Sync from SUSE:SLFO:Main vsftpd revision 2da05debc592f7936f2ab5233a1d8112

This commit is contained in:
Adrian Schröter 2024-05-04 01:48:08 +02:00
commit 7a52c51f25
60 changed files with 3882 additions and 0 deletions

.gitattributes vendored Normal file

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text


@ -0,0 +1,29 @@
From 9cba9e81aa96e1d64ae2eaaf88330e09dadfce79 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
Date: Fri, 5 Jan 2018 09:40:09 +0100
Subject: [PATCH 01/27] Fix default value of strict_ssl_read_eof in man page
---
vsftpd.conf.5 | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index a5abeb2..43b0435 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -574,10 +574,9 @@ Default: YES
.B strict_ssl_read_eof
If enabled, SSL data uploads are required to terminate via SSL, not an
EOF on the socket. This option is required to be sure that an attacker did
-not terminate an upload prematurely with a faked TCP FIN. Unfortunately, it
-is not enabled by default because so few clients get it right. (New in v2.0.7).
+not terminate an upload prematurely with a faked TCP FIN. (New in v2.0.7).
-Default: NO
+Default: YES
.TP
.B strict_ssl_write_shutdown
If enabled, SSL data downloads are required to terminate via SSL, not an
--
2.40.1


@ -0,0 +1,31 @@
From 1c280a0b04e58ec63ce9ab5eb8d0ffe5ebbae115 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
Date: Thu, 21 Dec 2017 14:29:25 +0100
Subject: [PATCH] When handling FEAT command, check ssl_tlsv1_1 and ssl_tlsv1_2
Send 'AUTH SSL' in reply to the FEAT command when the ssl_tlsv1_1
or ssl_tlsv1_2 configuration option is enabled.
The patch was written by Martin Sehnoutka.
Resolves: rhbz#1432054
---
features.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/features.c b/features.c
index 1212980..d024366 100644
--- a/features.c
+++ b/features.c
@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
{
vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
}
- if (tunable_tlsv1)
+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
{
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
}
--
2.29.0
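Review bot: The new condition in handle_feat still leaves out `tunable_tlsv1_3`, so a server configured with only `ssl_tlsv1_3=YES` and the older TLS tunables off will not advertise `AUTH TLS` in its FEAT reply even though it accepts it; the parseconf change elsewhere in this commit shows that `tunable_tlsv1_3` exists in this tree. The line should read `if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)`. I am assuming the Red Hat patch simply predates the TLS 1.3 tunable rather than excluding it on purpose. handle_feat begins before the hunk.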

README.SUSE Normal file

@ -0,0 +1,12 @@
vsftpd-3.0.0 made the listen mode default. In order to maintain backward
compatibility, default /etc/vsftpd.conf in SUSE contains
listen=NO
listen_ipv6=YES
if you plan to use xinetd (/etc/xinetd.d/vsftp) you don't need to change
anything by default, but if you have ipv6 available you have to set
listen_ipv6=NO too in order for xinetd to work.
Alternatively you can also use systemd socket service that listens on
port 21 and starts the server like xinetd would. This service does
not require you to change ANY variable in the /etc/vsftpd.conf.


@ -0,0 +1,14 @@
Index: vsftpd-3.0.5/ssl.c
===================================================================
--- vsftpd-3.0.5.orig/ssl.c
+++ vsftpd-3.0.5/ssl.c
@@ -95,7 +95,9 @@ ssl_init(struct vsf_session* p_sess)
}
if (!tunable_tlsv1_3)
{
+#ifdef SSL_OP_NO_TLSv1_3
options |= SSL_OP_NO_TLSv1_3;
+#endif
}
SSL_CTX_set_options(p_ctx, options);
if (tunable_rsa_cert_file)
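Review bot: With an OpenSSL that lacks `SSL_OP_NO_TLSv1_3` the body of `if (!tunable_tlsv1_3)` becomes empty, so `ssl_tlsv1_3=NO` is silently a no-op; that is harmless, because such a library cannot negotiate TLS 1.3 anyway, but the intent deserves a line so the next reader does not take the option for ignored by mistake, e.g. `/* OpenSSL without SSL_OP_NO_TLSv1_3 cannot speak TLS 1.3, so there is nothing to disable. */` next to the `#ifdef`. ssl_init begins before the hunk.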


@ -0,0 +1,17 @@
Index: vsftpd-3.0.5/parseconf.c
===================================================================
--- vsftpd-3.0.5.orig/parseconf.c 2022-02-01 20:35:02.703078850 +0100
+++ vsftpd-3.0.5/parseconf.c 2022-02-01 20:35:44.042486850 +0100
@@ -85,9 +85,9 @@ parseconf_bool_array[] =
{ "ssl_sslv2", &tunable_sslv2 },
{ "ssl_sslv3", &tunable_sslv3 },
{ "ssl_tlsv1", &tunable_tlsv1 },
- { "ssl_tlsv11", &tunable_tlsv1_1 },
- { "ssl_tlsv12", &tunable_tlsv1_2 },
- { "ssl_tlsv13", &tunable_tlsv1_3 },
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
+ { "ssl_tlsv1_3", &tunable_tlsv1_3 },
{ "tilde_user_enable", &tunable_tilde_user_enable },
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
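Review bot: Renaming the keys in parseconf_bool_array breaks existing configurations: as far as I recall vsftpd refuses to start on an unrecognised option, so any vsftpd.conf still using `ssl_tlsv11`/`ssl_tlsv12`/`ssl_tlsv13` (the spelling the 3.0.5 source shipped with) will fail with an OOPS after the update. The table is searched linearly and I am not aware of anything that forbids two entries pointing at the same tunable, so keep the old names as aliases instead of replacing them: leave the three removed lines in place and add `{ "ssl_tlsv1_1", &tunable_tlsv1_1 },` and its two siblings next to them. A comment such as `/* ssl_tlsv11 etc. kept as aliases for configs written against the 3.0.5 spelling */` would explain the duplication.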

seccomp-fixes.patch Normal file

@ -0,0 +1,43 @@
Index: vsftpd-3.0.4/seccompsandbox.c
===================================================================
--- vsftpd-3.0.4.orig/seccompsandbox.c 2021-06-15 08:06:29.165512830 +0000
+++ vsftpd-3.0.4/seccompsandbox.c 2021-06-15 08:06:42.778484808 +0000
@@ -18,6 +18,7 @@
#include "utility.h"
#include <errno.h>
+#include <stdio.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
@@ -63,6 +64,7 @@
#define kMaxSyscalls 100
+//#define DEBUG_SIGSYS
#ifdef DEBUG_SIGSYS
#include <signal.h>
@@ -71,7 +73,10 @@
void
handle_sigsys(int sig)
{
- (void) sig;
+ char str[21];
+ snprintf(str, 21, "Rejected syscall %d", sig);
+
+ die(str);
}
#endif
@@ -586,8 +591,8 @@ seccomp_sandbox_lockdown()
p_filter->code = BPF_LD+BPF_W+BPF_ABS;
p_filter->jt = 0;
p_filter->jf = 0;
- /* Offset 4 for syscall architecture. */
- p_filter->k = 4;
+ /* Offset 5 for syscall architecture. */
+ p_filter->k = 5;
p_filter++;
p_filter->code = BPF_JMP+BPF_JEQ+BPF_K;
p_filter->jt = 1;
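Review bot: The change of the BPF load offset from 4 to 5 looks wrong and is more likely to disable the sandbox than fix it: `arch` is the second 32-bit field of `struct seccomp_data`, i.e. at offset 4, and as far as I know the kernel's filter checker rejects a `BPF_LD|BPF_W|BPF_ABS` whose offset is not 4-byte aligned with EINVAL. vsftpd's lockdown code after this hunk treats EINVAL from `PR_SET_SECCOMP` as "kernel has no filter support" and simply continues, so every session would run with no sandbox at all and nothing in the logs. Revert to `p_filter->k = 4;` (or `offsetof(struct seccomp_data, arch)` if linux/seccomp.h is included) and confirm on a live session that `Seccomp:` in `/proc/<pid>/status` reads `2`. The rewritten `handle_sigsys` prints the signal number (always SIGSYS), not the rejected syscall, which needs an `SA_SIGINFO` handler reading `si_syscall`; it is debug-only since `DEBUG_SIGSYS` stays commented out, but `die()` is not async-signal-safe either.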


@ -0,0 +1,26 @@
Index: vsftpd-3.0.5/tunables.c
===================================================================
--- vsftpd-3.0.5.orig/tunables.c 2022-02-02 10:58:56.589962539 +0100
+++ vsftpd-3.0.5/tunables.c 2022-02-02 11:00:17.600782133 +0100
@@ -295,7 +295,7 @@ tunables_load_defaults()
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
+ install_str_setting("DEFAULT_SUSE", &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
Index: vsftpd-3.0.5/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.5.orig/vsftpd.conf.5 2022-02-02 10:58:56.589962539 +0100
+++ vsftpd-3.0.5/vsftpd.conf.5 2022-02-02 11:01:58.855306755 +0100
@@ -1025,7 +1025,7 @@ man page for further details. Note that
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.
-Default: DES-CBC3-SHA
+Default: DEFAULT_SUSE
.TP
.B ssl_sni_hostname
If set, SSL connections will be rejected unless the SNI hostname in the
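Review bot: `DEFAULT_SUSE` is not an OpenSSL cipher name but, presumably, a cipher-string alias defined by the distribution's OpenSSL configuration; if vsftpd ever runs against an OpenSSL whose openssl.cnf does not define it, `SSL_CTX_set_cipher_list` fails and, as far as I recall, ssl_init dies at startup rather than falling back. The man page hunk should say so instead of presenting it as a literal suite, e.g. `Default: DEFAULT_SUSE (a cipher-string alias resolved by the system OpenSSL configuration; see ciphers(1))`. The same entry could note that `ssl_ciphers` governs TLS 1.2 and older only, since OpenSSL selects TLS 1.3 suites through a separate list.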

vsftpd-2.0.4-dmapi.patch Normal file

@ -0,0 +1,16 @@
Index: vsftpd-3.0.5/postlogin.c
===================================================================
--- vsftpd-3.0.5.orig/postlogin.c 2015-07-22 21:03:22.000000000 +0200
+++ vsftpd-3.0.5/postlogin.c 2022-02-01 20:12:02.710908421 +0100
@@ -1061,6 +1061,11 @@ handle_upload_common(struct vsf_session*
{
do_truncate = 1;
}
+ if (new_file_fd >= 0) {
+ vsf_sysutil_fstat(new_file_fd, &s_p_statbuf);
+ if (vsf_sysutil_statbuf_is_regfile(s_p_statbuf))
+ vsf_sysutil_deactivate_noblock(new_file_fd);
+ }
}
if (vsf_sysutil_retval_is_error(new_file_fd))
{
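Review bot: The return value of `vsf_sysutil_fstat` in the new block is ignored, so on a failed fstat `s_p_statbuf` is examined anyway, and since that statbuf looks like a shared static reused across calls, a stale result from an earlier stat could drive the `deactivate_noblock` decision. Fold the check into the condition: `if (new_file_fd >= 0 && vsf_sysutil_fstat(new_file_fd, &s_p_statbuf) == 0 && vsf_sysutil_statbuf_is_regfile(s_p_statbuf))`, assuming the wrapper returns the raw fstat result like the other sysutil wrappers. On style, the block uses K&R braces and an unbraced `if` body while the surrounding file puts braces on their own lines and always braces bodies. A one-line comment on why a regular file is switched to blocking I/O here (DMAPI-managed storage stalling writes, if that is the reason behind the patch name) would help; handle_upload_common begins and ends outside the hunk.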


@ -0,0 +1,13 @@
Index: vsftpd-3.0.5/builddefs.h
===================================================================
--- vsftpd-3.0.5.orig/builddefs.h 2021-08-02 09:01:43.000000000 +0200
+++ vsftpd-3.0.5/builddefs.h 2022-02-01 20:12:01.538925293 +0100
@@ -3,7 +3,7 @@
#undef VSF_BUILD_TCPWRAPPERS
#define VSF_BUILD_PAM
-#undef VSF_BUILD_SSL
+#define VSF_BUILD_SSL
#endif /* VSF_BUILDDEFS_H */

vsftpd-2.0.4-lib64.diff Normal file

@ -0,0 +1,28 @@
Index: vsftpd-3.0.4/vsf_findlibs.sh
===================================================================
--- vsftpd-3.0.4.orig/vsf_findlibs.sh 2021-05-18 07:14:35.000000000 +0000
+++ vsftpd-3.0.4/vsf_findlibs.sh 2021-06-29 09:24:32.833223756 +0000
@@ -14,6 +14,7 @@ fi
# crypt library.
if find_func pam_start sysdeputil.o; then
locate_library /lib/libpam.so.0 && echo "/lib/libpam.so.0";
+ locate_library /lib64/libpam.so.0 && echo "/lib64/libpam.so.0";
locate_library /usr/lib/libpam.so && echo "-lpam";
locate_library /usr/lib64/libpam.so && echo "-lpam";
locate_library /lib/x86_64-linux-gnu/libpam.so.0 && echo "-lpam";
@@ -23,6 +24,7 @@ if find_func pam_start sysdeputil.o; the
locate_library /usr/lib/libpam.a && echo "-lpam";
else
locate_library /lib/libcrypt.so && echo "-lcrypt";
+ locate_library /lib64/libcrypt.so && echo "-lcrypt";
locate_library /usr/lib/libcrypt.so && echo "-lcrypt";
locate_library /usr/lib64/libcrypt.so && echo "-lcrypt";
locate_library /lib/x86_64-linux-gnu/libcrypt.so && echo "-lcrypt";
@@ -52,6 +54,7 @@ locate_library /usr/lib/libsec.sl && ech
# /usr/bin/ld: cannot find -lcap
# If the libcap-devel package isn't installed.
locate_library /usr/lib/libcap.so && echo "-lcap";
+locate_library /usr/lib64/libcap.so && echo "-lcap";
locate_library /lib/libcap.so && echo "-lcap";
locate_library /lib64/libcap.so && echo "-lcap";
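Review bot: The new `/lib64/libpam.so.0` probe echoes a full library path into the link line, mirroring the `/lib/libpam.so.0` line above it, so on a multilib host where `/lib` holds 32-bit objects both paths can be emitted and the link fails or picks the wrong ABI. Emitting `-lpam`, as the `/usr/lib64` entries already do, lets the linker pick the matching architecture: `locate_library /lib64/libpam.so.0 && echo "-lpam";`. This is a robustness point only; on a plain 64-bit SUSE layout the line as written works.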

vsftpd-2.0.4-xinetd.diff Normal file

@ -0,0 +1,37 @@
diff -urN vsftpd-3.0.2.old/xinetd.d/vsftpd vsftpd-3.0.2/xinetd.d/vsftpd
--- vsftpd-3.0.2.old/xinetd.d/vsftpd 2014-05-26 14:38:40.717042497 +0200
+++ vsftpd-3.0.2/xinetd.d/vsftpd 2014-05-26 14:41:23.753049249 +0200
@@ -1,18 +1,26 @@
-# default: on
+# default: off
# description:
# The vsftpd FTP server serves FTP connections. It uses
# normal, unencrypted usernames and passwords for authentication.
# vsftpd is designed to be secure.
+#
+# NOTE: This file contains the configuration for xinetd to start vsftpd.
+# the configuration file for vsftp itself is in /etc/vsftpd.conf
+#
+# NOTE: Remember to set both listen and listen_ipv6 to NO in /etc/vsftpd.conf
+# in order to have working xinetd connection.
+#
service ftp
{
socket_type = stream
+ protocol = tcp
wait = no
user = root
- server = /usr/local/sbin/vsftpd
-# server_args =
-# log_on_success += DURATION USERID
-# log_on_failure += USERID
- nice = 10
- disable = no
+ server = /usr/sbin/vsftpd
+ server_args = /etc/vsftpd.conf
+# log_on_success += DURATION USERID
+# log_on_failure += USERID
+# nice = 10
+ disable = yes
}


@ -0,0 +1,21 @@
Index: vsftpd-3.0.5/Makefile
===================================================================
--- vsftpd-3.0.5.orig/Makefile 2012-09-16 09:27:35.000000000 +0200
+++ vsftpd-3.0.5/Makefile 2022-02-01 20:12:04.538882105 +0100
@@ -9,7 +9,6 @@ CFLAGS = -O2 -fPIE -fstack-protector --p
#-pedantic -Wconversion
LIBS = `./vsf_findlibs.sh`
-LINK = -Wl,-s
LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
@@ -26,7 +25,7 @@ OBJS = main.o utility.o prelogin.o ftpcm
$(CC) -c $*.c $(CFLAGS) $(IFLAGS)
vsftpd: $(OBJS)
- $(CC) -o vsftpd $(OBJS) $(LINK) $(LDFLAGS) $(LIBS)
+ $(CC) -o vsftpd $(OBJS) $(LDFLAGS) $(LIBS)
install:
if [ -x /usr/local/sbin ]; then \


@ -0,0 +1,102 @@
Index: vsftpd-3.0.5/str.c
===================================================================
--- vsftpd-3.0.5.orig/str.c 2012-09-16 09:09:06.000000000 +0200
+++ vsftpd-3.0.5/str.c 2022-02-01 20:12:05.458868861 +0100
@@ -27,6 +27,24 @@ static int str_equal_internal(const char
const char* p_buf2, unsigned int buf2_len);
/* Private functions */
+static int
+continuation_char(unsigned char str, int* val)
+{
+ if ((str & 0xc0) != 0x80) /* 10xxxxxx */
+ return 0;
+ (*val) <<= 6;
+ (*val) |= str & 0x3f;
+ return 1;
+}
+
+static int
+unicode_valid(int b)
+{
+ return (b < 0x110000 && ((b & 0xFFFFF800) != 0xD800)
+ && (b < 0xFDD0 || b > 0xFDEF)
+ && (b & 0xFFFE) != 0xFFFE);
+}
+
static void
s_setbuf(struct mystr* p_str, char* p_newbuf)
{
@@ -181,6 +199,45 @@ str_reserve(struct mystr* p_str, unsigne
p_str->p_buf[res_len - 1] = '\0';
}
+int str_is_utf8( const struct mystr* p_str )
+{
+ unsigned int i;
+ int min = 0, val = 0;
+
+ for(i = 0; i < p_str->len; i++)
+ {
+ if( (unsigned char)p_str->p_buf[i] < 128) continue;
+
+ if((p_str->p_buf[i] & 0xe0) == 0xc0) { /* 110xxxxx */
+ if((p_str->p_buf[i] & 0x1e) == 0) return 0;
+ i++;
+ if((p_str->p_buf[i] & 0xc0) != 0x80) /* 10xxxxxx */
+ return 0;
+ } else {
+ if((p_str->p_buf[i] & 0xf0) == 0xe0) { /* 1110xxxx */
+ min = (1 << 11);
+ val = p_str->p_buf[i] & 0x0f;
+ goto TWO_REMAINING;
+ } else if((p_str->p_buf[i] & 0xf8) == 0xf0) { /* 11110xxx */
+ min = (1 << 16);
+ val = p_str->p_buf[i] & 0x07;
+ } else {
+ return 0;
+ }
+ i++;
+ if(!continuation_char(p_str->p_buf[i], &val)) return 0;
+TWO_REMAINING:
+ i++;
+ if(!continuation_char(p_str->p_buf[i], &val)) return 0;
+ i++;
+ if(!continuation_char(p_str->p_buf[i], &val)) return 0;
+ if(val < min || !unicode_valid(val)) return 0;
+ }
+ }
+ return 1;
+}
+
+
int
str_isempty(const struct mystr* p_str)
{
@@ -702,6 +759,7 @@ void
str_replace_unprintable(struct mystr* p_str, char new_char)
{
unsigned int i;
+ if( !str_is_utf8( p_str ) ) {
for (i=0; i < p_str->len; i++)
{
if (!vsf_sysutil_isprint(p_str->p_buf[i]))
@@ -709,5 +767,6 @@ str_replace_unprintable(struct mystr* p_
p_str->p_buf[i] = new_char;
}
}
+ }
}
Index: vsftpd-3.0.5/str.h
===================================================================
--- vsftpd-3.0.5.orig/str.h 2012-09-16 09:01:52.000000000 +0200
+++ vsftpd-3.0.5/str.h 2022-02-01 20:12:05.458868861 +0100
@@ -36,6 +36,7 @@ void str_free(struct mystr* p_str);
void str_trunc(struct mystr* p_str, unsigned int trunc_len);
void str_reserve(struct mystr* p_str, unsigned int res_len);
+int str_is_utf8(const struct mystr* p_str);
int str_isempty(const struct mystr* p_str);
unsigned int str_getlen(const struct mystr* p_str);
const char* str_getbuf(const struct mystr* p_str);
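Review bot: The new guard in `str_replace_unprintable` turns the function into a no-op for any string that passes `str_is_utf8`, and a pure-ASCII string containing `\r`, `\n`, ESC or other control bytes passes that test because every byte below 128 is accepted unconditionally. The sanitisation this function exists for (replacing control characters in client-supplied names before they reach logs and listings, as far as I recall its callers) is therefore lost for exactly the inputs it was meant to catch: terminal escape injection and log-line splitting. Keep the byte-wise check for the ASCII range and skip only bytes at or above 0x80 when the string is valid UTF-8, as below. Separately, `str_is_utf8` reads `p_buf[i]` past `len` after each `i++` and only stops on a truncated sequence because of the NUL terminator `str_reserve` maintains; an explicit `i + 1 < p_str->len` style bound before each continuation read would not hang on that invariant.
```c
void
str_replace_unprintable(struct mystr* p_str, char new_char)
{
  unsigned int i;
  /* Valid UTF-8: leave multi-byte sequences alone, but still scrub ASCII
   * control characters, which are valid UTF-8 as well.
   */
  int utf8 = str_is_utf8(p_str);
  for (i=0; i < p_str->len; i++)
  {
    if (utf8 && (unsigned char) p_str->p_buf[i] >= 0x80)
    {
      continue;
    }
    if (!vsf_sysutil_isprint(p_str->p_buf[i]))
    {
      p_str->p_buf[i] = new_char;
    }
  }
}
```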

vsftpd-2.0.5-vuser.patch Normal file

@ -0,0 +1,9 @@
Index: vsftpd-3.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
===================================================================
--- vsftpd-3.0.5.orig/EXAMPLE/VIRTUAL_USERS/vsftpd.pam 2008-02-02 02:30:40.000000000 +0100
+++ vsftpd-3.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam 2022-02-01 20:12:03.670894600 +0100
@@ -1,2 +1,2 @@
-auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
-account required /lib/security/pam_userdb.so db=/etc/vsftpd_login
+auth required pam_userdb.so db=/etc/vsftpd_login
+account required pam_userdb.so db=/etc/vsftpd_login

vsftpd-2.1.0-filter.patch Normal file

@ -0,0 +1,66 @@
diff -up vsftpd-2.1.0/ls.c.filter vsftpd-2.1.0/ls.c
--- vsftpd-2.1.0/ls.c.filter 2008-02-02 02:30:41.000000000 +0100
+++ vsftpd-2.1.0/ls.c 2009-01-08 19:31:15.000000000 +0100
@@ -239,9 +239,31 @@ vsf_filename_passes_filter(const struct
int ret = 0;
char last_token = 0;
int must_match_at_current_pos = 1;
+
+
str_copy(&filter_remain_str, p_filter_str);
- str_copy(&name_remain_str, p_filename_str);
-
+
+ if (!str_isempty (&filter_remain_str) && !str_isempty(p_filename_str)) {
+ if (str_get_char_at(p_filter_str, 0) == '/') {
+ if (str_get_char_at(p_filename_str, 0) != '/') {
+ str_getcwd (&name_remain_str);
+
+ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
+ str_append_char (&name_remain_str, '/');
+
+ str_append_str (&name_remain_str, p_filename_str);
+ }
+ else
+ str_copy (&name_remain_str, p_filename_str);
+ } else {
+ if (str_get_char_at(p_filter_str, 0) != '{')
+ str_basename (&name_remain_str, p_filename_str);
+ else
+ str_copy (&name_remain_str, p_filename_str);
+ }
+ } else
+ str_copy(&name_remain_str, p_filename_str);
+
while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
{
static struct mystr s_match_needed_str;
diff -up vsftpd-2.1.0/str.c.filter vsftpd-2.1.0/str.c
--- vsftpd-2.1.0/str.c.filter 2008-12-17 06:54:16.000000000 +0100
+++ vsftpd-2.1.0/str.c 2009-01-08 19:31:15.000000000 +0100
@@ -680,3 +680,14 @@ str_replace_unprintable(struct mystr* p_
}
}
+void
+str_basename (struct mystr* d_str, const struct mystr* path)
+{
+ static struct mystr tmp;
+
+ str_copy (&tmp, path);
+ str_split_char_reverse(&tmp, d_str, '/');
+
+ if (str_isempty(d_str))
+ str_copy (d_str, path);
+}
diff -up vsftpd-2.1.0/str.h.filter vsftpd-2.1.0/str.h
--- vsftpd-2.1.0/str.h.filter 2008-12-17 06:53:23.000000000 +0100
+++ vsftpd-2.1.0/str.h 2009-01-08 19:32:14.000000000 +0100
@@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst
int str_atoi(const struct mystr* p_str);
filesize_t str_a_to_filesize_t(const struct mystr* p_str);
unsigned int str_octal_to_uint(const struct mystr* p_str);
+void str_basename (struct mystr* d_str, const struct mystr* path);
/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
* buffer, starting at character position 'p_pos'. The extracted line will
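Review bot: `str_basename` returns the whole path rather than the last component when the path ends in `/`: if I read `str_split_char_reverse` right it leaves `d_str` empty in that case, and the `str_isempty` fallback then copies the full path, so a filter such as `*.txt` would be matched against `dir/` instead of `dir`. Whether callers can pass a trailing slash here is not visible from the hunk; if they can, trim it before splitting, e.g. `while (str_getlen(&tmp) > 1 && str_get_char_at(&tmp, str_getlen(&tmp) - 1) == '/') str_trunc(&tmp, str_getlen(&tmp) - 1);`. On style, this file names function-scope statics with an `s_` prefix (`s_match_needed_str` in the context lines) and writes calls without a space before the parenthesis; `tmp` and `str_basename (` break both. The new branch in vsf_filename_passes_filter would read better with a comment stating the rule it implements, e.g. `/* Absolute filters match the absolute path, brace filters the full name, anything else the basename. */`; that function begins and ends outside the hunk.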


@ -0,0 +1,24 @@
diff -up vsftpd-2.3.2/ls.c.tmp vsftpd-2.3.2/ls.c
--- vsftpd-2.3.2/ls.c.tmp 2010-08-20 13:18:54.397583558 +0200
+++ vsftpd-2.3.2/ls.c 2010-08-20 13:14:59.047831385 +0200
@@ -305,6 +305,20 @@ vsf_filename_passes_filter(const struct
{
goto out;
}
+ if (!must_match_at_current_pos && last_token == 0)
+ {
+ struct mystr last_str = INIT_MYSTR;
+ str_mid_to_end(&name_remain_str, &last_str,
+ str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str));
+ locate_result = str_locate_str(&last_str, &s_match_needed_str);
+ str_free(&last_str);
+
+ if (locate_result.found)
+ {
+ ret = 1;
+ }
+ goto out;
+ }
/* Chop matched string out of remainder */
str_mid_to_end(&name_remain_str, &temp_str,
indexx + str_getlen(&s_match_needed_str));
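Review bot: The unsigned subtraction `str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str)` in the new block is safe only because the `str_locate_str` just above succeeded (the `goto out` handles the miss), which guarantees the remainder is at least as long as the needle; nothing in the block says so, and if I remember `str_mid_to_end` correctly it aborts through `bug()` on an out-of-range index. Add a comment stating the invariant, `/* The needle was just located in name_remain_str, so it cannot be longer than it. */`, plus one line on the rule itself: a literal that ends the pattern after a wildcard must match the end of the name, not merely occur in it. vsf_filename_passes_filter begins and ends outside the hunk.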

vsftpd-2.3.4-sqb.patch Normal file

@ -0,0 +1,128 @@
Index: vsftpd-2.0.7/ls.c
===================================================================
--- vsftpd-2.0.7.orig/ls.c
+++ vsftpd-2.0.7/ls.c
@@ -243,7 +243,7 @@ vsf_filename_passes_filter(const struct
int ret = 0;
char last_token = 0;
int must_match_at_current_pos = 1;
-
+ int matched = 0;
str_copy(&filter_remain_str, p_filter_str);
@@ -273,7 +273,7 @@ vsf_filename_passes_filter(const struct
static struct mystr s_match_needed_str;
/* Locate next special token */
struct str_locate_result locate_result =
- str_locate_chars(&filter_remain_str, "*?{");
+ str_locate_chars(&filter_remain_str, "*?{[");
(*iters)++;
/* Isolate text leading up to token (if any) - needs to be matched */
if (locate_result.found)
@@ -291,8 +291,14 @@ vsf_filename_passes_filter(const struct
str_empty(&filter_remain_str);
last_token = 0;
}
+
+ matched = 0;
if (!str_isempty(&s_match_needed_str))
{
+ if (!matched)
+ {
+ matched = 1;
+ }
/* Need to match something.. could be a match which has to start at
* current position, or we could allow it to start anywhere
*/
@@ -344,13 +350,20 @@ vsf_filename_passes_filter(const struct
must_match_at_current_pos = 1;
if (end_brace.found)
{
+ int entire = (*iters == 1 && last_token == '{');
+
str_split_char(&filter_remain_str, &temp_str, '}');
str_copy(&brace_list_str, &filter_remain_str);
str_copy(&filter_remain_str, &temp_str);
str_split_char(&brace_list_str, &temp_str, ',');
while (!str_isempty(&brace_list_str))
{
- str_copy(&new_filter_str, &brace_list_str);
+ str_empty(&new_filter_str);
+ if (!matched && !entire)
+ {
+ str_append_char(&new_filter_str, '*');
+ }
+ str_append_str(&new_filter_str, &brace_list_str);
str_append_str(&new_filter_str, &filter_remain_str);
if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
iters))
@@ -368,6 +381,68 @@ vsf_filename_passes_filter(const struct
{
goto out;
}
+ else
+ {
+ str_right(&name_remain_str, &temp_str,
+ str_getlen(&name_remain_str) - 1);
+ str_copy(&name_remain_str, &temp_str);
+ }
+ }
+ else if (last_token == '[')
+ {
+ struct str_locate_result end_sqb =
+ str_locate_char(&filter_remain_str, ']');
+ must_match_at_current_pos = 1;
+ if (end_sqb.found)
+ {
+ unsigned int cur_pos;
+ char stch, ench;
+ const char *p_brace;
+
+ str_split_char(&filter_remain_str, &temp_str, ']');
+ str_copy(&brace_list_str, &filter_remain_str);
+ str_copy(&filter_remain_str, &temp_str);
+ p_brace = str_getbuf(&brace_list_str);
+ for (cur_pos = 0; cur_pos < str_getlen(&brace_list_str);)
+ {
+ stch = p_brace[cur_pos];
+ // char vers. range
+ if (cur_pos + 2 < str_getlen(&brace_list_str) &&
+ p_brace[cur_pos+1] == '-')
+ {
+ ench = p_brace[cur_pos+2];
+ cur_pos += 3;
+ }
+ else
+ {
+ ench = stch;
+ cur_pos++;
+ }
+ // expand char[s]
+ for (;stch <= ench && !str_isempty(&brace_list_str); stch++)
+ {
+ str_empty(&new_filter_str);
+ if (!matched)
+ {
+ str_append_char(&new_filter_str, '*');
+ }
+ str_append_char(&new_filter_str, stch);
+ str_append_str(&new_filter_str, &filter_remain_str);
+ if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
+ iters))
+ {
+ ret = 1;
+ goto out;
+ }
+ }
+ }
+ goto out;
+ }
+ else if (str_isempty(&name_remain_str) ||
+ str_get_char_at(&name_remain_str, 0) != '[')
+ {
+ goto out;
+ }
else
{
str_right(&name_remain_str, &temp_str,
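Review bot: The range loop `for (;stch <= ench && !str_isempty(&brace_list_str); stch++)` in the new `[` handler never terminates when `ench` is the largest `char` value: `stch++` wraps (CHAR_MAX to CHAR_MIN on a signed-char target, 255 to 0 on an unsigned one), the condition stays true, and the recursion budget does not help because once `*iters` is exhausted the nested `vsf_filename_passes_filter` calls return immediately while this loop keeps spinning. The pattern comes straight from the client's LIST/NLST argument, so something like `[a-\x7f]` on a signed-char build pins that session's process at full CPU. Declare `int stch, ench;` and load them as `stch = (unsigned char) p_brace[cur_pos];` and `ench = (unsigned char) p_brace[cur_pos+2];` so the counter can run past the last byte value and the loop ends. The `!str_isempty(&brace_list_str)` term is invariant inside the loop and can go; the enclosing function begins before the hunk.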

vsftpd-2.3.5-conf.patch Normal file

@ -0,0 +1,250 @@
Index: vsftpd-3.0.5/vsftpd.conf
===================================================================
--- vsftpd-3.0.5.orig/vsftpd.conf 2011-12-17 19:24:40.000000000 +0100
+++ vsftpd-3.0.5/vsftpd.conf 2022-02-01 20:12:06.546853199 +0100
@@ -4,23 +4,89 @@
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
+# If you do not change anything here you will have a minimum setup for an
+# anonymus FTP server.
+#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
-# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
-anonymous_enable=YES
-#
-# Uncomment this to allow local users to log in.
-#local_enable=YES
+# ################
+# General Settings
+# ################
#
# Uncomment this to enable any form of FTP write command.
-#write_enable=YES
+write_enable=NO
+#
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+dirmessage_enable=YES
+#
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+nopriv_user=ftpsecure
+#
+# You may fully customise the login banner string:
+#ftpd_banner=Welcome to blah FTP service.
+#
+# You may activate the "-R" option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+# the presence of the "-R" option, so there is a strong case for enabling it.
+#ls_recurse_enable=YES
+#
+# You may specify a file of disallowed anonymous e-mail addresses. Apparently
+# useful for combatting certain DoS attacks.
+#deny_email_enable=YES
+# (default follows)
+#banned_email_file=/etc/vsftpd.banned_emails
+#
+# If enabled, all user and group information in
+# directory listings will be displayed as "ftp".
+#hide_ids=YES
+#
+# #######################
+# Local FTP user Settings
+# #######################
+#
+# Uncomment this to allow local users to log in.
+local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+#chroot_local_user=YES
+#chroot_list_enable=YES
+# (default follows)
+#chroot_list_file=/etc/vsftpd.chroot_list
+#
+# The maximum data transfer rate permitted, in bytes per second, for
+# local authenticated users. The default is 0 (unlimited).
+#local_max_rate=7200
+#
+# ##########################
+# Anonymus FTP user Settings
+# ##########################
+#
+# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+anonymous_enable=YES
+#
+# The maximum data transfer rate permitted, in bytes per second, for anonymous
+# authenticated users. The default is 0 (unlimited).
+#anon_max_rate=7200
+#
+# Anonymous users will only be allowed to download files which are
+# world readable.
+anon_world_readable_only=YES
+#
+# Default umask for anonymus users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+#anon_umask=022
+#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
@@ -30,15 +96,9 @@ anonymous_enable=YES
# new directories.
#anon_mkdir_write_enable=YES
#
-# Activate directory messages - messages given to remote users when they
-# go into a certain directory.
-dirmessage_enable=YES
-#
-# Activate logging of uploads/downloads.
-xferlog_enable=YES
-#
-# Make sure PORT transfer connections originate from port 20 (ftp-data).
-connect_from_port_20=YES
+# Uncomment this to enable anonymus FTP users to perform other write operations
+# like deletion and renaming.
+#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
@@ -46,24 +106,51 @@ connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#
+# ############
+# Log Settings
+# ############
+#
+# Log to the syslog daemon instead of using an logfile.
+syslog_enable=YES
+#
+# Uncomment this to log all FTP requests and responses.
+#log_ftp_protocol=YES
+#
+# Activate logging of uploads/downloads.
+#xferlog_enable=YES
+#
# You may override where the log file goes if you like. The default is shown
# below.
-#xferlog_file=/var/log/vsftpd.log
+#
+#vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
+# You may override where the log file goes if you like. The default is shown
+# below.
+#xferlog_file=/var/log/vsftpd.log
+#
+# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log.
+#dual_log_enable=YES
+#
+# Uncomment this to enable session status information in the system process listing.
+#setproctitle_enable=YES
+#
+# #################
+# Transfer Settings
+# #################
+#
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+connect_from_port_20=YES
+#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
-# It is recommended that you define on your system a unique user which the
-# ftp server can use as a totally isolated and unprivileged user.
-#nopriv_user=ftpsecure
-#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
@@ -77,41 +164,46 @@ connect_from_port_20=YES
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
-#ascii_upload_enable=YES
+ascii_upload_enable=YES
#ascii_download_enable=YES
#
-# You may fully customise the login banner string:
-#ftpd_banner=Welcome to blah FTP service.
-#
-# You may specify a file of disallowed anonymous e-mail addresses. Apparently
-# useful for combatting certain DoS attacks.
-#deny_email_enable=YES
-# (default follows)
-#banned_email_file=/etc/vsftpd.banned_emails
-#
-# You may specify an explicit list of local users to chroot() to their home
-# directory. If chroot_local_user is YES, then this list becomes a list of
-# users to NOT chroot().
-# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
-# the user does not have write access to the top level directory within the
-# chroot)
-#chroot_local_user=YES
-#chroot_list_enable=YES
-# (default follows)
-#chroot_list_file=/etc/vsftpd.chroot_list
+# Set to NO if you want to disallow the PASV method of obtaining a data
+# connection.
+#pasv_enable=NO
#
-# You may activate the "-R" option to the builtin ls. This is disabled by
-# default to avoid remote users being able to cause excessive I/O on large
-# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
-# the presence of the "-R" option, so there is a strong case for enabling it.
-#ls_recurse_enable=YES
+# PAM setting. Do NOT change this unless you know what you do!
+pam_service_name=vsftpd
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
-listen=YES
+listen=NO
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
-#listen_ipv6=YES
+listen_ipv6=YES
+#
+# Set to ssl_enable=YES if you want to enable SSL
+ssl_enable=NO
+#
+# Limit passive ports to this range to assis firewalling
+pasv_min_port=30000
+pasv_max_port=30100
+
+### security features that are incompatible with some other settings. ###
+
+# isolate_network ensures the vsftpd subprocess is started in own network
+# namespace (see CLONE_NEWNET in clone(2)). It however disables the
+# authentication methods needs the network access (LDAP, NIS, ...).
+#isolate_network=NO
+
+# seccomp_sanbox add an aditional security layer limiting the number of a
+# syscalls can be performed via vsftpd. However it might happen that a
+# whitelist don't allow a legitimate call (usually indirectly triggered by
+# third-party library like pam, or openssl) and the process is being killed by kernel.
+#
+# Therefor if your server dies on common situations (file download, upload),
+# uncomment following line and don't forget to open bug at
+# https://bugzilla.novell.com
+#seccomp_sandbox=NO
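Review bot: The shipped defaults turn on `local_enable=YES` while `ssl_enable=NO` and `chroot_local_user` stays commented, so out of the box every local account's password is accepted over cleartext FTP and a logged-in user may browse whatever the Unix permissions allow; the upstream sample keeps `#local_enable=YES` commented for exactly that reason. Either keep it commented or put a warning directly above it, e.g. `# WARNING: local logins send system passwords in the clear unless ssl_enable=YES; consider chroot_local_user=YES`. `ascii_upload_enable=YES` is likewise switched on where upstream leaves it off, right under a comment calling ASCII mangling "horrible", so the reason for enabling it deserves a line. Several new comments also carry typos (`anonymus`, `assis`, `sanbox`, `aditional`, `Therefor`, `booth`).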


@ -0,0 +1,11 @@
--- vsftpd-3.0.0/seccompsandbox.c 2012-04-04 18:41:51.000000000 -0400
+++ vsftpd-3.0.0+/seccompsandbox.c 2012-04-23 06:06:00.000000000 -0400
@@ -10,7 +10,7 @@
#include "seccompsandbox.h"
-#if defined(__linux__) && defined(__x86_64__)
+#if defined(__linux__) && defined(__x86_64__) && defined(USE_SECCOMP)
#include "session.h"
#include "sysutil.h"
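Review bot: Gating the whole seccomp implementation on `USE_SECCOMP` means that unless the package build passes `-DUSE_SECCOMP` the fallback stub of this file is compiled and the `seccomp_sandbox` tunable becomes a silent no-op, while the shipped vsftpd.conf describes the sandbox as active and tells admins how to switch it off. I cannot see the spec file to confirm the define is passed; if the intent is an explicit opt-out, make the dependency visible with a comment here such as `/* USE_SECCOMP is set by the SUSE build; without it the sandbox is compiled out entirely */` or a `#warning` in the stub branch.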


@ -0,0 +1,13 @@
diff -aur vsftpd-3.0.0/sysdeputil.c vsftpd-3.0.0+/sysdeputil.c
--- vsftpd-3.0.0/sysdeputil.c 2010-03-25 23:25:33.000000000 -0400
+++ vsftpd-3.0.0+/sysdeputil.c 2012-04-23 04:39:39.000000000 -0400
@@ -60,7 +60,9 @@
#define VSF_SYSDEP_HAVE_LIBCAP
#define VSF_SYSDEP_HAVE_UTMPX
+#ifndef __USE_GNU
#define __USE_GNU
+#endif
#include <utmpx.h>
/* BEGIN config */
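Review bot: `__USE_GNU` is a glibc-internal macro (a reserved double-underscore identifier) that glibc derives from `_GNU_SOURCE`; defining it by hand only works because utmpx.h is the first header to consume it here, and the guard merely hides the redefinition when some earlier include already set it. The portable spelling is `#define _GNU_SOURCE` before the first system include at the top of sysdeputil.c, which is outside this hunk; if that is already present the `__USE_GNU` define can go, otherwise move it up and drop the guard. A comment on why the GNU extensions of utmpx.h are needed (the original's intent is not visible in the context lines) would also help.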


@ -0,0 +1,28 @@
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -475,6 +475,10 @@ seccomp_sandbox_setup_postlogin(const st
/* Need to send file descriptors to privileged broker. */
allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
}
+ if (is_anon && tunable_chown_uploads)
+ {
+ allow_nr(__NR_fchmod);
+ }
}
if (tunable_syslog_enable)
@@ -538,6 +542,12 @@ seccomp_sandbox_setup_postlogin_broker()
seccomp_sandbox_setup_base();
seccomp_sandbox_setup_data_connections();
allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
+ if (tunable_chown_uploads)
+ {
+ allow_nr(__NR_fstat);
+ allow_nr(__NR_fchown);
+ allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+ }
}
void

13
vsftpd-3.0.2-s390.patch Normal file

@ -0,0 +1,13 @@
Index: vsftpd-3.0.2/sysdeputil.c
===================================================================
--- vsftpd-3.0.2.orig/sysdeputil.c 2014-08-21 16:12:59.845872489 +0200
+++ vsftpd-3.0.2/sysdeputil.c 2014-08-21 16:14:59.641431931 +0200
@@ -66,7 +66,7 @@
#include <utmpx.h>
/* BEGIN config */
-#if defined(__linux__)
+#if defined(__linux__) && !defined(__s390__)
#include <errno.h>
#include <syscall.h>
#define VSF_SYSDEP_HAVE_LINUX_CLONE


@ -0,0 +1,59 @@
--- vsftpd-3.0.2/sysutil.c.wnohang 2015-08-03 07:35:33.619620425 +0200
+++ vsftpd-3.0.2/sysutil.c 2015-08-03 07:35:33.626620480 +0200
@@ -608,13 +608,13 @@ vsf_sysutil_exit(int exit_code)
}
struct vsf_sysutil_wait_retval
-vsf_sysutil_wait(void)
+vsf_sysutil_wait(int hang)
{
struct vsf_sysutil_wait_retval retval;
vsf_sysutil_memclr(&retval, sizeof(retval));
while (1)
{
- int sys_ret = wait(&retval.exit_status);
+ int sys_ret = waitpid(-1, &retval.exit_status, hang ? 0 : WNOHANG);
if (sys_ret < 0 && errno == EINTR)
{
vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
--- vsftpd-3.0.2/sysutil.h.wnohang 2015-08-03 07:35:33.610620354 +0200
+++ vsftpd-3.0.2/sysutil.h 2015-08-03 07:35:33.626620480 +0200
@@ -176,7 +176,7 @@ struct vsf_sysutil_wait_retval
int PRIVATE_HANDS_OFF_syscall_retval;
int PRIVATE_HANDS_OFF_exit_status;
};
-struct vsf_sysutil_wait_retval vsf_sysutil_wait(void);
+struct vsf_sysutil_wait_retval vsf_sysutil_wait(int hang);
int vsf_sysutil_wait_reap_one(void);
int vsf_sysutil_wait_get_retval(
const struct vsf_sysutil_wait_retval* p_waitret);
--- vsftpd-3.0.2/twoprocess.c.wnohang 2012-09-16 09:15:49.000000000 +0200
+++ vsftpd-3.0.2/twoprocess.c 2015-08-03 07:35:33.626620480 +0200
@@ -47,8 +47,17 @@ static void
handle_sigchld(void* duff)
{
- struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait();
+ struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait(0);
(void) duff;
+ if (!vsf_sysutil_wait_get_exitcode(&wait_retval) &&
+ !vsf_sysutil_wait_get_retval(&wait_retval))
+ /* There was nobody to wait for, possibly caused by underlying library
+ * which created a new process through fork()/vfork() and already picked
+ * it up, e.g. by pam_exec.so or integrity check routines for libraries
+ * when FIPS mode is on (nss freebl), which can lead to calling prelink
+ * if the prelink package is installed.
+ */
+ return;
/* Child died, so we'll do the same! Report it as an error unless the child
* exited normally with zero exit code
*/
@@ -390,7 +399,7 @@ common_do_login(struct vsf_session* p_se
priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
if (!p_sess->control_use_ssl)
{
- (void) vsf_sysutil_wait();
+ (void) vsf_sysutil_wait(1);
}
else
{
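Review bot: In handle_sigchld the new early return is a brace-less `if` whose condition and `return;` are separated by a seven-line comment, which is easy to misread and easy to break on the next edit; braces with the comment inside the body, `if (!vsf_sysutil_wait_get_exitcode(&wait_retval) && !vsf_sysutil_wait_get_retval(&wait_retval)) { /* nobody to reap ... */ return; }`, make the intent plain. The check relies on both accessors reading as zero when waitpid() returned 0 under WNOHANG, which is not visible in this hunk and presumably holds because `retval` is memclr'd before the loop; a negative return from waitpid() (ECHILD after the child was already reaped) would still fall through to the child-died path as before. handle_sigchld continues past the hunk.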


@ -0,0 +1,81 @@
Index: vsftpd-3.0.2/main.c
===================================================================
--- vsftpd-3.0.2.orig/main.c 2018-06-28 15:45:11.373254606 +0000
+++ vsftpd-3.0.2/main.c 2018-06-28 15:45:16.700973780 +0000
@@ -320,7 +320,7 @@ env_init(void)
static void
limits_init(void)
{
- unsigned long limit = VSFTP_AS_LIMIT;
+ unsigned long limit = tunable_address_space_limit ?: VSFTP_AS_LIMIT;
if (tunable_text_userdb_names)
{
/* Turns out, LDAP lookups for lots of userid -> name mappings can really
Index: vsftpd-3.0.2/parseconf.c
===================================================================
--- vsftpd-3.0.2.orig/parseconf.c 2018-06-28 15:45:11.373254606 +0000
+++ vsftpd-3.0.2/parseconf.c 2018-06-28 15:45:16.700973780 +0000
@@ -138,6 +138,7 @@ parseconf_uint_array[] =
{ "delay_successful_login", &tunable_delay_successful_login },
{ "max_login_fails", &tunable_max_login_fails },
{ "chown_upload_mode", &tunable_chown_upload_mode },
+ { "address_space_limit", &tunable_address_space_limit },
{ 0, 0 }
};
Index: vsftpd-3.0.2/tunables.c
===================================================================
--- vsftpd-3.0.2.orig/tunables.c 2018-06-28 15:45:11.373254606 +0000
+++ vsftpd-3.0.2/tunables.c 2018-06-28 15:45:16.700973780 +0000
@@ -110,6 +110,7 @@ unsigned int tunable_delay_failed_login;
unsigned int tunable_delay_successful_login;
unsigned int tunable_max_login_fails;
unsigned int tunable_chown_upload_mode;
+unsigned int tunable_address_space_limit;
const char* tunable_secure_chroot_dir;
const char* tunable_ftp_username;
@@ -255,6 +256,7 @@ tunables_load_defaults()
tunable_max_login_fails = 3;
/* -rw------- */
tunable_chown_upload_mode = 0600;
+ tunable_address_space_limit = 0; /* See main.c:limits_init */
install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir);
install_str_setting("ftp", &tunable_ftp_username);
Index: vsftpd-3.0.2/tunables.h
===================================================================
--- vsftpd-3.0.2.orig/tunables.h 2018-06-28 15:45:11.373254606 +0000
+++ vsftpd-3.0.2/tunables.h 2018-06-28 15:45:16.700973780 +0000
@@ -112,6 +112,7 @@ extern unsigned int tunable_delay_failed
extern unsigned int tunable_delay_successful_login;
extern unsigned int tunable_max_login_fails;
extern unsigned int tunable_chown_upload_mode;
+extern unsigned int tunable_address_space_limit;
/* String defines */
extern const char* tunable_secure_chroot_dir;
Index: vsftpd-3.0.2/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf.5 2018-06-28 15:45:06.882648441 +0000
+++ vsftpd-3.0.2/vsftpd.conf.5 2018-06-28 15:55:42.806639732 +0000
@@ -639,6 +639,19 @@ The timeout, in seconds, for a remote cl
a PASV style data connection.
Default: 60
+
+.TP
+.B address_space_limit
+Set the amount of memory vsftpd can use (in bytes). This limit exists so that
+attackers cannot exploit any potential bugs in the server that might result in
+vsftpd allocating huge amounts of memory that would affect the host system
+negatively, e.g. causing thrashing or killing random processes due to Linux's
+OOM system. If the value is configured too low, vsftpd will fail with "out of
+memory" errors during normal operations. Oftentimes, this occurs inside of the
+PAM stack on systems that have many memory-intensive PAM modules enabled.
+
+Default: 104857600 (100MB)
+
.TP
.B anon_max_rate
The maximum data transfer rate permitted, in bytes per second, for anonymous
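Review bot: `tunable_address_space_limit ?: VSFTP_AS_LIMIT` in limits_init uses the GNU omitted-middle-operand extension, which GCC and Clang accept but which is not standard C; spelling it out, `unsigned long limit = tunable_address_space_limit ? tunable_address_space_limit : VSFTP_AS_LIMIT;`, costs nothing and keeps the file buildable under `-pedantic` and other compilers. The tunable is `unsigned int` while `limit` is `unsigned long`, so the configurable ceiling is capped at 4 GiB on LP64 systems, which the man page entry could state next to the default. The `/* See main.c:limits_init */` comment on the 0 default only indirectly says that 0 is a sentinel meaning "use the compiled-in VSFTP_AS_LIMIT" (presumably the 104857600 the man page quotes); saying so explicitly in tunables.c avoids a reader taking 0 as "unlimited". limits_init continues past the hunk.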


@ -0,0 +1,13 @@
Index: vsftpd-3.0.4/vsf_findlibs.sh
===================================================================
--- vsftpd-3.0.4.orig/vsf_findlibs.sh 2021-06-15 07:58:45.004475824 +0000
+++ vsftpd-3.0.4/vsf_findlibs.sh 2021-06-15 07:59:59.039320940 +0000
@@ -69,7 +69,7 @@ locate_library /usr/shlib/librt.so && ec
locate_library /usr/lib/libsendfile.so && echo "-lsendfile";
# OpenSSL
-if find_func SSL_library_init ssl.o; then
+if find_func SSL_CTX_new ssl.o; then
echo "-lssl -lcrypto";
elif find_func SSL_new ssl.o; then
echo "-lssl -lcrypto";

BIN
vsftpd-3.0.5.tar.gz (Stored with Git LFS) Normal file


17
vsftpd-3.0.5.tar.gz.asc Normal file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----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=puYU
-----END PGP SIGNATURE-----


@ -0,0 +1,30 @@
From: mvyskocil@suse.com
Subject: enable /dev/log related socket call
Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
Index: vsftpd-3.0.5/seccompsandbox.c
===================================================================
--- vsftpd-3.0.5.orig/seccompsandbox.c 2022-02-02 11:03:38.133860169 +0100
+++ vsftpd-3.0.5/seccompsandbox.c 2022-02-02 11:03:38.177859528 +0100
@@ -366,6 +366,15 @@ seccomp_sandbox_init()
{
bug("bad state in seccomp_sandbox_init");
}
+
+ //this is very probably an attempt to open /dev/log
+ //it fails because process cannot open any file, so it might be safe
+ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
+ allow_nr_3_arg_match(__NR_socket,
+ 1, PF_FILE,
+ 2, SOCK_DGRAM | SOCK_CLOEXEC,
+ 3, 0);
+
}
void
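Review bot: The `socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0)` allowance is added unconditionally (in the hunk tagged seccomp_sandbox_init), while the sibling patches on this page that open syslog-related calls (sendto in the prelogin and broker setups) are gated on `tunable_syslog_enable`; the commit message attributes the call to Linux-PAM's /dev/log attempt, so the same gate, or a comment explaining why it must be unconditional, would keep the base filter minimal when syslog is off. The justification that "process cannot open any file" rests on RLIMIT_NOFILE being exhausted at that point, which is an environmental assumption rather than a property of the filter; creating an AF_UNIX datagram socket is permitted whenever a descriptor happens to be free, so the comment should state the assumption rather than the conclusion. `PF_FILE` is the legacy alias of `PF_UNIX`/`AF_UNIX`, and the `//` comments differ from the `/* */` style used elsewhere in seccompsandbox.c.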


@ -0,0 +1,14 @@
Index: vsftpd-3.0.2/sysutil.c
===================================================================
--- vsftpd-3.0.2.orig/sysutil.c
+++ vsftpd-3.0.2/sysutil.c
@@ -490,7 +490,8 @@ vsf_sysutil_lseek_end(const int fd)
{
filesize_t retval;
retval = lseek(fd, 0, SEEK_END);
- if (retval < 0)
+ /* Ignore ESPIPE to allow append to fifos */
+ if (retval < 0 && errno != ESPIPE)
{
die("lseek");
}
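Review bot: After the relaxed check an ESPIPE failure leaves `retval` at the -1 that lseek() returned, and vsf_sysutil_lseek_end continues past the hunk, presumably returning that value as a filesize_t; a caller that uses the result as an offset or size would then see -1 instead of 0. Either normalise it in the tolerated case, `if (retval < 0 && errno == ESPIPE) { retval = 0; }` before the die() check, or document on the function that a negative result means "not seekable" and audit the callers. The comment should also say that lseek() on a FIFO (append to a named pipe) is the case being tolerated, since ESPIPE alone does not tell the reader why it is acceptable here.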


@ -0,0 +1,19 @@
Index: vsftpd-3.0.2/utility.c
===================================================================
--- vsftpd-3.0.2.orig/utility.c
+++ vsftpd-3.0.2/utility.c
@@ -104,11 +104,13 @@ bug(const char* p_text)
{
if (s_p_sess->ssl_slave_active)
{
+ /* Write error through ssl_slave process */
priv_sock_send_cmd(s_p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP);
priv_sock_send_buf(s_p_sess->ssl_consumer_fd, text_buffer, text_len);
}
- else
+ else if (s_p_sess->p_control_ssl)
{
+ /* From ssl_slave write the message directly */
(void)ssl_write(s_p_sess->p_control_ssl, text_buffer, text_len);
}
}


@ -0,0 +1,155 @@
Index: vsftpd-3.0.2/main.c
===================================================================
--- vsftpd-3.0.2.orig/main.c
+++ vsftpd-3.0.2/main.c
@@ -155,6 +155,9 @@ main(int argc, const char* argv[])
the_session.num_clients = ret.num_children;
the_session.num_this_ip = ret.num_this_ip;
}
+
+ die_init(&the_session);
+
if (tunable_tcp_wrappers)
{
the_session.tcp_wrapper_ok = vsf_tcp_wrapper_ok(VSFTP_COMMAND_FD);
Index: vsftpd-3.0.2/utility.c
===================================================================
--- vsftpd-3.0.2.orig/utility.c
+++ vsftpd-3.0.2/utility.c
@@ -9,9 +9,22 @@
#include "sysutil.h"
#include "str.h"
#include "defs.h"
+#include "session.h"
+#include "tunables.h"
+#include "privsock.h"
+#include "ssl.h"
+#include <stdio.h>
#define DIE_DEBUG
+static struct vsf_session *s_p_sess = NULL;
+
+void
+die_init(struct vsf_session *p_sess)
+{
+ s_p_sess = p_sess;
+}
+
void
die(const char* p_text)
{
@@ -40,12 +53,70 @@ die2(const char* p_text1, const char* p_
void
bug(const char* p_text)
{
+ /* Detect calls caused by failed logging from bug() itself
+ * to prevent infinite loops */
+ static int s_in_bug = 0;
+ const unsigned int buffer_size = 256;
+ char text_buffer[buffer_size];
+ unsigned int text_len;
+
+ if (s_in_bug)
+ return;
+
+ s_in_bug = 1;
+
+ if (s_p_sess)
+ {
+ /* Try to write the message to logs */
+ if (s_p_sess->vsftpd_log_fd != -1)
+ {
+ snprintf(text_buffer, buffer_size,
+ "%s vsftpd [pid %d]: \"%s\" from \"%s\": %s",
+ vsf_sysutil_get_current_date(), vsf_sysutil_getpid(),
+ str_getbuf(&s_p_sess->user_str),
+ str_getbuf(&s_p_sess->remote_ip_str), p_text);
+ text_len = vsf_sysutil_strlen(text_buffer);
+ vsf_sysutil_write_loop(s_p_sess->vsftpd_log_fd, text_buffer, text_len);
+ }
+
+ if (tunable_syslog_enable)
+ {
+ snprintf(text_buffer, buffer_size, "\"%s\" from \"%s\": %s",
+ str_getbuf(&s_p_sess->user_str),
+ str_getbuf(&s_p_sess->remote_ip_str), p_text);
+ vsf_sysutil_syslog(text_buffer, 1);
+ }
+ }
+ else
+ {
+ /* dummy logging before the system is fully set up */
+ if (tunable_syslog_enable)
+ {
+ vsf_sysutil_syslog(p_text, 1);
+ }
+ }
+
+ snprintf(text_buffer, buffer_size, "500 OOPS: %s\r\n", p_text);
+ text_len = vsf_sysutil_strlen(text_buffer);
+
/* Rats. Try and write the reason to the network for diagnostics */
- vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "500 OOPS: ", 10);
- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, p_text,
- vsf_sysutil_strlen(p_text));
- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "\r\n", 2);
+ if (s_p_sess && s_p_sess->control_use_ssl)
+ {
+ if (s_p_sess->ssl_slave_active)
+ {
+ priv_sock_send_cmd(s_p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP);
+ priv_sock_send_buf(s_p_sess->ssl_consumer_fd, text_buffer, text_len);
+ }
+ else
+ {
+ (void)ssl_write(s_p_sess->p_control_ssl, text_buffer, text_len);
+ }
+ }
+ else
+ {
+ vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
+ (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, text_buffer, text_len);
+ }
vsf_sysutil_exit(2);
}
Index: vsftpd-3.0.2/utility.h
===================================================================
--- vsftpd-3.0.2.orig/utility.h
+++ vsftpd-3.0.2/utility.h
@@ -2,6 +2,18 @@
#define VSF_UTILITY_H
struct mystr;
+struct vsf_session;
+
+/* die_init
+ * PURPOSE
+ * Initialize static pointer to vsf_session used for
+ * logging and SSL support used by die() and bug().
+ * If not set (or set to NULL) only dummy write
+ * to VSFTP_COMMAND_FD will be done.
+ * PARAMETERS
+ * p_sess - pointer to vsf_session or NULL
+ */
+void die_init(struct vsf_session *p_sess);
/* die()
* PURPOSE
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -556,6 +556,10 @@ seccomp_sandbox_setup_postlogin_broker()
allow_nr(__NR_fchown);
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
}
+ if (tunable_syslog_enable)
+ {
+ allow_nr_1_arg_match(__NR_sendto, 6, 0);
+ }
}
void
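Review bot: The `if (s_in_bug) return;` guard at the top of the new bug() body turns a re-entrant call into a plain return, so the inner caller (for instance a write helper that tripped the second bug()) resumes as if nothing had failed, whereas bug() is otherwise terminal via vsf_sysutil_exit(2); `if (s_in_bug) { vsf_sysutil_exit(2); }` keeps the never-returns contract while still breaking the loop. `const unsigned int buffer_size = 256; char text_buffer[buffer_size];` declares a variable-length array, because a const-qualified variable is not a constant expression in C — `enum { BUFFER_SIZE = 256 };` (or a `#define`) gives an ordinary array and lets `sizeof text_buffer` be used in the snprintf calls. The lines written to vsftpd_log_fd and to syslog embed `user_str` and `remote_ip_str`; whether those are already stripped of control characters before reaching here is not visible in the hunk, so a one-line comment stating that assumption at the snprintf would help the next reader. The seccompsandbox.c hunk that allows sendto(flags == 0) in the broker when syslog is enabled is the counterpart of the syslog write added here and is worth cross-referencing in its comment.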


@ -0,0 +1,35 @@
From: Michal Vyskocil <mvyskocil@suse.cz>
Subject: Drop CLONE_NEWPID from clone call
Kernel autid system prohibits the processes created with CLONE_NEWPID, so an
attempt to log into ftp server ends with
audit_log_acct_message() failed: Operation not permitted
https://bugzilla.novell.com/show_bug.cgi?id=786024#c38
identified-by: Tony Jones <tonyj@suse.com>
fixes: bnc#786024
Index: vsftpd-3.0.2/sysdeputil.c
===================================================================
--- vsftpd-3.0.2.orig/sysdeputil.c
+++ vsftpd-3.0.2/sysdeputil.c
@@ -1272,7 +1272,7 @@ vsf_sysutil_fork_isolate_all_failok()
if (cloneflags_work)
{
int ret = syscall(__NR_clone,
- CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD,
+ CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD,
NULL);
if (ret != -1 || (errno != EINVAL && errno != EPERM))
{
@@ -1295,7 +1295,7 @@ vsf_sysutil_fork_isolate_failok()
static int cloneflags_work = 1;
if (cloneflags_work)
{
- int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
+ int ret = syscall(__NR_clone, CLONE_NEWIPC | SIGCHLD, NULL);
if (ret != -1 || (errno != EINVAL && errno != EPERM))
{
if (ret == 0)


@ -0,0 +1,33 @@
From: mvyskocil@suse.com
Subject: enable sendto to /dev/log
vsftpd is killed once a file is downloaded and it try to log the success to
/dev/log. This patch enables a sendto on fd 4, in a case the syslog logging is
enabled.
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=812406
---
seccompsandbox.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -503,6 +501,15 @@ seccomp_sandbox_setup_postlogin(const st
allow_nr(__NR_chmod);
}
}
+
+ /*
+ * MV: this enables logging to the syslog - the vsf_log_do_log are in postlogin.c and privops.c, but hopefully this is enough
+ */
+ if (tunable_syslog_enable)
+ {
+ allow_nr_1_arg_mask(__NR_sendto, 1, 4);
+ }
+
}
void
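Review bot: `allow_nr_1_arg_mask(__NR_sendto, 1, 4)` keys the allowance on a bit-mask of the descriptor number; assuming the helper accepts the call when `arg & mask` is non-zero, as its name suggests, it admits every descriptor with bit 2 set (4, 5, 6, 7, 12, ...), not only the fd 4 the commit message describes, and descriptor numbers depend on open order so they are a fragile key in any case. The other syslog allowances on this page (prelogin and broker) use `allow_nr_1_arg_match(__NR_sendto, 6, 0)`, constraining the flags argument and leaving the descriptor alone; the same form here would be consistent and at least as tight. The `MV:` comment could be reduced to what it establishes — that vsf_log_do_log needs sendto when syslog logging is on.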


@ -0,0 +1,44 @@
From: Michal Vyskocil <mvyskocil@suse.cz>
Subject: Enable fcntl F_SETFL
The fcntl with F_SETFL is called from various parts of a vsftpd code, thus add
it unconditionally to seccomp sandbox. I've failed to limit it more, however
most arguments of F_SETFL are ignored on Linux and the remaining set seems to be
safe.
fixes: bnc#786024
---
seccompsandbox.c | 22 ++++++++++++++++++++++
5 files changed, 45 insertions(+), 6 deletions(-)
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -306,6 +306,25 @@ seccomp_sandbox_setup_base()
/* Always need to be able to exit ! */
allow_nr(__NR_exit_group);
+
+ /*
+ * MV: this is needed for
+ * vsf_sysutil_activate_noblock
+ * vsf_sysutil_deactivate_noblock
+ *
+ * both called from various places (like all those die, bug in utilities),
+ * so lets enable it by default
+ */
+ allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
+ allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL);
+
+ /*
+ * MV: this form have newer worked, neither with O_RDWR, O_RDWR|O_NONBLOCK
+ * however fcntl(2) says that most of arguments to fcntl are ignored on Linux
+ * thus this might be safe to do
+ */
+ //allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);
+
}
void
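Review bot: The commented-out `//allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);` is dead code; keep the reasoning as a comment (the narrower match could not be made to work because call sites pass the full flag word) and drop the code line. `allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL)` lets the sandboxed process set any F_SETFL-settable flag — O_APPEND, O_ASYNC, O_NOATIME, O_NONBLOCK — so the comment's "most arguments are ignored on Linux" is worth replacing with that precise list and the reason it is acceptable for this process. The `MV:` prefixes are a style the rest of seccompsandbox.c does not use.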


@ -0,0 +1,18 @@
diff -urN vsftpd-3.0.2/seccompsandbox.c vsftpd-3.0.2.new/seccompsandbox.c
--- vsftpd-3.0.2/seccompsandbox.c 2012-09-18 08:52:30.000000000 +0200
+++ vsftpd-3.0.2.new/seccompsandbox.c 2014-04-10 14:55:30.855607231 +0200
@@ -303,6 +303,14 @@
allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
allow_nr(__NR_restart_syscall);
allow_nr(__NR_close);
+
+ /*
+ * Calls to alarm and date
+ * Seems to be some part of the logging
+ * wrt bnc#870122
+ */
+ allow_nr(__NR_alarm);
+ allow_nr(__NR_gettimeofday);
/* Always need to be able to exit ! */
allow_nr(__NR_exit_group);


@ -0,0 +1,21 @@
Enable sendto for syslog logging to /dev/log in prelogin
We write to log from check_limits() and therefore we have to allow
sendto() for syslog otherwise sandbox will kill the child.
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -388,6 +388,11 @@ seccomp_sandbox_setup_prelogin(const str
1, PF_FILE,
2, SOCK_DGRAM | SOCK_CLOEXEC,
3, 0);
+ // allow syslog logs from check_limits()
+ if (tunable_syslog_enable)
+ {
+ allow_nr_1_arg_match(__NR_sendto, 6, 0);
+ }
}


@ -0,0 +1,18 @@
Index: vsftpd-3.0.3/seccompsandbox.c
===================================================================
--- vsftpd-3.0.3.orig/seccompsandbox.c 2018-04-25 06:34:52.154728803 +0000
+++ vsftpd-3.0.3/seccompsandbox.c 2018-04-25 06:37:43.071314942 +0000
@@ -306,6 +306,13 @@ seccomp_sandbox_setup_base()
allow_nr(__NR_restart_syscall);
allow_nr(__NR_close);
+ /* Required on SLE-15 because of changes in 3rd party libraries.
+ * Reported in bsc#1089088.
+ */
+ allow_nr(__NR_wait4);
+ allow_nr(__NR_sysinfo);
+ allow_nr(__NR_shutdown);
+
/*
* Calls to alarm and date
* Seems to be some part of the logging

11
vsftpd-ls-memleak.patch Normal file

@ -0,0 +1,11 @@
Index: vsftpd-2.0.7/ls.c
===================================================================
--- vsftpd-2.0.7.orig/ls.c
+++ vsftpd-2.0.7/ls.c
@@ -558,5 +559,6 @@ build_dir_line(struct mystr* p_str, cons
/* Filename */
str_append_str(p_str, p_filename_str);
str_append_text(p_str, "\r\n");
+ str_free(&s_tmp_str);
}

41
vsftpd-mdtm-in-utc.patch Normal file

@ -0,0 +1,41 @@
Index: vsftpd-3.0.2/postlogin.c
===================================================================
--- vsftpd-3.0.2.orig/postlogin.c 2017-04-06 12:40:37.413294178 +0200
+++ vsftpd-3.0.2/postlogin.c 2017-04-06 12:40:37.610294876 +0200
@@ -1639,7 +1639,7 @@ handle_mdtm(struct vsf_session* p_sess)
else
{
retval = vsf_sysutil_setmodtime(
- str_getbuf(&p_sess->ftp_arg_str), modtime, tunable_use_localtime);
+ str_getbuf(&p_sess->ftp_arg_str), modtime, 0);
if (retval != 0)
{
vsf_cmdio_write(p_sess, FTP_FILEFAIL,
@@ -1664,7 +1664,7 @@ handle_mdtm(struct vsf_session* p_sess)
static struct mystr s_mdtm_res_str;
str_alloc_text(&s_mdtm_res_str,
vsf_sysutil_statbuf_get_numeric_date(
- s_p_statbuf, tunable_use_localtime));
+ s_p_statbuf, 0));
vsf_cmdio_write_str(p_sess, FTP_MDTMOK, &s_mdtm_res_str);
}
}
Index: vsftpd-3.0.2/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf.5 2017-04-06 12:40:37.496294472 +0200
+++ vsftpd-3.0.2/vsftpd.conf.5 2017-04-06 12:41:50.271557442 +0200
@@ -556,9 +556,11 @@ may be found within the _current_ chroot
Default: NO
.TP
.B use_localtime
-If enabled, vsftpd will display directory listings with the time in your
-local time zone. The default is to display GMT. The times returned by the
-MDTM FTP command are also affected by this option.
+If enabled, vsftpd will display directory listings with the time in your local
+time zone. The default is to display GMT. Note that this setting will NOT
+affect the times returned by the MDTM FTP command in this version of the
+daemon. This behavior deviates from the upstream version, which violated
+RFC3659 and subsequently caused problems with popular FTP clients.
Default: NO
.TP


@ -0,0 +1,18 @@
Force openlog() to open log immediately iff force!=0.
Otherwise is log opened on first syslog() call which may be
after the privileges are dropped and new file descriptors
cannot be created.
Index: vsftpd-3.0.5/sysutil.c
===================================================================
--- vsftpd-3.0.5.orig/sysutil.c 2022-02-01 19:38:36.487789134 +0100
+++ vsftpd-3.0.5/sysutil.c 2022-02-01 19:44:08.787005494 +0100
@@ -2700,7 +2700,7 @@ vsf_sysutil_openlog(int force)
{
int facility = LOG_DAEMON;
int option = LOG_PID;
- if (!force)
+ if (force)
{
option |= LOG_NDELAY;
}

171
vsftpd-path-normalize.patch Normal file

@ -0,0 +1,171 @@
Index: vsftpd-3.0.2/str.c
===================================================================
--- vsftpd-3.0.2.orig/str.c
+++ vsftpd-3.0.2/str.c
@@ -16,6 +16,12 @@
#define PRIVATE_HANDS_OFF_alloc_bytes alloc_bytes
#include "str.h"
+/* normalize filepath */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <libgen.h>
+
/* Ick. Its for die() */
#include "utility.h"
#include "sysutil.h"
@@ -781,3 +787,60 @@ str_basename (struct mystr* d_str, const
if (str_isempty(d_str))
str_copy (d_str, path);
}
+
+void
+str_normalize_filepath(struct mystr* filepath)
+{
+ char *path;
+ char *normdir;
+ char *dir;
+ char *filename;
+ static struct mystr tmp;
+
+ /* normalize filepath */
+ path = str_strdup(filepath);
+ if (path == NULL)
+ {
+ return;
+ }
+ char *ch1 = strdup(path);
+ char *ch2 = strdup(path);
+ if (ch1 == NULL || ch2 == NULL)
+ {
+ goto out;
+ }
+ /* we split dir/file as realpath /home/REGEXP is NULL so we need dir
+ * dir only to function correctly, later on we need to glue back the
+ * file if there is some
+ */
+ dir = dirname(ch1);
+ filename = basename(ch2);
+ normdir = realpath(dir, NULL);
+ if (normdir == NULL)
+ {
+ goto out;
+ }
+ str_alloc_text(&tmp, normdir);
+ unsigned int len = str_getlen(&tmp);
+ if (str_get_char_at(&tmp, len - 1) != '/')
+ {
+ str_append_char(&tmp, '/');
+ }
+ /* / is special it ends in both dirname and basename so ignore it here */
+ if (strcmp(filename, "/") != 0)
+ {
+ str_append_text(&tmp, filename);
+ }
+ /* TODO: here we should run one more stat to determine if the whole thing
+ * is a directory and append trailing / (ie. /home -> /home/).
+ * This will make the deny_file=/home/<REGEXP> work contrary to currently
+ * needed /home<REGEXP>.
+ */
+ str_copy(filepath, &tmp);
+ free(normdir);
+ str_free(&tmp);
+out:
+ free(path);
+ free(ch1);
+ free(ch2);
+}
Index: vsftpd-3.0.2/str.h
===================================================================
--- vsftpd-3.0.2.orig/str.h
+++ vsftpd-3.0.2/str.h
@@ -102,6 +102,7 @@ int str_atoi(const struct mystr* p_str);
filesize_t str_a_to_filesize_t(const struct mystr* p_str);
unsigned int str_octal_to_uint(const struct mystr* p_str);
void str_basename (struct mystr* d_str, const struct mystr* path);
+void str_normalize_filepath(struct mystr* filepath);
/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
* buffer, starting at character position 'p_pos'. The extracted line will
Index: vsftpd-3.0.2/ls.c
===================================================================
--- vsftpd-3.0.2.orig/ls.c
+++ vsftpd-3.0.2/ls.c
@@ -117,11 +117,13 @@ vsf_ls_populate_dir_list(struct mystr_li
{
continue;
}
+ str_copy(&s_next_path_and_filename_str, &normalised_base_dir_str);
+ str_append_str(&s_next_path_and_filename_str, &s_next_filename_str);
/* If we have an ls option which is a filter, apply it */
if (!str_isempty(p_filter_str))
{
unsigned int iters = 0;
- if (!vsf_filename_passes_filter(&s_next_filename_str, p_filter_str,
+ if (!vsf_filename_passes_filter(&s_next_path_and_filename_str, p_filter_str,
&iters))
{
continue;
@@ -130,8 +132,6 @@ vsf_ls_populate_dir_list(struct mystr_li
/* Calculate the full path (relative to CWD) for lstat() and
* output purposes
*/
- str_copy(&s_next_path_and_filename_str, &normalised_base_dir_str);
- str_append_str(&s_next_path_and_filename_str, &s_next_filename_str);
if (do_stat)
{
/* lstat() the file. Of course there's a race condition - the
@@ -239,6 +239,7 @@ vsf_filename_passes_filter(const struct
* for /a/?/c will not.
*/
struct mystr filter_remain_str = INIT_MYSTR;
+ struct mystr basic_name_str = INIT_MYSTR;
struct mystr name_remain_str = INIT_MYSTR;
struct mystr temp_str = INIT_MYSTR;
struct mystr brace_list_str = INIT_MYSTR;
@@ -249,27 +250,29 @@ vsf_filename_passes_filter(const struct
int matched = 0;
str_copy(&filter_remain_str, p_filter_str);
+ str_copy(&basic_name_str, p_filename_str);
+ str_normalize_filepath(&basic_name_str);
- if (!str_isempty (&filter_remain_str) && !str_isempty(p_filename_str)) {
+ if (!str_isempty (&filter_remain_str) && !str_isempty(&basic_name_str)) {
if (str_get_char_at(p_filter_str, 0) == '/') {
- if (str_get_char_at(p_filename_str, 0) != '/') {
+ if (str_get_char_at(&basic_name_str, 0) != '/') {
str_getcwd (&name_remain_str);
if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
str_append_char (&name_remain_str, '/');
- str_append_str (&name_remain_str, p_filename_str);
+ str_append_str (&name_remain_str, &basic_name_str);
}
else
- str_copy (&name_remain_str, p_filename_str);
+ str_copy (&name_remain_str, &basic_name_str);
} else {
if (str_get_char_at(p_filter_str, 0) != '{')
- str_basename (&name_remain_str, p_filename_str);
+ str_basename (&name_remain_str, &basic_name_str);
else
- str_copy (&name_remain_str, p_filename_str);
+ str_copy (&name_remain_str, &basic_name_str);
}
} else
- str_copy(&name_remain_str, p_filename_str);
+ str_copy(&name_remain_str, &basic_name_str);
while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
{
@@ -475,6 +475,7 @@ vsf_filename_passes_filter(const struct
}
out:
str_free(&filter_remain_str);
+ str_free(&basic_name_str);
str_free(&name_remain_str);
str_free(&temp_str);
str_free(&brace_list_str);
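Review bot: In str_normalize_filepath the trailing-slash test `str_get_char_at(&tmp, len - 1)` underflows when `len` is 0; realpath() should never yield an empty string, but the guard is one comparison, `if (len == 0 || str_get_char_at(&tmp, len - 1) != '/')`, and makes the helper safe for any future caller. When strdup() or realpath() fails the function returns with `filepath` untouched and vsf_filename_passes_filter then matches the un-normalised name, so deny_file/hide_file patterns see different inputs depending on whether the directory resolved; that silent fallback deserves a comment at the `goto out` sites, or a return value so the caller can log it. realpath() also resolves symlinks and touches the filesystem for every listed entry, which changes what an absolute pattern matches and adds syscalls that the seccomp allowances on this page do not visibly cover — worth confirming under seccomp_sandbox=YES. The `static struct mystr tmp` is freed on every successful return, so `static` buys nothing and only makes the helper non-reentrant.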


@ -0,0 +1,112 @@
---
parseconf.c | 1 +
secutil.c | 6 ++++--
secutil.h | 2 ++
tunables.c | 2 ++
tunables.h | 1 +
twoprocess.c | 6 ++++++
vsftpd.conf | 4 ++++
vsftpd.conf.5 | 7 +++++++
8 files changed, 27 insertions(+), 2 deletions(-)
Index: vsftpd-3.0.2/tunables.c
===================================================================
--- vsftpd-3.0.2.orig/tunables.c
+++ vsftpd-3.0.2/tunables.c
@@ -88,6 +88,7 @@ int tunable_ftp_enable;
int tunable_http_enable;
int tunable_seccomp_sandbox;
int tunable_allow_writeable_chroot;
+int tunable_allow_root_squashed_chroot;
unsigned int tunable_accept_timeout;
unsigned int tunable_connect_timeout;
@@ -228,6 +229,7 @@ tunables_load_defaults()
tunable_http_enable = 0;
tunable_seccomp_sandbox = 1;
tunable_allow_writeable_chroot = 0;
+ tunable_allow_root_squashed_chroot = 0;
tunable_accept_timeout = 60;
tunable_connect_timeout = 60;
Index: vsftpd-3.0.2/tunables.h
===================================================================
--- vsftpd-3.0.2.orig/tunables.h
+++ vsftpd-3.0.2/tunables.h
@@ -89,6 +89,7 @@ extern int tunable_ftp_enable;
extern int tunable_http_enable; /* Allow HTTP protocol */
extern int tunable_seccomp_sandbox; /* seccomp filter sandbox */
extern int tunable_allow_writeable_chroot; /* Allow misconfiguration */
+extern int tunable_allow_root_squashed_chroot;/* Allow chroot on squashed root nfs */
/* Integer/numeric defines */
extern unsigned int tunable_accept_timeout;
Index: vsftpd-3.0.2/parseconf.c
===================================================================
--- vsftpd-3.0.2.orig/parseconf.c
+++ vsftpd-3.0.2/parseconf.c
@@ -107,6 +107,7 @@ parseconf_bool_array[] =
{ "http_enable", &tunable_http_enable },
{ "seccomp_sandbox", &tunable_seccomp_sandbox },
{ "allow_writeable_chroot", &tunable_allow_writeable_chroot },
+ { "allow_root_squashed_chroot", &tunable_allow_root_squashed_chroot },
{ 0, 0 }
};
Index: vsftpd-3.0.2/twoprocess.c
===================================================================
--- vsftpd-3.0.2.orig/twoprocess.c
+++ vsftpd-3.0.2/twoprocess.c
@@ -164,6 +164,9 @@ drop_all_privs(void)
{
str_alloc_text(&dir_str, tunable_secure_chroot_dir);
}
+ if (tunable_allow_root_squashed_chroot) {
+ option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
+ }
/* Be kind: give good error message if the secure dir is missing */
{
struct vsf_sysutil_statbuf* p_statbuf = 0;
@@ -453,6 +456,9 @@ common_do_login(struct vsf_session* p_se
{
secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;
}
+ if (do_chroot && tunable_allow_root_squashed_chroot) {
+ secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
+ }
calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
p_user_str, p_orig_user_str);
vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
Index: vsftpd-3.0.2/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf.5
+++ vsftpd-3.0.2/vsftpd.conf.5
@@ -42,6 +42,13 @@ connections.
Default: NO
.TP
+.B allow_root_squashed_chroot
+If set to YES, chroot is called with non-root credentials. This enabled chroot
+on squashed nfs. This option is applied only if chroot is performed, otherwise
+ignored.
+
+Default: NO
+.TP
.B anon_mkdir_write_enable
If set to YES, anonymous users will be permitted to create new directories
under certain conditions. For this to work, the option
Index: vsftpd-3.0.2/vsftpd.conf
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf
+++ vsftpd-3.0.2/vsftpd.conf
@@ -64,6 +64,10 @@ local_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
+# Performs chroot with original (non-root) credentials. This is usefull on nfs with squash_root,
+# where root becomes nobody and would need -x access.
+#allow_root_squashed_chroot=YES
+#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#local_max_rate=7200
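Review bot: `VSF_SECUTIL_OPTION_CHANGE_EUID` is set in two places in twoprocess.c, but the diffstat at the top of this patch lists secutil.c (6 lines) and secutil.h (2 lines) for which no hunks appear in the 112 lines of the file; unless the flag is defined and honoured elsewhere in the series, the patch does not build, and the stale diffstat should be regenerated either way. The two new blocks write `if (...) {` with the brace on the condition line while the surrounding vsftpd code puts it on its own line. The man page entry could say what "non-root credentials" means for chroot(2), which requires CAP_SYS_CHROOT — presumably the option changes the effective uid while retaining the capability, but that is only visible in the missing secutil hunks.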


@ -0,0 +1,15 @@
Index: vsftpd-3.0.5/seccompsandbox.c
===================================================================
--- vsftpd-3.0.5.orig/seccompsandbox.c 2022-02-01 19:47:13.916340458 +0100
+++ vsftpd-3.0.5/seccompsandbox.c 2022-02-01 19:51:24.196737535 +0100
@@ -406,6 +406,10 @@ seccomp_sandbox_setup_prelogin(const str
{
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
+ // called from openssl's RAND_poll which is invoked in FIPS mode when the DRBG is seeded
+ allow_nr(__NR_getrandom);
+ allow_nr_1_arg_mask(__NR_open, 2, O_RDONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC);
+ allow_nr(__NR_getuid);
}
if (tunable_syslog_enable)
{
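Review bot: `allow_nr_1_arg_mask(__NR_open, 2, O_RDONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC)` admits an open() of any path whose flags fit the mask — seccomp cannot inspect the pathname — so the pre-login process gains read access to every file its uid can read, a wider change than the getrandom/getuid lines it is grouped with; the comment should say so and name the file RAND_poll reads (presumably /dev/urandom), and the allowance should be gated on SSL being enabled if the enclosing `if`, whose condition starts outside the hunk, is not already SSL-specific. Recent glibc implements fopen()/open() via openat on x86_64, so whether this line matches the syscall actually issued is worth verifying with strace under the target libc. The three lines use `//` comments where the file uses `/* */`.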

15
vsftpd-seccomp-ssl.patch Normal file

@ -0,0 +1,15 @@
SSL initialization calls RAND_load_file() which needs stat() enabled.
Index: vsftpd-3.0.3/seccompsandbox.c
===================================================================
--- vsftpd-3.0.3.orig/seccompsandbox.c 2021-12-21 15:33:01.491786690 +0100
+++ vsftpd-3.0.3/seccompsandbox.c 2021-12-21 15:33:01.499786535 +0100
@@ -559,6 +559,8 @@ seccomp_sandbox_setup_postlogin_broker()
allow_nr(__NR_fstat);
allow_nr(__NR_fchown);
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+ // called by RAND_load_file
+ allow_nr(__NR_stat);
}
if (tunable_syslog_enable)
{
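Review bot: Judging by the context lines (fstat, fchown, recvmsg, then the closing brace before `if (tunable_syslog_enable)`), the new `allow_nr(__NR_stat);` lands inside the `if (tunable_chown_uploads)` block that vsftpd-seccomp-wait4.patch shows at the same spot, which would make the allowance conditional on chown_uploads even though the stated need (RAND_load_file during SSL initialization) does not depend on that tunable; with chown_uploads=NO and SSL enabled the sandbox would presumably still reject stat(). If that reading is right, move the two added lines after the closing brace so they are unconditional, or guard them on the SSL tunable instead. `__NR_stat` is also not defined on every Linux ABI (newer ones only carry the fstatat family), so an `#ifdef __NR_stat` or an additional newfstatat allowance keeps the build portable. The enclosing function seccomp_sandbox_setup_postlogin_broker starts outside the hunk.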


@ -0,0 +1,14 @@
Broker has to wait for its child.
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -540,6 +540,7 @@ seccomp_sandbox_setup_postlogin_broker()
seccomp_sandbox_setup_base();
seccomp_sandbox_setup_data_connections();
allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
+ allow_nr(__NR_wait4);
if (tunable_chown_uploads)
{
allow_nr(__NR_fstat);
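Review bot: The justification for `allow_nr(__NR_wait4);` lives only in the patch preamble ("Broker has to wait for its child"), whereas the sibling seccomp patches put the reason in a code comment next to the allowance; once the patch is applied the reason disappears from the source. A one-line comment such as `// the broker must wait4() its child; see vsftpd-seccomp-wait4.patch` keeps the allow-list self-documenting, which matters because every unexplained entry in a sandbox profile is a candidate for accidental removal or an unaudited widening. seccomp_sandbox_setup_postlogin_broker continues outside the hunk.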


@ -0,0 +1,18 @@
Index: vsftpd-3.0.3/vsftpd.conf
===================================================================
--- vsftpd-3.0.3.orig/vsftpd.conf 2018-06-21 11:01:12.125258812 +0000
+++ vsftpd-3.0.3/vsftpd.conf 2018-06-21 11:04:43.355979116 +0000
@@ -188,8 +188,12 @@ listen=NO
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES
#
-# Set to ssl_enable=YES if you want to enable SSL
+# Set "ssl_enable=YES" to enable SSL support and configure the location of
+# your local certificate (RSA, DSA, or both). Note that vsftpd won't start
+# if either of the "xxx_cert_file" options sets a path that doesn't exist.
ssl_enable=NO
+rsa_cert_file=
+dsa_cert_file=
#
# Limit passive ports to this range to assis firewalling
pasv_min_port=30000
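Review bot: The two new settings `rsa_cert_file=` and `dsa_cert_file=` are active lines, not commented examples like the rest of this file, so they deliberately override the compiled-in default path (use-system-wide-crypto-policy.patch shows tunables.c defaulting rsa_cert_file to /usr/share/ssl/certs/vsftpd.pem); that intent is not stated and an administrator may assume the built-in defaults still apply. A short comment would make it explicit: `# Both are left empty on purpose so vsftpd starts even though no certificate is installed; point them at your certificate before setting ssl_enable=YES.` The "RSA, DSA, or both" wording presumably predates the system-wide crypto policy default introduced elsewhere in this commit, so it is worth confirming that a DSA-only setup still negotiates under PROFILE=SYSTEM before advertising it.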


@ -0,0 +1,30 @@
Index: vsftpd-3.0.5/tunables.c
===================================================================
--- vsftpd-3.0.5.orig/tunables.c
+++ vsftpd-3.0.5/tunables.c
@@ -295,7 +295,7 @@ tunables_load_defaults()
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
- install_str_setting("DEFAULT_SUSE", &tunable_ssl_ciphers);
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
Index: vsftpd-3.0.5/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.5.orig/vsftpd.conf.5
+++ vsftpd-3.0.5/vsftpd.conf.5
@@ -1024,7 +1024,11 @@ man page for further details. Note that
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.
-Default: DEFAULT_SUSE
+By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8)
+for further details.
+
+Default: PROFILE=SYSTEM
.TP
.B ssl_sni_hostname
If set, SSL connections will be rejected unless the SNI hostname in the
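Review bot: The new default `PROFILE=SYSTEM` is a cipher-string token understood only by OpenSSL builds that carry the crypto-policies integration; on an unpatched OpenSSL the cipher-list parser presumably rejects it, and neither the tunables.c change nor the man-page text says what happens then (refused SSL sessions or a startup failure). Since the spec builds against different OpenSSL versions depending on `sle_version`, the man page should state the requirement, e.g. add after the new sentence: `This requires an OpenSSL library with crypto-policies support; on other builds set ssl_ciphers explicitly.` A cipher list also only governs TLS 1.2 and earlier — TLS 1.3 suites are configured through a separate API — so the text should not imply the policy is fully applied through this setting unless vsftpd also passes the profile to that API.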

1334
vsftpd.changes Normal file

File diff suppressed because it is too large Load Diff

17
vsftpd.firewall Normal file

@ -0,0 +1,17 @@
## Name: vsftpd Server
## Description: Opens ports for vsftpd Server.
# space separated list of allowed TCP ports
TCP="ftp 30000:30100"
# space separated list of allowed UDP ports
UDP=""
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""

8
vsftpd.firewalld Normal file

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>vsftpd ports</short>
<description>vsftpd ports for both active and passive connections</description>
<port protocol="tcp" port="21"/> <!-- control connection port -->
<port protocol="tcp" port="30000-30100"/> <!-- passive mode port range -->
</service>
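Review bot: The passive port range 30000-30100 is hard-coded here and again in vsftpd.firewall, and must agree with pasv_min_port/pasv_max_port in vsftpd.conf (the patched vsftpd.conf shows pasv_min_port=30000); nothing ties the three together, so a change to one silently leaves the other two stale. A comment pointing at the config keys would help: `<!-- keep in sync with pasv_min_port/pasv_max_port in /etc/vsftpd.conf -->`.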

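--- a/vsftpd.ftpusers
+++ b/vsftpd.ftpusers
@@ -0,0 +1,16 @@
+#
+# ftpusers This file describes the names of the users that may
+# _*NOT*_ log into the system via the FTP server.
+# This usually includes "root", "uucp", "news" and the
+# like, because those users have too much power to be
+# allowed to do "just" FTP...
+#
+adm
+bin
+daemon
+games
+mail
+news
+nobody
+root
+uucp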

107
vsftpd.init Normal file

@ -0,0 +1,107 @@
#! /bin/sh
# Copyright (c) 1995-2005 SUSE Linux GmbH, Nuernberg, Germany.
# All rights reserved.
#
# Author: Mads Martin Joergensen
#
# /etc/init.d/vsftpd
# and its symbolic link
# /usr/sbin/rcvsftpd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
### BEGIN INIT INFO
# Provides: ftpd
# Required-Start: $local_fs $remote_fs $syslog network-remotefs
# Required-Stop: $local_fs $remote_fs $syslog network-remotefs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: very secure ftp daemon
# Short-Description: very secure ftp daemon
### END INIT INFO
# Note on runlevels:
# 0 - halt/poweroff 6 - reboot
# 1 - single user 2 - multiuser without network exported
# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.
VSFTPD_BIN=/usr/sbin/vsftpd
test -x $VSFTPD_BIN || { echo "$VSFTPD_BIN not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
. /etc/rc.status
rc_reset
case "$1" in
start)
echo -n "Starting vsftpd "
/sbin/startproc -l /var/log/rcvsftp.log $VSFTPD_BIN
rc_status -v
;;
stop)
echo -n "Shutting down vsftpd "
/sbin/killproc -TERM $VSFTPD_BIN
rc_status -v
;;
try-restart|condrestart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
$0 stop
$0 start
rc_status
;;
force-reload)
echo -n "Reload service vsftpd "
/sbin/killproc -HUP $VSFTPD_BIN
rc_status -v
;;
reload)
echo -n "Reload service vsftpd "
/sbin/killproc -HUP $VSFTPD_BIN
rc_status -v
;;
status)
echo -n "Checking for service vsftpd "
/sbin/checkproc $VSFTPD_BIN
rc_status -v
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
exit 1
;;
esac
rc_exit
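Review bot: `startproc -l /var/log/rcvsftp.log` sends the daemon's stdout/stderr to a file whose name differs from the daemon's own log (vsftpd.logrotate rotates /var/log/vsftpd.log) and that no logrotate entry in this commit covers, so it can grow without bound; either name it rcvsftpd.log and add it to the logrotate config, or drop `-l`. The `force-reload` and `reload` cases are identical and could be merged as `force-reload|reload)`. This script is only installed in the non-systemd branch of the spec, so both points are low priority.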

52
vsftpd.keyring Normal file

@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=QcZC
-----END PGP PUBLIC KEY BLOCK-----

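--- a/vsftpd.logrotate
+++ b/vsftpd.logrotate
@@ -0,0 +1,14 @@
+/var/log/vsftpd.log {
+compress
+dateext
+maxage 365
+rotate 99
+size +1024k
+notifempty
+missingok
+create 600 root root
+sharedscripts
+postrotate
+pgrep vsftpd && killall -HUP vsftpd || exit 0
+endscript
+}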
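Review bot: `killall -HUP vsftpd` signals every process named vsftpd — the listener and, presumably, every active session process — and `pgrep vsftpd` matches the name as a pattern rather than exactly; whether a HUP delivered to a session child is harmless depends on vsftpd's signal handling, which this file does not document. If only the listener is meant to reopen its log, target its pid (a systemd-managed service has a main pid) or at least use `pgrep -x vsftpd` so that names merely containing "vsftpd" are not matched. The trailing `|| exit 0` also hides a failed killall, which is probably intended, but deserves a comment such as `# best effort: vsftpd may not be running`.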

16
vsftpd.pam Normal file

@ -0,0 +1,16 @@
#%PAM-1.0
# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail
auth required pam_listfile.so item=user sense=deny file=/etc/vftpd/ftpusers onerr=succeed
# Uncomment the following line for anonymous ftp.
#auth sufficient pam_ftp.so
auth required pam_shells.so
auth include common-auth
account include common-account
password include common-password
session required pam_keyinit.so force revoke
session required pam_loginuid.so
session include common-session
session include postlogin-session
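Review bot: The deny-list path on the pam_listfile line reads `/etc/vftpd/ftpusers`, while the spec installs the file as %{_sysconfdir}/vsftpd/ftpusers (`/etc/vsftpd/ftpusers`); unless this is a rendering artifact, the module can never open the file, and because the same line says `onerr=succeed` a missing file is treated as "no denial", so root, bin, daemon and the other accounts in vsftpd.ftpusers are not blocked by PAM at all. The fix is the path: `auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed`. Consider `onerr=fail` as well: a deny list that fails open hides exactly this kind of misconfiguration, whereas failing closed surfaces it on the first login attempt.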

20
vsftpd.service Normal file

@ -0,0 +1,20 @@
[Unit]
Description=Vsftpd ftp daemon
After=network.target
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
[Install]
WantedBy=multi-user.target
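Review bot: The hardening block stops short of `ProtectSystem=`; vsftpd presumably only reads its config, writes logs under /var and serves data under user homes, so `ProtectSystem=full` (read-only /usr, /boot and /etc) looks compatible and is worth testing and adding with a comment, or stating why it is omitted. The spec's SLE-version sed strips `ProtectHome` and `PrivateMounts` from this unit, neither of which is present here, so that list is stale relative to the unit. The unit does not state `Type=`, so it relies on vsftpd staying in the foreground (vsftpd@.service passes -obackground=NO explicitly while this unit presumably relies on the default); a comment `# vsftpd must not daemonize: background=NO is assumed` would make that dependency visible.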

9
vsftpd.socket Normal file

@ -0,0 +1,9 @@
[Unit]
Conflicts=vsftpd.service
[Socket]
ListenStream=21
Accept=yes
[Install]
WantedBy=sockets.target
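Review bot: `Accept=yes` spawns one vsftpd@.service instance per connection and the unit sets neither `MaxConnections=` nor `MaxConnectionsPerSource=`, so the only cap on concurrent instances is systemd's built-in default; vsftpd's own max_clients/max_per_ip tunables presumably do not help here because each instance sees exactly one connection. Add explicit limits, e.g. `MaxConnections=64` and `MaxConnectionsPerSource=10` (values to be chosen by the packager), with a comment so the socket-activated deployment has a stated connection budget. `ListenStream=21` binds both address families by default; if that is meant to mirror listen_ipv6=YES in vsftpd.conf, a `BindIPv6Only=` line or comment would make the choice explicit.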

322
vsftpd.spec Normal file

@ -0,0 +1,322 @@
#
# spec file for package vsftpd
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?suse_version} > 1210
%global with_systemd 1
%else
%global with_systemd 0
%endif
%if 0%{?suse_version} >= 1500
%define use_firewalld 1
%else
%define use_firewalld 0
%endif
Name: vsftpd
Version: 3.0.5
Release: 0
Summary: Very Secure FTP Daemon - Written from Scratch
License: SUSE-GPL-2.0-with-openssl-exception
Group: Productivity/Networking/Ftp/Servers
URL: https://security.appspot.com/vsftpd.html
Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
Source1: %{name}.pam
Source2: %{name}.logrotate
Source3: %{name}.init
Source4: README.SUSE
Source5: %{name}.ftpusers
Source6: %{name}.firewall
Source7: vsftpd.service
Source8: vsftpd@.service
Source9: %{name}.keyring
Source10: vsftpd.socket
Source11: %{name}.firewalld
Source1000: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz.asc
Patch1: vsftpd-2.0.4-lib64.diff
Patch3: vsftpd-2.0.4-xinetd.diff
Patch4: vsftpd-2.0.4-enable-ssl.patch
Patch5: vsftpd-2.0.4-dmapi.patch
Patch6: vsftpd-2.0.5-vuser.patch
Patch7: vsftpd-2.0.5-enable-debuginfo.patch
Patch8: vsftpd-2.0.5-utf8-log-names.patch
Patch9: vsftpd-2.3.5-conf.patch
Patch10: vsftpd-3.0.0_gnu_source_defines.patch
Patch11: vsftpd-3.0.0-optional-seccomp.patch
#PATCH-FIX-OPENSUSE: bnc#786024, second issue with pam_login_acct
Patch13: vsftpd-drop-newpid-from-clone.patch
#PATCH-FIX-OPENSUSE: bnc#812406
Patch14: vsftpd-enable-fcntl-f_setfl.patch
#PATCH-FIX-OPENSUSE: bnc#812406
Patch15: vsftpd-enable-dev-log-sendto.patch
#PATCH-FEATURE-SUSE: FATE#311051, call chroot with user credentials to enable nsf with squash_root option
Patch16: vsftpd-root-squashed-chroot.patch
#PATCH-FIX-UPSTREAM: bnc#870122
Patch17: vsftpd-enable-gettimeofday-sec.patch
#PATCH-FIX-UPSTREAM: bnc#890469 fix broken syscall on s390
Patch18: vsftpd-3.0.2-s390.patch
#PATCH-FIX-UPSTREAM: bnc#900326 deny_file filtering acts weirdly (19-22)
Patch19: vsftpd-2.1.0-filter.patch
Patch20: vsftpd-2.2.0-wildchar.patch
Patch21: vsftpd-2.3.4-sqb.patch
Patch22: vsftpd-path-normalize.patch
Patch23: vsftpd-ls-memleak.patch
#PATCH-FIX-UPSTREAM: bnc#970982
Patch24: vsftpd-3.0.2-wnohang.patch
Patch25: vsftpd-3.0.2-fix-chown-uploads.patch
#FIX-FIX-OPENSUSE: bsc#1042673
Patch26: vsftpd-3.0.3-build-with-openssl-1.1.patch
Patch27: vsftpd-mdtm-in-utc.patch
Patch28: vsftpd-die-with-session.patch
Patch29: vsftpd-append-seek-pipe.patch
Patch30: vsftpd-3.0.3-address_space_limit.patch
Patch31: vsftpd-enable-syscalls-needed-by-sle15.patch
Patch32: vsftpd-support-dsa-only-setups.patch
Patch33: vsftpd-avoid-bogus-ssl-write.patch
Patch35: 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
# PATCH-FIX-UPSTREAM https://bugzilla.suse.com/show_bug.cgi?id=1179553
Patch36: seccomp-fixes.patch
Patch37: vsftpd-openlog-force.patch
Patch38: vsftpd-seccomp-getrandom.patch
Patch39: vsftpd-seccomp-ssl.patch
Patch40: vsftpd-seccomp-wait4.patch
Patch41: revert-undocumented-config-file-format-changes.patch
Patch42: use-system-wide-tls-cipher-policy.patch
Patch43: vsftpd-allow-dev-log-socket.patch
Patch44: vsftpd-enable-sendto-for-prelogin-syslog.patch
Patch45: disable-tls13-to-support-older-openssl-versions.patch
Patch46: 0001-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch
#PATCH-FIX-OPENSUSE bsc#1211301 Enable crypto-policies support
Patch47: vsftpd-use-system-wide-crypto-policy.patch
BuildRequires: libcap-devel
%if 0%{?suse_version} == 1315
BuildRequires: libopenssl-1_1-devel >= 1.1.1
%else
%if 0%{?sle_version} == 150000
BuildRequires: libopenssl-1_1-devel >= 1.1.0
%else
BuildRequires: libopenssl-devel >= 1.1.1
%endif
%endif
BuildRequires: pam-devel
Requires: logrotate
Requires(pre): shadow
Provides: ftp-server
%if %{use_firewalld}
BuildRequires: firewall-macros
%endif
%if 0%{?suse_version} >= 1330
Requires: group(nobody)
Requires: user(ftp)
Requires(pre): group(nobody)
%endif
%if %{with_systemd}
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%else
Requires(post): %insserv_prereq
%endif
%description
Vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure.
Obviously this is not a guarantee, but the entire codebase was written
with security in mind, and carefully designed to be resilient to
attack.
Recent evidence suggests that vsftpd is also extremely fast (and this
is before any explicit performance tuning!). In tests against wu-ftpd,
vsftpd was always faster, supporting over twice as many users in some
tests.
%prep
%setup -q
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%if 0%{?sle_version} == 150000
%patch45 -p1
%endif
%patch46 -p1
%patch47 -p1
%build
%define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP
rm dummyinc/sys/capability.h vsf_findlibs.sh
make CFLAGS="%{optflags} -DOPENSSL_NO_SSL_INTERN -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -fstack-protector --param=ssp-buffer-size=4 %{seccomp_opts}" \
LIBS="-lpam -lcap -lssl -lcrypto"
%install
mkdir -p %{buildroot}%{_datadir}/empty
cp %{SOURCE4} .
install -D -m 755 %{name} %{buildroot}%{_sbindir}/%{name}
install -D -m 600 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}.conf
%if 0%{?suse_version} < 1330
install -D -m 600 xinetd.d/%{name} %{buildroot}%{_sysconfdir}/xinetd.d/%{name}
%endif
install -D -m 644 $RPM_SOURCE_DIR/%{name}.pam %{buildroot}%{_pam_vendordir}/%{name}
install -D -m 600 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/vsftpd/ftpusers
%if 0%{?suse_version} > 1500
mkdir -p %{buildroot}%{_distconfdir}/logrotate.d
install -D -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_distconfdir}/logrotate.d/%{name}
%else
install -D -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%endif
install -D -m 644 %{name}.conf.5 %{buildroot}/%{_mandir}/man5/%{name}.conf.5
install -D -m 644 %{name}.8 %{buildroot}/%{_mandir}/man8/%{name}.8
%if %{with_systemd}
ln -sf service %{buildroot}/%{_sbindir}/rc%{name}
install -D -m 0644 %{SOURCE7} %{buildroot}/%{_unitdir}/%{name}.service
%if 0%{?sle_version} && 0%{?sle_version} < 150300
sed -r -i '/^(Protect(Home|Hostname|KernelLogs|Clock|KernelTunables|KernelModules|ControlGroups)|RestrictRealtime|PrivateMounts)=/d' %{buildroot}/%{_unitdir}/%{name}.service
%endif
install -D -m 0644 %{SOURCE8} %{buildroot}/%{_unitdir}/%{name}@.service
install -D -m 0644 %{SOURCE10} %{buildroot}/%{_unitdir}/%{name}.socket
%else
install -D -m 755 %{SOURCE3} %{buildroot}%{_initddir}/%{name}
ln -sf %{_initddir}/%{name} %{buildroot}/%{_sbindir}/rc%{name}
%endif
# install firewall information file
%if %{use_firewalld}
install -D -m 644 %{SOURCE11} %{buildroot}%{_prefix}/lib/firewalld/services/%{name}.xml
%else
install -d %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/
install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}
%endif
%pre
getent passwd ftpsecure >/dev/null || useradd -r -g nobody -s /bin/false -c "Secure FTP User" -d %{_localstatedir}/lib/empty ftpsecure
%if %{with_systemd}
%service_add_pre %{name}.service %{name}.socket
%endif
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in logrotate.d/%{name} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif
%if 0%{?suse_version} > 1500
%posttrans
# Migration to /usr/etc, restore just created .rpmsave
for i in logrotate.d/%{name} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%endif
%preun
%if %{with_systemd}
%service_del_preun %{name}.service %{name}.socket
%else
%stop_on_removal %{name}
%endif
%post
%if %{with_systemd}
%service_add_post %{name}.service %{name}.socket
%else
%insserv_cleanup
%restart_on_update %{name}
%endif
%if %{use_firewalld}
%{firewalld_reload}
%endif
%postun
%if %{with_systemd}
%service_del_postun %{name}.service %{name}.socket
%else
%insserv_cleanup
%restart_on_update %{name}
%endif
%files
%if %{with_systemd}
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket
%{_unitdir}/%{name}@.service
%else
%{_initddir}/%{name}
%endif
%{_sbindir}/%{name}
%{_sbindir}/rc%{name}
%dir %{_datadir}/empty
%if 0%{?suse_version} < 1330
%config(noreplace) %{_sysconfdir}/xinetd.d/%{name}
%endif
%config(noreplace) %{_sysconfdir}/%{name}.conf
%if 0%{?suse_version} > 1500
%config %{_pam_vendordir}/%{name}
%{_distconfdir}/logrotate.d/%{name}
%else
%config %{_pam_sysconfdir}/pam.d/%{name}
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%endif
%dir %{_sysconfdir}/vsftpd
%config %{_sysconfdir}/vsftpd/ftpusers
%{_mandir}/man5/%{name}.conf.*
%{_mandir}/man8/%{name}.*
%license LICENSE
%doc BUGS AUDIT Changelog README README.security
%license COPYING
%doc REWARD SPEED TODO SECURITY TUNING SIZE FAQ EXAMPLE
%doc README.SUSE
%if %{use_firewalld}
%dir %{_prefix}/lib/firewalld
%dir %{_prefix}/lib/firewalld/services
%{_prefix}/lib/firewalld/services/%{name}.xml
%else
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}
%endif
%changelog
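Review bot: Source1 (%{name}.pam) and Source2 (%{name}.logrotate) are declared but %install copies them via `$RPM_SOURCE_DIR/%{name}.pam` and `$RPM_SOURCE_DIR/%{name}.logrotate`, and the ftpusers line mixes `$RPM_BUILD_ROOT` with the `%{buildroot}` used everywhere else; use `%{SOURCE1}`/`%{SOURCE2}` and `%{buildroot}` consistently so the Source list stays authoritative. %pre creates ftpsecure with home `%{_localstatedir}/lib/empty` while the package only creates and owns `%{_datadir}/empty`; presumably /var/lib/empty comes from the base filesystem package, but a comment saying so would stop a maintainer from "fixing" it. Two tag typos: `#FIX-FIX-OPENSUSE: bsc#1042673` should read `#PATCH-FIX-OPENSUSE`, and "nsf" in the Patch16 comment should be "nfs". CFLAGS pass `-fPIE` but the make line only adds LIBS; unless the upstream Makefile already links with `-pie` (and relro/now), the resulting binary is not position-independent despite the flag, so that assumption should be checked and noted.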

8
vsftpd@.service Normal file

@ -0,0 +1,8 @@
[Unit]
Description=Very Secure FTP Daemon
[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf -obackground=NO -olisten=NO -olisten_ipv6=NO
StandardInput=socket
SuccessExitStatus=2