Sync from SUSE:SLFO:Main vsftpd revision 2da05debc592f7936f2ab5233a1d8112
This commit is contained in:
commit
7a52c51f25
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
@ -0,0 +1,29 @@
|
||||
From 9cba9e81aa96e1d64ae2eaaf88330e09dadfce79 Mon Sep 17 00:00:00 2001
|
||||
From: =?utf8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
||||
Date: Fri, 5 Jan 2018 09:40:09 +0100
|
||||
Subject: [PATCH 01/27] Fix default value of strict_ssl_read_eof in man page
|
||||
|
||||
---
|
||||
vsftpd.conf.5 | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
||||
index a5abeb2..43b0435 100644
|
||||
--- a/vsftpd.conf.5
|
||||
+++ b/vsftpd.conf.5
|
||||
@@ -574,10 +574,9 @@ Default: YES
|
||||
.B strict_ssl_read_eof
|
||||
If enabled, SSL data uploads are required to terminate via SSL, not an
|
||||
EOF on the socket. This option is required to be sure that an attacker did
|
||||
-not terminate an upload prematurely with a faked TCP FIN. Unfortunately, it
|
||||
-is not enabled by default because so few clients get it right. (New in v2.0.7).
|
||||
+not terminate an upload prematurely with a faked TCP FIN. (New in v2.0.7).
|
||||
|
||||
-Default: NO
|
||||
+Default: YES
|
||||
.TP
|
||||
.B strict_ssl_write_shutdown
|
||||
If enabled, SSL data downloads are required to terminate via SSL, not an
|
||||
--
|
||||
2.40.1
|
||||
|
@ -0,0 +1,31 @@
|
||||
From 1c280a0b04e58ec63ce9ab5eb8d0ffe5ebbae115 Mon Sep 17 00:00:00 2001
|
||||
From: =?utf8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
||||
Date: Thu, 21 Dec 2017 14:29:25 +0100
|
||||
Subject: [PATCH] When handling FEAT command, check ssl_tlsv1_1 and ssl_tlsv1_2
|
||||
|
||||
Send 'AUTH SSL' in reply to the FEAT command when the ssl_tlsv1_1
|
||||
or ssl_tlsv1_2 configuration option is enabled.
|
||||
|
||||
The patch was written by Martin Sehnoutka.
|
||||
|
||||
Resolves: rhbz#1432054
|
||||
---
|
||||
features.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/features.c b/features.c
|
||||
index 1212980..d024366 100644
|
||||
--- a/features.c
|
||||
+++ b/features.c
|
||||
@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
|
||||
{
|
||||
vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
|
||||
}
|
||||
- if (tunable_tlsv1)
|
||||
+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
|
||||
{
|
||||
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
|
||||
}
|
||||
--
|
||||
2.29.0
|
||||
|
12
README.SUSE
Normal file
12
README.SUSE
Normal file
@ -0,0 +1,12 @@
|
||||
vsftpd-3.0.0 made the listen mode default. In order to maintain backward
|
||||
compatibility, default /etc/vsftpd.conf in SUSE contains
|
||||
|
||||
listen=NO
|
||||
listen_ipv6=YES
|
||||
|
||||
if you plan to use xinetd (/etc/xinetd.d/vsftp) you don't need to change
|
||||
anything by default, but if you have ipv6 available you have to set
|
||||
listen_ipv6=NO too in order for xinetd to work.
|
||||
Alternatively you can also use systemd socket service that listens on
|
||||
port 21 and starts the server like xinetd would. This service does
|
||||
not require you to change ANY variable in the /etc/vsftpd.conf.
|
14
disable-tls13-to-support-older-openssl-versions.patch
Normal file
14
disable-tls13-to-support-older-openssl-versions.patch
Normal file
@ -0,0 +1,14 @@
|
||||
Index: vsftpd-3.0.5/ssl.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/ssl.c
|
||||
+++ vsftpd-3.0.5/ssl.c
|
||||
@@ -95,7 +95,9 @@ ssl_init(struct vsf_session* p_sess)
|
||||
}
|
||||
if (!tunable_tlsv1_3)
|
||||
{
|
||||
+#ifdef SSL_OP_NO_TLSv1_3
|
||||
options |= SSL_OP_NO_TLSv1_3;
|
||||
+#endif
|
||||
}
|
||||
SSL_CTX_set_options(p_ctx, options);
|
||||
if (tunable_rsa_cert_file)
|
17
revert-undocumented-config-file-format-changes.patch
Normal file
17
revert-undocumented-config-file-format-changes.patch
Normal file
@ -0,0 +1,17 @@
|
||||
Index: vsftpd-3.0.5/parseconf.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/parseconf.c 2022-02-01 20:35:02.703078850 +0100
|
||||
+++ vsftpd-3.0.5/parseconf.c 2022-02-01 20:35:44.042486850 +0100
|
||||
@@ -85,9 +85,9 @@ parseconf_bool_array[] =
|
||||
{ "ssl_sslv2", &tunable_sslv2 },
|
||||
{ "ssl_sslv3", &tunable_sslv3 },
|
||||
{ "ssl_tlsv1", &tunable_tlsv1 },
|
||||
- { "ssl_tlsv11", &tunable_tlsv1_1 },
|
||||
- { "ssl_tlsv12", &tunable_tlsv1_2 },
|
||||
- { "ssl_tlsv13", &tunable_tlsv1_3 },
|
||||
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
|
||||
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
|
||||
+ { "ssl_tlsv1_3", &tunable_tlsv1_3 },
|
||||
{ "tilde_user_enable", &tunable_tilde_user_enable },
|
||||
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
|
||||
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
|
43
seccomp-fixes.patch
Normal file
43
seccomp-fixes.patch
Normal file
@ -0,0 +1,43 @@
|
||||
Index: vsftpd-3.0.4/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.4.orig/seccompsandbox.c 2021-06-15 08:06:29.165512830 +0000
|
||||
+++ vsftpd-3.0.4/seccompsandbox.c 2021-06-15 08:06:42.778484808 +0000
|
||||
@@ -18,6 +18,7 @@
|
||||
#include "utility.h"
|
||||
|
||||
#include <errno.h>
|
||||
+#include <stdio.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/tcp.h>
|
||||
@@ -63,6 +64,7 @@
|
||||
|
||||
#define kMaxSyscalls 100
|
||||
|
||||
+//#define DEBUG_SIGSYS
|
||||
#ifdef DEBUG_SIGSYS
|
||||
|
||||
#include <signal.h>
|
||||
@@ -71,7 +73,10 @@
|
||||
void
|
||||
handle_sigsys(int sig)
|
||||
{
|
||||
- (void) sig;
|
||||
+ char str[21];
|
||||
+ snprintf(str, 21, "Rejected syscall %d", sig);
|
||||
+
|
||||
+ die(str);
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -586,8 +591,8 @@ seccomp_sandbox_lockdown()
|
||||
p_filter->code = BPF_LD+BPF_W+BPF_ABS;
|
||||
p_filter->jt = 0;
|
||||
p_filter->jf = 0;
|
||||
- /* Offset 4 for syscall architecture. */
|
||||
- p_filter->k = 4;
|
||||
+ /* Offset 5 for syscall architecture. */
|
||||
+ p_filter->k = 5;
|
||||
p_filter++;
|
||||
p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
|
||||
p_filter->jt = 1;
|
26
use-system-wide-tls-cipher-policy.patch
Normal file
26
use-system-wide-tls-cipher-policy.patch
Normal file
@ -0,0 +1,26 @@
|
||||
Index: vsftpd-3.0.5/tunables.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/tunables.c 2022-02-02 10:58:56.589962539 +0100
|
||||
+++ vsftpd-3.0.5/tunables.c 2022-02-02 11:00:17.600782133 +0100
|
||||
@@ -295,7 +295,7 @@ tunables_load_defaults()
|
||||
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
|
||||
&tunable_rsa_cert_file);
|
||||
install_str_setting(0, &tunable_dsa_cert_file);
|
||||
- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
|
||||
+ install_str_setting("DEFAULT_SUSE", &tunable_ssl_ciphers);
|
||||
install_str_setting(0, &tunable_rsa_private_key_file);
|
||||
install_str_setting(0, &tunable_dsa_private_key_file);
|
||||
install_str_setting(0, &tunable_ca_certs_file);
|
||||
Index: vsftpd-3.0.5/vsftpd.conf.5
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/vsftpd.conf.5 2022-02-02 10:58:56.589962539 +0100
|
||||
+++ vsftpd-3.0.5/vsftpd.conf.5 2022-02-02 11:01:58.855306755 +0100
|
||||
@@ -1025,7 +1025,7 @@ man page for further details. Note that
|
||||
security precaution as it prevents malicious remote parties forcing a cipher
|
||||
which they have found problems with.
|
||||
|
||||
-Default: DES-CBC3-SHA
|
||||
+Default: DEFAULT_SUSE
|
||||
.TP
|
||||
.B ssl_sni_hostname
|
||||
If set, SSL connections will be rejected unless the SNI hostname in the
|
16
vsftpd-2.0.4-dmapi.patch
Normal file
16
vsftpd-2.0.4-dmapi.patch
Normal file
@ -0,0 +1,16 @@
|
||||
Index: vsftpd-3.0.5/postlogin.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/postlogin.c 2015-07-22 21:03:22.000000000 +0200
|
||||
+++ vsftpd-3.0.5/postlogin.c 2022-02-01 20:12:02.710908421 +0100
|
||||
@@ -1061,6 +1061,11 @@ handle_upload_common(struct vsf_session*
|
||||
{
|
||||
do_truncate = 1;
|
||||
}
|
||||
+ if (new_file_fd >= 0) {
|
||||
+ vsf_sysutil_fstat(new_file_fd, &s_p_statbuf);
|
||||
+ if (vsf_sysutil_statbuf_is_regfile(s_p_statbuf))
|
||||
+ vsf_sysutil_deactivate_noblock(new_file_fd);
|
||||
+ }
|
||||
}
|
||||
if (vsf_sysutil_retval_is_error(new_file_fd))
|
||||
{
|
13
vsftpd-2.0.4-enable-ssl.patch
Normal file
13
vsftpd-2.0.4-enable-ssl.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Index: vsftpd-3.0.5/builddefs.h
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/builddefs.h 2021-08-02 09:01:43.000000000 +0200
|
||||
+++ vsftpd-3.0.5/builddefs.h 2022-02-01 20:12:01.538925293 +0100
|
||||
@@ -3,7 +3,7 @@
|
||||
|
||||
#undef VSF_BUILD_TCPWRAPPERS
|
||||
#define VSF_BUILD_PAM
|
||||
-#undef VSF_BUILD_SSL
|
||||
+#define VSF_BUILD_SSL
|
||||
|
||||
#endif /* VSF_BUILDDEFS_H */
|
||||
|
28
vsftpd-2.0.4-lib64.diff
Normal file
28
vsftpd-2.0.4-lib64.diff
Normal file
@ -0,0 +1,28 @@
|
||||
Index: vsftpd-3.0.4/vsf_findlibs.sh
|
||||
===================================================================
|
||||
--- vsftpd-3.0.4.orig/vsf_findlibs.sh 2021-05-18 07:14:35.000000000 +0000
|
||||
+++ vsftpd-3.0.4/vsf_findlibs.sh 2021-06-29 09:24:32.833223756 +0000
|
||||
@@ -14,6 +14,7 @@ fi
|
||||
# crypt library.
|
||||
if find_func pam_start sysdeputil.o; then
|
||||
locate_library /lib/libpam.so.0 && echo "/lib/libpam.so.0";
|
||||
+ locate_library /lib64/libpam.so.0 && echo "/lib64/libpam.so.0";
|
||||
locate_library /usr/lib/libpam.so && echo "-lpam";
|
||||
locate_library /usr/lib64/libpam.so && echo "-lpam";
|
||||
locate_library /lib/x86_64-linux-gnu/libpam.so.0 && echo "-lpam";
|
||||
@@ -23,6 +24,7 @@ if find_func pam_start sysdeputil.o; the
|
||||
locate_library /usr/lib/libpam.a && echo "-lpam";
|
||||
else
|
||||
locate_library /lib/libcrypt.so && echo "-lcrypt";
|
||||
+ locate_library /lib64/libcrypt.so && echo "-lcrypt";
|
||||
locate_library /usr/lib/libcrypt.so && echo "-lcrypt";
|
||||
locate_library /usr/lib64/libcrypt.so && echo "-lcrypt";
|
||||
locate_library /lib/x86_64-linux-gnu/libcrypt.so && echo "-lcrypt";
|
||||
@@ -52,6 +54,7 @@ locate_library /usr/lib/libsec.sl && ech
|
||||
# /usr/bin/ld: cannot find -lcap
|
||||
# If the libcap-devel package isn't installed.
|
||||
locate_library /usr/lib/libcap.so && echo "-lcap";
|
||||
+locate_library /usr/lib64/libcap.so && echo "-lcap";
|
||||
locate_library /lib/libcap.so && echo "-lcap";
|
||||
locate_library /lib64/libcap.so && echo "-lcap";
|
||||
|
37
vsftpd-2.0.4-xinetd.diff
Normal file
37
vsftpd-2.0.4-xinetd.diff
Normal file
@ -0,0 +1,37 @@
|
||||
diff -urN vsftpd-3.0.2.old/xinetd.d/vsftpd vsftpd-3.0.2/xinetd.d/vsftpd
|
||||
--- vsftpd-3.0.2.old/xinetd.d/vsftpd 2014-05-26 14:38:40.717042497 +0200
|
||||
+++ vsftpd-3.0.2/xinetd.d/vsftpd 2014-05-26 14:41:23.753049249 +0200
|
||||
@@ -1,18 +1,26 @@
|
||||
-# default: on
|
||||
+# default: off
|
||||
# description:
|
||||
# The vsftpd FTP server serves FTP connections. It uses
|
||||
# normal, unencrypted usernames and passwords for authentication.
|
||||
# vsftpd is designed to be secure.
|
||||
+#
|
||||
+# NOTE: This file contains the configuration for xinetd to start vsftpd.
|
||||
+# the configuration file for vsftp itself is in /etc/vsftpd.conf
|
||||
+#
|
||||
+# NOTE: Remember to set both listen and listen_ipv6 to NO in /etc/vsftpd.conf
|
||||
+# in order to have working xinetd connection.
|
||||
+#
|
||||
service ftp
|
||||
{
|
||||
socket_type = stream
|
||||
+ protocol = tcp
|
||||
wait = no
|
||||
user = root
|
||||
- server = /usr/local/sbin/vsftpd
|
||||
-# server_args =
|
||||
-# log_on_success += DURATION USERID
|
||||
-# log_on_failure += USERID
|
||||
- nice = 10
|
||||
- disable = no
|
||||
+ server = /usr/sbin/vsftpd
|
||||
+ server_args = /etc/vsftpd.conf
|
||||
+# log_on_success += DURATION USERID
|
||||
+# log_on_failure += USERID
|
||||
+# nice = 10
|
||||
+ disable = yes
|
||||
}
|
||||
|
21
vsftpd-2.0.5-enable-debuginfo.patch
Normal file
21
vsftpd-2.0.5-enable-debuginfo.patch
Normal file
@ -0,0 +1,21 @@
|
||||
Index: vsftpd-3.0.5/Makefile
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/Makefile 2012-09-16 09:27:35.000000000 +0200
|
||||
+++ vsftpd-3.0.5/Makefile 2022-02-01 20:12:04.538882105 +0100
|
||||
@@ -9,7 +9,6 @@ CFLAGS = -O2 -fPIE -fstack-protector --p
|
||||
#-pedantic -Wconversion
|
||||
|
||||
LIBS = `./vsf_findlibs.sh`
|
||||
-LINK = -Wl,-s
|
||||
LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
|
||||
|
||||
OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
|
||||
@@ -26,7 +25,7 @@ OBJS = main.o utility.o prelogin.o ftpcm
|
||||
$(CC) -c $*.c $(CFLAGS) $(IFLAGS)
|
||||
|
||||
vsftpd: $(OBJS)
|
||||
- $(CC) -o vsftpd $(OBJS) $(LINK) $(LDFLAGS) $(LIBS)
|
||||
+ $(CC) -o vsftpd $(OBJS) $(LDFLAGS) $(LIBS)
|
||||
|
||||
install:
|
||||
if [ -x /usr/local/sbin ]; then \
|
102
vsftpd-2.0.5-utf8-log-names.patch
Normal file
102
vsftpd-2.0.5-utf8-log-names.patch
Normal file
@ -0,0 +1,102 @@
|
||||
Index: vsftpd-3.0.5/str.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/str.c 2012-09-16 09:09:06.000000000 +0200
|
||||
+++ vsftpd-3.0.5/str.c 2022-02-01 20:12:05.458868861 +0100
|
||||
@@ -27,6 +27,24 @@ static int str_equal_internal(const char
|
||||
const char* p_buf2, unsigned int buf2_len);
|
||||
|
||||
/* Private functions */
|
||||
+static int
|
||||
+continuation_char(unsigned char str, int* val)
|
||||
+{
|
||||
+ if ((str & 0xc0) != 0x80) /* 10xxxxxx */
|
||||
+ return 0;
|
||||
+ (*val) <<= 6;
|
||||
+ (*val) |= str & 0x3f;
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+unicode_valid(int b)
|
||||
+{
|
||||
+ return (b < 0x110000 && ((b & 0xFFFFF800) != 0xD800)
|
||||
+ && (b < 0xFDD0 || b > 0xFDEF)
|
||||
+ && (b & 0xFFFE) != 0xFFFE);
|
||||
+}
|
||||
+
|
||||
static void
|
||||
s_setbuf(struct mystr* p_str, char* p_newbuf)
|
||||
{
|
||||
@@ -181,6 +199,45 @@ str_reserve(struct mystr* p_str, unsigne
|
||||
p_str->p_buf[res_len - 1] = '\0';
|
||||
}
|
||||
|
||||
+int str_is_utf8( const struct mystr* p_str )
|
||||
+{
|
||||
+ unsigned int i;
|
||||
+ int min = 0, val = 0;
|
||||
+
|
||||
+ for(i = 0; i < p_str->len; i++)
|
||||
+ {
|
||||
+ if( (unsigned char)p_str->p_buf[i] < 128) continue;
|
||||
+
|
||||
+ if((p_str->p_buf[i] & 0xe0) == 0xc0) { /* 110xxxxx */
|
||||
+ if((p_str->p_buf[i] & 0x1e) == 0) return 0;
|
||||
+ i++;
|
||||
+ if((p_str->p_buf[i] & 0xc0) != 0x80) /* 10xxxxxx */
|
||||
+ return 0;
|
||||
+ } else {
|
||||
+ if((p_str->p_buf[i] & 0xf0) == 0xe0) { /* 1110xxxx */
|
||||
+ min = (1 << 11);
|
||||
+ val = p_str->p_buf[i] & 0x0f;
|
||||
+ goto TWO_REMAINING;
|
||||
+ } else if((p_str->p_buf[i] & 0xf8) == 0xf0) { /* 11110xxx */
|
||||
+ min = (1 << 16);
|
||||
+ val = p_str->p_buf[i] & 0x07;
|
||||
+ } else {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ i++;
|
||||
+ if(!continuation_char(p_str->p_buf[i], &val)) return 0;
|
||||
+TWO_REMAINING:
|
||||
+ i++;
|
||||
+ if(!continuation_char(p_str->p_buf[i], &val)) return 0;
|
||||
+ i++;
|
||||
+ if(!continuation_char(p_str->p_buf[i], &val)) return 0;
|
||||
+ if(val < min || !unicode_valid(val)) return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+
|
||||
int
|
||||
str_isempty(const struct mystr* p_str)
|
||||
{
|
||||
@@ -702,6 +759,7 @@ void
|
||||
str_replace_unprintable(struct mystr* p_str, char new_char)
|
||||
{
|
||||
unsigned int i;
|
||||
+ if( !str_is_utf8( p_str ) ) {
|
||||
for (i=0; i < p_str->len; i++)
|
||||
{
|
||||
if (!vsf_sysutil_isprint(p_str->p_buf[i]))
|
||||
@@ -709,5 +767,6 @@ str_replace_unprintable(struct mystr* p_
|
||||
p_str->p_buf[i] = new_char;
|
||||
}
|
||||
}
|
||||
+ }
|
||||
}
|
||||
|
||||
Index: vsftpd-3.0.5/str.h
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/str.h 2012-09-16 09:01:52.000000000 +0200
|
||||
+++ vsftpd-3.0.5/str.h 2022-02-01 20:12:05.458868861 +0100
|
||||
@@ -36,6 +36,7 @@ void str_free(struct mystr* p_str);
|
||||
void str_trunc(struct mystr* p_str, unsigned int trunc_len);
|
||||
void str_reserve(struct mystr* p_str, unsigned int res_len);
|
||||
|
||||
+int str_is_utf8(const struct mystr* p_str);
|
||||
int str_isempty(const struct mystr* p_str);
|
||||
unsigned int str_getlen(const struct mystr* p_str);
|
||||
const char* str_getbuf(const struct mystr* p_str);
|
9
vsftpd-2.0.5-vuser.patch
Normal file
9
vsftpd-2.0.5-vuser.patch
Normal file
@ -0,0 +1,9 @@
|
||||
Index: vsftpd-3.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/EXAMPLE/VIRTUAL_USERS/vsftpd.pam 2008-02-02 02:30:40.000000000 +0100
|
||||
+++ vsftpd-3.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam 2022-02-01 20:12:03.670894600 +0100
|
||||
@@ -1,2 +1,2 @@
|
||||
-auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
|
||||
-account required /lib/security/pam_userdb.so db=/etc/vsftpd_login
|
||||
+auth required pam_userdb.so db=/etc/vsftpd_login
|
||||
+account required pam_userdb.so db=/etc/vsftpd_login
|
66
vsftpd-2.1.0-filter.patch
Normal file
66
vsftpd-2.1.0-filter.patch
Normal file
@ -0,0 +1,66 @@
|
||||
diff -up vsftpd-2.1.0/ls.c.filter vsftpd-2.1.0/ls.c
|
||||
--- vsftpd-2.1.0/ls.c.filter 2008-02-02 02:30:41.000000000 +0100
|
||||
+++ vsftpd-2.1.0/ls.c 2009-01-08 19:31:15.000000000 +0100
|
||||
@@ -239,9 +239,31 @@ vsf_filename_passes_filter(const struct
|
||||
int ret = 0;
|
||||
char last_token = 0;
|
||||
int must_match_at_current_pos = 1;
|
||||
+
|
||||
+
|
||||
str_copy(&filter_remain_str, p_filter_str);
|
||||
- str_copy(&name_remain_str, p_filename_str);
|
||||
-
|
||||
+
|
||||
+ if (!str_isempty (&filter_remain_str) && !str_isempty(p_filename_str)) {
|
||||
+ if (str_get_char_at(p_filter_str, 0) == '/') {
|
||||
+ if (str_get_char_at(p_filename_str, 0) != '/') {
|
||||
+ str_getcwd (&name_remain_str);
|
||||
+
|
||||
+ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
|
||||
+ str_append_char (&name_remain_str, '/');
|
||||
+
|
||||
+ str_append_str (&name_remain_str, p_filename_str);
|
||||
+ }
|
||||
+ else
|
||||
+ str_copy (&name_remain_str, p_filename_str);
|
||||
+ } else {
|
||||
+ if (str_get_char_at(p_filter_str, 0) != '{')
|
||||
+ str_basename (&name_remain_str, p_filename_str);
|
||||
+ else
|
||||
+ str_copy (&name_remain_str, p_filename_str);
|
||||
+ }
|
||||
+ } else
|
||||
+ str_copy(&name_remain_str, p_filename_str);
|
||||
+
|
||||
while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
|
||||
{
|
||||
static struct mystr s_match_needed_str;
|
||||
diff -up vsftpd-2.1.0/str.c.filter vsftpd-2.1.0/str.c
|
||||
--- vsftpd-2.1.0/str.c.filter 2008-12-17 06:54:16.000000000 +0100
|
||||
+++ vsftpd-2.1.0/str.c 2009-01-08 19:31:15.000000000 +0100
|
||||
@@ -680,3 +680,14 @@ str_replace_unprintable(struct mystr* p_
|
||||
}
|
||||
}
|
||||
|
||||
+void
|
||||
+str_basename (struct mystr* d_str, const struct mystr* path)
|
||||
+{
|
||||
+ static struct mystr tmp;
|
||||
+
|
||||
+ str_copy (&tmp, path);
|
||||
+ str_split_char_reverse(&tmp, d_str, '/');
|
||||
+
|
||||
+ if (str_isempty(d_str))
|
||||
+ str_copy (d_str, path);
|
||||
+}
|
||||
diff -up vsftpd-2.1.0/str.h.filter vsftpd-2.1.0/str.h
|
||||
--- vsftpd-2.1.0/str.h.filter 2008-12-17 06:53:23.000000000 +0100
|
||||
+++ vsftpd-2.1.0/str.h 2009-01-08 19:32:14.000000000 +0100
|
||||
@@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst
|
||||
int str_atoi(const struct mystr* p_str);
|
||||
filesize_t str_a_to_filesize_t(const struct mystr* p_str);
|
||||
unsigned int str_octal_to_uint(const struct mystr* p_str);
|
||||
+void str_basename (struct mystr* d_str, const struct mystr* path);
|
||||
|
||||
/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
|
||||
* buffer, starting at character position 'p_pos'. The extracted line will
|
24
vsftpd-2.2.0-wildchar.patch
Normal file
24
vsftpd-2.2.0-wildchar.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff -up vsftpd-2.3.2/ls.c.tmp vsftpd-2.3.2/ls.c
|
||||
--- vsftpd-2.3.2/ls.c.tmp 2010-08-20 13:18:54.397583558 +0200
|
||||
+++ vsftpd-2.3.2/ls.c 2010-08-20 13:14:59.047831385 +0200
|
||||
@@ -305,6 +305,20 @@ vsf_filename_passes_filter(const struct
|
||||
{
|
||||
goto out;
|
||||
}
|
||||
+ if (!must_match_at_current_pos && last_token == 0)
|
||||
+ {
|
||||
+ struct mystr last_str = INIT_MYSTR;
|
||||
+ str_mid_to_end(&name_remain_str, &last_str,
|
||||
+ str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str));
|
||||
+ locate_result = str_locate_str(&last_str, &s_match_needed_str);
|
||||
+ str_free(&last_str);
|
||||
+
|
||||
+ if (locate_result.found)
|
||||
+ {
|
||||
+ ret = 1;
|
||||
+ }
|
||||
+ goto out;
|
||||
+ }
|
||||
/* Chop matched string out of remainder */
|
||||
str_mid_to_end(&name_remain_str, &temp_str,
|
||||
indexx + str_getlen(&s_match_needed_str));
|
128
vsftpd-2.3.4-sqb.patch
Normal file
128
vsftpd-2.3.4-sqb.patch
Normal file
@ -0,0 +1,128 @@
|
||||
Index: vsftpd-2.0.7/ls.c
|
||||
===================================================================
|
||||
--- vsftpd-2.0.7.orig/ls.c
|
||||
+++ vsftpd-2.0.7/ls.c
|
||||
@@ -243,7 +243,7 @@ vsf_filename_passes_filter(const struct
|
||||
int ret = 0;
|
||||
char last_token = 0;
|
||||
int must_match_at_current_pos = 1;
|
||||
-
|
||||
+ int matched = 0;
|
||||
|
||||
str_copy(&filter_remain_str, p_filter_str);
|
||||
|
||||
@@ -273,7 +273,7 @@ vsf_filename_passes_filter(const struct
|
||||
static struct mystr s_match_needed_str;
|
||||
/* Locate next special token */
|
||||
struct str_locate_result locate_result =
|
||||
- str_locate_chars(&filter_remain_str, "*?{");
|
||||
+ str_locate_chars(&filter_remain_str, "*?{[");
|
||||
(*iters)++;
|
||||
/* Isolate text leading up to token (if any) - needs to be matched */
|
||||
if (locate_result.found)
|
||||
@@ -291,8 +291,14 @@ vsf_filename_passes_filter(const struct
|
||||
str_empty(&filter_remain_str);
|
||||
last_token = 0;
|
||||
}
|
||||
+
|
||||
+ matched = 0;
|
||||
if (!str_isempty(&s_match_needed_str))
|
||||
{
|
||||
+ if (!matched)
|
||||
+ {
|
||||
+ matched = 1;
|
||||
+ }
|
||||
/* Need to match something.. could be a match which has to start at
|
||||
* current position, or we could allow it to start anywhere
|
||||
*/
|
||||
@@ -344,13 +350,20 @@ vsf_filename_passes_filter(const struct
|
||||
must_match_at_current_pos = 1;
|
||||
if (end_brace.found)
|
||||
{
|
||||
+ int entire = (*iters == 1 && last_token == '{');
|
||||
+
|
||||
str_split_char(&filter_remain_str, &temp_str, '}');
|
||||
str_copy(&brace_list_str, &filter_remain_str);
|
||||
str_copy(&filter_remain_str, &temp_str);
|
||||
str_split_char(&brace_list_str, &temp_str, ',');
|
||||
while (!str_isempty(&brace_list_str))
|
||||
{
|
||||
- str_copy(&new_filter_str, &brace_list_str);
|
||||
+ str_empty(&new_filter_str);
|
||||
+ if (!matched && !entire)
|
||||
+ {
|
||||
+ str_append_char(&new_filter_str, '*');
|
||||
+ }
|
||||
+ str_append_str(&new_filter_str, &brace_list_str);
|
||||
str_append_str(&new_filter_str, &filter_remain_str);
|
||||
if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
|
||||
iters))
|
||||
@@ -368,6 +381,68 @@ vsf_filename_passes_filter(const struct
|
||||
{
|
||||
goto out;
|
||||
}
|
||||
+ else
|
||||
+ {
|
||||
+ str_right(&name_remain_str, &temp_str,
|
||||
+ str_getlen(&name_remain_str) - 1);
|
||||
+ str_copy(&name_remain_str, &temp_str);
|
||||
+ }
|
||||
+ }
|
||||
+ else if (last_token == '[')
|
||||
+ {
|
||||
+ struct str_locate_result end_sqb =
|
||||
+ str_locate_char(&filter_remain_str, ']');
|
||||
+ must_match_at_current_pos = 1;
|
||||
+ if (end_sqb.found)
|
||||
+ {
|
||||
+ unsigned int cur_pos;
|
||||
+ char stch, ench;
|
||||
+ const char *p_brace;
|
||||
+
|
||||
+ str_split_char(&filter_remain_str, &temp_str, ']');
|
||||
+ str_copy(&brace_list_str, &filter_remain_str);
|
||||
+ str_copy(&filter_remain_str, &temp_str);
|
||||
+ p_brace = str_getbuf(&brace_list_str);
|
||||
+ for (cur_pos = 0; cur_pos < str_getlen(&brace_list_str);)
|
||||
+ {
|
||||
+ stch = p_brace[cur_pos];
|
||||
+ // char vers. range
|
||||
+ if (cur_pos + 2 < str_getlen(&brace_list_str) &&
|
||||
+ p_brace[cur_pos+1] == '-')
|
||||
+ {
|
||||
+ ench = p_brace[cur_pos+2];
|
||||
+ cur_pos += 3;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ ench = stch;
|
||||
+ cur_pos++;
|
||||
+ }
|
||||
+ // expand char[s]
|
||||
+ for (;stch <= ench && !str_isempty(&brace_list_str); stch++)
|
||||
+ {
|
||||
+ str_empty(&new_filter_str);
|
||||
+ if (!matched)
|
||||
+ {
|
||||
+ str_append_char(&new_filter_str, '*');
|
||||
+ }
|
||||
+ str_append_char(&new_filter_str, stch);
|
||||
+ str_append_str(&new_filter_str, &filter_remain_str);
|
||||
+ if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
|
||||
+ iters))
|
||||
+ {
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ goto out;
|
||||
+ }
|
||||
+ else if (str_isempty(&name_remain_str) ||
|
||||
+ str_get_char_at(&name_remain_str, 0) != '[')
|
||||
+ {
|
||||
+ goto out;
|
||||
+ }
|
||||
else
|
||||
{
|
||||
str_right(&name_remain_str, &temp_str,
|
250
vsftpd-2.3.5-conf.patch
Normal file
250
vsftpd-2.3.5-conf.patch
Normal file
@ -0,0 +1,250 @@
|
||||
Index: vsftpd-3.0.5/vsftpd.conf
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/vsftpd.conf 2011-12-17 19:24:40.000000000 +0100
|
||||
+++ vsftpd-3.0.5/vsftpd.conf 2022-02-01 20:12:06.546853199 +0100
|
||||
@@ -4,23 +4,89 @@
|
||||
# loosens things up a bit, to make the ftp daemon more usable.
|
||||
# Please see vsftpd.conf.5 for all compiled in defaults.
|
||||
#
|
||||
+# If you do not change anything here you will have a minimum setup for an
|
||||
+# anonymus FTP server.
|
||||
+#
|
||||
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
|
||||
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
|
||||
# capabilities.
|
||||
#
|
||||
-# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
|
||||
-anonymous_enable=YES
|
||||
-#
|
||||
-# Uncomment this to allow local users to log in.
|
||||
-#local_enable=YES
|
||||
+# ################
|
||||
+# General Settings
|
||||
+# ################
|
||||
#
|
||||
# Uncomment this to enable any form of FTP write command.
|
||||
-#write_enable=YES
|
||||
+write_enable=NO
|
||||
+#
|
||||
+# Activate directory messages - messages given to remote users when they
|
||||
+# go into a certain directory.
|
||||
+dirmessage_enable=YES
|
||||
+#
|
||||
+# It is recommended that you define on your system a unique user which the
|
||||
+# ftp server can use as a totally isolated and unprivileged user.
|
||||
+nopriv_user=ftpsecure
|
||||
+#
|
||||
+# You may fully customise the login banner string:
|
||||
+#ftpd_banner=Welcome to blah FTP service.
|
||||
+#
|
||||
+# You may activate the "-R" option to the builtin ls. This is disabled by
|
||||
+# default to avoid remote users being able to cause excessive I/O on large
|
||||
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
|
||||
+# the presence of the "-R" option, so there is a strong case for enabling it.
|
||||
+#ls_recurse_enable=YES
|
||||
+#
|
||||
+# You may specify a file of disallowed anonymous e-mail addresses. Apparently
|
||||
+# useful for combatting certain DoS attacks.
|
||||
+#deny_email_enable=YES
|
||||
+# (default follows)
|
||||
+#banned_email_file=/etc/vsftpd.banned_emails
|
||||
+#
|
||||
+# If enabled, all user and group information in
|
||||
+# directory listings will be displayed as "ftp".
|
||||
+#hide_ids=YES
|
||||
+#
|
||||
+# #######################
|
||||
+# Local FTP user Settings
|
||||
+# #######################
|
||||
+#
|
||||
+# Uncomment this to allow local users to log in.
|
||||
+local_enable=YES
|
||||
#
|
||||
# Default umask for local users is 077. You may wish to change this to 022,
|
||||
# if your users expect that (022 is used by most other ftpd's)
|
||||
#local_umask=022
|
||||
#
|
||||
+# You may specify an explicit list of local users to chroot() to their home
|
||||
+# directory. If chroot_local_user is YES, then this list becomes a list of
|
||||
+# users to NOT chroot().
|
||||
+#chroot_local_user=YES
|
||||
+#chroot_list_enable=YES
|
||||
+# (default follows)
|
||||
+#chroot_list_file=/etc/vsftpd.chroot_list
|
||||
+#
|
||||
+# The maximum data transfer rate permitted, in bytes per second, for
|
||||
+# local authenticated users. The default is 0 (unlimited).
|
||||
+#local_max_rate=7200
|
||||
+#
|
||||
+# ##########################
|
||||
+# Anonymus FTP user Settings
|
||||
+# ##########################
|
||||
+#
|
||||
+# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
|
||||
+anonymous_enable=YES
|
||||
+#
|
||||
+# The maximum data transfer rate permitted, in bytes per second, for anonymous
|
||||
+# authenticated users. The default is 0 (unlimited).
|
||||
+#anon_max_rate=7200
|
||||
+#
|
||||
+# Anonymous users will only be allowed to download files which are
|
||||
+# world readable.
|
||||
+anon_world_readable_only=YES
|
||||
+#
|
||||
+# Default umask for anonymus users is 077. You may wish to change this to 022,
|
||||
+# if your users expect that (022 is used by most other ftpd's)
|
||||
+#anon_umask=022
|
||||
+#
|
||||
# Uncomment this to allow the anonymous FTP user to upload files. This only
|
||||
# has an effect if the above global write enable is activated. Also, you will
|
||||
# obviously need to create a directory writable by the FTP user.
|
||||
@@ -30,15 +96,9 @@ anonymous_enable=YES
|
||||
# new directories.
|
||||
#anon_mkdir_write_enable=YES
|
||||
#
|
||||
-# Activate directory messages - messages given to remote users when they
|
||||
-# go into a certain directory.
|
||||
-dirmessage_enable=YES
|
||||
-#
|
||||
-# Activate logging of uploads/downloads.
|
||||
-xferlog_enable=YES
|
||||
-#
|
||||
-# Make sure PORT transfer connections originate from port 20 (ftp-data).
|
||||
-connect_from_port_20=YES
|
||||
+# Uncomment this to enable anonymus FTP users to perform other write operations
|
||||
+# like deletion and renaming.
|
||||
+#anon_other_write_enable=YES
|
||||
#
|
||||
# If you want, you can arrange for uploaded anonymous files to be owned by
|
||||
# a different user. Note! Using "root" for uploaded files is not
|
||||
@@ -46,24 +106,51 @@ connect_from_port_20=YES
|
||||
#chown_uploads=YES
|
||||
#chown_username=whoever
|
||||
#
|
||||
+# ############
|
||||
+# Log Settings
|
||||
+# ############
|
||||
+#
|
||||
+# Log to the syslog daemon instead of using an logfile.
|
||||
+syslog_enable=YES
|
||||
+#
|
||||
+# Uncomment this to log all FTP requests and responses.
|
||||
+#log_ftp_protocol=YES
|
||||
+#
|
||||
+# Activate logging of uploads/downloads.
|
||||
+#xferlog_enable=YES
|
||||
+#
|
||||
# You may override where the log file goes if you like. The default is shown
|
||||
# below.
|
||||
-#xferlog_file=/var/log/vsftpd.log
|
||||
+#
|
||||
+#vsftpd_log_file=/var/log/vsftpd.log
|
||||
#
|
||||
# If you want, you can have your log file in standard ftpd xferlog format.
|
||||
# Note that the default log file location is /var/log/xferlog in this case.
|
||||
#xferlog_std_format=YES
|
||||
#
|
||||
+# You may override where the log file goes if you like. The default is shown
|
||||
+# below.
|
||||
+#xferlog_file=/var/log/vsftpd.log
|
||||
+#
|
||||
+# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log.
|
||||
+#dual_log_enable=YES
|
||||
+#
|
||||
+# Uncomment this to enable session status information in the system process listing.
|
||||
+#setproctitle_enable=YES
|
||||
+#
|
||||
+# #################
|
||||
+# Transfer Settings
|
||||
+# #################
|
||||
+#
|
||||
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
|
||||
+connect_from_port_20=YES
|
||||
+#
|
||||
# You may change the default value for timing out an idle session.
|
||||
#idle_session_timeout=600
|
||||
#
|
||||
# You may change the default value for timing out a data connection.
|
||||
#data_connection_timeout=120
|
||||
#
|
||||
-# It is recommended that you define on your system a unique user which the
|
||||
-# ftp server can use as a totally isolated and unprivileged user.
|
||||
-#nopriv_user=ftpsecure
|
||||
-#
|
||||
# Enable this and the server will recognise asynchronous ABOR requests. Not
|
||||
# recommended for security (the code is non-trivial). Not enabling it,
|
||||
# however, may confuse older FTP clients.
|
||||
@@ -77,41 +164,46 @@ connect_from_port_20=YES
|
||||
# predicted this attack and has always been safe, reporting the size of the
|
||||
# raw file.
|
||||
# ASCII mangling is a horrible feature of the protocol.
|
||||
-#ascii_upload_enable=YES
|
||||
+ascii_upload_enable=YES
|
||||
#ascii_download_enable=YES
|
||||
#
|
||||
-# You may fully customise the login banner string:
|
||||
-#ftpd_banner=Welcome to blah FTP service.
|
||||
-#
|
||||
-# You may specify a file of disallowed anonymous e-mail addresses. Apparently
|
||||
-# useful for combatting certain DoS attacks.
|
||||
-#deny_email_enable=YES
|
||||
-# (default follows)
|
||||
-#banned_email_file=/etc/vsftpd.banned_emails
|
||||
-#
|
||||
-# You may specify an explicit list of local users to chroot() to their home
|
||||
-# directory. If chroot_local_user is YES, then this list becomes a list of
|
||||
-# users to NOT chroot().
|
||||
-# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
|
||||
-# the user does not have write access to the top level directory within the
|
||||
-# chroot)
|
||||
-#chroot_local_user=YES
|
||||
-#chroot_list_enable=YES
|
||||
-# (default follows)
|
||||
-#chroot_list_file=/etc/vsftpd.chroot_list
|
||||
+# Set to NO if you want to disallow the PASV method of obtaining a data
|
||||
+# connection.
|
||||
+#pasv_enable=NO
|
||||
#
|
||||
-# You may activate the "-R" option to the builtin ls. This is disabled by
|
||||
-# default to avoid remote users being able to cause excessive I/O on large
|
||||
-# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
|
||||
-# the presence of the "-R" option, so there is a strong case for enabling it.
|
||||
-#ls_recurse_enable=YES
|
||||
+# PAM setting. Do NOT change this unless you know what you do!
|
||||
+pam_service_name=vsftpd
|
||||
#
|
||||
# When "listen" directive is enabled, vsftpd runs in standalone mode and
|
||||
# listens on IPv4 sockets. This directive cannot be used in conjunction
|
||||
# with the listen_ipv6 directive.
|
||||
-listen=YES
|
||||
+listen=NO
|
||||
#
|
||||
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
|
||||
# sockets, you must run two copies of vsftpd with two configuration files.
|
||||
# Make sure, that one of the listen options is commented !!
|
||||
-#listen_ipv6=YES
|
||||
+listen_ipv6=YES
|
||||
+#
|
||||
+# Set to ssl_enable=YES if you want to enable SSL
|
||||
+ssl_enable=NO
|
||||
+#
|
||||
+# Limit passive ports to this range to assis firewalling
|
||||
+pasv_min_port=30000
|
||||
+pasv_max_port=30100
|
||||
+
|
||||
+### security features that are incompatible with some other settings. ###
|
||||
+
|
||||
+# isolate_network ensures the vsftpd subprocess is started in own network
|
||||
+# namespace (see CLONE_NEWNET in clone(2)). It however disables the
|
||||
+# authentication methods needs the network access (LDAP, NIS, ...).
|
||||
+#isolate_network=NO
|
||||
+
|
||||
+# seccomp_sanbox add an aditional security layer limiting the number of a
|
||||
+# syscalls can be performed via vsftpd. However it might happen that a
|
||||
+# whitelist don't allow a legitimate call (usually indirectly triggered by
|
||||
+# third-party library like pam, or openssl) and the process is being killed by kernel.
|
||||
+#
|
||||
+# Therefor if your server dies on common situations (file download, upload),
|
||||
+# uncomment following line and don't forget to open bug at
|
||||
+# https://bugzilla.novell.com
|
||||
+#seccomp_sandbox=NO
|
11
vsftpd-3.0.0-optional-seccomp.patch
Normal file
11
vsftpd-3.0.0-optional-seccomp.patch
Normal file
@ -0,0 +1,11 @@
|
||||
--- vsftpd-3.0.0/seccompsandbox.c 2012-04-04 18:41:51.000000000 -0400
|
||||
+++ vsftpd-3.0.0+/seccompsandbox.c 2012-04-23 06:06:00.000000000 -0400
|
||||
@@ -10,7 +10,7 @@
|
||||
|
||||
#include "seccompsandbox.h"
|
||||
|
||||
-#if defined(__linux__) && defined(__x86_64__)
|
||||
+#if defined(__linux__) && defined(__x86_64__) && defined(USE_SECCOMP)
|
||||
|
||||
#include "session.h"
|
||||
#include "sysutil.h"
|
13
vsftpd-3.0.0_gnu_source_defines.patch
Normal file
13
vsftpd-3.0.0_gnu_source_defines.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff -aur vsftpd-3.0.0/sysdeputil.c vsftpd-3.0.0+/sysdeputil.c
|
||||
--- vsftpd-3.0.0/sysdeputil.c 2010-03-25 23:25:33.000000000 -0400
|
||||
+++ vsftpd-3.0.0+/sysdeputil.c 2012-04-23 04:39:39.000000000 -0400
|
||||
@@ -60,7 +60,9 @@
|
||||
#define VSF_SYSDEP_HAVE_LIBCAP
|
||||
#define VSF_SYSDEP_HAVE_UTMPX
|
||||
|
||||
+#ifndef __USE_GNU
|
||||
#define __USE_GNU
|
||||
+#endif
|
||||
#include <utmpx.h>
|
||||
|
||||
/* BEGIN config */
|
28
vsftpd-3.0.2-fix-chown-uploads.patch
Normal file
28
vsftpd-3.0.2-fix-chown-uploads.patch
Normal file
@ -0,0 +1,28 @@
|
||||
Index: vsftpd-3.0.2/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/seccompsandbox.c
|
||||
+++ vsftpd-3.0.2/seccompsandbox.c
|
||||
@@ -475,6 +475,10 @@ seccomp_sandbox_setup_postlogin(const st
|
||||
/* Need to send file descriptors to privileged broker. */
|
||||
allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
|
||||
}
|
||||
+ if (is_anon && tunable_chown_uploads)
|
||||
+ {
|
||||
+ allow_nr(__NR_fchmod);
|
||||
+ }
|
||||
}
|
||||
|
||||
if (tunable_syslog_enable)
|
||||
@@ -538,6 +542,12 @@ seccomp_sandbox_setup_postlogin_broker()
|
||||
seccomp_sandbox_setup_base();
|
||||
seccomp_sandbox_setup_data_connections();
|
||||
allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
|
||||
+ if (tunable_chown_uploads)
|
||||
+ {
|
||||
+ allow_nr(__NR_fstat);
|
||||
+ allow_nr(__NR_fchown);
|
||||
+ allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
|
||||
+ }
|
||||
}
|
||||
|
||||
void
|
13
vsftpd-3.0.2-s390.patch
Normal file
13
vsftpd-3.0.2-s390.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Index: vsftpd-3.0.2/sysdeputil.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/sysdeputil.c 2014-08-21 16:12:59.845872489 +0200
|
||||
+++ vsftpd-3.0.2/sysdeputil.c 2014-08-21 16:14:59.641431931 +0200
|
||||
@@ -66,7 +66,7 @@
|
||||
#include <utmpx.h>
|
||||
|
||||
/* BEGIN config */
|
||||
-#if defined(__linux__)
|
||||
+#if defined(__linux__) && !defined(__s390__)
|
||||
#include <errno.h>
|
||||
#include <syscall.h>
|
||||
#define VSF_SYSDEP_HAVE_LINUX_CLONE
|
59
vsftpd-3.0.2-wnohang.patch
Normal file
59
vsftpd-3.0.2-wnohang.patch
Normal file
@ -0,0 +1,59 @@
|
||||
--- vsftpd-3.0.2/sysutil.c.wnohang 2015-08-03 07:35:33.619620425 +0200
|
||||
+++ vsftpd-3.0.2/sysutil.c 2015-08-03 07:35:33.626620480 +0200
|
||||
@@ -608,13 +608,13 @@ vsf_sysutil_exit(int exit_code)
|
||||
}
|
||||
|
||||
struct vsf_sysutil_wait_retval
|
||||
-vsf_sysutil_wait(void)
|
||||
+vsf_sysutil_wait(int hang)
|
||||
{
|
||||
struct vsf_sysutil_wait_retval retval;
|
||||
vsf_sysutil_memclr(&retval, sizeof(retval));
|
||||
while (1)
|
||||
{
|
||||
- int sys_ret = wait(&retval.exit_status);
|
||||
+ int sys_ret = waitpid(-1, &retval.exit_status, hang ? 0 : WNOHANG);
|
||||
if (sys_ret < 0 && errno == EINTR)
|
||||
{
|
||||
vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
|
||||
--- vsftpd-3.0.2/sysutil.h.wnohang 2015-08-03 07:35:33.610620354 +0200
|
||||
+++ vsftpd-3.0.2/sysutil.h 2015-08-03 07:35:33.626620480 +0200
|
||||
@@ -176,7 +176,7 @@ struct vsf_sysutil_wait_retval
|
||||
int PRIVATE_HANDS_OFF_syscall_retval;
|
||||
int PRIVATE_HANDS_OFF_exit_status;
|
||||
};
|
||||
-struct vsf_sysutil_wait_retval vsf_sysutil_wait(void);
|
||||
+struct vsf_sysutil_wait_retval vsf_sysutil_wait(int hang);
|
||||
int vsf_sysutil_wait_reap_one(void);
|
||||
int vsf_sysutil_wait_get_retval(
|
||||
const struct vsf_sysutil_wait_retval* p_waitret);
|
||||
--- vsftpd-3.0.2/twoprocess.c.wnohang 2012-09-16 09:15:49.000000000 +0200
|
||||
+++ vsftpd-3.0.2/twoprocess.c 2015-08-03 07:35:33.626620480 +0200
|
||||
@@ -47,8 +47,17 @@ static void
|
||||
handle_sigchld(void* duff)
|
||||
{
|
||||
|
||||
- struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait();
|
||||
+ struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait(0);
|
||||
(void) duff;
|
||||
+ if (!vsf_sysutil_wait_get_exitcode(&wait_retval) &&
|
||||
+ !vsf_sysutil_wait_get_retval(&wait_retval))
|
||||
+ /* There was nobody to wait for, possibly caused by underlying library
|
||||
+ * which created a new process through fork()/vfork() and already picked
|
||||
+ * it up, e.g. by pam_exec.so or integrity check routines for libraries
|
||||
+ * when FIPS mode is on (nss freebl), which can lead to calling prelink
|
||||
+ * if the prelink package is installed.
|
||||
+ */
|
||||
+ return;
|
||||
/* Child died, so we'll do the same! Report it as an error unless the child
|
||||
* exited normally with zero exit code
|
||||
*/
|
||||
@@ -390,7 +399,7 @@ common_do_login(struct vsf_session* p_se
|
||||
priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
|
||||
if (!p_sess->control_use_ssl)
|
||||
{
|
||||
- (void) vsf_sysutil_wait();
|
||||
+ (void) vsf_sysutil_wait(1);
|
||||
}
|
||||
else
|
||||
{
|
81
vsftpd-3.0.3-address_space_limit.patch
Normal file
81
vsftpd-3.0.3-address_space_limit.patch
Normal file
@ -0,0 +1,81 @@
|
||||
Index: vsftpd-3.0.2/main.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/main.c 2018-06-28 15:45:11.373254606 +0000
|
||||
+++ vsftpd-3.0.2/main.c 2018-06-28 15:45:16.700973780 +0000
|
||||
@@ -320,7 +320,7 @@ env_init(void)
|
||||
static void
|
||||
limits_init(void)
|
||||
{
|
||||
- unsigned long limit = VSFTP_AS_LIMIT;
|
||||
+ unsigned long limit = tunable_address_space_limit ?: VSFTP_AS_LIMIT;
|
||||
if (tunable_text_userdb_names)
|
||||
{
|
||||
/* Turns out, LDAP lookups for lots of userid -> name mappings can really
|
||||
Index: vsftpd-3.0.2/parseconf.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/parseconf.c 2018-06-28 15:45:11.373254606 +0000
|
||||
+++ vsftpd-3.0.2/parseconf.c 2018-06-28 15:45:16.700973780 +0000
|
||||
@@ -138,6 +138,7 @@ parseconf_uint_array[] =
|
||||
{ "delay_successful_login", &tunable_delay_successful_login },
|
||||
{ "max_login_fails", &tunable_max_login_fails },
|
||||
{ "chown_upload_mode", &tunable_chown_upload_mode },
|
||||
+ { "address_space_limit", &tunable_address_space_limit },
|
||||
{ 0, 0 }
|
||||
};
|
||||
|
||||
Index: vsftpd-3.0.2/tunables.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/tunables.c 2018-06-28 15:45:11.373254606 +0000
|
||||
+++ vsftpd-3.0.2/tunables.c 2018-06-28 15:45:16.700973780 +0000
|
||||
@@ -110,6 +110,7 @@ unsigned int tunable_delay_failed_login;
|
||||
unsigned int tunable_delay_successful_login;
|
||||
unsigned int tunable_max_login_fails;
|
||||
unsigned int tunable_chown_upload_mode;
|
||||
+unsigned int tunable_address_space_limit;
|
||||
|
||||
const char* tunable_secure_chroot_dir;
|
||||
const char* tunable_ftp_username;
|
||||
@@ -255,6 +256,7 @@ tunables_load_defaults()
|
||||
tunable_max_login_fails = 3;
|
||||
/* -rw------- */
|
||||
tunable_chown_upload_mode = 0600;
|
||||
+ tunable_address_space_limit = 0; /* See main.c:limits_init */
|
||||
|
||||
install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir);
|
||||
install_str_setting("ftp", &tunable_ftp_username);
|
||||
Index: vsftpd-3.0.2/tunables.h
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/tunables.h 2018-06-28 15:45:11.373254606 +0000
|
||||
+++ vsftpd-3.0.2/tunables.h 2018-06-28 15:45:16.700973780 +0000
|
||||
@@ -112,6 +112,7 @@ extern unsigned int tunable_delay_failed
|
||||
extern unsigned int tunable_delay_successful_login;
|
||||
extern unsigned int tunable_max_login_fails;
|
||||
extern unsigned int tunable_chown_upload_mode;
|
||||
+extern unsigned int tunable_address_space_limit;
|
||||
|
||||
/* String defines */
|
||||
extern const char* tunable_secure_chroot_dir;
|
||||
Index: vsftpd-3.0.2/vsftpd.conf.5
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/vsftpd.conf.5 2018-06-28 15:45:06.882648441 +0000
|
||||
+++ vsftpd-3.0.2/vsftpd.conf.5 2018-06-28 15:55:42.806639732 +0000
|
||||
@@ -639,6 +639,19 @@ The timeout, in seconds, for a remote cl
|
||||
a PASV style data connection.
|
||||
|
||||
Default: 60
|
||||
+
|
||||
+.TP
|
||||
+.B address_space_limit
|
||||
+Set the amount of memory vsftpd can use (in bytes). This limit exists so that
|
||||
+attackers cannot exploit any potential bugs in the server that might result in
|
||||
+vsftpd allocating huge amounts of memory that would affect the host system
|
||||
+negatively, e.g. causing thrashing or killing random processes due to Linux's
|
||||
+OOM system. If the value is configured too low, vsftpd will fail with "out of
|
||||
+memory" errors during normal operations. Oftentimes, this occurs inside of the
|
||||
+PAM stack on systems that have many memory-intensive PAM modules enabled.
|
||||
+
|
||||
+Default: 104857600 (100MB)
|
||||
+
|
||||
.TP
|
||||
.B anon_max_rate
|
||||
The maximum data transfer rate permitted, in bytes per second, for anonymous
|
13
vsftpd-3.0.3-build-with-openssl-1.1.patch
Normal file
13
vsftpd-3.0.3-build-with-openssl-1.1.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Index: vsftpd-3.0.4/vsf_findlibs.sh
|
||||
===================================================================
|
||||
--- vsftpd-3.0.4.orig/vsf_findlibs.sh 2021-06-15 07:58:45.004475824 +0000
|
||||
+++ vsftpd-3.0.4/vsf_findlibs.sh 2021-06-15 07:59:59.039320940 +0000
|
||||
@@ -69,7 +69,7 @@ locate_library /usr/shlib/librt.so && ec
|
||||
locate_library /usr/lib/libsendfile.so && echo "-lsendfile";
|
||||
|
||||
# OpenSSL
|
||||
-if find_func SSL_library_init ssl.o; then
|
||||
+if find_func SSL_CTX_new ssl.o; then
|
||||
echo "-lssl -lcrypto";
|
||||
elif find_func SSL_new ssl.o; then
|
||||
echo "-lssl -lcrypto";
|
BIN
vsftpd-3.0.5.tar.gz
(Stored with Git LFS)
Normal file
BIN
vsftpd-3.0.5.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
17
vsftpd-3.0.5.tar.gz.asc
Normal file
17
vsftpd-3.0.5.tar.gz.asc
Normal file
@ -0,0 +1,17 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJKBAABCAA0FiEEZ6KrT0H5lywh9r9me4kBG8rhz+oFAmEHmVAWHHNjYXJ5YmVh
|
||||
c3RzQGdtYWlsLmNvbQAKCRB7iQEbyuHP6ulCEACeXHUCc3nHICqIMZ6kginHRwTP
|
||||
vVlfMkGCYNRXc8c0Dw1oC02G0L2Zh5ZqQ4unkEN5tUeI3chRAQJ8LpQHrdWxT+3d
|
||||
DIT7t3k8NkJDEkLps/gxdGdHoxv0I/6E/BE4UmbsRGH+FI7r/HOcG37Z7pqcEdWm
|
||||
aU0WS9mdr7EuQdyUPJikIXZ8xyAmUg2BruZKJSu44jOK2oiTK1OX3NDkAuFhFNFe
|
||||
AKU7lduHHYMeNaPtejt9FpCQ8knbf3XhCtqdNo6Ye15Gk2H4/8zjYCAvjTIZu5wX
|
||||
YdaSaREfa8k7xbWKrLY6UQPbpsgDeW2mAtYwW7E7Rz/+Slq+LgnWiAXNliWe1Ko3
|
||||
G9qJ0AueUw6sa3/YQllfmfFer7ayU/Delg20Evffhrt9YPWvv6hErOoeadLCuZtH
|
||||
s0MjL1LgWAEMPvb1fpY4+qx2LJEwCh31/ezdkw7oxu+OpNbcowTp5aM8KCLkn8Hj
|
||||
7EIflvE4alFwK2FKaPhFL16egw0vpNCSlVUPD9XwIcTRUvPqhfri4agOXBX6bses
|
||||
M7U8yJgQsHQF0RMQvFNdhoCC3fSLwAH/gHWHjPchuhXlZjZQJnti5Nttzel4jcCb
|
||||
DuES/mnQVHKoiW9cTuMa8K64C70yHksJYgndSm56zSDTyNxMZQKX2Rt7JLQZTAPU
|
||||
XUu2PDcK9KmF+5ltbg==
|
||||
=puYU
|
||||
-----END PGP SIGNATURE-----
|
30
vsftpd-allow-dev-log-socket.patch
Normal file
30
vsftpd-allow-dev-log-socket.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From: mvyskocil@suse.com
|
||||
Subject: enable /dev/log related socket call
|
||||
|
||||
Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
|
||||
sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
|
||||
with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
|
||||
pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
|
||||
|
||||
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
|
||||
|
||||
Index: vsftpd-3.0.5/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/seccompsandbox.c 2022-02-02 11:03:38.133860169 +0100
|
||||
+++ vsftpd-3.0.5/seccompsandbox.c 2022-02-02 11:03:38.177859528 +0100
|
||||
@@ -366,6 +366,15 @@ seccomp_sandbox_init()
|
||||
{
|
||||
bug("bad state in seccomp_sandbox_init");
|
||||
}
|
||||
+
|
||||
+ //this is very probably an attempt to open /dev/log
|
||||
+ //it fails because process cannot open any file, so it might be safe
|
||||
+ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
|
||||
+ allow_nr_3_arg_match(__NR_socket,
|
||||
+ 1, PF_FILE,
|
||||
+ 2, SOCK_DGRAM | SOCK_CLOEXEC,
|
||||
+ 3, 0);
|
||||
+
|
||||
}
|
||||
|
||||
void
|
14
vsftpd-append-seek-pipe.patch
Normal file
14
vsftpd-append-seek-pipe.patch
Normal file
@ -0,0 +1,14 @@
|
||||
Index: vsftpd-3.0.2/sysutil.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/sysutil.c
|
||||
+++ vsftpd-3.0.2/sysutil.c
|
||||
@@ -490,7 +490,8 @@ vsf_sysutil_lseek_end(const int fd)
|
||||
{
|
||||
filesize_t retval;
|
||||
retval = lseek(fd, 0, SEEK_END);
|
||||
- if (retval < 0)
|
||||
+ /* Ignore ESPIPE to allow append to fifos */
|
||||
+ if (retval < 0 && errno != ESPIPE)
|
||||
{
|
||||
die("lseek");
|
||||
}
|
19
vsftpd-avoid-bogus-ssl-write.patch
Normal file
19
vsftpd-avoid-bogus-ssl-write.patch
Normal file
@ -0,0 +1,19 @@
|
||||
Index: vsftpd-3.0.2/utility.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/utility.c
|
||||
+++ vsftpd-3.0.2/utility.c
|
||||
@@ -104,11 +104,13 @@ bug(const char* p_text)
|
||||
{
|
||||
if (s_p_sess->ssl_slave_active)
|
||||
{
|
||||
+ /* Write error through ssl_slave process */
|
||||
priv_sock_send_cmd(s_p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP);
|
||||
priv_sock_send_buf(s_p_sess->ssl_consumer_fd, text_buffer, text_len);
|
||||
}
|
||||
- else
|
||||
+ else if (s_p_sess->p_control_ssl)
|
||||
{
|
||||
+ /* From ssl_slave write the message directly */
|
||||
(void)ssl_write(s_p_sess->p_control_ssl, text_buffer, text_len);
|
||||
}
|
||||
}
|
155
vsftpd-die-with-session.patch
Normal file
155
vsftpd-die-with-session.patch
Normal file
@ -0,0 +1,155 @@
|
||||
Index: vsftpd-3.0.2/main.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/main.c
|
||||
+++ vsftpd-3.0.2/main.c
|
||||
@@ -155,6 +155,9 @@ main(int argc, const char* argv[])
|
||||
the_session.num_clients = ret.num_children;
|
||||
the_session.num_this_ip = ret.num_this_ip;
|
||||
}
|
||||
+
|
||||
+ die_init(&the_session);
|
||||
+
|
||||
if (tunable_tcp_wrappers)
|
||||
{
|
||||
the_session.tcp_wrapper_ok = vsf_tcp_wrapper_ok(VSFTP_COMMAND_FD);
|
||||
Index: vsftpd-3.0.2/utility.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/utility.c
|
||||
+++ vsftpd-3.0.2/utility.c
|
||||
@@ -9,9 +9,22 @@
|
||||
#include "sysutil.h"
|
||||
#include "str.h"
|
||||
#include "defs.h"
|
||||
+#include "session.h"
|
||||
+#include "tunables.h"
|
||||
+#include "privsock.h"
|
||||
+#include "ssl.h"
|
||||
+#include <stdio.h>
|
||||
|
||||
#define DIE_DEBUG
|
||||
|
||||
+static struct vsf_session *s_p_sess = NULL;
|
||||
+
|
||||
+void
|
||||
+die_init(struct vsf_session *p_sess)
|
||||
+{
|
||||
+ s_p_sess = p_sess;
|
||||
+}
|
||||
+
|
||||
void
|
||||
die(const char* p_text)
|
||||
{
|
||||
@@ -40,12 +53,70 @@ die2(const char* p_text1, const char* p_
|
||||
void
|
||||
bug(const char* p_text)
|
||||
{
|
||||
+ /* Detect calls caused by failed logging from bug() itself
|
||||
+ * to prevent infinite loops */
|
||||
+ static int s_in_bug = 0;
|
||||
+ const unsigned int buffer_size = 256;
|
||||
+ char text_buffer[buffer_size];
|
||||
+ unsigned int text_len;
|
||||
+
|
||||
+ if (s_in_bug)
|
||||
+ return;
|
||||
+
|
||||
+ s_in_bug = 1;
|
||||
+
|
||||
+ if (s_p_sess)
|
||||
+ {
|
||||
+ /* Try to write the message to logs */
|
||||
+ if (s_p_sess->vsftpd_log_fd != -1)
|
||||
+ {
|
||||
+ snprintf(text_buffer, buffer_size,
|
||||
+ "%s vsftpd [pid %d]: \"%s\" from \"%s\": %s",
|
||||
+ vsf_sysutil_get_current_date(), vsf_sysutil_getpid(),
|
||||
+ str_getbuf(&s_p_sess->user_str),
|
||||
+ str_getbuf(&s_p_sess->remote_ip_str), p_text);
|
||||
+ text_len = vsf_sysutil_strlen(text_buffer);
|
||||
+ vsf_sysutil_write_loop(s_p_sess->vsftpd_log_fd, text_buffer, text_len);
|
||||
+ }
|
||||
+
|
||||
+ if (tunable_syslog_enable)
|
||||
+ {
|
||||
+ snprintf(text_buffer, buffer_size, "\"%s\" from \"%s\": %s",
|
||||
+ str_getbuf(&s_p_sess->user_str),
|
||||
+ str_getbuf(&s_p_sess->remote_ip_str), p_text);
|
||||
+ vsf_sysutil_syslog(text_buffer, 1);
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ /* dummy logging before the system is fully set up */
|
||||
+ if (tunable_syslog_enable)
|
||||
+ {
|
||||
+ vsf_sysutil_syslog(p_text, 1);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ snprintf(text_buffer, buffer_size, "500 OOPS: %s\r\n", p_text);
|
||||
+ text_len = vsf_sysutil_strlen(text_buffer);
|
||||
+
|
||||
/* Rats. Try and write the reason to the network for diagnostics */
|
||||
- vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
|
||||
- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "500 OOPS: ", 10);
|
||||
- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, p_text,
|
||||
- vsf_sysutil_strlen(p_text));
|
||||
- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "\r\n", 2);
|
||||
+ if (s_p_sess && s_p_sess->control_use_ssl)
|
||||
+ {
|
||||
+ if (s_p_sess->ssl_slave_active)
|
||||
+ {
|
||||
+ priv_sock_send_cmd(s_p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP);
|
||||
+ priv_sock_send_buf(s_p_sess->ssl_consumer_fd, text_buffer, text_len);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ (void)ssl_write(s_p_sess->p_control_ssl, text_buffer, text_len);
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
|
||||
+ (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, text_buffer, text_len);
|
||||
+ }
|
||||
vsf_sysutil_exit(2);
|
||||
}
|
||||
|
||||
Index: vsftpd-3.0.2/utility.h
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/utility.h
|
||||
+++ vsftpd-3.0.2/utility.h
|
||||
@@ -2,6 +2,18 @@
|
||||
#define VSF_UTILITY_H
|
||||
|
||||
struct mystr;
|
||||
+struct vsf_session;
|
||||
+
|
||||
+/* die_init
|
||||
+ * PURPOSE
|
||||
+ * Initialize static pointer to vsf_session used for
|
||||
+ * logging and SSL support used by die() and bug().
|
||||
+ * If not set (or set to NULL) only dummy write
|
||||
+ * to VSFTP_COMMAND_FD will be done.
|
||||
+ * PARAMETERS
|
||||
+ * p_sess - pointer to vsf_session or NULL
|
||||
+ */
|
||||
+void die_init(struct vsf_session *p_sess);
|
||||
|
||||
/* die()
|
||||
* PURPOSE
|
||||
Index: vsftpd-3.0.2/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/seccompsandbox.c
|
||||
+++ vsftpd-3.0.2/seccompsandbox.c
|
||||
@@ -556,6 +556,10 @@ seccomp_sandbox_setup_postlogin_broker()
|
||||
allow_nr(__NR_fchown);
|
||||
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
|
||||
}
|
||||
+ if (tunable_syslog_enable)
|
||||
+ {
|
||||
+ allow_nr_1_arg_match(__NR_sendto, 6, 0);
|
||||
+ }
|
||||
}
|
||||
|
||||
void
|
35
vsftpd-drop-newpid-from-clone.patch
Normal file
35
vsftpd-drop-newpid-from-clone.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From: Michal Vyskocil <mvyskocil@suse.cz>
|
||||
Subject: Drop CLONE_NEWPID from clone call
|
||||
|
||||
Kernel autid system prohibits the processes created with CLONE_NEWPID, so an
|
||||
attempt to log into ftp server ends with
|
||||
|
||||
audit_log_acct_message() failed: Operation not permitted
|
||||
|
||||
https://bugzilla.novell.com/show_bug.cgi?id=786024#c38
|
||||
|
||||
identified-by: Tony Jones <tonyj@suse.com>
|
||||
fixes: bnc#786024
|
||||
|
||||
Index: vsftpd-3.0.2/sysdeputil.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/sysdeputil.c
|
||||
+++ vsftpd-3.0.2/sysdeputil.c
|
||||
@@ -1272,7 +1272,7 @@ vsf_sysutil_fork_isolate_all_failok()
|
||||
if (cloneflags_work)
|
||||
{
|
||||
int ret = syscall(__NR_clone,
|
||||
- CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD,
|
||||
+ CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD,
|
||||
NULL);
|
||||
if (ret != -1 || (errno != EINVAL && errno != EPERM))
|
||||
{
|
||||
@@ -1295,7 +1295,7 @@ vsf_sysutil_fork_isolate_failok()
|
||||
static int cloneflags_work = 1;
|
||||
if (cloneflags_work)
|
||||
{
|
||||
- int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
|
||||
+ int ret = syscall(__NR_clone, CLONE_NEWIPC | SIGCHLD, NULL);
|
||||
if (ret != -1 || (errno != EINVAL && errno != EPERM))
|
||||
{
|
||||
if (ret == 0)
|
33
vsftpd-enable-dev-log-sendto.patch
Normal file
33
vsftpd-enable-dev-log-sendto.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From: mvyskocil@suse.com
|
||||
Subject: enable sendto to /dev/log
|
||||
|
||||
vsftpd is killed once a file is downloaded and it try to log the success to
|
||||
/dev/log. This patch enables a sendto on fd 4, in a case the syslog logging is
|
||||
enabled.
|
||||
|
||||
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=812406
|
||||
|
||||
---
|
||||
seccompsandbox.c | 17 +++++++++++++++--
|
||||
1 file changed, 15 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: vsftpd-3.0.2/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/seccompsandbox.c
|
||||
+++ vsftpd-3.0.2/seccompsandbox.c
|
||||
@@ -503,6 +501,15 @@ seccomp_sandbox_setup_postlogin(const st
|
||||
allow_nr(__NR_chmod);
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * MV: this enables logging to the syslog - the vsf_log_do_log are in postlogin.c and privops.c, but hopefully this is enough
|
||||
+ */
|
||||
+ if (tunable_syslog_enable)
|
||||
+ {
|
||||
+ allow_nr_1_arg_mask(__NR_sendto, 1, 4);
|
||||
+ }
|
||||
+
|
||||
}
|
||||
|
||||
void
|
44
vsftpd-enable-fcntl-f_setfl.patch
Normal file
44
vsftpd-enable-fcntl-f_setfl.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From: Michal Vyskocil <mvyskocil@suse.cz>
|
||||
Subject: Enable fcntl F_SETFL
|
||||
|
||||
The fcntl with F_SETFL is called from various parts of a vsftpd code, thus add
|
||||
it unconditionally to seccomp sandbox. I've failed to limit it more, however
|
||||
most arguments of F_SETFL are ignored on Linux and the remaining set seems to be
|
||||
safe.
|
||||
|
||||
fixes: bnc#786024
|
||||
|
||||
---
|
||||
seccompsandbox.c | 22 ++++++++++++++++++++++
|
||||
5 files changed, 45 insertions(+), 6 deletions(-)
|
||||
|
||||
Index: vsftpd-3.0.2/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/seccompsandbox.c
|
||||
+++ vsftpd-3.0.2/seccompsandbox.c
|
||||
@@ -306,6 +306,25 @@ seccomp_sandbox_setup_base()
|
||||
|
||||
/* Always need to be able to exit ! */
|
||||
allow_nr(__NR_exit_group);
|
||||
+
|
||||
+ /*
|
||||
+ * MV: this is needed for
|
||||
+ * vsf_sysutil_activate_noblock
|
||||
+ * vsf_sysutil_deactivate_noblock
|
||||
+ *
|
||||
+ * both called from various places (like all those die, bug in utilities),
|
||||
+ * so lets enable it by default
|
||||
+ */
|
||||
+ allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
|
||||
+ allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL);
|
||||
+
|
||||
+ /*
|
||||
+ * MV: this form have newer worked, neither with O_RDWR, O_RDWR|O_NONBLOCK
|
||||
+ * however fcntl(2) says that most of arguments to fcntl are ignored on Linux
|
||||
+ * thus this might be safe to do
|
||||
+ */
|
||||
+ //allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);
|
||||
+
|
||||
}
|
||||
|
||||
void
|
18
vsftpd-enable-gettimeofday-sec.patch
Normal file
18
vsftpd-enable-gettimeofday-sec.patch
Normal file
@ -0,0 +1,18 @@
|
||||
diff -urN vsftpd-3.0.2/seccompsandbox.c vsftpd-3.0.2.new/seccompsandbox.c
|
||||
--- vsftpd-3.0.2/seccompsandbox.c 2012-09-18 08:52:30.000000000 +0200
|
||||
+++ vsftpd-3.0.2.new/seccompsandbox.c 2014-04-10 14:55:30.855607231 +0200
|
||||
@@ -303,6 +303,14 @@
|
||||
allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
|
||||
allow_nr(__NR_restart_syscall);
|
||||
allow_nr(__NR_close);
|
||||
+
|
||||
+ /*
|
||||
+ * Calls to alarm and date
|
||||
+ * Seems to be some part of the logging
|
||||
+ * wrt bnc#870122
|
||||
+ */
|
||||
+ allow_nr(__NR_alarm);
|
||||
+ allow_nr(__NR_gettimeofday);
|
||||
|
||||
/* Always need to be able to exit ! */
|
||||
allow_nr(__NR_exit_group);
|
21
vsftpd-enable-sendto-for-prelogin-syslog.patch
Normal file
21
vsftpd-enable-sendto-for-prelogin-syslog.patch
Normal file
@ -0,0 +1,21 @@
|
||||
Enable sendto for syslog logging to /dev/log in prelogin
|
||||
|
||||
We write to log from check_limits() and therefore we have to allow
|
||||
sendto() for syslog otherwise sandbox will kill the child.
|
||||
|
||||
Index: vsftpd-3.0.2/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/seccompsandbox.c
|
||||
+++ vsftpd-3.0.2/seccompsandbox.c
|
||||
@@ -388,6 +388,11 @@ seccomp_sandbox_setup_prelogin(const str
|
||||
1, PF_FILE,
|
||||
2, SOCK_DGRAM | SOCK_CLOEXEC,
|
||||
3, 0);
|
||||
+ // allow syslog logs from check_limits()
|
||||
+ if (tunable_syslog_enable)
|
||||
+ {
|
||||
+ allow_nr_1_arg_match(__NR_sendto, 6, 0);
|
||||
+ }
|
||||
|
||||
}
|
||||
|
18
vsftpd-enable-syscalls-needed-by-sle15.patch
Normal file
18
vsftpd-enable-syscalls-needed-by-sle15.patch
Normal file
@ -0,0 +1,18 @@
|
||||
Index: vsftpd-3.0.3/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.3.orig/seccompsandbox.c 2018-04-25 06:34:52.154728803 +0000
|
||||
+++ vsftpd-3.0.3/seccompsandbox.c 2018-04-25 06:37:43.071314942 +0000
|
||||
@@ -306,6 +306,13 @@ seccomp_sandbox_setup_base()
|
||||
allow_nr(__NR_restart_syscall);
|
||||
allow_nr(__NR_close);
|
||||
|
||||
+ /* Required on SLE-15 because of changes in 3rd party libraries.
|
||||
+ * Reported in bsc#1089088.
|
||||
+ */
|
||||
+ allow_nr(__NR_wait4);
|
||||
+ allow_nr(__NR_sysinfo);
|
||||
+ allow_nr(__NR_shutdown);
|
||||
+
|
||||
/*
|
||||
* Calls to alarm and date
|
||||
* Seems to be some part of the logging
|
11
vsftpd-ls-memleak.patch
Normal file
11
vsftpd-ls-memleak.patch
Normal file
@ -0,0 +1,11 @@
|
||||
Index: vsftpd-2.0.7/ls.c
|
||||
===================================================================
|
||||
--- vsftpd-2.0.7.orig/ls.c
|
||||
+++ vsftpd-2.0.7/ls.c
|
||||
@@ -558,5 +559,6 @@ build_dir_line(struct mystr* p_str, cons
|
||||
/* Filename */
|
||||
str_append_str(p_str, p_filename_str);
|
||||
str_append_text(p_str, "\r\n");
|
||||
+ str_free(&s_tmp_str);
|
||||
}
|
||||
|
41
vsftpd-mdtm-in-utc.patch
Normal file
41
vsftpd-mdtm-in-utc.patch
Normal file
@ -0,0 +1,41 @@
|
||||
Index: vsftpd-3.0.2/postlogin.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/postlogin.c 2017-04-06 12:40:37.413294178 +0200
|
||||
+++ vsftpd-3.0.2/postlogin.c 2017-04-06 12:40:37.610294876 +0200
|
||||
@@ -1639,7 +1639,7 @@ handle_mdtm(struct vsf_session* p_sess)
|
||||
else
|
||||
{
|
||||
retval = vsf_sysutil_setmodtime(
|
||||
- str_getbuf(&p_sess->ftp_arg_str), modtime, tunable_use_localtime);
|
||||
+ str_getbuf(&p_sess->ftp_arg_str), modtime, 0);
|
||||
if (retval != 0)
|
||||
{
|
||||
vsf_cmdio_write(p_sess, FTP_FILEFAIL,
|
||||
@@ -1664,7 +1664,7 @@ handle_mdtm(struct vsf_session* p_sess)
|
||||
static struct mystr s_mdtm_res_str;
|
||||
str_alloc_text(&s_mdtm_res_str,
|
||||
vsf_sysutil_statbuf_get_numeric_date(
|
||||
- s_p_statbuf, tunable_use_localtime));
|
||||
+ s_p_statbuf, 0));
|
||||
vsf_cmdio_write_str(p_sess, FTP_MDTMOK, &s_mdtm_res_str);
|
||||
}
|
||||
}
|
||||
Index: vsftpd-3.0.2/vsftpd.conf.5
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/vsftpd.conf.5 2017-04-06 12:40:37.496294472 +0200
|
||||
+++ vsftpd-3.0.2/vsftpd.conf.5 2017-04-06 12:41:50.271557442 +0200
|
||||
@@ -556,9 +556,11 @@ may be found within the _current_ chroot
|
||||
Default: NO
|
||||
.TP
|
||||
.B use_localtime
|
||||
-If enabled, vsftpd will display directory listings with the time in your
|
||||
-local time zone. The default is to display GMT. The times returned by the
|
||||
-MDTM FTP command are also affected by this option.
|
||||
+If enabled, vsftpd will display directory listings with the time in your local
|
||||
+time zone. The default is to display GMT. Note that this setting will NOT
|
||||
+affect the times returned by the MDTM FTP command in this version of the
|
||||
+daemon. This behavior deviates from the upstream version, which violated
|
||||
+RFC3659 and subsequently caused problems with popular FTP clients.
|
||||
|
||||
Default: NO
|
||||
.TP
|
18
vsftpd-openlog-force.patch
Normal file
18
vsftpd-openlog-force.patch
Normal file
@ -0,0 +1,18 @@
|
||||
Force openlog() to open log immediately iff force!=0.
|
||||
Otherwise is log opened on first syslog() call which may be
|
||||
after the privileges are dropped and new file descriptors
|
||||
cannot be created.
|
||||
|
||||
Index: vsftpd-3.0.5/sysutil.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/sysutil.c 2022-02-01 19:38:36.487789134 +0100
|
||||
+++ vsftpd-3.0.5/sysutil.c 2022-02-01 19:44:08.787005494 +0100
|
||||
@@ -2700,7 +2700,7 @@ vsf_sysutil_openlog(int force)
|
||||
{
|
||||
int facility = LOG_DAEMON;
|
||||
int option = LOG_PID;
|
||||
- if (!force)
|
||||
+ if (force)
|
||||
{
|
||||
option |= LOG_NDELAY;
|
||||
}
|
171
vsftpd-path-normalize.patch
Normal file
171
vsftpd-path-normalize.patch
Normal file
@ -0,0 +1,171 @@
|
||||
Index: vsftpd-3.0.2/str.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/str.c
|
||||
+++ vsftpd-3.0.2/str.c
|
||||
@@ -16,6 +16,12 @@
|
||||
#define PRIVATE_HANDS_OFF_alloc_bytes alloc_bytes
|
||||
#include "str.h"
|
||||
|
||||
+/* normalize filepath */
|
||||
+#include <stdio.h>
|
||||
+#include <string.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <libgen.h>
|
||||
+
|
||||
/* Ick. Its for die() */
|
||||
#include "utility.h"
|
||||
#include "sysutil.h"
|
||||
@@ -781,3 +787,60 @@ str_basename (struct mystr* d_str, const
|
||||
if (str_isempty(d_str))
|
||||
str_copy (d_str, path);
|
||||
}
|
||||
+
|
||||
+void
|
||||
+str_normalize_filepath(struct mystr* filepath)
|
||||
+{
|
||||
+ char *path;
|
||||
+ char *normdir;
|
||||
+ char *dir;
|
||||
+ char *filename;
|
||||
+ static struct mystr tmp;
|
||||
+
|
||||
+ /* normalize filepath */
|
||||
+ path = str_strdup(filepath);
|
||||
+ if (path == NULL)
|
||||
+ {
|
||||
+ return;
|
||||
+ }
|
||||
+ char *ch1 = strdup(path);
|
||||
+ char *ch2 = strdup(path);
|
||||
+ if (ch1 == NULL || ch2 == NULL)
|
||||
+ {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ /* we split dir/file as realpath /home/REGEXP is NULL so we need dir
|
||||
+ * dir only to function correctly, later on we need to glue back the
|
||||
+ * file if there is some
|
||||
+ */
|
||||
+ dir = dirname(ch1);
|
||||
+ filename = basename(ch2);
|
||||
+ normdir = realpath(dir, NULL);
|
||||
+ if (normdir == NULL)
|
||||
+ {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ str_alloc_text(&tmp, normdir);
|
||||
+ unsigned int len = str_getlen(&tmp);
|
||||
+ if (str_get_char_at(&tmp, len - 1) != '/')
|
||||
+ {
|
||||
+ str_append_char(&tmp, '/');
|
||||
+ }
|
||||
+ /* / is special it ends in both dirname and basename so ignore it here */
|
||||
+ if (strcmp(filename, "/") != 0)
|
||||
+ {
|
||||
+ str_append_text(&tmp, filename);
|
||||
+ }
|
||||
+ /* TODO: here we should run one more stat to determine if the whole thing
|
||||
+ * is a directory and append trailing / (ie. /home -> /home/).
|
||||
+ * This will make the deny_file=/home/<REGEXP> work contrary to currently
|
||||
+ * needed /home<REGEXP>.
|
||||
+ */
|
||||
+ str_copy(filepath, &tmp);
|
||||
+ free(normdir);
|
||||
+ str_free(&tmp);
|
||||
+out:
|
||||
+ free(path);
|
||||
+ free(ch1);
|
||||
+ free(ch2);
|
||||
+}
|
||||
Index: vsftpd-3.0.2/str.h
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/str.h
|
||||
+++ vsftpd-3.0.2/str.h
|
||||
@@ -102,6 +102,7 @@ int str_atoi(const struct mystr* p_str);
|
||||
filesize_t str_a_to_filesize_t(const struct mystr* p_str);
|
||||
unsigned int str_octal_to_uint(const struct mystr* p_str);
|
||||
void str_basename (struct mystr* d_str, const struct mystr* path);
|
||||
+void str_normalize_filepath(struct mystr* filepath);
|
||||
|
||||
/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
|
||||
* buffer, starting at character position 'p_pos'. The extracted line will
|
||||
Index: vsftpd-3.0.2/ls.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/ls.c
|
||||
+++ vsftpd-3.0.2/ls.c
|
||||
@@ -117,11 +117,13 @@ vsf_ls_populate_dir_list(struct mystr_li
|
||||
{
|
||||
continue;
|
||||
}
|
||||
+ str_copy(&s_next_path_and_filename_str, &normalised_base_dir_str);
|
||||
+ str_append_str(&s_next_path_and_filename_str, &s_next_filename_str);
|
||||
/* If we have an ls option which is a filter, apply it */
|
||||
if (!str_isempty(p_filter_str))
|
||||
{
|
||||
unsigned int iters = 0;
|
||||
- if (!vsf_filename_passes_filter(&s_next_filename_str, p_filter_str,
|
||||
+ if (!vsf_filename_passes_filter(&s_next_path_and_filename_str, p_filter_str,
|
||||
&iters))
|
||||
{
|
||||
continue;
|
||||
@@ -130,8 +132,6 @@ vsf_ls_populate_dir_list(struct mystr_li
|
||||
/* Calculate the full path (relative to CWD) for lstat() and
|
||||
* output purposes
|
||||
*/
|
||||
- str_copy(&s_next_path_and_filename_str, &normalised_base_dir_str);
|
||||
- str_append_str(&s_next_path_and_filename_str, &s_next_filename_str);
|
||||
if (do_stat)
|
||||
{
|
||||
/* lstat() the file. Of course there's a race condition - the
|
||||
@@ -239,6 +239,7 @@ vsf_filename_passes_filter(const struct
|
||||
* for /a/?/c will not.
|
||||
*/
|
||||
struct mystr filter_remain_str = INIT_MYSTR;
|
||||
+ struct mystr basic_name_str = INIT_MYSTR;
|
||||
struct mystr name_remain_str = INIT_MYSTR;
|
||||
struct mystr temp_str = INIT_MYSTR;
|
||||
struct mystr brace_list_str = INIT_MYSTR;
|
||||
@@ -249,27 +250,29 @@ vsf_filename_passes_filter(const struct
|
||||
int matched = 0;
|
||||
|
||||
str_copy(&filter_remain_str, p_filter_str);
|
||||
+ str_copy(&basic_name_str, p_filename_str);
|
||||
+ str_normalize_filepath(&basic_name_str);
|
||||
|
||||
- if (!str_isempty (&filter_remain_str) && !str_isempty(p_filename_str)) {
|
||||
+ if (!str_isempty (&filter_remain_str) && !str_isempty(&basic_name_str)) {
|
||||
if (str_get_char_at(p_filter_str, 0) == '/') {
|
||||
- if (str_get_char_at(p_filename_str, 0) != '/') {
|
||||
+ if (str_get_char_at(&basic_name_str, 0) != '/') {
|
||||
str_getcwd (&name_remain_str);
|
||||
|
||||
if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
|
||||
str_append_char (&name_remain_str, '/');
|
||||
|
||||
- str_append_str (&name_remain_str, p_filename_str);
|
||||
+ str_append_str (&name_remain_str, &basic_name_str);
|
||||
}
|
||||
else
|
||||
- str_copy (&name_remain_str, p_filename_str);
|
||||
+ str_copy (&name_remain_str, &basic_name_str);
|
||||
} else {
|
||||
if (str_get_char_at(p_filter_str, 0) != '{')
|
||||
- str_basename (&name_remain_str, p_filename_str);
|
||||
+ str_basename (&name_remain_str, &basic_name_str);
|
||||
else
|
||||
- str_copy (&name_remain_str, p_filename_str);
|
||||
+ str_copy (&name_remain_str, &basic_name_str);
|
||||
}
|
||||
} else
|
||||
- str_copy(&name_remain_str, p_filename_str);
|
||||
+ str_copy(&name_remain_str, &basic_name_str);
|
||||
|
||||
while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
|
||||
{
|
||||
@@ -475,6 +475,7 @@ vsf_filename_passes_filter(const struct
|
||||
}
|
||||
out:
|
||||
str_free(&filter_remain_str);
|
||||
+ str_free(&basic_name_str);
|
||||
str_free(&name_remain_str);
|
||||
str_free(&temp_str);
|
||||
str_free(&brace_list_str);
|
112
vsftpd-root-squashed-chroot.patch
Normal file
112
vsftpd-root-squashed-chroot.patch
Normal file
@ -0,0 +1,112 @@
|
||||
---
|
||||
parseconf.c | 1 +
|
||||
secutil.c | 6 ++++--
|
||||
secutil.h | 2 ++
|
||||
tunables.c | 2 ++
|
||||
tunables.h | 1 +
|
||||
twoprocess.c | 6 ++++++
|
||||
vsftpd.conf | 4 ++++
|
||||
vsftpd.conf.5 | 7 +++++++
|
||||
8 files changed, 27 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: vsftpd-3.0.2/tunables.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/tunables.c
|
||||
+++ vsftpd-3.0.2/tunables.c
|
||||
@@ -88,6 +88,7 @@ int tunable_ftp_enable;
|
||||
int tunable_http_enable;
|
||||
int tunable_seccomp_sandbox;
|
||||
int tunable_allow_writeable_chroot;
|
||||
+int tunable_allow_root_squashed_chroot;
|
||||
|
||||
unsigned int tunable_accept_timeout;
|
||||
unsigned int tunable_connect_timeout;
|
||||
@@ -228,6 +229,7 @@ tunables_load_defaults()
|
||||
tunable_http_enable = 0;
|
||||
tunable_seccomp_sandbox = 1;
|
||||
tunable_allow_writeable_chroot = 0;
|
||||
+ tunable_allow_root_squashed_chroot = 0;
|
||||
|
||||
tunable_accept_timeout = 60;
|
||||
tunable_connect_timeout = 60;
|
||||
Index: vsftpd-3.0.2/tunables.h
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/tunables.h
|
||||
+++ vsftpd-3.0.2/tunables.h
|
||||
@@ -89,6 +89,7 @@ extern int tunable_ftp_enable;
|
||||
extern int tunable_http_enable; /* Allow HTTP protocol */
|
||||
extern int tunable_seccomp_sandbox; /* seccomp filter sandbox */
|
||||
extern int tunable_allow_writeable_chroot; /* Allow misconfiguration */
|
||||
+extern int tunable_allow_root_squashed_chroot;/* Allow chroot on squashed root nfs */
|
||||
|
||||
/* Integer/numeric defines */
|
||||
extern unsigned int tunable_accept_timeout;
|
||||
Index: vsftpd-3.0.2/parseconf.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/parseconf.c
|
||||
+++ vsftpd-3.0.2/parseconf.c
|
||||
@@ -107,6 +107,7 @@ parseconf_bool_array[] =
|
||||
{ "http_enable", &tunable_http_enable },
|
||||
{ "seccomp_sandbox", &tunable_seccomp_sandbox },
|
||||
{ "allow_writeable_chroot", &tunable_allow_writeable_chroot },
|
||||
+ { "allow_root_squashed_chroot", &tunable_allow_root_squashed_chroot },
|
||||
{ 0, 0 }
|
||||
};
|
||||
|
||||
Index: vsftpd-3.0.2/twoprocess.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/twoprocess.c
|
||||
+++ vsftpd-3.0.2/twoprocess.c
|
||||
@@ -164,6 +164,9 @@ drop_all_privs(void)
|
||||
{
|
||||
str_alloc_text(&dir_str, tunable_secure_chroot_dir);
|
||||
}
|
||||
+ if (tunable_allow_root_squashed_chroot) {
|
||||
+ option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
|
||||
+ }
|
||||
/* Be kind: give good error message if the secure dir is missing */
|
||||
{
|
||||
struct vsf_sysutil_statbuf* p_statbuf = 0;
|
||||
@@ -453,6 +456,9 @@ common_do_login(struct vsf_session* p_se
|
||||
{
|
||||
secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;
|
||||
}
|
||||
+ if (do_chroot && tunable_allow_root_squashed_chroot) {
|
||||
+ secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
|
||||
+ }
|
||||
calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
|
||||
p_user_str, p_orig_user_str);
|
||||
vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
|
||||
Index: vsftpd-3.0.2/vsftpd.conf.5
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/vsftpd.conf.5
|
||||
+++ vsftpd-3.0.2/vsftpd.conf.5
|
||||
@@ -42,6 +42,13 @@ connections.
|
||||
|
||||
Default: NO
|
||||
.TP
|
||||
+.B allow_root_squashed_chroot
|
||||
+If set to YES, chroot is called with non-root credentials. This enabled chroot
|
||||
+on squashed nfs. This option is applied only if chroot is performed, otherwise
|
||||
+ignored.
|
||||
+
|
||||
+Default: NO
|
||||
+.TP
|
||||
.B anon_mkdir_write_enable
|
||||
If set to YES, anonymous users will be permitted to create new directories
|
||||
under certain conditions. For this to work, the option
|
||||
Index: vsftpd-3.0.2/vsftpd.conf
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/vsftpd.conf
|
||||
+++ vsftpd-3.0.2/vsftpd.conf
|
||||
@@ -64,6 +64,10 @@ local_enable=YES
|
||||
# (default follows)
|
||||
#chroot_list_file=/etc/vsftpd.chroot_list
|
||||
#
|
||||
+# Performs chroot with original (non-root) credentials. This is usefull on nfs with squash_root,
|
||||
+# where root becomes nobody and would need -x access.
|
||||
+#allow_root_squashed_chroot=YES
|
||||
+#
|
||||
# The maximum data transfer rate permitted, in bytes per second, for
|
||||
# local authenticated users. The default is 0 (unlimited).
|
||||
#local_max_rate=7200
|
15
vsftpd-seccomp-getrandom.patch
Normal file
15
vsftpd-seccomp-getrandom.patch
Normal file
@ -0,0 +1,15 @@
|
||||
Index: vsftpd-3.0.5/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/seccompsandbox.c 2022-02-01 19:47:13.916340458 +0100
|
||||
+++ vsftpd-3.0.5/seccompsandbox.c 2022-02-01 19:51:24.196737535 +0100
|
||||
@@ -406,6 +406,10 @@ seccomp_sandbox_setup_prelogin(const str
|
||||
{
|
||||
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
|
||||
allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
|
||||
+ // called from openssl's RAND_poll which is invoked in FIPS mode when the DRBG is seeded
|
||||
+ allow_nr(__NR_getrandom);
|
||||
+ allow_nr_1_arg_mask(__NR_open, 2, O_RDONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC);
|
||||
+ allow_nr(__NR_getuid);
|
||||
}
|
||||
if (tunable_syslog_enable)
|
||||
{
|
15
vsftpd-seccomp-ssl.patch
Normal file
15
vsftpd-seccomp-ssl.patch
Normal file
@ -0,0 +1,15 @@
|
||||
SSL initialization calls RAND_load_file() which needs stat() enabled.
|
||||
|
||||
Index: vsftpd-3.0.3/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.3.orig/seccompsandbox.c 2021-12-21 15:33:01.491786690 +0100
|
||||
+++ vsftpd-3.0.3/seccompsandbox.c 2021-12-21 15:33:01.499786535 +0100
|
||||
@@ -559,6 +559,8 @@ seccomp_sandbox_setup_postlogin_broker()
|
||||
allow_nr(__NR_fstat);
|
||||
allow_nr(__NR_fchown);
|
||||
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
|
||||
+ // called by RAND_load_file
|
||||
+ allow_nr(__NR_stat);
|
||||
}
|
||||
if (tunable_syslog_enable)
|
||||
{
|
14
vsftpd-seccomp-wait4.patch
Normal file
14
vsftpd-seccomp-wait4.patch
Normal file
@ -0,0 +1,14 @@
|
||||
Broker has to wait for its child.
|
||||
|
||||
Index: vsftpd-3.0.2/seccompsandbox.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.2.orig/seccompsandbox.c
|
||||
+++ vsftpd-3.0.2/seccompsandbox.c
|
||||
@@ -540,6 +540,7 @@ seccomp_sandbox_setup_postlogin_broker()
|
||||
seccomp_sandbox_setup_base();
|
||||
seccomp_sandbox_setup_data_connections();
|
||||
allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
|
||||
+ allow_nr(__NR_wait4);
|
||||
if (tunable_chown_uploads)
|
||||
{
|
||||
allow_nr(__NR_fstat);
|
18
vsftpd-support-dsa-only-setups.patch
Normal file
18
vsftpd-support-dsa-only-setups.patch
Normal file
@ -0,0 +1,18 @@
|
||||
Index: vsftpd-3.0.3/vsftpd.conf
|
||||
===================================================================
|
||||
--- vsftpd-3.0.3.orig/vsftpd.conf 2018-06-21 11:01:12.125258812 +0000
|
||||
+++ vsftpd-3.0.3/vsftpd.conf 2018-06-21 11:04:43.355979116 +0000
|
||||
@@ -188,8 +188,12 @@ listen=NO
|
||||
# Make sure, that one of the listen options is commented !!
|
||||
listen_ipv6=YES
|
||||
#
|
||||
-# Set to ssl_enable=YES if you want to enable SSL
|
||||
+# Set "ssl_enable=YES" to enable SSL support and configure the location of
|
||||
+# your local certificate (RSA, DSA, or both). Note that vsftpd won't start
|
||||
+# if either of the "xxx_cert_file" options sets a path that doesn't exist.
|
||||
ssl_enable=NO
|
||||
+rsa_cert_file=
|
||||
+dsa_cert_file=
|
||||
#
|
||||
# Limit passive ports to this range to assis firewalling
|
||||
pasv_min_port=30000
|
30
vsftpd-use-system-wide-crypto-policy.patch
Normal file
30
vsftpd-use-system-wide-crypto-policy.patch
Normal file
@ -0,0 +1,30 @@
|
||||
Index: vsftpd-3.0.5/tunables.c
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/tunables.c
|
||||
+++ vsftpd-3.0.5/tunables.c
|
||||
@@ -295,7 +295,7 @@ tunables_load_defaults()
|
||||
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
|
||||
&tunable_rsa_cert_file);
|
||||
install_str_setting(0, &tunable_dsa_cert_file);
|
||||
- install_str_setting("DEFAULT_SUSE", &tunable_ssl_ciphers);
|
||||
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
|
||||
install_str_setting(0, &tunable_rsa_private_key_file);
|
||||
install_str_setting(0, &tunable_dsa_private_key_file);
|
||||
install_str_setting(0, &tunable_ca_certs_file);
|
||||
Index: vsftpd-3.0.5/vsftpd.conf.5
|
||||
===================================================================
|
||||
--- vsftpd-3.0.5.orig/vsftpd.conf.5
|
||||
+++ vsftpd-3.0.5/vsftpd.conf.5
|
||||
@@ -1024,7 +1024,11 @@ man page for further details. Note that
|
||||
security precaution as it prevents malicious remote parties forcing a cipher
|
||||
which they have found problems with.
|
||||
|
||||
-Default: DEFAULT_SUSE
|
||||
+By default, the system-wide crypto policy is used. See
|
||||
+.BR update-crypto-policies(8)
|
||||
+for further details.
|
||||
+
|
||||
+Default: PROFILE=SYSTEM
|
||||
.TP
|
||||
.B ssl_sni_hostname
|
||||
If set, SSL connections will be rejected unless the SNI hostname in the
|
1334
vsftpd.changes
Normal file
1334
vsftpd.changes
Normal file
File diff suppressed because it is too large
Load Diff
17
vsftpd.firewall
Normal file
17
vsftpd.firewall
Normal file
@ -0,0 +1,17 @@
|
||||
## Name: vsftpd Server
|
||||
## Description: Opens ports for vsftpd Server.
|
||||
|
||||
# space separated list of allowed TCP ports
|
||||
TCP="ftp 30000:30100"
|
||||
|
||||
# space separated list of allowed UDP ports
|
||||
UDP=""
|
||||
|
||||
# space separated list of allowed RPC services
|
||||
RPC=""
|
||||
|
||||
# space separated list of allowed IP protocols
|
||||
IP=""
|
||||
|
||||
# space separated list of allowed UDP broadcast ports
|
||||
BROADCAST=""
|
8
vsftpd.firewalld
Normal file
8
vsftpd.firewalld
Normal file
@ -0,0 +1,8 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<service>
|
||||
<short>vsftpd ports</short>
|
||||
<description>vsftpd ports for both active and passive connections</description>
|
||||
<port protocol="tcp" port="21"/> <!-- control connection port -->
|
||||
<port protocol="tcp" port="30000-30100"/> <!-- passive mode port range -->
|
||||
</service>
|
||||
|
16
vsftpd.ftpusers
Normal file
16
vsftpd.ftpusers
Normal file
@ -0,0 +1,16 @@
|
||||
#
|
||||
# ftpusers This file describes the names of the users that may
|
||||
# _*NOT*_ log into the system via the FTP server.
|
||||
# This usually includes "root", "uucp", "news" and the
|
||||
# like, because those users have too much power to be
|
||||
# allowed to do "just" FTP...
|
||||
#
|
||||
adm
|
||||
bin
|
||||
daemon
|
||||
games
|
||||
mail
|
||||
news
|
||||
nobody
|
||||
root
|
||||
uucp
|
107
vsftpd.init
Normal file
107
vsftpd.init
Normal file
@ -0,0 +1,107 @@
|
||||
#! /bin/sh
|
||||
# Copyright (c) 1995-2005 SUSE Linux GmbH, Nuernberg, Germany.
|
||||
# All rights reserved.
|
||||
#
|
||||
# Author: Mads Martin Joergensen
|
||||
#
|
||||
# /etc/init.d/vsftpd
|
||||
# and its symbolic link
|
||||
# /usr/sbin/rcvsftpd
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: ftpd
|
||||
# Required-Start: $local_fs $remote_fs $syslog network-remotefs
|
||||
# Required-Stop: $local_fs $remote_fs $syslog network-remotefs
|
||||
# Default-Start: 3 5
|
||||
# Default-Stop: 0 1 2 6
|
||||
# Description: very secure ftp daemon
|
||||
# Short-Description: very secure ftp daemon
|
||||
### END INIT INFO
|
||||
# Note on runlevels:
|
||||
# 0 - halt/poweroff 6 - reboot
|
||||
# 1 - single user 2 - multiuser without network exported
|
||||
# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
|
||||
#
|
||||
# Note on script names:
|
||||
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
|
||||
# A registry has been set up to manage the init script namespace.
|
||||
# http://www.lanana.org/
|
||||
# Please use the names already registered or register one or use a
|
||||
# vendor prefix.
|
||||
|
||||
VSFTPD_BIN=/usr/sbin/vsftpd
|
||||
test -x $VSFTPD_BIN || { echo "$VSFTPD_BIN not installed";
|
||||
if [ "$1" = "stop" ]; then exit 0;
|
||||
else exit 5; fi; }
|
||||
|
||||
. /etc/rc.status
|
||||
|
||||
rc_reset
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
echo -n "Starting vsftpd "
|
||||
/sbin/startproc -l /var/log/rcvsftp.log $VSFTPD_BIN
|
||||
rc_status -v
|
||||
;;
|
||||
stop)
|
||||
echo -n "Shutting down vsftpd "
|
||||
/sbin/killproc -TERM $VSFTPD_BIN
|
||||
rc_status -v
|
||||
;;
|
||||
try-restart|condrestart)
|
||||
## Do a restart only if the service was active before.
|
||||
## Note: try-restart is now part of LSB (as of 1.9).
|
||||
## RH has a similar command named condrestart.
|
||||
if test "$1" = "condrestart"; then
|
||||
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
|
||||
fi
|
||||
$0 status
|
||||
if test $? = 0; then
|
||||
$0 restart
|
||||
else
|
||||
rc_reset # Not running is not a failure.
|
||||
fi
|
||||
|
||||
rc_status
|
||||
;;
|
||||
restart)
|
||||
$0 stop
|
||||
$0 start
|
||||
rc_status
|
||||
;;
|
||||
force-reload)
|
||||
echo -n "Reload service vsftpd "
|
||||
/sbin/killproc -HUP $VSFTPD_BIN
|
||||
rc_status -v
|
||||
;;
|
||||
reload)
|
||||
echo -n "Reload service vsftpd "
|
||||
/sbin/killproc -HUP $VSFTPD_BIN
|
||||
rc_status -v
|
||||
;;
|
||||
status)
|
||||
echo -n "Checking for service vsftpd "
|
||||
/sbin/checkproc $VSFTPD_BIN
|
||||
rc_status -v
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
rc_exit
|
52
vsftpd.keyring
Normal file
52
vsftpd.keyring
Normal file
@ -0,0 +1,52 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBGCyyncBEADCkx7Uh4mO2Q590LFi7gCh+Ivm1MqsK+pBXmIiIMBPFLMKqmji
|
||||
boJiJFu4QcB/ZJZOLVBKKwbQfN/7IeulNkrvMhnu+jJizz0hUDDLQjuoScx53+MW
|
||||
zwIPhI7OAJ6kurlHo0b1wvNnJD5ENmwxrOTYL5bHxut/05a+uTaruPFQPNOMYMzs
|
||||
rOvIZrzv0lcW/8ZL4tAFvlkogfiGNC9Vfxy4Px8lyVhhfiVzVY3+UNJMM69n6QAt
|
||||
kUH07xpV+vn7I3lD4dZM96zFnrXuQhwJba3fbCY9vFN0NDRVdF3tYl2xwJhXMJtM
|
||||
jtQ1Tw9ykRMPsLlaiow0/uW3mYrTYjDP12VxukCEg6a240mhT4jAVA4cSoOCdGBJ
|
||||
AZCQk5SLbr/MwikggUyS9Fu3d10WKUSyQFS8NWQGHpaFSIIp3T/dGTe6fprhXzFo
|
||||
vvLv26OCFNvn4vTHz4lMzZZJjYLNtlcriJoSPCCe8/fI9BmgARmFxiKgY5ENQOrY
|
||||
cZUJJ3sHre52aqCETgz+w8j5o/cAU8iizlYxYsJK/Y+QXlVIzyV8oQGm/jvXhrhi
|
||||
CgB4xx96cthfolv2Lj+Dz90d/MYKB3suX38Q1ZNhxCZjIcoE+dcn+uGHUqzm4sot
|
||||
gN37P1Xfijn15L2cHoV1itasVlOc92HrEUEaBWpB6QXF6nEYkkgA2agnMwARAQAB
|
||||
tCNDaHJpcyBFdmFucyA8c2NhcnliZWFzdHNAZ21haWwuY29tPokCVAQTAQgAPhYh
|
||||
BGeiq09B+ZcsIfa/ZnuJARvK4c/qBQJgssp3AhsDBQkSzAMABQsJCAcCBhUKCQgL
|
||||
AgQWAgMBAh4BAheAAAoJEHuJARvK4c/qW6QP/2dZFkqxQl7hGJizaGIMCHXV1R2G
|
||||
0r1S3GyVSRZEUWuVvv2UMjxYx6DZhhoaTGRNi0gXVrTVL3FG8yBfLN2LQQCSXK4k
|
||||
eee8FIXSp1LhwciAJKN+Z5nc0i7R6Qy6cIvc82DO6Y4FaMJZoO5lWbl1WjEYO/oN
|
||||
NJAp7U3J+BWYKTzIB+Nh2vaapzj2XrNB6dh3ry2nj7yZmerPquYtXsuNRfi/c/Z0
|
||||
2t+TiSEFZW83/NZFGbDhhzWB19TMFM5oUpSBH6Yw02ASseaZBRBK0gLhfKGEnf2W
|
||||
KgrwcGd41kMxia6UsrXiG3ZjDR+gF/sed93ZdLWpyYxN4DinirCt/+i1/L5RWCSg
|
||||
Xus1SviMmnTfhB7WB+WfrIauLpPZOZhdLc3vSBdBmOZ6+p0qLQC2eK2rehM6kQzw
|
||||
nd9vmCtws2l5HGsBngrBEIkXsPVSVZKEUB8xH57nbIzn7igsUgrTBdz8K61oMaAu
|
||||
iEZzRJ35P81B3uJqZyqjkONm/1J9d081V2aiASJw/vfiAEkjpws488ZWkg9FFSFJ
|
||||
VqvAUu6p/g152GP+vatqFT1sH8zxXLLrwGlcktZFNfTYSnscQ9NU/L761anjrgM4
|
||||
Oi7ks4jLq91vwvxW9E9TNyuMUJj85412xPIwx1o1+fKGwzi1d+01uQ73aPmp6Z4l
|
||||
idE6tmV5wVSuMGSCuQINBGCyyncBEADIM7Z+1GxMvEtKRyWukfL5w8C4Bqid6M7N
|
||||
yCCs8bT1lunc7/weiNCOFigZDfAaSoFQpVe22YZABeWD/wO0iY9x+wOwpnsGhmC9
|
||||
7H/c0+g4IT7fKkaNVMbvUGfo9dWrXD2gtFzZJruMnPbj0HeFqSHvkGbMM7dLyMlF
|
||||
K295F901iFvvfw7jSQyVGVS97i7swXj9F/O13jedIbh+3TWdkKk/YqmMsETjkcOe
|
||||
UvmY7P7pTKEpdimvY2I1B8PsBJkyjdZA8G+eiG1STa0+Vj4yVtMJodKJDJbY6+y7
|
||||
M9hajCdUTplLWTbxzPMo54KjTOzyLVT7mfugUlS7WQWrVWVtvScJsvaec95+p/Bx
|
||||
UdJVwylVjQrxJxI8Bk2yrIgu7/rj+uYGV5+TNKjJWFkQw0YDJ1NkcvVjU7WIwNCl
|
||||
X6s5s/tuX+yzUA+DBSHx0WuqtGWYaFgXeO/pWPidc8ovYFVIAr3QB76AeEL3ZJj3
|
||||
ttN5jk96zOlaVxOOlEC6zX5TJ7Z+aQHBPq8RN/G8o99sOdx5QuKqvhHe8673eIMY
|
||||
CWPgNSSMJ/7I5IBLsIfIv2UWgLPPHS8s/HTwPacU0/L4pahh553uAhC4QP7BPkYw
|
||||
p4KXGasR3v9YxuSa33IraJALC6eF2t3L0CLUMzsc0pgLCmGqzskbrP8p0daBjFCS
|
||||
KofV+jOiQQARAQABiQI8BBgBCAAmFiEEZ6KrT0H5lywh9r9me4kBG8rhz+oFAmCy
|
||||
yncCGwwFCRLMAwAACgkQe4kBG8rhz+qDNRAAsG3lta/eQ+yWTHCXxXYfw94jm/bx
|
||||
XFUcvSOwjO+vB5tCt8Q0JmxoZ6PDD/bkcGSDz8FHjhxiIGYKPQiyu7jeZDAijBzu
|
||||
MLf3yGuubM6SUoXB1olkTbs9DTSFdTPqbM8eYn14CVHk19w/in/Oe11BD0I7D4Qg
|
||||
bkjIAkIKf01AxbcLFKOMihqhSEIEeqP70DIP8hT3arefk2wgEKG108SOzCPD1YQ7
|
||||
sEkYX2lRXjqBefHmIGLVllF3v+jUHYFIVz62i/OVMBHXF0D9Qn39cE5e94VdRZIf
|
||||
0hdizes1w48o9DxVSs+5TTtuLfFtsY+22OqZZ1cxXrdNUBCB4XEllrDdu58Qr7No
|
||||
fpDPDB4AVatWkpB288C/USl1UJgvhuvZs1AKChi9egfoMJczkZMvgQeiKagQkyeb
|
||||
l/W7vT3wX4R2WvcM4n6rlPkvRNvO+jw9owSDWuF+6iB0DWEpv5hMjPEfTBv0sYTH
|
||||
T/sOcV7vKV9Q6JsQwvfOagI9OAkXbxbjpbQgk/jlaaz/9+5wIy2vvW69Nh7ZfFNO
|
||||
RU1GhwNbghLwbHF7rrGvpwlV9hwpaMYcplvkW9bMgjPGpwxecE1zDdhO8Zq9QXyb
|
||||
dvDqRPNAqsWd/LwwqRpG36/YI4f5Pdv38W9/HoXlqj9+Uaa/TyDl9TIlBCYcnrzM
|
||||
SEfMQy8pH/YWOBk=
|
||||
=QcZC
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
14
vsftpd.logrotate
Normal file
14
vsftpd.logrotate
Normal file
@ -0,0 +1,14 @@
|
||||
/var/log/vsftpd.log {
|
||||
compress
|
||||
dateext
|
||||
maxage 365
|
||||
rotate 99
|
||||
size +1024k
|
||||
notifempty
|
||||
missingok
|
||||
create 600 root root
|
||||
sharedscripts
|
||||
postrotate
|
||||
pgrep vsftpd && killall -HUP vsftpd || exit 0
|
||||
endscript
|
||||
}
|
16
vsftpd.pam
Normal file
16
vsftpd.pam
Normal file
@ -0,0 +1,16 @@
|
||||
#%PAM-1.0
|
||||
|
||||
# Uncomment this to achieve what used to be ftpd -A.
|
||||
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail
|
||||
|
||||
auth required pam_listfile.so item=user sense=deny file=/etc/vftpd/ftpusers onerr=succeed
|
||||
# Uncomment the following line for anonymous ftp.
|
||||
#auth sufficient pam_ftp.so
|
||||
auth required pam_shells.so
|
||||
auth include common-auth
|
||||
account include common-account
|
||||
password include common-password
|
||||
session required pam_keyinit.so force revoke
|
||||
session required pam_loginuid.so
|
||||
session include common-session
|
||||
session include postlogin-session
|
20
vsftpd.service
Normal file
20
vsftpd.service
Normal file
@ -0,0 +1,20 @@
|
||||
[Unit]
|
||||
Description=Vsftpd ftp daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
9
vsftpd.socket
Normal file
9
vsftpd.socket
Normal file
@ -0,0 +1,9 @@
|
||||
[Unit]
|
||||
Conflicts=vsftpd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=21
|
||||
Accept=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
322
vsftpd.spec
Normal file
322
vsftpd.spec
Normal file
@ -0,0 +1,322 @@
|
||||
#
|
||||
# spec file for package vsftpd
|
||||
#
|
||||
# Copyright (c) 2023 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
%if 0%{?suse_version} > 1210
|
||||
%global with_systemd 1
|
||||
%else
|
||||
%global with_systemd 0
|
||||
%endif
|
||||
%if 0%{?suse_version} >= 1500
|
||||
%define use_firewalld 1
|
||||
%else
|
||||
%define use_firewalld 0
|
||||
%endif
|
||||
Name: vsftpd
|
||||
Version: 3.0.5
|
||||
Release: 0
|
||||
Summary: Very Secure FTP Daemon - Written from Scratch
|
||||
License: SUSE-GPL-2.0-with-openssl-exception
|
||||
Group: Productivity/Networking/Ftp/Servers
|
||||
URL: https://security.appspot.com/vsftpd.html
|
||||
Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
|
||||
Source1: %{name}.pam
|
||||
Source2: %{name}.logrotate
|
||||
Source3: %{name}.init
|
||||
Source4: README.SUSE
|
||||
Source5: %{name}.ftpusers
|
||||
Source6: %{name}.firewall
|
||||
Source7: vsftpd.service
|
||||
Source8: vsftpd@.service
|
||||
Source9: %{name}.keyring
|
||||
Source10: vsftpd.socket
|
||||
Source11: %{name}.firewalld
|
||||
Source1000: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz.asc
|
||||
Patch1: vsftpd-2.0.4-lib64.diff
|
||||
Patch3: vsftpd-2.0.4-xinetd.diff
|
||||
Patch4: vsftpd-2.0.4-enable-ssl.patch
|
||||
Patch5: vsftpd-2.0.4-dmapi.patch
|
||||
Patch6: vsftpd-2.0.5-vuser.patch
|
||||
Patch7: vsftpd-2.0.5-enable-debuginfo.patch
|
||||
Patch8: vsftpd-2.0.5-utf8-log-names.patch
|
||||
Patch9: vsftpd-2.3.5-conf.patch
|
||||
Patch10: vsftpd-3.0.0_gnu_source_defines.patch
|
||||
Patch11: vsftpd-3.0.0-optional-seccomp.patch
|
||||
#PATCH-FIX-OPENSUSE: bnc#786024, second issue with pam_login_acct
|
||||
Patch13: vsftpd-drop-newpid-from-clone.patch
|
||||
#PATCH-FIX-OPENSUSE: bnc#812406
|
||||
Patch14: vsftpd-enable-fcntl-f_setfl.patch
|
||||
#PATCH-FIX-OPENSUSE: bnc#812406
|
||||
Patch15: vsftpd-enable-dev-log-sendto.patch
|
||||
#PATCH-FEATURE-SUSE: FATE#311051, call chroot with user credentials to enable nsf with squash_root option
|
||||
Patch16: vsftpd-root-squashed-chroot.patch
|
||||
#PATCH-FIX-UPSTREAM: bnc#870122
|
||||
Patch17: vsftpd-enable-gettimeofday-sec.patch
|
||||
#PATCH-FIX-UPSTREAM: bnc#890469 fix broken syscall on s390
|
||||
Patch18: vsftpd-3.0.2-s390.patch
|
||||
#PATCH-FIX-UPSTREAM: bnc#900326 deny_file filtering acts weirdly (19-22)
|
||||
Patch19: vsftpd-2.1.0-filter.patch
|
||||
Patch20: vsftpd-2.2.0-wildchar.patch
|
||||
Patch21: vsftpd-2.3.4-sqb.patch
|
||||
Patch22: vsftpd-path-normalize.patch
|
||||
Patch23: vsftpd-ls-memleak.patch
|
||||
#PATCH-FIX-UPSTREAM: bnc#970982
|
||||
Patch24: vsftpd-3.0.2-wnohang.patch
|
||||
Patch25: vsftpd-3.0.2-fix-chown-uploads.patch
|
||||
#FIX-FIX-OPENSUSE: bsc#1042673
|
||||
Patch26: vsftpd-3.0.3-build-with-openssl-1.1.patch
|
||||
Patch27: vsftpd-mdtm-in-utc.patch
|
||||
Patch28: vsftpd-die-with-session.patch
|
||||
Patch29: vsftpd-append-seek-pipe.patch
|
||||
Patch30: vsftpd-3.0.3-address_space_limit.patch
|
||||
Patch31: vsftpd-enable-syscalls-needed-by-sle15.patch
|
||||
Patch32: vsftpd-support-dsa-only-setups.patch
|
||||
Patch33: vsftpd-avoid-bogus-ssl-write.patch
|
||||
Patch35: 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
|
||||
# PATCH-FIX-UPSTREAM https://bugzilla.suse.com/show_bug.cgi?id=1179553
|
||||
Patch36: seccomp-fixes.patch
|
||||
Patch37: vsftpd-openlog-force.patch
|
||||
Patch38: vsftpd-seccomp-getrandom.patch
|
||||
Patch39: vsftpd-seccomp-ssl.patch
|
||||
Patch40: vsftpd-seccomp-wait4.patch
|
||||
Patch41: revert-undocumented-config-file-format-changes.patch
|
||||
Patch42: use-system-wide-tls-cipher-policy.patch
|
||||
Patch43: vsftpd-allow-dev-log-socket.patch
|
||||
Patch44: vsftpd-enable-sendto-for-prelogin-syslog.patch
|
||||
Patch45: disable-tls13-to-support-older-openssl-versions.patch
|
||||
Patch46: 0001-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch
|
||||
#PATCH-FIX-OPENSUSE bsc#1211301 Enable crypto-policies support
|
||||
Patch47: vsftpd-use-system-wide-crypto-policy.patch
|
||||
BuildRequires: libcap-devel
|
||||
%if 0%{?suse_version} == 1315
|
||||
BuildRequires: libopenssl-1_1-devel >= 1.1.1
|
||||
%else
|
||||
%if 0%{?sle_version} == 150000
|
||||
BuildRequires: libopenssl-1_1-devel >= 1.1.0
|
||||
%else
|
||||
BuildRequires: libopenssl-devel >= 1.1.1
|
||||
%endif
|
||||
%endif
|
||||
BuildRequires: pam-devel
|
||||
Requires: logrotate
|
||||
Requires(pre): shadow
|
||||
Provides: ftp-server
|
||||
%if %{use_firewalld}
|
||||
BuildRequires: firewall-macros
|
||||
%endif
|
||||
%if 0%{?suse_version} >= 1330
|
||||
Requires: group(nobody)
|
||||
Requires: user(ftp)
|
||||
Requires(pre): group(nobody)
|
||||
%endif
|
||||
%if %{with_systemd}
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
%{?systemd_requires}
|
||||
%else
|
||||
Requires(post): %insserv_prereq
|
||||
%endif
|
||||
|
||||
%description
|
||||
Vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure.
|
||||
Obviously this is not a guarantee, but the entire codebase was written
|
||||
with security in mind, and carefully designed to be resilient to
|
||||
attack.
|
||||
|
||||
Recent evidence suggests that vsftpd is also extremely fast (and this
|
||||
is before any explicit performance tuning!). In tests against wu-ftpd,
|
||||
vsftpd was always faster, supporting over twice as many users in some
|
||||
tests.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch33 -p1
|
||||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
%patch41 -p1
|
||||
%patch42 -p1
|
||||
%patch43 -p1
|
||||
%patch44 -p1
|
||||
%if 0%{?sle_version} == 150000
|
||||
%patch45 -p1
|
||||
%endif
|
||||
%patch46 -p1
|
||||
%patch47 -p1
|
||||
|
||||
%build
|
||||
%define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP
|
||||
rm dummyinc/sys/capability.h vsf_findlibs.sh
|
||||
make CFLAGS="%{optflags} -DOPENSSL_NO_SSL_INTERN -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -fstack-protector --param=ssp-buffer-size=4 %{seccomp_opts}" \
|
||||
LIBS="-lpam -lcap -lssl -lcrypto"
|
||||
|
||||
%install
|
||||
mkdir -p %{buildroot}%{_datadir}/empty
|
||||
cp %{SOURCE4} .
|
||||
install -D -m 755 %{name} %{buildroot}%{_sbindir}/%{name}
|
||||
install -D -m 600 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}.conf
|
||||
%if 0%{?suse_version} < 1330
|
||||
install -D -m 600 xinetd.d/%{name} %{buildroot}%{_sysconfdir}/xinetd.d/%{name}
|
||||
%endif
|
||||
install -D -m 644 $RPM_SOURCE_DIR/%{name}.pam %{buildroot}%{_pam_vendordir}/%{name}
|
||||
install -D -m 600 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/vsftpd/ftpusers
|
||||
%if 0%{?suse_version} > 1500
|
||||
mkdir -p %{buildroot}%{_distconfdir}/logrotate.d
|
||||
install -D -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_distconfdir}/logrotate.d/%{name}
|
||||
%else
|
||||
install -D -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
||||
%endif
|
||||
install -D -m 644 %{name}.conf.5 %{buildroot}/%{_mandir}/man5/%{name}.conf.5
|
||||
install -D -m 644 %{name}.8 %{buildroot}/%{_mandir}/man8/%{name}.8
|
||||
%if %{with_systemd}
|
||||
ln -sf service %{buildroot}/%{_sbindir}/rc%{name}
|
||||
install -D -m 0644 %{SOURCE7} %{buildroot}/%{_unitdir}/%{name}.service
|
||||
%if 0%{?sle_version} && 0%{?sle_version} < 150300
|
||||
sed -r -i '/^(Protect(Home|Hostname|KernelLogs|Clock|KernelTunables|KernelModules|ControlGroups)|RestrictRealtime|PrivateMounts)=/d' %{buildroot}/%{_unitdir}/%{name}.service
|
||||
%endif
|
||||
install -D -m 0644 %{SOURCE8} %{buildroot}/%{_unitdir}/%{name}@.service
|
||||
install -D -m 0644 %{SOURCE10} %{buildroot}/%{_unitdir}/%{name}.socket
|
||||
%else
|
||||
install -D -m 755 %{SOURCE3} %{buildroot}%{_initddir}/%{name}
|
||||
ln -sf %{_initddir}/%{name} %{buildroot}/%{_sbindir}/rc%{name}
|
||||
%endif
|
||||
# install firewall information file
|
||||
%if %{use_firewalld}
|
||||
install -D -m 644 %{SOURCE11} %{buildroot}%{_prefix}/lib/firewalld/services/%{name}.xml
|
||||
%else
|
||||
install -d %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/
|
||||
install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}
|
||||
%endif
|
||||
|
||||
%pre
|
||||
getent passwd ftpsecure >/dev/null || useradd -r -g nobody -s /bin/false -c "Secure FTP User" -d %{_localstatedir}/lib/empty ftpsecure
|
||||
%if %{with_systemd}
|
||||
%service_add_pre %{name}.service %{name}.socket
|
||||
%endif
|
||||
%if 0%{?suse_version} > 1500
|
||||
# Prepare for migration to /usr/etc; save any old .rpmsave
|
||||
for i in logrotate.d/%{name} ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
|
||||
done
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} > 1500
|
||||
%posttrans
|
||||
# Migration to /usr/etc, restore just created .rpmsave
|
||||
for i in logrotate.d/%{name} ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
|
||||
done
|
||||
%endif
|
||||
|
||||
%preun
|
||||
%if %{with_systemd}
|
||||
%service_del_preun %{name}.service %{name}.socket
|
||||
%else
|
||||
%stop_on_removal %{name}
|
||||
%endif
|
||||
|
||||
%post
|
||||
%if %{with_systemd}
|
||||
%service_add_post %{name}.service %{name}.socket
|
||||
%else
|
||||
%insserv_cleanup
|
||||
%restart_on_update %{name}
|
||||
%endif
|
||||
%if %{use_firewalld}
|
||||
%{firewalld_reload}
|
||||
%endif
|
||||
|
||||
%postun
|
||||
%if %{with_systemd}
|
||||
%service_del_postun %{name}.service %{name}.socket
|
||||
%else
|
||||
%insserv_cleanup
|
||||
%restart_on_update %{name}
|
||||
%endif
|
||||
|
||||
%files
|
||||
%if %{with_systemd}
|
||||
%{_unitdir}/%{name}.service
|
||||
%{_unitdir}/%{name}.socket
|
||||
%{_unitdir}/%{name}@.service
|
||||
%else
|
||||
%{_initddir}/%{name}
|
||||
%endif
|
||||
%{_sbindir}/%{name}
|
||||
%{_sbindir}/rc%{name}
|
||||
%dir %{_datadir}/empty
|
||||
%if 0%{?suse_version} < 1330
|
||||
%config(noreplace) %{_sysconfdir}/xinetd.d/%{name}
|
||||
%endif
|
||||
%config(noreplace) %{_sysconfdir}/%{name}.conf
|
||||
%if 0%{?suse_version} > 1500
|
||||
%config %{_pam_vendordir}/%{name}
|
||||
%{_distconfdir}/logrotate.d/%{name}
|
||||
%else
|
||||
%config %{_pam_sysconfdir}/pam.d/%{name}
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
|
||||
%endif
|
||||
%dir %{_sysconfdir}/vsftpd
|
||||
%config %{_sysconfdir}/vsftpd/ftpusers
|
||||
%{_mandir}/man5/%{name}.conf.*
|
||||
%{_mandir}/man8/%{name}.*
|
||||
%license LICENSE
|
||||
%doc BUGS AUDIT Changelog README README.security
|
||||
%license COPYING
|
||||
%doc REWARD SPEED TODO SECURITY TUNING SIZE FAQ EXAMPLE
|
||||
%doc README.SUSE
|
||||
%if %{use_firewalld}
|
||||
%dir %{_prefix}/lib/firewalld
|
||||
%dir %{_prefix}/lib/firewalld/services
|
||||
%{_prefix}/lib/firewalld/services/%{name}.xml
|
||||
%else
|
||||
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}
|
||||
%endif
|
||||
|
||||
%changelog
|
8
vsftpd@.service
Normal file
8
vsftpd@.service
Normal file
@ -0,0 +1,8 @@
|
||||
[Unit]
|
||||
Description=Very Secure FTP Daemon
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf -obackground=NO -olisten=NO -olisten_ipv6=NO
|
||||
StandardInput=socket
|
||||
SuccessExitStatus=2
|
Loading…
Reference in New Issue
Block a user