pid, SIGSTOP);
+  if (ret != 0)
+  {
+    warn("kill SIGSTOP failed");
+    _exit(3);
+  }
+}
+
+int
+ptrace_sandbox_launch_process(struct pt_sandbox* p_sandbox,
+                              void (*p_func)(void*),
+                              void* p_arg)
+{
+  long pt_ret;
+  pid_t ret;
+  int status;
+  if (p_sandbox->pid != -1)
+  {
+    warnx("bug: process already active");
+    return -1;
+  }
+  ret = fork();
+  if (ret < 0)
+  {
+    return -1;
+  }
+  else if (ret == 0)
+  {
+    /* Child context. */
+    sanitize_child();
+    (*p_func)(p_arg);
+    _exit(0);
+  }
+  /* Parent context */
+  p_sandbox->pid = ret;
+  do
+  {
+    ret = waitpid(p_sandbox->pid, &status, 0);
+  } while (ret == -1 && errno == EINTR);
+  if (ret == -1)
+  {
+    warn("waitpid failed");
+    goto kill_out;
+  }
+  else if (ret != p_sandbox->pid)
+  {
+    warnx("unknown pid %d", ret);
+    goto kill_out;
+  }
+  if (!WIFSTOPPED(status))
+  {
+    warnx("not stopped status %d\n", status);
+    goto kill_out;
+  }
+  if (WSTOPSIG(status) != SIGSTOP)
+  {
+    warnx("not SIGSTOP status %d\n", status);
+    goto kill_out;
+  }
+  /* The fork, etc. tracing options are worth a bit of explanation. We don't
+   * permit process launching syscalls at all as they are dangerous. But
+   * there's a small race if the untrusted process attempts a denied fork()
+   * and then takes a rouge SIGKILL before the supervisor gets a chance to
+   * clear the orig_eax register. In this case the syscall will still execute.
+   * (Policies may not include signal sending capabilities, thus mitigating this
+   * direct attack, however a rogue SIGKILL may come from a non-malicious
+   * source). Therefore, we'd rather any fork()ed process starts off traced,
+   * just in case this tiny race condition triggers.
+   */
+  pt_ret = ptrace(PTRACE_SETOPTIONS,
+                  p_sandbox->pid,
+                  0,
+                  PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK |
+                      PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE);
+  if (pt_ret != 0)
+  {
+    warn("PTRACE_SETOPTIONS failure");
+    goto kill_out;
+  }
+  return p_sandbox->pid;
+kill_out:
+  (void) kill(p_sandbox->pid, SIGKILL);
+  p_sandbox->pid = -1;
+  return -1;
+}
+
+int
+ptrace_sandbox_continue_process(struct pt_sandbox* p_sandbox, int sig)
+{
+  long pt_ret = ptrace(PTRACE_SYSCALL, p_sandbox->pid, 0, sig);
+  if (pt_ret != 0)
+  {
+    warn("PTRACE_SYSCALL failure");
+    if (errno == ESRCH)
+    {
+      return PTRACE_SANDBOX_ERR_DEAD;
+    }
+    return PTRACE_SANDBOX_ERR_PTRACE;
+  }
+  return 0;
+}
+
+int
+ptrace_sandbox_get_event_fd(struct pt_sandbox* p_sandbox)
+{
+  /* TODO: allocate pipe fds */
+  (void) p_sandbox;
+  return -1;
+}
+
+int
+ptrace_sandbox_get_event(struct pt_sandbox* p_sandbox, int* status, int block)
+{
+  pid_t pid;
+  int options = 0;
+  if (!block)
+  {
+    options = WNOHANG;
+  }
+  do
+  {
+    pid = waitpid(p_sandbox->pid, status, options);
+  } while (pid == -1 && errno == EINTR);
+  if (pid == -1)
+  {
+    warn("waitpid failure");
+    if (errno == ECHILD)
+    {
+      return PTRACE_SANDBOX_ERR_DEAD;
+    }
+    return PTRACE_SANDBOX_ERR_WAITPID;
+  }
+  return pid;
+}
+
+int
+ptrace_sandbox_handle_event(struct pt_sandbox* p_sandbox, int status)
+{
+  int sig;
+  int action;
+  if (WIFEXITED(status) || WIFSIGNALED(status))
+  {
+    p_sandbox->pid = -1;
+    return 1;
+  }
+  if (!WIFSTOPPED(status))
+  {
+    warnx("weird status: %d\n", status);
+    return PTRACE_SANDBOX_ERR_WAIT_STATUS;
+  }
+  sig = WSTOPSIG(status);
+  if (sig >= 0 && sig < 0x80)
+  {
+    /* It's a normal signal; deliver it right on. SIGSTOP / SIGCONT handling
+     * are buggy in the kernel and I'm not sure it's safe to pass either on,
+     * so the signal becomes a little more... robust :)
+     */
+    if (sig == SIGSTOP || sig == SIGCONT)
+    {
+      sig = SIGKILL;
+    }
+    return ptrace_sandbox_continue_process(p_sandbox, sig);
+  }
+  if (!(sig & 0x80))
+  {
+    warnx("weird status: %d\n", status);
+    return PTRACE_SANDBOX_ERR_WAIT_STATUS;
+  }
+  /* Syscall trap. */
+  if (p_sandbox->is_exit)
+  {
+    p_sandbox->is_exit = 0;
+  }
+  else
+  {
+    p_sandbox->is_exit = 1;
+    action = get_action(p_sandbox);
+    if (action != 0)
+    {
+      return action;
+    }
+  }
+  return ptrace_sandbox_continue_process(p_sandbox, 0);
+}
+
+int
+ptrace_sandbox_run_processes(struct pt_sandbox* p_sandbox)
+{
+  if (ptrace_sandbox_continue_process(p_sandbox, 0) != 0)
+  {
+    goto kill_out;
+  }
+  while (1)
+  {
+    int status;
+    int ret = ptrace_sandbox_get_event(p_sandbox, &status, 1);
+    if (ret <= 0)
+    {
+      goto kill_out;
+    }
+    ret = ptrace_sandbox_handle_event(p_sandbox, status);
+    if (ret < 0)
+    {
+      warnx("couldn't handle sandbox event");
+      goto kill_out;
+    }
+    if (ret == 1)
+    {
+      return 0;
+    }
+  }
+kill_out:
+  ptrace_sandbox_kill_processes(p_sandbox);
+  return -1;
+}
+
+void
+ptrace_sandbox_kill_processes(struct pt_sandbox* p_sandbox)
+{
+  long pt_ret;
+  struct user_regs_struct regs;
+  pid_t pid = p_sandbox->pid;
+  if (pid == -1)
+  {
+    return;
+  }
+  p_sandbox->pid = -1;
+  pt_ret = ptrace(PTRACE_GETREGS, pid, 0, &regs);
+  if (pt_ret != 0)
+  {
+    warn("PTRACE_GETREGS failure");
+    /* This API is supposed to be called with the process stopped; but if it
+     * is still running, we can at least help a bit. See security related
+     * comment in ptrace_sandbox_free(), though.
+     */
+    (void) kill(pid, SIGKILL);
+    return;
+  }
+  /* Kind of nasty, but the only way of stopping a started syscall from
+   * executing is to rewrite the registers to execute a different syscall.
+   */
+  regs.orig_eax = __NR_exit_group;
+  regs.eip = 0xffffffff;
+  pt_ret = ptrace(PTRACE_SETREGS, pid, 0, &regs);
+  if (pt_ret != 0)
+  {
+    warn("PTRACE_SETREGS failure");
+    /* Deliberate fall-thru. */
+  }
+  pt_ret = ptrace(PTRACE_KILL, pid, 0, 0);
+  if (pt_ret != 0)
+  {
+    warn("PTRACE_KILL failure");
+    /* Deliberate fall-thru. */
+  }
+  /* Just to make ourselves clear. */
+  (void) kill(pid, SIGKILL);
+  /* So the GETREGS succeeded, so the process definitely _was_ there. We can
+   * safely wait for it to reap the zombie.
+   */
+  (void) waitpid(pid, NULL, 0);
+}
+
+int
+ptrace_sandbox_get_arg(struct pt_sandbox* p_sandbox,
+                       int arg,
+                       unsigned long* p_out)
+{
+  long ret = 0;
+  struct user_regs_struct* p_regs = &p_sandbox->regs;
+  if (p_regs->orig_eax == 0)
+  {
+    return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
+  }
+  if (arg < 0 || arg > 5)
+  {
+    return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
+  }
+  switch (arg)
+  {
+  case 0:
+    ret = p_regs->ebx;
+    break;
+  case 1:
+    ret = p_regs->ecx;
+    break;
+  case 2:
+    ret = p_regs->edx;
+    break;
+  case 3:
+    ret = p_regs->esi;
+    break;
+  case 4:
+    ret = p_regs->edi;
+    break;
+  case 5:
+    ret = p_regs->ebp;
+    break;
+  }
+  *p_out = ret;
+  return 0;
+}
+
+int
+ptrace_sandbox_get_socketcall_arg(struct pt_sandbox* p_sandbox,
+                                  int arg,
+                                  unsigned long* p_out)
+{
+  unsigned long ptr;
+  int ret;
+  struct user_regs_struct* p_regs = &p_sandbox->regs;
+  if (p_regs->orig_eax == 0)
+  {
+    return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
+  }
+  if (arg < 0 || arg > 2)
+  {
+    return PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT;
+  }
+  ret = ptrace_sandbox_get_arg(p_sandbox, 1, &ptr);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  ptr += (arg * 4);
+  ret = ptrace_sandbox_get_long(p_sandbox, ptr, p_out);
+  return ret;
+}
+
+int
+ptrace_sandbox_get_long(struct pt_sandbox* p_sandbox,
+                        unsigned long ptr,
+                        unsigned long* p_out)
+{
+  return ptrace_sandbox_get_buf(p_sandbox, ptr, sizeof(long), (void*) p_out);
+}
+
+int
+ptrace_sandbox_get_buf(struct pt_sandbox* p_sandbox,
+                       unsigned long ptr,
+                       unsigned long len,
+                       void* p_buf)
+{
+  long pt_ret;
+  char* p_out = (char*) p_buf;
+  for (; len > 0; len -= sizeof(long))
+  {
+    errno = 0;
+    pt_ret = ptrace(PTRACE_PEEKDATA, p_sandbox->pid, (void*) ptr, 0);
+    if (pt_ret == -1 && errno != 0)
+    {
+      warn("PTRACE_GETREGS failure");
+      if (errno == ESRCH)
+      {
+        return PTRACE_SANDBOX_ERR_DEAD;
+      }
+      return PTRACE_SANDBOX_ERR_PTRACE;
+    }
+    if (len >= sizeof(long))
+    {
+      memcpy(p_out, &pt_ret, sizeof(long));
+    }
+    else
+    {
+      memcpy(p_out, &pt_ret, len);
+    }
+    p_out += sizeof(long);
+    ptr += sizeof(long);
+  }
+  return 0;
+}
+
+static void
+sanitize_child()
+{
+  /* Ensure that if our sandbox supervisor goes down, so do we. */
+  int ret = prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  if (ret != 0)
+  {
+    _exit(3);
+  }
+}
+
+static int
+get_action(struct pt_sandbox* p_sandbox)
+{
+  int ret;
+  int call;
+  int cs;
+  long pt_ret = ptrace(PTRACE_GETREGS, p_sandbox->pid, 0, &(p_sandbox->regs));
+  if (pt_ret != 0)
+  {
+    warn("PTRACE_GETREGS failure");
+    if (errno == ESRCH)
+    {
+      return PTRACE_SANDBOX_ERR_DEAD;
+    }
+    return PTRACE_SANDBOX_ERR_PTRACE;
+  }
+  /* We need to be sure that the child is attempting a syscall against the
+   * 32-bit syscall table, otherwise they can bypass the policy by abusing the
+   * fact that e.g. syscall 200 is getgid32() on 32-bit but tkill() on 64-bit.
+   * If the syscall instruct was int80 or sysenter, is it guaranteed to hit
+   * the 32-bit table. If it is syscall, the current CS selector determines
+   * the table. Therefore, we can check the current CS selector references a
+   * known system-only selector that is guaranteed 32-bit (not long mode).
+   */
+  cs = p_sandbox->regs.xcs;
+  if (cs != 0x73 && cs != 0x23)
+  {
+    warnx("bad CS %d", cs);
+    ret = PTRACE_SANDBOX_ERR_BAD_SYSCALL;
+    goto out;
+  }
+  call = (int) p_sandbox->regs.orig_eax;
+  if (call < 0 || call >= MAX_SYSCALL)
+  {
+    warnx("syscall %d out of bounds", call);
+    ret = PTRACE_SANDBOX_ERR_BAD_SYSCALL;
+    goto out;
+  }
+  if (p_sandbox->is_allowed[call] != 1)
+  {
+    syslog(LOG_LOCAL0 | LOG_DEBUG, "syscall not permitted: %d", call);
+    warnx("syscall not permitted: %d", call);
+    ret = PTRACE_SANDBOX_ERR_POLICY_SYSCALL;
+    goto out;
+  }
+  if (p_sandbox->validator[call])
+  {
+    ptrace_sandbox_validator_t p_validate = p_sandbox->validator[call];
+    int validate_ret = (*p_validate)(p_sandbox, p_sandbox->validator_arg[call]);
+    if (validate_ret != 0)
+    {
+      syslog(LOG_LOCAL0 | LOG_DEBUG,
+             "syscall validate fail: %d (%d)",
+             call,
+             validate_ret);
+      warnx("syscall validate failed: %d (%d)", call, validate_ret);
+      ret = PTRACE_SANDBOX_ERR_POLICY_ARGS;
+      goto out;
+    }
+  }
+  ret = 0;
+out:
+  memset(&p_sandbox->regs, '\0', sizeof(p_sandbox->regs));
+  return ret;
+}
+
+void
+ptrace_sandbox_permit_exit(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_exit] = 1;
+  p_sandbox->is_allowed[__NR_exit_group] = 1;
+}
+
+void
+ptrace_sandbox_permit_read(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_read] = 1;
+}
+
+void
+ptrace_sandbox_permit_write(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_write] = 1;
+}
+
+void
+ptrace_sandbox_permit_sigaction(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_sigaction] = 1;
+  p_sandbox->is_allowed[__NR_rt_sigaction] = 1;
+}
+
+void
+ptrace_sandbox_permit_alarm(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_alarm] = 1;
+}
+
+void
+ptrace_sandbox_permit_query_time(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_gettimeofday] = 1;
+  p_sandbox->is_allowed[__NR_time] = 1;
+}
+
+void
+ptrace_sandbox_permit_mmap(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_mmap2] = 1;
+  p_sandbox->validator[__NR_mmap2] = validate_mmap2;
+}
+
+static int
+validate_mmap2(struct pt_sandbox* p_sandbox, void* p_arg)
+{
+  unsigned long arg4;
+  int ret = ptrace_sandbox_get_arg(p_sandbox, 3, &arg4);
+  (void) p_arg;
+  if (ret != 0)
+  {
+    return ret;
+  }
+  if (arg4 & MAP_SHARED)
+  {
+    return -1;
+  }
+  return 0;
+}
+
+void
+ptrace_sandbox_permit_mprotect(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_mprotect] = 1;
+}
+
+void
+ptrace_sandbox_permit_file_stats(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_stat] = 1;
+  p_sandbox->is_allowed[__NR_stat64] = 1;
+  p_sandbox->is_allowed[__NR_lstat] = 1;
+  p_sandbox->is_allowed[__NR_lstat64] = 1;
+}
+
+void
+ptrace_sandbox_permit_fd_stats(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_fstat] = 1;
+  p_sandbox->is_allowed[__NR_fstat64] = 1;
+}
+
+void
+ptrace_sandbox_permit_getcwd(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_getcwd] = 1;
+}
+
+void
+ptrace_sandbox_permit_chdir(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_chdir] = 1;
+}
+
+void
+ptrace_sandbox_permit_umask(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_umask] = 1;
+}
+
+void
+ptrace_sandbox_permit_open(struct pt_sandbox* p_sandbox, int writeable)
+{
+  p_sandbox->is_allowed[__NR_open] = 1;
+  if (writeable == 1)
+  {
+    p_sandbox->validator[__NR_open] = validate_open_default;
+  }
+  else
+  {
+    p_sandbox->validator[__NR_open] = validate_open_readonly;
+  }
+}
+
+static int
+validate_open_default(struct pt_sandbox* p_sandbox, void* p_arg)
+{
+  unsigned long arg2;
+  int ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2);
+  (void) p_arg;
+  if (ret != 0)
+  {
+    return ret;
+  }
+  if (arg2 & (O_ASYNC | O_DIRECT | O_SYNC))
+  {
+    return -1;
+  }
+  return 0;
+}
+
+static int
+validate_open_readonly(struct pt_sandbox* p_sandbox, void* p_arg)
+{
+  unsigned long arg2;
+  int ret = validate_open_default(p_sandbox, p_arg);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  if ((arg2 & O_ACCMODE) != O_RDONLY)
+  {
+    return -1;
+  }
+  return 0;
+}
+
+void
+ptrace_sandbox_permit_close(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_close] = 1;
+}
+
+void
+ptrace_sandbox_permit_getdents(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_getdents] = 1;
+  p_sandbox->is_allowed[__NR_getdents64] = 1;
+}
+
+void
+ptrace_sandbox_permit_fcntl(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_fcntl] = 1;
+  p_sandbox->validator[__NR_fcntl] = validate_fcntl;
+  p_sandbox->is_allowed[__NR_fcntl64] = 1;
+  p_sandbox->validator[__NR_fcntl64] = validate_fcntl;
+}
+
+static int
+validate_fcntl(struct pt_sandbox* p_sandbox, void* p_arg)
+{
+  unsigned long arg2;
+  unsigned long arg3;
+  int ret = ptrace_sandbox_get_arg(p_sandbox, 1, &arg2);
+  (void) p_arg;
+  if (ret != 0)
+  {
+    return ret;
+  }
+  ret = ptrace_sandbox_get_arg(p_sandbox, 2, &arg3);
+  if (ret != 0)
+  {
+    return ret;
+  }
+  if (arg2 != F_GETFL &&
+      arg2 != F_SETFL &&
+      arg2 != F_SETOWN &&
+      arg2 != F_SETLK &&
+      arg2 != F_SETLKW &&
+      arg2 != F_SETLK64 &&
+      arg2 != F_SETLKW64 &&
+      arg2 != F_SETFD &&
+      arg2 != F_GETFD)
+  {
+    syslog(LOG_LOCAL0 | LOG_DEBUG, "fcntl not permitted: %ld", arg2);
+    warnx("fcntl not permitted: %ld", arg2);
+    return -1;
+  }
+  if (arg2 == F_SETFL && (arg3 & (O_ASYNC | O_DIRECT)))
+  {
+    return -2;
+  }
+  if (arg2 == F_SETOWN && (int) arg3 != p_sandbox->pid)
+  {
+    return -3;
+  }
+  return 0;
+}
+
+void
+ptrace_sandbox_permit_sendfile(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_sendfile] = 1;
+  p_sandbox->is_allowed[__NR_sendfile64] = 1;
+}
+
+void
+ptrace_sandbox_permit_seek(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_lseek] = 1;
+  p_sandbox->is_allowed[__NR__llseek] = 1;
+}
+
+void
+ptrace_sandbox_permit_select(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_select] = 1;
+  p_sandbox->is_allowed[__NR__newselect] = 1;
+}
+
+void
+ptrace_sandbox_permit_unlink(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_unlink] = 1;
+}
+
+void
+ptrace_sandbox_permit_mkdir(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_mkdir] = 1;
+}
+
+void
+ptrace_sandbox_permit_rmdir(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_rmdir] = 1;
+}
+
+void
+ptrace_sandbox_permit_rename(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_rename] = 1;
+}
+
+void
+ptrace_sandbox_permit_utime(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_utime] = 1;
+  p_sandbox->is_allowed[__NR_utimes] = 1;
+}
+
+void
+ptrace_sandbox_permit_sigreturn(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_sigreturn] = 1;
+}
+
+void
+ptrace_sandbox_permit_recv(struct pt_sandbox* p_sandbox)
+{
+  install_socketcall(p_sandbox);
+  p_sandbox->is_socketcall_allowed[SYS_RECV] = 1;
+}
+
+static void
+install_socketcall(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_socketcall] = 1;
+  p_sandbox->validator[__NR_socketcall] = validate_socketcall;
+}
+
+static int
+validate_socketcall(struct pt_sandbox* p_sandbox, void* p_arg)
+{
+  unsigned long arg1;
+  int ret = ptrace_sandbox_get_arg(p_sandbox, 0, &arg1);
+  (void) p_arg;
+  if (ret != 0)
+  {
+    return ret;
+  }
+  if (arg1 < 1 || arg1 >= NPROTO)
+  {
+    return -1;
+  }
+  if (p_sandbox->is_socketcall_allowed[arg1] != 1)
+  {
+    syslog(LOG_LOCAL0 | LOG_DEBUG, "socketcall not permitted: %ld", arg1);
+    warnx("socketcall not permitted: %ld", arg1);
+    return -2;
+  }
+  if (p_sandbox->socketcall_validator[arg1])
+  {
+    ptrace_sandbox_validator_t p_val = p_sandbox->socketcall_validator[arg1];
+    ret = (*p_val)(p_sandbox, p_sandbox->socketcall_validator_arg[arg1]);
+    if (ret != 0)
+    {
+      syslog(LOG_LOCAL0 | LOG_DEBUG,
+             "socketcall validate fail: %ld (%d)",
+             arg1,
+             ret);
+      warnx("socketcall validate fail: %ld (%d)", arg1, ret);
+      return -3;
+    }
+  }
+  return 0;
+}
+
+void
+ptrace_sandbox_permit_readlink(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_readlink] = 1;
+}
+
+void
+ptrace_sandbox_permit_brk(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_brk] = 1;
+}
+
+void
+ptrace_sandbox_permit_sleep(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_nanosleep] = 1;
+}
+
+void
+ptrace_sandbox_permit_fchmod(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_fchmod] = 1;
+}
+
+void
+ptrace_sandbox_permit_chmod(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_chmod] = 1;
+}
+
+void
+ptrace_sandbox_permit_fchown(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_fchown] = 1;
+  p_sandbox->is_allowed[__NR_fchown32] = 1;
+}
+
+void
+ptrace_sandbox_permit_mremap(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_mremap] = 1;
+}
+
+void
+ptrace_sandbox_permit_ftruncate(struct pt_sandbox* p_sandbox)
+{
+  p_sandbox->is_allowed[__NR_ftruncate] = 1;
+  p_sandbox->is_allowed[__NR_ftruncate64] = 1;
+}
+
+void
+ptrace_sandbox_permit_socket(struct pt_sandbox* p_sandbox)
+{
+  install_socketcall(p_sandbox);
+  p_sandbox->is_socketcall_allowed[SYS_SOCKET] = 1;
+}
+
+void
+ptrace_sandbox_set_socket_validator(struct pt_sandbox* p_sandbox,
+                                    ptrace_sandbox_validator_t val,
+                                    void* p_arg)
+{
+  p_sandbox->socketcall_validator[SYS_SOCKET] = val;
+  p_sandbox->socketcall_validator_arg[SYS_SOCKET] = p_arg;
+}
+
+void
+ptrace_sandbox_permit_bind(struct pt_sandbox* p_sandbox)
+{
+  install_socketcall(p_sandbox);
+  p_sandbox->is_socketcall_allowed[SYS_BIND] = 1;
+}
+
+void
+ptrace_sandbox_set_bind_validator(struct pt_sandbox* p_sandbox,
+                                  ptrace_sandbox_validator_t val,
+                                  void* p_arg)
+{
+  p_sandbox->socketcall_validator[SYS_BIND] = val;
+  p_sandbox->socketcall_validator_arg[SYS_BIND] = p_arg;
+}
+
+void
+ptrace_sandbox_permit_connect(struct pt_sandbox* p_sandbox)
+{
+  install_socketcall(p_sandbox);
+  p_sandbox->is_socketcall_allowed[SYS_CONNECT] = 1;
+}
+
+void
+ptrace_sandbox_set_connect_validator(struct pt_sandbox* p_sandbox,
+                                     ptrace_sandbox_validator_t val,
+                                     void* p_arg)
+{
+  p_sandbox->socketcall_validator[SYS_CONNECT] = val;
+  p_sandbox->socketcall_validator_arg[SYS_CONNECT] = p_arg;
+}
+
+void
+ptrace_sandbox_permit_listen(struct pt_sandbox* p_sandbox)
+{
+  install_socketcall(p_sandbox);
+  p_sandbox->is_socketcall_allowed[SYS_LISTEN] = 1;
+}
+
+void
+ptrace_sandbox_permit_accept(struct pt_sandbox* p_sandbox)
+{
+  install_socketcall(p_sandbox);
+  p_sandbox->is_socketcall_allowed[SYS_ACCEPT] = 1;
+}
+
+void
+ptrace_sandbox_permit_setsockopt(struct pt_sandbox* p_sandbox)
+{
+  install_socketcall(p_sandbox);
+  p_sandbox->is_socketcall_allowed[SYS_SETSOCKOPT] = 1;
+}
+
+void
+ptrace_sandbox_set_setsockopt_validator(struct pt_sandbox* p_sandbox,
+                                        ptrace_sandbox_validator_t val,
+                                        void* p_arg)
+{
+  p_sandbox->socketcall_validator[SYS_SETSOCKOPT] = val;
+  p_sandbox->socketcall_validator_arg[SYS_SETSOCKOPT] = p_arg;
+}
+
+void
+ptrace_sandbox_permit_getsockopt(struct pt_sandbox* p_sandbox)
+{
+  install_socketcall(p_sandbox);
+  p_sandbox->is_socketcall_allowed[SYS_GETSOCKOPT] = 1;
+}
+
+void
+ptrace_sandbox_set_getsockopt_validator(struct pt_sandbox* p_sandbox,
+                                        ptrace_sandbox_validator_t val,
+                                        void* p_arg)
+{
+  p_sandbox->socketcall_validator[SYS_GETSOCKOPT] = val;
+  p_sandbox->socketcall_validator_arg[SYS_GETSOCKOPT] = p_arg;
+}
+
+void
+ptrace_sandbox_permit_shutdown(struct pt_sandbox* p_sandbox)
+{
+  install_socketcall(p_sandbox);
+  p_sandbox->is_socketcall_allowed[SYS_SHUTDOWN] = 1;
+}
+
+#else /* __linux__ && __i386__ */
+
+struct pt_sandbox*
+ptrace_sandbox_alloc()
+{
+  return 0;
+}
+
+void
+ptrace_sandbox_free(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+int
+ptrace_sandbox_launch_process(struct pt_sandbox* p_sandbox,
+                              void (*p_func)(void*),
+                              void* p_arg)
+{
+  (void) p_sandbox;
+  (void) p_func;
+  (void) p_arg;
+  return -1;
+}
+
+int
+ptrace_sandbox_run_processes(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+  return -1;
+}
+
+void
+ptrace_sandbox_attach_point(void)
+{
+}
+
+void
+ptrace_sandbox_permit_exit(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_read(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_write(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_sigaction(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_alarm(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_query_time(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_mmap(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_mprotect(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_file_stats(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_fd_stats(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_getcwd(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_chdir(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_umask(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_open(struct pt_sandbox* p_sandbox, int writeable)
+{
+  (void) p_sandbox;
+  (void) writeable;
+}
+
+void
+ptrace_sandbox_permit_close(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_getdents(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_fcntl(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_sendfile(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_seek(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_select(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_unlink(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_mkdir(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_rmdir(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_rename(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_utime(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_utimes(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_sigreturn(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_recv(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_kill_processes(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+int
+ptrace_sandbox_get_arg(struct pt_sandbox* p_sandbox,
+                       int arg,
+                       unsigned long* p_out)
+{
+  (void) p_sandbox;
+  (void) arg;
+  (void) p_out;
+  return -1;
+}
+
+int
+ptrace_sandbox_get_socketcall_arg(struct pt_sandbox* p_sandbox,
+                                  int arg,
+                                  unsigned long* p_out)
+{
+  (void) p_sandbox;
+  (void) arg;
+  (void) p_out;
+  return -1;
+}
+
+int
+ptrace_sandbox_get_long(struct pt_sandbox* p_sandbox,
+                        unsigned long ptr,
+                        unsigned long* p_out)
+{
+  (void) p_sandbox;
+  (void) ptr;
+  (void) p_out;
+  return -1;
+}
+
+int
+ptrace_sandbox_get_buf(struct pt_sandbox* p_sandbox,
+                       unsigned long ptr,
+                       unsigned long len,
+                       void* p_buf)
+{
+  (void) p_sandbox;
+  (void) ptr;
+  (void) len;
+  (void) p_buf;
+  return -1;
+}
+
+void
+ptrace_sandbox_permit_readlink(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_brk(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_sleep(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_fchmod(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_chmod(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_fchown(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_mremap(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_ftruncate(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_socket(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_set_socket_validator(struct pt_sandbox* p_sandbox,
+                                    ptrace_sandbox_validator_t val,
+                                    void* p_arg)
+{
+  (void) p_sandbox;
+  (void) val;
+  (void) p_arg;
+}
+
+void
+ptrace_sandbox_permit_bind(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_set_bind_validator(struct pt_sandbox* p_sandbox,
+                                  ptrace_sandbox_validator_t val,
+                                  void* p_arg)
+{
+  (void) p_sandbox;
+  (void) val;
+  (void) p_arg;
+}
+
+void
+ptrace_sandbox_permit_connect(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_set_connect_validator(struct pt_sandbox* p_sandbox,
+                                     ptrace_sandbox_validator_t val,
+                                     void* p_arg)
+{
+  (void) p_sandbox;
+  (void) val;
+  (void) p_arg;
+}
+
+void
+ptrace_sandbox_permit_listen(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_accept(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_permit_setsockopt(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_set_setsockopt_validator(struct pt_sandbox* p_sandbox,
+                                        ptrace_sandbox_validator_t val,
+                                        void* p_arg)
+{
+  (void) p_sandbox;
+  (void) val;
+  (void) p_arg;
+}
+
+void
+ptrace_sandbox_permit_getsockopt(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+void
+ptrace_sandbox_set_getsockopt_validator(struct pt_sandbox* p_sandbox,
+                                        ptrace_sandbox_validator_t val,
+                                        void* p_arg)
+{
+  (void) p_sandbox;
+  (void) val;
+  (void) p_arg;
+}
+
+void
+ptrace_sandbox_permit_shutdown(struct pt_sandbox* p_sandbox)
+{
+  (void) p_sandbox;
+}
+
+#endif /* __linux__ && __i386__ */

ptracesandbox.h

@@ -0,0 +1,264 @@
+#ifndef VSF_PTRACESANDBOX_H
+#define VSF_PTRACESANDBOX_H
+
+/* Forward delcarations */
+struct pt_sandbox;
+
+typedef int (*ptrace_sandbox_validator_t)(struct pt_sandbox*, void*);
+
+/* ptrace_sandbox_alloc()
+ * PURPOSE
+ * Allocates a ptrace sandbox object which is needed for the rest of the API.
+ * RETURNS
+ * NULL on failure, otherwise an opaque handle.
+ * TODO
+ * Only one per process supported at this time.
+ */
+struct pt_sandbox* ptrace_sandbox_alloc();
+
+/* ptrace_sandbox_free()
+ * PURPOSE
+ * Frees the sandbox object.
+ * PARAMETERS
+ * p_sandbox        - the sandbox handle to free
+ */
+void ptrace_sandbox_free(struct pt_sandbox* p_sandbox);
+
+/* ptrace_sandbox_launch_process()
+ * PURPOSE
+ * Launches a new process and attaches the sandbox to it when it stops.
+ * PARAMETERS
+ * p_sandbox        - the sandbox handle
+ * p_func           - the function to call at the start of the new process
+ * p_arg            - an argument to pass to the function
+ * RETURNS
+ * -1 on failure, otherwise an id for the created process. Not necessarily a
+ * "pid", please treat is as opaque!
+ * TODO
+ * Only one call to this per sandbox object is supported at this time.
+ */
+int ptrace_sandbox_launch_process(struct pt_sandbox* p_sandbox,
+                                  void (*p_func)(void*),
+                                  void* p_arg);
+
+/* ptrace_sandbox_run_processes()
+ * PURPOSE
+ * Runs sandboxed children until they exit or are killed.
+ * PARAMETERS
+ * p_sandbox        - the sandbox handle
+ * RETURNS
+ * 0 on normal exit or death of processes.
+ * -1 if any process breached the policy.
+ */
+int ptrace_sandbox_run_processes(struct pt_sandbox* p_sandbox);
+
+/* ptrace_sandbox_kill_processes()
+ * PURPOSE
+ * Safely kills off all sandboxed processes.
+ * PARAMETERS
+ * p_sandbox        - the sandbox handle
+ */
+void ptrace_sandbox_kill_processes(struct pt_sandbox* p_sandbox);
+
+/* ptrace_sandbox_get_arg()
+ * PURPOSE
+ * Gets a syscall argument value for a process stopped in syscall entry.
+ * PARAMETERS
+ * p_sandbox        - the sandbox handle
+ * arg              - the arg number to get (zero-based)
+ * p_out            - the result is written here
+ * RETURNS
+ * 0 on success; otherwise it's a failure.
+ */
+int ptrace_sandbox_get_arg(struct pt_sandbox* p_sandbox,
+                           int arg,
+                           unsigned long* p_out);
+
+/* ptrace_sandbox_get_socketcall_arg()
+ * PURPOSE
+ * Gets a syscall argument value for a process stopped in syscall entry, where
+ * the system call is a socket-related one. On some architectures (e.g. i386,
+ * socket calls are in fact multiplexed and store the arguments in a struct
+ * in user space, hence the need for abstraction.
+ * PARAMETERS
+ * p_sandbox        - the sandbox handle
+ * arg              - the arg number to get (zero-based)
+ * p_out            - the result is written here
+ * RETURNS
+ * 0 on success; otherwise it's a failure.
+ */
+int ptrace_sandbox_get_socketcall_arg(struct pt_sandbox* p_sandbox,
+                                      int arg,
+                                      unsigned long* p_out);
+
+/* ptrace_sandbox_get_long()
+ * PURPOSE
+ * Gets a long from the address space of the process stopped in syscall entry.
+ * PARAMETERS
+ * p_sandbox        - the sandbox handle
+ * ptr              - the address to read the long from
+ * p_out            - the result is written here
+ * RETURNS
+ * 0 on success; otherwise it's a failure.
+ */
+int ptrace_sandbox_get_long(struct pt_sandbox* p_sandbox,
+                            unsigned long ptr,
+                            unsigned long* p_out);
+
+/* ptrace_sandbox_get_buf()
+ * PURPOSE
+ * Gets a piece of memory from the address space of the process stopped in
+ * syscall entry.
+ * PARAMETERS
+ * p_sandbox        - the sandbox handle
+ * ptr              - the address to read the buffer from
+ * len              - the length of the buffer
+ * p_buf            - the result is written here
+ * RETURNS
+ * 0 on success; otherwise it's a failure.
+ */
+int ptrace_sandbox_get_buf(struct pt_sandbox* p_sandbox,
+                           unsigned long ptr,
+                           unsigned long len,
+                           void* p_buf);
+
+/* ptrace_sandbox_attach_point()
+ * PURPOSE
+ * Used by the sandbox child code to stop and indicate it is ready to be
+ * attached to.
+ * NOTES
+ * In the event of error trying to stop, the process is forcibly killed as a
+ * security measure.
+ */
+void ptrace_sandbox_attach_point(void);
+
+/* POLICY EDIT: permits exit() and exit_group() */
+void ptrace_sandbox_permit_exit(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits read() */
+void ptrace_sandbox_permit_read(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits write() */
+void ptrace_sandbox_permit_write(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits sigaction() and rt_sigaction() */
+void ptrace_sandbox_permit_sigaction(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits alarm() */
+void ptrace_sandbox_permit_alarm(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits time() and gettimeofday() */
+void ptrace_sandbox_permit_query_time(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits mmap2() (but not the MAP_SHARED flag) */
+void ptrace_sandbox_permit_mmap(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits mprotect() */
+void ptrace_sandbox_permit_mprotect(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits stat(), stat64(), lstat(), lstat64() */
+void ptrace_sandbox_permit_file_stats(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits fstat(), fstat64() */
+void ptrace_sandbox_permit_fd_stats(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits getcwd() */
+void ptrace_sandbox_permit_getcwd(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits chdir() */
+void ptrace_sandbox_permit_chdir(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits umask() */
+void ptrace_sandbox_permit_umask(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits open(), except O_ASYNC and O_DIRECT. Only O_RDONLY
+ * allowed unless writeable is 1
+ */
+void ptrace_sandbox_permit_open(struct pt_sandbox* p_sandbox, int writeable);
+/* POLICY EDIT: permits close() */
+void ptrace_sandbox_permit_close(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits getdents(), getdents64() */
+void ptrace_sandbox_permit_getdents(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits fcntl(), fcntl64() for file locking, safe F_SETFL flag
+ * setting (no O_ASYNC, O_DIRECT), F_SETOWN for your own pid and F_SETFD.
+ */
+void ptrace_sandbox_permit_fcntl(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits sendfile(), sendfile64() */
+void ptrace_sandbox_permit_sendfile(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits lseek(), llseek() */
+void ptrace_sandbox_permit_seek(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits select(), newselect() */
+void ptrace_sandbox_permit_select(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits unlink() */
+void ptrace_sandbox_permit_unlink(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits mkdir() */
+void ptrace_sandbox_permit_mkdir(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits rmdir() */
+void ptrace_sandbox_permit_rmdir(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits rename() */
+void ptrace_sandbox_permit_rename(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits utime(), utimes() */
+void ptrace_sandbox_permit_utime(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits sigreturn() */
+void ptrace_sandbox_permit_sigreturn(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits recv() */
+void ptrace_sandbox_permit_recv(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits readlink() */
+void ptrace_sandbox_permit_readlink(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits brk() */
+void ptrace_sandbox_permit_brk(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits nanosleep() */
+void ptrace_sandbox_permit_sleep(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits fchmod() */
+void ptrace_sandbox_permit_fchmod(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits chmod() */
+void ptrace_sandbox_permit_chmod(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits fchown(), fchown32() */
+void ptrace_sandbox_permit_fchown(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits mremap() */
+void ptrace_sandbox_permit_mremap(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits ftruncate(), ftruncate64() */
+void ptrace_sandbox_permit_ftruncate(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits socket() */
+void ptrace_sandbox_permit_socket(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: set validator for socket() */
+void ptrace_sandbox_set_socket_validator(struct pt_sandbox* p_sandbox,
+                                         ptrace_sandbox_validator_t val,
+                                         void* p_arg);
+/* POLICY EDIT: permits bind() */
+void ptrace_sandbox_permit_bind(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: set validator for bind() */
+void ptrace_sandbox_set_bind_validator(struct pt_sandbox* p_sandbox,
+                                       ptrace_sandbox_validator_t val,
+                                       void* p_arg);
+/* POLICY EDIT: permits connect() */
+void ptrace_sandbox_permit_connect(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: set validator for connect() */
+void ptrace_sandbox_set_connect_validator(struct pt_sandbox* p_sandbox,
+                                          ptrace_sandbox_validator_t val,
+                                          void* p_arg);
+/* POLICY EDIT: permits listen() */
+void ptrace_sandbox_permit_listen(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits accept() */
+void ptrace_sandbox_permit_accept(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: permits setsockopt() */
+void ptrace_sandbox_permit_setsockopt(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: set validator for setsockopt() */
+void ptrace_sandbox_set_setsockopt_validator(struct pt_sandbox* p_sandbox,
+                                             ptrace_sandbox_validator_t val,
+                                             void* p_arg);
+/* POLICY EDIT: permits getsockopt() */
+void ptrace_sandbox_permit_getsockopt(struct pt_sandbox* p_sandbox);
+/* POLICY EDIT: set validator for getsockopt() */
+void ptrace_sandbox_set_getsockopt_validator(struct pt_sandbox* p_sandbox,
+                                             ptrace_sandbox_validator_t val,
+                                             void* p_arg);
+/* POLICY EDIT: permits shutdown() */
+void ptrace_sandbox_permit_shutdown(struct pt_sandbox* p_sandbox);
+
+/* The traced process is unexpectedly dead; probably an external SIGKILL */
+#define PTRACE_SANDBOX_ERR_DEAD              -1
+/* An unexpected error from ptrace() */
+#define PTRACE_SANDBOX_ERR_PTRACE            -2
+/* An unexpected error from waitpid() */
+#define PTRACE_SANDBOX_ERR_WAITPID           -3
+/* An unexpected waitpid() status was returned */
+#define PTRACE_SANDBOX_ERR_WAIT_STATUS       -4
+/* A syscall not in the policy was attempted */
+#define PTRACE_SANDBOX_ERR_POLICY_SYSCALL    -5
+/* A "bad" syscall was attemped: out-of-bounds, 64-bit in a 32-bit child etc. */
+#define PTRACE_SANDBOX_ERR_BAD_SYSCALL       -6
+/* Bad arguments to a generally accepted syscall */
+#define PTRACE_SANDBOX_ERR_POLICY_ARGS       -7
+/* Abuse of our API */
+#define PTRACE_SANDBOX_ERR_API_ABUSE_STOPIT  -8
+
+#endif /* VSF_PTRACESANDBOX_H */
+

readwrite.c

@@ -0,0 +1,184 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * readwrite.c
+ *
+ * Routines to encapsulate the underlying read / write mechanism (OpenSSL vs.
+ * plain read()/write()).
+ */
+
+#include "readwrite.h"
+#include "session.h"
+#include "netstr.h"
+#include "ssl.h"
+#include "privsock.h"
+#include "defs.h"
+#include "sysutil.h"
+
+static int plain_peek_adapter(struct vsf_session* p_sess,
+                              char* p_buf,
+                              unsigned int len);
+static int plain_read_adapter(struct vsf_session* p_sess,
+                              char* p_buf,
+                              unsigned int len);
+static int ssl_peek_adapter(struct vsf_session* p_sess,
+                            char* p_buf,
+                            unsigned int len);
+static int ssl_read_adapter(struct vsf_session* p_sess,
+                            char* p_buf,
+                            unsigned int len);
+
+int
+ftp_write_str(const struct vsf_session* p_sess, const struct mystr* p_str,
+              enum EVSFRWTarget target)
+{
+  if (target == kVSFRWData)
+  {
+    if (p_sess->data_use_ssl && p_sess->ssl_slave_active)
+    {
+      int ret = -1;
+      int written;
+      priv_sock_send_cmd(p_sess->ssl_consumer_fd, PRIV_SOCK_DO_SSL_WRITE);
+      priv_sock_send_str(p_sess->ssl_consumer_fd, p_str);
+      written = priv_sock_get_int(p_sess->ssl_consumer_fd);
+      if (written > 0 && written == (int) str_getlen(p_str))
+      {
+        ret = 0;
+      }
+      return ret;
+    }
+    else if (p_sess->data_use_ssl)
+    {
+      return ssl_write_str(p_sess->p_data_ssl, p_str);
+    }
+    else
+    {
+      return str_netfd_write(p_str, p_sess->data_fd);
+    }
+  }
+  else
+  {
+    if (p_sess->control_use_ssl && p_sess->ssl_slave_active)
+    {
+      priv_sock_send_cmd(p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP);
+      priv_sock_send_str(p_sess->ssl_consumer_fd, p_str);
+      return priv_sock_get_int(p_sess->ssl_consumer_fd);
+    }
+    else if (p_sess->control_use_ssl)
+    {
+      return ssl_write_str(p_sess->p_control_ssl, p_str);
+    }
+    else
+    {
+      return str_netfd_write(p_str, VSFTP_COMMAND_FD);
+    }
+  }
+}
+
+int
+ftp_read_data(struct vsf_session* p_sess, char* p_buf, unsigned int len)
+{
+  if (p_sess->data_use_ssl && p_sess->ssl_slave_active)
+  {
+    int ret;
+    priv_sock_send_cmd(p_sess->ssl_consumer_fd, PRIV_SOCK_DO_SSL_READ);
+    priv_sock_send_int(p_sess->ssl_consumer_fd, len);
+    ret = priv_sock_get_int(p_sess->ssl_consumer_fd);
+    priv_sock_recv_buf(p_sess->ssl_consumer_fd, p_buf, len);
+    /* Need to do this here too because it is useless in the slave process. */
+    vsf_sysutil_check_pending_actions(kVSFSysUtilIO, ret, p_sess->data_fd);
+    return ret;
+  }
+  else if (p_sess->data_use_ssl)
+  {
+    return ssl_read(p_sess, p_sess->p_data_ssl, p_buf, len);
+  }
+  else
+  {
+    return vsf_sysutil_read(p_sess->data_fd, p_buf, len);
+  }
+}
+
+int
+ftp_write_data(const struct vsf_session* p_sess, const char* p_buf,
+               unsigned int len)
+{
+  if (p_sess->data_use_ssl && p_sess->ssl_slave_active)
+  {
+    int ret;
+    priv_sock_send_cmd(p_sess->ssl_consumer_fd, PRIV_SOCK_DO_SSL_WRITE);
+    priv_sock_send_buf(p_sess->ssl_consumer_fd, p_buf, len);
+    ret = priv_sock_get_int(p_sess->ssl_consumer_fd);
+    /* Need to do this here too because it is useless in the slave process. */
+    vsf_sysutil_check_pending_actions(kVSFSysUtilIO, ret, p_sess->data_fd);
+    return ret;
+  }
+  else if (p_sess->data_use_ssl)
+  {
+    return ssl_write(p_sess->p_data_ssl, p_buf, len);
+  }
+  else
+  {
+    return vsf_sysutil_write_loop(p_sess->data_fd, p_buf, len);
+  }
+}
+
+int
+ftp_getline(struct vsf_session* p_sess, struct mystr* p_str, char* p_buf)
+{
+  if (p_sess->control_use_ssl && p_sess->ssl_slave_active)
+  {
+    int ret;
+    priv_sock_send_cmd(p_sess->ssl_consumer_fd, PRIV_SOCK_GET_USER_CMD);
+    ret = priv_sock_get_int(p_sess->ssl_consumer_fd);
+    if (ret >= 0)
+    {
+      priv_sock_get_str(p_sess->ssl_consumer_fd, p_str);
+    }
+    return ret;
+  }
+  else
+  {
+    str_netfd_read_t p_peek = plain_peek_adapter;
+    str_netfd_read_t p_read = plain_read_adapter;
+    if (p_sess->control_use_ssl)
+    {
+      p_peek = ssl_peek_adapter;
+      p_read = ssl_read_adapter;
+    }
+    return str_netfd_alloc(p_sess,
+                           p_str,
+                           '\n',
+                           p_buf,
+                           VSFTP_MAX_COMMAND_LINE,
+                           p_peek,
+                           p_read);
+  }
+}
+
+static int
+plain_peek_adapter(struct vsf_session* p_sess, char* p_buf, unsigned int len)
+{
+  (void) p_sess;
+  return vsf_sysutil_recv_peek(VSFTP_COMMAND_FD, p_buf, len);
+}
+
+static int
+plain_read_adapter(struct vsf_session* p_sess, char* p_buf, unsigned int len)
+{
+  (void) p_sess;
+  return vsf_sysutil_read_loop(VSFTP_COMMAND_FD, p_buf, len);
+}
+
+static int
+ssl_peek_adapter(struct vsf_session* p_sess, char* p_buf, unsigned int len)
+{
+  return ssl_peek(p_sess, p_sess->p_control_ssl, p_buf, len);
+}
+
+static int
+ssl_read_adapter(struct vsf_session* p_sess, char* p_buf, unsigned int len)
+{
+  return ssl_read(p_sess, p_sess->p_control_ssl, p_buf, len);
+}

readwrite.h

@@ -0,0 +1,21 @@
+#ifndef VSF_READWRITE_H
+#define VSF_READWRITE_H
+
+struct vsf_session;
+struct mystr;
+
+enum EVSFRWTarget
+{
+  kVSFRWControl = 1,
+  kVSFRWData
+};
+
+int ftp_write_str(const struct vsf_session* p_sess, const struct mystr* p_str,
+                  enum EVSFRWTarget target);
+int ftp_read_data(struct vsf_session* p_sess, char* p_buf, unsigned int len);
+int ftp_write_data(const struct vsf_session* p_sess, const char* p_buf,
+                   unsigned int len);
+int ftp_getline(struct vsf_session* p_sess, struct mystr* p_str, char* p_buf);
+
+#endif /* VSF_READWRITE_H */
+

secbuf.c

@@ -0,0 +1,89 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * secbuf.c
+ *
+ * Here are some routines providing the (possibly silly) concept of a secure
+ * buffer. A secure buffer may not be overflowed. A single byte overflow
+ * will cause the program to safely terminate.
+ */
+
+#include "secbuf.h"
+#include "utility.h"
+#include "sysutil.h"
+#include "sysdeputil.h"
+
+void
+vsf_secbuf_alloc(char** p_ptr, unsigned int size)
+{
+  unsigned int page_offset;
+  unsigned int round_up;
+  char* p_mmap;
+  char* p_no_access_page;
+  unsigned int page_size = vsf_sysutil_getpagesize();
+
+  /* Free any previous buffer */
+  vsf_secbuf_free(p_ptr);
+  /* Round up to next page size */
+  page_offset = size % page_size;
+  if (page_offset)
+  {
+    unsigned int num_pages = size / page_size;
+    num_pages++;
+    round_up = num_pages * page_size;
+  }
+  else
+  {
+    /* Allocation is on a page-size boundary */
+    round_up = size;
+  }
+  /* Add on another two pages to make inaccessible */
+  round_up += page_size * 2;
+
+  p_mmap = vsf_sysutil_map_anon_pages(round_up);
+  /* Map the first and last page inaccessible */
+  p_no_access_page = p_mmap + round_up - page_size;
+  vsf_sysutil_memprotect(p_no_access_page, page_size, kVSFSysUtilMapProtNone);
+  /* Before we make the "before" page inaccessible, store the size in it.
+   * A little hack so that we don't need to explicitly be passed the size
+   * when freeing an existing secure buffer
+   */
+  *((unsigned int*)p_mmap) = round_up;
+  p_no_access_page = p_mmap;
+  vsf_sysutil_memprotect(p_no_access_page, page_size, kVSFSysUtilMapProtNone);
+
+  p_mmap += page_size;
+  if (page_offset)
+  {
+    p_mmap += (page_size - page_offset);
+  }
+  *p_ptr = p_mmap;
+}
+
+void
+vsf_secbuf_free(char** p_ptr)
+{
+  unsigned int map_size;
+  unsigned long page_offset;
+  char* p_mmap = *p_ptr;
+  unsigned int page_size = vsf_sysutil_getpagesize();
+  if (p_mmap == 0)
+  {
+    return;
+  }
+  /* Calculate the actual start of the mmap region */
+  page_offset = (unsigned long) p_mmap % page_size;
+  if (page_offset)
+  {
+    p_mmap -= page_offset;
+  }
+  p_mmap -= page_size;
+  /* First make the first page readable so we can get the size */
+  vsf_sysutil_memprotect(p_mmap, page_size, kVSFSysUtilMapProtReadOnly);
+  /* Extract the mapping size */
+  map_size = *((unsigned int*)p_mmap);
+  /* Lose the mapping */
+  vsf_sysutil_memunmap(p_mmap, map_size);
+}
+

secbuf.h

@@ -0,0 +1,27 @@
+#ifndef VSF_SECBUF_H
+#define VSF_SECBUF_H
+
+/* vsf_secbuf_alloc()
+ * PURPOSE
+ * Allocate a "secure buffer". A secure buffer is one which will attempt to
+ * catch out of bounds accesses by crashing the program (rather than
+ * corrupting memory). It works by using UNIX memory protection. It isn't
+ * foolproof.
+ * PARAMETERS
+ * p_ptr        - pointer to a pointer which is to contain the secure buffer.
+ *                Any previous buffer pointed to is freed.
+ * size         - size in bytes required for the secure buffer.
+ */
+void vsf_secbuf_alloc(char** p_ptr, unsigned int size);
+
+/* vsf_secbuf_free()
+ * PURPOSE
+ * Frees a "secure buffer".
+ * PARAMETERS
+ * p_ptr        - pointer to a pointer containing the buffer to be freed. The
+ *                buffer pointer is nullified by this call.
+ */
+void vsf_secbuf_free(char** p_ptr);
+
+#endif /* VSF_SECBUF_H */
+

seccompsandbox.c

@@ -0,0 +1,725 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * seccompsandbox.c
+ *
+ * Code to lock down the accessible kernel API in a Linux seccomp filter
+ * sandbox. Works in Ubuntu 11.10 and newer.
+ */
+
+#include "seccompsandbox.h"
+
+#if defined(__linux__) && defined(__x86_64__)
+
+#include "session.h"
+#include "sysutil.h"
+#include "tunables.h"
+#include "utility.h"
+
+#include <errno.h>
+
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+
+#include <sys/fcntl.h>
+#include <sys/mman.h>
+#include <sys/prctl.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
+#include <linux/filter.h>
+
+#include <asm/unistd.h>
+
+/* #define DEBUG_SIGSYS 1 */
+
+#ifndef PR_SET_SECCOMP
+  #define PR_SET_SECCOMP 22
+#endif
+
+#ifndef PR_SET_NO_NEW_PRIVS
+  #define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#ifndef __NR_openat
+  #define __NR_openat 257
+#endif
+
+#ifndef O_LARGEFILE
+  #define O_LARGEFILE 00100000
+#endif
+
+#ifndef O_DIRECTORY
+  #define O_DIRECTORY 00200000
+#endif
+
+#ifndef O_CLOEXEC
+  #define O_CLOEXEC 002000000
+#endif
+
+#define kMaxSyscalls 100
+
+#ifdef DEBUG_SIGSYS
+
+#include <signal.h>
+#include <string.h>
+
+void
+handle_sigsys(int sig)
+{
+  (void) sig;
+}
+#endif
+
+static const int kOpenFlags =
+    O_CREAT|O_EXCL|O_APPEND|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_LARGEFILE;
+
+static size_t s_syscall_index;
+static size_t s_1_arg_validations;
+static size_t s_2_arg_validations;
+static size_t s_3_arg_validations;
+static int s_syscalls[kMaxSyscalls];
+static int s_errnos[kMaxSyscalls];
+static int s_args_1[kMaxSyscalls];
+static int s_vals_1[kMaxSyscalls];
+static int s_args_2[kMaxSyscalls];
+static int s_vals_2[kMaxSyscalls];
+static int s_args_3[kMaxSyscalls];
+static int s_vals_3[kMaxSyscalls];
+
+static void
+allow_nr(int nr)
+{
+  if (s_syscall_index >= kMaxSyscalls)
+  {
+    bug("out of syscall space");
+  }
+  if (nr < 0)
+  {
+    bug("negative syscall");
+  }
+  s_errnos[s_syscall_index] = 0;
+  s_syscalls[s_syscall_index++] = nr;
+}
+
+static void
+reject_nr(int nr, int errcode)
+{
+  if (s_syscall_index >= kMaxSyscalls)
+  {
+    bug("out of syscall space");
+  }
+  if (nr < 0)
+  {
+    bug("negative syscall");
+  }
+  if (errcode < 0 || errcode > 255)
+  {
+    bug("bad errcode");
+  }
+  s_errnos[s_syscall_index] = errcode;
+  s_syscalls[s_syscall_index++] = nr;
+}
+
+static void
+allow_nr_1_arg_match(int nr, int arg, int val)
+{
+  if (s_syscall_index >= kMaxSyscalls)
+  {
+    bug("out of syscall space");
+  }
+  if (nr < 0)
+  {
+    bug("negative syscall");
+  }
+  if (arg < 1 || arg > 6)
+  {
+    bug("arg out of range");
+  }
+  s_args_1[s_syscall_index] = arg;
+  s_vals_1[s_syscall_index] = val;
+  s_errnos[s_syscall_index] = 0;
+  s_syscalls[s_syscall_index++] = nr;
+  s_1_arg_validations++;
+}
+
+static void
+allow_nr_1_arg_mask(int nr, int arg, int val)
+{
+  if (s_syscall_index >= kMaxSyscalls)
+  {
+    bug("out of syscall space");
+  }
+  if (nr < 0)
+  {
+    bug("negative syscall");
+  }
+  if (arg < 1 || arg > 6)
+  {
+    bug("arg out of range");
+  }
+  s_args_1[s_syscall_index] = 100 + arg;
+  s_vals_1[s_syscall_index] = val;
+  s_errnos[s_syscall_index] = 0;
+  s_syscalls[s_syscall_index++] = nr;
+  s_1_arg_validations++;
+}
+
+static void
+allow_nr_2_arg_match(int nr, int arg1, int val1, int arg2, int val2)
+{
+  if (s_syscall_index >= kMaxSyscalls)
+  {
+    bug("out of syscall space");
+  }
+  if (nr < 0)
+  {
+    bug("negative syscall");
+  }
+  if (arg1 < 1 || arg1 > 6)
+  {
+    bug("arg1 out of range");
+  }
+  if (arg2 < 1 || arg2 > 6)
+  {
+    bug("arg2 out of range");
+  }
+  s_args_1[s_syscall_index] = arg1;
+  s_vals_1[s_syscall_index] = val1;
+  s_args_2[s_syscall_index] = arg2;
+  s_vals_2[s_syscall_index] = val2;
+  s_errnos[s_syscall_index] = 0;
+  s_syscalls[s_syscall_index++] = nr;
+  s_2_arg_validations++;
+}
+
+static void
+allow_nr_2_arg_mask_match(int nr, int arg1, int val1, int arg2, int val2)
+{
+  if (s_syscall_index >= kMaxSyscalls)
+  {
+    bug("out of syscall space");
+  }
+  if (nr < 0)
+  {
+    bug("negative syscall");
+  }
+  if (arg1 < 1 || arg1 > 6)
+  {
+    bug("arg1 out of range");
+  }
+  if (arg2 < 1 || arg2 > 6)
+  {
+    bug("arg2 out of range");
+  }
+  s_args_1[s_syscall_index] = 100 + arg1;
+  s_vals_1[s_syscall_index] = val1;
+  s_args_2[s_syscall_index] = arg2;
+  s_vals_2[s_syscall_index] = val2;
+  s_errnos[s_syscall_index] = 0;
+  s_syscalls[s_syscall_index++] = nr;
+  s_2_arg_validations++;
+}
+
+static void
+allow_nr_3_arg_match(int nr, int arg1, int val1, int arg2, int val2, int arg3,
+                     int val3)
+{
+  if (s_syscall_index >= kMaxSyscalls)
+  {
+    bug("out of syscall space");
+  }
+  if (nr < 0)
+  {
+    bug("negative syscall");
+  }
+  if (arg1 < 1 || arg1 > 6)
+  {
+    bug("arg1 out of range");
+  }
+  if (arg2 < 1 || arg2 > 6)
+  {
+    bug("arg2 out of range");
+  }
+  if (arg3 < 1 || arg3 > 6)
+  {
+    bug("arg3 out of range");
+  }
+  s_args_1[s_syscall_index] = arg1;
+  s_vals_1[s_syscall_index] = val1;
+  s_args_2[s_syscall_index] = arg2;
+  s_vals_2[s_syscall_index] = val2;
+  s_args_3[s_syscall_index] = arg3;
+  s_vals_3[s_syscall_index] = val3;
+  s_errnos[s_syscall_index] = 0;
+  s_syscalls[s_syscall_index++] = nr;
+  s_3_arg_validations++;
+}
+
+static void
+seccomp_sandbox_setup_data_connections()
+{
+  allow_nr_3_arg_match(__NR_socket, 1, PF_INET, 2, SOCK_STREAM, 3, IPPROTO_TCP);
+  allow_nr_3_arg_match(__NR_socket,
+                       1, PF_INET6,
+                       2, SOCK_STREAM,
+                       3, IPPROTO_TCP);
+  allow_nr(__NR_bind);
+  allow_nr(__NR_select);
+  if (tunable_port_enable)
+  {
+    allow_nr(__NR_connect);
+    allow_nr_2_arg_match(__NR_getsockopt, 2, SOL_SOCKET, 3, SO_ERROR);
+    allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_REUSEADDR);
+    allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
+    allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR|O_NONBLOCK);
+    allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);
+  }
+  if (tunable_pasv_enable)
+  {
+    allow_nr(__NR_listen);
+    allow_nr(__NR_accept);
+  }
+}
+
+static void
+seccomp_sandbox_setup_base()
+{
+  /* Simple reads and writes on existing descriptors. */
+  allow_nr(__NR_read);
+  allow_nr(__NR_write);
+
+  /* Needed for memory management. */
+  allow_nr_2_arg_match(__NR_mmap,
+                       3, PROT_READ|PROT_WRITE,
+                       4, MAP_PRIVATE|MAP_ANON);
+  allow_nr_1_arg_mask(__NR_mprotect, 3, PROT_READ);
+  allow_nr(__NR_munmap);
+  allow_nr(__NR_brk);
+  /* glibc falls back gracefully if mremap() fails during realloc(). */
+  reject_nr(__NR_mremap, ENOSYS);
+
+  /* Misc simple low-risk calls. */
+  allow_nr(__NR_gettimeofday); /* Used by logging. */
+  allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
+  allow_nr(__NR_restart_syscall);
+  allow_nr(__NR_close);
+
+  /* Always need to be able to exit ! */
+  allow_nr(__NR_exit_group);
+}
+
+void
+seccomp_sandbox_init()
+{
+  if (s_syscall_index != 0)
+  {
+    bug("bad state in seccomp_sandbox_init");
+  }
+}
+
+void
+seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
+{
+  (void) p_sess;
+
+  seccomp_sandbox_setup_base();
+
+  /* Peeking FTP commands from the network. */
+  allow_nr_1_arg_match(__NR_recvfrom, 4, MSG_PEEK);
+
+  /* Misc simple low-risk calls */
+  allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
+  allow_nr(__NR_getpid); /* Used by logging. */
+  allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
+  allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
+  /* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
+   * Also, sockets are O_RDWR.
+   */
+  allow_nr_2_arg_mask_match(__NR_fcntl, 3, kOpenFlags|O_ACCMODE, 2, F_SETFL);
+
+  /* Config-dependent items follow. */
+  if (tunable_idle_session_timeout > 0)
+  {
+    allow_nr(__NR_rt_sigaction);
+    allow_nr(__NR_alarm);
+  }
+  if (tunable_xferlog_enable || tunable_dual_log_enable)
+  {
+    /* For file locking. */
+    allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLKW);
+    allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLK);
+  }
+  if (tunable_ssl_enable)
+  {
+    allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+    allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
+  }
+  if (tunable_syslog_enable)
+  {
+    reject_nr(__NR_socket, EACCES);
+  }
+}
+
+void
+seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
+{
+  int is_anon = p_sess->is_anonymous;
+  int open_flag = kOpenFlags;
+  if (tunable_write_enable)
+  {
+    open_flag |= O_ACCMODE;
+  }
+
+  /* Put lstat() first because it is a very hot syscall for large directory
+   * listings. And the current BPF only allows a linear scan of allowed
+   * syscalls.
+   */
+  allow_nr(__NR_lstat);
+
+  /* Allow all the simple pre-login things and then expand upon them. */
+  seccomp_sandbox_setup_prelogin(p_sess);
+
+  /* Simple file descriptor-based operations. */
+  if (tunable_xferlog_enable || tunable_dual_log_enable ||
+      tunable_lock_upload_files)
+  {
+    allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLKW);
+    allow_nr_1_arg_match(__NR_fcntl, 2, F_SETLK);
+  }
+  if (tunable_async_abor_enable)
+  {
+    allow_nr_2_arg_match(__NR_fcntl, 2, F_SETOWN, 3, vsf_sysutil_getpid());
+  }
+  allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_KEEPALIVE);
+  allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_SOCKET, 3, SO_LINGER);
+  allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_IP, 3, IP_TOS);
+  allow_nr(__NR_fstat);
+  allow_nr(__NR_lseek);
+  /* Since we use chroot() to restrict filesystem access, we can just blanket
+   * allow open().
+   */
+  allow_nr_1_arg_mask(__NR_open, 2, open_flag);
+  allow_nr_1_arg_mask(__NR_openat, 3, open_flag);
+  /* Other pathname-based metadata queries. */
+  allow_nr(__NR_stat);
+  allow_nr(__NR_readlink);
+  /* Directory handling: query, change, read. */
+  allow_nr(__NR_getcwd);
+  allow_nr(__NR_chdir);
+  allow_nr(__NR_getdents);
+  /* Misc */
+  allow_nr(__NR_umask);
+
+  /* Config-dependent items follow. */
+  if (tunable_use_sendfile)
+  {
+    allow_nr(__NR_sendfile);
+  }
+  if (tunable_idle_session_timeout > 0 ||
+      tunable_data_connection_timeout > 0 ||
+      tunable_async_abor_enable)
+  {
+    allow_nr(__NR_rt_sigaction);
+  }
+  if (tunable_idle_session_timeout > 0 || tunable_data_connection_timeout > 0)
+  {
+    allow_nr(__NR_alarm);
+  }
+
+  if (tunable_one_process_model)
+  {
+    seccomp_sandbox_setup_data_connections();
+    if (is_anon && tunable_chown_uploads)
+    {
+      allow_nr(__NR_fchmod);
+      allow_nr(__NR_fchown);
+    }
+  }
+  else
+  {
+    /* Need to receieve file descriptors from privileged broker. */
+    allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+    if ((is_anon && tunable_chown_uploads) || tunable_ssl_enable)
+    {
+      /* Need to send file descriptors to privileged broker. */
+      allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
+    }
+  }
+
+  if (tunable_syslog_enable)
+  {
+    /* The ability to pass an address spec isn't needed so disable it. We ensure
+     * the 6th arg (socklen) is 0. We could have checked the 5th arg (sockptr)
+     * but I don't know if 64-bit compares work in the kernel filter, so we're
+     * happy to check the socklen arg, which is 32 bits.
+     */
+    allow_nr_1_arg_match(__NR_sendto, 6, 0);
+  }
+
+  if (tunable_text_userdb_names)
+  {
+    reject_nr(__NR_socket, EACCES);
+    allow_nr_2_arg_match(__NR_mmap, 3, PROT_READ, 4, MAP_SHARED);
+  }
+
+  if (tunable_write_enable)
+  {
+    if (!is_anon || tunable_anon_mkdir_write_enable)
+    {
+      allow_nr(__NR_mkdir);
+    }
+    if (!is_anon ||
+        tunable_anon_other_write_enable ||
+        tunable_delete_failed_uploads)
+    {
+      allow_nr(__NR_unlink);
+    }
+    if (!is_anon || tunable_anon_other_write_enable)
+    {
+      allow_nr(__NR_rmdir);
+      allow_nr(__NR_rename);
+      allow_nr(__NR_ftruncate);
+      if (tunable_mdtm_write)
+      {
+        allow_nr(__NR_utime);
+        allow_nr(__NR_utimes);
+      }
+    }
+    if (!is_anon && tunable_chmod_enable)
+    {
+      allow_nr(__NR_chmod);
+    }
+  }
+}
+
+void
+seccomp_sandbox_setup_postlogin_broker()
+{
+  seccomp_sandbox_setup_base();
+  seccomp_sandbox_setup_data_connections();
+  allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
+}
+
+void
+seccomp_sandbox_lockdown()
+{
+  size_t len = (s_syscall_index * 2) +
+               (s_1_arg_validations * 3) +
+               (s_2_arg_validations * 5) +
+               (s_3_arg_validations * 7) +
+               5;
+  struct sock_filter filters[len];
+  struct sock_filter* p_filter = filters;
+  struct sock_fprog prog;
+  size_t i;
+  int ret;
+
+  prog.len = len;
+  prog.filter = filters;
+  /* Validate the syscall architecture. */
+  p_filter->code = BPF_LD+BPF_W+BPF_ABS;
+  p_filter->jt = 0;
+  p_filter->jf = 0;
+  /* Offset 4 for syscall architecture. */
+  p_filter->k = 4;
+  p_filter++;
+  p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
+  p_filter->jt = 1;
+  p_filter->jf = 0;
+  /* AUDIT_ARCH_X86_64 */
+  p_filter->k = 0xc000003e;
+  p_filter++;
+  p_filter->code = BPF_RET+BPF_K;
+  p_filter->jt = 0;
+  p_filter->jf = 0;
+  /* SECCOMP_RET_KILL */
+  p_filter->k = 0;
+  p_filter++;
+
+  /* Load the syscall number. */
+  p_filter->code = BPF_LD+BPF_W+BPF_ABS;
+  p_filter->jt = 0;
+  p_filter->jf = 0;
+  /* Offset 0 for syscall number. */
+  p_filter->k = 0;
+  p_filter++;
+
+  for (i = 0; i < s_syscall_index; ++i)
+  {
+    int block_size = 1;
+    if (s_args_3[i])
+    {
+      block_size = 8;
+    }
+    else if (s_args_2[i])
+    {
+      block_size = 6;
+    }
+    else if (s_args_1[i])
+    {
+      block_size = 4;
+    }
+    /* Check for syscall number match. */
+    p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
+    p_filter->jt = 0;
+    p_filter->jf = block_size;
+    p_filter->k = s_syscalls[i];
+    p_filter++;
+    /* Check argument matches if necessary. */
+    if (s_args_3[i])
+    {
+      p_filter->code = BPF_LD+BPF_W+BPF_ABS;
+      p_filter->jt = 0;
+      p_filter->jf = 0;
+      p_filter->k = 16 + ((s_args_3[i] - 1) * 8);
+      p_filter++;
+      p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
+      p_filter->jt = 0;
+      p_filter->jf = 5;
+      p_filter->k = s_vals_3[i];
+      p_filter++;
+    }
+    if (s_args_2[i])
+    {
+      p_filter->code = BPF_LD+BPF_W+BPF_ABS;
+      p_filter->jt = 0;
+      p_filter->jf = 0;
+      p_filter->k = 16 + ((s_args_2[i] - 1) * 8);
+      p_filter++;
+      p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
+      p_filter->jt = 0;
+      p_filter->jf = 3;
+      p_filter->k = s_vals_2[i];
+      p_filter++;
+    }
+    if (s_args_1[i])
+    {
+      int arg = s_args_1[i];
+      int code = BPF_JMP+BPF_JEQ+BPF_K;
+      int val = s_vals_1[i];
+      int jt = 0;
+      int jf = 1;
+      if (arg > 100)
+      {
+        arg -= 100;
+        code = BPF_JMP+BPF_JSET+BPF_K;
+        val = ~val;
+        jt = 1;
+        jf = 0;
+      }
+      p_filter->code = BPF_LD+BPF_W+BPF_ABS;
+      p_filter->jt = 0;
+      p_filter->jf = 0;
+      p_filter->k = 16 + ((arg - 1) * 8);
+      p_filter++;
+      p_filter->code = code;
+      p_filter->jt = jt;
+      p_filter->jf = jf;
+      p_filter->k = val;
+      p_filter++;
+    }
+    p_filter->code = BPF_RET+BPF_K;
+    p_filter->jt = 0;
+    p_filter->jf = 0;
+    if (!s_errnos[i])
+    {
+      /* SECCOMP_RET_ALLOW */
+      p_filter->k = 0x7fff0000;
+    }
+    else
+    {
+      /* SECCOMP_RET_ERRNO */
+      p_filter->k = 0x00050000 + s_errnos[i];
+    }
+    p_filter++;
+    if (s_args_1[i])
+    {
+      /* We trashed the accumulator so put it back. */
+      p_filter->code = BPF_LD+BPF_W+BPF_ABS;
+      p_filter->jt = 0;
+      p_filter->jf = 0;
+      p_filter->k = 0;
+      p_filter++;
+    }
+  }
+  /* No "allow" matches so kill. */
+  p_filter->code = BPF_RET+BPF_K;
+  p_filter->jt = 0;
+  p_filter->jf = 0;
+#ifdef DEBUG_SIGSYS
+  /* SECCOMP_RET_TRAP */
+  p_filter->k = 0x00030000;
+#else
+  /* SECCOMP_RET_KILL */
+  p_filter->k = 0;
+#endif
+
+  ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+  if (ret != 0)
+  {
+    if (errno == EINVAL)
+    {
+      /* Kernel isn't good enough. */
+      return;
+    }
+    die("prctl PR_SET_NO_NEW_PRIVS");
+  }
+
+  if (!tunable_seccomp_sandbox)
+  {
+    return;
+  }
+
+#ifdef DEBUG_SIGSYS
+  {
+    struct sigaction sa;
+    memset(&sa, '\0', sizeof(sa));
+    sa.sa_handler = handle_sigsys;
+    sigaction(SIGSYS, &sa, NULL);
+  }
+#endif
+
+  ret = prctl(PR_SET_SECCOMP, 2, &prog, 0, 0);
+  if (ret != 0)
+  {
+    if (errno == EINVAL)
+    {
+      /* Kernel isn't good enough. */
+      return;
+    }
+    die("prctl PR_SET_SECCOMP failed");
+  }
+}
+
+#else /* __linux__ && __x86_64__ */
+
+void
+seccomp_sandbox_init()
+{
+}
+
+void
+seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+void
+seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+void
+seccomp_sandbox_setup_postlogin_broker()
+{
+}
+
+void
+seccomp_sandbox_lockdown()
+{
+}
+
+#endif /* __linux__ && __x86_64__ */

seccompsandbox.h

@@ -0,0 +1,17 @@
+#ifndef VSF_SECCOMPSANDBOX_H
+#define VSF_SECCOMPSANDBOX_H
+
+struct vsf_session;
+
+void seccomp_sandbox_init();
+
+void seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess);
+
+void seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess);
+
+void seccomp_sandbox_setup_postlogin_broker();
+
+void seccomp_sandbox_lockdown();
+
+#endif /* VSF_SECCOMPSANDBOX_H */
+

secutil.c

@@ -0,0 +1,144 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * secutil.c
+ */
+
+#include "secutil.h"
+#include "str.h"
+#include "sysutil.h"
+#include "sysstr.h"
+#include "utility.h"
+#include "sysdeputil.h"
+
+void
+vsf_secutil_change_credentials(const struct mystr* p_user_str,
+                               const struct mystr* p_dir_str,
+                               const struct mystr* p_ext_dir_str,
+                               unsigned int caps, unsigned int options)
+{
+  struct vsf_sysutil_user* p_user;
+  if (!vsf_sysutil_running_as_root())
+  {
+    bug("not running as root");
+  }
+  p_user = str_getpwnam(p_user_str);
+  if (p_user == 0)
+  {
+    die2("cannot locate user entry:", str_getbuf(p_user_str));
+  }
+  {
+    struct mystr dir_str = INIT_MYSTR;
+    /* Work out where the chroot() jail is */
+    if (p_dir_str == 0 || str_isempty(p_dir_str))
+    {
+      str_alloc_text(&dir_str, vsf_sysutil_user_get_homedir(p_user));
+    }
+    else
+    {
+      str_copy(&dir_str, p_dir_str);
+    }
+    /* Sort out supplementary groups before the chroot(). We need to access
+     * /etc/groups
+     */
+    if (options & VSF_SECUTIL_OPTION_USE_GROUPS)
+    {
+      vsf_sysutil_initgroups(p_user);
+    }
+    else
+    {
+      vsf_sysutil_clear_supp_groups();
+    }
+    /* Always do the chdir() regardless of whether we are chroot()'ing */
+    {
+      /* Do chdir() with the target effective IDs to cater for NFS mounted
+       * home directories.
+       */
+      int saved_euid = 0;
+      int saved_egid = 0;
+      int retval;
+      if (options & VSF_SECUTIL_OPTION_CHANGE_EUID)
+      {
+        saved_euid = vsf_sysutil_geteuid();
+        saved_egid = vsf_sysutil_getegid();
+        vsf_sysutil_setegid(p_user);
+        vsf_sysutil_seteuid(p_user);
+      }
+      retval = str_chdir(&dir_str);
+      if (retval != 0)
+      {
+        die2("cannot change directory:", str_getbuf(&dir_str));
+      }
+      if (p_ext_dir_str && !str_isempty(p_ext_dir_str))
+      {
+        retval = str_chdir(p_ext_dir_str);
+        /* Failure on the extra directory is OK as long as we're not in
+         * chroot() mode
+         */
+        if (retval != 0 && !(options & VSF_SECUTIL_OPTION_CHROOT))
+        {
+          retval = 0;
+        }
+      }
+      if (retval != 0)
+      {
+        die2("cannot change directory:", str_getbuf(p_ext_dir_str));
+      }
+      if (options & VSF_SECUTIL_OPTION_CHANGE_EUID)
+      {
+        vsf_sysutil_seteuid_numeric(saved_euid);
+        vsf_sysutil_setegid_numeric(saved_egid);
+      }
+      /* Do the chroot() if required */
+      if (options & VSF_SECUTIL_OPTION_CHROOT)
+      {
+        vsf_sysutil_chroot(".");
+      }
+    }
+    str_free(&dir_str);
+  }
+  if (options & VSF_SECUTIL_OPTION_NO_FDS)
+  {
+    vsf_sysutil_set_no_fds();
+  }
+  /* Handle capabilities */
+  if (caps)
+  {
+    if (!vsf_sysdep_has_capabilities())
+    {
+      /* Need privilege but OS has no capabilities - have to keep root */
+      return;
+    }
+    if (!vsf_sysdep_has_capabilities_as_non_root())
+    {
+      vsf_sysdep_adopt_capabilities(caps);
+      return;
+    }
+    vsf_sysdep_keep_capabilities();
+  }
+  /* Set group id */
+  vsf_sysutil_setgid(p_user);
+  /* Finally set user id */
+  vsf_sysutil_setuid(p_user);
+  if (caps)
+  {
+    vsf_sysdep_adopt_capabilities(caps);
+  }
+  if (options & VSF_SECUTIL_OPTION_NO_PROCS)
+  {
+    vsf_sysutil_set_no_procs();
+  }
+  /* Misconfiguration check: don't ever chroot() to a directory writable by
+   * the current user.
+   */
+  if ((options & VSF_SECUTIL_OPTION_CHROOT) &&
+      !(options & VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT))
+  {
+    if (vsf_sysutil_write_access("/"))
+    {
+      die("ftpz: writable root inside chroot()");
+    }
+  }
+}
+

secutil.h

@@ -0,0 +1,43 @@
+#ifndef VSF_SECUTIL_H
+#define VSF_SECUTIL_H
+
+struct mystr;
+
+/* vsf_secutil_change_credentials()
+ * PURPOSE
+ * This function securely switches process credentials to the user specified.
+ * There are options to enter a chroot() jail, and supplementary groups may
+ * or may not be activated.
+ * PARAMETERS
+ * p_user_str     - the name of the user to become
+ * p_dir_str      - the directory to chdir() and possibly chroot() to.
+ *                  (if NULL, the user's home directory is used)
+ * p_ext_dir_str  - the directory to chdir() and possibly chroot() to,
+ *                  applied in addition to the directory calculated by
+ *                  p_user_str and p_dir_str.
+ * caps           - bitmap of capabilities to adopt. NOTE, if the underlying
+ *                  OS does not support capabilities as a non-root user, and
+ *                  the capability bitset is non-empty, then root privileges
+ *                  will have to be retained.
+ * options        - see bitmask definitions below
+ */
+
+/* chroot() the user into the new directory */
+#define VSF_SECUTIL_OPTION_CHROOT                   1
+/* Activate any supplementary groups the user may have */
+#define VSF_SECUTIL_OPTION_USE_GROUPS               2
+/* Do the chdir() as the effective userid of the target user */
+#define VSF_SECUTIL_OPTION_CHANGE_EUID              4
+/* Use RLIMIT_NOFILE to prevent the opening of new fds */
+#define VSF_SECUTIL_OPTION_NO_FDS                   8
+/* Use RLIMIT_NPROC to prevent the launching of new processes */
+#define VSF_SECUTIL_OPTION_NO_PROCS                 16
+/* Permit a writeable chroot() root */
+#define VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT     32
+
+void vsf_secutil_change_credentials(const struct mystr* p_user_str,
+                                    const struct mystr* p_dir_str,
+                                    const struct mystr* p_ext_dir_str,
+                                    unsigned int caps, unsigned int options);
+#endif /* VSF_SECUTIL_H */
+

session.h

@@ -0,0 +1,105 @@
+#ifndef VSF_SESSION_H
+#define VSF_SESSION_H
+
+#ifndef VSFTP_STR_H
+#include "str.h"
+#endif
+
+#ifndef VSF_FILESIZE_H
+#include "filesize.h"
+#endif
+
+struct vsf_sysutil_sockaddr;
+struct mystr_list;
+
+/* This struct contains variables specific to the state of the current FTP
+ * session
+ */
+struct vsf_session
+{
+  /* Details of the control connection */
+  struct vsf_sysutil_sockaddr* p_local_addr;
+  struct vsf_sysutil_sockaddr* p_remote_addr;
+  char* p_control_line_buf;
+  int idle_timeout;
+  int data_timeout;
+
+  /* Details of the data connection */
+  int pasv_listen_fd;
+  struct vsf_sysutil_sockaddr* p_port_sockaddr;
+  int data_fd;
+  int data_progress;
+  unsigned int bw_rate_max;
+  long bw_send_start_sec;
+  long bw_send_start_usec;
+
+  /* Details of the login */
+  int is_anonymous;
+  int is_guest;
+  struct mystr user_str;
+  struct mystr anon_pass_str;
+
+  /* Details of the FTP protocol state */
+  filesize_t restart_pos;
+  int is_ascii;
+  struct mystr rnfr_filename_str;
+  int abor_received;
+  int epsv_all;
+
+  /* HTTP hacks */
+  int is_http;
+  struct mystr http_get_arg;
+
+  /* Details of FTP session state */
+  struct mystr_list* p_visited_dir_list;
+
+  /* Details of userids which are interesting to us */
+  int anon_ftp_uid;
+  int guest_user_uid;
+  int anon_upload_chown_uid;
+
+  /* Things we need to cache before we chroot() */
+  struct mystr banned_email_str;
+  struct mystr email_passwords_str;
+  struct mystr userlist_str;
+  struct mystr banner_str;
+  int tcp_wrapper_ok;
+
+  /* Logging related details */
+  int xferlog_fd;
+  int vsftpd_log_fd;
+  struct mystr remote_ip_str;
+  unsigned long log_type;
+  long log_start_sec;
+  long log_start_usec;
+  struct mystr log_str;
+  filesize_t transfer_size;
+
+  /* Buffers */
+  struct mystr ftp_cmd_str;
+  struct mystr ftp_arg_str;
+
+  /* Parent<->child comms channel */
+  int parent_fd;
+  int child_fd;
+
+  /* Other details */
+  unsigned int num_clients;
+  unsigned int num_this_ip;
+  struct mystr home_str;
+
+  /* Secure connections state */
+  int control_use_ssl;
+  int data_use_ssl;
+  void* p_ssl_ctx;
+  void* p_control_ssl;
+  void* p_data_ssl;
+  struct mystr control_cert_digest;
+  int ssl_slave_active;
+  int ssl_slave_fd;
+  int ssl_consumer_fd;
+  unsigned int login_fails;
+};
+
+#endif /* VSF_SESSION_H */
+

ssl.c

@@ -0,0 +1,840 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2. Note that this code interfaces with with the OpenSSL
+ * libraries, so please read LICENSE where I give explicit permission to link
+ * against the OpenSSL libraries.
+ * Author: Chris Evans
+ * ssl.c
+ *
+ * Routines to handle a SSL/TLS-based implementation of RFC 2228, i.e.
+ * encryption.
+ */
+
+#include "ssl.h"
+#include "session.h"
+#include "ftpcodes.h"
+#include "ftpcmdio.h"
+#include "defs.h"
+#include "str.h"
+#include "sysutil.h"
+#include "tunables.h"
+#include "utility.h"
+#include "builddefs.h"
+#include "logging.h"
+
+#ifdef VSF_BUILD_SSL
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/bio.h>
+#include <errno.h>
+#include <limits.h>
+
+static char* get_ssl_error();
+static SSL* get_ssl(struct vsf_session* p_sess, int fd);
+static int ssl_session_init(struct vsf_session* p_sess);
+static void setup_bio_callbacks();
+static long bio_callback(
+  BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
+static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+static int ssl_cert_digest(
+  SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
+static void maybe_log_shutdown_state(struct vsf_session* p_sess);
+static void maybe_log_ssl_error_state(struct vsf_session* p_sess, int ret);
+static int ssl_read_common(struct vsf_session* p_sess,
+                           SSL* p_ssl,
+                           char* p_buf,
+                           unsigned int len,
+                           int (*p_ssl_func)(SSL*, void*, int));
+
+static int ssl_inited;
+static struct mystr debug_str;
+
+void
+ssl_init(struct vsf_session* p_sess)
+{
+  if (!ssl_inited)
+  {
+    SSL_CTX* p_ctx;
+    long options;
+    int verify_option = 0;
+    SSL_library_init();
+    p_ctx = SSL_CTX_new(SSLv23_server_method());
+    if (p_ctx == NULL)
+    {
+      die("SSL: could not allocate SSL context");
+    }
+    options = SSL_OP_ALL;
+    if (!tunable_sslv2)
+    {
+      options |= SSL_OP_NO_SSLv2;
+    }
+    if (!tunable_sslv3)
+    {
+      options |= SSL_OP_NO_SSLv3;
+    }
+    if (!tunable_tlsv1)
+    {
+      options |= SSL_OP_NO_TLSv1;
+    }
+    SSL_CTX_set_options(p_ctx, options);
+    if (tunable_rsa_cert_file)
+    {
+      const char* p_key = tunable_rsa_private_key_file;
+      if (!p_key)
+      {
+        p_key = tunable_rsa_cert_file;
+      }
+      if (SSL_CTX_use_certificate_chain_file(p_ctx, tunable_rsa_cert_file) != 1)
+      {
+        die("SSL: cannot load RSA certificate");
+      }
+      if (SSL_CTX_use_PrivateKey_file(p_ctx, p_key, X509_FILETYPE_PEM) != 1)
+      {
+        die("SSL: cannot load RSA private key");
+      }
+    }
+    if (tunable_dsa_cert_file)
+    {
+      const char* p_key = tunable_dsa_private_key_file;
+      if (!p_key)
+      {
+        p_key = tunable_dsa_cert_file;
+      }
+      if (SSL_CTX_use_certificate_chain_file(p_ctx, tunable_dsa_cert_file) != 1)
+      {
+        die("SSL: cannot load DSA certificate");
+      }
+      if (SSL_CTX_use_PrivateKey_file(p_ctx, p_key, X509_FILETYPE_PEM) != 1)
+      {
+        die("SSL: cannot load DSA private key");
+      }
+    }
+    if (tunable_ssl_ciphers &&
+        SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
+    {
+      die("SSL: could not set cipher list");
+    }
+    if (RAND_status() != 1)
+    {
+      die("SSL: RNG is not seeded");
+    }
+    {
+      EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+      if (key == NULL)
+      {
+        die("SSL: failed to get curve p256");
+      }
+      SSL_CTX_set_tmp_ecdh(p_ctx, key);
+      EC_KEY_free(key);
+    }
+    if (tunable_ssl_request_cert)
+    {
+      verify_option |= SSL_VERIFY_PEER;
+    }
+    if (tunable_require_cert)
+    {
+      verify_option |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+    }
+    if (verify_option)
+    {
+      SSL_CTX_set_verify(p_ctx, verify_option, ssl_verify_callback);
+      if (tunable_ca_certs_file)
+      {
+        STACK_OF(X509_NAME)* p_names;
+        if (!SSL_CTX_load_verify_locations(p_ctx, tunable_ca_certs_file, NULL))
+        {
+          die("SSL: could not load verify file");
+        }
+        p_names = SSL_load_client_CA_file(tunable_ca_certs_file);
+        if (!p_names)
+        {
+          die("SSL: could not load client certs file");
+        }
+        SSL_CTX_set_client_CA_list(p_ctx, p_names);
+      }
+    }
+    {
+      static const char* p_ctx_id = "vsftpd";
+      SSL_CTX_set_session_id_context(p_ctx, (void*) p_ctx_id,
+                                     vsf_sysutil_strlen(p_ctx_id));
+    }
+    if (tunable_require_ssl_reuse)
+    {
+      /* Ensure cached session doesn't expire */
+      SSL_CTX_set_timeout(p_ctx, INT_MAX);
+    }
+    p_sess->p_ssl_ctx = p_ctx;
+    ssl_inited = 1;
+  }
+}
+
+void
+ssl_control_handshake(struct vsf_session* p_sess)
+{
+  if (!ssl_session_init(p_sess))
+  {
+    struct mystr err_str = INIT_MYSTR;
+    str_alloc_text(&err_str, "Negotiation failed: ");
+    /* Technically, we shouldn't leak such detailed error messages. */
+    str_append_text(&err_str, get_ssl_error());
+    vsf_cmdio_write_str(p_sess, FTP_TLS_FAIL, &err_str);
+    vsf_sysutil_exit(1);
+  }
+  p_sess->control_use_ssl = 1;
+}
+
+void
+handle_auth(struct vsf_session* p_sess)
+{
+  str_upper(&p_sess->ftp_arg_str);
+  if (str_equal_text(&p_sess->ftp_arg_str, "TLS") ||
+      str_equal_text(&p_sess->ftp_arg_str, "TLS-C") ||
+      str_equal_text(&p_sess->ftp_arg_str, "SSL") ||
+      str_equal_text(&p_sess->ftp_arg_str, "TLS-P"))
+  {
+    vsf_cmdio_write(p_sess, FTP_AUTHOK, "Proceed with negotiation.");
+    ssl_control_handshake(p_sess);
+    if (str_equal_text(&p_sess->ftp_arg_str, "SSL") ||
+        str_equal_text(&p_sess->ftp_arg_str, "TLS-P"))
+    {
+      p_sess->data_use_ssl = 1;
+    }
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_BADAUTH, "Unknown AUTH type.");
+  }
+}
+
+void
+handle_pbsz(struct vsf_session* p_sess)
+{
+  if (!p_sess->control_use_ssl)
+  {
+    vsf_cmdio_write(p_sess, FTP_BADPBSZ, "PBSZ needs a secure connection.");
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_PBSZOK, "PBSZ set to 0.");
+  }
+}
+
+void
+handle_prot(struct vsf_session* p_sess)
+{
+  str_upper(&p_sess->ftp_arg_str);
+  if (!p_sess->control_use_ssl)
+  {
+    vsf_cmdio_write(p_sess, FTP_BADPROT, "PROT needs a secure connection.");
+  }
+  else if (str_equal_text(&p_sess->ftp_arg_str, "C"))
+  {
+    p_sess->data_use_ssl = 0;
+    vsf_cmdio_write(p_sess, FTP_PROTOK, "PROT now Clear.");
+  }
+  else if (str_equal_text(&p_sess->ftp_arg_str, "P"))
+  {
+    p_sess->data_use_ssl = 1;
+    vsf_cmdio_write(p_sess, FTP_PROTOK, "PROT now Private.");
+  }
+  else if (str_equal_text(&p_sess->ftp_arg_str, "S") ||
+           str_equal_text(&p_sess->ftp_arg_str, "E"))
+  {
+    vsf_cmdio_write(p_sess, FTP_NOHANDLEPROT, "PROT not supported.");
+  }
+  else
+  {
+    vsf_cmdio_write(p_sess, FTP_NOSUCHPROT, "PROT not recognized.");
+  }
+}
+
+int
+ssl_read(struct vsf_session* p_sess, void* p_ssl, char* p_buf, unsigned int len)
+{
+  return ssl_read_common(p_sess, (SSL*) p_ssl, p_buf, len, SSL_read);
+}
+
+int
+ssl_peek(struct vsf_session* p_sess, void* p_ssl, char* p_buf, unsigned int len)
+{
+  return ssl_read_common(p_sess, (SSL*) p_ssl, p_buf, len, SSL_peek);
+}
+
+static int
+ssl_read_common(struct vsf_session* p_sess,
+                SSL* p_void_ssl,
+                char* p_buf,
+                unsigned int len,
+                int (*p_ssl_func)(SSL*, void*, int))
+{
+  int retval;
+  int err;
+  SSL* p_ssl = (SSL*) p_void_ssl;
+  do
+  {
+    retval = (*p_ssl_func)(p_ssl, p_buf, len);
+    err = SSL_get_error(p_ssl, retval);
+  }
+  while (retval < 0 && (err == SSL_ERROR_WANT_READ ||
+                        err == SSL_ERROR_WANT_WRITE));
+  /* If we hit an EOF, make sure it was from the peer, not injected by the
+   * attacker.
+   */
+  if (retval == 0 && SSL_get_shutdown(p_ssl) != SSL_RECEIVED_SHUTDOWN)
+  {
+    if (p_ssl == p_sess->p_control_ssl)
+    {
+      str_alloc_text(&debug_str, "Control");
+    }
+    else
+    {
+      str_alloc_text(&debug_str, "DATA");
+    }
+    str_append_text(&debug_str, " connection terminated without SSL shutdown.");
+    if (p_ssl != p_sess->p_control_ssl)
+    {
+      str_append_text(&debug_str,
+                      " Buggy client! Integrity of upload cannot be asserted.");
+    }
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    if (tunable_strict_ssl_read_eof)
+    {
+      return -1;
+    }
+  }
+  return retval;
+}
+
+int
+ssl_write(void* p_ssl, const char* p_buf, unsigned int len)
+{
+  int retval;
+  int err;
+  do
+  {
+    retval = SSL_write((SSL*) p_ssl, p_buf, len);
+    err = SSL_get_error((SSL*) p_ssl, retval);
+  }
+  while (retval < 0 && (err == SSL_ERROR_WANT_READ ||
+                        err == SSL_ERROR_WANT_WRITE));
+  return retval;
+}
+
+int
+ssl_write_str(void* p_ssl, const struct mystr* p_str)
+{
+  unsigned int len = str_getlen(p_str);
+  int ret = SSL_write((SSL*) p_ssl, str_getbuf(p_str), len);
+  if ((unsigned int) ret != len)
+  {
+    return -1;
+  }
+  return 0;
+}
+
+int
+ssl_read_into_str(struct vsf_session* p_sess, void* p_ssl, struct mystr* p_str)
+{
+  unsigned int len = str_getlen(p_str);
+  int ret = ssl_read(p_sess, p_ssl, (char*) str_getbuf(p_str), len);
+  if (ret >= 0)
+  {
+    str_trunc(p_str, (unsigned int) ret);
+  }
+  else
+  {
+    str_empty(p_str);
+  }
+  return ret;
+}
+
+static void
+maybe_log_shutdown_state(struct vsf_session* p_sess)
+{
+  if (tunable_debug_ssl)
+  {
+    int ret = SSL_get_shutdown(p_sess->p_data_ssl);
+    str_alloc_text(&debug_str, "SSL shutdown state is: ");
+    if (ret == 0)
+    {
+      str_append_text(&debug_str, "NONE");
+    }
+    else if (ret == SSL_SENT_SHUTDOWN)
+    {
+      str_append_text(&debug_str, "SSL_SENT_SHUTDOWN");
+    }
+    else if (ret == SSL_RECEIVED_SHUTDOWN)
+    {
+      str_append_text(&debug_str, "SSL_RECEIVED_SHUTDOWN");
+    }
+    else
+    {
+      str_append_ulong(&debug_str, ret);
+    }
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+}
+
+static void
+maybe_log_ssl_error_state(struct vsf_session* p_sess, int ret)
+{
+  if (tunable_debug_ssl)
+  {
+    str_alloc_text(&debug_str, "SSL ret: ");
+    str_append_ulong(&debug_str, ret);
+    str_append_text(&debug_str, ", SSL error: ");
+    str_append_text(&debug_str, get_ssl_error());
+    str_append_text(&debug_str, ", errno: ");
+    str_append_ulong(&debug_str, errno);
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+}
+
+int
+ssl_data_close(struct vsf_session* p_sess)
+{
+  int success = 1;
+  SSL* p_ssl = p_sess->p_data_ssl;
+  if (p_ssl)
+  {
+    int ret;
+    maybe_log_shutdown_state(p_sess);
+
+    /* Disable Nagle algorithm. We want the shutdown packet to be sent
+     * immediately, there's nothing coming after.
+     */
+    vsf_sysutil_set_nodelay(SSL_get_fd(p_ssl));
+
+    /* This is a mess. Ideally, when we're the sender, we'd like to get to the
+     * SSL_RECEIVED_SHUTDOWN state to get a cryptographic guarantee that the
+     * peer received all the data and shut the connection down cleanly. It
+     * doesn't matter hugely apart from logging, but it's a nagging detail.
+     * Unfortunately, no FTP client I found was able to get sends into that
+     * state, so the best we can do is issue SSL_shutdown but not check the
+     * errors / returns. At least this enables the receiver to be sure of the
+     * integrity of the send in terms of unwanted truncation.
+     */
+    ret = SSL_shutdown(p_ssl);
+    maybe_log_shutdown_state(p_sess);
+    if (ret == 0)
+    {
+      ret = SSL_shutdown(p_ssl);
+      maybe_log_shutdown_state(p_sess);
+      if (ret != 1)
+      {
+        if (tunable_strict_ssl_write_shutdown)
+        {
+          success = 0;
+        }
+        maybe_log_shutdown_state(p_sess);
+        maybe_log_ssl_error_state(p_sess, ret);
+      }
+    }
+    else if (ret < 0)
+    {
+      if (tunable_strict_ssl_write_shutdown)
+      {
+        success = 0;
+      }
+      maybe_log_ssl_error_state(p_sess, ret);
+    }
+    SSL_free(p_ssl);
+    p_sess->p_data_ssl = NULL;
+  }
+  return success;
+}
+
+int
+ssl_accept(struct vsf_session* p_sess, int fd)
+{
+  /* SECURITY: data SSL connections don't have any auth on them as part of the
+   * protocol. If a client sends an unfortunately optional client cert then
+   * we can check for a match between the control and data connections.
+   */
+  SSL* p_ssl;
+  int reused;
+  if (p_sess->p_data_ssl != NULL)
+  {
+    die("p_data_ssl should be NULL.");
+  }
+  p_ssl = get_ssl(p_sess, fd);
+  if (p_ssl == NULL)
+  {
+    return 0;
+  }
+  p_sess->p_data_ssl = p_ssl;
+  setup_bio_callbacks(p_ssl);
+  reused = SSL_session_reused(p_ssl);
+  if (tunable_require_ssl_reuse && !reused)
+  {
+    str_alloc_text(&debug_str, "No SSL session reuse on data channel.");
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    ssl_data_close(p_sess);
+    return 0;
+  }
+  if (str_getlen(&p_sess->control_cert_digest) > 0)
+  {
+    static struct mystr data_cert_digest;
+    if (!ssl_cert_digest(p_ssl, p_sess, &data_cert_digest))
+    {
+      str_alloc_text(&debug_str, "Missing cert on data channel.");
+      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+      ssl_data_close(p_sess);
+      return 0;
+    }
+    if (str_strcmp(&p_sess->control_cert_digest, &data_cert_digest))
+    {
+      str_alloc_text(&debug_str, "DIFFERENT cert on data channel.");
+      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+      ssl_data_close(p_sess);
+      return 0;
+    }
+    if (tunable_debug_ssl)
+    {
+      str_alloc_text(&debug_str, "Matching cert on data channel.");
+      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+  }
+  return 1;
+}
+
+void
+ssl_comm_channel_init(struct vsf_session* p_sess)
+{
+  const struct vsf_sysutil_socketpair_retval retval =
+    vsf_sysutil_unix_stream_socketpair();
+  if (p_sess->ssl_consumer_fd != -1)
+  {
+    bug("ssl_consumer_fd active");
+  }
+  if (p_sess->ssl_slave_fd != -1)
+  {
+    bug("ssl_slave_fd active");
+  }
+  p_sess->ssl_consumer_fd = retval.socket_one;
+  p_sess->ssl_slave_fd = retval.socket_two;
+}
+
+void
+ssl_comm_channel_set_consumer_context(struct vsf_session* p_sess)
+{
+  if (p_sess->ssl_slave_fd == -1)
+  {
+    bug("ssl_slave_fd already closed");
+  }
+  vsf_sysutil_close(p_sess->ssl_slave_fd);
+  p_sess->ssl_slave_fd = -1;
+}
+
+void
+ssl_comm_channel_set_producer_context(struct vsf_session* p_sess)
+{
+  if (p_sess->ssl_consumer_fd == -1)
+  {
+    bug("ssl_consumer_fd already closed");
+  }
+  vsf_sysutil_close(p_sess->ssl_consumer_fd);
+  p_sess->ssl_consumer_fd = -1;
+}
+
+static SSL*
+get_ssl(struct vsf_session* p_sess, int fd)
+{
+  SSL* p_ssl = SSL_new(p_sess->p_ssl_ctx);
+  if (p_ssl == NULL)
+  {
+    if (tunable_debug_ssl)
+    {
+      str_alloc_text(&debug_str, "SSL_new failed");
+      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+    return NULL;
+  }
+  if (!SSL_set_fd(p_ssl, fd))
+  {
+    if (tunable_debug_ssl)
+    {
+      str_alloc_text(&debug_str, "SSL_set_fd failed");
+      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+    SSL_free(p_ssl);
+    return NULL;
+  }
+  if (SSL_accept(p_ssl) != 1)
+  {
+    const char* p_err = get_ssl_error();
+    if (tunable_debug_ssl)
+    {
+      str_alloc_text(&debug_str, "SSL_accept failed: ");
+      str_append_text(&debug_str, p_err);
+      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+    /* The RFC is quite clear that we can just close the control channel
+     * here.
+     */
+    die(p_err);
+  }
+  if (tunable_debug_ssl)
+  {
+    const char* p_ssl_version = SSL_get_cipher_version(p_ssl);
+    const SSL_CIPHER* p_ssl_cipher = SSL_get_current_cipher(p_ssl);
+    const char* p_cipher_name = SSL_CIPHER_get_name(p_ssl_cipher);
+    X509* p_ssl_cert = SSL_get_peer_certificate(p_ssl);
+    int reused = SSL_session_reused(p_ssl);
+    str_alloc_text(&debug_str, "SSL version: ");
+    str_append_text(&debug_str, p_ssl_version);
+    str_append_text(&debug_str, ", SSL cipher: ");
+    str_append_text(&debug_str, p_cipher_name);
+    if (reused)
+    {
+      str_append_text(&debug_str, ", reused");
+    }
+    else
+    {
+      str_append_text(&debug_str, ", not reused");
+    }
+    if (p_ssl_cert != NULL)
+    {
+      str_append_text(&debug_str, ", CERT PRESENTED");
+      X509_free(p_ssl_cert);
+    }
+    else
+    {
+      str_append_text(&debug_str, ", no cert");
+    }
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+  return p_ssl;
+}
+
+static int
+ssl_session_init(struct vsf_session* p_sess)
+{
+  SSL* p_ssl = get_ssl(p_sess, VSFTP_COMMAND_FD);
+  if (p_ssl == NULL)
+  {
+    return 0;
+  }
+  p_sess->p_control_ssl = p_ssl;
+  (void) ssl_cert_digest(p_ssl, p_sess, &p_sess->control_cert_digest);
+  setup_bio_callbacks(p_ssl);
+  return 1;
+}
+
+static int
+ssl_cert_digest(SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str)
+{
+  X509* p_cert = SSL_get_peer_certificate(p_ssl);
+  unsigned int num_bytes = 0;
+  if (p_cert == NULL)
+  {
+    return 0;
+  }
+  str_reserve(p_str, EVP_MAX_MD_SIZE);
+  str_empty(p_str);
+  str_rpad(p_str, EVP_MAX_MD_SIZE);
+  if (!X509_digest(p_cert, EVP_sha256(), (unsigned char*) str_getbuf(p_str),
+                   &num_bytes))
+  {
+    die("X509_digest failed");
+  }
+  X509_free(p_cert);
+  if (tunable_debug_ssl)
+  {
+    unsigned int i;
+    str_alloc_text(&debug_str, "Cert digest:");
+    for (i = 0; i < num_bytes; ++i)
+    { 
+      str_append_char(&debug_str, ' ');
+      str_append_ulong(
+        &debug_str, (unsigned long) (unsigned char) str_get_char_at(p_str, i));
+    }
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+  str_trunc(p_str, num_bytes);
+  return 1;
+}
+
+static char*
+get_ssl_error()
+{
+  SSL_load_error_strings();
+  return ERR_error_string(ERR_get_error(), NULL);
+}
+
+static void setup_bio_callbacks(SSL* p_ssl)
+{
+  BIO* p_bio = SSL_get_rbio(p_ssl);
+  BIO_set_callback(p_bio, bio_callback);
+  p_bio = SSL_get_wbio(p_ssl);
+  BIO_set_callback(p_bio, bio_callback);
+}
+
+static long
+bio_callback(
+  BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long ret)
+{
+  int retval = 0;
+  int fd = 0;
+  (void) p_arg;
+  (void) argi;
+  (void) argl;
+  if (oper == (BIO_CB_READ | BIO_CB_RETURN) ||
+      oper == (BIO_CB_WRITE | BIO_CB_RETURN))
+  {
+    retval = (int) ret;
+    fd = BIO_get_fd(p_bio, NULL);
+  }
+  vsf_sysutil_check_pending_actions(kVSFSysUtilIO, retval, fd);
+  return ret;
+}
+
+static int
+ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
+{
+  (void) p_ctx;
+  if (tunable_validate_cert)
+  {
+    return verify_ok;
+  }
+  return 1;
+}
+
+void
+ssl_add_entropy(struct vsf_session* p_sess)
+{
+  /* Although each child does seem to have its different pool of entropy, I
+   * don't trust the interaction of OpenSSL's opaque RAND API and fork(). So
+   * throw a bit more in (only works on systems with /dev/urandom for now).
+   */
+  int ret = RAND_load_file("/dev/urandom", 16);
+  if (ret != 16)
+  {
+    str_alloc_text(&debug_str, "Couldn't add extra OpenSSL entropy: ");
+    str_append_ulong(&debug_str, (unsigned long) ret);
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+}
+
+#else /* VSF_BUILD_SSL */
+
+void
+ssl_init(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+  die("SSL: ssl_enable is set but SSL support not compiled in");
+}
+
+void
+ssl_control_handshake(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+void
+handle_auth(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+void
+handle_pbsz(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+void
+handle_prot(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+int
+ssl_read(struct vsf_session* p_sess, void* p_ssl, char* p_buf, unsigned int len)
+{
+  (void) p_sess;
+  (void) p_ssl;
+  (void) p_buf;
+  (void) len;
+  return -1;
+}
+
+int
+ssl_peek(struct vsf_session* p_sess, void* p_ssl, char* p_buf, unsigned int len)
+{
+  (void) p_sess;
+  (void) p_ssl;
+  (void) p_buf;
+  (void) len;
+  return -1;
+}
+
+int
+ssl_write(void* p_ssl, const char* p_buf, unsigned int len)
+{
+  (void) p_ssl;
+  (void) p_buf;
+  (void) len;
+  return -1;
+}
+
+int
+ssl_write_str(void* p_ssl, const struct mystr* p_str)
+{
+  (void) p_ssl;
+  (void) p_str;
+  return -1;
+}
+
+int
+ssl_accept(struct vsf_session* p_sess, int fd)
+{
+  (void) p_sess;
+  (void) fd;
+  return -1;
+}
+
+int
+ssl_data_close(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+  return 1;
+}
+
+void
+ssl_comm_channel_init(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+void
+ssl_comm_channel_set_consumer_context(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+void
+ssl_comm_channel_set_producer_context(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+void
+ssl_add_entropy(struct vsf_session* p_sess)
+{
+  (void) p_sess;
+}
+
+int
+ssl_read_into_str(struct vsf_session* p_sess, void* p_ssl, struct mystr* p_str)
+{
+  (void) p_sess;
+  (void) p_ssl;
+  (void) p_str;
+  return -1;
+}
+
+#endif /* VSF_BUILD_SSL */
+

ssl.h

@@ -0,0 +1,33 @@
+#ifndef VSF_SSL_H
+#define VSF_SSL_H
+
+struct vsf_session;
+struct mystr;
+
+int ssl_read(struct vsf_session* p_sess,
+             void* p_ssl,
+             char* p_buf,
+             unsigned int len);
+int ssl_peek(struct vsf_session* p_sess,
+             void* p_ssl,
+             char* p_buf,
+             unsigned int len);
+int ssl_write(void* p_ssl, const char* p_buf, unsigned int len);
+int ssl_write_str(void* p_ssl, const struct mystr* p_str);
+int ssl_read_into_str(struct vsf_session* p_sess,
+                      void* p_ssl,
+                      struct mystr* p_str);
+void ssl_init(struct vsf_session* p_sess);
+int ssl_accept(struct vsf_session* p_sess, int fd);
+int ssl_data_close(struct vsf_session* p_sess);
+void ssl_comm_channel_init(struct vsf_session* p_sess);
+void ssl_comm_channel_set_consumer_context(struct vsf_session* p_sess);
+void ssl_comm_channel_set_producer_context(struct vsf_session* p_sess);
+void handle_auth(struct vsf_session* p_sess);
+void handle_pbsz(struct vsf_session* p_sess);
+void handle_prot(struct vsf_session* p_sess);
+void ssl_control_handshake(struct vsf_session* p_sess);
+void ssl_add_entropy(struct vsf_session* p_sess);
+
+#endif /* VSF_SSL_H */
+

sslslave.c

@@ -0,0 +1,128 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * sslslave.c
+ */
+
+#include "sslslave.h"
+#include "session.h"
+#include "privsock.h"
+#include "tunables.h"
+#include "sysutil.h"
+#include "sysdeputil.h"
+#include "utility.h"
+#include "ssl.h"
+#include "readwrite.h"
+#include "defs.h"
+
+void
+ssl_slave(struct vsf_session* p_sess)
+{
+  struct mystr data_str = INIT_MYSTR;
+  str_reserve(&data_str, VSFTP_DATA_BUFSIZE);
+  /* Before becoming the slave, clear the alarm for the FTP protocol. */
+  vsf_sysutil_clear_alarm();
+  /* No need for any further communications with the privileged parent. */
+  priv_sock_set_parent_context(p_sess);
+  if (tunable_setproctitle_enable)
+  {
+    vsf_sysutil_setproctitle("SSL handler");
+  }
+  while (1)
+  {
+    char cmd = priv_sock_get_cmd(p_sess->ssl_slave_fd);
+    int ret;
+    if (cmd == PRIV_SOCK_GET_USER_CMD)
+    {
+      ret = ftp_getline(p_sess, &p_sess->ftp_cmd_str,
+                        p_sess->p_control_line_buf);
+      priv_sock_send_int(p_sess->ssl_slave_fd, ret);
+      if (ret >= 0)
+      {
+        priv_sock_send_str(p_sess->ssl_slave_fd, &p_sess->ftp_cmd_str);
+      }
+    }
+    else if (cmd == PRIV_SOCK_WRITE_USER_RESP)
+    {
+      priv_sock_get_str(p_sess->ssl_slave_fd, &p_sess->ftp_cmd_str);
+      ret = ftp_write_str(p_sess, &p_sess->ftp_cmd_str, kVSFRWControl);
+      priv_sock_send_int(p_sess->ssl_slave_fd, ret);
+    }
+    else if (cmd == PRIV_SOCK_DO_SSL_HANDSHAKE)
+    {
+      char result = PRIV_SOCK_RESULT_BAD;
+      if (p_sess->data_fd != -1 || p_sess->p_data_ssl != 0)
+      {
+        bug("state not clean");
+      }
+      p_sess->data_fd = priv_sock_recv_fd(p_sess->ssl_slave_fd);
+      ret = ssl_accept(p_sess, p_sess->data_fd);
+      if (ret == 1)
+      {
+        result = PRIV_SOCK_RESULT_OK;
+      }
+      else
+      {
+        vsf_sysutil_close(p_sess->data_fd);
+        p_sess->data_fd = -1;
+      }
+      priv_sock_send_result(p_sess->ssl_slave_fd, result);
+    }
+    else if (cmd == PRIV_SOCK_DO_SSL_READ)
+    {
+      int size = priv_sock_get_int(p_sess->ssl_slave_fd);
+      if (size <= 0 || size > VSFTP_DATA_BUFSIZE)
+      {
+        bug("bad size");
+      }
+      if (p_sess->data_fd == -1 || p_sess->p_data_ssl == 0)
+      {
+        bug("invalid state");
+      }
+      str_trunc(&data_str, (unsigned int) size);
+      ret = ssl_read_into_str(p_sess, p_sess->p_data_ssl, &data_str);
+      priv_sock_send_int(p_sess->ssl_slave_fd, ret);
+      priv_sock_send_str(p_sess->ssl_slave_fd, &data_str);
+    }
+    else if (cmd == PRIV_SOCK_DO_SSL_WRITE)
+    {
+      if (p_sess->data_fd == -1 || p_sess->p_data_ssl == 0)
+      {
+        bug("invalid state");
+      }
+      priv_sock_get_str(p_sess->ssl_slave_fd, &data_str);
+      ret = ssl_write(p_sess->p_data_ssl,
+                      str_getbuf(&data_str),
+                      str_getlen(&data_str));
+      priv_sock_send_int(p_sess->ssl_slave_fd, ret);
+    }
+    else if (cmd == PRIV_SOCK_DO_SSL_CLOSE)
+    {
+      char result = PRIV_SOCK_RESULT_BAD;
+      if (p_sess->data_fd == -1 && p_sess->p_data_ssl == 0)
+      {
+        result = PRIV_SOCK_RESULT_OK;
+      }
+      else
+      {
+        if (p_sess->data_fd == -1 || p_sess->p_data_ssl == 0)
+        {
+          bug("invalid state");
+        }
+        ret = ssl_data_close(p_sess);
+        if (ret == 1)
+        {
+          result = PRIV_SOCK_RESULT_OK;
+        }
+        vsf_sysutil_close(p_sess->data_fd);
+        p_sess->data_fd = -1;
+      }
+      priv_sock_send_result(p_sess->ssl_slave_fd, result);
+    }
+    else
+    {
+      die("bad request in process_ssl_slave_req");
+    }
+  }
+}

sslslave.h

@@ -0,0 +1,17 @@
+#ifndef VSF_SSLSLAVE_H
+#define VSF_SSLSLAVE_H
+
+struct vsf_session;
+
+/* ssl_slave()
+ * PURPOSE
+ * An internal function that takes care of running the "SSL slave" process. It
+ * is needed because the initial SSL handshake state may belong to a different
+ * process that the process running the FTP protocol.
+ * PARAMETERS
+ * p_sess       - the session object
+ */
+void ssl_slave(struct vsf_session* p_sess);
+
+#endif /* VSF_SSLSLAVE_H */
+

standalone.c

@@ -0,0 +1,313 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * standalone.c
+ *
+ * Code to listen on the network and launch children servants.
+ */
+
+#include "standalone.h"
+
+#include "parseconf.h"
+#include "tunables.h"
+#include "sysutil.h"
+#include "sysdeputil.h"
+#include "utility.h"
+#include "defs.h"
+#include "hash.h"
+#include "str.h"
+#include "ipaddrparse.h"
+
+static unsigned int s_children;
+static struct hash* s_p_ip_count_hash;
+static struct hash* s_p_pid_ip_hash;
+static unsigned int s_ipaddr_size;
+
+static void handle_sigchld(void*  duff);
+static void handle_sighup(void*  duff);
+static void prepare_child(int sockfd);
+static unsigned int handle_ip_count(void* p_raw_addr);
+static void drop_ip_count(void* p_raw_addr);
+
+static unsigned int hash_ip(unsigned int buckets, void* p_key);
+static unsigned int hash_pid(unsigned int buckets, void* p_key);
+
+struct vsf_client_launch
+vsf_standalone_main(void)
+{
+  struct vsf_sysutil_sockaddr* p_accept_addr = 0;
+  int listen_sock = -1;
+  int retval;
+  s_ipaddr_size = vsf_sysutil_get_ipaddr_size();
+  if (tunable_listen && tunable_listen_ipv6)
+  {
+    die("run two copies of ftpz one for IPv4 and one for IPv6");
+  }
+  if (tunable_background)
+  {
+    int forkret = vsf_sysutil_fork();
+    if (forkret > 0)
+    {
+      /* Parent, just exit */
+      vsf_sysutil_exit(0);
+    }
+    /* Son, close standard FDs to avoid SSH hang-on-exit */
+    vsf_sysutil_reopen_standard_fds();
+    vsf_sysutil_make_session_leader();
+  }
+  if (tunable_listen)
+  {
+    listen_sock = vsf_sysutil_get_ipv4_sock();
+  }
+  else
+  {
+    listen_sock = vsf_sysutil_get_ipv6_sock();
+  }
+  vsf_sysutil_activate_reuseaddr(listen_sock);
+
+  s_p_ip_count_hash = hash_alloc(256, s_ipaddr_size,
+                                 sizeof(unsigned int), hash_ip);
+  s_p_pid_ip_hash = hash_alloc(256, sizeof(int),
+                               s_ipaddr_size, hash_pid);
+  if (tunable_setproctitle_enable)
+  {
+    vsf_sysutil_setproctitle("LISTENER");
+  }
+  vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
+  vsf_sysutil_install_sighandler(kVSFSysUtilSigHUP, handle_sighup, 0, 1);
+  if (tunable_listen)
+  {
+    struct vsf_sysutil_sockaddr* p_sockaddr = 0;
+    vsf_sysutil_sockaddr_alloc_ipv4(&p_sockaddr);
+    vsf_sysutil_sockaddr_set_port(p_sockaddr,
+                                  (unsigned short) tunable_listen_port);
+    if (!tunable_listen_address)
+    {
+      vsf_sysutil_sockaddr_set_any(p_sockaddr);
+    }
+    else
+    {
+      if (!vsf_sysutil_inet_aton(tunable_listen_address, p_sockaddr))
+      {
+        die2("bad listen_address: ", tunable_listen_address);
+      }
+    }
+    retval = vsf_sysutil_bind(listen_sock, p_sockaddr);
+    vsf_sysutil_free(p_sockaddr);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      die("could not bind listening IP socket");
+    }
+  }
+  else
+  {
+    struct vsf_sysutil_sockaddr* p_sockaddr = 0;
+    vsf_sysutil_sockaddr_alloc_ipv6(&p_sockaddr);
+    vsf_sysutil_sockaddr_set_port(p_sockaddr,
+                                  (unsigned short) tunable_listen_port);
+    if (!tunable_listen_address6)
+    {
+      vsf_sysutil_sockaddr_set_any(p_sockaddr);
+    }
+    else
+    {
+      struct mystr addr_str = INIT_MYSTR;
+      const unsigned char* p_raw_addr;
+      str_alloc_text(&addr_str, tunable_listen_address6);
+      p_raw_addr = vsf_sysutil_parse_ipv6(&addr_str);
+      str_free(&addr_str);
+      if (!p_raw_addr)
+      {
+        die2("bad listen_address6: ", tunable_listen_address6);
+      }
+      vsf_sysutil_sockaddr_set_ipv6addr(p_sockaddr, p_raw_addr);
+    }
+    retval = vsf_sysutil_bind(listen_sock, p_sockaddr);
+    vsf_sysutil_free(p_sockaddr);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      die("could not bind listening IP6 socket");
+    }
+  }
+  retval = vsf_sysutil_listen(listen_sock, VSFTP_LISTEN_BACKLOG);
+  if (vsf_sysutil_retval_is_error(retval))
+  {
+    die("could not listen");
+  }
+  vsf_sysutil_sockaddr_alloc(&p_accept_addr);
+  while (1)
+  {
+    struct vsf_client_launch child_info;
+    void* p_raw_addr;
+    int new_child;
+    int new_client_sock;
+    new_client_sock = vsf_sysutil_accept_timeout(
+        listen_sock, p_accept_addr, 0);
+    if (vsf_sysutil_retval_is_error(new_client_sock))
+    {
+      continue;
+    }
+    ++s_children;
+    child_info.num_children = s_children;
+    child_info.num_this_ip = 0;
+    p_raw_addr = vsf_sysutil_sockaddr_get_raw_addr(p_accept_addr);
+    child_info.num_this_ip = handle_ip_count(p_raw_addr);
+    if (tunable_isolate)
+    {
+      if (tunable_http_enable && tunable_isolate_network)
+      {
+        new_child = vsf_sysutil_fork_isolate_all_failok();
+      }
+      else
+      {
+        new_child = vsf_sysutil_fork_isolate_failok();
+      }
+    }
+    else
+    {
+      new_child = vsf_sysutil_fork_failok();
+    }
+    if (new_child != 0)
+    {
+      /* Parent context */
+      vsf_sysutil_close(new_client_sock);
+      if (new_child > 0)
+      {
+        hash_add_entry(s_p_pid_ip_hash, (void*)&new_child, p_raw_addr);
+      }
+      else
+      {
+        /* fork() failed, clear up! */
+        --s_children;
+        drop_ip_count(p_raw_addr);
+      }
+      /* Fall through to while() loop and accept() again */
+    }
+    else
+    {
+      /* Child context */
+      vsf_set_die_if_parent_dies();
+      vsf_sysutil_close(listen_sock);
+      prepare_child(new_client_sock);
+      /* By returning here we "launch" the child process with the same
+       * contract as xinetd would provide.
+       */
+      return child_info;
+    }
+  }
+}
+
+static void
+prepare_child(int new_client_sock)
+{
+  /* We must satisfy the contract: command socket on fd 0, 1, 2 */
+  vsf_sysutil_dupfd2(new_client_sock, 0);
+  vsf_sysutil_dupfd2(new_client_sock, 1);
+  vsf_sysutil_dupfd2(new_client_sock, 2);
+  if (new_client_sock > 2)
+  {
+    vsf_sysutil_close(new_client_sock);
+  }
+}
+
+static void
+drop_ip_count(void* p_raw_addr)
+{
+  unsigned int count;
+  unsigned int* p_count =
+    (unsigned int*)hash_lookup_entry(s_p_ip_count_hash, p_raw_addr);
+  if (!p_count)
+  {
+    bug("IP address missing from hash");
+  }
+  count = *p_count;
+  if (!count)
+  {
+    bug("zero count for IP address");
+  }
+  count--;
+  *p_count = count;
+  if (!count)
+  {
+    hash_free_entry(s_p_ip_count_hash, p_raw_addr);
+  }
+}
+
+static void
+handle_sigchld(void* duff)
+{
+  unsigned int reap_one = 1;
+  (void) duff;
+  while (reap_one)
+  {
+    reap_one = (unsigned int)vsf_sysutil_wait_reap_one();
+    if (reap_one)
+    {
+      struct vsf_sysutil_ipaddr* p_ip;
+      /* Account total number of instances */
+      --s_children;
+      /* Account per-IP limit */
+      p_ip = (struct vsf_sysutil_ipaddr*)
+        hash_lookup_entry(s_p_pid_ip_hash, (void*)&reap_one);
+      drop_ip_count(p_ip);      
+      hash_free_entry(s_p_pid_ip_hash, (void*)&reap_one);
+    }
+  }
+}
+
+static void
+handle_sighup(void* duff)
+{
+  (void) duff;
+  /* We don't crash the out the listener if an invalid config was added */
+  tunables_load_defaults();
+  vsf_parseconf_load_file(0, 0);
+}
+
+static unsigned int
+hash_ip(unsigned int buckets, void* p_key)
+{
+  const unsigned char* p_raw_ip = (const unsigned char*)p_key;
+  unsigned int val = 0;
+  int shift = 24;
+  unsigned int i;
+  for (i = 0; i < s_ipaddr_size; ++i)
+  {
+    val = val ^ (unsigned int) (p_raw_ip[i] << shift);
+    shift -= 8;
+    if (shift < 0)
+    {
+      shift = 24;
+    }
+  }
+  return val % buckets;
+}
+
+static unsigned int
+hash_pid(unsigned int buckets, void* p_key)
+{
+  unsigned int* p_pid = (unsigned int*)p_key;
+  return (*p_pid) % buckets;
+}
+
+static unsigned int
+handle_ip_count(void* p_ipaddr)
+{
+  unsigned int* p_count =
+    (unsigned int*)hash_lookup_entry(s_p_ip_count_hash, p_ipaddr);
+  unsigned int count;
+  if (!p_count)
+  {
+    count = 1;
+    hash_add_entry(s_p_ip_count_hash, p_ipaddr, (void*)&count);
+  }
+  else
+  {
+    count = *p_count;
+    count++;
+    *p_count = count;
+  }
+  return count;
+}
+

standalone.h

@@ -0,0 +1,23 @@
+#ifndef VSF_STANDALONE_H
+#define VSF_STANDALONE_H
+
+struct vsf_client_launch
+{
+  unsigned int num_children;
+  unsigned int num_this_ip;
+};
+
+/* vsf_standalone_main()
+ * PURPOSE
+ * This function starts listening on the network for incoming FTP connections.
+ * When it gets one, it returns to the caller in a new process, with file
+ * descriptor 0, 1 and 2 set to the network socket of the new client.
+ *
+ * RETURNS
+ * Returns a structure representing the current number of clients, and
+ * instances for this IP addresss.
+ */
+struct vsf_client_launch vsf_standalone_main(void);
+
+#endif /* VSF_STANDALONE_H */
+

str.c

@@ -0,0 +1,713 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * str.c
+ *
+ * Generic string handling functions. The fact that a string is implemented
+ * internally using a buffer is not exposed in the API. If you can't see
+ * the buffers, you can't handle them in a screwed way. Or so goes the
+ * theory, anyway...
+ */
+
+/* Anti-lamer measures deployed, sir! */
+#define PRIVATE_HANDS_OFF_p_buf p_buf
+#define PRIVATE_HANDS_OFF_len len
+#define PRIVATE_HANDS_OFF_alloc_bytes alloc_bytes
+#include "str.h"
+
+/* Ick. Its for die() */
+#include "utility.h"
+#include "sysutil.h"
+
+/* File local functions */
+static void str_split_text_common(struct mystr* p_src, struct mystr* p_rhs,
+                                  const char* p_text, int is_reverse);
+static int str_equal_internal(const char* p_buf1, unsigned int buf1_len,
+                              const char* p_buf2, unsigned int buf2_len);
+
+/* Private functions */
+static void
+s_setbuf(struct mystr* p_str, char* p_newbuf)
+{
+  if (p_str->p_buf != 0)
+  {
+    bug("p_buf not NULL when setting it");
+  }
+  p_str->p_buf = p_newbuf;
+}
+
+void
+private_str_alloc_memchunk(struct mystr* p_str, const char* p_src,
+                           unsigned int len)
+{
+  /* Make sure this will fit in the buffer */
+  unsigned int buf_needed;
+  if (len + 1 < len)
+  {
+    bug("integer overflow");
+  }
+  buf_needed = len + 1;
+  if (buf_needed > p_str->alloc_bytes)
+  {
+    str_free(p_str);
+    s_setbuf(p_str, vsf_sysutil_malloc(buf_needed));
+    p_str->alloc_bytes = buf_needed;
+  }
+  vsf_sysutil_memcpy(p_str->p_buf, p_src, len);
+  p_str->p_buf[len] = '\0';
+  p_str->len = len;
+}
+
+void
+private_str_append_memchunk(struct mystr* p_str, const char* p_src,
+                            unsigned int len)
+{
+  unsigned int buf_needed;
+  if (len + p_str->len < len)
+  {
+    bug("integer overflow");
+  }
+  buf_needed = len + p_str->len;
+  if (buf_needed + 1 < buf_needed)
+  {
+    bug("integer overflow");
+  }
+  buf_needed++;
+  if (buf_needed > p_str->alloc_bytes)
+  {
+    p_str->p_buf = vsf_sysutil_realloc(p_str->p_buf, buf_needed);
+    p_str->alloc_bytes = buf_needed;
+  }
+  vsf_sysutil_memcpy(p_str->p_buf + p_str->len, p_src, len);
+  p_str->p_buf[p_str->len + len] = '\0';
+  p_str->len += len;
+}
+
+/* Public functions */
+void
+str_alloc_text(struct mystr* p_str, const char* p_src)
+{
+  unsigned int len = vsf_sysutil_strlen(p_src);
+  private_str_alloc_memchunk(p_str, p_src, len);
+}
+
+void
+str_copy(struct mystr* p_dest, const struct mystr* p_src)
+{
+  private_str_alloc_memchunk(p_dest, p_src->p_buf, p_src->len);
+}
+
+const char*
+str_strdup(const struct mystr* p_str)
+{
+  return vsf_sysutil_strdup(str_getbuf(p_str));
+}
+
+void
+str_alloc_alt_term(struct mystr* p_str, const char* p_src, char term)
+{
+  const char* p_search = p_src;
+  unsigned int len = 0;
+  while (*p_search != term)
+  {
+    p_search++;
+    len++;
+    if (len == 0)
+    {
+      bug("integer overflow");
+    }
+  }
+  private_str_alloc_memchunk(p_str, p_src, len);
+}
+
+void
+str_alloc_ulong(struct mystr* p_str, unsigned long the_long)
+{
+  str_alloc_text(p_str, vsf_sysutil_ulong_to_str(the_long));
+}
+
+void
+str_alloc_filesize_t(struct mystr* p_str, filesize_t the_filesize)
+{
+  str_alloc_text(p_str, vsf_sysutil_filesize_t_to_str(the_filesize));
+}
+
+void
+str_free(struct mystr* p_str)
+{
+  if (p_str->p_buf != 0)
+  {
+    vsf_sysutil_free(p_str->p_buf);
+  }
+  p_str->p_buf = 0;
+  p_str->len = 0;
+  p_str->alloc_bytes = 0;
+}
+
+void
+str_empty(struct mystr* p_str)
+{
+  /* Ensure a buffer is allocated. */
+  (void) str_getbuf(p_str);
+  str_trunc(p_str, 0);
+}
+
+void
+str_trunc(struct mystr* p_str, unsigned int trunc_len)
+{
+  if (trunc_len >= p_str->alloc_bytes)
+  {
+    bug("trunc_len not smaller than alloc_bytes in str_trunc");
+  }
+  p_str->len = trunc_len;
+  p_str->p_buf[p_str->len] = '\0';
+}
+
+void
+str_reserve(struct mystr* p_str, unsigned int res_len)
+{
+  /* Reserve space for the trailing zero as well. */
+  res_len++;
+  if (res_len == 0)
+  {
+    bug("integer overflow");
+  }
+  if (res_len > p_str->alloc_bytes)
+  {
+    p_str->p_buf = vsf_sysutil_realloc(p_str->p_buf, res_len);
+    p_str->alloc_bytes = res_len;
+  }
+  p_str->p_buf[res_len - 1] = '\0';
+}
+
+int
+str_isempty(const struct mystr* p_str)
+{
+  return (p_str->len == 0);
+}
+
+unsigned int
+str_getlen(const struct mystr* p_str)
+{
+  return p_str->len;
+}
+
+const char*
+str_getbuf(const struct mystr* p_str)
+{
+  if (p_str->p_buf == 0)
+  {
+    if (p_str->len != 0 || p_str->alloc_bytes != 0)
+    {
+      bug("p_buf NULL and len or alloc_bytes != 0 in str_getbuf");
+    }
+    private_str_alloc_memchunk((struct mystr*)p_str, 0, 0);
+  }
+  return p_str->p_buf;
+}
+
+int
+str_strcmp(const struct mystr* p_str1, const struct mystr* p_str2)
+{
+  return str_equal_internal(p_str1->p_buf, p_str1->len,
+                            p_str2->p_buf, p_str2->len);
+}
+
+static int
+str_equal_internal(const char* p_buf1, unsigned int buf1_len,
+                   const char* p_buf2, unsigned int buf2_len)
+{
+  int retval;
+  unsigned int minlen = buf1_len;
+  if (buf2_len < minlen)
+  {
+    minlen = buf2_len;
+  }
+  retval = vsf_sysutil_memcmp(p_buf1, p_buf2, minlen);
+  if (retval != 0 || buf1_len == buf2_len)
+  {
+    return retval;
+  }
+  /* Strings equal but lengths differ. The greater one, then, is the longer */
+  return (int) (buf1_len - buf2_len);
+}
+
+int
+str_equal(const struct mystr* p_str1, const struct mystr* p_str2)
+{
+  return (str_strcmp(p_str1, p_str2) == 0);
+}
+
+int
+str_equal_text(const struct mystr* p_str, const char* p_text)
+{
+  unsigned int cmplen = vsf_sysutil_strlen(p_text);
+  return (str_equal_internal(p_str->p_buf, p_str->len, p_text, cmplen) == 0);
+}
+
+void
+str_append_str(struct mystr* p_str, const struct mystr* p_other)
+{
+  private_str_append_memchunk(p_str, p_other->p_buf, p_other->len);
+}
+
+void
+str_append_text(struct mystr* p_str, const char* p_src)
+{
+  unsigned int len = vsf_sysutil_strlen(p_src);
+  private_str_append_memchunk(p_str, p_src, len);
+}
+
+void
+str_append_char(struct mystr* p_str, char the_char)
+{
+  private_str_append_memchunk(p_str, &the_char, sizeof(the_char));
+}
+
+void
+str_append_ulong(struct mystr* p_str, unsigned long the_ulong)
+{
+  str_append_text(p_str, vsf_sysutil_ulong_to_str(the_ulong));
+}
+
+void
+str_append_filesize_t(struct mystr* p_str, filesize_t the_filesize)
+{
+  str_append_text(p_str, vsf_sysutil_filesize_t_to_str(the_filesize));
+}
+
+void
+str_append_double(struct mystr* p_str, double the_double)
+{
+  str_append_text(p_str, vsf_sysutil_double_to_str(the_double));
+}
+
+void
+str_upper(struct mystr* p_str)
+{
+  unsigned int i;
+  for (i=0; i < p_str->len; i++)
+  {
+    p_str->p_buf[i] = (char) vsf_sysutil_toupper(p_str->p_buf[i]);
+  }
+}
+
+void
+str_rpad(struct mystr* p_str, const unsigned int min_width)
+{
+  unsigned int to_pad;
+  if (p_str->len >= min_width)
+  {
+    return;
+  }
+  to_pad = min_width - p_str->len;
+  while (to_pad--)
+  {
+    str_append_char(p_str, ' ');
+  }
+}
+
+void
+str_lpad(struct mystr* p_str, const unsigned int min_width)
+{
+  static struct mystr s_tmp_str;
+  unsigned int to_pad;
+  if (p_str->len >= min_width)
+  {
+    return;
+  }
+  to_pad = min_width - p_str->len;
+  str_empty(&s_tmp_str);
+  while (to_pad--)
+  {
+    str_append_char(&s_tmp_str, ' ');
+  }
+  str_append_str(&s_tmp_str, p_str);
+  str_copy(p_str, &s_tmp_str);
+}
+
+void
+str_replace_char(struct mystr* p_str, char from, char to)
+{
+  unsigned int i;
+  for (i=0; i < p_str->len; i++)
+  {
+    if (p_str->p_buf[i] == from)
+    {
+      p_str->p_buf[i] = to;
+    }
+  }
+}
+
+void
+str_replace_text(struct mystr* p_str, const char* p_from, const char* p_to)
+{
+  static struct mystr s_lhs_chunk_str;
+  static struct mystr s_rhs_chunk_str;
+  unsigned int lhs_len;
+  str_copy(&s_lhs_chunk_str, p_str);
+  str_free(p_str);
+  do
+  {
+    lhs_len = str_getlen(&s_lhs_chunk_str);
+    str_split_text(&s_lhs_chunk_str, &s_rhs_chunk_str, p_from);
+    /* Copy lhs to destination */
+    str_append_str(p_str, &s_lhs_chunk_str);
+    /* If this was a 'hit', append the 'to' text */
+    if (str_getlen(&s_lhs_chunk_str) < lhs_len)
+    {
+      str_append_text(p_str, p_to);
+    }
+    /* Current rhs becomes new lhs */
+    str_copy(&s_lhs_chunk_str, &s_rhs_chunk_str);
+  } while (!str_isempty(&s_lhs_chunk_str));
+}
+
+void
+str_split_char(struct mystr* p_src, struct mystr* p_rhs, char c)
+{
+  /* Just use str_split_text */
+  char ministr[2];
+  ministr[0] = c;
+  ministr[1] = '\0';
+  str_split_text(p_src, p_rhs, ministr);
+}
+
+void
+str_split_char_reverse(struct mystr* p_src, struct mystr* p_rhs, char c)
+{
+  /* Just use str_split_text_reverse */
+  char ministr[2];
+  ministr[0] = c;
+  ministr[1] = '\0';
+  str_split_text_reverse(p_src, p_rhs, ministr);
+}
+
+void
+str_split_text(struct mystr* p_src, struct mystr* p_rhs, const char* p_text)
+{
+  str_split_text_common(p_src, p_rhs, p_text, 0);
+}
+
+void
+str_split_text_reverse(struct mystr* p_src, struct mystr* p_rhs,
+                       const char* p_text)
+{
+  str_split_text_common(p_src, p_rhs, p_text, 1);
+}
+
+static void
+str_split_text_common(struct mystr* p_src, struct mystr* p_rhs,
+                      const char* p_text, int is_reverse)
+{
+  struct str_locate_result locate_result;
+  unsigned int indexx;
+  unsigned int search_len = vsf_sysutil_strlen(p_text);
+  if (is_reverse)
+  {
+    locate_result = str_locate_text_reverse(p_src, p_text);
+  }
+  else
+  {
+    locate_result = str_locate_text(p_src, p_text);
+  }
+  /* Not found? */
+  if (!locate_result.found)
+  {
+    str_empty(p_rhs);
+    return;
+  }
+  indexx = locate_result.index;
+  if (indexx + search_len > p_src->len)
+  {
+    bug("indexx invalid in str_split_text");
+  } 
+  /* Build rhs */
+  private_str_alloc_memchunk(p_rhs, p_src->p_buf + indexx + search_len,
+                             p_src->len - indexx - search_len);
+  /* Build lhs */
+  str_trunc(p_src, indexx);
+}
+
+struct str_locate_result
+str_locate_str(const struct mystr* p_str, const struct mystr* p_look_str)
+{
+  return str_locate_text(p_str, str_getbuf(p_look_str));
+}
+
+struct str_locate_result
+str_locate_str_reverse(const struct mystr* p_str,
+                       const struct mystr* p_look_str)
+{
+  return str_locate_text_reverse(p_str, str_getbuf(p_look_str));
+}
+
+struct str_locate_result
+str_locate_char(const struct mystr* p_str, char look_char)
+{
+  char look_str[2];
+  look_str[0] = look_char;
+  look_str[1] = '\0';
+  return str_locate_text(p_str, look_str);
+}
+
+struct str_locate_result
+str_locate_chars(const struct mystr* p_str, const char* p_chars)
+{
+  struct str_locate_result retval;
+  unsigned int num_chars = vsf_sysutil_strlen(p_chars);
+  unsigned int i = 0;
+  retval.found = 0;
+  retval.char_found = 0;
+  retval.index = 0;
+  for (; i < p_str->len; ++i)
+  {
+    unsigned int j = 0;
+    char this_char = p_str->p_buf[i];
+    for (; j < num_chars; ++j)
+    {
+      if (p_chars[j] == this_char)
+      {
+        retval.found = 1;
+        retval.index = i;
+        retval.char_found = p_chars[j];
+        return retval;
+      }
+    }
+  }
+  return retval;
+}
+
+struct str_locate_result
+str_locate_text(const struct mystr* p_str, const char* p_text)
+{
+  struct str_locate_result retval;
+  unsigned int i;
+  unsigned int text_len = vsf_sysutil_strlen(p_text);
+  retval.found = 0;
+  retval.char_found = 0;
+  retval.index = 0;
+  if (text_len == 0 || text_len > p_str->len)
+  {
+    /* Not found */
+    return retval;
+  }
+  for (i=0; i <= (p_str->len - text_len); i++)
+  {
+    if (vsf_sysutil_memcmp(p_str->p_buf + i, p_text, text_len) == 0)
+    {
+      retval.found = 1;
+      retval.index = i;
+      return retval;
+    }
+  }
+  /* Not found */
+  return retval;
+}
+
+struct str_locate_result
+str_locate_text_reverse(const struct mystr* p_str, const char* p_text)
+{
+  struct str_locate_result retval;
+  unsigned int i;
+  unsigned int text_len = vsf_sysutil_strlen(p_text);
+  retval.found = 0;
+  retval.char_found = 0;
+  retval.index = 0;
+  if (text_len == 0 || text_len > p_str->len)
+  {
+    return retval;
+  }
+  i = p_str->len - text_len;
+  /* Want to go through loop once even if i==0 */
+  while (1)
+  {
+    if (vsf_sysutil_memcmp(p_str->p_buf + i, p_text, text_len) == 0)
+    {
+      retval.found = 1;
+      retval.index = i;
+      return retval;
+    }
+    if (i == 0)
+    {
+      break;
+    }
+    i--;
+  }
+  /* Not found */
+  return retval;
+}
+
+void
+str_left(const struct mystr* p_str, struct mystr* p_out, unsigned int chars)
+{
+  if (chars > p_str->len)
+  {
+    bug("chars invalid in str_left");
+  }
+  private_str_alloc_memchunk(p_out, p_str->p_buf, chars);
+}
+
+void
+str_right(const struct mystr* p_str, struct mystr* p_out, unsigned int chars)
+{
+  unsigned int indexx = p_str->len - chars;
+  if (chars > p_str->len)
+  {
+    bug("chars invalid in str_right");
+  }
+  private_str_alloc_memchunk(p_out, p_str->p_buf + indexx, chars);
+}
+
+void
+str_mid_to_end(const struct mystr* p_str, struct mystr* p_out,
+               unsigned int indexx)
+{
+  if (indexx > p_str->len)
+  {
+    bug("invalid indexx in str_mid_to_end");
+  }
+  private_str_alloc_memchunk(p_out, p_str->p_buf + indexx,
+                             p_str->len - indexx);
+}
+
+char
+str_get_char_at(const struct mystr* p_str, const unsigned int indexx)
+{
+  if (indexx >= p_str->len)
+  {
+    bug("bad indexx in str_get_char_at");
+  }
+  return p_str->p_buf[indexx];
+}
+
+int
+str_contains_space(const struct mystr* p_str)
+{
+  unsigned int i;
+  for (i=0; i < p_str->len; i++)
+  {
+    if (vsf_sysutil_isspace(p_str->p_buf[i]))
+    {
+      return 1;
+    }
+  }
+  return 0;
+}
+
+int
+str_all_space(const struct mystr* p_str)
+{
+  unsigned int i;
+  for (i=0; i < p_str->len; i++)
+  {
+    if (!vsf_sysutil_isspace(p_str->p_buf[i]))
+    {
+      return 0;
+    }
+  }
+  return 1;
+}
+
+int
+str_contains_unprintable(const struct mystr* p_str)
+{
+  unsigned int i;
+  for (i=0; i < p_str->len; i++)
+  {
+    if (!vsf_sysutil_isprint(p_str->p_buf[i]))
+    {
+      return 1;
+    }
+  }
+  return 0;
+}
+
+int
+str_atoi(const struct mystr* p_str)
+{
+  return vsf_sysutil_atoi(str_getbuf(p_str));
+}
+
+filesize_t
+str_a_to_filesize_t(const struct mystr* p_str)
+{
+  return vsf_sysutil_a_to_filesize_t(str_getbuf(p_str));
+}
+
+unsigned int
+str_octal_to_uint(const struct mystr* p_str)
+{
+  return vsf_sysutil_octal_to_uint(str_getbuf(p_str));
+}
+
+int
+str_getline(const struct mystr* p_str, struct mystr* p_line_str,
+            unsigned int* p_pos)
+{
+  unsigned int start_pos = *p_pos;
+  unsigned int curr_pos = start_pos;
+  unsigned int buf_len = str_getlen(p_str);
+  const char* p_buf = str_getbuf(p_str);
+  unsigned int out_len;
+  if (start_pos > buf_len)
+  {
+    bug("p_pos out of range in str_getline");
+  }
+  str_empty(p_line_str);
+  if (start_pos == buf_len)
+  {
+    return 0;
+  }
+  while (curr_pos < buf_len && p_buf[curr_pos] != '\n')
+  {
+    curr_pos++;
+    if (curr_pos == 0)
+    {
+      bug("integer overflow");
+    }
+  }
+  out_len = curr_pos - start_pos;
+  /* If we ended on a \n - skip it */
+  if (curr_pos < buf_len && p_buf[curr_pos] == '\n')
+  {
+    curr_pos++;
+    if (curr_pos == 0)
+    {
+      bug("integer overflow");
+    }
+  }
+  private_str_alloc_memchunk(p_line_str, p_buf + start_pos, out_len);
+  *p_pos = curr_pos;
+  return 1;
+}
+
+int
+str_contains_line(const struct mystr* p_str, const struct mystr* p_line_str)
+{
+  static struct mystr s_curr_line_str;
+  unsigned int pos = 0;
+  while (str_getline(p_str, &s_curr_line_str, &pos))
+  {
+    if (str_equal(&s_curr_line_str, p_line_str))
+    {
+      return 1;
+    }
+  }
+  return 0;
+}
+
+void
+str_replace_unprintable(struct mystr* p_str, char new_char)
+{
+  unsigned int i;
+  for (i=0; i < p_str->len; i++)
+  {
+    if (!vsf_sysutil_isprint(p_str->p_buf[i]))
+    {
+      p_str->p_buf[i] = new_char;
+    }
+  }
+}
+

str.h

@@ -0,0 +1,125 @@
+#ifndef VSFTP_STR_H
+#define VSFTP_STR_H
+
+/* TODO - document these functions ;-) */
+
+#ifndef VSF_FILESIZE_H
+#include "filesize.h"
+#endif
+
+struct mystr
+{
+  char* PRIVATE_HANDS_OFF_p_buf;
+  /* Internally, EXCLUDES trailing null */
+  unsigned int PRIVATE_HANDS_OFF_len;
+  unsigned int PRIVATE_HANDS_OFF_alloc_bytes;
+};
+
+#define INIT_MYSTR \
+  { (void*)0, 0, 0 }
+
+#ifdef VSFTP_STRING_HELPER
+#define str_alloc_memchunk private_str_alloc_memchunk
+#endif
+void private_str_alloc_memchunk(struct mystr* p_str, const char* p_src,
+                                unsigned int len);
+
+void str_alloc_text(struct mystr* p_str, const char* p_src);
+/* NOTE: String buffer data does NOT include terminating character */
+void str_alloc_alt_term(struct mystr* p_str, const char* p_src, char term);
+void str_alloc_ulong(struct mystr* p_str, unsigned long the_ulong);
+void str_alloc_filesize_t(struct mystr* p_str, filesize_t the_filesize);
+void str_copy(struct mystr* p_dest, const struct mystr* p_src);
+const char* str_strdup(const struct mystr* p_str);
+void str_empty(struct mystr* p_str);
+void str_free(struct mystr* p_str);
+void str_trunc(struct mystr* p_str, unsigned int trunc_len);
+void str_reserve(struct mystr* p_str, unsigned int res_len);
+
+int str_isempty(const struct mystr* p_str);
+unsigned int str_getlen(const struct mystr* p_str);
+const char* str_getbuf(const struct mystr* p_str);
+
+int str_strcmp(const struct mystr* p_str1, const struct mystr* p_str2);
+int str_equal(const struct mystr* p_str1, const struct mystr* p_str2);
+int str_equal_text(const struct mystr* p_str, const char* p_text);
+
+void str_append_str(struct mystr* p_str, const struct mystr* p_other);
+void str_append_text(struct mystr* p_str, const char* p_src);
+void str_append_ulong(struct mystr* p_str, unsigned long the_long);
+void str_append_filesize_t(struct mystr* p_str, filesize_t the_filesize);
+void str_append_char(struct mystr* p_str, char the_char);
+void str_append_double(struct mystr* p_str, double the_double);
+
+void str_upper(struct mystr* p_str);
+void str_rpad(struct mystr* p_str, const unsigned int min_width);
+void str_lpad(struct mystr* p_str, const unsigned int min_width);
+void str_replace_char(struct mystr* p_str, char from, char to);
+void str_replace_text(struct mystr* p_str, const char* p_from,
+                      const char* p_to);
+
+void str_split_char(struct mystr* p_src, struct mystr* p_rhs, char c);
+void str_split_char_reverse(struct mystr* p_src, struct mystr* p_rhs, char c);
+void str_split_text(struct mystr* p_src, struct mystr* p_rhs,
+                    const char* p_text);
+void str_split_text_reverse(struct mystr* p_src, struct mystr* p_rhs,
+                            const char* p_text);
+
+struct str_locate_result
+{
+  int found;
+  unsigned int index;
+  char char_found;
+};
+
+struct str_locate_result str_locate_char(
+  const struct mystr* p_str, char look_char);
+struct str_locate_result str_locate_str(
+  const struct mystr* p_str, const struct mystr* p_look_str);
+struct str_locate_result str_locate_str_reverse(
+  const struct mystr* p_str, const struct mystr* p_look_str);
+struct str_locate_result str_locate_text(
+  const struct mystr* p_str, const char* p_text);
+struct str_locate_result str_locate_text_reverse(
+  const struct mystr* p_str, const char* p_text);
+struct str_locate_result str_locate_chars(
+  const struct mystr* p_str, const char* p_chars);
+
+void str_left(const struct mystr* p_str, struct mystr* p_out,
+              unsigned int chars);
+void str_right(const struct mystr* p_str, struct mystr* p_out,
+               unsigned int chars);
+void str_mid_to_end(const struct mystr* p_str, struct mystr* p_out,
+                    unsigned int indexx);
+
+char str_get_char_at(const struct mystr* p_str, const unsigned int indexx);
+int str_contains_space(const struct mystr* p_str);
+int str_all_space(const struct mystr* p_str);
+int str_contains_unprintable(const struct mystr* p_str);
+void str_replace_unprintable(struct mystr* p_str, char new_char);
+int str_atoi(const struct mystr* p_str);
+filesize_t str_a_to_filesize_t(const struct mystr* p_str);
+unsigned int str_octal_to_uint(const struct mystr* p_str);
+
+/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
+ * buffer, starting at character position 'p_pos'. The extracted line will
+ * not contain the '\n' terminator.
+ *
+ * RETURNS: 0 if no more lines are available, 1 otherwise.
+ * The extracted text line is stored in 'p_line_str', which is
+ * emptied if there are no more lines. 'p_pos' is updated to point to the
+ * first character after the end of the line just extracted.
+ */
+int str_getline(const struct mystr* p_str, struct mystr* p_line_str,
+                unsigned int* p_pos);
+
+/* PURPOSE: Detect whether or not a string buffer contains a specific line
+ * of text (delimited by \n or EOF).
+ *
+ * RETURNS: 1 if there is a matching line, 0 otherwise.
+ */
+int str_contains_line(const struct mystr* p_str,
+                      const struct mystr* p_line_str);
+
+#endif /* VSFTP_STR_H */
+

strlist.c

@@ -0,0 +1,180 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * strlist.c
+ */
+
+/* Anti-lamer measures deployed, sir! */
+#define PRIVATE_HANDS_OFF_alloc_len alloc_len
+#define PRIVATE_HANDS_OFF_list_len list_len
+#define PRIVATE_HANDS_OFF_p_nodes p_nodes
+#include "strlist.h"
+
+#include "str.h"
+#include "utility.h"
+#include "sysutil.h"
+
+struct mystr_list_node
+{
+  struct mystr str;
+  struct mystr sort_key_str;
+};
+
+/* File locals */
+static const unsigned int kMaxStrlist = 10 * 1000 * 1000;
+
+static struct mystr s_null_str;
+
+static int sort_compare_func(const void* p1, const void* p2);
+static int sort_compare_func_reverse(const void* p1, const void* p2);
+static int sort_compare_common(const void* p1, const void* p2, int reverse);
+
+void
+str_list_free(struct mystr_list* p_list)
+{
+  unsigned int i;
+  for (i=0; i < p_list->list_len; ++i)
+  {
+    str_free(&p_list->p_nodes[i].str);
+    str_free(&p_list->p_nodes[i].sort_key_str);
+  }
+  p_list->list_len = 0;
+  p_list->alloc_len = 0;
+  if (p_list->p_nodes)
+  {
+    vsf_sysutil_free(p_list->p_nodes);
+    p_list->p_nodes = 0;
+  }
+}
+
+unsigned int
+str_list_get_length(const struct mystr_list* p_list)
+{
+  return p_list->list_len;
+}
+
+int
+str_list_contains_str(const struct mystr_list* p_list,
+                      const struct mystr* p_str)
+{
+  unsigned int i;
+  for (i=0; i < p_list->list_len; ++i)
+  {
+    if (str_equal(p_str, &p_list->p_nodes[i].str))
+    {
+      return 1;
+    }
+  }
+  return 0;
+}
+
+void
+str_list_add(struct mystr_list* p_list, const struct mystr* p_str,
+             const struct mystr* p_sort_key_str)
+{
+  struct mystr_list_node* p_node;
+  /* Expand the node allocation if we have to */
+  if (p_list->list_len == p_list->alloc_len)
+  {
+    if (p_list->alloc_len == 0)
+    {
+      p_list->alloc_len = 32;
+      p_list->p_nodes = vsf_sysutil_malloc(
+          p_list->alloc_len * (unsigned int) sizeof(struct mystr_list_node));
+    }
+    else
+    {
+      p_list->alloc_len *= 2;
+      if (p_list->alloc_len > kMaxStrlist)
+      {
+        die("excessive strlist");
+      }
+      p_list->p_nodes = vsf_sysutil_realloc(
+          p_list->p_nodes,
+          p_list->alloc_len * (unsigned int) sizeof(struct mystr_list_node));
+    }
+  }
+  p_node = &p_list->p_nodes[p_list->list_len];
+  p_node->str = s_null_str;
+  p_node->sort_key_str = s_null_str;
+  str_copy(&p_node->str, p_str);
+  if (p_sort_key_str)
+  {
+    str_copy(&p_node->sort_key_str, p_sort_key_str);
+  }
+  p_list->list_len++;
+}
+
+void
+str_list_sort(struct mystr_list* p_list, int reverse)
+{
+  if (!reverse)
+  {
+    vsf_sysutil_qsort(p_list->p_nodes, p_list->list_len,
+                      sizeof(struct mystr_list_node), sort_compare_func);
+  }
+  else
+  {
+    vsf_sysutil_qsort(p_list->p_nodes, p_list->list_len,
+                      sizeof(struct mystr_list_node),
+                      sort_compare_func_reverse);
+  }
+}
+
+static int
+sort_compare_func(const void* p1, const void* p2)
+{
+  return sort_compare_common(p1, p2, 0);
+}
+
+static int
+sort_compare_func_reverse(const void* p1, const void* p2)
+{
+  return sort_compare_common(p1, p2, 1);
+}
+
+static int
+sort_compare_common(const void* p1, const void* p2, int reverse)
+{
+  const struct mystr* p_cmp1;
+  const struct mystr* p_cmp2;
+  const struct mystr_list_node* p_node1 = (const struct mystr_list_node*) p1;
+  const struct mystr_list_node* p_node2 = (const struct mystr_list_node*) p2;
+  if (!str_isempty(&p_node1->sort_key_str))
+  {
+    p_cmp1 = &p_node1->sort_key_str;
+  }
+  else
+  {
+    p_cmp1 = &p_node1->str;
+  }
+  if (!str_isempty(&p_node2->sort_key_str))
+  {
+    p_cmp2 = &p_node2->sort_key_str;
+  }
+  else
+  {
+    p_cmp2 = &p_node2->str;
+  }
+
+  if (reverse)
+  {
+    return str_strcmp(p_cmp2, p_cmp1);
+  }
+  else
+  {
+    return str_strcmp(p_cmp1, p_cmp2);
+  }
+}
+
+const struct mystr*
+str_list_get_pstr(const struct mystr_list* p_list, unsigned int indexx)
+{
+  if (indexx >= p_list->list_len)
+  {
+    bug("indexx out of range in str_list_get_str");
+  }
+  return &p_list->p_nodes[indexx].str;
+}
+

strlist.h

@@ -0,0 +1,32 @@
+#ifndef VSF_STRLIST_H
+#define VSF_STRLIST_H
+
+/* Forward declarations */
+struct mystr;
+struct mystr_list_node;
+
+struct mystr_list
+{
+  unsigned int PRIVATE_HANDS_OFF_alloc_len;
+  unsigned int PRIVATE_HANDS_OFF_list_len;
+  struct mystr_list_node* PRIVATE_HANDS_OFF_p_nodes;
+};
+
+#define INIT_STRLIST \
+  { 0, 0, (void*)0 }
+
+void str_list_free(struct mystr_list* p_list);
+
+void str_list_add(struct mystr_list* p_list, const struct mystr* p_str,
+                  const struct mystr* p_sort_key_str);
+void str_list_sort(struct mystr_list* p_list, int reverse);
+
+unsigned int str_list_get_length(const struct mystr_list* p_list);
+int str_list_contains_str(const struct mystr_list* p_list,
+                          const struct mystr* p_str);
+
+const struct mystr* str_list_get_pstr(const struct mystr_list* p_list,
+                                      unsigned int indexx);
+
+#endif /* VSF_STRLIST_H */
+

sysdeputil.c

@@ -0,0 +1,1344 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * sysdeputil.c
+ *
+ * Highly system dependent utilities - e.g. authentication, capabilities.
+ */
+
+#include "sysdeputil.h"
+#include "str.h"
+#include "sysutil.h"
+#include "utility.h"
+#include "secbuf.h"
+#include "defs.h"
+#include "tunables.h"
+#include "builddefs.h"
+
+/* For Linux, this adds nothing :-) */
+#include "port/porting_junk.h"
+
+#if (defined(__FreeBSD__) && __FreeBSD__ >= 3)
+  #define _FILE_OFFSET_BITS 64
+  #define _LARGEFILE_SOURCE 1
+  #define _LARGEFILE64_SOURCE 1
+#endif
+
+/* For INT_MAX */
+#include <limits.h>
+
+/* For fd passing */
+#include <sys/types.h>
+#include <sys/socket.h>
+/* For FreeBSD */
+#include <sys/param.h>
+#include <sys/uio.h>
+
+#include <sys/prctl.h>
+#include <signal.h>
+
+/* Configuration.. here are the possibilities */
+#undef VSF_SYSDEP_HAVE_CAPABILITIES
+#undef VSF_SYSDEP_HAVE_SETKEEPCAPS
+#undef VSF_SYSDEP_HAVE_SETPDEATHSIG
+#undef VSF_SYSDEP_HAVE_LINUX_SENDFILE
+#undef VSF_SYSDEP_HAVE_FREEBSD_SENDFILE
+#undef VSF_SYSDEP_HAVE_HPUX_SENDFILE
+#undef VSF_SYSDEP_HAVE_AIX_SENDFILE
+#undef VSF_SYSDEP_HAVE_SETPROCTITLE
+#undef VSF_SYSDEP_TRY_LINUX_SETPROCTITLE_HACK
+#undef VSF_SYSDEP_HAVE_HPUX_SETPROCTITLE
+#undef VSF_SYSDEP_HAVE_MAP_ANON
+#undef VSF_SYSDEP_NEED_OLD_FD_PASSING
+#undef VSF_SYSDEP_HAVE_LINUX_CLONE
+#ifdef VSF_BUILD_PAM
+  #define VSF_SYSDEP_HAVE_PAM
+#endif
+#define VSF_SYSDEP_HAVE_SHADOW
+#define VSF_SYSDEP_HAVE_USERSHELL
+#define VSF_SYSDEP_HAVE_LIBCAP
+#define VSF_SYSDEP_HAVE_UTMPX
+
+#define __USE_GNU
+#include <utmpx.h>
+
+/* BEGIN config */
+#if defined(__linux__)
+  #include <errno.h>
+  #include <syscall.h>
+  #define VSF_SYSDEP_HAVE_LINUX_CLONE
+  #include <sched.h>
+  #ifndef CLONE_NEWPID
+    #define CLONE_NEWPID 0x20000000
+  #endif
+  #ifndef CLONE_NEWIPC
+    #define CLONE_NEWIPC 0x08000000
+  #endif
+  #ifndef CLONE_NEWNET
+    #define CLONE_NEWNET 0x40000000
+  #endif
+  #include <linux/unistd.h>
+  #include <errno.h>
+  #include <syscall.h>
+#endif
+
+#if defined(__linux__) && !defined(__ia64__) && !defined(__s390__)
+  #define VSF_SYSDEP_TRY_LINUX_SETPROCTITLE_HACK
+  #include <linux/version.h>
+  #if defined(LINUX_VERSION_CODE) && defined(KERNEL_VERSION)
+    #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,0))
+      #define VSF_SYSDEP_HAVE_CAPABILITIES
+      #define VSF_SYSDEP_HAVE_LINUX_SENDFILE
+      #ifdef PR_SET_KEEPCAPS
+        #define VSF_SYSDEP_HAVE_SETKEEPCAPS
+      #endif
+      #ifdef PR_SET_PDEATHSIG
+        #define VSF_SYSDEP_HAVE_SETPDEATHSIG
+      #endif
+    #endif
+  #endif
+#endif
+
+#if (defined(__FreeBSD__) && __FreeBSD__ >= 3)
+  #define VSF_SYSDEP_HAVE_FREEBSD_SENDFILE
+  #define VSF_SYSDEP_HAVE_SETPROCTITLE
+#endif
+
+#if defined(__NetBSD__)
+  #include <stdlib.h>
+  #define VSF_SYSDEP_HAVE_SETPROCTITLE
+  #include <sys/param.h>
+  #if __NetBSD_Version__ >= 106070000
+    #define WTMPX_FILE _PATH_WTMPX
+  #else
+    #undef VSF_SYSDEP_HAVE_UTMPX
+  #endif
+#endif
+
+#ifdef __hpux
+  #include <sys/socket.h>
+  #ifdef SF_DISCONNECT
+    #define VSF_SYSDEP_HAVE_HPUX_SENDFILE
+  #endif
+  #include <sys/param.h>
+  #include <sys/pstat.h>
+  #ifdef PSTAT_SETCMD
+    #define VSF_SYSDEP_HAVE_HPUX_SETPROCTITLE
+  #endif
+  #undef VSF_SYSDEP_HAVE_UTMPX
+#endif
+
+#include <unistd.h>
+#include <sys/mman.h>
+#ifdef MAP_ANON
+  #define VSF_SYSDEP_HAVE_MAP_ANON
+#endif
+
+#ifdef __sgi
+  #undef VSF_SYSDEP_HAVE_USERSHELL
+  #undef VSF_SYSDEP_HAVE_LIBCAP
+#endif
+
+#ifdef _AIX
+  #undef VSF_SYSDEP_HAVE_USERSHELL
+  #undef VSF_SYSDEP_HAVE_LIBCAP
+  #undef VSF_SYSDEP_HAVE_UTMPX
+  #undef VSF_SYSDEP_HAVE_PAM
+  #undef VSF_SYSDEP_HAVE_SHADOW
+  #undef VSF_SYSDEP_HAVE_SETPROCTITLE
+  #define VSF_SYSDEP_HAVE_AIX_SENDFILE
+  #define VSF_SYSDEP_TRY_LINUX_SETPROCTITLE_HACK
+  #define VSF_SYSDEP_HAVE_MAP_ANON
+#endif
+
+#ifdef __osf__
+  #undef VSF_SYSDEP_HAVE_USERSHELL
+#endif
+
+#if (defined(__sgi) || defined(__hpux) || defined(__osf__))
+  #define VSF_SYSDEP_NEED_OLD_FD_PASSING
+#endif
+
+#ifdef __sun
+  #define VSF_SYSDEP_HAVE_SOLARIS_SENDFILE
+#endif
+/* END config */
+
+/* PAM support - we include our own dummy version if the system lacks this */
+#include <security/pam_appl.h>
+
+/* No PAM? Try getspnam() with a getpwnam() fallback */
+#ifndef VSF_SYSDEP_HAVE_PAM
+/* This may hit our own "dummy" include and undef VSF_SYSDEP_HAVE_SHADOW */
+#include <shadow.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <crypt.h>
+#endif
+
+/* Prefer libcap based capabilities over raw syscall capabilities */
+#include <sys/capability.h>
+
+#if defined(VSF_SYSDEP_HAVE_CAPABILITIES) && !defined(VSF_SYSDEP_HAVE_LIBCAP)
+#include <linux/unistd.h>
+#include <linux/capability.h>
+#include <errno.h>
+#include <syscall.h>
+int capset(cap_user_header_t header, const cap_user_data_t data)
+{
+  return syscall(__NR_capset, header, data);
+}
+/* Gross HACK to avoid warnings - linux headers overlap glibc headers */
+#undef __NFDBITS
+#undef __FDMASK
+#endif /* VSF_SYSDEP_HAVE_CAPABILITIES */
+
+#if defined(VSF_SYSDEP_HAVE_LINUX_SENDFILE) || \
+    defined(VSF_SYSDEP_HAVE_SOLARIS_SENDFILE)
+#include <sys/sendfile.h>
+#elif defined(VSF_SYSDEP_HAVE_FREEBSD_SENDFILE)
+#include <sys/types.h>
+#include <sys/socket.h>
+#elif defined(VSF_SYSDEP_HAVE_HPUX_SENDFILE)
+#include <sys/socket.h>
+#else /* VSF_SYSDEP_HAVE_LINUX_SENDFILE */
+#include <unistd.h>
+#endif /* VSF_SYSDEP_HAVE_LINUX_SENDFILE */
+
+#ifdef VSF_SYSDEP_HAVE_SETPROCTITLE
+#include <sys/types.h>
+#include <unistd.h>
+#endif
+
+#ifdef VSF_SYSDEP_TRY_LINUX_SETPROCTITLE_HACK
+extern char** environ;
+static unsigned int s_proctitle_space = 0;
+static int s_proctitle_inited = 0;
+static char* s_p_proctitle = 0;
+#endif
+
+#ifndef VSF_SYSDEP_HAVE_MAP_ANON
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+static int s_zero_fd = -1;
+#endif
+
+/* File private functions/variables */
+static int do_sendfile(const int out_fd, const int in_fd,
+                       unsigned int num_send, filesize_t start_pos);
+static void vsf_sysutil_setproctitle_internal(const char* p_text);
+static struct mystr s_proctitle_prefix_str;
+
+/* These two aren't static to avoid OpenBSD build warnings. */
+void vsf_insert_uwtmp(const struct mystr* p_user_str,
+                      const struct mystr* p_host_str);
+void vsf_remove_uwtmp(void);
+
+#ifndef VSF_SYSDEP_HAVE_PAM
+int
+vsf_sysdep_check_auth(struct mystr* p_user_str,
+                      const struct mystr* p_pass_str,
+                      const struct mystr* p_remote_host)
+{
+  const char* p_crypted;
+  const struct passwd* p_pwd = getpwnam(str_getbuf(p_user_str));
+  (void) p_remote_host;
+  if (p_pwd == NULL)
+  {
+    return 0;
+  }
+  #ifdef VSF_SYSDEP_HAVE_USERSHELL
+  if (tunable_check_shell)
+  {
+    const char* p_shell;
+    while ((p_shell = getusershell()) != NULL)
+    {
+      if (!vsf_sysutil_strcmp(p_shell, p_pwd->pw_shell))
+      {
+        break;
+      }
+    }
+    endusershell();
+    if (p_shell == NULL)
+    {
+      return 0;
+    }
+  }
+  #endif
+  #ifdef VSF_SYSDEP_HAVE_SHADOW
+  {
+    const struct spwd* p_spwd = getspnam(str_getbuf(p_user_str));
+    if (p_spwd != NULL)
+    {
+      long curr_time = vsf_sysutil_get_time_sec();
+      int days;
+      days = curr_time / (60 * 60 * 24);
+      if (p_spwd->sp_expire > 0 && p_spwd->sp_expire < days)
+      {
+        return 0;
+      }
+      if (p_spwd->sp_lstchg > 0 && p_spwd->sp_max > 0 &&
+          p_spwd->sp_lstchg + p_spwd->sp_max < days)
+      {
+        return 0;
+      }
+      p_crypted = crypt(str_getbuf(p_pass_str), p_spwd->sp_pwdp);
+      if (!vsf_sysutil_strcmp(p_crypted, p_spwd->sp_pwdp))
+      {
+        return 1;
+      }
+    }
+  }
+  #endif /* VSF_SYSDEP_HAVE_SHADOW */
+  p_crypted = crypt(str_getbuf(p_pass_str), p_pwd->pw_passwd);
+  if (!vsf_sysutil_strcmp(p_crypted, p_pwd->pw_passwd))
+  {
+    return 1;
+  }
+  return 0;
+}
+
+#else /* VSF_SYSDEP_HAVE_PAM */
+
+#if (defined(__sun) || defined(__hpux)) && \
+    !defined(LINUX_PAM) && !defined(_OPENPAM)
+/* Sun's PAM doesn't use const here, while Linux-PAM and OpenPAM do */
+#define lo_const
+#else
+#define lo_const const
+#endif
+typedef lo_const void* pam_item_t;
+
+static pam_handle_t* s_pamh;
+static struct mystr s_pword_str;
+static int pam_conv_func(int nmsg, const struct pam_message** p_msg,
+                         struct pam_response** p_reply, void* p_addata);
+static void vsf_auth_shutdown(void);
+
+int
+vsf_sysdep_check_auth(struct mystr* p_user_str,
+                      const struct mystr* p_pass_str,
+                      const struct mystr* p_remote_host)
+{
+  int retval = -1;
+  pam_item_t item;
+  const char* pam_user_name = 0;
+  struct pam_conv the_conv =
+  {
+    &pam_conv_func,
+    0
+  };
+  if (s_pamh != 0)
+  {
+    bug("vsf_sysdep_check_auth");
+  }
+  str_copy(&s_pword_str, p_pass_str);
+  if (tunable_pam_service_name)
+  {
+    retval = pam_start(tunable_pam_service_name,
+                       str_getbuf(p_user_str), &the_conv, &s_pamh);
+  }
+  if (retval != PAM_SUCCESS)
+  {
+    s_pamh = 0;
+    return 0;
+  }
+#ifdef PAM_RHOST
+  retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
+  if (retval != PAM_SUCCESS)
+  {
+    (void) pam_end(s_pamh, retval);
+    s_pamh = 0;
+    return 0;
+  }
+#endif
+#ifdef PAM_TTY
+  retval = pam_set_item(s_pamh, PAM_TTY, "ftp");
+  if (retval != PAM_SUCCESS)
+  {
+    (void) pam_end(s_pamh, retval);
+    s_pamh = 0;
+    return 0;
+  }
+#endif
+#ifdef PAM_RUSER
+  retval = pam_set_item(s_pamh, PAM_RUSER, str_getbuf(p_user_str));
+  if (retval != PAM_SUCCESS)
+  {
+    (void) pam_end(s_pamh, retval);
+    s_pamh = 0;
+    return 0;
+  }
+#endif
+  retval = pam_authenticate(s_pamh, 0);
+  if (retval != PAM_SUCCESS)
+  {
+    (void) pam_end(s_pamh, retval);
+    s_pamh = 0;
+    return 0;
+  }
+#ifdef PAM_USER
+  retval = pam_get_item(s_pamh, PAM_USER, &item);
+  if (retval != PAM_SUCCESS)
+  {
+    (void) pam_end(s_pamh, retval);
+    s_pamh = 0;
+    return 0;
+  }
+  pam_user_name = item;
+  str_alloc_text(p_user_str, pam_user_name);
+#endif
+  retval = pam_acct_mgmt(s_pamh, 0);
+  if (retval != PAM_SUCCESS)
+  {
+    (void) pam_end(s_pamh, retval);
+    s_pamh = 0;
+    return 0;
+  }
+  retval = pam_setcred(s_pamh, PAM_ESTABLISH_CRED);
+  if (retval != PAM_SUCCESS)
+  {
+    (void) pam_end(s_pamh, retval);
+    s_pamh = 0;
+    return 0;
+  }
+  if (!tunable_session_support)
+  {
+    /* You're in already! */
+    (void) pam_end(s_pamh, retval);
+    s_pamh = 0;
+    return 1;
+  }
+  /* Must do this BEFORE opening a session for pam_limits to count us */
+  vsf_insert_uwtmp(p_user_str, p_remote_host);
+  retval = pam_open_session(s_pamh, 0);
+  if (retval != PAM_SUCCESS)
+  {
+    vsf_remove_uwtmp();
+    (void) pam_setcred(s_pamh, PAM_DELETE_CRED);
+    (void) pam_end(s_pamh, retval);
+    s_pamh = 0;
+    return 0;
+  }
+  /* We MUST ensure the PAM session, utmp, wtmp etc. are cleaned up, however
+   * we exit.
+   */
+  vsf_sysutil_set_exit_func(vsf_auth_shutdown);
+  /* You're in dude */
+  return 1;
+}
+
+static void
+vsf_auth_shutdown(void)
+{
+  if (s_pamh == 0)
+  {
+    bug("auth_shutdown");
+  }
+  (void) pam_close_session(s_pamh, 0);
+  (void) pam_setcred(s_pamh, PAM_DELETE_CRED);
+  (void) pam_end(s_pamh, PAM_SUCCESS);
+  s_pamh = 0;
+  vsf_remove_uwtmp();
+}
+
+static int
+pam_conv_func(int nmsg, const struct pam_message** p_msg,
+              struct pam_response** p_reply, void* p_addata)
+{
+  int i;
+  struct pam_response* p_resps = 0;
+  (void) p_addata;
+  if (nmsg < 0)
+  {
+    bug("dodgy nmsg in pam_conv_func");
+  }
+  p_resps = vsf_sysutil_malloc(sizeof(struct pam_response) * nmsg);
+  for (i=0; i<nmsg; i++)
+  {
+    switch (p_msg[i]->msg_style)
+    {
+      case PAM_PROMPT_ECHO_OFF:
+        p_resps[i].resp_retcode = PAM_SUCCESS;
+        p_resps[i].resp = (char*) str_strdup(&s_pword_str);
+        break;
+      case PAM_TEXT_INFO:
+      case PAM_ERROR_MSG:
+        p_resps[i].resp_retcode = PAM_SUCCESS;
+        p_resps[i].resp = 0;
+        break;
+      case PAM_PROMPT_ECHO_ON:
+      default:
+        vsf_sysutil_free(p_resps);
+        return PAM_CONV_ERR;
+        break;
+    }
+  }
+  *p_reply = p_resps;
+  return PAM_SUCCESS;
+}
+
+#endif /* VSF_SYSDEP_HAVE_PAM */
+
+/* Capabilities support (or lack thereof) */
+void
+vsf_sysdep_keep_capabilities(void)
+{
+  if (!vsf_sysdep_has_capabilities_as_non_root())
+  {
+    bug("asked to keep capabilities, but no support exists");
+  }
+#ifdef VSF_SYSDEP_HAVE_SETKEEPCAPS
+  {
+    int retval = prctl(PR_SET_KEEPCAPS, 1);
+    if (vsf_sysutil_retval_is_error(retval))
+    {
+      die("prctl");
+    }
+  }
+#endif /* VSF_SYSDEP_HAVE_SETKEEPCAPS */
+}
+#if !defined(VSF_SYSDEP_HAVE_CAPABILITIES) && !defined(VSF_SYSDEP_HAVE_LIBCAP)
+
+int
+vsf_sysdep_has_capabilities(void)
+{
+  return 0;
+}
+
+int
+vsf_sysdep_has_capabilities_as_non_root(void)
+{
+  return 0;
+}
+
+void
+vsf_sysdep_adopt_capabilities(unsigned int caps)
+{
+  (void) caps;
+  bug("asked to adopt capabilities, but no support exists");
+}
+
+#else /* VSF_SYSDEP_HAVE_CAPABILITIES || VSF_SYSDEP_HAVE_LIBCAP */
+
+static int do_checkcap(void);
+
+int
+vsf_sysdep_has_capabilities_as_non_root(void)
+{
+  static int s_prctl_checked;
+  static int s_runtime_prctl_works;
+  if (!s_prctl_checked)
+  {
+  #ifdef VSF_SYSDEP_HAVE_SETKEEPCAPS
+    /* Clarity: note embedded call to prctl() syscall */
+    if (!vsf_sysutil_retval_is_error(prctl(PR_SET_KEEPCAPS, 0)))
+    {
+      s_runtime_prctl_works = 1;
+    }
+  #endif /* VSF_SYSDEP_HAVE_SETKEEPCAPS */
+    s_prctl_checked = 1;
+  }
+  return s_runtime_prctl_works;
+}
+
+int
+vsf_sysdep_has_capabilities(void)
+{
+  /* Even though compiled with capabilities, the runtime system may lack them.
+   * Also, RH7.0 kernel headers advertise a 2.4.0 box, but on a 2.2.x kernel!
+   */
+  static int s_caps_checked;
+  static int s_runtime_has_caps;
+  if (!s_caps_checked)
+  {
+    s_runtime_has_caps = do_checkcap();
+    s_caps_checked = 1;
+  }
+  return s_runtime_has_caps;
+}
+  
+  #ifndef VSF_SYSDEP_HAVE_LIBCAP
+static int
+do_checkcap(void)
+{
+  /* EFAULT (EINVAL if page 0 mapped) vs. ENOSYS */
+  int retval = capset(0, 0);
+  if (!vsf_sysutil_retval_is_error(retval) ||
+      vsf_sysutil_get_error() != kVSFSysUtilErrNOSYS)
+  {
+    return 1;
+  }
+  return 0;
+}
+
+void
+vsf_sysdep_adopt_capabilities(unsigned int caps)
+{
+  /* n.b. yes I know I should be using libcap!! */
+  int retval;
+  struct __user_cap_header_struct cap_head;
+  struct __user_cap_data_struct cap_data;
+  __u32 cap_mask = 0;
+  if (!caps)
+  {
+    bug("asked to adopt no capabilities");
+  }
+  vsf_sysutil_memclr(&cap_head, sizeof(cap_head));
+  vsf_sysutil_memclr(&cap_data, sizeof(cap_data));
+  cap_head.version = _LINUX_CAPABILITY_VERSION;
+  cap_head.pid = 0;
+  if (caps & kCapabilityCAP_CHOWN)
+  {
+    cap_mask |= (1 << CAP_CHOWN);
+  }
+  if (caps & kCapabilityCAP_NET_BIND_SERVICE)
+  {
+    cap_mask |= (1 << CAP_NET_BIND_SERVICE);
+  }
+  cap_data.effective = cap_data.permitted = cap_mask;
+  cap_data.inheritable = 0;
+  retval = capset(&cap_head, &cap_data);
+  if (retval != 0)
+  {
+    die("capset");
+  }
+}
+
+  #else /* VSF_SYSDEP_HAVE_LIBCAP */
+static int
+do_checkcap(void)
+{
+  cap_t current_caps = cap_get_proc();
+  cap_free(current_caps);
+  if (current_caps != NULL)
+  {
+    return 1;
+  }
+  return 0;
+}
+
+void
+vsf_sysdep_adopt_capabilities(unsigned int caps)
+{
+  int retval;
+  cap_value_t cap_value;
+  cap_t adopt_caps = cap_init();
+  if (caps & kCapabilityCAP_CHOWN)
+  {
+    cap_value = CAP_CHOWN;
+    cap_set_flag(adopt_caps, CAP_EFFECTIVE, 1, &cap_value, CAP_SET);
+    cap_set_flag(adopt_caps, CAP_PERMITTED, 1, &cap_value, CAP_SET);
+  }
+  if (caps & kCapabilityCAP_NET_BIND_SERVICE)
+  {
+    cap_value = CAP_NET_BIND_SERVICE;
+    cap_set_flag(adopt_caps, CAP_EFFECTIVE, 1, &cap_value, CAP_SET);
+    cap_set_flag(adopt_caps, CAP_PERMITTED, 1, &cap_value, CAP_SET);
+  }
+  retval = cap_set_proc(adopt_caps);
+  if (retval != 0)
+  {
+    die("cap_set_proc");
+  }
+  cap_free(adopt_caps);
+}
+
+  #endif /* !VSF_SYSDEP_HAVE_LIBCAP */
+#endif /* VSF_SYSDEP_HAVE_CAPABILITIES || VSF_SYSDEP_HAVE_LIBCAP */
+
+int
+vsf_sysutil_sendfile(const int out_fd, const int in_fd,
+                     filesize_t* p_offset, filesize_t num_send,
+                     unsigned int max_chunk)
+{
+  /* Grr - why is off_t signed? */
+  if (*p_offset < 0 || num_send < 0)
+  {
+    die("invalid offset or send count in vsf_sysutil_sendfile");
+  }
+  if (max_chunk == 0)
+  {
+    max_chunk = INT_MAX;
+  }
+  while (num_send > 0)
+  {
+    int retval;
+    unsigned int send_this_time;
+    if (num_send > max_chunk)
+    {
+      send_this_time = max_chunk;
+    }
+    else
+    {
+      send_this_time = (unsigned int) num_send;
+    }
+    /* Keep input file position in line with sendfile() calls */
+    vsf_sysutil_lseek_to(in_fd, *p_offset);
+    retval = do_sendfile(out_fd, in_fd, send_this_time, *p_offset);
+    if (vsf_sysutil_retval_is_error(retval) || retval == 0)
+    {
+      return retval;
+    }
+    num_send -= retval;
+    *p_offset += retval;
+  }
+  return 0;
+}
+
+static int do_sendfile(const int out_fd, const int in_fd,
+                       unsigned int num_send, filesize_t start_pos)
+{
+  /* Probably should one day be shared with instance in ftpdataio.c */
+  static char* p_recvbuf;
+  unsigned int total_written = 0;
+  int retval;
+  enum EVSFSysUtilError error;
+  (void) start_pos;
+  (void) error;
+#if defined(VSF_SYSDEP_HAVE_LINUX_SENDFILE) || \
+    defined(VSF_SYSDEP_HAVE_FREEBSD_SENDFILE) || \
+    defined(VSF_SYSDEP_HAVE_HPUX_SENDFILE) || \
+    defined(VSF_SYSDEP_HAVE_AIX_SENDFILE) || \
+    defined(VSF_SYSDEP_HAVE_SOLARIS_SENDFILE)
+  if (tunable_use_sendfile)
+  {
+    static int s_sendfile_checked;
+    static int s_runtime_sendfile_works;
+    if (!s_sendfile_checked || s_runtime_sendfile_works)
+    {
+      do
+      {
+  #ifdef VSF_SYSDEP_HAVE_LINUX_SENDFILE
+        retval = sendfile(out_fd, in_fd, NULL, num_send);
+  #elif defined(VSF_SYSDEP_HAVE_FREEBSD_SENDFILE)
+        {
+          /* XXX - start_pos will truncate on 32-bit machines - can we
+           * say "start from current pos"?
+           */
+          off_t written = 0;
+          retval = sendfile(in_fd, out_fd, start_pos, num_send, NULL,
+                            &written, 0);
+          /* Translate to Linux-like retval */
+          if (written > 0)
+          {
+            retval = (int) written;
+          }
+        }
+  #elif defined(VSF_SYSDEP_HAVE_SOLARIS_SENDFILE)
+        {
+          size_t written = 0;
+          struct sendfilevec the_vec;
+          vsf_sysutil_memclr(&the_vec, sizeof(the_vec));
+          the_vec.sfv_fd = in_fd;
+          the_vec.sfv_off = start_pos;
+          the_vec.sfv_len = num_send;
+          retval = sendfilev(out_fd, &the_vec, 1, &written);
+          /* Translate to Linux-like retval */
+          if (written > 0)
+          {
+            retval = (int) written;
+          }
+        }
+  #elif defined(VSF_SYSDEP_HAVE_AIX_SENDFILE)
+        {
+          struct sf_parms sf_iobuf;
+          vsf_sysutil_memclr(&sf_iobuf, sizeof(sf_iobuf));
+          sf_iobuf.header_data = NULL;
+          sf_iobuf.header_length = 0;
+          sf_iobuf.trailer_data = NULL;
+          sf_iobuf.trailer_length = 0;
+          sf_iobuf.file_descriptor = in_fd;
+          sf_iobuf.file_offset = start_pos;
+          sf_iobuf.file_bytes = num_send;
+
+          retval = send_file((int*)&out_fd, &sf_iobuf, 0);
+          if (retval >= 0)
+          {
+            retval = sf_iobuf.bytes_sent;
+          }
+        }
+  #else /* must be VSF_SYSDEP_HAVE_HPUX_SENDFILE */
+        {
+          retval = sendfile(out_fd, in_fd, start_pos, num_send, NULL, 0);
+        }
+  #endif /* VSF_SYSDEP_HAVE_LINUX_SENDFILE */
+        error = vsf_sysutil_get_error();
+        vsf_sysutil_check_pending_actions(kVSFSysUtilIO, retval, out_fd);
+      }
+      while (vsf_sysutil_retval_is_error(retval) &&
+             error == kVSFSysUtilErrINTR);
+      if (!s_sendfile_checked)
+      {
+        s_sendfile_checked = 1;
+        if (!vsf_sysutil_retval_is_error(retval) ||
+            error != kVSFSysUtilErrNOSYS)
+        {
+          s_runtime_sendfile_works = 1;
+        }
+      }
+      if (!vsf_sysutil_retval_is_error(retval))
+      {
+        return retval;
+      }
+      if (s_runtime_sendfile_works && error != kVSFSysUtilErrINVAL &&
+          error != kVSFSysUtilErrOPNOTSUPP)
+      {
+        return retval;
+      }
+      /* Fall thru to normal implementation. We won't check again. NOTE -
+       * also falls through if sendfile() is OK but it returns EINVAL. For
+       * Linux this means the file was not page cache backed. Original
+       * complaint was trying to serve files from an NTFS filesystem!
+       */
+    }
+  }
+#endif /* VSF_SYSDEP_HAVE_LINUX_SENDFILE || VSF_SYSDEP_HAVE_FREEBSD_SENDFILE */
+  if (p_recvbuf == 0)
+  {
+    vsf_secbuf_alloc(&p_recvbuf, VSFTP_DATA_BUFSIZE);
+  }
+  while (1)
+  {
+    unsigned int num_read;
+    unsigned int num_written;
+    unsigned int num_read_this_time = VSFTP_DATA_BUFSIZE;
+    if (num_read_this_time > num_send)
+    {
+      num_read_this_time = num_send;
+    }
+    retval = vsf_sysutil_read(in_fd, p_recvbuf, num_read_this_time);
+    if (retval < 0)
+    {
+      return retval;
+    }
+    else if (retval == 0)
+    {
+      return -1;
+    }
+    num_read = (unsigned int) retval;
+    retval = vsf_sysutil_write_loop(out_fd, p_recvbuf, num_read);
+    if (retval < 0)
+    {
+      return retval;
+    }
+    num_written = (unsigned int) retval;
+    total_written += num_written;
+    if (num_written != num_read)
+    {
+      return num_written;
+    }
+    if (num_written > num_send)
+    {
+      bug("num_written bigger than num_send in do_sendfile");
+    }
+    num_send -= num_written;
+    if (num_send == 0)
+    {
+      /* Bingo! */
+      return total_written;
+    }
+  }
+}
+
+void
+vsf_sysutil_set_proctitle_prefix(const struct mystr* p_str)
+{
+  str_copy(&s_proctitle_prefix_str, p_str);
+}
+
+/* This delegation is common to all setproctitle() implementations */
+void
+vsf_sysutil_setproctitle_str(const struct mystr* p_str)
+{
+  vsf_sysutil_setproctitle(str_getbuf(p_str));
+}
+
+void
+vsf_sysutil_setproctitle(const char* p_text)
+{
+  struct mystr proctitle_str = INIT_MYSTR;
+  str_copy(&proctitle_str, &s_proctitle_prefix_str);
+  if (!str_isempty(&proctitle_str))
+  {
+    str_append_text(&proctitle_str, ": ");
+  }
+  str_append_text(&proctitle_str, p_text);
+  vsf_sysutil_setproctitle_internal(str_getbuf(&proctitle_str));
+  str_free(&proctitle_str);
+}
+
+#ifdef VSF_SYSDEP_HAVE_SETPROCTITLE
+void
+vsf_sysutil_setproctitle_init(int argc, const char* argv[])
+{
+  (void) argc;
+  (void) argv;
+}
+
+void
+vsf_sysutil_setproctitle_internal(const char* p_buf)
+{
+  setproctitle("%s", p_buf);
+}
+#elif defined(VSF_SYSDEP_HAVE_HPUX_SETPROCTITLE)
+void
+vsf_sysutil_setproctitle_init(int argc, const char* argv[])
+{
+  (void) argc;
+  (void) argv;
+}
+
+void
+vsf_sysutil_setproctitle_internal(const char* p_buf)
+{
+  struct mystr proctitle_str = INIT_MYSTR;
+  union pstun p;
+  str_alloc_text(&proctitle_str, "ftpz: ");
+  str_append_text(&proctitle_str, p_buf);
+  p.pst_command = str_getbuf(&proctitle_str);
+  pstat(PSTAT_SETCMD, p, 0, 0, 0);
+  str_free(&proctitle_str);
+}
+#elif defined(VSF_SYSDEP_TRY_LINUX_SETPROCTITLE_HACK)
+void
+vsf_sysutil_setproctitle_init(int argc, const char* argv[])
+{
+  int i;
+  char** p_env = environ;
+  if (s_proctitle_inited)
+  {
+    bug("sysutil_setproctitle_init called twice");
+  }
+  s_proctitle_inited = 1;
+  if (argv[0] == 0)
+  {
+    die("no argv[0] in sysutil_setproctitle_init");
+  }
+  for (i=0; i<argc; i++)
+  {
+    s_proctitle_space += vsf_sysutil_strlen(argv[i]) + 1;
+    if (i > 0)
+    {
+      argv[i] = 0;
+    }
+  }
+  while (*p_env != 0)
+  {
+    s_proctitle_space += vsf_sysutil_strlen(*p_env) + 1;
+    p_env++;
+  }
+  /* Oops :-) */
+  environ = 0;
+  s_p_proctitle = (char*) argv[0];
+  vsf_sysutil_memclr(s_p_proctitle, s_proctitle_space);
+}
+
+void
+vsf_sysutil_setproctitle_internal(const char* p_buf)
+{
+  struct mystr proctitle_str = INIT_MYSTR;
+  unsigned int to_copy;
+  if (!s_proctitle_inited)
+  {
+    bug("sysutil_setproctitle: not initialized");
+  }
+  vsf_sysutil_memclr(s_p_proctitle, s_proctitle_space);
+  if (s_proctitle_space < 32)
+  {
+    return;
+  }
+  str_alloc_text(&proctitle_str, "ftpz: ");
+  str_append_text(&proctitle_str, p_buf);
+  to_copy = str_getlen(&proctitle_str);
+  if (to_copy > s_proctitle_space - 1)
+  {
+    to_copy = s_proctitle_space - 1;
+  }
+  vsf_sysutil_memcpy(s_p_proctitle, str_getbuf(&proctitle_str), to_copy);
+  str_free(&proctitle_str);
+  s_p_proctitle[to_copy] = '\0';
+}
+#else /* VSF_SYSDEP_HAVE_SETPROCTITLE */
+void
+vsf_sysutil_setproctitle_init(int argc, const char* argv[])
+{
+  (void) argc;
+  (void) argv;
+}
+
+void
+vsf_sysutil_setproctitle_internal(const char* p_buf)
+{
+  (void) p_buf;
+}
+#endif /* VSF_SYSDEP_HAVE_SETPROCTITLE */
+
+#ifdef VSF_SYSDEP_HAVE_MAP_ANON
+void
+vsf_sysutil_map_anon_pages_init(void)
+{
+}
+
+void*
+vsf_sysutil_map_anon_pages(unsigned int length)
+{
+  char* retval = mmap(0, length, PROT_READ | PROT_WRITE,
+                      MAP_PRIVATE | MAP_ANON, -1, 0);
+  if (retval == MAP_FAILED)
+  {
+    die("mmap");
+  }
+  return retval;
+}
+#else /* VSF_SYSDEP_HAVE_MAP_ANON */
+void
+vsf_sysutil_map_anon_pages_init(void)
+{
+  if (s_zero_fd != -1)
+  {
+    bug("sysutil_map_anon_pages_init called twice");
+  }
+  s_zero_fd = open("/dev/zero", O_RDWR);
+  if (s_zero_fd < 0)
+  {
+    die("could not open /dev/zero");
+  }
+}
+
+void*
+vsf_sysutil_map_anon_pages(unsigned int length)
+{
+  char* retval = mmap(0, length, PROT_READ | PROT_WRITE,
+                      MAP_PRIVATE, s_zero_fd, 0);
+  if (retval == MAP_FAILED)
+  {
+    die("mmap");
+  }
+  return retval;
+}
+#endif /* VSF_SYSDEP_HAVE_MAP_ANON */
+
+#ifndef VSF_SYSDEP_NEED_OLD_FD_PASSING
+
+void
+vsf_sysutil_send_fd(int sock_fd, int send_fd)
+{
+  int retval;
+  struct msghdr msg;
+  struct cmsghdr* p_cmsg;
+  struct iovec vec;
+  char cmsgbuf[CMSG_SPACE(sizeof(send_fd))];
+  int* p_fds;
+  char sendchar = 0;
+  msg.msg_control = cmsgbuf;
+  msg.msg_controllen = sizeof(cmsgbuf);
+  p_cmsg = CMSG_FIRSTHDR(&msg);
+  p_cmsg->cmsg_level = SOL_SOCKET;
+  p_cmsg->cmsg_type = SCM_RIGHTS;
+  p_cmsg->cmsg_len = CMSG_LEN(sizeof(send_fd));
+  p_fds = (int*)CMSG_DATA(p_cmsg);
+  *p_fds = send_fd;
+  msg.msg_controllen = p_cmsg->cmsg_len;
+  msg.msg_name = NULL;
+  msg.msg_namelen = 0;
+  msg.msg_iov = &vec;
+  msg.msg_iovlen = 1;
+  msg.msg_flags = 0;
+  /* "To pass file descriptors or credentials you need to send/read at
+   * least on byte" (man 7 unix)
+   */
+  vec.iov_base = &sendchar;
+  vec.iov_len = sizeof(sendchar);
+  retval = sendmsg(sock_fd, &msg, 0);
+  if (retval != 1)
+  {
+    die("sendmsg");
+  }
+}
+
+int
+vsf_sysutil_recv_fd(const int sock_fd)
+{
+  int retval;
+  struct msghdr msg;
+  char recvchar;
+  struct iovec vec;
+  int recv_fd;
+  char cmsgbuf[CMSG_SPACE(sizeof(recv_fd))];
+  struct cmsghdr* p_cmsg;
+  int* p_fd;
+  vec.iov_base = &recvchar;
+  vec.iov_len = sizeof(recvchar);
+  msg.msg_name = NULL;
+  msg.msg_namelen = 0;
+  msg.msg_iov = &vec;
+  msg.msg_iovlen = 1;
+  msg.msg_control = cmsgbuf;
+  msg.msg_controllen = sizeof(cmsgbuf);
+  msg.msg_flags = 0;
+  /* In case something goes wrong, set the fd to -1 before the syscall */
+  p_fd = (int*)CMSG_DATA(CMSG_FIRSTHDR(&msg));
+  *p_fd = -1;  
+  retval = recvmsg(sock_fd, &msg, 0);
+  if (retval != 1)
+  {
+    die("recvmsg");
+  }
+  p_cmsg = CMSG_FIRSTHDR(&msg);
+  if (p_cmsg == NULL)
+  {
+    die("no passed fd");
+  }
+  /* We used to verify the returned cmsg_level, cmsg_type and cmsg_len here,
+   * but Linux 2.0 totally uselessly fails to fill these in.
+   */
+  p_fd = (int*)CMSG_DATA(p_cmsg);
+  recv_fd = *p_fd;
+  if (recv_fd == -1)
+  {
+    die("no passed fd");
+  }
+  return recv_fd;
+}
+
+#else /* !VSF_SYSDEP_NEED_OLD_FD_PASSING */
+
+void
+vsf_sysutil_send_fd(int sock_fd, int send_fd)
+{
+  int retval;
+  char send_char = 0;
+  struct msghdr msg;
+  struct iovec vec;
+  vec.iov_base = &send_char;
+  vec.iov_len = 1;
+  msg.msg_name = NULL;
+  msg.msg_namelen = 0;
+  msg.msg_iov = &vec;
+  msg.msg_iovlen = 1;
+  msg.msg_accrights = (caddr_t) &send_fd;
+  msg.msg_accrightslen = sizeof(send_fd);
+  retval = sendmsg(sock_fd, &msg, 0);
+  if (retval != 1)
+  {
+    die("sendmsg");
+  }
+}
+
+int
+vsf_sysutil_recv_fd(int sock_fd)
+{
+  int retval;
+  struct msghdr msg;
+  struct iovec vec;
+  char recv_char;
+  int recv_fd = -1;
+  vec.iov_base = &recv_char;
+  vec.iov_len = 1;
+  msg.msg_name = NULL;
+  msg.msg_namelen = 0;
+  msg.msg_iov = &vec;
+  msg.msg_iovlen = 1;
+  msg.msg_accrights = (caddr_t) &recv_fd;
+  msg.msg_accrightslen = sizeof(recv_fd);
+  retval = recvmsg(sock_fd, &msg, 0);
+  if (retval != 1)
+  {
+    die("recvmsg");
+  }
+  if (recv_fd == -1)
+  {
+    die("no passed fd");
+  }
+  return recv_fd;
+}
+
+#endif /* !VSF_SYSDEP_NEED_OLD_FD_PASSING */
+
+#ifndef VSF_SYSDEP_HAVE_UTMPX
+
+void
+vsf_insert_uwtmp(const struct mystr* p_user_str,
+                 const struct mystr* p_host_str)
+{
+  (void) p_user_str;
+  (void) p_host_str;
+}
+
+void
+vsf_remove_uwtmp(void)
+{
+}
+
+#else /* !VSF_SYSDEP_HAVE_UTMPX */
+
+/* IMHO, the pam_unix module REALLY should be doing this in its SM component */
+/* Statics */
+static int s_uwtmp_inserted;
+static struct utmpx s_utent;
+
+void
+vsf_insert_uwtmp(const struct mystr* p_user_str,
+                 const struct mystr* p_host_str)
+{
+  if (sizeof(s_utent.ut_line) < 16)
+  {
+    return;
+  }
+  if (s_uwtmp_inserted)
+  {
+    bug("insert_uwtmp");
+  }
+  {
+    struct mystr line_str = INIT_MYSTR;
+    str_alloc_text(&line_str, "ftpz:");
+    str_append_ulong(&line_str, vsf_sysutil_getpid());
+    if (str_getlen(&line_str) >= sizeof(s_utent.ut_line))
+    {
+      str_free(&line_str);
+      return;
+    }
+    vsf_sysutil_strcpy(s_utent.ut_line, str_getbuf(&line_str),
+                       sizeof(s_utent.ut_line));
+    str_free(&line_str);
+  }
+  s_uwtmp_inserted = 1;
+  s_utent.ut_type = USER_PROCESS;
+  s_utent.ut_pid = vsf_sysutil_getpid();
+  vsf_sysutil_strcpy(s_utent.ut_user, str_getbuf(p_user_str),
+                     sizeof(s_utent.ut_user));
+  vsf_sysutil_strcpy(s_utent.ut_host, str_getbuf(p_host_str),
+                     sizeof(s_utent.ut_host));
+  s_utent.ut_tv.tv_sec = vsf_sysutil_get_time_sec();
+  setutxent();
+  (void) pututxline(&s_utent);
+  endutxent();
+  updwtmpx(WTMPX_FILE, &s_utent);
+}
+
+void
+vsf_remove_uwtmp(void)
+{
+  if (!s_uwtmp_inserted)
+  {
+    return;
+  }
+  s_uwtmp_inserted = 0;
+  s_utent.ut_type = DEAD_PROCESS;
+  vsf_sysutil_memclr(s_utent.ut_user, sizeof(s_utent.ut_user));
+  vsf_sysutil_memclr(s_utent.ut_host, sizeof(s_utent.ut_host));
+  s_utent.ut_tv.tv_sec = 0;
+  setutxent();
+  (void) pututxline(&s_utent);
+  endutxent();
+  s_utent.ut_tv.tv_sec = vsf_sysutil_get_time_sec();
+  updwtmpx(WTMPX_FILE, &s_utent);
+}
+
+#endif /* !VSF_SYSDEP_HAVE_UTMPX */
+
+void
+vsf_set_die_if_parent_dies()
+{
+#ifdef VSF_SYSDEP_HAVE_SETPDEATHSIG
+  if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) != 0)
+  {
+    die("prctl");
+  }
+#endif
+}
+
+void
+vsf_set_term_if_parent_dies()
+{
+#ifdef VSF_SYSDEP_HAVE_SETPDEATHSIG
+  if (prctl(PR_SET_PDEATHSIG, SIGTERM, 0, 0, 0) != 0)
+  {
+    die("prctl");
+  }
+#endif
+}
+
+int
+vsf_sysutil_fork_isolate_all_failok()
+{
+#ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
+  static int cloneflags_work = 1;
+  if (cloneflags_work)
+  {
+    int ret = syscall(__NR_clone,
+                      CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD,
+                      NULL);
+    if (ret != -1 || (errno != EINVAL && errno != EPERM))
+    {
+      if (ret == 0)
+      {
+        vsf_sysutil_post_fork();
+      }
+      return ret;
+    }
+    cloneflags_work = 0;
+  }
+#endif
+  return vsf_sysutil_fork_isolate_failok();
+}
+
+int
+vsf_sysutil_fork_isolate_failok()
+{
+#ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
+  static int cloneflags_work = 1;
+  if (cloneflags_work)
+  {
+    int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
+    if (ret != -1 || (errno != EINVAL && errno != EPERM))
+    {
+      if (ret == 0)
+      {
+        vsf_sysutil_post_fork();
+      }
+      return ret;
+    }
+    cloneflags_work = 0;
+  }
+#endif
+  return vsf_sysutil_fork_failok();
+}
+
+int
+vsf_sysutil_fork_newnet()
+{
+#ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
+  static int cloneflags_work = 1;
+  if (cloneflags_work)
+  {
+    int ret = syscall(__NR_clone, CLONE_NEWNET | SIGCHLD, NULL);
+    if (ret != -1 || (errno != EINVAL && errno != EPERM))
+    {
+      if (ret == 0)
+      {
+        vsf_sysutil_post_fork();
+      }
+      return ret;
+    }
+    cloneflags_work = 0;
+  }
+#endif
+  return vsf_sysutil_fork();
+}
+
+int
+vsf_sysutil_getpid_nocache(void)
+{
+#ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
+  /* Need to defeat the glibc pid caching because we need to hit a raw
+   * sys_clone() above.
+   */
+  return syscall(__NR_getpid);
+#else
+  return getpid();
+#endif
+}

sysdeputil.h

@@ -0,0 +1,76 @@
+#ifndef VSF_SYSDEPUTIL_H
+#define VSF_SYSDEPUTIL_H
+
+#ifndef VSF_FILESIZE_H
+#include "filesize.h"
+#endif
+
+/* VSF_SYSDEPUTIL_H:
+ * Support for highly system dependent features, and querying for support
+ * or lack thereof
+ * TODO: document functions!
+ */
+
+struct mystr;
+
+/* Authentication of local users */
+/* Return 0 for fail, 1 for success */
+int vsf_sysdep_check_auth(struct mystr* p_user,
+                          const struct mystr* p_pass,
+                          const struct mystr* p_remote_host);
+
+/* Support for fine grained privilege (capabilities) */
+int vsf_sysdep_has_capabilities(void);
+int vsf_sysdep_has_capabilities_as_non_root(void);
+void vsf_sysdep_keep_capabilities(void);
+enum ESysdepCapabilities
+{
+  kCapabilityCAP_CHOWN = 1,
+  kCapabilityCAP_NET_BIND_SERVICE = 2
+  /* NOTE - next one will be 4, this is a bitfield */
+};
+void vsf_sysdep_adopt_capabilities(unsigned int caps);
+
+/* Support for sendfile(), Linux-like interface. Collapses to a read/write
+ * loop under the covers if the target system lacks support.
+ */
+int vsf_sysutil_sendfile(const int out_fd, const int in_fd,
+                         filesize_t* p_offset, filesize_t num_send,
+                         unsigned int max_chunk);
+
+/* Support for changing the process name as reported by the operating system.
+ * A useful status monitor. NOTE - we don't guarantee that this call will
+ * have any effect.
+ */
+void vsf_sysutil_setproctitle_init(int argc, const char* argv[]);
+void vsf_sysutil_setproctitle(const char* p_text);
+void vsf_sysutil_setproctitle_str(const struct mystr* p_str);
+void vsf_sysutil_set_proctitle_prefix(const struct mystr* p_str);
+
+/* For now, maps read/write private pages. API to be extended.. */
+void vsf_sysutil_map_anon_pages_init(void);
+void* vsf_sysutil_map_anon_pages(unsigned int length);
+
+/* File descriptor passing/receiving */
+void vsf_sysutil_send_fd(int sock_fd, int send_fd);
+int vsf_sysutil_recv_fd(int sock_fd);
+
+/* If supported, arrange for current process to die when parent dies. */
+void vsf_set_die_if_parent_dies();
+/* Or a softer version delivering SIGTERM. */
+void vsf_set_term_if_parent_dies();
+
+/* If supported, the ability to fork into different secure namespaces (PID
+ * and IPC. Fails back to normal fork() */
+int vsf_sysutil_fork_isolate_failok();
+/* Same as above, but in addition tries to fork into an empty network
+ * namespace. Falls back to vsf_sysutil_fork_isolate_failok then normal fork().
+ */
+int vsf_sysutil_fork_isolate_all_failok();
+/* If supported, the ability to fork into an empty network namespace.
+ * Fails back to normal fork() */
+int vsf_sysutil_fork_newnet();
+int vsf_sysutil_getpid_nocache();
+
+#endif /* VSF_SYSDEPUTIL_H */
+

sysstr.c

@@ -0,0 +1,179 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * sysstr.c
+ *
+ * This file basically wraps system functions so that we can deal in our
+ * nice abstracted string buffer objects.
+ */
+
+#include "sysstr.h"
+#include "str.h"
+#include "secbuf.h"
+#include "sysutil.h"
+#include "defs.h"
+#include "utility.h"
+#include "tunables.h"
+
+void
+str_getcwd(struct mystr* p_str)
+{
+  static char* p_getcwd_buf;
+  char* p_ret;
+  if (p_getcwd_buf == 0)
+  {
+    vsf_secbuf_alloc(&p_getcwd_buf, VSFTP_PATH_MAX);
+  }
+  /* In case getcwd() fails */
+  str_empty(p_str);
+  p_ret = vsf_sysutil_getcwd(p_getcwd_buf, VSFTP_PATH_MAX);
+  if (p_ret != 0)
+  {
+    str_alloc_text(p_str, p_getcwd_buf);
+  }
+}
+
+int
+str_write_loop(const struct mystr* p_str, const int fd)
+{
+  return vsf_sysutil_write_loop(fd, str_getbuf(p_str), str_getlen(p_str));
+}
+
+int
+str_read_loop(struct mystr* p_str, const int fd)
+{
+  return vsf_sysutil_read_loop(
+    fd, (char*) str_getbuf(p_str), str_getlen(p_str));
+}
+
+int
+str_mkdir(const struct mystr* p_str, const unsigned int mode)
+{
+  return vsf_sysutil_mkdir(str_getbuf(p_str), mode);
+}
+
+int
+str_rmdir(const struct mystr* p_str)
+{
+  return vsf_sysutil_rmdir(str_getbuf(p_str));
+}
+
+int
+str_unlink(const struct mystr* p_str)
+{
+  return vsf_sysutil_unlink(str_getbuf(p_str));
+}
+
+int
+str_chdir(const struct mystr* p_str)
+{
+  return vsf_sysutil_chdir(str_getbuf(p_str));
+}
+
+int
+str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
+{
+  enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown;
+  switch (mode)
+  {
+    case kVSFSysStrOpenReadOnly:
+      open_mode = kVSFSysUtilOpenReadOnly;
+      break;
+    case kVSFSysStrOpenUnknown:
+      /* Fall through */
+    default:
+      bug("unknown mode value in str_open");
+      break;
+  }
+  return vsf_sysutil_open_file(str_getbuf(p_str), open_mode);
+}
+
+int
+str_stat(const struct mystr* p_str, struct vsf_sysutil_statbuf** p_ptr)
+{
+  return vsf_sysutil_stat(str_getbuf(p_str), p_ptr);
+}
+
+int
+str_lstat(const struct mystr* p_str, struct vsf_sysutil_statbuf** p_ptr)
+{
+  return vsf_sysutil_lstat(str_getbuf(p_str), p_ptr);
+}
+
+int
+str_create_exclusive(const struct mystr* p_str)
+{
+  return vsf_sysutil_create_file_exclusive(str_getbuf(p_str));
+}
+
+int
+str_create(const struct mystr* p_str)
+{
+  return vsf_sysutil_create_or_open_file(
+      str_getbuf(p_str), tunable_file_open_mode);
+}
+
+int
+str_chmod(const struct mystr* p_str, unsigned int mode)
+{
+  return vsf_sysutil_chmod(str_getbuf(p_str), mode);
+}
+
+int
+str_rename(const struct mystr* p_from_str, const struct mystr* p_to_str)
+{
+  return vsf_sysutil_rename(str_getbuf(p_from_str), str_getbuf(p_to_str));
+}
+
+struct vsf_sysutil_dir*
+str_opendir(const struct mystr* p_str)
+{
+  return vsf_sysutil_opendir(str_getbuf(p_str));
+}
+
+void
+str_next_dirent(struct mystr* p_filename_str, struct vsf_sysutil_dir* p_dir)
+{
+  const char* p_filename = vsf_sysutil_next_dirent(p_dir);
+  str_empty(p_filename_str);
+  if (p_filename != 0)
+  {
+    str_alloc_text(p_filename_str, p_filename);
+  }
+}
+
+int
+str_readlink(struct mystr* p_str, const struct mystr* p_filename_str)
+{
+  static char* p_readlink_buf;
+  int retval;
+  if (p_readlink_buf == 0)
+  {
+    vsf_secbuf_alloc(&p_readlink_buf, VSFTP_PATH_MAX);
+  }
+  /* In case readlink() fails */
+  str_empty(p_str);
+  /* Note: readlink(2) does not NULL terminate, but our wrapper does */
+  retval = vsf_sysutil_readlink(str_getbuf(p_filename_str), p_readlink_buf,
+                                VSFTP_PATH_MAX);
+  if (vsf_sysutil_retval_is_error(retval))
+  {
+    return retval;
+  }
+  str_alloc_text(p_str, p_readlink_buf);
+  return 0;
+}
+
+struct vsf_sysutil_user*
+str_getpwnam(const struct mystr* p_user_str)
+{
+  return vsf_sysutil_getpwnam(str_getbuf(p_user_str));
+}
+
+void
+str_syslog(const struct mystr* p_str, int severe)
+{
+  vsf_sysutil_syslog(str_getbuf(p_str), severe);
+}
+

sysstr.h

@@ -0,0 +1,39 @@
+#ifndef VSF_SYSSTR_H
+#define VSF_SYSSTR_H
+
+/* Forward declarations */
+struct mystr;
+struct vsf_sysutil_statbuf;
+struct vsf_sysutil_dir;
+struct vsf_sysutil_user;
+
+void str_getcwd(struct mystr* p_str);
+int str_readlink(struct mystr* p_str, const struct mystr* p_filename_str);
+int str_write_loop(const struct mystr* p_str, const int fd);
+int str_read_loop(struct mystr* p_str, const int fd);
+int str_mkdir(const struct mystr* p_str, const unsigned int mode);
+int str_rmdir(const struct mystr* p_str);
+int str_unlink(const struct mystr* p_str);
+int str_chdir(const struct mystr* p_str);
+enum EVSFSysStrOpenMode
+{
+  kVSFSysStrOpenUnknown = 0,
+  kVSFSysStrOpenReadOnly = 1
+};
+int str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode);
+int str_create(const struct mystr* p_str);
+int str_create_exclusive(const struct mystr* p_str);
+int str_chmod(const struct mystr* p_str, unsigned int mode);
+int str_stat(const struct mystr* p_str, struct vsf_sysutil_statbuf** p_ptr);
+int str_lstat(const struct mystr* p_str, struct vsf_sysutil_statbuf** p_ptr);
+int str_rename(const struct mystr* p_from_str, const struct mystr* p_to_str);
+struct vsf_sysutil_dir* str_opendir(const struct mystr* p_str);
+void str_next_dirent(struct mystr* p_filename_str,
+                     struct vsf_sysutil_dir* p_dir);
+
+struct vsf_sysutil_user* str_getpwnam(const struct mystr* p_user_str);
+
+void str_syslog(const struct mystr* p_str, int severe);
+
+#endif /* VSF_SYSSTR_H */
+

sysutil.c

@@ -0,0 +1,2861 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * 
+ * sysutil.c
+ *
+ * Routines to make the libc/syscall API more pleasant to use. Long term,
+ * more libc/syscalls will go in here to reduce the number of .c files with
+ * dependencies on libc or syscalls.
+ */
+
+#define PRIVATE_HANDS_OFF_syscall_retval syscall_retval
+#define PRIVATE_HANDS_OFF_exit_status exit_status
+#include "sysutil.h"
+#include "utility.h"
+#include "tunables.h"
+#include "sysdeputil.h"
+
+/* Activate 64-bit file support on Linux/32bit plus others */
+#define _FILE_OFFSET_BITS 64
+#define _LARGEFILE_SOURCE 1
+#define _LARGEFILE64_SOURCE 1
+#define _LARGE_FILES 1
+
+/* For Linux, this adds nothing :-) */
+#include "port/porting_junk.h"
+
+#include <signal.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <time.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <pwd.h>
+#include <grp.h>
+#include <ctype.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+/* Must be before netinet/ip.h. Found on FreeBSD, Solaris */
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <limits.h>
+#include <syslog.h>
+#include <utime.h>
+#include <netdb.h>
+#include <sys/resource.h>
+
+/* Private variables to this file */
+/* Current umask() */
+static unsigned int s_current_umask;
+/* Cached time */
+static struct timeval s_current_time;
+/* Current pid */
+static int s_current_pid = -1;
+/* Exit function */
+static exitfunc_t s_exit_func;
+/* Difference in timezone from GMT in seconds */
+static long s_timezone;
+
+/* Our internal signal handling implementation details */
+static struct vsf_sysutil_sig_details
+{
+  vsf_sighandle_t sync_sig_handler;
+  void* p_private;
+  volatile sig_atomic_t pending;
+  int running;
+  int use_alarm;
+} s_sig_details[NSIG];
+
+static vsf_context_io_t s_io_handler;
+static void* s_p_io_handler_private;
+static int s_io_handler_running;
+
+struct vsf_sysutil_sockaddr
+{
+  union
+  {
+    struct sockaddr u_sockaddr;
+    struct sockaddr_in u_sockaddr_in;
+    struct sockaddr_in6 u_sockaddr_in6;
+  } u;
+};
+
+/* File locals */
+static void vsf_sysutil_common_sighandler(int signum);
+static void vsf_sysutil_alrm_sighandler(int signum);
+static int vsf_sysutil_translate_sig(const enum EVSFSysUtilSignal sig);
+static void vsf_sysutil_set_sighandler(int sig, void (*p_handlefunc)(int));
+static int vsf_sysutil_translate_memprot(
+  const enum EVSFSysUtilMapPermission perm);
+static int vsf_sysutil_translate_openmode(
+  const enum EVSFSysUtilOpenMode mode);
+static void vsf_sysutil_alloc_statbuf(struct vsf_sysutil_statbuf** p_ptr);
+void vsf_sysutil_sockaddr_alloc(struct vsf_sysutil_sockaddr** p_sockptr);
+static int lock_internal(int fd, int lock_type);
+
+static void
+vsf_sysutil_alrm_sighandler(int signum)
+{
+  (void) signum;
+  alarm(1);
+}
+
+static void
+vsf_sysutil_common_sighandler(int signum)
+{
+  if (signum < 0 || signum >= NSIG)
+  {
+    /* "cannot happen" */
+    return;
+  }
+  if (s_sig_details[signum].sync_sig_handler)
+  {
+    s_sig_details[signum].pending = 1;
+    /* Since this synchronous signal framework has a small race (signal coming
+     * in just before we start a blocking call), there's the option to fire an
+     * alarm repeatedly until the signal is handled.
+     */
+    if (s_sig_details[signum].use_alarm)
+    {
+      alarm(1);
+    }
+  }
+}
+
+/* Notes. This signal check is evaluated after potentially blocking system
+ * calls, i.e. at highly defined points in the code. Since we only interrupt
+ * at these definite locations, the signal handlers can be non-trivial
+ * without us having to worry about re-entrancy.
+ *
+ * We guarantee that a handler for a given signal is not re-entrant. This
+ * is taken care of by the "running" flag.
+ *
+ * This call itself can only be re-entered once we dereference the actual
+ * hander function pointer, so we are safe with respect to races modifying
+ * the "running" flag.
+ */
+void
+vsf_sysutil_check_pending_actions(
+  const enum EVSFSysUtilInterruptContext context, int retval, int fd)
+{
+  unsigned int i;
+  /* Check the i/o handler before the signal handlers */
+  if (s_io_handler && !s_io_handler_running && context == kVSFSysUtilIO)
+  {
+    s_io_handler_running = 1;
+    (*s_io_handler)(retval, fd, s_p_io_handler_private);
+    s_io_handler_running = 0;
+  }
+  for (i=0; i < NSIG; ++i)
+  {
+    if (s_sig_details[i].pending && !s_sig_details[i].running)
+    {
+      s_sig_details[i].running = 1;
+      if (s_sig_details[i].use_alarm)
+      {
+        alarm(0);
+      }
+      if (s_sig_details[i].sync_sig_handler)
+      {
+        s_sig_details[i].pending = 0;
+        (*(s_sig_details[i].sync_sig_handler))(s_sig_details[i].p_private);
+      }
+      s_sig_details[i].running = 0;
+    }
+  }
+}
+
+static int
+vsf_sysutil_translate_sig(const enum EVSFSysUtilSignal sig)
+{
+  int realsig = 0;
+  switch (sig)
+  {
+    case kVSFSysUtilSigALRM:
+      realsig = SIGALRM;
+      break;
+    case kVSFSysUtilSigTERM:
+      realsig = SIGTERM;
+      break;
+    case kVSFSysUtilSigCHLD:
+      realsig = SIGCHLD;
+      break;
+    case kVSFSysUtilSigPIPE:
+      realsig = SIGPIPE;
+      break;
+    case kVSFSysUtilSigURG:
+      realsig = SIGURG;
+      break;
+    case kVSFSysUtilSigHUP:
+      realsig = SIGHUP;
+      break;
+    default:
+      bug("unknown signal in sysutil_translate_sig");
+      break;
+  }
+  if (realsig < 0 || realsig >= NSIG)
+  {
+    bug("signal out of range in sysutil_translate_sig");
+  }
+  return realsig;
+}
+
+void
+vsf_sysutil_install_sighandler(const enum EVSFSysUtilSignal sig,
+                               vsf_sighandle_t handler,
+                               void* p_private,
+                               int use_alarm)
+{
+  int realsig = vsf_sysutil_translate_sig(sig);
+  s_sig_details[realsig].p_private = p_private;
+  s_sig_details[realsig].sync_sig_handler = handler;
+  s_sig_details[realsig].use_alarm = use_alarm;
+  vsf_sysutil_set_sighandler(realsig, vsf_sysutil_common_sighandler);
+  if (use_alarm && realsig != SIGALRM)
+  {
+    vsf_sysutil_set_sighandler(SIGALRM, vsf_sysutil_alrm_sighandler);
+  }
+}
+
+void
+vsf_sysutil_default_sig(const enum EVSFSysUtilSignal sig)
+{
+  int realsig = vsf_sysutil_translate_sig(sig);
+  vsf_sysutil_set_sighandler(realsig, SIG_DFL);
+  s_sig_details[realsig].p_private = NULL;
+  s_sig_details[realsig].sync_sig_handler = NULL;
+}
+
+void
+vsf_sysutil_install_null_sighandler(const enum EVSFSysUtilSignal sig)
+{
+  int realsig = vsf_sysutil_translate_sig(sig);
+  s_sig_details[realsig].p_private = NULL;
+  s_sig_details[realsig].sync_sig_handler = NULL;
+  vsf_sysutil_set_sighandler(realsig, vsf_sysutil_common_sighandler);
+}
+
+void
+vsf_sysutil_install_async_sighandler(const enum EVSFSysUtilSignal sig,
+                                     vsf_async_sighandle_t handler)
+{
+  int realsig = vsf_sysutil_translate_sig(sig);
+  s_sig_details[realsig].p_private = NULL;
+  s_sig_details[realsig].sync_sig_handler = NULL;
+  vsf_sysutil_block_sig(sig);
+  vsf_sysutil_set_sighandler(realsig, handler);
+}
+
+static void
+vsf_sysutil_set_sighandler(int sig, void (*p_handlefunc)(int))
+{
+  int retval;
+  struct sigaction sigact;
+  vsf_sysutil_memclr(&sigact, sizeof(sigact));
+  sigact.sa_handler = p_handlefunc;
+  retval = sigfillset(&sigact.sa_mask);
+  if (retval != 0)
+  {
+    die("sigfillset");
+  }
+  retval = sigaction(sig, &sigact, NULL);
+  if (retval != 0)
+  {
+    die("sigaction");
+  }
+}
+
+void
+vsf_sysutil_block_sig(const enum EVSFSysUtilSignal sig)
+{
+  sigset_t sset;
+  int retval;
+  int realsig = vsf_sysutil_translate_sig(sig);
+  retval = sigemptyset(&sset);
+  if (retval != 0)
+  {
+    die("sigemptyset");
+  }
+  retval = sigaddset(&sset, realsig);
+  if (retval != 0)
+  {
+    die("sigaddset");
+  }
+  retval = sigprocmask(SIG_BLOCK, &sset, NULL);
+  if (retval != 0)
+  {
+    die("sigprocmask");
+  }
+}
+
+void
+vsf_sysutil_unblock_sig(const enum EVSFSysUtilSignal sig)
+{
+  sigset_t sset;
+  int retval;
+  int realsig = vsf_sysutil_translate_sig(sig);
+  retval = sigemptyset(&sset);
+  if (retval != 0)
+  {
+    die("sigemptyset");
+  }
+  retval = sigaddset(&sset, realsig);
+  if (retval != 0)
+  {
+    die("sigaddset");
+  }
+  retval = sigprocmask(SIG_UNBLOCK, &sset, NULL);
+  if (retval != 0)
+  {
+    die("sigprocmask");
+  }
+}
+void
+vsf_sysutil_install_io_handler(vsf_context_io_t handler, void* p_private)
+{
+  if (s_io_handler != NULL)
+  {
+    bug("double register of i/o handler");
+  }
+  s_io_handler = handler;
+  s_p_io_handler_private = p_private;
+}
+
+void
+vsf_sysutil_uninstall_io_handler(void)
+{
+  if (s_io_handler == NULL)
+  {
+    bug("no i/o handler to unregister!");
+  }
+  s_io_handler = NULL;
+  s_p_io_handler_private = NULL;
+}
+
+void
+vsf_sysutil_set_alarm(const unsigned int trigger_seconds)
+{
+  (void) alarm(trigger_seconds);
+}
+
+void
+vsf_sysutil_clear_alarm(void)
+{
+  vsf_sysutil_set_alarm(0);
+}
+
+int
+vsf_sysutil_read(const int fd, void* p_buf, const unsigned int size)
+{
+  while (1)
+  {
+    int retval = read(fd, p_buf, size);
+    int saved_errno = errno;
+    vsf_sysutil_check_pending_actions(kVSFSysUtilIO, retval, fd);
+    if (retval < 0 && saved_errno == EINTR)
+    {
+      continue;
+    }
+    return retval;
+  }
+}
+
+int
+vsf_sysutil_write(const int fd, const void* p_buf, const unsigned int size)
+{
+  while (1)
+  {
+    int retval = write(fd, p_buf, size);
+    int saved_errno = errno;
+    vsf_sysutil_check_pending_actions(kVSFSysUtilIO, retval, fd);
+    if (retval < 0 && saved_errno == EINTR)
+    {
+      continue;
+    }
+    return retval;
+  }
+}
+
+int
+vsf_sysutil_read_loop(const int fd, void* p_buf, unsigned int size)
+{
+  int retval;
+  int num_read = 0;
+  if (size > INT_MAX)
+  {
+    die("size too big in sysutil_read_loop");
+  }
+  while (1)
+  {
+    retval = vsf_sysutil_read(fd, (char*)p_buf + num_read, size);
+    if (retval < 0)
+    {
+      return retval;
+    }
+    else if (retval == 0)
+    {
+      /* Read all we're going to read.. */
+      return num_read; 
+    }
+    if ((unsigned int) retval > size)
+    {
+      die("retval too big in vsf_sysutil_read_loop");
+    }
+    num_read += retval;
+    size -= (unsigned int) retval;
+    if (size == 0)
+    {
+      /* Hit the read target, cool. */
+      return num_read;
+    }
+  }
+}
+
+int
+vsf_sysutil_write_loop(const int fd, const void* p_buf, unsigned int size)
+{
+  int retval;
+  int num_written = 0;
+  if (size > INT_MAX)
+  {
+    die("size too big in sysutil_write_loop");
+  }
+  while (1)
+  {
+    retval = vsf_sysutil_write(fd, (const char*)p_buf + num_written, size);
+    if (retval < 0)
+    {
+      /* Error */
+      return retval;
+    }
+    else if (retval == 0)
+    {
+      /* Written all we're going to write.. */
+      return num_written;
+    }
+    if ((unsigned int) retval > size)
+    {
+      die("retval too big in sysutil_write_loop");
+    }
+    num_written += retval;
+    size -= (unsigned int) retval;
+    if (size == 0)
+    {
+      /* Hit the write target, cool. */
+      return num_written;
+    }
+  }
+}
+
+filesize_t
+vsf_sysutil_get_file_offset(const int file_fd)
+{
+  filesize_t retval = lseek(file_fd, 0, SEEK_CUR);
+  if (retval < 0)
+  {
+    die("lseek");
+  }
+  return retval;
+}
+
+void
+vsf_sysutil_lseek_to(const int fd, filesize_t seek_pos)
+{
+  filesize_t retval;
+  if (seek_pos < 0)
+  {
+    die("negative seek_pos in sysutil_lseek_to");
+  }
+  retval = lseek(fd, seek_pos, SEEK_SET);
+  if (retval < 0)
+  {
+    die("lseek");
+  }
+}
+
+void
+vsf_sysutil_lseek_end(const int fd)
+{
+  filesize_t retval;
+  retval = lseek(fd, 0, SEEK_END);
+  if (retval < 0)
+  {
+    die("lseek");
+  }
+}
+
+void*
+vsf_sysutil_malloc(unsigned int size)
+{
+  void* p_ret;
+  /* Paranoia - what if we got an integer overflow/underflow? */
+  if (size == 0 || size > INT_MAX)
+  {
+    bug("zero or big size in sysutil_malloc");
+  }  
+  p_ret = malloc(size);
+  if (p_ret == NULL)
+  {
+    die("malloc");
+  }
+  return p_ret;
+}
+
+void*
+vsf_sysutil_realloc(void* p_ptr, unsigned int size)
+{
+  void* p_ret;
+  if (size == 0 || size > INT_MAX)
+  {
+    bug("zero or big size in sysutil_realloc");
+  }
+  p_ret = realloc(p_ptr, size);
+  if (p_ret == NULL)
+  {
+    die("realloc");
+  }
+  return p_ret;
+}
+
+void
+vsf_sysutil_free(void* p_ptr)
+{
+  if (p_ptr == NULL)
+  {
+    bug("sysutil_free got a null pointer");
+  }
+  free(p_ptr);
+}
+
+unsigned int
+vsf_sysutil_getpid(void)
+{
+  if (s_current_pid == -1)
+  {
+    s_current_pid = vsf_sysutil_getpid_nocache();
+  }
+  return (unsigned int) s_current_pid;
+}
+
+int
+vsf_sysutil_fork(void)
+{
+  int retval = vsf_sysutil_fork_failok();
+  if (retval < 0)
+  {
+    die("fork");
+  }
+  return retval;
+}
+
+int
+vsf_sysutil_fork_failok(void)
+{
+  int retval;
+  retval = fork();
+  if (retval == 0)
+  {
+    vsf_sysutil_post_fork();
+  }
+  return retval;
+}
+
+void
+vsf_sysutil_set_exit_func(exitfunc_t exitfunc)
+{
+  s_exit_func = exitfunc;
+}
+
+void
+vsf_sysutil_exit(int exit_code)
+{
+  if (s_exit_func)
+  {
+    exitfunc_t curr_func = s_exit_func;
+    /* Prevent recursion */
+    s_exit_func = 0;
+    (*curr_func)();
+  }
+  _exit(exit_code);
+}
+
+struct vsf_sysutil_wait_retval
+vsf_sysutil_wait(void)
+{
+  struct vsf_sysutil_wait_retval retval;
+  vsf_sysutil_memclr(&retval, sizeof(retval));
+  while (1)
+  {
+    int sys_ret = wait(&retval.exit_status);
+    if (sys_ret < 0 && errno == EINTR)
+    {
+      vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
+      continue;
+    }
+    retval.syscall_retval = sys_ret;
+    return retval;
+  }
+}
+
+int
+vsf_sysutil_wait_reap_one(void)
+{
+  int retval = waitpid(-1, NULL, WNOHANG);
+  if (retval == 0 || (retval < 0 && errno == ECHILD))
+  {
+    /* No more children */
+    return 0;
+  }
+  if (retval < 0)
+  {
+    die("waitpid");
+  }
+  /* Got one */
+  return retval;
+}
+
+int
+vsf_sysutil_wait_get_retval(const struct vsf_sysutil_wait_retval* p_waitret)
+{
+  return p_waitret->syscall_retval;
+}
+
+int
+vsf_sysutil_wait_exited_normally(
+  const struct vsf_sysutil_wait_retval* p_waitret)
+{
+  int status = ((struct vsf_sysutil_wait_retval*) p_waitret)->exit_status;
+  return WIFEXITED(status);
+}
+
+int
+vsf_sysutil_wait_get_exitcode(const struct vsf_sysutil_wait_retval* p_waitret)
+{
+  int status;
+  if (!vsf_sysutil_wait_exited_normally(p_waitret))
+  {
+    bug("not a normal exit in sysutil_wait_get_exitcode");
+  }
+  status = ((struct vsf_sysutil_wait_retval*) p_waitret)->exit_status;
+  return WEXITSTATUS(status);
+}
+
+void
+vsf_sysutil_activate_keepalive(int fd)
+{
+  int keepalive = 1;
+  int retval = setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &keepalive,
+                          sizeof(keepalive));
+  if (retval != 0)
+  {
+    die("setsockopt: keepalive");
+  }
+}
+
+void
+vsf_sysutil_activate_reuseaddr(int fd)
+{
+  int reuseaddr = 1;
+  int retval = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,
+                          sizeof(reuseaddr));
+  if (retval != 0)
+  {
+    die("setsockopt: reuseaddr");
+  }
+}
+
+void
+vsf_sysutil_set_nodelay(int fd)
+{
+  int nodelay = 1;
+  int retval = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &nodelay,
+                          sizeof(nodelay));
+  if (retval != 0)
+  {
+    die("setsockopt: nodelay");
+  }
+}
+
+void
+vsf_sysutil_activate_sigurg(int fd)
+{
+  int retval = fcntl(fd, F_SETOWN, vsf_sysutil_getpid());
+  if (retval != 0)
+  {
+    die("fcntl");
+  }
+}
+
+void
+vsf_sysutil_activate_oobinline(int fd)
+{
+  int oob_inline = 1;
+  int retval = setsockopt(fd, SOL_SOCKET, SO_OOBINLINE, &oob_inline,
+                          sizeof(oob_inline));
+  if (retval != 0)
+  {
+    die("setsockopt: oobinline");
+  }
+}
+
+void
+vsf_sysutil_set_iptos_throughput(int fd)
+{
+  int tos = IPTOS_THROUGHPUT;
+  /* Ignore failure to set (maybe this IP stack demands privilege for this) */
+  (void) setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
+}
+
+void
+vsf_sysutil_activate_linger(int fd)
+{
+  int retval;
+  struct linger the_linger;
+  vsf_sysutil_memclr(&the_linger, sizeof(the_linger));
+  the_linger.l_onoff = 1;
+  the_linger.l_linger = 60 * 10;
+  retval = setsockopt(fd, SOL_SOCKET, SO_LINGER, &the_linger,
+                      sizeof(the_linger));
+  if (retval != 0)
+  {
+    die("setsockopt: linger");
+  }
+}
+
+void
+vsf_sysutil_deactivate_linger_failok(int fd)
+{
+  struct linger the_linger;
+  the_linger.l_onoff = 0;
+  the_linger.l_linger = 0;
+  (void) setsockopt(fd, SOL_SOCKET, SO_LINGER, &the_linger, sizeof(the_linger));
+}
+
+void
+vsf_sysutil_activate_noblock(int fd)
+{
+  int retval;
+  int curr_flags = fcntl(fd, F_GETFL);
+  if (vsf_sysutil_retval_is_error(curr_flags))
+  {
+    die("fcntl");
+  }
+  curr_flags |= O_NONBLOCK;
+  retval = fcntl(fd, F_SETFL, curr_flags);
+  if (retval != 0)
+  {
+    die("fcntl");
+  }
+}
+
+void
+vsf_sysutil_deactivate_noblock(int fd)
+{
+  int retval;
+  int curr_flags = fcntl(fd, F_GETFL);
+  if (vsf_sysutil_retval_is_error(curr_flags))
+  {
+    die("fcntl");
+  }
+  curr_flags &= ~O_NONBLOCK;
+  retval = fcntl(fd, F_SETFL, curr_flags);
+  if (retval != 0)
+  {
+    die("fcntl");
+  }
+}
+
+int
+vsf_sysutil_recv_peek(const int fd, void* p_buf, unsigned int len)
+{
+  while (1)
+  {
+    int retval = recv(fd, p_buf, len, MSG_PEEK);
+    int saved_errno = errno;
+    vsf_sysutil_check_pending_actions(kVSFSysUtilIO, retval, fd);
+    if (retval < 0 && saved_errno == EINTR)
+    {
+      continue;
+    }
+    return retval;
+  }
+}
+
+int
+vsf_sysutil_atoi(const char* p_str)
+{
+  return atoi(p_str);
+}
+
+filesize_t
+vsf_sysutil_a_to_filesize_t(const char* p_str)
+{
+  /* atoll() is C99 standard - but even modern FreeBSD, OpenBSD don't have
+   * it, so we'll supply our own
+   */
+  filesize_t result = 0;
+  filesize_t mult = 1;
+  unsigned int len = vsf_sysutil_strlen(p_str);
+  unsigned int i;
+  /* Bail if the number is excessively big (petabytes!) */
+  if (len > 15)
+  {
+    return 0;
+  }
+  for (i=0; i<len; ++i)
+  {
+    char the_char = p_str[len-(i+1)];
+    filesize_t val;
+    if (the_char < '0' || the_char > '9')
+    {
+      return 0;
+    }
+    val = the_char - '0';
+    val *= mult;
+    result += val;
+    mult *= 10;
+  }
+  return result;
+}
+
+const char*
+vsf_sysutil_ulong_to_str(unsigned long the_ulong)
+{
+  static char ulong_buf[32];
+  (void) snprintf(ulong_buf, sizeof(ulong_buf), "%lu", the_ulong);
+  return ulong_buf;
+}
+
+const char*
+vsf_sysutil_filesize_t_to_str(filesize_t the_filesize)
+{
+  static char filesize_buf[32];
+  if (sizeof(long) == 8)
+  {
+    /* Avoid using non-standard %ll if we can */
+    (void) snprintf(filesize_buf, sizeof(filesize_buf), "%ld",
+                    (long) the_filesize);
+  }
+  else
+  {
+    (void) snprintf(filesize_buf, sizeof(filesize_buf), "%lld", the_filesize);
+  }
+  return filesize_buf;
+}
+
+const char*
+vsf_sysutil_double_to_str(double the_double)
+{
+  static char double_buf[32];
+  (void) snprintf(double_buf, sizeof(double_buf), "%.2f", the_double);
+  return double_buf;
+}
+
+const char*
+vsf_sysutil_uint_to_octal(unsigned int the_uint)
+{
+  static char octal_buf[32];
+  if (the_uint == 0)
+  {
+    octal_buf[0] = '0';
+    octal_buf[1] = '\0';
+  }
+  else
+  {
+    (void) snprintf(octal_buf, sizeof(octal_buf), "0%o", the_uint);
+  }
+  return octal_buf;
+}
+
+unsigned int
+vsf_sysutil_octal_to_uint(const char* p_str)
+{
+  /* NOTE - avoiding using sscanf() parser */
+  unsigned int result = 0;
+  int seen_non_zero_digit = 0;
+  while (*p_str != '\0')
+  {
+    int digit = *p_str;
+    if (!isdigit(digit) || digit > '7')
+    {
+      break;
+    }
+    if (digit != '0')
+    {
+      seen_non_zero_digit = 1;
+    }
+    if (seen_non_zero_digit)
+    {
+      result <<= 3;
+      result += (digit - '0');
+    }
+    p_str++;
+  }
+  return result;
+}
+
+int
+vsf_sysutil_toupper(int the_char)
+{
+  return toupper((unsigned char) the_char);
+}
+
+int
+vsf_sysutil_isspace(int the_char)
+{
+  return isspace((unsigned char) the_char);
+}
+
+int
+vsf_sysutil_isprint(int the_char)
+{
+  /* From Solar - we know better than some libc's! Don't let any potential
+   * control chars through
+   */
+  unsigned char uc = (unsigned char) the_char;
+  if (uc <= 31)
+  {
+    return 0;
+  }
+  if (uc == 177)
+  {
+    return 0;
+  }
+  if (uc >= 128 && uc <= 159)
+  {
+    return 0;
+  }
+  return isprint(the_char);
+}
+
+int
+vsf_sysutil_isalnum(int the_char)
+{
+  return isalnum((unsigned char) the_char);
+}
+
+int
+vsf_sysutil_isdigit(int the_char)
+{
+  return isdigit((unsigned char) the_char);
+}
+
+char*
+vsf_sysutil_getcwd(char* p_dest, const unsigned int buf_size)
+{
+  char* p_retval;
+  if (buf_size == 0) {
+    return p_dest;
+  }
+  p_retval = getcwd(p_dest, buf_size);
+  p_dest[buf_size - 1] = '\0';
+  return p_retval;
+}
+
+int
+vsf_sysutil_mkdir(const char* p_dirname, const unsigned int mode)
+{
+  return mkdir(p_dirname, mode);
+}
+
+int
+vsf_sysutil_rmdir(const char* p_dirname)
+{
+  return rmdir(p_dirname);
+}
+
+int
+vsf_sysutil_chdir(const char* p_dirname)
+{
+  return chdir(p_dirname);
+}
+
+int
+vsf_sysutil_rename(const char* p_from, const char* p_to)
+{
+  return rename(p_from, p_to);
+}
+
+struct vsf_sysutil_dir*
+vsf_sysutil_opendir(const char* p_dirname)
+{
+  return (struct vsf_sysutil_dir*) opendir(p_dirname);
+}
+
+void
+vsf_sysutil_closedir(struct vsf_sysutil_dir* p_dir)
+{
+  DIR* p_real_dir = (DIR*) p_dir;
+  int retval = closedir(p_real_dir);
+  if (retval != 0)
+  {
+    die("closedir");
+  }
+}
+
+const char*
+vsf_sysutil_next_dirent(struct vsf_sysutil_dir* p_dir)
+{
+  DIR* p_real_dir = (DIR*) p_dir;
+  struct dirent* p_dirent = readdir(p_real_dir);
+  if (p_dirent == NULL)
+  {
+    return NULL;
+  }
+  return p_dirent->d_name;
+}
+
+unsigned int
+vsf_sysutil_strlen(const char* p_text)
+{
+  size_t ret = strlen(p_text);
+  /* A defense in depth measure. */
+  if (ret > INT_MAX / 8)
+  {
+    die("string suspiciously long");
+  }
+  return (unsigned int) ret;
+}
+
+char*
+vsf_sysutil_strdup(const char* p_str)
+{
+  return strdup(p_str);
+}
+
+void
+vsf_sysutil_memclr(void* p_dest, unsigned int size)
+{
+  /* Safety */
+  if (size == 0)
+  {
+    return;
+  }
+  memset(p_dest, '\0', size);
+}
+
+void
+vsf_sysutil_memcpy(void* p_dest, const void* p_src, const unsigned int size)
+{
+  /* Safety */
+  if (size == 0)
+  {
+    return;
+  }
+  /* Defense in depth */
+  if (size > INT_MAX)
+  {
+    die("possible negative value to memcpy?");
+  }
+  memcpy(p_dest, p_src, size);
+}
+
+void
+vsf_sysutil_strcpy(char* p_dest, const char* p_src, unsigned int maxsize)
+{
+  if (maxsize == 0)
+  {
+    return;
+  }
+  strncpy(p_dest, p_src, maxsize);
+  p_dest[maxsize - 1] = '\0';
+}
+
+int
+vsf_sysutil_memcmp(const void* p_src1, const void* p_src2, unsigned int size)
+{
+  /* Safety */
+  if (size == 0)
+  {
+    return 0;
+  }
+  return memcmp(p_src1, p_src2, size);
+}
+
+int
+vsf_sysutil_strcmp(const char* p_src1, const char* p_src2)
+{
+  return strcmp(p_src1, p_src2);
+}
+
+unsigned int
+vsf_sysutil_getpagesize(void)
+{
+  static unsigned int s_page_size;
+  if (s_page_size == 0)
+  {
+    s_page_size = getpagesize();
+    if (s_page_size == 0)
+    {
+      die("getpagesize");
+    }
+  }
+  return s_page_size;
+}
+
+static int
+vsf_sysutil_translate_memprot(const enum EVSFSysUtilMapPermission perm)
+{
+  int retval = 0;
+  switch (perm)
+  {
+    case kVSFSysUtilMapProtReadOnly:
+      retval = PROT_READ;
+      break;
+    case kVSFSysUtilMapProtNone:
+      retval = PROT_NONE;
+      break;
+    default:
+      bug("bad value in sysutil_translate_memprot");
+      break;
+  }
+  return retval;
+}
+
+void
+vsf_sysutil_memprotect(void* p_addr, unsigned int len,
+                       const enum EVSFSysUtilMapPermission perm)
+{
+  int prot = vsf_sysutil_translate_memprot(perm);
+  int retval = mprotect(p_addr, len, prot);
+  if (retval != 0)
+  {
+    die("mprotect");
+  }
+}
+
+void
+vsf_sysutil_memunmap(void* p_start, unsigned int length)
+{
+  int retval = munmap(p_start, length);
+  if (retval != 0)
+  {
+    die("munmap");
+  }
+}
+
+static int
+vsf_sysutil_translate_openmode(const enum EVSFSysUtilOpenMode mode)
+{
+  int retval = 0;
+  switch (mode)
+  {
+    case kVSFSysUtilOpenReadOnly:
+      retval = O_RDONLY;
+      break;
+    case kVSFSysUtilOpenWriteOnly:
+      retval = O_WRONLY;
+      break;
+    case kVSFSysUtilOpenReadWrite:
+      retval = O_RDWR;
+      break;
+    default:
+      bug("bad mode in sysutil_translate_openmode");
+      break;
+  }
+  return retval;
+}
+
+int
+vsf_sysutil_open_file(const char* p_filename,
+                      const enum EVSFSysUtilOpenMode mode)
+{
+  return open(p_filename, vsf_sysutil_translate_openmode(mode) | O_NONBLOCK);
+}
+
+int
+vsf_sysutil_create_file_exclusive(const char* p_filename)
+{
+  /* umask() also contributes to end mode */
+  return open(p_filename, O_CREAT | O_EXCL | O_WRONLY | O_APPEND,
+              tunable_file_open_mode);
+}
+
+int
+vsf_sysutil_create_or_open_file(const char* p_filename, unsigned int mode)
+{
+  return open(p_filename, O_CREAT | O_WRONLY | O_NONBLOCK, mode);
+}
+
+int
+vsf_sysutil_create_or_open_file_append(const char* p_filename,
+                                       unsigned int mode)
+{
+  return open(p_filename, O_CREAT | O_WRONLY | O_NONBLOCK | O_APPEND, mode);
+}
+
+void
+vsf_sysutil_dupfd2(int old_fd, int new_fd)
+{
+  int retval;
+  if (old_fd == new_fd)
+  {
+    return;
+  }
+  retval = dup2(old_fd, new_fd);
+  if (retval != new_fd)
+  {
+    die("dup2");
+  }
+}
+
+void
+vsf_sysutil_close(int fd)
+{
+  while (1)
+  {
+    int retval = close(fd);
+    if (retval != 0)
+    {
+      if (errno == EINTR)
+      {
+        vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
+        continue;
+      }
+      die("close");
+    }
+    return;
+  }
+}
+
+int
+vsf_sysutil_close_failok(int fd)
+{
+  return close(fd);
+}
+
+int
+vsf_sysutil_unlink(const char* p_dead)
+{
+  return unlink(p_dead);
+}
+
+int
+vsf_sysutil_write_access(const char* p_filename)
+{
+  int retval = access(p_filename, W_OK);
+  return (retval == 0);
+}
+
+static void
+vsf_sysutil_alloc_statbuf(struct vsf_sysutil_statbuf** p_ptr)
+{
+  if (*p_ptr == NULL)
+  {
+    *p_ptr = vsf_sysutil_malloc(sizeof(struct stat));
+  }
+}
+
+void
+vsf_sysutil_fstat(int fd, struct vsf_sysutil_statbuf** p_ptr)
+{
+  int retval;
+  vsf_sysutil_alloc_statbuf(p_ptr);
+  retval = fstat(fd, (struct stat*) (*p_ptr));
+  if (retval != 0)
+  {
+    die("fstat");
+  }
+}
+
+int
+vsf_sysutil_stat(const char* p_name, struct vsf_sysutil_statbuf** p_ptr)
+{
+  vsf_sysutil_alloc_statbuf(p_ptr);
+  return stat(p_name, (struct stat*) (*p_ptr));
+}
+
+int
+vsf_sysutil_lstat(const char* p_name, struct vsf_sysutil_statbuf** p_ptr)
+{
+  vsf_sysutil_alloc_statbuf(p_ptr);
+  return lstat(p_name, (struct stat*) (*p_ptr));
+}
+
+void
+vsf_sysutil_dir_stat(const struct vsf_sysutil_dir* p_dir,
+                     struct vsf_sysutil_statbuf** p_ptr)
+{
+  int fd = dirfd((DIR*) p_dir);
+  vsf_sysutil_fstat(fd, p_ptr);
+}
+
+int
+vsf_sysutil_statbuf_is_regfile(const struct vsf_sysutil_statbuf* p_stat)
+{
+  const struct stat* p_realstat = (const struct stat*) p_stat;
+  return S_ISREG(p_realstat->st_mode);
+}
+
+int
+vsf_sysutil_statbuf_is_symlink(const struct vsf_sysutil_statbuf* p_stat)
+{
+  const struct stat* p_realstat = (const struct stat*) p_stat;
+  return S_ISLNK(p_realstat->st_mode);
+}
+
+int
+vsf_sysutil_statbuf_is_socket(const struct vsf_sysutil_statbuf* p_stat)
+{
+  const struct stat* p_realstat = (const struct stat*) p_stat;
+  return S_ISSOCK(p_realstat->st_mode);
+}
+
+int
+vsf_sysutil_statbuf_is_dir(const struct vsf_sysutil_statbuf* p_stat)
+{
+  const struct stat* p_realstat = (const struct stat*) p_stat;
+  return S_ISDIR(p_realstat->st_mode);
+}
+
+const char*
+vsf_sysutil_statbuf_get_perms(const struct vsf_sysutil_statbuf* p_statbuf)
+{
+  static char perms[11];
+  int i;
+  const struct stat* p_stat = (const struct stat*) p_statbuf;
+  for (i=0; i<10; i++)
+  {
+    perms[i] = '-';
+  }
+  perms[0] = '?';
+  switch (p_stat->st_mode & S_IFMT)
+  {
+    case S_IFREG: perms[0] = '-'; break;
+    case S_IFDIR: perms[0] = 'd'; break;
+    case S_IFLNK: perms[0] = 'l'; break;
+    case S_IFIFO: perms[0] = 'p'; break;
+    case S_IFSOCK: perms[0] = 's'; break;
+    case S_IFCHR: perms[0] = 'c'; break;
+    case S_IFBLK: perms[0] = 'b'; break;
+    default: break;
+  }
+  if (p_stat->st_mode & S_IRUSR) perms[1] = 'r';
+  if (p_stat->st_mode & S_IWUSR) perms[2] = 'w';
+  if (p_stat->st_mode & S_IXUSR) perms[3] = 'x';
+  if (p_stat->st_mode & S_IRGRP) perms[4] = 'r';
+  if (p_stat->st_mode & S_IWGRP) perms[5] = 'w';
+  if (p_stat->st_mode & S_IXGRP) perms[6] = 'x';
+  if (p_stat->st_mode & S_IROTH) perms[7] = 'r';
+  if (p_stat->st_mode & S_IWOTH) perms[8] = 'w';
+  if (p_stat->st_mode & S_IXOTH) perms[9] = 'x';
+  if (p_stat->st_mode & S_ISUID) perms[3] = (perms[3] == 'x') ? 's' : 'S';
+  if (p_stat->st_mode & S_ISGID) perms[6] = (perms[6] == 'x') ? 's' : 'S';
+  if (p_stat->st_mode & S_ISVTX) perms[9] = (perms[9] == 'x') ? 't' : 'T';
+  perms[10] = '\0';
+  return perms;
+}
+
+const char*
+vsf_sysutil_statbuf_get_date(const struct vsf_sysutil_statbuf* p_statbuf,
+                             int use_localtime, long curr_time)
+{
+  static char datebuf[64];
+  int retval;
+  struct tm* p_tm;
+  const struct stat* p_stat = (const struct stat*) p_statbuf;
+  const char* p_date_format = "%b %d %H:%M";
+  if (!use_localtime)
+  {
+    p_tm = gmtime(&p_stat->st_mtime);
+  }
+  else
+  {
+    p_tm = localtime(&p_stat->st_mtime);
+  }
+  /* Is this a future or 6 months old date? If so, we drop to year format */
+  if (p_stat->st_mtime > curr_time ||
+      (curr_time - p_stat->st_mtime) > 60*60*24*182)
+  {
+    p_date_format = "%b %d  %Y";
+  }
+  retval = strftime(datebuf, sizeof(datebuf), p_date_format, p_tm);
+  datebuf[sizeof(datebuf)-1] = '\0';
+  if (retval == 0)
+  {
+    die("strftime");
+  }
+  return datebuf;
+}
+
+const char*
+vsf_sysutil_statbuf_get_numeric_date(
+  const struct vsf_sysutil_statbuf* p_statbuf,
+  int use_localtime)
+{
+  static char datebuf[15];
+  const struct stat* p_stat = (const struct stat*) p_statbuf;
+  struct tm* p_tm;
+  int retval;
+  if (!use_localtime)
+  {
+    p_tm = gmtime(&p_stat->st_mtime);
+  }
+  else
+  {
+    p_tm = localtime(&p_stat->st_mtime);
+  }
+  retval = strftime(datebuf, sizeof(datebuf), "%Y%m%d%H%M%S", p_tm);
+  if (retval == 0)
+  {
+    die("strftime");
+  }
+  return datebuf;
+}
+
+filesize_t
+vsf_sysutil_statbuf_get_size(const struct vsf_sysutil_statbuf* p_statbuf)
+{
+  const struct stat* p_stat = (const struct stat*) p_statbuf;
+  if (p_stat->st_size < 0)
+  {
+    die("invalid inode size in vsf_sysutil_statbuf_get_size");
+  }
+  return p_stat->st_size;
+}
+
+int
+vsf_sysutil_statbuf_get_uid(const struct vsf_sysutil_statbuf* p_statbuf)
+{
+  const struct stat* p_stat = (const struct stat*) p_statbuf;
+  return p_stat->st_uid;
+}
+
+int
+vsf_sysutil_statbuf_get_gid(const struct vsf_sysutil_statbuf* p_statbuf)
+{
+  const struct stat* p_stat = (const struct stat*) p_statbuf;
+  return p_stat->st_gid;
+}
+
+unsigned int
+vsf_sysutil_statbuf_get_links(const struct vsf_sysutil_statbuf* p_statbuf)
+{
+  const struct stat* p_stat = (const struct stat*) p_statbuf;
+  return p_stat->st_nlink;
+}
+
+int
+vsf_sysutil_statbuf_is_readable_other(
+  const struct vsf_sysutil_statbuf* p_statbuf)
+{
+  const struct stat* p_stat = (const struct stat*) p_statbuf;
+  if (p_stat->st_mode & S_IROTH)
+  {
+    return 1;
+  }
+  return 0;
+}
+
+const char*
+vsf_sysutil_statbuf_get_sortkey_mtime(
+  const struct vsf_sysutil_statbuf* p_statbuf)
+{
+  static char intbuf[32];
+  const struct stat* p_stat = (const struct stat*) p_statbuf;
+  /* This slight hack function must return a character date format such that
+   * more recent dates appear later in the alphabet! Most notably, we must
+   * make sure we pad to the same length with 0's 
+   */
+  snprintf(intbuf, sizeof(intbuf), "%030ld", (long) p_stat->st_mtime);
+  return intbuf;
+}
+
+void
+vsf_sysutil_fchown(const int fd, const int uid, const int gid)
+{
+  if (fchown(fd, uid, gid) != 0)
+  {
+    die("fchown");
+  }
+}
+
+void
+vsf_sysutil_fchmod(const int fd, unsigned int mode)
+{
+  mode = mode & 0777;
+  if (fchmod(fd, mode))
+  {
+    die("fchmod");
+  }
+}
+
+int
+vsf_sysutil_chmod(const char* p_filename, unsigned int mode)
+{
+  /* Safety: mask "mode" to just access permissions, e.g. no suid setting! */
+  mode = mode & 0777;
+  return chmod(p_filename, mode);
+}
+
+int
+vsf_sysutil_lock_file_write(int fd)
+{
+  return lock_internal(fd, F_WRLCK);
+}
+
+int
+vsf_sysutil_lock_file_read(int fd)
+{
+  return lock_internal(fd, F_RDLCK);
+}
+
+static int
+lock_internal(int fd, int lock_type)
+{
+  struct flock the_lock;
+  int retval;
+  int saved_errno;
+  vsf_sysutil_memclr(&the_lock, sizeof(the_lock));
+  the_lock.l_type = lock_type;
+  the_lock.l_whence = SEEK_SET;
+  the_lock.l_start = 0;
+  the_lock.l_len = 0;
+  do
+  {
+    retval = fcntl(fd, F_SETLKW, &the_lock);
+    saved_errno = errno;
+    vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
+  }
+  while (retval < 0 && saved_errno == EINTR);
+  return retval;
+}
+
+void
+vsf_sysutil_unlock_file(int fd)
+{
+  int retval;
+  struct flock the_lock;
+  vsf_sysutil_memclr(&the_lock, sizeof(the_lock));
+  the_lock.l_type = F_UNLCK;
+  the_lock.l_whence = SEEK_SET;
+  the_lock.l_start = 0;
+  the_lock.l_len = 0;
+  retval = fcntl(fd, F_SETLK, &the_lock);
+  if (retval != 0)
+  {
+    die("fcntl");
+  }
+}
+
+int
+vsf_sysutil_readlink(const char* p_filename, char* p_dest, unsigned int bufsiz)
+{
+  int retval;
+  if (bufsiz == 0) {
+    return -1;
+  }
+  retval = readlink(p_filename, p_dest, bufsiz - 1);
+  if (retval < 0)
+  {
+    return retval;
+  }
+  /* Ensure buffer is NULL terminated; readlink(2) doesn't do that */
+  p_dest[retval] = '\0';
+  return retval;
+}
+
+int
+vsf_sysutil_retval_is_error(int retval)
+{
+  if (retval < 0)
+  {
+    return 1;
+  }
+  return 0;
+}
+
+enum EVSFSysUtilError
+vsf_sysutil_get_error(void)
+{
+  enum EVSFSysUtilError retval = kVSFSysUtilErrUnknown;
+  switch (errno)
+  {
+    case EADDRINUSE:
+      retval = kVSFSysUtilErrADDRINUSE;
+      break;
+    case ENOSYS:
+      retval = kVSFSysUtilErrNOSYS;
+      break;
+    case EINTR:
+      retval = kVSFSysUtilErrINTR;
+      break;
+    case EINVAL:
+      retval = kVSFSysUtilErrINVAL;
+      break;
+    case EOPNOTSUPP:
+      retval = kVSFSysUtilErrOPNOTSUPP;
+      break;
+    case EACCES:
+      retval = kVSFSysUtilErrACCES;
+      break;
+    case ENOENT:
+      retval = kVSFSysUtilErrNOENT;
+      break;
+    default:
+      break;
+  }
+  return retval;
+}
+
+int
+vsf_sysutil_get_ipv4_sock(void)
+{
+  int retval = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+  if (retval < 0)
+  {
+    die("socket");
+  }
+  return retval;
+}
+
+int
+vsf_sysutil_get_ipv6_sock(void)
+{
+  int retval = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP);
+  if (retval < 0)
+  {
+    die("socket");
+  }
+  return retval;
+}
+
+struct vsf_sysutil_socketpair_retval
+vsf_sysutil_unix_stream_socketpair(void)
+{
+  struct vsf_sysutil_socketpair_retval retval;
+  int the_sockets[2];
+  int sys_retval = socketpair(PF_UNIX, SOCK_STREAM, 0, the_sockets);
+  if (sys_retval != 0)
+  {
+    die("socketpair");
+  }
+  retval.socket_one = the_sockets[0];
+  retval.socket_two = the_sockets[1];
+  return retval;
+}
+
+int
+vsf_sysutil_bind(int fd, const struct vsf_sysutil_sockaddr* p_sockptr)
+{
+  const struct sockaddr* p_sockaddr = &p_sockptr->u.u_sockaddr;
+  int len = 0;
+  if (p_sockaddr->sa_family == AF_INET)
+  {
+    len = sizeof(struct sockaddr_in);
+  }
+  else if (p_sockaddr->sa_family == AF_INET6)
+  {
+    len = sizeof(struct sockaddr_in6);
+  }
+  else
+  {
+    die("can only support ipv4 and ipv6 currently");
+  }
+  return bind(fd, p_sockaddr, len);
+}
+
+int
+vsf_sysutil_listen(int fd, const unsigned int backlog)
+{
+  int retval = listen(fd, backlog);
+  if (vsf_sysutil_retval_is_error(retval) &&
+      vsf_sysutil_get_error() != kVSFSysUtilErrADDRINUSE)
+  {
+    die("listen");
+  }
+  return retval;
+}
+
+/* Warning: callers of this function assume it does NOT make use of any
+ * non re-entrant calls such as malloc().
+ */
+int
+vsf_sysutil_accept_timeout(int fd, struct vsf_sysutil_sockaddr* p_sockaddr,
+                           unsigned int wait_seconds)
+{
+  struct vsf_sysutil_sockaddr remote_addr;
+  int retval;
+  int saved_errno;
+  fd_set accept_fdset;
+  struct timeval timeout;
+  socklen_t socklen = sizeof(remote_addr);
+  if (p_sockaddr)
+  {
+    vsf_sysutil_memclr(p_sockaddr, sizeof(*p_sockaddr));
+  }
+  if (wait_seconds > 0)
+  {
+    FD_ZERO(&accept_fdset);
+    FD_SET(fd, &accept_fdset);
+    timeout.tv_sec = wait_seconds;
+    timeout.tv_usec = 0;
+    do
+    {
+      retval = select(fd + 1, &accept_fdset, NULL, NULL, &timeout);
+      saved_errno = errno;
+      vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
+    }
+    while (retval < 0 && saved_errno == EINTR);
+    if (retval <= 0)
+    {
+      if (retval == 0)
+      {
+        errno = EAGAIN;
+      }
+      return -1;
+    }
+  }
+  retval = accept(fd, &remote_addr.u.u_sockaddr, &socklen);
+  vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
+  if (retval < 0)
+  {
+    return retval;
+  }
+  /* FreeBSD bug / paranoia: ai32@drexel.edu */
+  if (socklen == 0)
+  {
+    return -1;
+  }
+  if (remote_addr.u.u_sockaddr.sa_family != AF_INET &&
+      remote_addr.u.u_sockaddr.sa_family != AF_INET6)
+  {
+    die("can only support ipv4 and ipv6 currently");
+  }
+  if (p_sockaddr)
+  {
+    if (remote_addr.u.u_sockaddr.sa_family == AF_INET)
+    {
+      vsf_sysutil_memclr(&remote_addr.u.u_sockaddr_in.sin_zero,
+                         sizeof(remote_addr.u.u_sockaddr_in.sin_zero));
+      vsf_sysutil_memcpy(p_sockaddr, &remote_addr.u.u_sockaddr_in,
+                         sizeof(remote_addr.u.u_sockaddr_in));
+    }
+    else
+    {
+      vsf_sysutil_memcpy(p_sockaddr, &remote_addr.u.u_sockaddr_in6,
+                         sizeof(remote_addr.u.u_sockaddr_in6));
+    }
+  }
+  return retval;
+}
+
+int
+vsf_sysutil_connect_timeout(int fd, const struct vsf_sysutil_sockaddr* p_addr,
+                            unsigned int wait_seconds)
+{
+  const struct sockaddr* p_sockaddr = &p_addr->u.u_sockaddr;
+  unsigned int addrlen = 0;
+  int retval;
+  int saved_errno;
+  if (p_sockaddr->sa_family == AF_INET)
+  {
+    addrlen = sizeof(p_addr->u.u_sockaddr_in);
+  }
+  else if (p_sockaddr->sa_family == AF_INET6)
+  {
+    addrlen = sizeof(p_addr->u.u_sockaddr_in6);
+  }
+  else
+  {
+    die("can only support ipv4 and ipv6 currently");
+  }
+  if (wait_seconds > 0)
+  {
+    vsf_sysutil_activate_noblock(fd);
+  }
+  retval = connect(fd, p_sockaddr, addrlen);
+  if (retval < 0 && errno == EINPROGRESS)
+  {
+    fd_set connect_fdset;
+    struct timeval timeout;
+    FD_ZERO(&connect_fdset);
+    FD_SET(fd, &connect_fdset);
+    timeout.tv_sec = wait_seconds;
+    timeout.tv_usec = 0;
+    do
+    {
+      retval = select(fd + 1, NULL, &connect_fdset, NULL, &timeout);
+      saved_errno = errno;
+      vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
+    }
+    while (retval < 0 && saved_errno == EINTR);
+    if (retval <= 0)
+    {
+      if (retval == 0)
+      {
+        errno = EAGAIN;
+      }
+      retval = -1;
+    }
+    else
+    {
+      socklen_t socklen = sizeof(retval);
+      int sockoptret = getsockopt(fd, SOL_SOCKET, SO_ERROR, &retval, &socklen);
+      if (sockoptret != 0)
+      {
+        die("getsockopt");
+      }
+      if (retval != 0)
+      {
+        errno = retval;
+        retval = -1;
+      }
+    }
+  }
+  if (wait_seconds > 0)
+  {
+    vsf_sysutil_deactivate_noblock(fd);
+  }
+  return retval;
+}
+
+void
+vsf_sysutil_getsockname(int fd, struct vsf_sysutil_sockaddr** p_sockptr)
+{
+  struct vsf_sysutil_sockaddr the_addr;
+  int retval;
+  socklen_t socklen = sizeof(the_addr);
+  vsf_sysutil_sockaddr_clear(p_sockptr);
+  retval = getsockname(fd, &the_addr.u.u_sockaddr, &socklen);
+  if (retval != 0)
+  {
+    die("getsockname");
+  }
+  if (the_addr.u.u_sockaddr.sa_family != AF_INET &&
+      the_addr.u.u_sockaddr.sa_family != AF_INET6)
+  {
+    die("can only support ipv4 and ipv6 currently");
+  }
+  vsf_sysutil_sockaddr_alloc(p_sockptr);
+  if (socklen > sizeof(the_addr))
+  {
+    socklen = sizeof(the_addr);
+  }
+  vsf_sysutil_memcpy(*p_sockptr, &the_addr, socklen);
+}
+
+void
+vsf_sysutil_getpeername(int fd, struct vsf_sysutil_sockaddr** p_sockptr)
+{
+  struct vsf_sysutil_sockaddr the_addr;
+  int retval;
+  socklen_t socklen = sizeof(the_addr);
+  vsf_sysutil_sockaddr_clear(p_sockptr);
+  retval = getpeername(fd, &the_addr.u.u_sockaddr, &socklen);
+  if (retval != 0)
+  {
+    die("getpeername");
+  }
+  if (the_addr.u.u_sockaddr.sa_family != AF_INET &&
+      the_addr.u.u_sockaddr.sa_family != AF_INET6)
+  {
+    die("can only support ipv4 and ipv6 currently");
+  }
+  vsf_sysutil_sockaddr_alloc(p_sockptr);
+  if (socklen > sizeof(the_addr))
+  {
+    socklen = sizeof(the_addr);
+  }
+  vsf_sysutil_memcpy(*p_sockptr, &the_addr, socklen);
+}
+
+void
+vsf_sysutil_shutdown_failok(int fd)
+{
+  /* SHUT_RDWR is a relatively new addition */
+  #ifndef SHUT_RDWR
+  #define SHUT_RDWR 2
+  #endif
+  (void) shutdown(fd, SHUT_RDWR);
+}
+
+void
+vsf_sysutil_shutdown_read_failok(int fd)
+{
+  /* SHUT_RD is a relatively new addition */
+  #ifndef SHUT_RD
+  #define SHUT_RD 0
+  #endif
+  (void) shutdown(fd, SHUT_RD);
+}
+
+void
+vsf_sysutil_sockaddr_clear(struct vsf_sysutil_sockaddr** p_sockptr)
+{
+  if (*p_sockptr != NULL)
+  {
+    vsf_sysutil_free(*p_sockptr);
+    *p_sockptr = NULL;
+  }
+}
+
+void
+vsf_sysutil_sockaddr_alloc(struct vsf_sysutil_sockaddr** p_sockptr)
+{
+  vsf_sysutil_sockaddr_clear(p_sockptr);
+  *p_sockptr = vsf_sysutil_malloc(sizeof(**p_sockptr));
+  vsf_sysutil_memclr(*p_sockptr, sizeof(**p_sockptr));
+}
+
+void
+vsf_sysutil_sockaddr_alloc_ipv4(struct vsf_sysutil_sockaddr** p_sockptr)
+{
+  vsf_sysutil_sockaddr_alloc(p_sockptr);
+  (*p_sockptr)->u.u_sockaddr.sa_family = AF_INET;
+}
+
+void
+vsf_sysutil_sockaddr_alloc_ipv6(struct vsf_sysutil_sockaddr** p_sockptr)
+{
+  vsf_sysutil_sockaddr_alloc(p_sockptr);
+  (*p_sockptr)->u.u_sockaddr.sa_family = AF_INET6;
+}
+
+void
+vsf_sysutil_sockaddr_clone(struct vsf_sysutil_sockaddr** p_sockptr,
+                           const struct vsf_sysutil_sockaddr* p_src)
+{
+  struct vsf_sysutil_sockaddr* p_sockaddr = 0;
+  vsf_sysutil_sockaddr_alloc(p_sockptr);
+  p_sockaddr = *p_sockptr;
+  if (p_src->u.u_sockaddr.sa_family == AF_INET)
+  {
+    p_sockaddr->u.u_sockaddr.sa_family = AF_INET;
+    vsf_sysutil_memcpy(&p_sockaddr->u.u_sockaddr_in.sin_addr,
+                       &p_src->u.u_sockaddr_in.sin_addr,
+                       sizeof(p_sockaddr->u.u_sockaddr_in.sin_addr));
+  }
+  else if (p_src->u.u_sockaddr.sa_family == AF_INET6)
+  {
+    p_sockaddr->u.u_sockaddr.sa_family = AF_INET6;
+    vsf_sysutil_memcpy(&p_sockaddr->u.u_sockaddr_in6.sin6_addr,
+                       &p_src->u.u_sockaddr_in6.sin6_addr,
+                       sizeof(p_sockaddr->u.u_sockaddr_in6.sin6_addr));
+    p_sockaddr->u.u_sockaddr_in6.sin6_scope_id =
+        p_src->u.u_sockaddr_in6.sin6_scope_id;
+  }
+  else
+  {
+    die("can only support ipv4 and ipv6 currently");
+  }
+}
+
+int
+vsf_sysutil_sockaddr_addr_equal(const struct vsf_sysutil_sockaddr* p1,
+                                const struct vsf_sysutil_sockaddr* p2)
+{
+  int family1 = p1->u.u_sockaddr.sa_family;
+  int family2 = p2->u.u_sockaddr.sa_family;
+  if (family1 != family2)
+  {
+    if (family1 == AF_INET && family2 == AF_INET6)
+    {
+      const void* p_ipv4_addr = vsf_sysutil_sockaddr_ipv6_v4(p2);
+      if (p_ipv4_addr &&
+          !vsf_sysutil_memcmp(p_ipv4_addr, &p1->u.u_sockaddr_in.sin_addr,
+                              sizeof(p1->u.u_sockaddr_in.sin_addr)))
+      {
+        return 1;
+      }
+    }
+    else if (family1 == AF_INET6 && family2 == AF_INET)
+    {
+      const void* p_ipv4_addr = vsf_sysutil_sockaddr_ipv6_v4(p1);
+      if (p_ipv4_addr &&
+          !vsf_sysutil_memcmp(p_ipv4_addr, &p2->u.u_sockaddr_in.sin_addr,
+                              sizeof(p2->u.u_sockaddr_in.sin_addr)))
+      {
+        return 1;
+      }
+    }
+    return 0;
+  }
+  if (family1 == AF_INET)
+  {
+    if (vsf_sysutil_memcmp(&p1->u.u_sockaddr_in.sin_addr,
+                           &p2->u.u_sockaddr_in.sin_addr,
+                           sizeof(p1->u.u_sockaddr_in.sin_addr)) == 0)
+    {
+      return 1;
+    }
+  }
+  else if (family1 == AF_INET6)
+  {
+    if (vsf_sysutil_memcmp(&p1->u.u_sockaddr_in6.sin6_addr,
+                           &p2->u.u_sockaddr_in6.sin6_addr,
+                           sizeof(p1->u.u_sockaddr_in6.sin6_addr)) == 0)
+    {
+      return 1;
+    }
+  }
+  return 0;
+}
+
+int
+vsf_sysutil_sockaddr_is_ipv6(const struct vsf_sysutil_sockaddr* p_sockaddr)
+{
+  if (p_sockaddr->u.u_sockaddr.sa_family == AF_INET6)
+  {
+    return 1;
+  }
+  return 0;
+}
+
+void
+vsf_sysutil_sockaddr_set_ipv4addr(struct vsf_sysutil_sockaddr* p_sockptr,
+                                  const unsigned char* p_raw)
+{
+  if (p_sockptr->u.u_sockaddr.sa_family == AF_INET)
+  {
+    vsf_sysutil_memcpy(&p_sockptr->u.u_sockaddr_in.sin_addr, p_raw,
+                       sizeof(p_sockptr->u.u_sockaddr_in.sin_addr));
+  }
+  else if (p_sockptr->u.u_sockaddr.sa_family == AF_INET6)
+  {
+    static struct vsf_sysutil_sockaddr* s_p_sockaddr;
+    vsf_sysutil_sockaddr_alloc_ipv4(&s_p_sockaddr);
+    vsf_sysutil_memcpy(&s_p_sockaddr->u.u_sockaddr_in.sin_addr, p_raw,
+                       sizeof(s_p_sockaddr->u.u_sockaddr_in.sin_addr));
+    vsf_sysutil_memcpy(&p_sockptr->u.u_sockaddr_in6.sin6_addr,
+                       vsf_sysutil_sockaddr_ipv4_v6(s_p_sockaddr),
+                       sizeof(p_sockptr->u.u_sockaddr_in6.sin6_addr));
+  }
+  else
+  {
+    bug("bad family");
+  }
+}
+
+void
+vsf_sysutil_sockaddr_set_ipv6addr(struct vsf_sysutil_sockaddr* p_sockptr,
+                                  const unsigned char* p_raw)
+{
+  if (p_sockptr->u.u_sockaddr.sa_family == AF_INET6)
+  {
+    vsf_sysutil_memcpy(&p_sockptr->u.u_sockaddr_in6.sin6_addr, p_raw,
+                       sizeof(p_sockptr->u.u_sockaddr_in6.sin6_addr));
+  }
+  else
+  {
+    bug("bad family");
+  }
+}
+
+const void*
+vsf_sysutil_sockaddr_ipv6_v4(const struct vsf_sysutil_sockaddr* p_addr)
+{
+  static unsigned char pattern[12] =
+      { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF };
+  const unsigned char* p_addr_start;
+  if (p_addr->u.u_sockaddr.sa_family != AF_INET6)
+  {
+    return 0;
+  }
+  if (vsf_sysutil_memcmp(pattern, &p_addr->u.u_sockaddr_in6.sin6_addr, 12))
+  {
+    return 0;
+  }
+  p_addr_start = (const unsigned char*)&p_addr->u.u_sockaddr_in6.sin6_addr;
+  return &p_addr_start[12];
+}
+
+const void*
+vsf_sysutil_sockaddr_ipv4_v6(const struct vsf_sysutil_sockaddr* p_addr)
+{
+  static unsigned char ret[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF };
+  if (p_addr->u.u_sockaddr.sa_family != AF_INET)
+  {
+    return 0;
+  }
+  vsf_sysutil_memcpy(&ret[12], &p_addr->u.u_sockaddr_in.sin_addr, 4);
+  return ret;
+}
+
+void*
+vsf_sysutil_sockaddr_get_raw_addr(struct vsf_sysutil_sockaddr* p_sockptr)
+{
+  if (p_sockptr->u.u_sockaddr.sa_family == AF_INET)
+  {
+    return &p_sockptr->u.u_sockaddr_in.sin_addr;
+  }
+  else if (p_sockptr->u.u_sockaddr.sa_family == AF_INET6)
+  {
+    return &p_sockptr->u.u_sockaddr_in6.sin6_addr;
+  }
+  else
+  {
+    bug("bad family");
+  }
+  return 0;
+}
+
+unsigned int
+vsf_sysutil_get_ipaddr_size(void)
+{
+  struct vsf_sysutil_sockaddr addr;
+  unsigned int size = sizeof(addr.u.u_sockaddr_in.sin_addr);
+  unsigned int size2 = sizeof(addr.u.u_sockaddr_in6.sin6_addr);
+  if (size2 > size)
+  {
+    size = size2;
+  }
+  return size;
+}
+
+int
+vsf_sysutil_get_ipsock(const struct vsf_sysutil_sockaddr* p_addr)
+{
+  if (p_addr->u.u_sockaddr.sa_family == AF_INET)
+  {
+    return vsf_sysutil_get_ipv4_sock();
+  }
+  else if (p_addr->u.u_sockaddr.sa_family == AF_INET6)
+  {
+    return vsf_sysutil_get_ipv6_sock();
+  }
+  else
+  {
+    bug("bad family");
+  }
+  return -1;
+}
+
+void
+vsf_sysutil_sockaddr_set_any(struct vsf_sysutil_sockaddr* p_sockaddr)
+{
+  if (p_sockaddr->u.u_sockaddr.sa_family == AF_INET)
+  {
+    vsf_sysutil_memclr(&p_sockaddr->u.u_sockaddr_in.sin_addr,
+                       sizeof(p_sockaddr->u.u_sockaddr_in.sin_addr));
+  }
+  else if (p_sockaddr->u.u_sockaddr.sa_family == AF_INET6)
+  {
+    vsf_sysutil_memclr(&p_sockaddr->u.u_sockaddr_in6.sin6_addr,
+                       sizeof(p_sockaddr->u.u_sockaddr_in6.sin6_addr));
+  }
+  else
+  {
+    bug("bad family");
+  }
+}
+
+unsigned short
+vsf_sysutil_sockaddr_get_port(const struct vsf_sysutil_sockaddr* p_sockptr)
+{
+  if (p_sockptr->u.u_sockaddr.sa_family == AF_INET)
+  {
+    return ntohs(p_sockptr->u.u_sockaddr_in.sin_port);
+  }
+  else if (p_sockptr->u.u_sockaddr.sa_family == AF_INET6)
+  {
+    return ntohs(p_sockptr->u.u_sockaddr_in6.sin6_port);
+  }
+  else
+  {
+    bug("bad family");
+  }
+  /* NOTREACHED */
+  return 0;
+}
+
+void
+vsf_sysutil_sockaddr_set_port(struct vsf_sysutil_sockaddr* p_sockptr,
+                              unsigned short the_port)
+{
+  if (p_sockptr->u.u_sockaddr.sa_family == AF_INET)
+  {
+    p_sockptr->u.u_sockaddr_in.sin_port = htons(the_port);
+  }
+  else if (p_sockptr->u.u_sockaddr.sa_family == AF_INET6)
+  {
+    p_sockptr->u.u_sockaddr_in6.sin6_port = htons(the_port);
+  }
+  else
+  {
+    bug("bad family");
+  }
+}
+
+int
+vsf_sysutil_is_port_reserved(unsigned short the_port)
+{
+  if (the_port < IPPORT_RESERVED)
+  {
+    return 1;
+  }
+  return 0;
+}
+
+const char*
+vsf_sysutil_inet_ntop(const struct vsf_sysutil_sockaddr* p_sockptr)
+{
+  const struct sockaddr* p_sockaddr = &p_sockptr->u.u_sockaddr;
+  if (p_sockaddr->sa_family == AF_INET)
+  {
+    return inet_ntoa(p_sockptr->u.u_sockaddr_in.sin_addr);
+  }
+  else if (p_sockaddr->sa_family == AF_INET6)
+  {
+    static char inaddr_buf[64];
+    const char* p_ret = inet_ntop(AF_INET6,
+                                  &p_sockptr->u.u_sockaddr_in6.sin6_addr,
+                                  inaddr_buf, sizeof(inaddr_buf));
+    inaddr_buf[sizeof(inaddr_buf) - 1] = '\0';
+    if (p_ret == NULL)
+    {
+      inaddr_buf[0] = '\0';
+    }
+    return inaddr_buf;
+  }
+  else
+  {
+    die("can only support ipv4 and ipv6 currently");
+    return 0;
+  }
+}
+
+const char*
+vsf_sysutil_inet_ntoa(const void* p_raw_addr)
+{
+  return inet_ntoa(*((struct in_addr*)p_raw_addr));
+}
+
+int
+vsf_sysutil_inet_aton(const char* p_text, struct vsf_sysutil_sockaddr* p_addr)
+{
+  struct in_addr sin_addr;
+  if (p_addr->u.u_sockaddr.sa_family != AF_INET)
+  {
+    bug("bad family");
+  }
+  if (inet_aton(p_text, &sin_addr))
+  {
+    vsf_sysutil_memcpy(&p_addr->u.u_sockaddr_in.sin_addr,
+                       &sin_addr, sizeof(p_addr->u.u_sockaddr_in.sin_addr));
+    return 1;
+  }
+  else
+  {
+    return 0;
+  }
+}
+
+void
+vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr,
+                        const char* p_name)
+{
+  struct hostent* hent = gethostbyname(p_name);
+  if (hent == NULL)
+  {
+    die2("cannot resolve host:", p_name);
+  }
+  vsf_sysutil_sockaddr_clear(p_sockptr);
+  if (hent->h_addrtype == AF_INET)
+  {
+    unsigned int len = hent->h_length;
+    if (len > sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr))
+    {
+      len = sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr);
+    }
+    vsf_sysutil_sockaddr_alloc_ipv4(p_sockptr);
+    vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in.sin_addr,
+                       hent->h_addr_list[0], len);
+  }
+  else if (hent->h_addrtype == AF_INET6)
+  {
+    unsigned int len = hent->h_length;
+    if (len > sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr))
+    {
+      len = sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr);
+    }
+    vsf_sysutil_sockaddr_alloc_ipv6(p_sockptr);
+    vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in6.sin6_addr,
+                       hent->h_addr_list[0], len);
+  }
+  else
+  {
+    die("gethostbyname(): neither IPv4 nor IPv6");
+  }
+}
+
+struct vsf_sysutil_user*
+vsf_sysutil_getpwuid(const int uid)
+{
+  if (uid < 0)
+  {
+    bug("negative uid in vsf_sysutil_getpwuid");
+  }
+  return (struct vsf_sysutil_user*) getpwuid((unsigned int) uid);
+}
+
+struct vsf_sysutil_user*
+vsf_sysutil_getpwnam(const char* p_user)
+{
+  return (struct vsf_sysutil_user*) getpwnam(p_user);
+}
+
+const char*
+vsf_sysutil_user_getname(const struct vsf_sysutil_user* p_user)
+{
+  const struct passwd* p_passwd = (const struct passwd*) p_user;
+  return p_passwd->pw_name;
+}
+
+const char*
+vsf_sysutil_user_get_homedir(const struct vsf_sysutil_user* p_user)
+{
+  const struct passwd* p_passwd = (const struct passwd*) p_user;
+  return p_passwd->pw_dir;
+}
+
+int
+vsf_sysutil_user_getuid(const struct vsf_sysutil_user* p_user)
+{
+  const struct passwd* p_passwd = (const struct passwd*) p_user;
+  return p_passwd->pw_uid;
+}
+
+int
+vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user)
+{ 
+  const struct passwd* p_passwd = (const struct passwd*) p_user;
+  return p_passwd->pw_gid;
+}
+
+struct vsf_sysutil_group*
+vsf_sysutil_getgrgid(const int gid)
+{
+  if (gid < 0)
+  {
+    die("negative gid in vsf_sysutil_getgrgid");
+  }
+  return (struct vsf_sysutil_group*) getgrgid((unsigned int) gid);
+}
+
+const char*
+vsf_sysutil_group_getname(const struct vsf_sysutil_group* p_group)
+{
+  const struct group* p_grp = (const struct group*) p_group;
+  return p_grp->gr_name;
+}
+
+unsigned char
+vsf_sysutil_get_random_byte(void)
+{
+  static int seeded;
+  unsigned int uint_res;
+  unsigned char c1, c2, c3, c4;
+  if (!seeded)
+  {
+    struct timeval tv;
+    int retval = gettimeofday(&tv, NULL);
+    if (retval != 0)
+    {
+      die("gettimeofday");
+    }
+    srand((unsigned)tv.tv_usec);
+    seeded = 1;
+  }
+  uint_res = rand();
+  c1 = uint_res & 0x000000ff;
+  c2 = (uint_res >> 8) & 0x000000ff;
+  c3 = (uint_res >> 16) & 0x000000ff;
+  c4 = (uint_res >> 24) & 0x000000ff;
+  return c1 ^ c2 ^ c3 ^ c4;    
+}
+
+int
+vsf_sysutil_running_as_root(void)
+{
+  return (getuid() == 0);
+}
+
+void
+vsf_sysutil_setuid(const struct vsf_sysutil_user* p_user)
+{
+  const struct passwd* p_passwd = (const struct passwd*) p_user;
+  vsf_sysutil_setuid_numeric(p_passwd->pw_uid);
+}
+
+void
+vsf_sysutil_setuid_numeric(int uid)
+{
+  int retval = setuid(uid);
+  if (retval != 0)
+  {
+    die("setuid");
+  }
+}
+
+void
+vsf_sysutil_setgid(const struct vsf_sysutil_user* p_user)
+{
+  const struct passwd* p_passwd = (const struct passwd*) p_user;
+  vsf_sysutil_setgid_numeric(p_passwd->pw_gid);
+}
+
+void
+vsf_sysutil_setgid_numeric(int gid)
+{
+  int retval = setgid(gid);
+  if (retval != 0)
+  {
+    die("setgid");
+  }
+}
+
+int
+vsf_sysutil_geteuid(void)
+{
+  int retval = geteuid();
+  if (retval < 0)
+  {
+    die("geteuid");
+  }
+  return retval;
+}
+
+int
+vsf_sysutil_getegid(void)
+{
+  int retval = getegid();
+  if (retval < 0)
+  {
+    die("getegid");
+  }
+  return retval;
+}
+
+void
+vsf_sysutil_seteuid(const struct vsf_sysutil_user* p_user)
+{
+  const struct passwd* p_passwd = (const struct passwd*) p_user;
+  vsf_sysutil_seteuid_numeric(p_passwd->pw_uid);
+}
+
+void
+vsf_sysutil_setegid(const struct vsf_sysutil_user* p_user)
+{
+  const struct passwd* p_passwd = (const struct passwd*) p_user;
+  vsf_sysutil_setegid_numeric(p_passwd->pw_gid);
+}
+
+void
+vsf_sysutil_seteuid_numeric(int uid)
+{
+  /* setreuid() would seem to be more portable than seteuid() */
+  int retval = setreuid(-1, uid);
+  if (retval != 0)
+  {
+    die("seteuid");
+  }
+}
+
+void
+vsf_sysutil_setegid_numeric(int gid)
+{
+  /* setregid() would seem to be more portable than setegid() */
+  int retval = setregid(-1, gid);
+  if (retval != 0)
+  {
+    die("setegid");
+  }
+}
+
+void
+vsf_sysutil_clear_supp_groups(void)
+{
+  int retval = setgroups(0, NULL);
+  if (retval != 0)
+  {
+    die("setgroups");
+  }
+}
+
+void
+vsf_sysutil_initgroups(const struct vsf_sysutil_user* p_user)
+{
+  const struct passwd* p_passwd = (const struct passwd*) p_user;
+  int retval = initgroups(p_passwd->pw_name, p_passwd->pw_gid);
+  if (retval != 0)
+  {
+    die("initgroups");
+  }
+}
+
+void
+vsf_sysutil_chroot(const char* p_root_path)
+{
+  int retval = chroot(p_root_path);
+  if (retval != 0)
+  {
+    die("chroot");
+  }
+}
+
+unsigned int
+vsf_sysutil_get_umask(void)
+{
+  return s_current_umask;
+}
+
+void
+vsf_sysutil_set_umask(unsigned int new_umask)
+{
+  s_current_umask = (new_umask & 0777);
+  (void) umask(s_current_umask);
+}
+
+void
+vsf_sysutil_make_session_leader(void)
+{
+  /* This makes us the leader if we are not already */
+  (void) setsid();
+  /* Check we're the leader */
+  if ((int) vsf_sysutil_getpid() != getpgrp())
+  {
+    die("not session leader");
+  }
+}
+
+void
+vsf_sysutil_reopen_standard_fds(void)
+{
+  /* This reopens STDIN, STDOUT and STDERR to /dev/null */
+  int fd;
+  if ((fd = open("/dev/null", O_RDWR, 0)) < 0)
+  {
+    goto error;
+  }
+  vsf_sysutil_dupfd2(fd, STDIN_FILENO);
+  vsf_sysutil_dupfd2(fd, STDOUT_FILENO);
+  vsf_sysutil_dupfd2(fd, STDERR_FILENO);
+  if ( fd > 2 )
+  {
+    vsf_sysutil_close(fd);
+  }
+  return;
+
+error:
+  die("reopening standard file descriptors to /dev/null failed");
+}
+
+void
+vsf_sysutil_tzset(void)
+{
+  int retval;
+  char tzbuf[sizeof("+HHMM!")];
+  time_t the_time = time(NULL);
+  struct tm* p_tm;
+  tzset();
+  p_tm = localtime(&the_time);
+  if (p_tm == NULL)
+  {
+    die("localtime");
+  }
+  /* Set our timezone in the TZ environment variable to cater for the fact
+   * that modern glibc does not cache /etc/localtime (which becomes inaccessible
+   * when we chroot().
+   */
+  retval = strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
+  tzbuf[sizeof(tzbuf) - 1] = '\0';
+  if (retval == 5)
+  {
+    /* Static because putenv() does not copy the string. */
+    static char envtz[sizeof("TZ=UTC-hh:mm")];
+    /* Insert a colon so we have e.g. -05:00 instead of -0500 */
+    tzbuf[5] = tzbuf[4];
+    tzbuf[4] = tzbuf[3];
+    tzbuf[3] = ':';
+    /* Invert the sign - we just got the offset _from_ UTC but for TZ, we need
+     * the offset _to_ UTC.
+     */
+    if (tzbuf[0] == '+')
+    {
+      tzbuf[0] = '-';
+    }
+    else
+    {
+      tzbuf[0] = '+';
+    }
+    snprintf(envtz, sizeof(envtz), "TZ=UTC%s", tzbuf);
+    putenv(envtz);
+    s_timezone = ((tzbuf[1] - '0') * 10 + (tzbuf[2] - '0')) * 60 * 60;
+    s_timezone += ((tzbuf[4] - '0') * 10 + (tzbuf[5] - '0')) * 60;
+    if (tzbuf[0] == '-')
+    {
+      s_timezone *= -1;
+    }
+  }
+  /* Call in to the time subsystem again now that TZ is set, trying to force
+   * caching of the actual zoneinfo for the timezone.
+   */
+  p_tm = localtime(&the_time);
+  if (p_tm == NULL)
+  {
+    die("localtime #2");
+  }
+  p_tm = gmtime(&the_time);
+  if (p_tm == NULL)
+  {
+    die("gmtime");
+  }
+}
+
+const char*
+vsf_sysutil_get_current_date(void)
+{
+  static char datebuf[64];
+  time_t curr_time;
+  const struct tm* p_tm;
+  int i = 0;
+  curr_time = vsf_sysutil_get_time_sec();
+  p_tm = localtime(&curr_time);
+  if (strftime(datebuf, sizeof(datebuf), "%a %b!%d %H:%M:%S %Y", p_tm) == 0)
+  {
+    die("strftime");
+  }
+  datebuf[sizeof(datebuf) - 1] = '\0';
+  /* This hack is because %e in strftime() isn't so portable */
+  while (datebuf[i] != '!' && datebuf[i] != '\0')
+  {
+    ++i;
+  }
+  if (datebuf[i] == '!')
+  {
+    datebuf[i] = ' ';
+    if (datebuf[i+1] == '0')
+    {
+      datebuf[i+1] = ' ';
+    }
+  }
+  return datebuf;
+}
+
+long
+vsf_sysutil_get_time_sec(void)
+{
+  if (gettimeofday(&s_current_time, NULL) != 0)
+  {
+    die("gettimeofday");
+  }
+  return s_current_time.tv_sec;
+}
+
+long
+vsf_sysutil_get_time_usec(void)
+{
+  return s_current_time.tv_usec;
+}
+
+void
+vsf_sysutil_qsort(void* p_base, unsigned int num_elem, unsigned int elem_size,
+                  int (*p_compar)(const void *, const void *))
+{
+  qsort(p_base, num_elem, elem_size, p_compar);
+}
+
+void
+vsf_sysutil_sleep(double seconds)
+{
+  int retval;
+  int saved_errno;
+  double fractional;
+  time_t secs;
+  struct timespec ts;
+  secs = (time_t) seconds;
+  fractional = seconds - (double) secs;
+  ts.tv_sec = secs;
+  ts.tv_nsec = (long) (fractional * (double) 1000000000);
+  do
+  {
+    retval = nanosleep(&ts, &ts);
+    saved_errno = errno;
+    vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
+  } while (retval == -1 && saved_errno == EINTR);
+}
+
+char*
+vsf_sysutil_getenv(const char* p_var)
+{
+  return getenv(p_var);
+}
+
+void
+vsf_sysutil_openlog(int force)
+{
+  int facility = LOG_DAEMON;
+  int option = LOG_PID;
+  if (!force)
+  {
+    option |= LOG_NDELAY;
+  }
+#ifdef LOG_FTP
+  facility = LOG_FTP;
+#endif
+  openlog("ftpc", option, facility);
+}
+
+void
+vsf_sysutil_closelog(void)
+{
+  closelog();
+}
+
+void
+vsf_sysutil_syslog(const char* p_text, int severe)
+{
+  int prio = LOG_INFO;
+  if (severe)
+  {
+    prio = LOG_WARNING;
+  }
+  syslog(prio, "%s", p_text);
+}
+
+long
+vsf_sysutil_parse_time(const char* p_text)
+{
+  struct tm the_time;
+  unsigned int len = vsf_sysutil_strlen(p_text);
+  vsf_sysutil_memclr(&the_time, sizeof(the_time));
+  if (len >= 8)
+  {
+    char yr[5];
+    char mon[3];
+    char day[3];
+    vsf_sysutil_strcpy(yr, p_text, 5);
+    vsf_sysutil_strcpy(mon, p_text + 4, 3);
+    vsf_sysutil_strcpy(day, p_text + 6, 3);
+    the_time.tm_year = vsf_sysutil_atoi(yr) - 1900;
+    the_time.tm_mon = vsf_sysutil_atoi(mon) - 1;
+    the_time.tm_mday = vsf_sysutil_atoi(day);
+  }
+  if (len >= 14)
+  {
+    char hr[3];
+    char mins[3];
+    char sec[3];
+    vsf_sysutil_strcpy(hr, p_text + 8, 3);
+    vsf_sysutil_strcpy(mins, p_text + 10, 3);
+    vsf_sysutil_strcpy(sec, p_text + 12, 3);
+    the_time.tm_hour = vsf_sysutil_atoi(hr);
+    the_time.tm_min = vsf_sysutil_atoi(mins);
+    the_time.tm_sec = vsf_sysutil_atoi(sec);
+  }
+  return mktime(&the_time);
+}
+
+int
+vsf_sysutil_setmodtime(const char* p_file, long the_time, int is_localtime)
+{
+  struct utimbuf new_times;
+  if (!is_localtime)
+  {
+    the_time -= s_timezone;
+  }
+  vsf_sysutil_memclr(&new_times, sizeof(new_times));
+  new_times.actime = the_time;
+  new_times.modtime = the_time;
+  return utime(p_file, &new_times);
+}
+
+void
+vsf_sysutil_ftruncate(int fd)
+{
+  int ret = ftruncate(fd, 0);
+  if (ret != 0)
+  {
+    die("ftruncate");
+  }
+}
+
+int
+vsf_sysutil_getuid(void)
+{
+  return getuid();
+}
+
+void
+vsf_sysutil_set_address_space_limit(unsigned long bytes)
+{
+  /* Unfortunately, OpenBSD is missing RLIMIT_AS. */
+#ifdef RLIMIT_AS
+  int ret;
+  struct rlimit rlim;
+  rlim.rlim_cur = bytes;
+  rlim.rlim_max = bytes;
+  ret = setrlimit(RLIMIT_AS, &rlim);
+  /* Permit EPERM as this could indicate that the shell launching vsftpd already
+   * has a lower limit.
+   */
+  if (ret != 0 && errno != EPERM)
+  {
+    die("setrlimit");
+  }
+#endif /* RLIMIT_AS */
+  (void) bytes;
+}
+
+void
+vsf_sysutil_set_no_fds()
+{
+  int ret;
+  struct rlimit rlim;
+  rlim.rlim_cur = 0;
+  rlim.rlim_max = 0;
+  ret = setrlimit(RLIMIT_NOFILE, &rlim);
+  if (ret != 0)
+  {
+    die("setrlimit NOFILE");
+  }
+}
+
+void
+vsf_sysutil_set_no_procs()
+{
+#ifdef RLIMIT_NPROC
+  int ret;
+  struct rlimit rlim;
+  rlim.rlim_cur = 0;
+  rlim.rlim_max = 0;
+  ret = setrlimit(RLIMIT_NPROC, &rlim);
+  if (ret != 0)
+  {
+    die("setrlimit NPROC");
+  }
+#endif
+}
+
+void
+vsf_sysutil_post_fork()
+{
+  int i;
+  /* Don't inherit any exit function. */
+  s_exit_func = NULL;
+  /* Uncached the current PID. */ 
+  s_current_pid = -1;
+  /* Don't inherit anything relating to the synchronous signal system */
+  s_io_handler = NULL;
+  for (i=0; i < NSIG; ++i)
+  {
+    s_sig_details[i].sync_sig_handler = NULL;
+  }
+  for (i=0; i < NSIG; ++i)
+  {
+    s_sig_details[i].pending = 0;
+  }
+}

sysutil.h

@@ -0,0 +1,352 @@
+#ifndef VSF_SYSUTIL_H
+#define VSF_SYSUTIL_H
+
+/* TODO: these functions need proper documenting! */
+
+#ifndef VSF_FILESIZE_H
+#include "filesize.h"
+#endif
+
+/* Return value queries */
+int vsf_sysutil_retval_is_error(int retval);
+enum EVSFSysUtilError
+{
+  kVSFSysUtilErrUnknown = 1,
+  kVSFSysUtilErrADDRINUSE,
+  kVSFSysUtilErrNOSYS,
+  kVSFSysUtilErrINTR,
+  kVSFSysUtilErrINVAL,
+  kVSFSysUtilErrOPNOTSUPP,
+  kVSFSysUtilErrACCES,
+  kVSFSysUtilErrNOENT
+};
+enum EVSFSysUtilError vsf_sysutil_get_error(void);
+
+/* Signal handling utility functions */
+enum EVSFSysUtilSignal
+{
+  kVSFSysUtilSigALRM = 1,
+  kVSFSysUtilSigTERM,
+  kVSFSysUtilSigCHLD,
+  kVSFSysUtilSigPIPE,
+  kVSFSysUtilSigURG,
+  kVSFSysUtilSigHUP
+};
+enum EVSFSysUtilInterruptContext
+{
+  kVSFSysUtilUnknown,
+  kVSFSysUtilIO
+};
+typedef void (*vsf_sighandle_t)(void*);
+typedef void (*vsf_async_sighandle_t)(int);
+typedef void (*vsf_context_io_t)(int, int, void*);
+
+void vsf_sysutil_install_null_sighandler(const enum EVSFSysUtilSignal sig);
+void vsf_sysutil_install_sighandler(const enum EVSFSysUtilSignal,
+                                    vsf_sighandle_t handler,
+                                    void* p_private,
+                                    int use_alarm);
+void vsf_sysutil_install_async_sighandler(const enum EVSFSysUtilSignal sig,
+                                          vsf_async_sighandle_t handler);
+void vsf_sysutil_default_sig(const enum EVSFSysUtilSignal sig);
+void vsf_sysutil_install_io_handler(vsf_context_io_t handler, void* p_private);
+void vsf_sysutil_uninstall_io_handler(void);
+void vsf_sysutil_check_pending_actions(
+  const enum EVSFSysUtilInterruptContext context, int retval, int fd);
+void vsf_sysutil_block_sig(const enum EVSFSysUtilSignal sig);
+void vsf_sysutil_unblock_sig(const enum EVSFSysUtilSignal sig);
+
+/* Alarm setting/clearing utility functions */
+void vsf_sysutil_set_alarm(const unsigned int trigger_seconds);
+void vsf_sysutil_clear_alarm(void);
+
+/* Directory related things */
+char* vsf_sysutil_getcwd(char* p_dest, const unsigned int buf_size);
+int vsf_sysutil_mkdir(const char* p_dirname, const unsigned int mode);
+int vsf_sysutil_rmdir(const char* p_dirname);
+int vsf_sysutil_chdir(const char* p_dirname);
+int vsf_sysutil_rename(const char* p_from, const char* p_to);
+
+struct vsf_sysutil_dir;
+struct vsf_sysutil_dir* vsf_sysutil_opendir(const char* p_dirname);
+void vsf_sysutil_closedir(struct vsf_sysutil_dir* p_dir);
+const char* vsf_sysutil_next_dirent(struct vsf_sysutil_dir* p_dir);
+
+/* File create/open/close etc. */
+enum EVSFSysUtilOpenMode
+{
+  kVSFSysUtilOpenReadOnly = 1,
+  kVSFSysUtilOpenWriteOnly,
+  kVSFSysUtilOpenReadWrite
+};
+int vsf_sysutil_open_file(const char* p_filename,
+                          const enum EVSFSysUtilOpenMode);
+/* Fails if file already exists */
+int vsf_sysutil_create_file_exclusive(const char* p_filename);
+/* Creates file or appends if already exists */
+int vsf_sysutil_create_or_open_file_append(const char* p_filename,
+                                           unsigned int mode);
+/* Creates or appends */
+int vsf_sysutil_create_or_open_file(const char* p_filename, unsigned int mode);
+void vsf_sysutil_dupfd2(int old_fd, int new_fd);
+void vsf_sysutil_close(int fd);
+int vsf_sysutil_close_failok(int fd);
+int vsf_sysutil_unlink(const char* p_dead);
+int vsf_sysutil_write_access(const char* p_filename);
+void vsf_sysutil_ftruncate(int fd);
+
+/* Reading and writing */
+void vsf_sysutil_lseek_to(const int fd, filesize_t seek_pos);
+void vsf_sysutil_lseek_end(const int fd);
+filesize_t vsf_sysutil_get_file_offset(const int file_fd);
+int vsf_sysutil_read(const int fd, void* p_buf, const unsigned int size);
+int vsf_sysutil_write(const int fd, const void* p_buf,
+                      const unsigned int size);
+/* Reading and writing, with handling of interrupted system calls and partial
+ * reads/writes. Slightly more usable than the standard UNIX API!
+ */
+int vsf_sysutil_read_loop(const int fd, void* p_buf, unsigned int size);
+int vsf_sysutil_write_loop(const int fd, const void* p_buf, unsigned int size);
+
+struct vsf_sysutil_statbuf;
+int vsf_sysutil_stat(const char* p_name, struct vsf_sysutil_statbuf** p_ptr);
+int vsf_sysutil_lstat(const char* p_name, struct vsf_sysutil_statbuf** p_ptr);
+void vsf_sysutil_fstat(int fd, struct vsf_sysutil_statbuf** p_ptr);
+void vsf_sysutil_dir_stat(const struct vsf_sysutil_dir* p_dir,
+                          struct vsf_sysutil_statbuf** p_ptr);
+int vsf_sysutil_statbuf_is_regfile(const struct vsf_sysutil_statbuf* p_stat);
+int vsf_sysutil_statbuf_is_symlink(const struct vsf_sysutil_statbuf* p_stat);
+int vsf_sysutil_statbuf_is_socket(const struct vsf_sysutil_statbuf* p_stat);
+int vsf_sysutil_statbuf_is_dir(const struct vsf_sysutil_statbuf* p_stat);
+filesize_t vsf_sysutil_statbuf_get_size(
+  const struct vsf_sysutil_statbuf* p_stat);
+const char* vsf_sysutil_statbuf_get_perms(
+  const struct vsf_sysutil_statbuf* p_stat);
+const char* vsf_sysutil_statbuf_get_date(
+  const struct vsf_sysutil_statbuf* p_stat, int use_localtime, long curr_time);
+const char* vsf_sysutil_statbuf_get_numeric_date(
+  const struct vsf_sysutil_statbuf* p_stat, int use_localtime);
+unsigned int vsf_sysutil_statbuf_get_links(
+  const struct vsf_sysutil_statbuf* p_stat);
+int vsf_sysutil_statbuf_get_uid(const struct vsf_sysutil_statbuf* p_stat);
+int vsf_sysutil_statbuf_get_gid(const struct vsf_sysutil_statbuf* p_stat);
+int vsf_sysutil_statbuf_is_readable_other(
+  const struct vsf_sysutil_statbuf* p_stat);
+const char* vsf_sysutil_statbuf_get_sortkey_mtime(
+  const struct vsf_sysutil_statbuf* p_stat);
+
+int vsf_sysutil_chmod(const char* p_filename, unsigned int mode);
+void vsf_sysutil_fchown(const int fd, const int uid, const int gid);
+void vsf_sysutil_fchmod(const int fd, unsigned int mode);
+int vsf_sysutil_readlink(const char* p_filename, char* p_dest,
+                         unsigned int bufsiz);
+
+/* Get / unget various locks. Lock gets are blocking. Write locks are
+ * exclusive; read locks are shared.
+ */
+int vsf_sysutil_lock_file_write(int fd);
+int vsf_sysutil_lock_file_read(int fd);
+void vsf_sysutil_unlock_file(int fd);
+
+/* Mapping/unmapping */
+enum EVSFSysUtilMapPermission
+{
+  kVSFSysUtilMapProtReadOnly = 1,
+  kVSFSysUtilMapProtNone
+};
+void vsf_sysutil_memprotect(void* p_addr, unsigned int len,
+                            const enum EVSFSysUtilMapPermission perm);
+void vsf_sysutil_memunmap(void* p_start, unsigned int length);
+
+/* Memory allocating/freeing */
+void* vsf_sysutil_malloc(unsigned int size);
+void* vsf_sysutil_realloc(void* p_ptr, unsigned int size);
+void vsf_sysutil_free(void* p_ptr);
+
+/* Process creation/exit/process handling */
+unsigned int vsf_sysutil_getpid(void);
+void vsf_sysutil_post_fork(void);
+int vsf_sysutil_fork(void);
+int vsf_sysutil_fork_failok(void);
+void vsf_sysutil_exit(int exit_code);
+struct vsf_sysutil_wait_retval
+{
+  int PRIVATE_HANDS_OFF_syscall_retval;
+  int PRIVATE_HANDS_OFF_exit_status;
+};
+struct vsf_sysutil_wait_retval vsf_sysutil_wait(void);
+int vsf_sysutil_wait_reap_one(void);
+int vsf_sysutil_wait_get_retval(
+  const struct vsf_sysutil_wait_retval* p_waitret);
+int vsf_sysutil_wait_exited_normally(
+  const struct vsf_sysutil_wait_retval* p_waitret);
+int vsf_sysutil_wait_get_exitcode(
+  const struct vsf_sysutil_wait_retval* p_waitret);
+
+/* Various string functions */
+unsigned int vsf_sysutil_strlen(const char* p_text);
+char* vsf_sysutil_strdup(const char* p_str);
+void vsf_sysutil_memclr(void* p_dest, unsigned int size);
+void vsf_sysutil_memcpy(void* p_dest, const void* p_src,
+                        const unsigned int size);
+void vsf_sysutil_strcpy(char* p_dest, const char* p_src, unsigned int maxsize);
+int vsf_sysutil_memcmp(const void* p_src1, const void* p_src2,
+                       unsigned int size);
+int vsf_sysutil_strcmp(const char* p_src1, const char* p_src2);
+int vsf_sysutil_atoi(const char* p_str);
+filesize_t vsf_sysutil_a_to_filesize_t(const char* p_str);
+const char* vsf_sysutil_ulong_to_str(unsigned long the_ulong);
+const char* vsf_sysutil_filesize_t_to_str(filesize_t the_filesize);
+const char* vsf_sysutil_double_to_str(double the_double);
+const char* vsf_sysutil_uint_to_octal(unsigned int the_uint);
+unsigned int vsf_sysutil_octal_to_uint(const char* p_str);
+int vsf_sysutil_toupper(int the_char);
+int vsf_sysutil_isspace(int the_char);
+int vsf_sysutil_isprint(int the_char);
+int vsf_sysutil_isalnum(int the_char);
+int vsf_sysutil_isdigit(int the_char);
+
+/* Socket handling */
+struct vsf_sysutil_sockaddr;
+struct vsf_sysutil_socketpair_retval
+{
+  int socket_one;
+  int socket_two;
+};
+void vsf_sysutil_sockaddr_alloc(struct vsf_sysutil_sockaddr** p_sockptr);
+void vsf_sysutil_sockaddr_clear(struct vsf_sysutil_sockaddr** p_sockptr);
+void vsf_sysutil_sockaddr_alloc_ipv4(struct vsf_sysutil_sockaddr** p_sockptr);
+void vsf_sysutil_sockaddr_alloc_ipv6(struct vsf_sysutil_sockaddr** p_sockptr);
+void vsf_sysutil_sockaddr_clone(
+  struct vsf_sysutil_sockaddr** p_sockptr,
+  const struct vsf_sysutil_sockaddr* p_src);
+int vsf_sysutil_sockaddr_addr_equal(const struct vsf_sysutil_sockaddr* p1,
+                                    const struct vsf_sysutil_sockaddr* p2);
+int vsf_sysutil_sockaddr_is_ipv6(
+  const struct vsf_sysutil_sockaddr* p_sockaddr);
+void vsf_sysutil_sockaddr_set_ipv4addr(struct vsf_sysutil_sockaddr* p_sockptr,
+                                       const unsigned char* p_raw);
+void vsf_sysutil_sockaddr_set_ipv6addr(struct vsf_sysutil_sockaddr* p_sockptr,
+                                       const unsigned char* p_raw);
+void vsf_sysutil_sockaddr_set_any(struct vsf_sysutil_sockaddr* p_sockaddr);
+unsigned short vsf_sysutil_sockaddr_get_port(
+    const struct vsf_sysutil_sockaddr* p_sockptr);
+void vsf_sysutil_sockaddr_set_port(struct vsf_sysutil_sockaddr* p_sockptr,
+                                   unsigned short the_port);
+int vsf_sysutil_is_port_reserved(unsigned short port);
+int vsf_sysutil_get_ipsock(const struct vsf_sysutil_sockaddr* p_sockaddr);
+unsigned int vsf_sysutil_get_ipaddr_size(void);
+void* vsf_sysutil_sockaddr_get_raw_addr(
+  struct vsf_sysutil_sockaddr* p_sockaddr);
+const void* vsf_sysutil_sockaddr_ipv6_v4(
+  const struct vsf_sysutil_sockaddr* p_sockaddr);
+const void* vsf_sysutil_sockaddr_ipv4_v6(
+  const struct vsf_sysutil_sockaddr* p_sockaddr);
+int vsf_sysutil_get_ipv4_sock(void);
+int vsf_sysutil_get_ipv6_sock(void);
+struct vsf_sysutil_socketpair_retval
+  vsf_sysutil_unix_stream_socketpair(void);
+int vsf_sysutil_bind(int fd, const struct vsf_sysutil_sockaddr* p_sockptr);
+int vsf_sysutil_listen(int fd, const unsigned int backlog);
+void vsf_sysutil_getsockname(int fd, struct vsf_sysutil_sockaddr** p_sockptr);
+void vsf_sysutil_getpeername(int fd, struct vsf_sysutil_sockaddr** p_sockptr);
+int vsf_sysutil_accept_timeout(int fd, struct vsf_sysutil_sockaddr* p_sockaddr,
+                               unsigned int wait_seconds);
+int vsf_sysutil_connect_timeout(int fd,
+                                const struct vsf_sysutil_sockaddr* p_sockaddr,
+                                unsigned int wait_seconds);
+void vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr,
+                             const char* p_name);
+/* Option setting on sockets */
+void vsf_sysutil_activate_keepalive(int fd);
+void vsf_sysutil_set_iptos_throughput(int fd);
+void vsf_sysutil_activate_reuseaddr(int fd);
+void vsf_sysutil_set_nodelay(int fd);
+void vsf_sysutil_activate_sigurg(int fd);
+void vsf_sysutil_activate_oobinline(int fd);
+void vsf_sysutil_activate_linger(int fd);
+void vsf_sysutil_deactivate_linger_failok(int fd);
+void vsf_sysutil_activate_noblock(int fd);
+void vsf_sysutil_deactivate_noblock(int fd);
+/* This does SHUT_RDWR */
+void vsf_sysutil_shutdown_failok(int fd);
+/* And this does SHUT_RD */
+void vsf_sysutil_shutdown_read_failok(int fd);
+int vsf_sysutil_recv_peek(const int fd, void* p_buf, unsigned int len);
+
+const char* vsf_sysutil_inet_ntop(
+  const struct vsf_sysutil_sockaddr* p_sockptr);
+const char* vsf_sysutil_inet_ntoa(const void* p_raw_addr);
+int vsf_sysutil_inet_aton(
+  const char* p_text, struct vsf_sysutil_sockaddr* p_addr);
+
+/* User database queries etc. */
+struct vsf_sysutil_user;
+struct vsf_sysutil_group;
+
+struct vsf_sysutil_user* vsf_sysutil_getpwuid(const int uid);
+struct vsf_sysutil_user* vsf_sysutil_getpwnam(const char* p_user);
+const char* vsf_sysutil_user_getname(const struct vsf_sysutil_user* p_user);
+const char* vsf_sysutil_user_get_homedir(
+  const struct vsf_sysutil_user* p_user);
+int vsf_sysutil_user_getuid(const struct vsf_sysutil_user* p_user);
+int vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user);
+
+struct vsf_sysutil_group* vsf_sysutil_getgrgid(const int gid);
+const char* vsf_sysutil_group_getname(const struct vsf_sysutil_group* p_group);
+
+/* More random things */
+unsigned int vsf_sysutil_getpagesize(void);
+unsigned char vsf_sysutil_get_random_byte(void);
+unsigned int vsf_sysutil_get_umask(void);
+void vsf_sysutil_set_umask(unsigned int umask);
+void vsf_sysutil_make_session_leader(void);
+void vsf_sysutil_reopen_standard_fds(void);
+void vsf_sysutil_tzset(void);
+const char* vsf_sysutil_get_current_date(void);
+void vsf_sysutil_qsort(void* p_base, unsigned int num_elem,
+                       unsigned int elem_size,
+                       int (*p_compar)(const void *, const void *));
+char* vsf_sysutil_getenv(const char* p_var);
+typedef void (*exitfunc_t)(void);
+void vsf_sysutil_set_exit_func(exitfunc_t exitfunc);
+int vsf_sysutil_getuid(void);
+
+/* Syslogging (bah) */
+void vsf_sysutil_openlog(int force);
+void vsf_sysutil_syslog(const char* p_text, int severe);
+void vsf_sysutil_closelog(void);
+
+/* Credentials handling */
+int vsf_sysutil_running_as_root(void);
+void vsf_sysutil_setuid(const struct vsf_sysutil_user* p_user);
+void vsf_sysutil_setgid(const struct vsf_sysutil_user* p_user);
+void vsf_sysutil_setuid_numeric(int uid);
+void vsf_sysutil_setgid_numeric(int gid);
+int vsf_sysutil_geteuid(void);
+int vsf_sysutil_getegid(void);
+void vsf_sysutil_seteuid(const struct vsf_sysutil_user* p_user);
+void vsf_sysutil_setegid(const struct vsf_sysutil_user* p_user);
+void vsf_sysutil_seteuid_numeric(int uid);
+void vsf_sysutil_setegid_numeric(int gid);
+void vsf_sysutil_clear_supp_groups(void);
+void vsf_sysutil_initgroups(const struct vsf_sysutil_user* p_user);
+void vsf_sysutil_chroot(const char* p_root_path);
+
+/* Time handling */
+/* Do not call get_time_usec() without calling get_time_sec()
+ * first otherwise you will get stale data.
+ */
+long vsf_sysutil_get_time_sec(void);
+long vsf_sysutil_get_time_usec(void);
+long vsf_sysutil_parse_time(const char* p_text);
+void vsf_sysutil_sleep(double seconds);
+int vsf_sysutil_setmodtime(const char* p_file, long the_time, int is_localtime);
+
+/* Limits */
+void vsf_sysutil_set_address_space_limit(unsigned long bytes);
+void vsf_sysutil_set_no_fds(void);
+void vsf_sysutil_set_no_procs(void);
+
+#endif /* VSF_SYSUTIL_H */
+

tcpwrap.c

@@ -0,0 +1,54 @@
+/*
+ * Part of Very Secure FTPd
+ * Licence: GPL v2
+ * Author: Chris Evans
+ * tcpwrap.c
+ *
+ * Routines to encapsulate the usage of tcp_wrappers.
+ */
+
+#include "tcpwrap.h"
+#include "builddefs.h"
+#include "utility.h"
+#include "sysutil.h"
+
+#ifdef VSF_BUILD_TCPWRAPPERS
+  #include <tcpd.h>
+#endif
+
+#ifdef VSF_BUILD_TCPWRAPPERS
+
+#include <sys/syslog.h>
+
+int deny_severity = LOG_WARNING;
+int allow_severity = LOG_INFO;
+
+int
+vsf_tcp_wrapper_ok(int remote_fd)
+{
+  struct request_info req;
+  vsf_sysutil_openlog(0);
+  request_init(&req, RQ_DAEMON, "ftpz", RQ_FILE, remote_fd, 0);
+  fromhost(&req);
+  if (!hosts_access(&req))
+  {
+    vsf_sysutil_closelog();
+    return 0;
+  }
+  vsf_sysutil_closelog();
+  return 1;
+}
+
+#else /* VSF_BUILD_TCPWRAPPERS */
+
+int
+vsf_tcp_wrapper_ok(int remote_fd)
+{
+  (void) remote_fd;
+  die("tcp_wrappers is set to YES but no tcp wrapper support compiled in");
+  return 0;
+}
+
+#endif /* VSF_BUILD_TCPWRAPPERS */
+
+

tcpwrap.h

@@ -0,0 +1,7 @@
+#ifndef VSF_TCPWRAP_H
+#define VSF_TCPWRAP_H
+
+int vsf_tcp_wrapper_ok(int remote_fd);
+
+#endif /* VSF_TCPWRAP_H */
+