From 2a9ee9cdd70f2d228195fe4b15d02aa69c711c7e31ffb372de40c98da9851fb8 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Sat, 1 May 2021 18:28:48 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/network/pure-ftpd?expand=0&rev=78
---
.gitattributes | 23 +
pure-ftpd-1.0.20_config.patch | 116 +++
pure-ftpd-1.0.20_doc.patch | 31 +
pure-ftpd-1.0.20_virtualhosts.patch | 13 +
....0.32-default_tcp_sedrcv_buffer_size.patch | 114 +++
pure-ftpd-1.0.36-cap-audit-control.patch | 14 +
pure-ftpd-1.0.49.tar.bz2 | 3 +
pure-ftpd-1.0.49.tar.bz2.minisig | 4 +
pure-ftpd-1.0.49_ftpwho_path.patch | 20 +
pure-ftpd-apparmor.patch | 61 ++
pure-ftpd-malloc-limit.patch | 181 ++++
pure-ftpd.changes | 909 ++++++++++++++++++
pure-ftpd.init | 116 +++
pure-ftpd.keyring | 177 ++++
pure-ftpd.pamd | 9 +
pure-ftpd.service | 10 +
pure-ftpd.spec | 172 ++++
pure-ftpd.xinetd | 21 +
18 files changed, 1994 insertions(+)
create mode 100644 .gitattributes
create mode 100644 pure-ftpd-1.0.20_config.patch
create mode 100644 pure-ftpd-1.0.20_doc.patch
create mode 100644 pure-ftpd-1.0.20_virtualhosts.patch
create mode 100644 pure-ftpd-1.0.32-default_tcp_sedrcv_buffer_size.patch
create mode 100644 pure-ftpd-1.0.36-cap-audit-control.patch
create mode 100644 pure-ftpd-1.0.49.tar.bz2
create mode 100644 pure-ftpd-1.0.49.tar.bz2.minisig
create mode 100644 pure-ftpd-1.0.49_ftpwho_path.patch
create mode 100644 pure-ftpd-apparmor.patch
create mode 100644 pure-ftpd-malloc-limit.patch
create mode 100644 pure-ftpd.changes
create mode 100644 pure-ftpd.init
create mode 100644 pure-ftpd.keyring
create mode 100644 pure-ftpd.pamd
create mode 100644 pure-ftpd.service
create mode 100644 pure-ftpd.spec
create mode 100644 pure-ftpd.xinetd
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/pure-ftpd-1.0.20_config.patch b/pure-ftpd-1.0.20_config.patch
new file mode 100644
index 0000000..91bf972
--- /dev/null
+++ b/pure-ftpd-1.0.20_config.patch
@@ -0,0 +1,116 @@
+Index: pure-ftpd.conf.in
+===================================================================
+--- pure-ftpd.conf.in.orig
++++ pure-ftpd.conf.in
+@@ -37,19 +37,20 @@ BrokenClientsCompatibility no
+
+ # Maximum number of simultaneous users
+
+-MaxClientsNumber 50
++MaxClientsNumber 10
+
+
+
+-# Run as a background process
++# Run as a background process, do not change as systemd needs this to be
++# foreground
+
+-Daemonize yes
++Daemonize no
+
+
+
+ # Maximum number of simultaneous clients with the same IP address
+
+-MaxClientsPerIP 8
++MaxClientsPerIP 3
+
+
+
+@@ -59,6 +60,9 @@ MaxClientsPerIP 8
+ VerboseLog no
+
+
++# Allow dot-files
++AllowDotFiles yes
++
+
+ # List dot-files even when the client doesn't send "-a".
+
+@@ -68,7 +72,7 @@ DisplayDotFiles yes
+
+ # Disallow authenticated users - Act only as a public FTP server.
+
+-AnonymousOnly no
++AnonymousOnly yes
+
+
+
+@@ -106,23 +110,23 @@ MaxIdleTime 15
+
+ # LDAP configuration file (see README.LDAP)
+
+-# LDAPConfigFile /etc/pureftpd-ldap.conf
++# LDAPConfigFile /etc/pure-ftpd/pureftpd-ldap.conf
+
+
+
+ # MySQL configuration file (see README.MySQL)
+
+-# MySQLConfigFile /etc/pureftpd-mysql.conf
++# MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf
+
+
+ # PostgreSQL configuration file (see README.PGSQL)
+
+-# PGSQLConfigFile /etc/pureftpd-pgsql.conf
++# PGSQLConfigFile /etc/pure-ftpd/pureftpd-pgsql.conf
+
+
+ # PureDB user database (see README.Virtual-Users)
+
+-# PureDB /etc/pureftpd.pdb
++# PureDB /etc/pure-ftpd/pureftpd.pdb
+
+
+ # Path to pure-authd socket (see README.Authentication-Modules)
+@@ -133,7 +137,7 @@ MaxIdleTime 15
+
+ # If you want to enable PAM authentication, uncomment the following line
+
+-# PAMAuthentication yes
++PAMAuthentication yes
+
+
+
+@@ -176,7 +180,7 @@ MaxLoad 4
+
+ # Port range for passive connections - keep it as broad as possible.
+
+-# PassivePortRange 30000 50000
++PassivePortRange 30000 30100
+
+
+
+Index: pureftpd-mysql.conf
+===================================================================
+--- pureftpd-mysql.conf.orig
++++ pureftpd-mysql.conf
+@@ -23,13 +23,13 @@ MYSQLSocket /var/run/mysqld/mysqld.s
+
+
+ # Mandatory : user to bind the server as.
+-
+-MYSQLUser root
++# using the Database root user is always a bad idea.
++MYSQLUser ftpd
+
+
+ # Mandatory : user password. You must have a password.
+-
+-MYSQLPassword rootpw
++# using the Database root user is always a bad idea.
++MYSQLPassword ftpdpassword
+
+
+ # Mandatory : database to open.
diff --git a/pure-ftpd-1.0.20_doc.patch b/pure-ftpd-1.0.20_doc.patch
new file mode 100644
index 0000000..9aeb9db
--- /dev/null
+++ b/pure-ftpd-1.0.20_doc.patch
@@ -0,0 +1,31 @@
+only in patch2:
+unchanged:
+================================================================================
+Index: README.Configuration-File
+===================================================================
+--- README.Configuration-File.orig
++++ README.Configuration-File
+@@ -8,12 +8,12 @@ For example, the '-H' switch is recommen
+
+ To enable this feature, just add it right after the executable name:
+
+- /usr/local/sbin/pure-ftpd -H
++ /usr/sbin/pure-ftpd -H
+
+ Long options are also supported. This is equivalent to the previous
+ command:
+
+- /usr/local/sbin/pure-ftpd --dontresolve
++ /usr/sbin/pure-ftpd --dontresolve
+
+ As an alternative to command-line switches, Pure-FTPd can use a
+ configuration file. The set of supported features is the same no
+@@ -25,7 +25,7 @@ the package installation prefix.
+
+ Tweak it according to your needs, and start the server using that file:
+
+- /usr/local/sbin/pure-ftpd /etc/pure-ftpd.conf
++ /usr/sbin/pure-ftpd /etc/pure-ftpd.conf
+
+ Note the absence of switches. In order to avoid confusion, either a
+ configuration file or a set of command-line switches can be used.
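Review bot: In the pureftpd-mysql.conf hunk of pure-ftpd-1.0.20_config.patch the new `MYSQLPassword ftpdpassword` is still a fixed, guessable value shipped in a sample config, and the comment placed above it (`# using the Database root user is always a bad idea.`) is copied from the MYSQLUser entry and says nothing about the password. I would make the value an obvious placeholder and word the comment for it, e.g. `# replace with a unique password for the dedicated ftpd database account` above `MYSQLPassword CHANGE_ME`. In the pure-ftpd.conf.in hunks two comments now contradict the values beneath them: `PassivePortRange 30000 30100` sits under the unchanged "keep it as broad as possible", and the Daemonize comment reads "Run as a background process ... systemd needs this to be foreground". Each deserves one line saying why the packaged value differs from upstream's advice. `PAMAuthentication yes` is also enabled alongside `AnonymousOnly yes`, which by the file's own comment disallows authenticated users, so a comment stating which of the two is the intended default would help whoever flips one of them later.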
diff --git a/pure-ftpd-1.0.20_virtualhosts.patch b/pure-ftpd-1.0.20_virtualhosts.patch
new file mode 100644
index 0000000..6ad6eeb
--- /dev/null
+++ b/pure-ftpd-1.0.20_virtualhosts.patch
@@ -0,0 +1,13 @@
+Index: src/ftpd.h
+===================================================================
+--- src/ftpd.h.orig 2012-04-10 13:13:50.081787071 +0200
++++ src/ftpd.h 2012-04-10 13:15:02.434306712 +0200
+@@ -411,7 +411,7 @@
+ #endif
+
+ #ifndef VHOST_PATH
+-# define VHOST_PATH CONFDIR "/pure-ftpd"
++# define VHOST_PATH CONFDIR "/vhosts"
+ #endif
+
+ #ifdef WITH_TLS
diff --git a/pure-ftpd-1.0.32-default_tcp_sedrcv_buffer_size.patch b/pure-ftpd-1.0.32-default_tcp_sedrcv_buffer_size.patch
new file mode 100644
index 0000000..f5414dc
--- /dev/null
+++ b/pure-ftpd-1.0.32-default_tcp_sedrcv_buffer_size.patch
@@ -0,0 +1,114 @@
+Index: configure
+===================================================================
+--- configure.orig 2012-04-10 13:11:53.944741960 +0200
++++ configure 2012-04-10 13:12:09.310277199 +0200
+@@ -12650,107 +12650,12 @@
+ $as_echo "no" >&6; }
+ fi
+
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking default TCP send buffer size" >&5
+-$as_echo_n "checking default TCP send buffer size... " >&6; }
+-if test "$cross_compiling" = yes; then :
+- CONF_TCP_SO_SNDBUF=65536
+-else
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h. */
+-
+-#include
+-#ifdef STDC_HEADERS
+-# include
+-# include
+-#else
+-# if HAVE_STDLIB_H
+-# include
+-# endif
+-#endif
+-#ifdef HAVE_UNISTD_H
+-# include
+-#endif
+-#include
+-#include
+-#include
+-int main(void)
+-{
+- int fd,val=0,len=sizeof(int);
+- if ((fd = socket(PF_INET, SOCK_STREAM, 0)) < 0) return 1;
+- if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &val, &len) < 0) return 1;
+- if (val <= 0) return 1;
+- fprintf (fopen("conftestval", "w"), "%d\n", val);
+- return 0;
+-}
+-
+-_ACEOF
+-if ac_fn_c_try_run "$LINENO"; then :
+- CONF_TCP_SO_SNDBUF=`cat conftestval`
+-else
+- CONF_TCP_SO_SNDBUF=65536
+-fi
+-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+- conftest.$ac_objext conftest.beam conftest.$ac_ext
+-fi
+-
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CONF_TCP_SO_SNDBUF" >&5
+-$as_echo "$CONF_TCP_SO_SNDBUF" >&6; }
+-
+-
+ cat >>confdefs.h <<_ACEOF
+-#define CONF_TCP_SO_SNDBUF $CONF_TCP_SO_SNDBUF
++#define CONF_TCP_SO_SNDBUF 65536
+ _ACEOF
+
+-
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking default TCP receive buffer size" >&5
+-$as_echo_n "checking default TCP receive buffer size... " >&6; }
+-if test "$cross_compiling" = yes; then :
+- CONF_TCP_SO_RCVBUF=65536
+-else
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h. */
+-
+-#include
+-#ifdef STDC_HEADERS
+-# include
+-# include
+-#else
+-# if HAVE_STDLIB_H
+-# include
+-# endif
+-#endif
+-#ifdef HAVE_UNISTD_H
+-# include
+-#endif
+-#include
+-#include
+-#include
+-int main(void)
+-{
+- int fd,val=0,len=sizeof(int);
+- if ((fd = socket(PF_INET, SOCK_STREAM, 0)) < 0) return 1;
+- if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &val, &len) < 0) return 1;
+- if (val <= 0) return 1;
+- fprintf (fopen("conftestval", "w"), "%d\n", val);
+- return 0;
+-}
+-
+-_ACEOF
+-if ac_fn_c_try_run "$LINENO"; then :
+- CONF_TCP_SO_RCVBUF=`cat conftestval`
+-else
+- CONF_TCP_SO_RCVBUF=65536
+-fi
+-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+- conftest.$ac_objext conftest.beam conftest.$ac_ext
+-fi
+-
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CONF_TCP_SO_RCVBUF" >&5
+-$as_echo "$CONF_TCP_SO_RCVBUF" >&6; }
+-
+-
+ cat >>confdefs.h <<_ACEOF
+-#define CONF_TCP_SO_RCVBUF $CONF_TCP_SO_RCVBUF
++#define CONF_TCP_SO_RCVBUF 65536
+ _ACEOF
+
+
diff --git a/pure-ftpd-1.0.36-cap-audit-control.patch b/pure-ftpd-1.0.36-cap-audit-control.patch
new file mode 100644
index 0000000..94017c8
--- /dev/null
+++ b/pure-ftpd-1.0.36-cap-audit-control.patch
@@ -0,0 +1,14 @@
+Index: pure-ftpd-1.0.36/src/caps_p.h
+===================================================================
+--- pure-ftpd-1.0.36.orig/src/caps_p.h
++++ pure-ftpd-1.0.36/src/caps_p.h
+@@ -7,7 +7,8 @@
+ # endif
+
+ cap_value_t cap_keep_startup[] = {
+-# if defined(USE_PAM) && defined(CAP_AUDIT_WRITE)
++# if defined(USE_PAM) && defined(CAP_AUDIT_CONTROL) && defined(CAP_AUDIT_WRITE)
++ CAP_AUDIT_CONTROL,
+ CAP_AUDIT_WRITE,
+ # endif
+ CAP_SETGID,
diff --git a/pure-ftpd-1.0.49.tar.bz2 b/pure-ftpd-1.0.49.tar.bz2
new file mode 100644
index 0000000..d0d5fa5
--- /dev/null
+++ b/pure-ftpd-1.0.49.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a727dfef810f275fba3eb6099760d4f8a0bdeae2c1197d0d5bfeb8c1b2f61b6
+size 487958
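Review bot: In pure-ftpd-1.0.36-cap-audit-control.patch the rewritten guard on `cap_keep_startup[]` requires `CAP_AUDIT_CONTROL` to be defined before either audit capability is kept, so a build whose headers define only `CAP_AUDIT_WRITE` silently loses the capability the old condition retained. Guarding the entries separately preserves the previous behaviour: keep `# if defined(USE_PAM) && defined(CAP_AUDIT_WRITE)` around `CAP_AUDIT_WRITE,` and put `CAP_AUDIT_CONTROL,` inside its own `# ifdef CAP_AUDIT_CONTROL` / `# endif` within that block. `CAP_AUDIT_CONTROL` is also a far wider grant than `CAP_AUDIT_WRITE` (it covers changing the audit configuration, not only emitting records), so the patch should carry a comment naming what needs it; the changelog on this page cites only bnc#789833. The array continues past the hunk, and whether the capability is dropped again after login is decided in code not shown here, which is worth confirming.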
diff --git a/pure-ftpd-1.0.49.tar.bz2.minisig b/pure-ftpd-1.0.49.tar.bz2.minisig
new file mode 100644
index 0000000..33b725e
--- /dev/null
+++ b/pure-ftpd-1.0.49.tar.bz2.minisig
@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RWQf6LRCGA9i53jbtkymhF4h2cC4NwgcDPxMLwbbhQpd+MxuhP9fq63KtlLE99n1OoP2l4pdNwopuh/B6dXVy5+kPRwsx5AyxA8=
+trusted comment: timestamp:1554289403 file:pure-ftpd-1.0.49.tar.bz2
+3H/r3tHgNMKLhBn9DRGOJ/vUDhe1ZF33iAfMnNI/D28ApGcmalgyac/TtBiYP+R1h+8prBTo1QIpp4acRr0VDA==
diff --git a/pure-ftpd-1.0.49_ftpwho_path.patch b/pure-ftpd-1.0.49_ftpwho_path.patch
new file mode 100644
index 0000000..29f597d
--- /dev/null
+++ b/pure-ftpd-1.0.49_ftpwho_path.patch
@@ -0,0 +1,20 @@
+--- src/ftpwho-update.h 2019-03-25 16:48:42.000000000 +0100
++++ src/ftpwho-update.h 2020-04-27 16:07:03.449049599 +0200
+@@ -26,6 +26,9 @@
+ volatile off_t download_total_size;
+ volatile off_t download_current_size;
+ char account[MAX_USER_LENGTH + 1U];
++#ifdef PATH_MAX
++ char filename[PATH_MAX];
++#else
+ #if defined(__OpenBSD__)
+ char filename[1024];
+ #else
+@@ -39,6 +42,7 @@
+ char filename[1024];
+ # endif
+ #endif
++#endif
+ } FTPWhoEntry;
+
+ int ftpwho_initwho(void);
diff --git a/pure-ftpd-apparmor.patch b/pure-ftpd-apparmor.patch
new file mode 100644
index 0000000..44fad82
--- /dev/null
+++ b/pure-ftpd-apparmor.patch
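Review bot: In pure-ftpd-1.0.49_ftpwho_path.patch the size of `filename` in `FTPWhoEntry` now depends on whether `PATH_MAX` happens to be defined at the point this header is included, so the struct layout follows include order. Only the header is visible here; if any translation unit reaches it without `<limits.h>`, the writer and the reader of these records (presumably pure-ftpd and pure-ftpwho) would disagree on the entry size and read each other's data at the wrong offsets. Adding `#include <limits.h>` directly above the struct, or a shared compile-time check on `sizeof(FTPWhoEntry)`, would pin the layout down. The closing `#endif` added in the second hunk is far from the `#ifdef PATH_MAX` it pairs with, so `#endif /* PATH_MAX */` would make the nesting readable.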
@@ -0,0 +1,61 @@
+Index: pure-ftpd-1.0.20-sles/AppArmor/README.AppArmor
+===================================================================
+--- /dev/null
++++ pure-ftpd-1.0.20-sles/AppArmor/README.AppArmor
+@@ -0,0 +1,13 @@
++
++---------------------- Using the AppArmor profile ----------------------
++
++Make sure that AppArmor is installed and enabled.
++
++To utilize the security provided by AppArmor, ensure that the supplied
++AppArmor profile (the file 'usr.sbin.pure-ftpd') for Pure-FTPd is present in
++the '/etc/apparmor.d/' directory. If it is not present, copy it from
++the '/usr/share/doc/packages/pure-ftpd/' directory.
++
++This profile takes care of most of the typical use cases. You can use
++YaST->Novell AppArmor to fine-tune the profile for your specific needs.
++
+Index: pure-ftpd-1.0.20-sles/AppArmor/usr.sbin.pure-ftpd
+===================================================================
+--- /dev/null
++++ pure-ftpd-1.0.20-sles/AppArmor/usr.sbin.pure-ftpd
+@@ -0,0 +1,38 @@
++# vim:syntax=apparmor
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2006 Novell, Inc.
++#
++# ------------------------------------------------------------------
++
++#include
++
++/usr/sbin/pure-ftpd {
++ #include
++ #include
++ #include
++ #include
++
++ capability net_bind_service,
++ capability setgid,
++ capability setuid,
++ capability sys_chroot,
++
++ / r,
++ /etc/ftpusers r,
++ /etc/pure-ftpd/* r,
++ /etc/shells r,
++ /etc/ssl/private/pure-ftpd.pem r,
++ /proc/*/loginuid w,
++ /proc/loadavg r,
++ /proc/net/tcp* r,
++ /usr/sbin/pure-ftpd mr,
++
++ /var/run/pure-ftpd rw,
++ /var/run/pure-ftpd.pid w,
++ /var/run/pure-ftpd/client-* rw,
++
++ @{HOMEDIRS}* r,
++ @{HOME}/** rwl,
++ @{HOME}/.k5login r,
++}
diff --git a/pure-ftpd-malloc-limit.patch b/pure-ftpd-malloc-limit.patch
new file mode 100644
index 0000000..9603d01
--- /dev/null
+++ b/pure-ftpd-malloc-limit.patch
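Review bot: The capability list in the usr.sbin.pure-ftpd profile (`net_bind_service`, `setgid`, `setuid`, `sys_chroot`) does not obviously match what this same commit makes the daemon keep: pure-ftpd-1.0.36-cap-audit-control.patch retains `CAP_AUDIT_CONTROL` and `CAP_AUDIT_WRITE` for PAM builds, the config patch sets `PAMAuthentication yes`, and the profile itself allows writing `/proc/*/loginuid`. Unless one of the `#include`d abstractions grants them (their names did not survive in this rendering), an enforced profile would deny the audit calls; if they are needed, `capability audit_write,` and `capability audit_control,` belong next to the others with a comment saying why. Two path rules also deserve a comment or tightening. `/etc/pure-ftpd/* r` matches one directory level only, so files under the `CONFDIR "/vhosts"` directory introduced by the virtualhosts patch would not be readable if CONFDIR is /etc/pure-ftpd. `@{HOME}/** rwl` gives the daemon write and link access to everything beneath every home directory, which is broad for a package whose shipped default is `AnonymousOnly yes`.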
@@ -0,0 +1,181 @@
+diff -Nur pure-ftpd-1.0.49.orig/man/pure-ftpd.8.in pure-ftpd-1.0.49/man/pure-ftpd.8.in
+--- pure-ftpd-1.0.49.orig/man/pure-ftpd.8.in 2019-03-25 16:48:42.000000000 +0100
++++ pure-ftpd-1.0.49/man/pure-ftpd.8.in 2020-04-27 16:36:01.574470331 +0200
+@@ -9,7 +9,7 @@
+ pure\-ftpd \- simple File Transfer Protocol server
+
+ .SH "SYNOPSIS"
+-.B pure\-ftpd [\-0] [\-1] [\-2 cert_file[,key_file]] [\-3 certd_socket] [\-4] [\-6] [\-a gid] [\-A] [\-b] [\-B] [\-c clients] [\-C cnx/ip] [\-d [\-d]] [\-D] [\-e] [\-E] [\-f facility] [\-F fortunes file] [\-g pidfile] [\-G] [\-H] [\-i] [\-I] [\-j] [\-J ciphers] [\-k percentage] [\-K] [\-l authentication[:config file]] [\-L max files:max depth] [\-m maxload] [\-M] [\-n maxfiles:maxsize] [\-N] [\-o] [\-O format:log file] [\-p first:last] [\-P ip address or host name] [\-q upload:download ratio] [\-Q upload:download ratio] [\-r] [\-R] [\-s] [\-S [address,][port]] [\-t upload bandwidth:download bandwidth] [\-T upload bandwidth:download bandwidth] [\-u uid] [\-U umask files:umask dirs] [\-v bonjour name] [\-V ip address] [\-w] [\-W] [\-x] [\-X] [\-y max user sessions:max anon sessions] [\-Y tls behavior] [\-z] [\-Z]
++.B pure\-ftpd [\-0] [\-1] [\-2 cert_file[,key_file]] [\-3 certd_socket] [\-4] [\-6] [\-a gid] [\-A] [\-b] [\-B] [\-c clients] [\-C cnx/ip] [\-d [\-d]] [\-D] [\-e] [\-E] [\-f facility] [\-F fortunes file] [\-g pidfile] [\-G] [\-H] [\-i] [\-I] [\-j] [\-J ciphers] [\-k percentage] [\-K] [\-l authentication[:config file]] [\-L max files:max depth:[:maxmemory]] [\-m maxload] [\-M] [\-n maxfiles:maxsize] [\-N] [\-o] [\-O format:log file] [\-p first:last] [\-P ip address or host name] [\-q upload:download ratio] [\-Q upload:download ratio] [\-r] [\-R] [\-s] [\-S [address,][port]] [\-t upload bandwidth:download bandwidth] [\-T upload bandwidth:download bandwidth] [\-u uid] [\-U umask files:umask dirs] [\-v bonjour name] [\-V ip address] [\-w] [\-W] [\-x] [\-X] [\-y max user sessions:max anon sessions] [\-Y tls behavior] [\-z] [\-Z]
+
+ .br
+ Alternative style:
+@@ -337,11 +337,12 @@
+ .I README.MySQL
+ files for info about the built\-in LDAP and SQL directory support.
+ .TP
+-.B \-L max files:max depth
++.B \-L max files:max depth[:max memory limit]
+ Avoid denial\-of\-service attacks by limiting the number of displayed files
+-in a 'ls' and the maximum depth of a recursive 'ls'. Defaults are 2000:5
+-(2000 files displayed for a single 'ls' and walk through 5 subdirectories
+-max).
++in a 'ls', the maximum depth of a recursive 'ls' and optional memory limit
++for globbing in kilobytes. Defaults are 2000:5:512 (2000 files displayed
++for a single 'ls', walk through 5 subdirectories max and limit allocated
++memory for evaluation wildcard characters by 'ls' to 524288 bytes).
+ .TP
+ .B \-m load
+ Do not allow anonymous users to download files if the load is above
+diff -Nur pure-ftpd-1.0.49.orig/src/bsd-glob.c pure-ftpd-1.0.49/src/bsd-glob.c
+--- pure-ftpd-1.0.49.orig/src/bsd-glob.c 2019-04-02 16:00:39.000000000 +0200
++++ pure-ftpd-1.0.49/src/bsd-glob.c 2020-04-27 16:33:21.997238426 +0200
+@@ -107,9 +107,6 @@
+ #define M_SET META('[')
+ #define ismeta(c) (((c)&M_QUOTE) != 0)
+
+-#ifndef GLOB_LIMIT_MALLOC
+-# define GLOB_LIMIT_MALLOC 65536
+-#endif
+ #ifndef GLOB_MAX_STARS
+ # define GLOB_MAX_STARS 3
+ #endif
+@@ -160,7 +157,7 @@
+
+ static int
+ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int),
+- glob_t *pglob, unsigned long maxfiles, int maxdepth)
++ glob_t *pglob, unsigned long maxfiles, int maxdepth, unsigned long maxmemory)
+ {
+ const unsigned char *patnext;
+ int c;
+@@ -172,6 +169,7 @@
+ }
+ pglob->gl_maxdepth = maxdepth;
+ pglob->gl_maxfiles = maxfiles;
++ pglob->gl_maxmemory = maxmemory;
+ patnext = (unsigned char *) pattern;
+ if (!(flags & GLOB_APPEND)) {
+ pglob->gl_pathc = 0;
+@@ -226,15 +224,15 @@
+ glob(const char *pattern, int flags, int (*errfunc) (const char *, int),
+ glob_t * pglob)
+ {
+- return glob_(pattern, flags, errfunc, pglob, (unsigned long) -1, 0);
++ return glob_(pattern, flags, errfunc, pglob, (unsigned long) -1, 0, GLOB_LIMIT_MALLOC);
+ }
+
+ int
+ sglob(char *pattern, int flags, int (*errfunc) (const char *, int),
+- glob_t * pglob, unsigned long maxfiles, int maxdepth)
++ glob_t * pglob, unsigned long maxfiles, int maxdepth, unsigned long maxmemory)
+ {
+ simplify(pattern);
+- return glob_(pattern, flags, errfunc, pglob, maxfiles, maxdepth);
++ return glob_(pattern, flags, errfunc, pglob, maxfiles, maxdepth, maxmemory);
+ }
+
+ /*
+@@ -766,7 +764,7 @@
+ statv[pglob->gl_offs + pglob->gl_pathc] = NULL;
+ } else {
+ limitp->glim_malloc += sizeof(**statv);
+- if (limitp->glim_malloc >= GLOB_LIMIT_MALLOC) {
++ if (limitp->glim_malloc >= pglob->gl_maxmemory) {
+ errno = 0;
+ return GLOB_NOSPACE;
+ }
+@@ -793,7 +791,7 @@
+ }
+ pathv[pglob->gl_offs + pglob->gl_pathc] = NULL;
+
+- if ((newn * sizeof(*pathv)) + limitp->glim_malloc > GLOB_LIMIT_MALLOC) {
++ if ((newn * sizeof(*pathv)) + limitp->glim_malloc > pglob->gl_maxmemory) {
+ errno = 0;
+ return GLOB_NOSPACE;
+ }
+diff -Nur pure-ftpd-1.0.49.orig/src/bsd-glob.h pure-ftpd-1.0.49/src/bsd-glob.h
+--- pure-ftpd-1.0.49.orig/src/bsd-glob.h 2018-09-19 23:53:05.000000000 +0200
++++ pure-ftpd-1.0.49/src/bsd-glob.h 2020-04-27 16:33:22.001238457 +0200
+@@ -38,6 +38,7 @@
+ typedef struct {
+ unsigned long gl_maxfiles; /* Maximum number of results */
+ int gl_maxdepth; /* Maximum depth */
++ unsigned long gl_maxmemory; /* Maximum memory allocated */
+ int gl_pathc; /* Count of total paths so far. */
+ int gl_matchc; /* Count of paths matching pattern. */
+ int gl_offs; /* Reserved at beginning of gl_pathv. */
+@@ -84,14 +85,14 @@
+
+ #ifdef DISABLE_GLOBBING
+ # define glob(A, B, C, D) (GLOB_NOSYS)
+-# define sglob(A, B, C, D, E, F) (GLOB_NOSYS)
++# define sglob(A, B, C, D, E, F, G) (GLOB_NOSYS)
+ # define globfree(A) (void) 0
+ #else
+ # ifndef USELESS_FOR_PUREFTPD
+ int glob(const char *, int, int (*)(const char *, int), glob_t *);
+ # endif
+ int sglob(char *, int, int (*)(const char *, int),
+- glob_t *, unsigned long, int);
++ glob_t *, unsigned long, int, unsigned long);
+ void globfree(glob_t *);
+ #endif
+
+diff -Nur pure-ftpd-1.0.49.orig/src/ftpd.c pure-ftpd-1.0.49/src/ftpd.c
+--- pure-ftpd-1.0.49.orig/src/ftpd.c 2019-04-02 16:00:40.000000000 +0200
++++ pure-ftpd-1.0.49/src/ftpd.c 2020-04-27 16:33:22.001238457 +0200
+@@ -5923,11 +5923,14 @@
+ }
+ case 'L': {
+ int ret;
++ unsigned int tmp_glob_memory;
+
+- ret = sscanf(optarg, "%u:%u", &max_ls_files, &max_ls_depth);
+- if (ret != 2 ||
+- max_ls_files < 1U || max_ls_depth < 1U) {
++ ret = sscanf(optarg, "%u:%u:%u", &max_ls_files, &max_ls_depth, &tmp_glob_memory);
++ if (ret < 2 || ret > 3 ||
++ max_ls_files < 1U || max_ls_depth < 1U || tmp_glob_memory < 1U) {
+ die(421, LOG_ERR, MSG_CONF_ERR ": " MSG_ILLEGAL_LS_LIMITS ": %s" , optarg);
++ } else if (ret == 3) {
++ max_glob_memory = tmp_glob_memory * 1024;
+ }
+ break;
+ }
+diff -Nur pure-ftpd-1.0.49.orig/src/ftpd.h pure-ftpd-1.0.49/src/ftpd.h
+--- pure-ftpd-1.0.49.orig/src/ftpd.h 2019-03-25 16:48:42.000000000 +0100
++++ pure-ftpd-1.0.49/src/ftpd.h 2020-04-27 16:33:22.001238457 +0200
+@@ -541,6 +541,9 @@
+ #ifndef DEFAULT_MAX_LS_DEPTH
+ # define DEFAULT_MAX_LS_DEPTH 5U
+ #endif
++#ifndef GLOB_LIMIT_MALLOC
++# define GLOB_LIMIT_MALLOC 524288U /* Memory limit for globbing */
++#endif
+ #ifndef GLOB_TIMEOUT
+ # define GLOB_TIMEOUT 17 /* Max user time for a 'ls' to complete */
+ #endif
+diff -Nur pure-ftpd-1.0.49.orig/src/globals.h pure-ftpd-1.0.49/src/globals.h
+--- pure-ftpd-1.0.49.orig/src/globals.h 2019-03-25 17:58:02.000000000 +0100
++++ pure-ftpd-1.0.49/src/globals.h 2020-04-27 16:33:22.001238457 +0200
+@@ -77,6 +77,7 @@
+ GLOBAL0(int allow_anon_mkdir);
+ GLOBAL(unsigned int max_ls_files, DEFAULT_MAX_LS_FILES);
+ GLOBAL(unsigned int max_ls_depth, DEFAULT_MAX_LS_DEPTH);
++GLOBAL(unsigned int max_glob_memory, GLOB_LIMIT_MALLOC);
+ GLOBAL0(char *fortunes_file);
+ GLOBAL0(char host[NI_MAXHOST]);
+ GLOBAL0(int replycode);
+diff -Nur pure-ftpd-1.0.49.orig/src/ls.c pure-ftpd-1.0.49/src/ls.c
+--- pure-ftpd-1.0.49.orig/src/ls.c 2019-04-02 16:00:40.000000000 +0200
++++ pure-ftpd-1.0.49/src/ls.c 2020-04-27 16:33:22.001238457 +0200
+@@ -857,7 +857,7 @@
+ memset(&g, 0, sizeof g);
+ a = sglob(arg,
+ opt_a ? (GLOB_PERIOD | GLOB_LIMIT) : GLOB_LIMIT,
+- NULL, &g, max_ls_files + 2, max_ls_depth * 2);
++ NULL, &g, max_ls_files + 2, max_ls_depth * 2, max_glob_memory);
+ alarm(0);
+ if (a == 0) {
+ char **path;
diff --git a/pure-ftpd.changes b/pure-ftpd.changes
new file mode 100644
index 0000000..d9e3679
--- /dev/null
+++ b/pure-ftpd.changes
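Review bot: In the `case 'L':` hunk of src/ftpd.c inside pure-ftpd-malloc-limit.patch, `tmp_glob_memory` is declared without an initializer yet is tested (`tmp_glob_memory < 1U`) even when `sscanf` matched only two fields, so the documented two-field form of `-L` reads an indeterminate value and can be rejected unpredictably. Initialize it, `unsigned int tmp_glob_memory = 1U;`, or apply that test only when `ret == 3`. The conversion `tmp_glob_memory * 1024` can also wrap in `unsigned int`, and a wrapped small or zero `max_glob_memory` would make the limit checks in bsd-glob.c return `GLOB_NOSPACE` almost immediately, so values above `UINT_MAX / 1024U` should be rejected in the same condition (the `ret > 3` term there can never be true). The man page synopsis in the same patch has a stray colon in `[\-L max files:max depth:[:maxmemory]]`. The `case` body starts and ends outside the hunk.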
@@ -0,0 +1,909 @@ +------------------------------------------------------------------- +Wed May 6 08:51:02 UTC 2020 - Peter Simons + +- Update to version 1.0.49. + * Refresh pure-ftpd-1.0.20_ftpwho_path.patch to + pure-ftpd-1.0.49_ftpwho_path.patch. + +------------------------------------------------------------------- +Tue Mar 17 01:03:27 UTC 2020 - Max Lin + +- BuildRequires postgresql-server-devel on Leap version >= 15.2 + +------------------------------------------------------------------- +Thu Dec 5 14:01:48 UTC 2019 - Josef Möllers + +- Add pam_keyinit.so to PAM config file. + [pure-ftpd.pamd, bsc#1144058] + +------------------------------------------------------------------- +Fri Jul 26 12:11:28 UTC 2019 - matthias.gerstner@suse.com + +- removal of version checks for outdated distributions + +------------------------------------------------------------------- +Thu Jul 25 13:14:55 UTC 2019 - matthias.gerstner@suse.com + +- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by + firewalld, see [1]. + + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html + +------------------------------------------------------------------- +Tue Jun 18 15:04:39 UTC 2019 - Peter Simons + +- Add missing run-time dependency on system-user-ftp to ensure that + user exits. [boo#1136997] + +- Processed the spec file with spec-cleaner version 1.1.3. + +------------------------------------------------------------------- +Tue Apr 9 06:52:55 UTC 2019 - Christophe Giboudeaux + +- Add the missing build dependency for Tumbleweed. + +------------------------------------------------------------------- +Fri Mar 1 17:09:05 UTC 2019 - psimons@suse.com + +- Apply "pure-ftpd-malloc-limit.patch" to add a configuration + option that sets the process memory limit used by "ls" for + globbing. The value can be specified as optional third argument + to "-L" (or LimitRecursion in config file). 
Because it's + optional, the old configuration files will still work without + change with new binaries and update will be smooth. This change + allows sites that store an extremely large set of files inside a + single directory to tune their installation so that the "ls" + command in that directory will succeed without exceeding the ftpd + process memory limit. [bsc#1119187] + +------------------------------------------------------------------- +Sun Feb 18 05:45:16 UTC 2018 - avindra@opensuse.org + +- Version update to 1.0.47: + * If TLS was only enabled on the control channel (-Y 1), the STAT + command would send its output as other directory listing + commands, breaking the TLS stream. This has been fixed. + * The system user “_ftp” can be used as an alternative to “ftp” + for anonymous sessions. + * Compatibility with libsodium > 1.0.12 was added (including + minimal mode). + * The prefix for Argon2-hashed passwords in LDAP has been changed + to “{argon2}” (from “{argon2i}”). Ditto for MySQL and + PostgreSQL: the authentication method is now called “argon2” + instead of “argon2i”, and includes both Argon2i and Argon2id. +- use https for main site and source download +- switch to bz2 tarball (smaller) + +------------------------------------------------------------------- +Thu Jun 15 08:40:15 UTC 2017 - tchvatal@suse.com + +- Version update to 1.0.46: + * Fix build with openssl-1.1 + * The Perl and Python wrappers are gone + * TLS v1.0 sessions are now refused + * Unmaintained contributions have been removed + * File globbing could take up to `GLOB_TIMEOUT` seconds + (17 seconds by default) when matching some patterns, no matter what the + configured recursion level was. 
+- Refresh patches: + * pure-ftpd-1.0.20_config.patch + * pure-ftpd-1.0.20_doc.patch +- Drop patch pure-ftpd-1.0.32-portrange.patch + * The upstream no longer provide pure-config.pl/py scripts for launching + * This also means the initscript and service were tweaked to reflect this +- Disable xinetd on systemd having versions where we can stick to socket + based services instead + * By default it does not make sense to have this service socket activated + tho so leave it to user to provide this + +------------------------------------------------------------------- +Wed Jun 14 11:32:59 UTC 2017 - psimons@suse.com + +- Fix broken pure-ftpd.init script. We cannot use startproc to run + /usr/sbin/pure-config.pl, because the utility assumes that the + name of that executable matches the name of the started process, + which it does not in our case. Furthermore, the start script will + write a status message to stdout, so we don't have to do it in + the init script. [bsc#1042690] + +------------------------------------------------------------------- +Sat May 27 12:12:01 UTC 2017 - psimons@suse.com + +- Fix build on SUSE:SLE-11, which doesn't define the RPM variable + %{_initddir}, so we have to use %{_sysconfdir}/init.d instead. + +------------------------------------------------------------------- +Fri May 19 13:32:57 UTC 2017 - psimons@suse.com + +- pure-ftpd-apparmor.patch: Add an AppArmor profile (based on the + one from SLE11). + +- The Factory version of pure-ftp will replace the older package in + SLE-11 as per fate#321125. That update brings the following + changes: + + * These patches have been updated and renamed in the process: + * pure-ftpd-1.0.22-default_tcp_sedrcv_buffer_size.patch is now + in pure-ftpd-1.0.32-default_tcp_sedrcv_buffer_size.patch. + * pure-ftpd-1.0.21-portrange.patch is now in + pure-ftpd-1.0.32-portrange.patch. + * pure-ftpd-1.0.32-cap-audit-write.patch is now in + pure-ftpd-1.0.36-cap-audit-control.patch. 
+ + * These patches are obsolete now and have been removed: + * 0001-Act-like-a-server-even-in-TLS-mode-when-in-active-mo.patch + * 0002-Init-a-TLS-data-session-after-having-sent-the-go-ahe.patch + * 0003-add-opt_a-to-donlist.patch + * 0004-support-stat-over-tls.patch + * 0005-speedup-TLS-listing.patch + * pure-ftpd-1.0.20_config_minuid.patch + * pure-ftpd-1.0.22-fix-listing-if-directory-has-white-space-in-it.patch + * pure-ftpd-1.0.22-flush-cmd-after-tls.patch + * pure-ftpd-1.0.22-oes-bugfix-1.patch + * pure-ftpd-1.0.22-oes-bugfix-2.patch + * pure-ftpd-1.0.22-oes-bugfix.patch + * pure-ftpd-1.0.22-oes-disable-ascii.patch + * pure-ftpd-1.0.22-oes_remote_server.patch + * pure-ftpd-1.0.22-wait-on-tls-handshake.patch + * pure-ftpd-allow-crypto-settings.patch + * pure-ftpd-remove-gpl-code.patch + +------------------------------------------------------------------- +Fri Aug 5 11:32:12 UTC 2016 - tchvatal@suse.com + +- Kill omc xml file useless nowdays +- Version update to 1.0.43: + * -J switch has been fixed + * openBSD compat changes + * Passwords are now hashed using Argon2i, default for puredb accounts now + +------------------------------------------------------------------- +Tue May 10 21:36:36 UTC 2016 - wr@rosenauer.org + +- fix systemd unit file so the service actually starts (boo#872430) + +------------------------------------------------------------------- +Thu Apr 14 12:41:54 UTC 2016 - tchvatal@suse.com + +- Add -fvisibility=hidden for bnc#971980 + +------------------------------------------------------------------- +Sat Jan 16 13:41:42 UTC 2016 - mpluskal@suse.com + +- Add gpg signature + +------------------------------------------------------------------- +Fri Jan 8 10:58:04 UTC 2016 - tchvatal@suse.com + +- Version update to 1.0.42: + - Compilation fix for OpenBSD and Bitrig when Pure-FTPd is not + compiled with libsodium. + - The connection is now dropped if HTTP commands are received. 
+ - LDAP force_default_gid and force_default_uid now work as documented. + - The ONLY_ACCEPT_REUSED_SSL_SESSIONS switch (introduced in Pure-FTPd + 1.0.22 circa 2009, but disabled back then due to client compatibility + concerns) is now on by default, except in broken clients compatibility mode. + - libmariadb is looked for in addition to libmysqlclient + - MySQL: my_make_scrambled_password() is not always an exported + symbol any more, so pure-ftpd now ships a reimplementation. + - openssl/ec.h is not available on some Linux distributions that + disable EC in OpenSSL. This is being tested by autoconf. + - New command-line switch: -2/--certfile= to set the path to the + certificate file when using TLS. + - Support for TCP_FASTOPEN added on Linux + - The LDAP configuration file didn't allow a default gid without also + defining a default uid. This is no longer the case. + - OpenBSD's glob() left the glob_t structure uninitialized if the + pattern was larger than PATH_MAX, causing globfree() to free() an + unwanted pointer. The bug was introduced in Pure-FTPd 1.0.34. +- Refresh patch: + * pure-ftpd-1.0.20_config.patch + +------------------------------------------------------------------- +Fri Jun 5 08:38:25 UTC 2015 - tchvatal@suse.com + +- Reenable sle11 builds I need for testing. 
+
+-------------------------------------------------------------------
+Fri Jun 5 07:51:32 UTC 2015 - tchvatal@suse.com
+
+- Remove gpg/keyring, not provided now by upstream
+- Cleanup with spec-cleaner
+- Update to latest upstream 1.0.39:
+ * Explicitly include openssl/ec.h for OpenSSL 0.9.8 (CentOS 5)
+ * Retry if SSL_shutdown() returns -1 and SSL_ERROR_WANT_(READ|WRITE)
+ * The default cipher suite is now
+ ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SH
+ * TLS forward secrecy support was added. DH parameters are loaded from
+ TLS_DHPARAMS_FILE, if present. ECDH is also supported - Default curve
+ is prime256v1 (TLS_DEFAULT_ECDH_CURVE). The best curve is automatically
+ selected when using LibreSSL.
+ * scrypt hashed passwords can be used in the MySQL, PostgreSQL and
+ LDAP backends.
+ * The -C: prefix can be added to the cipher suite in order to make valid
+ client certificates mandatory. This is no longer a compile-time option.
+ * The Clear Command Channel (CCC) command is now supported.
+ * pure-config.py is compatible with Python 3.
+ * SSL (v2, v3) is refused by default.
+ * The PureDB backend supports the scrypt function in order to hash
+ passwords. This is the preferred algorithm, but requires the presence
+ of libsodium.
+ * DES-hashed passwords are not supported any more.
+ * LDAP uid and gid values can over overridden in the LDAP configuration file.
+ * RC4 was killed.
+- Refreshed patches:
+ * pure-ftpd-1.0.20_config.patch
+ * pure-ftpd-1.0.20_doc.patch
+ * pure-ftpd-1.0.20_ftpwho_path.patch
+
+-------------------------------------------------------------------
+Wed Apr 9 17:04:26 UTC 2014 - crrodriguez@opensuse.org
+
+- Remove all init scripts but keep the rc link working.
+
+-------------------------------------------------------------------
+Wed Jan 23 08:43:56 UTC 2013 - mvyskocil@suse.com
+
+- fix bnc#789833: pure-ftpd login failes
+ * pure-ftpd-1.0.36-cap-audit-control.patch
+- remove oes related patches have never used at openSUSE
+ * pure-ftpd-1.0.20-oes_remote_server.patch
+ * pure-ftpd-1.0.22-oes-bugfix-534424.patch
+- change old PreReq to Requires(pre)
+- add version to pureftpd symbol
+
+-------------------------------------------------------------------
+Thu Nov 29 19:06:23 CET 2012 - sbrabec@suse.cz
+
+- Verify GPG signature.
+
+-------------------------------------------------------------------
+Wed Aug 29 07:14:29 UTC 2012 - mvyskocil@suse.cz
+
+- add gpg signature file for easier verification
+
+-------------------------------------------------------------------
+Wed Aug 29 04:33:03 UTC 2012 - crrodriguez@opensuse.org
+
+- systemd: Do not fork in the background
+
+-------------------------------------------------------------------
+Fri Apr 20 11:55:23 UTC 2012 - highwaystar.ru@gmail.com
+
+- spec file: fixed pure-ftpd.service file installation
+
+-------------------------------------------------------------------
+Tue Apr 10 11:39:50 UTC 2012 - mvyskocil@suse.cz
+
+- update to 1.0.36 :
+ - Sync built-in glob(3) code with OpenBSD-current, and remove code we
+don't use instead of ifdef'ing it.
+ - Repair checkproc() on Linux when support for capabitilies is
+compiled in. Reported by Eric Gouyer.
+ - Don't read /dev/*random every time we need a value. Just use
+arc4random() everywhere and seed it before we possibly chroot().
+ - Add support for MFMT, with the same code as SITE UTIME.
+ - Support 2-arguments SITE UTIME.
+ - LDAP: Add LDAPDefaultHomeDirectory, suggested by Landry Breuil.
+ - Add SSL_OP_NO_SSLv3 to SSL options if the list of ciphers is
+prefixed by -S: , needed by Brad.
+ - Use more paranoid compiler options whenever possible, and preliminary
+uncluttering of the autoconf script.
+ - Try to cache locale-related data at startup after tzset(), rather
+than during a session.
+ - Fix quota computation after rename() overwrites an existing file.
+Reported by Hiramoto Koujo, thanks!
+ - Improved autoconf detection of -fstack-protector and -fPIE
+ - If 10 digits are not enough to print the size of a file in an
+ls-like output, bump the max number of digits to 18. This adds support for
+files up to 1 exabyte.
+ - Don't display dot files (except . and ..) if dot_read_ok is 0 in
+donlist() - but not in sglob() yet. This change is purely cosmetic. There are
+many ways to figure out if a file exists.
+
+- document bnc#756306: pure-ftpd umask setting not working properly
+ * /etc/pure-ftpd/pure-ftpd.conf contains a note about a side-effect of pam_umask
+
+- add native pure-ftpd.service for systemd-powered systems
+
+- use the same way how to start the daemon in sysvinit script and put
+ $remote_fs dependency
+ usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf --daemonize
+
+-------------------------------------------------------------------
+Wed Jun 22 08:31:38 UTC 2011 - mvyskocil@suse.cz
+
+- fix bnc#700611 - pure-ftpd fails with pam
+ * pure-ftpd-1.0.32-cap-audit-write.patch
+
+-------------------------------------------------------------------
+Fri May 27 22:23:06 UTC 2011 - alexandre@exatati.com.br
+
+- Update to 1.0.32:
+ - Support SHA1 password hashing in MySQL and PostgreSQL backends
+ - Support for braces expansion in directory listings has been
+ disabled - Cf. CVE-2011-0418
+- Aditional changes FROM 1.0.31:
+ - Introduce --tlsciphersuite (-J) to set the list of allowed ciphers,
+ thanks to Todd Rinaldo.
+ - The -F switch has been documented in the built-in help.
+ - Shell-like escaping is now partially handled when emulating the "ls"
+ command.
+ - Use my_make_scrambled_password() instead of make_scrambled_password().
+ Suggested by Arkadiusz Miskiewicz.
+- Refresh and fix patch for [bnc#407363]:
+ - old: patch pure-ftpd-1.0.22-default_tcp_sedrcv_buffer_size.patch
+ - new: patch pure-ftpd-1.0.32-default_tcp_sedrcv_buffer_size.patch
+- Refresh PassivePortRange patch:
+ - old: pure-ftpd-1.0.21-portrange.patch
+ - new: pure-ftpd-1.0.32-portrange.patch
+
+-------------------------------------------------------------------
+Mon Apr 11 11:56:20 UTC 2011 - mvyskocil@suse.cz
+
+- update to 1.0.30
+ * pure-quotacheck can now work with a large number of files.
+ * OPTS UTF-8 is now an alias to OPTS UTF8.
+ * Fix a STARTTLS flaw similar to Postfix’s CVE-2011-0411. If you’re using
+ TLS, upgrading is recommended.
+ * Provide ANSI-compliant MySQL configuration example.
+ * Fix some issues with man pages.
+
+-------------------------------------------------------------------
+Thu Oct 7 13:29:41 UTC 2010 - mvyskocil@suse.cz
+
+- add pure-ftpd-1.0.22-oes-bugfix-534424.patch for tracking OES patches
+- use macro with_oes to determine if OES patches might be applied or not
+
+-------------------------------------------------------------------
+Tue Sep 14 18:24:00 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Use with-rfc2640 [bnc#638626]
+
+-------------------------------------------------------------------
+Tue Jul 20 15:32:37 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- add missing buildRequires on libcap-devel
+
+-------------------------------------------------------------------
+Tue May 25 13:10:33 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- $remote_fs --> network-remotefs
+
+-------------------------------------------------------------------
+Fri May 14 18:34:37 UTC 2010 - alexandre@exatati.com.br
+
+- Added "--with-virtualchroot" option;
+- Spec file cleaned with spec-cleaner;
+- updated to version 1.0.29:
+ - max_dlmap_size was size_t instead off_t, causing misalignment while
+ downloading > 4 Gb files on a 32-bits arch.
+ - pread() vs lseek()+read() was a useless optimization, since pread()
+ doesn't change the file position and further reads weren't going through
+ plain read() calls.
+ - iconv_fd_* should be initialized by (iconv_t) -1 as we test them upon
+ exit. Fixes segfaults on glibc.
+ - pure-uploadscript tries to reach the pipe during 30 seconds instead of 10.
+- changes in version 1.0.28:
+ - FTPD_PAM_SERVICE_NAME can be defined in order to change the PAM service
+ name.
+ - When an upload gets renamed (--autorename), send the new name to the
+ uploadscript instead of the original one.
+ - The ALLO command now checks for the actual disk space in addition to the
+ virtal quota.
+ - Work around OSX broken poll()
+ - After an atomic resumed upload, don't append the previous file size to the
+ quota.
+ - Always accept OPTS UTF8 ON, but refuse OPTS UTF8 OFF if client_charset is
+ UTF8.
+ - Fix AUTHD_ENCRYPTED
+ - Reset the CWD failures counter after a successful directory has been
+ created. It avoids spurious disconnections with ncftp.
+ - Support for iPhone has been moved to another branch.
+ - Fix crash with PostgreSQL.
+
+-------------------------------------------------------------------
+Fri Feb 12 15:27:50 UTC 2010 - mseben@novell.com
+
+- updated to version 1.0.27:
+ - Have pureftpd_shutdown() shut the server down even if a client is
+ connected on iPhone.
+ - Allow users with no quota to delete .pureftpd-upload-* files.
+ - Unbreak ipv6 support, reported by Brad Smith.
+ - Disable SSLv3 renegotiation if an old SSL library is used. If you really
+ want to re-enable SSLv3 renegotiation, even with a recent library, you can
+ always define ACCEPT_SSL_RENEGOTIATION.
+- changes in version 1.0.26:
+ - Fix incompatibilities with Cyberduck when TLS is enabled.
+ - Don't TLS_accept() immediately after accept(). Reply on the connection
+ socket first, so that clients don't have to wait before knowing that they
+ can actually use TLS. It avoids lags with LFTP and hangs with Cyberduck.
+ - Properly change the process name on Linux when the -S option is used, by
+ Margus Kaidja.
+ - Unbreak authentication of non-chrooted users. Thanks to Juergen Daubert
+ for the bug report.
+- changes in version 1.0.25:
+ - Show symlinks as symlinks in MLSD, except when the broken client
+ compatibility mode is turned on and links are not dangling (just like the
+ old LIST and NLIST commands). Reported by Mime Cuvalo.
+ - More gcc 2 compatibility, thanks to Todd Rinaldo.
+ - Properly handle custom paths in man pages. Thanks to Scott Haneda and
+ Mathieu Parisot.
+ - Have $localstatedir default to /var as it used to be unless
+ --localstatedir=... is explicitely passed to ./configure
+ - Use @VERSION@ in man pages.
+ - --without-pam disables PAM on OSX and iPhone.
+ - Allow cross-compilation.
+ - Experimental iPhone target.
+ - Change the way it links, building a library first.
+ - Don't use mmap() any more for downloads. It's too slow.
+ - Don't use hard-coded paths in order to find MySQL and PostgreSQL
+ libraries and header files. Use mysql_config and pg_config instead.
+ Suggested by John Alberts.
+ - Log the DELE command similar to the RETR and STOR commands. Suggested by
+ Martin Fuxa.
+ - The primary group gets cached so that it's always displayed in directory
+ listings.
+ - Avoid a client process to burn CPU in an infinite loop if the command
+ channel gets disconnected before the data channel. Reported by Thomas Min
+ and Margus Kaidja.
+ - Restore the traditional behavior of a download restarting at the end of a
+ file. For some weird reasons, some clients still insist on doing that. Don't
+ send a 55x return code, just let them download... nothing.
+ - Documentation updates.
+- changes in version 1.0.24:
+ - Refuse empty passwords in LDAP bind mode. Reported by Henning Brauer.
+ - The package can now be compiled with gcc 2.
+- changes in version 1.0.23:
+ - LDAP: accept "enabled" as a correct value for FTPStatus as it used to be.
+ - More useful error logging for OpenSSL errors.
+ - Don't read certificates twice.
+ - Fix compilation on Solaris with privsep, thanks to Ritesh Patel.
+ - Don't replace : (as in IPv6 addresses) in host names. Thanks to Tero Pelander.
+ - Add SUP top AUXILIARY to LDAP schema, suggested by Zhang Huangbin.
+ - Don't ignore dot files even if -D is not supplied with the MLSD command.
+ - Deinline code
+ - Throttling more reliable
+ - STAT is now working over TLS
+ - DH keys for ephemeral key exchange are now handled
+ - Fix libiconv checking
+ - The column was missing in the PassivePortRange comment (thanks to Igor Alexadrov)
+ - LDAP authentication through binding is now possible in addition to
+ passwords. This allows for the FTP server to run with an unprivileged LDAP
+ account. It also adds a warning if auth method password is used and doesn't find
+ a userPassword attribute. This usually indicates that the LDAP bind DN
+ cannot read the attributes, because it doesn't have sufficient privileges.
+ Contributed by Wilco Baan Hofman.
+ - Perform charset conversions on directory names. Issue spotted by Xianghu Zhao.
+ - Almost a complete rewrite of the upload, download and TLS code for more
+ reliability
+ - Seemlessly handle ABOR without any SIGURG
+ - Try to immediately handle any kind of disconnection
+ - Use poll() rather than select() as much as possible
+ - Distinguish aborted (even the hard way) and completed download and upload
+ operations in log files
+ - Minor corrections to he French messages
+ - Don't use atomic uploads unless --notruncate or --autorename have been
+ enabled
+ - Take care of removing .pureftpd-upload-* files in every possible case
+ - List up to 10000 files per directory per default instead of 2000
+ - Don't mess with TCP_NOPUSH, as it interferes with OpenSSL
+ - New compile-time option: --with-implicittls in order to build a FTPS-only
+ server
+ - ./configure --localstatedir can now be used in order to avoid storing the
+ scoreboard and other dynamic files in /var/run/
+ - Quota handling reworked (easier, and way more reliable)
+ - RNTO support even when quota are enabled.
+ - A bunch of return codes were fixed to be more RFC-conformant.
+ - ALLO command is now actually checking if an upload can occur without
+ blowing the quota.
+ - Don't change the TCP window size. Admins should do this as part of their
+ system configuration.
+ - Privsep is now enabled by default. Use --without-privsep to disable.
+ - --without-banner is gone. If you have a cookie file (-F), the default
+ banner won't be displayed.
+ - Compile with PAM by default on OSX.
+ - Switch the privsep process to _pure-ftpd or pure-ftpd when no privileged
+ call is actually necessary. Since only the effective uid chances, it's not
+ brutally useful yet, but it paves the way for forthcoming changes.
+ - Install man pages with local paths instead of hard-coded ones.
+
+-------------------------------------------------------------------
+Tue Jan 12 10:23:12 UTC 2010 - mseben@novell.com
+
+- modified portrange.patch - for PassivePortRange option in pure-ftpd.conf
+ we could use now also syntax without colon (bnc#547578)
+- merged config.patch with config_minuid.patch
+
+-------------------------------------------------------------------
+Fri Jun 5 13:38:32 CEST 2009 - coolo@novell.com
+
+- fix build
+
+-------------------------------------------------------------------
+Mon May 25 13:52:55 CEST 2009 - hvogel@suse.de
+
+- Update to version 1.0.22
+ - New catalan translation
+ - TLS support for LDAP
+ - Fix usage of MySQL 5 stored procedures
+ - Compatibility with newer OpenLDAP versions
+ - Don't hang up during uploads if we get any other command than QUIT and
+ ABORT.
+ - SITE UTIME reads UTC time
+ - A space is needed for inline content in response to the MLST command.
+ - Time zone issues should be fixed for good. We have to redefine TZ,
+ tzset() is not enough on Linux when we are in a chroot environment.
+ - Correctly respond to FEAT without removing extra features when passive
+ mode is disabled. Thanks to upb.
+ - Better process name change setup for Linux.
+ - Auto-created home directories are now created with mode 0777 (and
+ directory umask is applied), per common request. It's very important to
+ double check your umask.
+ - Extend gid / uid to 10 digits in ls output. Extend file size as well.
+ - Brazilian portuguese translation was updated.
+ - Fix SecureFX compatibility.
+ - Use PQescapeStringConn() for PostgreSQL instead of hand-made escaping.
+ - Don't respond to server that an upload succeeded before the temporary
+ file has been renamed.
+ - TLS support on data channels
+ - Use sendfile() on recent Solaris versions in place of sendfilev().
+ - Don't use a deprecated interface for Bonjour registration.
+ - Tell authentication handlers if the connection is encrypted or not,
+ through a new AUTHD_ENCRYPTED environment variable.
+ - Create all directories, not only the basement when on-demand directory
+ creation is enabled and the user's home directory looks like /basement/./user.
+ - Fixed error reporting when TLS support was compiled in, but TLS wasn't
+ enabled on the current session
+ - Log full path on file deletion
+ - Handle "ftp" and "anonymous" like normal accounts (with passwords) if -E
+ (no anonymous logins) is specified. Thanks to Arkadiusz Miskiewicz.
+ - Sleep before answering a password failure, not the other way round
+ - In broken mode, show symlinks as their real target. It can have side
+ effects, don't forget that broken mode is... broken mode.
+ - Respect aliasing rules for sockaddr_storage usage.
+ - Privsep is enabled by default in the installation GUI.
+ - --with-everything now includes privsep.
+ - update: fix compilation with gcc 2.x
+
+-------------------------------------------------------------------
+Thu Jan 15 13:00:31 CET 2009 - hvogel@suse.de
+
+- Move PassivePortRange to numparic_switch_for [bnc#465954]
+
+-------------------------------------------------------------------
+Mon Sep 15 14:50:54 CEST 2008 - hvogel@suse.de
+
+- limit port range for passv to 30000:30100 to assist firewalling
+ [bnc#420671]
+
+-------------------------------------------------------------------
+Mon Jul 21 16:34:26 CEST 2008 - hvogel@suse.de
+
+- do not use tcp send/receive buffer optimization. Might lead to
+ strange side effects when allocating too much stack. [bnc#407363]
+
+-------------------------------------------------------------------
+Tue Apr 1 16:19:13 CEST 2008 - mkoenig@suse.de
+
+- remove dir /usr/share/omc/svcinfo.d as it is provided now
+ by filesystem
+
+-------------------------------------------------------------------
+Thu Mar 20 15:42:03 CET 2008 - hvogel@suse.de
+
+- Fix ldap schema [bnc:368864]
+- add Short-Description to init script
+
+-------------------------------------------------------------------
+Tue Mar 27 14:53:53 CEST 2007 - mskibbe@suse.de
+
+- change path to firewall script (#247352)
+
+-------------------------------------------------------------------
+Fri Mar 2 08:38:24 CET 2007 - mskibbe@suse.de
+
+- change path to firewall script (#247352)
+
+-------------------------------------------------------------------
+Wed Feb 28 08:54:05 CET 2007 - mskibbe@suse.de
+
+- pure-ftpd - Support for FATE #300687: Ports for SuSEfirewall
+ added via packages (#246931)
+
+-------------------------------------------------------------------
+Thu Jan 11 09:55:19 CET 2007 - mskibbe@suse.de
+
+- change path to xml service document (fate #301713)
+
+-------------------------------------------------------------------
+Wed Dec 6 12:48:34 CET 2006 - mskibbe@suse.de
+
+- add service xml document (fate #301713 )
+
+-------------------------------------------------------------------
+Wed Sep 6 14:36:48 CEST 2006 - mskibbe@suse.de
+
+- fix bug Bug 203798 - Restarting the ftp server using the
+ "rcpure-ftpd stop/start" doesn't stop/kill the existing
+ client-server instances
+
+-------------------------------------------------------------------
+Mon Sep 4 11:15:57 CEST 2006 - kukuk@suse.de
+
+- Add pam_loginuid.so to session management
+
+-------------------------------------------------------------------
+Thu Aug 31 07:59:18 CEST 2006 - mskibbe@suse.de
+
+- update to version 1.0.21 which
+ o includes patch pure-ftpd-1.0.20-abort-transfer.patch
+ o Rendezvous has been renamed Bonjour
+ o The old PAM sample has been removed
+ o -F option added to pure-pw
+ o MAX_USER_LENGTH has been bumped to 127 due to popular demand
+ o pam/* can now be used if security/* doesn't exist
+ o simplify() simplifies paths ending by /. and /..
+ o Experimental support for RFC2640 (UTF-8 filename encoding)
+ o The LDAP schema has been changed: FTPStatus should be a boolean
+ o OPTS MLST has been implemented
+ o SITE UTIME has been implemented
+ o TCP_CORK is on by default again. A new configure switch,
+ --without-cork, can disable it
+ o Correctly format %c and %% in fakesprintf()
+ o The connection socket is now created with the Nagle algorithm
+ disabled. It was the trick to dramatically improve performance
+ when transfering a lot of small files
+ o Use CLIENT_MULTI_STATEMENTS while connecting to a MySQL server
+
+
+-------------------------------------------------------------------
+Mon Aug 21 21:31:34 CEST 2006 - kukuk@suse.de
+
+- Reorder auth section of PAM config file to make sure all modules
+ will always be evaluated.
+
+-------------------------------------------------------------------
+Mon Apr 10 17:04:23 CEST 2006 - mrueckert@suse.de
+
+- added pure-ftpd-1.0.20_config_minuid.patch:
+ * configuration-file/pure-ftpd.conf.in: our ftp user has uid 40.
+ if you want to map virtual users to this uid they would be
+ blocked from login.
+
+- added pure-ftpd-1.0.20_ftpwho_path.patch:
+ * src/ftpwho-update.h: PAGE_SIZE is a function on
+ glibc-2.4/kernel-2.6.16 on ppc64. use PATH_MAX for the filename
+ member of the FTPWhoEntry_ struct
+
+
+-------------------------------------------------------------------
+Wed Jan 25 21:40:41 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Mon Jan 16 16:40:55 CET 2006 - hvogel@suse.de
+
+- Patch from Patrick Gosling to handle transfer aborts during file
+ upload correctly. [#133452]
+
+-------------------------------------------------------------------
+Fri Jan 13 15:05:03 CET 2006 - hvogel@suse.de
+
+- Make use of Stack Protector
+
+-------------------------------------------------------------------
+Mon Oct 24 22:06:55 CEST 2005 - mrueckert@suse.de
+
+- cleaned up spec file
+- add /etc/pure-ftpd/vhosts as base dir for virtual servers.
+ (documentation and code changed accordingly.)
+- fixed paths in the documenation
+
+-------------------------------------------------------------------
+Thu Oct 13 12:48:35 CEST 2005 - hvogel@suse.de
+
+- Build with DLDAP_DEPRECATED untill upstream applied one of the
+ various ldap patches floating around on the sf.net project page
+
+-------------------------------------------------------------------
+Wed Aug 24 12:06:08 CEST 2005 - hvogel@suse.de
+
+- disable "funny" ftp messages to be a bit more professional
+
+-------------------------------------------------------------------
+Mon Nov 8 17:19:11 CET 2004 - kukuk@suse.de
+
+- Use common-* PAM config files for pure-ftpd PAM configuration
+
+-------------------------------------------------------------------
+Thu Aug 12 12:40:48 CEST 2004 - mmj@suse.de
+
+- Use --with-diraliases
+
+-------------------------------------------------------------------
+Thu Aug 12 10:48:44 CEST 2004 - mmj@suse.de
+
+- Update to 1.0.20 which fixes compatibility issues.
+
+-------------------------------------------------------------------
+Wed Jun 23 20:38:56 CEST 2004 - mmj@suse.de
+
+- Update to 1.0.19 including:
+ o Real disk space is no more shown.
+ o A possible denial of service when too many users were connected
+ should be fixed.
+
+-------------------------------------------------------------------
+Tue Mar 2 23:22:41 CET 2004 - mmj@suse.de
+
+- Reflect in the configuration file that /etc/pure-ftpd/ now is a
+ place to keep all the pure-ftpd configuration files.
+
+-------------------------------------------------------------------
+Tue Mar 2 22:42:02 CET 2004 - mmj@suse.de
+
+- Move configuration file when updating
+- Fix initscript to use /etc/pure-ftpd/pure-ftpd.conf [#35196]
+- Update to 1.0.18 including:
+ o UTF-8 characters are now supported in file names [#34829]
+ o Buglets were fixed in the documentation.
+ o Two new translations were added : hungarian and catalan
+ o The server now uses distinct IPv4 and IPv6 to listen to both
+ protocols on all operating systems. A new switch, -6, forces the
+ server to only listen to IPv6.
+ o W3C and CLF alternative log formats are now more standard
+ conformant.
+ o Pure-FTPd can now produce WU-FTPd (xferlog) compatible log files.
+ o Support for Rendezvous was added on MacOS X.
+ o Support for Apple / GNUStep plist data output was added to
+ pure-ftpwho.
+
+-------------------------------------------------------------------
+Fri Feb 27 18:27:16 CET 2004 - mmj@suse.de
+
+- Enable mysql and postgresql support, since they provide very
+ good functionality with only tiny extra dependencies
+- Compile with --with-nonalnum to support non alphanumeric chars
+
+-------------------------------------------------------------------
+Fri Jan 16 13:26:06 CET 2004 - kukuk@suse.de
+
+- Add pam-devel to neededforbuild
+
+-------------------------------------------------------------------
+Thu Dec 4 14:10:58 CET 2003 - mmj@suse.de
+
+- Update to pure-ftpd v. 1.0.17a
+
+-------------------------------------------------------------------
+Wed Oct 15 12:59:03 CEST 2003 - mmj@suse.de
+
+- Don't build as root
+
+-------------------------------------------------------------------
+Tue Aug 12 10:55:04 CEST 2003 - mmj@suse.de
+
+- Update to 1.0.16, with SSL/TLS support and many bugfixes
+- Use new macros for stop/restart of services on rpm update/removal
+
+-------------------------------------------------------------------
+Sun Jul 27 11:19:20 CEST 2003 - mmj@suse.de
+
+- Support system quotas
+
+-------------------------------------------------------------------
+Tue Jun 17 13:09:47 CEST 2003 - mmj@suse.de
+
+- Update to version 1.0.15:
+ - A turkish translation has been added.
+ - Various functional and portability fixes have been made to the
+ handling of upload scripts, to the pure-pw command and to the
+ automatic creation of home directories.
+ - Accounts in a puredb database can now be quickly listed.
+ - The anonymous FTP directory can now be overriden on the Windows
+ port (using a WIN32_ANON_DIR environment variable).
+ - The default banner has been stripped down to look more
+ professionnal.
+ - Transfer speed on BSD systems has been improved.
+ - The license of the whole package has changed from GPL to a
+ simplified BSD license.
+
+-------------------------------------------------------------------
+Thu May 15 12:41:00 CEST 2003 - mmj@suse.de
+
+- Allow dot-files in general, but prohibit writing of them [#26897]
+
+-------------------------------------------------------------------
+Wed Apr 30 12:42:52 CEST 2003 - mmj@suse.de
+
+- Apply the detach patch elsewhere to not break xinetd
+- Add note to the xinetd conffile about the xinetd behaviour
+- Rearrange the specfile a bit
+
+-------------------------------------------------------------------
+Thu Mar 6 16:33:14 CET 2003 - mmj@suse.de
+
+- Fix the xinetd configuration file
+
+-------------------------------------------------------------------
+Fri Feb 28 15:32:38 CET 2003 - mmj@suse.de
+
+- Add note to README.LDAP about use_ldap in the pam config
+
+-------------------------------------------------------------------
+Fri Jan 31 14:33:01 CET 2003 - mmj@suse.de
+
+- Update to 1.0.14 and add a xinetd configuration file just in case
+ the user wants to use it with xinetd. Default behaviour is still
+ standalone.
+
+-------------------------------------------------------------------
+Mon Jan 20 20:42:56 CET 2003 - mmj@suse.de
+
+- Added patch to detach from fd 0, 1 and 2 [#22836]
+
+-------------------------------------------------------------------
+Wed Nov 27 14:02:07 CET 2002 - mmj@suse.de
+
+- Update to 1.0.13a which is a minor feature/bugfix-release
+
+-------------------------------------------------------------------
+Sat Oct 5 02:34:37 CEST 2002 - ckm@suse.de
+
+- Changed default config file to only allow ro anonymous logins,
+ and tightened security in case writing is enabled.
+
+-------------------------------------------------------------------
+Sat Aug 3 15:16:27 CEST 2002 - kukuk@suse.de
+
+- Remove symlinks in postinstall script
+- Add PreRequires for insserv
+
+-------------------------------------------------------------------
+Thu Jul 4 16:59:51 CEST 2002 - kukuk@suse.de
+
+- Update to version 1.0.12 (per-user limits)
+
+-------------------------------------------------------------------
+Fri Apr 26 16:27:00 CEST 2002 - kukuk@suse.de
+
+- Update to version 1.0.11 (minor bug fixes, better LDAP support)
+
+-------------------------------------------------------------------
+Mon Mar 11 09:48:02 CET 2002 - kukuk@suse.de
+
+- Fix permissions
+
+-------------------------------------------------------------------
+Sat Feb 16 21:15:14 CET 2002 - kukuk@suse.de
+
+- Fix print arguments [Bug #13389]
+
+-------------------------------------------------------------------
+Mon Feb 11 18:12:54 CET 2002 - ro@suse.de
+
+- flgs in perl-config parser is an array
+
+-------------------------------------------------------------------
+Thu Jan 24 20:51:42 CET 2002 - kukuk@suse.de
+
+- Update to version 1.0.8
+- Compile with LDAP support
+
+-------------------------------------------------------------------
+Thu Nov 29 18:22:20 CET 2001 - kukuk@suse.de
+
+- Add pam config file
+- Cleanup example config file
+
+-------------------------------------------------------------------
+Thu Nov 22 17:09:45 CET 2001 - kukuk@suse.de
+
+- Update to 1.0.3 (rename and quota fixes)
+
+-------------------------------------------------------------------
+Thu Nov 1 10:51:40 CET 2001 - kukuk@suse.de
+
+- Initial release of a secure ftp server with LFS
diff --git a/pure-ftpd.init b/pure-ftpd.init
new file mode 100644
index 0000000..d5b6652
--- /dev/null
+++ b/pure-ftpd.init
@@ -0,0 +1,116 @@
+#! /bin/sh
+# Copyright (c) 2001, 2002 SuSE GmbH Nuernberg, Germany.
+#
+# Author: Thorsten Kukuk
+#
+# /etc/init.d/pure-ftpd
+#
+# and symbolic its link
+#
+# /usr/sbin/rcpure-ftpd
+#
+# System startup script for the pure ftp daemon
+#
+### BEGIN INIT INFO
+# Provides: pure-ftpd
+# Required-Start: network-remotefs $syslog $remote_fs
+# Required-Stop: network-remotefs $syslog $remote_fs
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Short-Description: Start pure-ftpd ftp server.
+# Description: Start pure-ftpd ftp server.
+### END INIT INFO
+
+FTPD_BIN=/usr/sbin/pure-ftpd
+test -x $FTPD_BIN || exit 5
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v ditto but be verbose in local rc status
+# rc_status -v -r ditto and clear the local rc status
+# rc_failed set local and overall rc status to failed
+# rc_failed set local and overall rc status to
+# rc_reset clear local rc status (overall remains)
+# rc_exit exit appropriate to overall rc status
+. /etc/rc.status
+
+# First reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+#
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signalling is not supported) are
+# considered a success.
+
+case "$1" in
+ start)
+ $FTPD_BIN /etc/pure-ftpd/pure-ftpd.conf --daemonize
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting down pure-ftpd"
+ killproc -G -TERM $FTPD_BIN
+ rc_status -v
+ ;;
+ try-restart)
+ $0 status >/dev/null && $0 restart
+ rc_status
+ ;;
+ restart)
+ ## Stop the service and regardless of whether it was
+ ## running or not, start it again.
+ $0 stop
+ $0 start
+ rc_status
+ ;;
+ force-reload)
+ ## Signal the daemon to reload its config. Most daemons
+ ## do this on signal 1 (SIGHUP).
+ ## If it does not support it, restart.
+ echo -n "Reload service pure-ftpd"
+ $0 stop && $0 start
+ rc_status
+ ;;
+ reload)
+ ## Like force-reload, but if daemon does not support
+ ## signalling, do nothing (!)
+ echo -n "Reload service pure-ftpd"
+ rc_failed 3
+ rc_status -v
+ ;;
+ status)
+ echo -n "Checking for pure-ftpd: "
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
+
+ # Status has a slightly different for the status command:
+ # 0 - service running
+ # 1 - service dead, but /var/run/ pid file exists
+ # 2 - service dead, but /var/lock/ lock file exists
+ # 3 - service not running
+
+ # NOTE: checkproc returns LSB compliant status values.
+ checkproc $FTPD_BIN
+ rc_status -v
+ ;;
+ probe)
+ test /etc/pure-ftpd/pure-ftpd.conf -nt /var/run/pure-ftpd.pid && \
+ echo restart
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+ exit 1
+ ;;
+esac
+rc_exit
diff --git a/pure-ftpd.keyring b/pure-ftpd.keyring
new file mode 100644
index 0000000..a311e1b
--- /dev/null
+++ b/pure-ftpd.keyring
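Review bot: The `start)` branch of pure-ftpd.init runs `$FTPD_BIN /etc/pure-ftpd/pure-ftpd.conf --daemonize` directly, so issuing start while the daemon is already up will most likely report failure (the second instance presumably cannot bind its port), which contradicts the LSB comment in the same file that starting a running service counts as success. Launching it through the helper that pairs with the `killproc`/`checkproc` calls already used here, with a label printed first, would fix that: `echo -n "Starting pure-ftpd"` followed by `startproc $FTPD_BIN /etc/pure-ftpd/pure-ftpd.conf --daemonize`. The `force-reload)` branch prints "Reload service pure-ftpd" while doing a full stop and start, which ends every active session; a comment such as `## pure-ftpd is restarted here, open sessions are dropped` would tell the operator what the log line really means.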
@@ -0,0 +1,177 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBFTZ0A8BEAD2/BeYhJpEJDADNuOz5EO8E0SIj5VeQdb9WLh6tBe37KrJJy7+ +FBFnsd/ahfsqoLmr/IUE3+ZejNJ6QVozUKUAbds1LnKh8ejX/QegMrtgb+F2Zs83 +8ju4k6GtWquW5OmiG7+b5t8R/oHlPs/1nHbk7jkQqLkYAYswRmKld1rqrrLFV8fH +SAsnTkgeNxpX8W4MJR22yEwxb/k9grQTxnKHHkjJInoP6VnGRR+wmXL/7xeyUg6r +EVmTaqEoZA2LiSaxaJ1c8+5c7oJ3zSBUveJA587KsCp56xUKcwm2IFJnC34WiBDn +KOLB7lNxIT3BnnzabF2m+5602qWRbyMME2YZmcISQzjiVKt8O62qmKfFr5u9B8Tx +iYpSOal9HvZqih8C7u/SKeGzbONfbmmJgFuA15LVwt7I5Xx7565+kWeoDgKPlfrL +7zPrCQqS1a75MB+W/fOHhCRJ3IqFc+dT1F4hb8AAKWrERVq27LEJzmxXH36kMbB+ +eQg336JlS6TmqelVFb15PgtcFh972jJK8u/vpHY0EBPij5chjYQ2nCBmFLT5O4UZ +Y4Gm8Z3QLFG1EeOiz+uRdNfchxwfLkjng1UhKXSq5yuOAAeMaNoYFtCf1hAHG6tx +vWyIijRxUd5c8cDZsKMuLQ34O6DuvPZyeCy6q8BTfW18miMMhIH0QTS9MwARAQAB +tCFGcmFuayBEZW5pcyA8Z2l0aHViQHB1cmVmdHBkLm9yZz6IRgQQEQgABgUCVNnR +HAAKCRCSa8UXHN6kOfywAJ0XnUHJzBG8ymQU95rViLf8HUQ6zQCglP1p97fNCc6V +wi4EUHOl05Ox5xSJAjYEEwEIACACGwMCHgECF4AFAlTZ0WkECwkIBwUVCgkICwUW +AgMBAAAKCRAhBiequnCf4bJSEACNpfrkZcJqH4kh6Px9nFAzTtjZ+7kX3FSMPRCL +U5nVOiisfZ5IBT92N5VMJC0BT+mkIUCchwVOUBqp/Z/JPPoxD3Iky+4XG07mNGEb +s9JqfWyfK67qhsU62bqILyFZ7cJ59R74AG7tdxyrvtyji2A5lqqLFTX9GvBox49d +GQ7jQz0FW1+jVg3rPoy3XlLMVSlGR5TgtwokQkhyc2dxtYDvUFO/C0ABQiCAzuxj +u8T46m7xF57MrOX9dji1weDagZSGphHcs7VfgsCGQTPTYusrT5xIVs0x8x8IveaD +WvgLaVJYBkWI2LTEfacQqlZK6ZcK8IQOHW0juxy4l0CKwOexdf+S8CkUeHuyBoZ0 +6WaFvIa/MqoOAAFQmaq+WgfNiziQDD+mZQu5EG/f2MRmMOFcH+qgmPCMO+DLyC+c +FtM0r/6KwXjbR3j9Gfzs8d1FygNnITRJRFm2fXtCGQV4HI/yQ3yvHtFU6r9SLRy5 +tmZLwm8oVXxEfCPABz5388JF71hXgynjDvK2pKg3jUN4eAXoggQlR6RLFHSFkht6 +AjtYLsvf4cTCUdsgFoivt+bAnGW64E0zdKEHqUTLmd+J4iAStI1Ie7dTObATDYMR +ACHioyX+uAxLnTc/sVIHpOTfgV8e4a8rlQt7Ncuh+Ns7Toz7aRz1VMPfIFqb+Ve0 +ESwbNIkCNgQTAQgAIAUCVNnQqwIbAwQLCQgHBRUKCQgLBRYCAwEAAh4BAheAAAoJ +ECEGJ6q6cJ/hgqQQAJRxOYPse56eok0qMn7VCXfgHkm8n0wZlD7NxzVsC/iHQRik +cto0+/UAWaDXE3LiY/RAHS7hkIgVqgumnaYgDcXmA0lXj1sDheMSlM+YUUR09+/U +8vIyCDyhqBmQ5rOd76d3Ys2ow3t7V0xEzAyqMrr6l47PM3ScccwmPU4WqpFl24wm 
+jXYlbwlocIEuUzEEeJ83ojeD4PBVbSLICYcN64xhwLZ1/ji6GMh1aNkB/lQwocjz +LLbWIz7cgimbqLMBV41PEDvtXYldBOOujsnQ6ejjSD1HStDaaNCqrMy6IuI1AZ4b +CkOv2AF/RcPNX0CQpouZH/hDNl/tr766w/tgUVI9BiC9ol4jcuLW1TXoJbeU5Ps+ +QEp5bhyt+t03Eej1gR0btRxOjgqkTF3TdR7sjWzhgALG+MXRsOQ33HK0IhmYs2LQ +sIelwpmiDLV5Kd+mxzSD3Nv82GyElwCvvFrUaGibu1SXbPaj0oJPcuL8Mgan1NrP +T0c7uR8J2it3hsAXf3azexUb0k8q+ysGxakbvlTrv4IM6LI1RBN22BUYco29pUTP +K2BRGoVZKyty+kfkUlETyjm5z/D17a9XGi5MAyJIAKrPnc+vKn2CLX1S6xfg9zbM ++k9wflJIdEXHNrQfEMyl9OxNQDAKbpayYpCKaShCQpwlATSWifZdlm/2KnE7tCZG +cmFuayBEZW5pcyA8ZnJhbmsuZGVuaXNAY29ycC5vdmguY29tPohGBBARCAAGBQJU +2dEcAAoJEJJrxRcc3qQ565kAn3WoiXELAGWknxHztVcWWmNJBFX9AJ9cVVC2L6OT +OLLWtLSCxbt1LYcwRokCNgQTAQgAIAIbAwIeAQIXgAUCVNnRegQLCQgHBRUKCQgL +BRYCAwEAAAoJECEGJ6q6cJ/h0LgP+wfCw2SCFvD7sFlnmd6oJNP+ddtt+qbxDGXo +UbhrS1N88k6YiFRZQ+Z84ge9RgQXA74xuWlx8g1YBEsqO1rYCGQ4C+Ph+oUO+a3X +k+wmEzINnjCF8CQzZQ3vdXvWmshKzqC2yyeR235WC/BSHsqsr+TRFEmGa68ju8s7 +UF8ZQaBzbM0ttUtrc0UqhnS16xV5lH9gBkVbMWIN1pAeJcFRL6MB92Vv5tWjayua +w76vxmwPhu6quUlwxNYNvYBgG5kpBjqMOLHaX1x+SA5F6aI6E3kqxeyurwV6Ty+/ +FIns+Awl+IFPey5ctwSOXkizhtqxpMNHAu9resNRjneIjNVTLON1uaxvmPJttMd/ +CdTXh+guxDBfH6Vr9nmExy2qbihDJ06Sm874UYtnBZdB7Fi0cNF1DlEZKaZyYaLw +RA/TelI2IaIdkRFLsaFdo144nfceZ2fra2QO83Ow6uShNZzAHU0ZVEKLVt/VJqCL +6hts7vhKuCBcNlpoNOZptRPJf8RMLh4qwtniZadDcM16TpvkyTQUAWH+GvTML0UR +5sLHOtZ7MUaHO/c5UWQWJOmuaWOKgdKLi3iXztGbNNDc9F7wRoObUH7Om/0s5IRy +noO58ofDCmurPDP+10eOQaWtgVz2nFXcFF0qTw4H6L/sXlzbm27HuqEHuYrzpTl/ +Njn0chjBiQI2BBMBCAAgBQJU2dB5AhsDBAsJCAcFFQoJCAsFFgIDAQACHgECF4AA +CgkQIQYnqrpwn+GYRBAA0+7ImcxLB3yYSMK0yO59TWaUkiVLNOwBW1GihtIUtx3N +2/P/Fi3eRLU0/2GtzYqCRwKqlluMrN0s8HuOEna1gTmVMqYTYm00CXP15S22xeUh +jH4zJ4wAeUTPTGMnd/fMVwuQzjKuzgh4JUsqomhEubYw5WXVsTa9FtQxLeoTbOUw +o0nRJMvxx4ERMpRsaHP2bfv87wgTquMTLrY1+oOJ3Vsb3L0oYUz4DLIqzSYjqFcn +TmwyjLa5ZptJlf+PsXMFlhwGIHFjoOVUtTkmuorRoWi2In6e2bpVNZ2ECNRh3FZz +1XxvhtQ5fmiZpRMpQFvCqA50ltCzJihqNG0/4Oj1KVnYenRYBbi9wN3Jt5BorUz9 +G15QVplnVIIN99uUSdaQkg8MXdQ6lnKRPwt0eE6KuRIDIAsJ08zoZvW3+UsZ6eTn 
+YW08t9EWYqZcv4AcZFt2HJ6IMijm0C0ffr8cUNS5UAlX2k16jwUzvKO+iaSJNLtY +Wz9OsTW8SWSKsdSPrr8fKNjZLFmJrSSbyxmPkboIsaNo9otqnHmLePMoomrHmyyC +i6FFax3QLbz/22tMWWu39cKm9sEISQQTH6ogN/osKYg+AW9BhdErma1fou+wPtcl +kA5k87WCJ1SsNV6171GoVPsL+cYUSh42UWxTPTu8IwFwH9H+3wJ58Krv2OJI5JW0 +LkZyYW5rIERlbmlzIChKZWRpL1NlY3RvciBPbmUpIDxqQHB1cmVmdHBkLm9yZz6I +RgQQEQgABgUCVNnRHAAKCRCSa8UXHN6kOWXzAKCGlk6DvVCqExkBd6OEsaEoOBgH +5ACfcVQaz/FEgCdRsJeLi7xNwZXZ22OJAjYEEwEIACACGwMCHgECF4AFAlTZ0XoE +CwkIBwUVCgkICwUWAgMBAAAKCRAhBiequnCf4ak4EACQm7nJmEs8EjOcNkyvSgn+ +kmJJ5rsZQJjh9W4VQoukuVKMhpLELgTahYbxwmgx0yHBbXHXrqtFk91cWlbx4Lmv +6HybbkcEnrj0WMxQ8OLav25CA90HLzQj6AWWuyKdLLvFt2VRKmOtxhgLH2NiONPA +fovVBlr5gIwXJrx2hv81x3NDSjtw1G7k0b3zxxJyyxxdhfMjpIyi5LA8YIytAcCw +zfVhvxgVsku4PEVEJljn6qJHwNcPNbgunrx8mrRf9QZb1D6Lb0sxO9llYMYFD1vB +A228Os9nxJinbj1ww6xHhbsUrhjQ55phFMEVxdp5cQoA/VmpitjbYEOIck7kgZjv +YPePe88BMBiKDCOv+o0U638NoREWlDgvtEP4TpYscBMVbFkcf8A9yTqrxtjgQevw +YlYDvuwio38K29qnvn1AoHyet6tPqUDRyiOFLkh7wuujpiwwBcOrCPOy/5WCdOCq +XygAWa5T6j7pyYdTAY0eASz7F7ZQNCKTG7rzmA4Id8eYHC57f3WCUe59B294KHLl +6KSJ/qro12DtUf2ZHffmjxUn0j5Wn+TdbxdkED04S7CvGPLUTNa9xvZYZetQdVnf +bD4T0IgK8UVXsmJOe0be3UKHj9tsXCvB2RzkRlOHRzoHth8iQRac6cGi9YE8QGRI +a97fvUyyoG4q4GvVbiN5zIkCNgQTAQgAIAUCVNnQDwIbAwQLCQgHBRUKCQgLBRYC +AwEAAh4BAheAAAoJECEGJ6q6cJ/ht+gP/jcG27dq63a8s8NrnxByYCQBW/Q6MdNk +WgfdD4ajMwyPELwk4D1mtcCqnihXoj4NBGhCgtiZZ0gKKTv6fOGKRjf8ZLJBiKy4 +vZs6IzM1f6j4QPOPx1Ew6WLPxGuPuUT9ZsMvwpoMU+OrLaSJZMxxB6oHrsRZ5Wc6 ++Zxn8Pqtp9Bx1SK1pX04hUjsYI6wpqzInAMlGh4ZlYsadqSUFEtnzMP0T2usoc61 +jDzfNgW+vHmD1diIl/Gp7coInp/3k0ovNYMiqwjmMl3WcA8O4Vh1JhE5dM8Eppz7 +nkoGbFIHaLjuz40U4T2tHSXDOpy6QXcuTE4man9Wo+WmA2ibzPsAzyZr7W5qo0PM +Rkv6K6Oy0rxB2GFm5+welxD41tt5CwRHu9cdg8QP1lxlf+CgnVs8u0EBAuu5c9/8 +UZGSWtTc3wRKRVnO41/uHzhvgeEW3Zypnrc26h4bWGmil1WgaENTHGSM5j1MDy24 +Kn7Xoyh+utQALJAuB7V+UCqpDNN4icRos92rpWiQKQm0sXKtyhtmz55cRc3aRXvN +vJAdrpfV2fUh6Xz8tgER19MEUkVRLQMA7ePwEQIjOKl7Pr/b5NozhzpOwr+RRwHl +iXYLnTEV480DG6+Eb55vTEZ2a5Rr1VVgbRW6LgQBNb1yo8M594QLXadGYgc3UvAJ 
+dnEMmQ5TAk0/tDBGcmFuayBEZW5pcyAoSmVkaS9TZWN0b3IgT25lKSA8cGdwQHB1 +cmVmdHBkLm9yZz6JAjkEEwEIACMCGwMECwkIBwUVCgkICwUWAgMBAAIeAQIXgAUC +VNnfeQIZAQAKCRAhBiequnCf4TtuD/9izD9TC84d/1gZJ8hNDZ/TFV5ycN5NtqAx +Y/6i97Pb7unLj0aEAEGOXtJN3mHGL6s32s+dmWhNn+IXygU8c/s5IHTpdyf4EKiu +y/8vGVyV3nGI7N2hpl297I5dwo97M2qfrfCTPX9mnqln1txHUBQkEyX7XZj13VwR +tv1dOGy2ga3iUD9UtqUC23Vkwo3FOv6te7R8xXoXjEvOKWxYyHwAdeh5snKz8ex5 +ZDluSUTTkkJHQdJgnPSM5txh4RMhNSXc0kRQDBgcZQvVc/UTAxwPF2z5chtqOZsg +f3jLvwkIVpAbhBfgt3sUJMJcmX2BVWLaiYHebT5uW35xNOgGB79+RynH2/iQFAF/ +SmS5Zzz+L0lZHhux+nXqcREBkwItk3n+6uBNgKfLP9U/lj3o8BE6AijUl/xIJmWx +hzrCgPCJGcuRlX24rFiCujkx2696tWokTKQNRXKd59ZI+bd+KCtb4fFecDWaVj8Y +zNDJmVL0PUQp0Ix/Bu63Oa3spN8vOVrkRD5X40JI5uxTNA6tRlczBlcp0NNUeB13 +q0h5ya5UWHWbStsoQp1f60Gl0og+aoaKwnV0WNU8o2W+ayUGvltVon6zTEbmgkai +n6hYi1AGuiNTQQ5bhGJxEUGzpei0TwtK/RJmwC6iPiCTge5PPASDJcK2EkgmP+cQ +W5bjf8zvZrQ3RnJhbmsgRGVuaXMgKEplZGkvU2VjdG9yIE9uZSkgPDBkYXlkaWdl +c3RAcHVyZWZ0cGQub3JnPokCNgQTAQgAIAUCVNnSkQIbAwQLCQgHBRUKCQgLBRYC +AwEAAh4BAheAAAoJECEGJ6q6cJ/hakcQAMFpvn+pqPZwqBkQ+K+I60i7ieQKciMU +UNy+Qy/zHiE0TDzQ6bNDqbyiCBphr9fZ+QJ4u7nznJ0C5E1Y9de/VOQU52oZNnw0 +tAsZRcrJaUfQO7V+qkDLSMgROHHT4Y1bnmTsCPj3yUpXhRZj0NxEpWys3jRiagUI +jUm6aPajIYcmEWcvxZOJDkMwHV6Wut5D19SlaE7L89fTtn6y4pu0GPKEyPFW4o9A +gfh34R7i5qJXNN/f0uO4RfucoBESuRcI6JksfkNnysfT9+U2akPWcO93t4EvWFBK +0+C1O2cHZrpX7XwmlS5iLl+BlAz2rJjWwFi6ShxMC5Z9GCTtJCMw/tqts3Jc1Jho +HYBnBFMC2+r6ViyeNTLJh5J2YNM5v8huv7GrANI1NcCsXkZR3ksZ4dz2G/r9+pB1 +7EVYqj5cMXvTxpiyvafcA9Mkv3ZNi7CWxNYZ1GX8O5deFXYr6y+euzMv9LBt0myF +G/w8R7lZIB1PSxx5XGuM+VZhXO79vrHNPuiHMxVvOhSiPJvqvMy4R3KrioGabpsb +8IxKAG45fddt26mSptXvKRy9200Gum0r/YrDbFt0/Xh3hAe362wZWDmY7zELmC3/ +NrdrbvhOMW1GGWa5pUWBsARhVAUaa7SdHl3lL8RYAJ2s8jTV8V4TtzzIgsaQqdHu +/seuHylTzHxbuQINBFTZ0A8BEADJ7/1Bve7wLSMnhvpT2pZoZ9dDUNOyOEc/r4oG +RwMTvLe0GITmDmC2RY9ZjtdX/JXOV9aMVe3SsIfrBzCUN35DpkGxulRkS5kUwD5O +ORrGkXAJ3MzcwmVsNLOH/dsm3PU4eHTUfHVJPdLfrRSLTxpxRxh5o8FGDHO7vATZ +fZf0jYiYqcbh41EdYV0BPkV65YJKFvUvCG4rB8rXeSHDlxs99+3KGJHSS88dQHaT 
+jBjeJ+asppa4YwSL1dmv0fpsHlAA+yJfCGJ4+fJWpa6dpC5p6CWnC9EfUdmW0oww +XryqYrZst5Kh0ufbwocPNGrAUVq9dPvhGldC51gyim3NVPNPUT9QHNJeuioyo95p +okECg6W9qBxw9LibMfOJKgjpKFnahddsEbLcoGLAHPAiV57ACk4XQ77EE5DF+lio +OMLUicNBC0bTQkGcx/IhOnqvTF2Yo7xuh4/Vsmdi9nnjtGyp9LhAxr6TzC1nBXzo +wsS99sfya/ebKgLdqdA3ARR+XeIyu7ah0GMzcLfIm22xpcM0RU4Kv+YoFfp/avT/ +4fG1kIVCcqm48ibsLeJf6E0kymeW2dCAKykv/mP2PW/wQV0c0T/w9S4Wjp3R+NxO +h5hFhktj4VFD591ek0MzquZ6Wk1yoav3/FzGBKr20N6o30RGviy4JhSwMA+63PId +lmFaewARAQABiQIfBBgBCAAJBQJU2dAPAhsMAAoJECEGJ6q6cJ/hglYQALHDtKWA +kc3IA8A1jq094OcovHbdzZgxi/XOv6ISlcGlkiA5cBbW2TYmf36/dVQnQ34VEqIb +Z+hO17ymHVTTuDUSyG0oEXO2PwuD/vZRIZPuppV2JRIpfxjemFwbELw0s9ccPgrM +92OpKtptcYkhxbmaz9D0u+cfryACmyLKWrruSMhIf8AFtb2P6Z87O0ybWNq/ELL/ ++cbfs1HZRgdGSauyGf9Rr3pbUTCa34XAkyj0EVnTL9GhIqHgcGADPLHPVK63jzPY +0qU97gmMLiZZXeDPePrare7ar5EenZblxfuFlnrj16OuY0gZdPeARH0+XVW7dE6p +hunk4Jz4IYdY+z6SIIcqlFNL/GD5eQ1J2VLh84uAhHEFjVBKvsSvTdv535WqvEeC +zwyY7qUliMObWb/DVo/hAP88sYIF/qtqa96pQ/iFJzvHEf0U9S72fS+bdX706o6Y +A6lySK3pooTmyzhhFdPtMVhGjdPOTlc8lEE7dhAYc0sR5AtAhHegoEfJePGBrCia +xwo7jr0PpYFbQJIGAXlRXn4aymtuNk5lQTZWQpEtucFIRoVmy799+KfikxuHe/Sf +oimG4fJ9Av4AStGMw194C2y/usHrNMWImlkkQX8fYXzwnxSwxhubGO8lYh/GHDho +oOiFffg1gQksjmdHdCF1jb0yxft3dQRQ+HZRuQINBFTZ0DcBEADWTaBSOHDPU2BQ +jDmCIh9VGl6ImzRO5GdagzPzusuR01Dkp5tpKAmDE6rVWooAKv7V4lCSwc6B8Ide +wsw8eS9/yEoTB3asABQnFGSCNjVv1xBB+5J8J6p+bZItgmQs3xPhl7VJuzO3wVtq +YD71bfzq3fg4ZhCj9APn3Sh0t8fxFJ/FbLyaGBJMYPX09eHqmJPqACxcZur1vVAB +TtFWfyTl83g07sdPuqejUI3MpCnhuRolwHR6UaKX3pLC0Md7GanxQRIboiF+z5ZQ +EMR6T6inDxvNmlak+cfbb2dkVXZP+eYXCoDYXXGwxlqpDRDWzr05qJtmv4AzYG+6 +X9doyWvbdkUVQvKMmIfs1X7S4X9hpcDFb78LlztVNgNP5VEOyt97epUNphJm7ncn +hSQrKN5CCeffHn08NmT5HhJGfmnbCAUG3QkhJtAf0vg0vAg0y030uZzeU96xpzu5 +cz3/fN7j/Qi2zg8rdOXahdR5fuF4nDE9z0Lc9U/j+1+5z0C/RVMDllAR6n4WITbJ +1de5ujPzg6CrMo3Zfdp4zsb8g+s1Wn33Mds1/kmBGiCIgxYcVRaa4cE7q7ijn2sd +5zUy3dSXoq2lHo0jQpz+tFcU7KdtN2NB/Kri7b7FheleZa+e1kMRkMUJkuSUFfcK +3mM7gN9/QKVKrpH1poYjwx20FVgHtwARAQABiQQ+BBgBCAAJBQJU2dA3AhsCAikJ 
+ECEGJ6q6cJ/hwV0gBBkBCAAGBQJU2dA3AAoJEGLyW1krb3batY4P/A5ugYnIxG3D +aYVqbI49LqDwePSNHyhcUjNrlIejyPsLXC7YpCbDchr1w5u6BhP7lyJIuUvvvdaW +eaE1fd9R1c6fHuL4qeSEQnFhZOjYrEZomZzf8THoy5yt7OdaZiuVCYaGMpqxExol +Co9bruQansEV2eMFh9pMyLrAcyHOd+7IURqpPi4MGO/8eGimPuWeOlaQBkpTuGul +nVrZUS2czs9MfrTyKwGKNH+9oXR4Nnp2RK6pIYvdHcv+YQrGiUZfq2hGVQ0oIDrT +tIZoU5y0lgF92DyDadakqr5+REJPBYWboUWqJ6V4NMGS3PNqCGBGdCp4SexwYFf4 +xe/JSOWT3ZPZtthmwElpCI8DZn8wIRhD7vzV94sHgz31OFC2zr3o7N4r0ExDqxeO +7t6bP+kjqwV0u39t2QcO58GK8nswnkFFfEQipJPsVD7+WFNA6RrVYg638XrnF1vF +tOVTgbAn6Wtj0174+FYz+lBkVHF90lU3AFZ7ygJn7A2v+PuADhL34EBUc7nsfLbY +RWz1tqSyRED6VRbsQCtH6FB8O/BxS+zUVUxcd41FoBgDOzwPRSPYda61OXV8ovLl +8AY2l3BGiLbO1hNDRoxcxG7m+pCZXa8oZeWQjJJjnAVO0pEpiPeWzicL2HRhohHD +uHoe3IuKThR9GTain6Y8n6U4LRYEuS3Z3qQQAPLm50evm+4BmjkJP60Tk2B6EqvR +l1QKoYZmOvZX7F0PRF6IgMzWZ4SS7Y9Se/OmdwYHfV/jF66z6CS1RpgU0/Mk99+y +mP/q25NehOaC9XiLZ7CdMYKaw9YJFlDWmqUVyynQPOqIKFPLBP/Vq9gjenQnTwpo +5nNJlrxh2OVepTH9zTyAEG0uIs7lP8PiBID5waOOQT5MT9h8r4aDnpPqcabKi/Li +0M7iI7cIFrzDqHFUK6QTa+pEPfYb6/H3mOpDiOTKBrGoFt0euZuwwH8/8daDt0Jl +k/5INnXFqohG8y96YV9UKULXSZDufiU2EBdFj+bD80Ow2iD+zKNjY4ar5zuTUff5 +BM19chEHJNwSOLyjR0ogENfyfeLorvQM3lunXTzuAMey8nCtFjnjVTQE+mt7RSW0 +K73t2aAw0jVwGu9FSpqXa7K8J1/v+Pq5cme5Y+65zFgnvY5ZX2djIvpyGFwq74VY +dLezh1RsKUqtvAf3tgBbEGcV3E+GPuqaO2iQA1XW/i5TgLhesQd7MpRNSJtIgAwl +vVAFrm9aIjq/Y79PphxGHN5GhdJD1OcyjiPXIPPdY3DgVf6kb/Pbm0h4n8PYU2Qd +HQ418wYzcDYwR6pGA2i7H9Ys3mBxBuIBDrI6DA0DKoMOismfvuhYAFBl+SNXQTmC +yaKJ4Th/5TZsY0L3 +=r0bJ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/pure-ftpd.pamd b/pure-ftpd.pamd new file mode 100644 index 0000000..08c1377 --- /dev/null +++ b/pure-ftpd.pamd @@ -0,0 +1,9 @@ +#%PAM-1.0 +auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +auth required pam_shells.so +auth include common-auth +account include common-account +password include common-password +session required pam_keyinit.so force revoke +session required pam_loginuid.so +session include common-session 
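Review bot: The first auth line of pure-ftpd.pamd sets `onerr=succeed`, so if `/etc/ftpusers` is missing or unreadable the deny-list check passes silently and every account that file was meant to exclude falls through to `common-auth`. For a deny list in front of a network-facing login service, failing closed is the safer default: `auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=fail`. That change locks out all FTP logins when the file is absent, so it is worth confirming which package owns `/etc/ftpusers` (not visible in this commit) before switching.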
diff --git a/pure-ftpd.service b/pure-ftpd.service
new file mode 100644
index 0000000..101b9fd
--- /dev/null
+++ b/pure-ftpd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Pure-FTPd FTP server
+After=syslog.target network.target
+
+[Service]
+ExecStart=/usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/pure-ftpd.spec b/pure-ftpd.spec
new file mode 100644
index 0000000..9824806
--- /dev/null
+++ b/pure-ftpd.spec
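Review bot: The `[Service]` section of pure-ftpd.service starts a network-facing daemon as root with only an `ExecStart=` line and no sandboxing, so a compromise of the FTP process gets the full default view of the host. The daemon has to start as root to switch to the authenticated user, so `User=` is not an option, but directives that do not interfere with serving files can still be added, for example `ProtectKernelTunables=true`, `ProtectKernelModules=true` and `ProtectControlGroups=true`. No `Type=` is set either; if the packaged pure-ftpd.conf enables daemonizing (that patch is not in this part of the page), systemd would lose track of the main process under the default type, so that setting is worth checking against the unit.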
@@ -0,0 +1,172 @@
+#
+# spec file for package pure-ftpd
+#
+# Copyright (c) 2020 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: pure-ftpd
+Version: 1.0.49
+Release: 0
+Summary: A Lightweight, Fast, and Secure FTP Server
+License: BSD-3-Clause
+Group: Productivity/Networking/Ftp/Servers
+URL: https://www.pureftpd.org
+Source0: https://download.pureftpd.org/pub/%{name}/releases/%{name}-%{version}.tar.bz2
+Source1: https://download.pureftpd.org/pub/%{name}/releases/%{name}-%{version}.tar.bz2.minisig
+Source2: %{name}.keyring
+Source3: %{name}.init
+Source4: %{name}.pamd
+Source5: %{name}.xinetd
+Source8: %{name}.service
+# PATCH-FEATURE-OPENSUSE %{name}-1.0.20_config.patch -- Custom service configs.
+Patch0: %{name}-1.0.20_config.patch
+# PATCH-FEATURE-OPENSUSE %{name}-1.0.20_doc.patch -- Adjust command paths on documentation.
+Patch1: %{name}-1.0.20_doc.patch
+# PATCH-FEATURE-OPENSUSE %{name}-1.0.20_virtualhosts.patch -- Custom VHOST_PATH on openSUSE.
+Patch2: %{name}-1.0.20_virtualhosts.patch
+Patch5: %{name}-1.0.49_ftpwho_path.patch
+# PATCH-FIX-UPSTREAM %{name}-1.0.32-default_tcp_sedrcv_buffer_size.patch
+Patch7: %{name}-1.0.32-default_tcp_sedrcv_buffer_size.patch
+# PATCH-FIX-OPENSUSE: bnc#789833
+# won't be upstreamed, can be dropped when systemd will be only one init system and kernel get AUDIT_LOGINUID_IMMUTABLE
+Patch8: pure-ftpd-1.0.36-cap-audit-control.patch
+Patch9: pure-ftpd-apparmor.patch
+Patch10: pure-ftpd-malloc-limit.patch
+BuildRequires: libcap-devel
+BuildRequires: mysql-devel
+BuildRequires: openldap2-devel
+BuildRequires: pam-devel
+BuildRequires: postgresql-devel
+Requires(pre): coreutils
+Provides: ftp-server
+Provides: pureftpd = %{version}-%{release}
+%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150200
+BuildRequires: postgresql-server-devel
+%endif
+BuildRequires: pkgconfig(systemd)
+%{?systemd_requires}
+Requires(pre): user(ftp)
+
+%description
+Pure-FTPd is a fast, production-quality, and standard-conforming FTP
+server, based-on Troll-FTPd. Unlike other popular FTP servers, it has
+no known security flaws, is trivial to set up, and is especially
+designed for modern Linux kernels (setfsuid and sendfile capabilities)
+. Features include: PAM support, IPv6, chroot()ed home directories,
+virtual domains, built-in LS, anti-warez system, bandwidth throttling,
+FXP, bounded ports for passive downloads, upload and download ratios,
+Apache log files, and more.
+
+%prep
+%setup -q
+%patch0
+%patch1
+%patch2
+%patch5
+%patch7
+%patch8 -p1
+%patch9 -p2
+%patch10 -p1
+
+%build
+#CFLAGS="%{optflags} -DLDAP_DEPRECATED -fstack-protector -fvisibility=hidden"
+%configure --docdir=%{_docdir}/%{name} \
+ --with-rfc2640 \
+ --sysconfdir=%{_sysconfdir}/%{name} \
+ --with-ldap \
+ --with-paranoidmsg \
+ --with-altlog \
+ --with-virtualhosts \
+ --with-ftpwho \
+ --with-mysql \
+ --with-nonalnum \
+ --with-pgsql \
+ --with-cookie \
+ --with-throttling \
+ --with-ratios \
+ --with-uploadscript \
+ --with-diraliases \
+ --with-pam \
+ --with-puredb \
+ --with-sysquotas \
+ --with-quotas \
+ --with-inetd \
+ --with-tls \
+ --with-boring \
+ --with-peruserlimits \
+ --with-virtualchroot \
+ --with-extauth
+make %{?_smp_mflags}
+
+%install
+%make_install
+
+install -dD -m 0755 \
+ %{buildroot}%{_sysconfdir}/{%{name},%{name}/vhosts,pam.d,openldap/schema}
+install -m 0644 pure-ftpd.conf %{buildroot}%{_sysconfdir}/%{name}
+
+install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/pure-ftpd
+
+install -m 0644 pureftpd.schema %{buildroot}%{_sysconfdir}/openldap/schema/
+
+install -D -m 0644 usr.sbin.pure-ftpd %{buildroot}%{_sysconfdir}/apparmor/profiles/extras/usr.sbin.pure-ftpd
+
+install -D -m0644 %{SOURCE8} %{buildroot}%{_unitdir}/%{name}.service
+ln -sf service %{buildroot}%{_sbindir}/rc%{name}
+
+rm %{buildroot}/%{_docdir}/%{name}/README.MacOS-X
+rm %{buildroot}/%{_docdir}/%{name}/pureftpd.schema
+rm %{buildroot}/%{_docdir}/%{name}/pure-ftpd.conf
+
+%pre
+%service_add_pre %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%post
+if [ -f etc/pure-ftpd.conf ]; then
+ mv etc/pure-ftpd.conf etc/pure-ftpd/pure-ftpd.conf
+fi
+%service_add_post %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%files
+%license COPYING
+%doc FAQ AUTHORS NEWS THANKS README
+%doc README.Configuration-File HISTORY README.Virtual-Users README.AppArmor
+%doc README.LDAP pureftpd-ldap.conf README.MySQL pureftpd-mysql.conf
+%doc README.PGSQL pureftpd-pgsql.conf README.TLS
+%doc README.Donations README.Authentication-Modules
+%{_mandir}/man8/*
+%{_bindir}/*
+%{_sbindir}/*
+%dir %{_sysconfdir}/openldap
+%dir %{_sysconfdir}/openldap/schema
+%dir %{_sysconfdir}/%{name}
+%dir %{_sysconfdir}/%{name}/vhosts
+%dir %{_sysconfdir}/apparmor
+%dir %{_sysconfdir}/apparmor/profiles
+%dir %{_sysconfdir}/apparmor/profiles/extras
+%config %{_sysconfdir}/openldap/schema/pureftpd.schema
+%config %{_sysconfdir}/pam.d/pure-ftpd
+%config(noreplace) %{_sysconfdir}/%{name}/pure-ftpd.conf
+%config(noreplace) %{_sysconfdir}/apparmor/profiles/extras/usr.sbin.pure-ftpd
+
+%{_unitdir}/%{name}.service
+
+%changelog
diff --git a/pure-ftpd.xinetd b/pure-ftpd.xinetd
new file mode 100644
index 0000000..d82c892
--- /dev/null
+++ b/pure-ftpd.xinetd
@@ -0,0 +1,21 @@
+# default: off
+# description: The ftpd server serves FTP connections. It uses normal, \
+# unencrypted usernames and passwords for authentication. This ftpd is \
+# the pure-ftpd.
+# ** NOTE ** when using pure-ftpd from xinetd the arguments to control
+# it's behaviour should be added here in this file in the
+# "server_args" line since the configuration file
+# /etc/pure-ftpd.conf is only for standalone pure-ftpd.
+# The command "/usr/sbin/pure-config-args /etc/pure-ftpd.conf"
+# will print the arguments needed for behaviour like standalone
+# pure-ftpd.
+service ftp
+{
+ socket_type = stream
+ server = /usr/sbin/pure-ftpd
+# server_args =
+ protocol = tcp
+ user = root
+ wait = no
+ disable = yes
+}
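Review bot: `Source1` in pure-ftpd.spec is a minisign signature, but nothing in `%prep` checks it, and `Source2` is an OpenPGP keyring, which cannot validate a `.minisig` file; as far as this spec shows, the tarball is unpacked by `%setup -q` with no signature verification at all. If minisign is available in the build root, a check ahead of `%setup` such as `minisign -V -P <upstream-minisign-public-key> -m %{SOURCE0} -x %{SOURCE1}` (the key is a placeholder here) together with `BuildRequires: minisign` would make the shipped signature meaningful. Separately, the `%post` scriptlet uses relative paths, so the config migration depends on the scriptlet's working directory; `if [ -f %{_sysconfdir}/pure-ftpd.conf ]; then` and `mv %{_sysconfdir}/pure-ftpd.conf %{_sysconfdir}/%{name}/pure-ftpd.conf` state the intent without that assumption.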
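Review bot: The header comment of pure-ftpd.xinetd points administrators at `/etc/pure-ftpd.conf`, while the init script, the unit file and the spec in this same commit all use `/etc/pure-ftpd/pure-ftpd.conf`, so the `pure-config-args` command quoted in the comment would read a path the package no longer uses. Both mentions should be updated, e.g. `# /etc/pure-ftpd/pure-ftpd.conf is only for standalone pure-ftpd.`. Because `server_args` is commented out, enabling this entry starts the daemon as root with its built-in defaults rather than the packaged configuration; a comment line saying so, and that credentials stay unencrypted unless TLS is set through `server_args`, would make that explicit for whoever flips `disable`. The visible `%install` section does not install this file, so it may be unused.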