Home / server / Questions / 166098
Accepted
Joris
Asked: 2010-08-02 11:16:36 +0800 CST

active-to-passive ftp solution

  • 772

I have an ftp client (.NET app I don't have the source to) that only does active mode that needs to push data to an appliances ftp-server that only speaks passive.

There is nothing I can do to modify the software on either end; but everything in between is fair game. (routing, windows or linux software, firewall tricks, ...)

Is there some kind of ftp proxy software? Or some kind of solution I could try?

ftp passive

1 Answers

  1. Best Answer

    There is (or, perhaps, was?) a very nice daemon called SuSE Proxy Suite. It was intercepting FTP traffic and allowed one to redirect ftp-client to some specific backend-server and if my memory serves me, it allowed active<->passive conversions, too. I used the program in pretty heavy environment for years without troubles.

    Unfortunately my old bookmark (http://proxy-suite.suse.de) seems to redirect itself to Novell's page. Several package repositories (FreeBSD, Debian after quick googling) seems to still include the software, so you may have some hope.

    FreshPorts seems to have a nice description about the software:

    http://www.freshports.org/net/proxy-suite/

    EDIT: One more thing. I have no idea if this small issue was patched later (it wasn't back in 2004 I last used this thing), but by default proxy-suite is running as root since it needs to bind to low ports. And it was running as Really Root, since it didn't take an advantage of Linux capabilities.

    Today it should be possible to set the file capabilities through the setcap command like this:

    sudo setcap 'cap_net_bind_service=+ep' /path/to/file

    But if this does not work (even though capabilities did exist, setcap command was not very common when I patched proxy-suite), here's another workaround.

    Back in 2004 or so I wrote a small patch which dropped all the capabilities except CAP_NET_BIND_SERVICE right after the startup, so even some potential security holes would be less dangerous. You normally might not need this patch, but if you have this disease called security paranoia and your file transfer occurs between some dark corners of the Internet instead of your cushy office LAN, the patch might be a good idea.

    To see if ftp-proxy is running as full root privileges, check out if getpcaps returns something like this:

    yourserver root# getpcaps `pidof ftp-proxy`
Capabilities for `16982': =eip cap_setpcap-eip

    A patched version should return like this:

    yourserver root# getpcaps `pidof ftp-proxy`
Capabilities for `9522': = cap_net_bind_service+ep

    And finally, here's the patch I wrote millions of moons ago, I hope it still can be applied.

    --- common/com-misc.c.orig      2006-11-20 13:54:59.000000000 +0200
+++ common/com-misc.c   2006-11-20 14:40:47.000000000 +0200
@@ -36,0 +37 @@
+#include <sys/capability.h>
@@ -748,0 +750,18 @@
+        /*
+        * If running as root, drop all the privileges except CAP_NET_BIND
+        */
+        if (geteuid() == 0) {
+                cap_t caps = cap_init();
+                static cap_value_t capv[] = {CAP_NET_BIND_SERVICE};
+                const int numcaps = sizeof(capv) / sizeof(capv[0]);
+                if (caps == NULL)
+                        syslog_error("cap_init() failed; errno = %d", errno);
+                if (cap_set_flag(caps, CAP_PERMITTED, numcaps, capv, CAP_SET) < 0)
+                        syslog_error("Could not set permitted capabilities;
errno = %d", errno);
+                if (cap_set_flag(caps, CAP_EFFECTIVE, numcaps, capv, CAP_SET) < 0)
+                        syslog_error("Could not set effective capabilities;
errno = %d", errno);
+                if (cap_set_proc(caps) < 0)
+                        syslog_error("Could not apply capability set; errno =
%d", errno);
+                cap_free(caps);
+        }
+
    • 2