Oberon || Library || Module Index || Search Engine || Definition || Module

Ulm's Oberon Library:
FTPUnixPaths

NAME

SYNOPSIS

TYPE Path = POINTER TO PathRec;
TYPE PathRec = RECORD (Disciplines.ObjectRec) END;



PROCEDURE CreatePath(VAR path: Path;
                     root, pathname: ARRAY OF CHAR);
PROCEDURE CreateDerivedPath(VAR path: Path; oldpath: Path;
                            pathname: ARRAY OF CHAR);
PROCEDURE GetRelPath(path: Path; VAR pathname: ARRAY OF CHAR);
PROCEDURE GetAbsPath(path: Path; VAR pathname: ARRAY OF CHAR);
PROCEDURE Upward(path: Path);
PROCEDURE ChangeDir(path: Path; dirname: ARRAY OF CHAR);



PROCEDURE CheckAndProcessSymLinks(path: Path;
                                  newfile: BOOLEAN;
                                  VAR expandedPath: ARRAY OF CHAR;
                                  errors: RelatedEvents.Object) : BOOLEAN;

DESCRIPTION

CreatePath and CreateDerivedPath create paths that may be later manipulated using Upward and ChangeDir. Before accessing a file or directory, CheckAndProcessSymLinks is to be used to convert a path into a pathname free of symbolic links and uplinks which resides inside the simulated chroot jail.

CreatePath creates path out of pathname that is to be taken relative to root, the assumed pseudo root. CreateDerivedPath creates a new path out of oldpath with relative path pathname. The new path shares its root with the old path.

GetRelPath returns the relative uplink-free pathname of path as string, while GetAbsPath returns the absolute uplink-free pathname including its root. Neither GetRelPath nor GetAbsPath check for symlinks.

ChangeDir appends dirname to path. References to the upward directory (``..'') and to the same directory (``.'') are processed as by the constructors CreateDerivedPath and CheckAndProcessSymLinks. Likewise is the upward link of the pseudo root is interpreted to point to the pseudo root itself. Upward is equivalent to ChangeDir with ``..'' as dirname.

CheckAndProcessSymLinks should be used to extract a path name usable for UnixFiles or similar modules before accessing files or directories. It checks the entire path for symbolic links and interpretes them relative to the pseudo root of path. The last component of path may be non-existant if newfile is set to TRUE. On success, a symlink-free absolute path that points inside of the pseudo root is returned in expandedPath. Access errors, if any, are related to errors.

DIAGNOSTICS

SECURITY CONSIDERATIONS

• The process is still free to access files and directories outside the pseudo root. That means that if an attacker is able to execute supplied code inside a FTP server process he or she is not bound to the restrictions of CheckAndProcessSymLinks.
• In the time frame between the check using CheckAndProcessSymLinks and the actual access of the path found in expandedPath, symbolic links could be added that would direct the access outside of the pseudo chroot jail.

In summary, FTPUnixPaths helps to restrict FTP accesses to a particular directory and below (a home directory, for example) while running not with super-user privileges. This is an improvement in comparison to FTP servers that, if not logged in anonymously, provide unrestricted access to the whole file system including shared spaces like /tmp. But it is far from offering the security of a chroot jail based on chroot(2).

SEE ALSO

FTPUnixFileSystems

FTP command handler that implements file and directory accesses on base of this module.

BUGS

• An entire path that is extracted as string is limited to 8192 bytes. This limit applies to pseudo roots as well.
• Path components are limited to 512 bytes.

Oberon || Library || Module Index || Search Engine || Definition || Module