On Tue, 8 Feb 2005 23:22:15 +0100, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:

> On Mon, Feb 07, 2005 at 10:08:24AM -0500, Peter Fraser wrote:
> > After reading the ftp rfc's (959 and 1123) I don't understand
> > how ftp-proxy can work without support of pf, and any
> > ftp client that works in active mode with the current ftp-proxy
> > is in violation of these rfc's.
> >
> > In particular section 3.2 of rfc949 and 4.1.2.12 of rfc1123
> > together say that the data from an active ftp connection
> > must come from port ftp-data and the IP address of the
> > control channel (i.e. the IP address the ftp open command)
>
> The requirement that the data connection must come from port ftp-data is
> commonly relaxed. In order for the ftp server to use port 20 (which is
> privileged, < 1024), the server would have to run as root permanently.
Systrace can enable specific operations as root without running the daemon
under the root UID. The ftp-proxy process currently uses root to access
/dev/pf for the DIOCNATLOOK ioctl; that also could be handled by systrace.

Would it be reasonable to modify ftp-proxy to attempt to bind the source
port to ftp-data (port 20) even when not running as root, then fall back to
a socket in the designated range only if binding ftp-data fails?

Looking at ftp-proxy.c, the change to handle this would be minor; I can
submit a diff if there is interest.

Kevin Kadow
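The bind-then-fall-back behaviour proposed above, written out as an added example in C. This is not code from ftp-proxy or from anyone on this thread; it assumes an IPv4 socket, a caller-supplied fallback port range (the 49152-65535 used in main() is a placeholder, not ftp-proxy's configured range), a small callback shape for "one bind attempt", and a simulated bind routine that exists only so the policy can be exercised without root or a network.

```c
/* Added example (not ftp-proxy code): try to bind an FTP data socket's
 * source port to ftp-data (20) first, and fall back to the first free
 * port in a designated range when that fails, typically with EACCES
 * because the process is not root.  The callback shape, the fallback
 * range and the simulated bind are assumptions of this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define FTP_DATA_PORT 20

/* One bind attempt on a given port: 0 on success, -1 with errno set. */
typedef int (*bind_fn)(void *ctx, int port);

/* Selection policy: prefer ftp-data, then scan [lo, hi] in order.
 * Returns the port actually bound, or -1 if none could be bound. */
int pick_source_port(bind_fn try_bind, void *ctx, int lo, int hi)
{
    int port;

    if (try_bind(ctx, FTP_DATA_PORT) == 0)
        return FTP_DATA_PORT;
    if (errno == EACCES || errno == EPERM)
        fprintf(stderr, "not privileged for port %d, using fallback range\n",
                FTP_DATA_PORT);
    else
        fprintf(stderr, "bind port %d: %s, using fallback range\n",
                FTP_DATA_PORT, strerror(errno));

    for (port = lo; port <= hi; port++)
        if (try_bind(ctx, port) == 0)
            return port;
    return -1;
}

/* Real bind(2) against an IPv4 socket with a fixed local address. */
struct sock_ctx { int fd; struct in_addr addr; };

int real_bind(void *vctx, int port)
{
    struct sock_ctx *c = vctx;
    struct sockaddr_in sin;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr = c->addr;
    sin.sin_port = htons((uint16_t)port);
    return bind(c->fd, (struct sockaddr *)&sin, sizeof sin);
}

/* Simulated bind (example-only): privileged ports succeed only when
 * is_root is set; every port below first_free reports EADDRINUSE. */
struct fake_ctx { int is_root; int first_free; };

int simulated_bind(void *vctx, int port)
{
    struct fake_ctx *c = vctx;

    if (port < 1024) {
        if (c->is_root)
            return 0;
        errno = EACCES;
        return -1;
    }
    if (port < c->first_free) {
        errno = EADDRINUSE;
        return -1;
    }
    return 0;
}

int main(void)
{
    struct sock_ctx c;
    int port;

    c.fd = socket(AF_INET, SOCK_STREAM, 0);
    if (c.fd < 0) { perror("socket"); return 1; }
    inet_pton(AF_INET, "127.0.0.1", &c.addr);

    /* Fallback range is a placeholder, not ftp-proxy's configured range. */
    port = pick_source_port(real_bind, &c, 49152, 65535);
    printf("data connection source port: %d\n", port);
    close(c.fd);
    return port < 0;
}
```

Run as a regular user, main() reports a port from the fallback range; run as root (or with the bind allowed by a systrace policy, as the message suggests), it reports 20. The range passed to pick_source_port has to be whatever range the proxy's pf rules already expect for the fallback case, so the only behavioural change is the extra attempt on port 20 first.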
