[comp.sys.sun] ftp logging

koreth@ssyx.ucsc.edu (Steven Grimm) (01/07/89)

We run an anonymous FTP service on ssyx.ucsc.edu, and we like to know
which files are being transferred and by whom.  To keep track of this
information, I have made the following additions to the in.ftpd source
(these are for SunOS 4.0; the patches are easy to adapt to other versions
of the OS).  Files modified are ftpcmd.y, ftpd.c, and ftpd.8c (the manual
page).  This patch is also useful for system security purposes, as it logs
all ftp sessions; if an intruder is transferring files from your site, the
transfers will show up in the logfile.

---
Steven Grimm		Moderator, comp.{sources,binaries}.atari.st
koreth@ssyx.ucsc.edu	uunet!ucbvax!ucscc!ssyx!koreth
University of California, Santa Cruz; Social Sciences Division

[[ The patch has been placed in the archives under "sun-source" as
"ftp.logging.patch".  It is 7191 bytes long.  It can be retrieved via
anonymous FTP from the host "titan.rice.edu" or via the archive server.
For more information about the archive server, send a mail message
containing the word "help" to the address "archive-server@rice.edu".
--wnl ]]

cyrus@pprg.unm.edu (Tait Cyrus) (01/14/89)

>The patch has been placed in the archives under "sun-source" as
>"ftp.logging.patch"....

Really???  Not when I looked (Jan 9, 1989 around 15:30 MST).  When will
they be made available?

Thanks

	++Tait
	cyrus@pprg.unm.edu

[[ There was a slight delay in placing that file and the
gnuchesstool.patch files in the archives.  My apologies: they are both
there now.  --wnl ]]

cyrus@pprg.unm.edu (Tait Cyrus) (01/16/89)

koreth@ssyx.ucsc.edu (Steven Grimm) writes:
>We run an anonymous FTP service on ssyx.ucsc.edu, and we like to know
>which files are being transferred and by whom.  To keep track of this
>information, I have made the following additions to the in.ftpd source

Looking at these patches, I can't see how they work for anonymous ftp
(they appear to work for regular users).  The only way I can see these
patches working with anonymous ftp is iff the anonymous ftp directory is
/.  The reason I make this statement is because the log file is opened
before the chroot.  After the chroot, you can no longer access the file.
I wanted to do the same thing (with the BSD 4.3 src posted a while back)
and ran into this problem under SunOS 4.0 on my Sun 3/160.  The way I
solved this problem was to open the log file AFTER the chroot, though I
don't log what "regular" users do.

If I am overlooking something, I would appreciate someone telling me
because my "method" is a real hack, though it gets the job done very well.

W. Tait Cyrus   (505) 277-0806		e-mail: cyrus@pprg.unm.edu
University of New Mexico			
Dept of ECE - Parallel Processing Research Group
Albuquerque, New Mexico 87131

[[ I want to provide an explanation here, but it would probably just be
wrong.  --wnl ]]

koreth@ssyx.ucsc.edu (Steven Grimm) (01/28/89)

>Looking at these patches, I can't see how they work for anonymous ftp
>(they appear to work for regular users).  The only way I can see these
>patches working with anonymous ftp is iff the anonymous ftp directory is
>/.  The reason I make this statement is because the log file is opened
>before the chroot.  After the chroot, you can no longer access the file.

Not true.  Once a file is open, it doesn't matter where it is on the
directory tree.  The filesystem already has a dev/inode pair for the file,
and it doesn't matter WHERE in the directory tree that pair is.  As
evidence, I offer the fact that my ftp logging patches work, and have been
working for quite a while now.

[[ The chroot-ed environment only matters when a file is opened.  Once you
have an open file descriptor, any amount of chroot-ing isn't going to
affect it.  --wnl ]]
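
The behaviour described in the last two messages, as an added example that is not part of the original thread or of ftp.logging.patch: a child process opens a log file, calls chroot(2) into an empty directory, confirms the path no longer resolves, and still appends through the descriptor it already holds. The function names, return codes, scratch paths and log line are hypothetical; chroot(2) normally needs root, so an unprivileged run reports LOG_NOCHROOT.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes chroot(2) and mkdtemp(3) on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum { LOG_OK = 0, LOG_FAIL = 1, LOG_NOCHROOT = 2 };

/* Child: open the log first, enter the jail, then log through the old descriptor. */
static int jailed_logger(const char *logpath, const char *jail)
{
    static const char msg[] = "RETR pub/README by anonymous\n"; /* constructed sample line */
    int fd = open(logpath, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return LOG_FAIL;
    if (chroot(jail) != 0) return LOG_NOCHROOT;   /* refused, typically EPERM when not root */
    if (chdir("/") != 0) return LOG_FAIL;
    /* Inside the jail the old path no longer resolves, so a fresh open must fail ... */
    if (open(logpath, O_WRONLY | O_APPEND) >= 0) return LOG_FAIL;
    /* ... but the descriptor still names the same dev/inode pair, so the write works. */
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) return LOG_FAIL;
    return LOG_OK;
}

/* Parent: build a scratch jail, run the child, and check that the line landed
 * in the log file, which lives outside the jail directory. */
int demo_log_across_chroot(void)
{
    char base[] = "/tmp/ftplogXXXXXX", logpath[64], jail[64];
    struct stat st;
    int status, rc;
    if (!mkdtemp(base)) return LOG_FAIL;
    snprintf(logpath, sizeof logpath, "%s/ftpd.log", base);
    snprintf(jail, sizeof jail, "%s/jail", base);
    if (mkdir(jail, 0700) != 0) return LOG_FAIL;
    pid_t pid = fork();
    if (pid < 0) return LOG_FAIL;
    if (pid == 0) _exit(jailed_logger(logpath, jail));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return LOG_FAIL;
    rc = WEXITSTATUS(status);
    if (rc == LOG_OK && (stat(logpath, &st) != 0 || st.st_size == 0)) rc = LOG_FAIL;
    unlink(logpath); rmdir(jail); rmdir(base);    /* remove the scratch files */
    return rc;
}

int main(void) { return demo_log_across_chroot(); }
```

Run as root it exits 0; run unprivileged it exits 2 because chroot(2) is refused before the jailed write is attempted.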