rpm/vsftpd
SHA256
1
0
Fork 0
forked from pool/vsftpd
Code Pull Requests Activity
afb6927f52
vsftpd/vsftpd-3.0.0-turn-seccomp-sandbox-off.patch

14 lines
476 B
Diff
Raw Normal View History

- update to upstream 3.0.0: * Make listen mode the default. * Fix missing "const" in ssl.c * Add seccompsandbox.c to support a seccomp filter sandbox; works against Ubuntu 12.04 ABI. * Rearrange ftppolicy.c a bit so the syscall list is easily comparable with seccompsandbox.c * Rename deprecated "sandbox" to "ptrace_sandbox". * Add a few more state checks to the privileged helper processes. * Add tunable "seccomp_sandbox", default on. * Use hardened build flags. * Retry creating a PASV socket upon port reuse race between bind() and listen(), patch from Ralph Wuerthner <ralph.wuerthner@de.ibm.com>. * Don't die() if recv() indicates a closed remote connection. Problem report on a Windows client from Herbert van den Bergh, <herbert.van.den.bergh@oracle.com>. * Add new config setting "allow_writeable_chroot" to help people in a bit of a spot with the v2.3.5 defensive change. Only applies to non-anonymous. * Remove a couple of fixed things from BUGS. * strlen() trunction fix -- no particular impact. * Apply some tidyups from mmoufid@yorku.ca. * Fix delete_failed_uploads if there is a timeout. Report from Alejandro Hernández Hdez <aalejandrohdez@gmail.com>. * Fix other data channel bugs such as failure to log failure upon timeout. * Use exit codes a bit more consistently. * Fix bad interaction between SSL and trans_chunk_size. * Redo data timeout to fire properly for SSL sessions. * Redo idle timeout to fire properly for SSL sessions. * Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing. * Use 10 minutes as a max linger time just in case an alarm gets lost. * Change PR_SET_NO_NEW_PRIVS define, from Kees Cook. * Add AES128-SHA to default SSL cipher suites for FileZilla compatibility. Unfortunately the default vsftpd SSL confiuration still doesn't fully work with FileZilla, because FileZilla has a data connection security problem: no client certificate presentation and no session reuse. At least the error message is now very clear. * Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst a data transfer is in progress. * Fix delete_failed_uploads for anonymous sessions. * Don't listen for urgent data if the control connection is SSL, due to possible protocol synchronization issues. - SUSE specific changes: * turn off the listen mode (listen=NO) by default and change README.SUSE * merge new hardended flags for build and linking * fix the wrong Type=forking from systemd service file * turn off the seccomp_sandbox off by default as SUSE kernel does not support it (yet) OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=38
2012-04-11 14:03:42 +02:00
Index: vsftpd-3.0.0/tunables.c
===================================================================
--- vsftpd-3.0.0.orig/tunables.c 2012-04-05 00:29:50.000000000 +0200
+++ vsftpd-3.0.0/tunables.c 2012-04-11 13:50:39.538712522 +0200
@@ -226,7 +226,7 @@
tunable_isolate_network = 1;
tunable_ftp_enable = 1;
tunable_http_enable = 0;
- tunable_seccomp_sandbox = 1;
+ tunable_seccomp_sandbox = 0;
tunable_allow_writeable_chroot = 0;
tunable_accept_timeout = 60;
Copy Permalink