1 /* $OpenBSD: sftp-server.c,v 1.105 2015/01/20 23:14:00 deraadt Exp $ */
3 * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 #include <sys/param.h> /* MIN */
21 #include <sys/types.h>
23 #ifdef HAVE_SYS_TIME_H
24 # include <sys/time.h>
26 #ifdef HAVE_SYS_MOUNT_H
27 #include <sys/mount.h>
29 #ifdef HAVE_SYS_STATVFS_H
30 #include <sys/statvfs.h>
32 #ifdef HAVE_SYS_PRCTL_H
33 #include <sys/prctl.h>
57 #include "sftp-common.h"
60 static LogLevel log_level = SYSLOG_LEVEL_ERROR;
63 static struct passwd *pw = NULL;
64 static char *client_addr = NULL;
66 /* input and output queue */
67 struct sshbuf *iqueue;
68 struct sshbuf *oqueue;
70 /* Version of client */
73 /* SSH2_FXP_INIT received */
79 /* Requests that are allowed/denied */
80 static char *request_whitelist, *request_blacklist;
82 /* portable attributes, etc. */
83 typedef struct Stat Stat;
92 static void process_open(u_int32_t id);
93 static void process_close(u_int32_t id);
94 static void process_read(u_int32_t id);
95 static void process_write(u_int32_t id);
96 static void process_stat(u_int32_t id);
97 static void process_lstat(u_int32_t id);
98 static void process_fstat(u_int32_t id);
99 static void process_setstat(u_int32_t id);
100 static void process_fsetstat(u_int32_t id);
101 static void process_opendir(u_int32_t id);
102 static void process_readdir(u_int32_t id);
103 static void process_remove(u_int32_t id);
104 static void process_mkdir(u_int32_t id);
105 static void process_rmdir(u_int32_t id);
106 static void process_realpath(u_int32_t id);
107 static void process_rename(u_int32_t id);
108 static void process_readlink(u_int32_t id);
109 static void process_symlink(u_int32_t id);
110 static void process_extended_posix_rename(u_int32_t id);
111 static void process_extended_statvfs(u_int32_t id);
112 static void process_extended_fstatvfs(u_int32_t id);
113 static void process_extended_hardlink(u_int32_t id);
114 static void process_extended_fsync(u_int32_t id);
115 static void process_extended(u_int32_t id);
117 struct sftp_handler {
118 const char *name; /* user-visible name for fine-grained perms */
119 const char *ext_name; /* extended request name */
120 u_int type; /* packet type, for non extended packets */
121 void (*handler)(u_int32_t);
122 int does_write; /* if nonzero, banned for readonly mode */
125 struct sftp_handler handlers[] = {
126 /* NB. SSH2_FXP_OPEN does the readonly check in the handler itself */
127 { "open", NULL, SSH2_FXP_OPEN, process_open, 0 },
128 { "close", NULL, SSH2_FXP_CLOSE, process_close, 0 },
129 { "read", NULL, SSH2_FXP_READ, process_read, 0 },
130 { "write", NULL, SSH2_FXP_WRITE, process_write, 1 },
131 { "lstat", NULL, SSH2_FXP_LSTAT, process_lstat, 0 },
132 { "fstat", NULL, SSH2_FXP_FSTAT, process_fstat, 0 },
133 { "setstat", NULL, SSH2_FXP_SETSTAT, process_setstat, 1 },
134 { "fsetstat", NULL, SSH2_FXP_FSETSTAT, process_fsetstat, 1 },
135 { "opendir", NULL, SSH2_FXP_OPENDIR, process_opendir, 0 },
136 { "readdir", NULL, SSH2_FXP_READDIR, process_readdir, 0 },
137 { "remove", NULL, SSH2_FXP_REMOVE, process_remove, 1 },
138 { "mkdir", NULL, SSH2_FXP_MKDIR, process_mkdir, 1 },
139 { "rmdir", NULL, SSH2_FXP_RMDIR, process_rmdir, 1 },
140 { "realpath", NULL, SSH2_FXP_REALPATH, process_realpath, 0 },
141 { "stat", NULL, SSH2_FXP_STAT, process_stat, 0 },
142 { "rename", NULL, SSH2_FXP_RENAME, process_rename, 1 },
143 { "readlink", NULL, SSH2_FXP_READLINK, process_readlink, 0 },
144 { "symlink", NULL, SSH2_FXP_SYMLINK, process_symlink, 1 },
145 { NULL, NULL, 0, NULL, 0 }
148 /* SSH2_FXP_EXTENDED submessages */
149 struct sftp_handler extended_handlers[] = {
150 { "posix-rename", "posix-rename@openssh.com", 0,
151 process_extended_posix_rename, 1 },
152 { "statvfs", "statvfs@openssh.com", 0, process_extended_statvfs, 0 },
153 { "fstatvfs", "fstatvfs@openssh.com", 0, process_extended_fstatvfs, 0 },
154 { "hardlink", "hardlink@openssh.com", 0, process_extended_hardlink, 1 },
155 { "fsync", "fsync@openssh.com", 0, process_extended_fsync, 1 },
156 { NULL, NULL, 0, NULL, 0 }
160 request_permitted(struct sftp_handler *h)
164 if (readonly && h->does_write) {
165 verbose("Refusing %s request in read-only mode", h->name);
168 if (request_blacklist != NULL &&
169 ((result = match_list(h->name, request_blacklist, NULL))) != NULL) {
171 verbose("Refusing blacklisted %s request", h->name);
174 if (request_whitelist != NULL &&
175 ((result = match_list(h->name, request_whitelist, NULL))) != NULL) {
177 debug2("Permitting whitelisted %s request", h->name);
180 if (request_whitelist != NULL) {
181 verbose("Refusing non-whitelisted %s request", h->name);
188 errno_to_portable(int unixerrno)
200 ret = SSH2_FX_NO_SUCH_FILE;
205 ret = SSH2_FX_PERMISSION_DENIED;
209 ret = SSH2_FX_BAD_MESSAGE;
212 ret = SSH2_FX_OP_UNSUPPORTED;
215 ret = SSH2_FX_FAILURE;
222 flags_from_portable(int pflags)
226 if ((pflags & SSH2_FXF_READ) &&
227 (pflags & SSH2_FXF_WRITE)) {
229 } else if (pflags & SSH2_FXF_READ) {
231 } else if (pflags & SSH2_FXF_WRITE) {
234 if (pflags & SSH2_FXF_APPEND)
236 if (pflags & SSH2_FXF_CREAT)
238 if (pflags & SSH2_FXF_TRUNC)
240 if (pflags & SSH2_FXF_EXCL)
246 string_from_portable(int pflags)
248 static char ret[128];
252 #define PAPPEND(str) { \
254 strlcat(ret, ",", sizeof(ret)); \
255 strlcat(ret, str, sizeof(ret)); \
258 if (pflags & SSH2_FXF_READ)
260 if (pflags & SSH2_FXF_WRITE)
262 if (pflags & SSH2_FXF_APPEND)
264 if (pflags & SSH2_FXF_CREAT)
266 if (pflags & SSH2_FXF_TRUNC)
268 if (pflags & SSH2_FXF_EXCL)
276 typedef struct Handle Handle;
283 u_int64_t bytes_read, bytes_write;
293 Handle *handles = NULL;
294 u_int num_handles = 0;
295 int first_unused_handle = -1;
297 static void handle_unused(int i)
299 handles[i].use = HANDLE_UNUSED;
300 handles[i].next_unused = first_unused_handle;
301 first_unused_handle = i;
305 handle_new(int use, const char *name, int fd, int flags, DIR *dirp)
309 if (first_unused_handle == -1) {
310 if (num_handles + 1 <= num_handles)
313 handles = xrealloc(handles, num_handles, sizeof(Handle));
314 handle_unused(num_handles - 1);
317 i = first_unused_handle;
318 first_unused_handle = handles[i].next_unused;
320 handles[i].use = use;
321 handles[i].dirp = dirp;
323 handles[i].flags = flags;
324 handles[i].name = xstrdup(name);
325 handles[i].bytes_read = handles[i].bytes_write = 0;
331 handle_is_ok(int i, int type)
333 return i >= 0 && (u_int)i < num_handles && handles[i].use == type;
337 handle_to_string(int handle, u_char **stringp, int *hlenp)
339 if (stringp == NULL || hlenp == NULL)
341 *stringp = xmalloc(sizeof(int32_t));
342 put_u32(*stringp, handle);
343 *hlenp = sizeof(int32_t);
348 handle_from_string(const u_char *handle, u_int hlen)
352 if (hlen != sizeof(int32_t))
354 val = get_u32(handle);
355 if (handle_is_ok(val, HANDLE_FILE) ||
356 handle_is_ok(val, HANDLE_DIR))
362 handle_to_name(int handle)
364 if (handle_is_ok(handle, HANDLE_DIR)||
365 handle_is_ok(handle, HANDLE_FILE))
366 return handles[handle].name;
371 handle_to_dir(int handle)
373 if (handle_is_ok(handle, HANDLE_DIR))
374 return handles[handle].dirp;
379 handle_to_fd(int handle)
381 if (handle_is_ok(handle, HANDLE_FILE))
382 return handles[handle].fd;
387 handle_to_flags(int handle)
389 if (handle_is_ok(handle, HANDLE_FILE))
390 return handles[handle].flags;
395 handle_update_read(int handle, ssize_t bytes)
397 if (handle_is_ok(handle, HANDLE_FILE) && bytes > 0)
398 handles[handle].bytes_read += bytes;
402 handle_update_write(int handle, ssize_t bytes)
404 if (handle_is_ok(handle, HANDLE_FILE) && bytes > 0)
405 handles[handle].bytes_write += bytes;
409 handle_bytes_read(int handle)
411 if (handle_is_ok(handle, HANDLE_FILE))
412 return (handles[handle].bytes_read);
417 handle_bytes_write(int handle)
419 if (handle_is_ok(handle, HANDLE_FILE))
420 return (handles[handle].bytes_write);
425 handle_close(int handle)
429 if (handle_is_ok(handle, HANDLE_FILE)) {
430 ret = close(handles[handle].fd);
431 free(handles[handle].name);
432 handle_unused(handle);
433 } else if (handle_is_ok(handle, HANDLE_DIR)) {
434 ret = closedir(handles[handle].dirp);
435 free(handles[handle].name);
436 handle_unused(handle);
444 handle_log_close(int handle, char *emsg)
446 if (handle_is_ok(handle, HANDLE_FILE)) {
447 logit("%s%sclose \"%s\" bytes read %llu written %llu",
448 emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
449 handle_to_name(handle),
450 (unsigned long long)handle_bytes_read(handle),
451 (unsigned long long)handle_bytes_write(handle));
453 logit("%s%sclosedir \"%s\"",
454 emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
455 handle_to_name(handle));
460 handle_log_exit(void)
464 for (i = 0; i < num_handles; i++)
465 if (handles[i].use != HANDLE_UNUSED)
466 handle_log_close(i, "forced");
470 get_handle(struct sshbuf *queue, int *hp)
477 if ((r = sshbuf_get_string(queue, &handle, &hlen)) != 0)
480 *hp = handle_from_string(handle, hlen);
488 send_msg(struct sshbuf *m)
492 if ((r = sshbuf_put_stringb(oqueue, m)) != 0)
493 fatal("%s: buffer error: %s", __func__, ssh_err(r));
498 status_to_message(u_int32_t status)
500 const char *status_messages[] = {
501 "Success", /* SSH_FX_OK */
502 "End of file", /* SSH_FX_EOF */
503 "No such file", /* SSH_FX_NO_SUCH_FILE */
504 "Permission denied", /* SSH_FX_PERMISSION_DENIED */
505 "Failure", /* SSH_FX_FAILURE */
506 "Bad message", /* SSH_FX_BAD_MESSAGE */
507 "No connection", /* SSH_FX_NO_CONNECTION */
508 "Connection lost", /* SSH_FX_CONNECTION_LOST */
509 "Operation unsupported", /* SSH_FX_OP_UNSUPPORTED */
510 "Unknown error" /* Others */
512 return (status_messages[MIN(status,SSH2_FX_MAX)]);
516 send_status(u_int32_t id, u_int32_t status)
521 debug3("request %u: sent status %u", id, status);
522 if (log_level > SYSLOG_LEVEL_VERBOSE ||
523 (status != SSH2_FX_OK && status != SSH2_FX_EOF))
524 logit("sent status %s", status_to_message(status));
525 if ((msg = sshbuf_new()) == NULL)
526 fatal("%s: sshbuf_new failed", __func__);
527 if ((r = sshbuf_put_u8(msg, SSH2_FXP_STATUS)) != 0 ||
528 (r = sshbuf_put_u32(msg, id)) != 0 ||
529 (r = sshbuf_put_u32(msg, status)) != 0)
530 fatal("%s: buffer error: %s", __func__, ssh_err(r));
532 if ((r = sshbuf_put_cstring(msg,
533 status_to_message(status))) != 0 ||
534 (r = sshbuf_put_cstring(msg, "")) != 0)
535 fatal("%s: buffer error: %s", __func__, ssh_err(r));
541 send_data_or_handle(char type, u_int32_t id, const u_char *data, int dlen)
546 if ((msg = sshbuf_new()) == NULL)
547 fatal("%s: sshbuf_new failed", __func__);
548 if ((r = sshbuf_put_u8(msg, type)) != 0 ||
549 (r = sshbuf_put_u32(msg, id)) != 0 ||
550 (r = sshbuf_put_string(msg, data, dlen)) != 0)
551 fatal("%s: buffer error: %s", __func__, ssh_err(r));
557 send_data(u_int32_t id, const u_char *data, int dlen)
559 debug("request %u: sent data len %d", id, dlen);
560 send_data_or_handle(SSH2_FXP_DATA, id, data, dlen);
564 send_handle(u_int32_t id, int handle)
569 handle_to_string(handle, &string, &hlen);
570 debug("request %u: sent handle handle %d", id, handle);
571 send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen);
576 send_names(u_int32_t id, int count, const Stat *stats)
581 if ((msg = sshbuf_new()) == NULL)
582 fatal("%s: sshbuf_new failed", __func__);
583 if ((r = sshbuf_put_u8(msg, SSH2_FXP_NAME)) != 0 ||
584 (r = sshbuf_put_u32(msg, id)) != 0 ||
585 (r = sshbuf_put_u32(msg, count)) != 0)
586 fatal("%s: buffer error: %s", __func__, ssh_err(r));
587 debug("request %u: sent names count %d", id, count);
588 for (i = 0; i < count; i++) {
589 if ((r = sshbuf_put_cstring(msg, stats[i].name)) != 0 ||
590 (r = sshbuf_put_cstring(msg, stats[i].long_name)) != 0 ||
591 (r = encode_attrib(msg, &stats[i].attrib)) != 0)
592 fatal("%s: buffer error: %s", __func__, ssh_err(r));
599 send_attrib(u_int32_t id, const Attrib *a)
604 debug("request %u: sent attrib have 0x%x", id, a->flags);
605 if ((msg = sshbuf_new()) == NULL)
606 fatal("%s: sshbuf_new failed", __func__);
607 if ((r = sshbuf_put_u8(msg, SSH2_FXP_ATTRS)) != 0 ||
608 (r = sshbuf_put_u32(msg, id)) != 0 ||
609 (r = encode_attrib(msg, a)) != 0)
610 fatal("%s: buffer error: %s", __func__, ssh_err(r));
616 send_statvfs(u_int32_t id, struct statvfs *st)
622 flag = (st->f_flag & ST_RDONLY) ? SSH2_FXE_STATVFS_ST_RDONLY : 0;
623 flag |= (st->f_flag & ST_NOSUID) ? SSH2_FXE_STATVFS_ST_NOSUID : 0;
625 if ((msg = sshbuf_new()) == NULL)
626 fatal("%s: sshbuf_new failed", __func__);
627 if ((r = sshbuf_put_u8(msg, SSH2_FXP_EXTENDED_REPLY)) != 0 ||
628 (r = sshbuf_put_u32(msg, id)) != 0 ||
629 (r = sshbuf_put_u64(msg, st->f_bsize)) != 0 ||
630 (r = sshbuf_put_u64(msg, st->f_frsize)) != 0 ||
631 (r = sshbuf_put_u64(msg, st->f_blocks)) != 0 ||
632 (r = sshbuf_put_u64(msg, st->f_bfree)) != 0 ||
633 (r = sshbuf_put_u64(msg, st->f_bavail)) != 0 ||
634 (r = sshbuf_put_u64(msg, st->f_files)) != 0 ||
635 (r = sshbuf_put_u64(msg, st->f_ffree)) != 0 ||
636 (r = sshbuf_put_u64(msg, st->f_favail)) != 0 ||
637 (r = sshbuf_put_u64(msg, FSID_TO_ULONG(st->f_fsid))) != 0 ||
638 (r = sshbuf_put_u64(msg, flag)) != 0 ||
639 (r = sshbuf_put_u64(msg, st->f_namemax)) != 0)
640 fatal("%s: buffer error: %s", __func__, ssh_err(r));
653 if ((r = sshbuf_get_u32(iqueue, &version)) != 0)
654 fatal("%s: buffer error: %s", __func__, ssh_err(r));
655 verbose("received client version %u", version);
656 if ((msg = sshbuf_new()) == NULL)
657 fatal("%s: sshbuf_new failed", __func__);
658 if ((r = sshbuf_put_u8(msg, SSH2_FXP_VERSION)) != 0 ||
659 (r = sshbuf_put_u32(msg, SSH2_FILEXFER_VERSION)) != 0 ||
660 /* POSIX rename extension */
661 (r = sshbuf_put_cstring(msg, "posix-rename@openssh.com")) != 0 ||
662 (r = sshbuf_put_cstring(msg, "1")) != 0 || /* version */
663 /* statvfs extension */
664 (r = sshbuf_put_cstring(msg, "statvfs@openssh.com")) != 0 ||
665 (r = sshbuf_put_cstring(msg, "2")) != 0 || /* version */
666 /* fstatvfs extension */
667 (r = sshbuf_put_cstring(msg, "fstatvfs@openssh.com")) != 0 ||
668 (r = sshbuf_put_cstring(msg, "2")) != 0 || /* version */
669 /* hardlink extension */
670 (r = sshbuf_put_cstring(msg, "hardlink@openssh.com")) != 0 ||
671 (r = sshbuf_put_cstring(msg, "1")) != 0 || /* version */
672 /* fsync extension */
673 (r = sshbuf_put_cstring(msg, "fsync@openssh.com")) != 0 ||
674 (r = sshbuf_put_cstring(msg, "1")) != 0) /* version */
675 fatal("%s: buffer error: %s", __func__, ssh_err(r));
681 process_open(u_int32_t id)
686 int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
688 if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
689 (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
690 (r = decode_attrib(iqueue, &a)) != 0)
691 fatal("%s: buffer error: %s", __func__, ssh_err(r));
693 debug3("request %u: open flags %d", id, pflags);
694 flags = flags_from_portable(pflags);
695 mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
696 logit("open \"%s\" flags %s mode 0%o",
697 name, string_from_portable(pflags), mode);
699 ((flags & O_ACCMODE) == O_WRONLY ||
700 (flags & O_ACCMODE) == O_RDWR)) {
701 verbose("Refusing open request in read-only mode");
702 status = SSH2_FX_PERMISSION_DENIED;
704 fd = open(name, flags, mode);
706 status = errno_to_portable(errno);
708 handle = handle_new(HANDLE_FILE, name, fd, flags, NULL);
712 send_handle(id, handle);
717 if (status != SSH2_FX_OK)
718 send_status(id, status);
723 process_close(u_int32_t id)
725 int r, handle, ret, status = SSH2_FX_FAILURE;
727 if ((r = get_handle(iqueue, &handle)) != 0)
728 fatal("%s: buffer error: %s", __func__, ssh_err(r));
730 debug3("request %u: close handle %u", id, handle);
731 handle_log_close(handle, NULL);
732 ret = handle_close(handle);
733 status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
734 send_status(id, status);
738 process_read(u_int32_t id)
742 int r, handle, fd, ret, status = SSH2_FX_FAILURE;
745 if ((r = get_handle(iqueue, &handle)) != 0 ||
746 (r = sshbuf_get_u64(iqueue, &off)) != 0 ||
747 (r = sshbuf_get_u32(iqueue, &len)) != 0)
748 fatal("%s: buffer error: %s", __func__, ssh_err(r));
750 debug("request %u: read \"%s\" (handle %d) off %llu len %d",
751 id, handle_to_name(handle), handle, (unsigned long long)off, len);
752 if (len > sizeof buf) {
754 debug2("read change len %d", len);
756 fd = handle_to_fd(handle);
758 if (lseek(fd, off, SEEK_SET) < 0) {
759 error("process_read: seek failed");
760 status = errno_to_portable(errno);
762 ret = read(fd, buf, len);
764 status = errno_to_portable(errno);
765 } else if (ret == 0) {
766 status = SSH2_FX_EOF;
768 send_data(id, buf, ret);
770 handle_update_read(handle, ret);
774 if (status != SSH2_FX_OK)
775 send_status(id, status);
779 process_write(u_int32_t id)
783 int r, handle, fd, ret, status;
786 if ((r = get_handle(iqueue, &handle)) != 0 ||
787 (r = sshbuf_get_u64(iqueue, &off)) != 0 ||
788 (r = sshbuf_get_string(iqueue, &data, &len)) != 0)
789 fatal("%s: buffer error: %s", __func__, ssh_err(r));
791 debug("request %u: write \"%s\" (handle %d) off %llu len %zu",
792 id, handle_to_name(handle), handle, (unsigned long long)off, len);
793 fd = handle_to_fd(handle);
796 status = SSH2_FX_FAILURE;
798 if (!(handle_to_flags(handle) & O_APPEND) &&
799 lseek(fd, off, SEEK_SET) < 0) {
800 status = errno_to_portable(errno);
801 error("process_write: seek failed");
804 ret = write(fd, data, len);
806 error("process_write: write failed");
807 status = errno_to_portable(errno);
808 } else if ((size_t)ret == len) {
810 handle_update_write(handle, ret);
812 debug2("nothing at all written");
813 status = SSH2_FX_FAILURE;
817 send_status(id, status);
822 process_do_stat(u_int32_t id, int do_lstat)
827 int r, status = SSH2_FX_FAILURE;
829 if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
830 fatal("%s: buffer error: %s", __func__, ssh_err(r));
832 debug3("request %u: %sstat", id, do_lstat ? "l" : "");
833 verbose("%sstat name \"%s\"", do_lstat ? "l" : "", name);
834 r = do_lstat ? lstat(name, &st) : stat(name, &st);
836 status = errno_to_portable(errno);
838 stat_to_attrib(&st, &a);
842 if (status != SSH2_FX_OK)
843 send_status(id, status);
848 process_stat(u_int32_t id)
850 process_do_stat(id, 0);
854 process_lstat(u_int32_t id)
856 process_do_stat(id, 1);
860 process_fstat(u_int32_t id)
864 int fd, r, handle, status = SSH2_FX_FAILURE;
866 if ((r = get_handle(iqueue, &handle)) != 0)
867 fatal("%s: buffer error: %s", __func__, ssh_err(r));
868 debug("request %u: fstat \"%s\" (handle %u)",
869 id, handle_to_name(handle), handle);
870 fd = handle_to_fd(handle);
874 status = errno_to_portable(errno);
876 stat_to_attrib(&st, &a);
881 if (status != SSH2_FX_OK)
882 send_status(id, status);
885 static struct timeval *
886 attrib_to_tv(const Attrib *a)
888 static struct timeval tv[2];
890 tv[0].tv_sec = a->atime;
892 tv[1].tv_sec = a->mtime;
898 process_setstat(u_int32_t id)
902 int r, status = SSH2_FX_OK;
904 if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
905 (r = decode_attrib(iqueue, &a)) != 0)
906 fatal("%s: buffer error: %s", __func__, ssh_err(r));
908 debug("request %u: setstat name \"%s\"", id, name);
909 if (a.flags & SSH2_FILEXFER_ATTR_SIZE) {
910 logit("set \"%s\" size %llu",
911 name, (unsigned long long)a.size);
912 r = truncate(name, a.size);
914 status = errno_to_portable(errno);
916 if (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
917 logit("set \"%s\" mode %04o", name, a.perm);
918 r = chmod(name, a.perm & 07777);
920 status = errno_to_portable(errno);
922 if (a.flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
926 strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
928 logit("set \"%s\" modtime %s", name, buf);
929 r = utimes(name, attrib_to_tv(&a));
931 status = errno_to_portable(errno);
933 if (a.flags & SSH2_FILEXFER_ATTR_UIDGID) {
934 logit("set \"%s\" owner %lu group %lu", name,
935 (u_long)a.uid, (u_long)a.gid);
936 r = chown(name, a.uid, a.gid);
938 status = errno_to_portable(errno);
940 send_status(id, status);
945 process_fsetstat(u_int32_t id)
949 int status = SSH2_FX_OK;
951 if ((r = get_handle(iqueue, &handle)) != 0 ||
952 (r = decode_attrib(iqueue, &a)) != 0)
953 fatal("%s: buffer error: %s", __func__, ssh_err(r));
955 debug("request %u: fsetstat handle %d", id, handle);
956 fd = handle_to_fd(handle);
958 status = SSH2_FX_FAILURE;
960 char *name = handle_to_name(handle);
962 if (a.flags & SSH2_FILEXFER_ATTR_SIZE) {
963 logit("set \"%s\" size %llu",
964 name, (unsigned long long)a.size);
965 r = ftruncate(fd, a.size);
967 status = errno_to_portable(errno);
969 if (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
970 logit("set \"%s\" mode %04o", name, a.perm);
972 r = fchmod(fd, a.perm & 07777);
974 r = chmod(name, a.perm & 07777);
977 status = errno_to_portable(errno);
979 if (a.flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
983 strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
985 logit("set \"%s\" modtime %s", name, buf);
987 r = futimes(fd, attrib_to_tv(&a));
989 r = utimes(name, attrib_to_tv(&a));
992 status = errno_to_portable(errno);
994 if (a.flags & SSH2_FILEXFER_ATTR_UIDGID) {
995 logit("set \"%s\" owner %lu group %lu", name,
996 (u_long)a.uid, (u_long)a.gid);
998 r = fchown(fd, a.uid, a.gid);
1000 r = chown(name, a.uid, a.gid);
1003 status = errno_to_portable(errno);
1006 send_status(id, status);
1010 process_opendir(u_int32_t id)
1014 int r, handle, status = SSH2_FX_FAILURE;
1016 if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
1017 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1019 debug3("request %u: opendir", id);
1020 logit("opendir \"%s\"", path);
1021 dirp = opendir(path);
1023 status = errno_to_portable(errno);
1025 handle = handle_new(HANDLE_DIR, path, 0, 0, dirp);
1029 send_handle(id, handle);
1030 status = SSH2_FX_OK;
1034 if (status != SSH2_FX_OK)
1035 send_status(id, status);
1040 process_readdir(u_int32_t id)
1047 if ((r = get_handle(iqueue, &handle)) != 0)
1048 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1050 debug("request %u: readdir \"%s\" (handle %d)", id,
1051 handle_to_name(handle), handle);
1052 dirp = handle_to_dir(handle);
1053 path = handle_to_name(handle);
1054 if (dirp == NULL || path == NULL) {
1055 send_status(id, SSH2_FX_FAILURE);
1058 char pathname[PATH_MAX];
1060 int nstats = 10, count = 0, i;
1062 stats = xcalloc(nstats, sizeof(Stat));
1063 while ((dp = readdir(dirp)) != NULL) {
1064 if (count >= nstats) {
1066 stats = xrealloc(stats, nstats, sizeof(Stat));
1068 /* XXX OVERFLOW ? */
1069 snprintf(pathname, sizeof pathname, "%s%s%s", path,
1070 strcmp(path, "/") ? "/" : "", dp->d_name);
1071 if (lstat(pathname, &st) < 0)
1073 stat_to_attrib(&st, &(stats[count].attrib));
1074 stats[count].name = xstrdup(dp->d_name);
1075 stats[count].long_name = ls_file(dp->d_name, &st, 0, 0);
1077 /* send up to 100 entries in one message */
1078 /* XXX check packet size instead */
1083 send_names(id, count, stats);
1084 for (i = 0; i < count; i++) {
1085 free(stats[i].name);
1086 free(stats[i].long_name);
1089 send_status(id, SSH2_FX_EOF);
1096 process_remove(u_int32_t id)
1099 int r, status = SSH2_FX_FAILURE;
1101 if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
1102 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1104 debug3("request %u: remove", id);
1105 logit("remove name \"%s\"", name);
1107 status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1108 send_status(id, status);
1113 process_mkdir(u_int32_t id)
1117 int r, mode, status = SSH2_FX_FAILURE;
1119 if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
1120 (r = decode_attrib(iqueue, &a)) != 0)
1121 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1123 mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
1124 a.perm & 07777 : 0777;
1125 debug3("request %u: mkdir", id);
1126 logit("mkdir name \"%s\" mode 0%o", name, mode);
1127 r = mkdir(name, mode);
1128 status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1129 send_status(id, status);
1134 process_rmdir(u_int32_t id)
1139 if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
1140 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1142 debug3("request %u: rmdir", id);
1143 logit("rmdir name \"%s\"", name);
1145 status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1146 send_status(id, status);
1151 process_realpath(u_int32_t id)
1153 char resolvedname[PATH_MAX];
1157 if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
1158 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1160 if (path[0] == '\0') {
1162 path = xstrdup(".");
1164 debug3("request %u: realpath", id);
1165 verbose("realpath \"%s\"", path);
1166 if (realpath(path, resolvedname) == NULL) {
1167 send_status(id, errno_to_portable(errno));
1170 attrib_clear(&s.attrib);
1171 s.name = s.long_name = resolvedname;
1172 send_names(id, 1, &s);
1178 process_rename(u_int32_t id)
1180 char *oldpath, *newpath;
1184 if ((r = sshbuf_get_cstring(iqueue, &oldpath, NULL)) != 0 ||
1185 (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
1186 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1188 debug3("request %u: rename", id);
1189 logit("rename old \"%s\" new \"%s\"", oldpath, newpath);
1190 status = SSH2_FX_FAILURE;
1191 if (lstat(oldpath, &sb) == -1)
1192 status = errno_to_portable(errno);
1193 else if (S_ISREG(sb.st_mode)) {
1194 /* Race-free rename of regular files */
1195 if (link(oldpath, newpath) == -1) {
1196 if (errno == EOPNOTSUPP || errno == ENOSYS
1200 #ifdef LINK_OPNOTSUPP_ERRNO
1201 || errno == LINK_OPNOTSUPP_ERRNO
1207 * fs doesn't support links, so fall back to
1208 * stat+rename. This is racy.
1210 if (stat(newpath, &st) == -1) {
1211 if (rename(oldpath, newpath) == -1)
1213 errno_to_portable(errno);
1215 status = SSH2_FX_OK;
1218 status = errno_to_portable(errno);
1220 } else if (unlink(oldpath) == -1) {
1221 status = errno_to_portable(errno);
1222 /* clean spare link */
1225 status = SSH2_FX_OK;
1226 } else if (stat(newpath, &sb) == -1) {
1227 if (rename(oldpath, newpath) == -1)
1228 status = errno_to_portable(errno);
1230 status = SSH2_FX_OK;
1232 send_status(id, status);
1238 process_readlink(u_int32_t id)
1244 if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
1245 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1247 debug3("request %u: readlink", id);
1248 verbose("readlink \"%s\"", path);
1249 if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1)
1250 send_status(id, errno_to_portable(errno));
1255 attrib_clear(&s.attrib);
1256 s.name = s.long_name = buf;
1257 send_names(id, 1, &s);
1263 process_symlink(u_int32_t id)
1265 char *oldpath, *newpath;
1268 if ((r = sshbuf_get_cstring(iqueue, &oldpath, NULL)) != 0 ||
1269 (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
1270 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1272 debug3("request %u: symlink", id);
1273 logit("symlink old \"%s\" new \"%s\"", oldpath, newpath);
1274 /* this will fail if 'newpath' exists */
1275 r = symlink(oldpath, newpath);
1276 status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1277 send_status(id, status);
1283 process_extended_posix_rename(u_int32_t id)
1285 char *oldpath, *newpath;
1288 if ((r = sshbuf_get_cstring(iqueue, &oldpath, NULL)) != 0 ||
1289 (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
1290 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1292 debug3("request %u: posix-rename", id);
1293 logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath);
1294 r = rename(oldpath, newpath);
1295 status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1296 send_status(id, status);
1302 process_extended_statvfs(u_int32_t id)
1308 if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
1309 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1310 debug3("request %u: statvfs", id);
1311 logit("statvfs \"%s\"", path);
1313 if (statvfs(path, &st) != 0)
1314 send_status(id, errno_to_portable(errno));
1316 send_statvfs(id, &st);
1321 process_extended_fstatvfs(u_int32_t id)
1326 if ((r = get_handle(iqueue, &handle)) != 0)
1327 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1328 debug("request %u: fstatvfs \"%s\" (handle %u)",
1329 id, handle_to_name(handle), handle);
1330 if ((fd = handle_to_fd(handle)) < 0) {
1331 send_status(id, SSH2_FX_FAILURE);
1334 if (fstatvfs(fd, &st) != 0)
1335 send_status(id, errno_to_portable(errno));
1337 send_statvfs(id, &st);
1341 process_extended_hardlink(u_int32_t id)
1343 char *oldpath, *newpath;
1346 if ((r = sshbuf_get_cstring(iqueue, &oldpath, NULL)) != 0 ||
1347 (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
1348 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1350 debug3("request %u: hardlink", id);
1351 logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath);
1352 r = link(oldpath, newpath);
1353 status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1354 send_status(id, status);
1360 process_extended_fsync(u_int32_t id)
1362 int handle, fd, r, status = SSH2_FX_OP_UNSUPPORTED;
1364 if ((r = get_handle(iqueue, &handle)) != 0)
1365 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1366 debug3("request %u: fsync (handle %u)", id, handle);
1367 verbose("fsync \"%s\"", handle_to_name(handle));
1368 if ((fd = handle_to_fd(handle)) < 0)
1369 status = SSH2_FX_NO_SUCH_FILE;
1370 else if (handle_is_ok(handle, HANDLE_FILE)) {
1372 status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
1374 send_status(id, status);
1378 process_extended(u_int32_t id)
1383 if ((r = sshbuf_get_cstring(iqueue, &request, NULL)) != 0)
1384 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1385 for (i = 0; extended_handlers[i].handler != NULL; i++) {
1386 if (strcmp(request, extended_handlers[i].ext_name) == 0) {
1387 if (!request_permitted(&extended_handlers[i]))
1388 send_status(id, SSH2_FX_PERMISSION_DENIED);
1390 extended_handlers[i].handler(id);
1394 if (extended_handlers[i].handler == NULL) {
1395 error("Unknown extended request \"%.100s\"", request);
1396 send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */
1401 /* stolen from ssh-agent */
1414 buf_len = sshbuf_len(iqueue);
1416 return; /* Incomplete message. */
1417 cp = sshbuf_ptr(iqueue);
1418 msg_len = get_u32(cp);
1419 if (msg_len > SFTP_MAX_MSG_LENGTH) {
1420 error("bad message from %s local user %s",
1421 client_addr, pw->pw_name);
1422 sftp_server_cleanup_exit(11);
1424 if (buf_len < msg_len + 4)
1426 if ((r = sshbuf_consume(iqueue, 4)) != 0)
1427 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1429 if ((r = sshbuf_get_u8(iqueue, &type)) != 0)
1430 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1437 case SSH2_FXP_EXTENDED:
1439 fatal("Received extended request before init");
1440 if ((r = sshbuf_get_u32(iqueue, &id)) != 0)
1441 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1442 process_extended(id);
1446 fatal("Received %u request before init", type);
1447 if ((r = sshbuf_get_u32(iqueue, &id)) != 0)
1448 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1449 for (i = 0; handlers[i].handler != NULL; i++) {
1450 if (type == handlers[i].type) {
1451 if (!request_permitted(&handlers[i])) {
1453 SSH2_FX_PERMISSION_DENIED);
1455 handlers[i].handler(id);
1460 if (handlers[i].handler == NULL)
1461 error("Unknown message %u", type);
1463 /* discard the remaining bytes from the current packet */
1464 if (buf_len < sshbuf_len(iqueue)) {
1465 error("iqueue grew unexpectedly");
1466 sftp_server_cleanup_exit(255);
1468 consumed = buf_len - sshbuf_len(iqueue);
1469 if (msg_len < consumed) {
1470 error("msg_len %u < consumed %u", msg_len, consumed);
1471 sftp_server_cleanup_exit(255);
1473 if (msg_len > consumed &&
1474 (r = sshbuf_consume(iqueue, msg_len - consumed)) != 0)
1475 fatal("%s: buffer error: %s", __func__, ssh_err(r));
1478 /* Cleanup handler that logs active handles upon normal exit */
1480 sftp_server_cleanup_exit(int i)
1482 if (pw != NULL && client_addr != NULL) {
1484 logit("session closed for local user %s from [%s]",
1485 pw->pw_name, client_addr);
1491 sftp_server_usage(void)
1493 extern char *__progname;
1496 "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
1497 "[-l log_level]\n\t[-P blacklisted_requests] "
1498 "[-p whitelisted_requests] [-u umask]\n"
1499 " %s -Q protocol_feature\n",
1500 __progname, __progname);
1505 sftp_server_main(int argc, char **argv, struct passwd *user_pw)
1507 fd_set *rset, *wset;
1508 int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
1509 ssize_t len, olen, set_size;
1510 SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
1511 char *cp, *homedir = NULL, buf[4*4096];
1514 extern char *optarg;
1515 extern char *__progname;
1517 __progname = ssh_get_progname(argv[0]);
1518 log_init(__progname, log_level, log_facility, log_stderr);
1520 pw = pwcopy(user_pw);
1522 while (!skipargs && (ch = getopt(argc, argv,
1523 "d:f:l:P:p:Q:u:cehR")) != -1) {
1526 if (strcasecmp(optarg, "requests") != 0) {
1527 fprintf(stderr, "Invalid query type\n");
1530 for (i = 0; handlers[i].handler != NULL; i++)
1531 printf("%s\n", handlers[i].name);
1532 for (i = 0; extended_handlers[i].handler != NULL; i++)
1533 printf("%s\n", extended_handlers[i].name);
1541 * Ignore all arguments if we are invoked as a
1542 * shell using "sftp-server -c command"
1550 log_level = log_level_number(optarg);
1551 if (log_level == SYSLOG_LEVEL_NOT_SET)
1552 error("Invalid log level \"%s\"", optarg);
1555 log_facility = log_facility_number(optarg);
1556 if (log_facility == SYSLOG_FACILITY_NOT_SET)
1557 error("Invalid log facility \"%s\"", optarg);
1560 cp = tilde_expand_filename(optarg, user_pw->pw_uid);
1561 homedir = percent_expand(cp, "d", user_pw->pw_dir,
1562 "u", user_pw->pw_name, (char *)NULL);
1566 if (request_whitelist != NULL)
1567 fatal("Permitted requests already set");
1568 request_whitelist = xstrdup(optarg);
1571 if (request_blacklist != NULL)
1572 fatal("Refused requests already set");
1573 request_blacklist = xstrdup(optarg);
1577 mask = strtol(optarg, &cp, 8);
1578 if (mask < 0 || mask > 0777 || *cp != '\0' ||
1579 cp == optarg || (mask == 0 && errno != 0))
1580 fatal("Invalid umask \"%s\"", optarg);
1581 (void)umask((mode_t)mask);
1585 sftp_server_usage();
1589 log_init(__progname, log_level, log_facility, log_stderr);
1591 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
1593 * On Linux, we should try to avoid making /proc/self/{mem,maps}
1594 * available to the user so that sftp access doesn't automatically
1595 * imply arbitrary code execution access that will break
1596 * restricted configurations.
1598 if (prctl(PR_SET_DUMPABLE, 0) != 0)
1599 fatal("unable to make the process undumpable");
1600 #endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */
1602 if ((cp = getenv("SSH_CONNECTION")) != NULL) {
1603 client_addr = xstrdup(cp);
1604 if ((cp = strchr(client_addr, ' ')) == NULL) {
1605 error("Malformed SSH_CONNECTION variable: \"%s\"",
1606 getenv("SSH_CONNECTION"));
1607 sftp_server_cleanup_exit(255);
1611 client_addr = xstrdup("UNKNOWN");
1613 logit("session opened for local user %s from [%s]",
1614 pw->pw_name, client_addr);
1617 out = STDOUT_FILENO;
1620 setmode(in, O_BINARY);
1621 setmode(out, O_BINARY);
1630 if ((iqueue = sshbuf_new()) == NULL)
1631 fatal("%s: sshbuf_new failed", __func__);
1632 if ((oqueue = sshbuf_new()) == NULL)
1633 fatal("%s: sshbuf_new failed", __func__);
1635 set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask);
1636 rset = (fd_set *)xmalloc(set_size);
1637 wset = (fd_set *)xmalloc(set_size);
1639 if (homedir != NULL) {
1640 if (chdir(homedir) != 0) {
1641 error("chdir to \"%s\" failed: %s", homedir,
1647 memset(rset, 0, set_size);
1648 memset(wset, 0, set_size);
1651 * Ensure that we can read a full buffer and handle
1652 * the worst-case length packet it can generate,
1653 * otherwise apply backpressure by stopping reads.
1655 if ((r = sshbuf_check_reserve(iqueue, sizeof(buf))) == 0 &&
1656 (r = sshbuf_check_reserve(oqueue,
1657 SFTP_MAX_MSG_LENGTH)) == 0)
1659 else if (r != SSH_ERR_NO_BUFFER_SPACE)
1660 fatal("%s: sshbuf_check_reserve failed: %s",
1661 __func__, ssh_err(r));
1663 olen = sshbuf_len(oqueue);
1667 if (select(max+1, rset, wset, NULL, NULL) < 0) {
1670 error("select: %s", strerror(errno));
1671 sftp_server_cleanup_exit(2);
1674 /* copy stdin to iqueue */
1675 if (FD_ISSET(in, rset)) {
1676 len = read(in, buf, sizeof buf);
1679 sftp_server_cleanup_exit(0);
1680 } else if (len < 0) {
1681 error("read: %s", strerror(errno));
1682 sftp_server_cleanup_exit(1);
1683 } else if ((r = sshbuf_put(iqueue, buf, len)) != 0) {
1684 fatal("%s: buffer error: %s",
1685 __func__, ssh_err(r));
1688 /* send oqueue to stdout */
1689 if (FD_ISSET(out, wset)) {
1690 len = write(out, sshbuf_ptr(oqueue), olen);
1692 error("write: %s", strerror(errno));
1693 sftp_server_cleanup_exit(1);
1694 } else if ((r = sshbuf_consume(oqueue, len)) != 0) {
1695 fatal("%s: buffer error: %s",
1696 __func__, ssh_err(r));
1701 * Process requests from client if we can fit the results
1702 * into the output buffer, otherwise stop processing input
1703 * and let the output queue drain.
1705 r = sshbuf_check_reserve(oqueue, SFTP_MAX_MSG_LENGTH);
1708 else if (r != SSH_ERR_NO_BUFFER_SPACE)
1709 fatal("%s: sshbuf_check_reserve: %s",
1710 __func__, ssh_err(r));