author Bob Beck <beck@cvs.openbsd.org> 2001-08-22 05:28:17 +0000
committer Bob Beck <beck@cvs.openbsd.org> 2001-08-22 05:28:17 +0000
commit 0fc3ca7ddfeb031be48404c0c22d0fce5291149a
tree de635a7b7c0bf782069c4f448cf6bb7f77a5db61 /libexec/ftp-proxy/ftp-proxy.8
parent a227322023011403151ff4c663609508a313c03f
-Functionify some of the main loop, so it isn't so horrifically deep and is a bit easier to look at, for small values of easier.
-Add two options for -u user and -g group to optionally make the proxy drop privs after doing its pf ioctls to find out where to go. Running as non root does mean that the PORT and EPRT backchannels do not come from port 20, but this isn't a problem for most sensible ftp clients and sets of packet filter rules that aren't written by a knuckle dragging ape living in the 90's. I would make it drop privs by default, but technically this breaks the ftp specs, and for the upcoming stuff to deal with EPRT, we will need root privs to manipulate rdr rules.
Diffstat (limited to 'libexec/ftp-proxy/ftp-proxy.8')
-rw-r--r-- libexec/ftp-proxy/ftp-proxy.8 22
1 files changed, 21 insertions, 1 deletions
diff --git a/libexec/ftp-proxy/ftp-proxy.8 b/libexec/ftp-proxy/ftp-proxy.8
index d0a83a64bce..3162bb8af1e 100644
--- a/libexec/ftp-proxy/ftp-proxy.8
+++ b/libexec/ftp-proxy/ftp-proxy.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.2 2001/08/19 13:43:09 deraadt Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.3 2001/08/22 05:28:15 beck Exp $
.\"
.\" Copyright (c) 1996-2001
.\" Obtuse Systems Corporation, All rights reserved.
@@ -56,6 +56,26 @@ The options are as follows:
Permit only anonymous ftp connections. The proxy will allow connections
to log in to other sites as the user "ftp" or "anonymous" only. Any
attempt to log in as another user will be blocked by the proxy.
+.It Fl g groupname
+specify the named group to drop group priviledges to, after doing pf lookups
+which require root. By default
+.Nm ftp-proxy
+uses the default group of the user it drops priviledge to.
+.It Fl u username
+specify the named user to drop priviledge to, after doing pf lookups
+which require root priviledge. By default
+.Nm ftp-proxy
+does not drop priviledge and runs as root.
+.Pp
+Running as root means that the source of data connections the proxy makes
+for PORT and EPRT will be the RFC mandated port 20. When
+running as a non-root user the source of the data connections from
+.Nm ftp-proxy
+will be chosen randomly from the range
+.Nm minport
+to
+.Nm maxport
+as described below.
.It Fl n
Activate network address translation mode. in this mode, the proxy
will not attempt to proxy passive mode (PASV or EPSV) data connections,
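Review bot: The new -g entry does not say what happens when -g is given without -u; since the -u entry states that the default is to keep running as root, the page should say whether -g alone is ignored, rejected, or drops only the group. The paragraph on data-connection source ports would also serve readers better if it noted that packet filter rules matching source port 20 must allow the minport to maxport range once -u is in use, because that is the operational consequence of choosing to drop privileges. Smaller points in the same added lines: "priviledge" and "priviledges" should be "privilege" and "privileges", the item text should start with a capital ("Specify") to match the neighbouring entries ("Permit", "Activate"), and minport and maxport are marked up with .Nm, which is meant for the utility name; .Ar would fit if they are option arguments.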