vsftpd/README.SUSE

vsftpd-3.0.0 made the listen mode default. In order to maintain backward
compatibility, default /etc/vsftpd.conf in SUSE contains

listen=NO
listen_ipv6=YES

if you plan to use xinetd (/etc/xinetd.d/vsftp) you don't need to change
anything by default, but if you have ipv6 available you have to set
listen_ipv6=NO too in order for xinetd to work.
Alternatively you can also use systemd socket service that listens on
port 21 and starts the server like xinetd would. This service does
not require you to change ANY variable in the /etc/vsftpd.conf.
- update to upstream 3.0.0: * Make listen mode the default. * Fix missing "const" in ssl.c * Add seccompsandbox.c to support a seccomp filter sandbox; works against Ubuntu 12.04 ABI. * Rearrange ftppolicy.c a bit so the syscall list is easily comparable with seccompsandbox.c * Rename deprecated "sandbox" to "ptrace_sandbox". * Add a few more state checks to the privileged helper processes. * Add tunable "seccomp_sandbox", default on. * Use hardened build flags. * Retry creating a PASV socket upon port reuse race between bind() and listen(), patch from Ralph Wuerthner <ralph.wuerthner@de.ibm.com>. * Don't die() if recv() indicates a closed remote connection. Problem report on a Windows client from Herbert van den Bergh, <herbert.van.den.bergh@oracle.com>. * Add new config setting "allow_writeable_chroot" to help people in a bit of a spot with the v2.3.5 defensive change. Only applies to non-anonymous. * Remove a couple of fixed things from BUGS. * strlen() trunction fix -- no particular impact. * Apply some tidyups from mmoufid@yorku.ca. * Fix delete_failed_uploads if there is a timeout. Report from Alejandro Hernández Hdez <aalejandrohdez@gmail.com>. * Fix other data channel bugs such as failure to log failure upon timeout. * Use exit codes a bit more consistently. * Fix bad interaction between SSL and trans_chunk_size. * Redo data timeout to fire properly for SSL sessions. * Redo idle timeout to fire properly for SSL sessions. * Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing. * Use 10 minutes as a max linger time just in case an alarm gets lost. * Change PR_SET_NO_NEW_PRIVS define, from Kees Cook. * Add AES128-SHA to default SSL cipher suites for FileZilla compatibility. Unfortunately the default vsftpd SSL confiuration still doesn't fully work with FileZilla, because FileZilla has a data connection security problem: no client certificate presentation and no session reuse. At least the error message is now very clear. * Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst a data transfer is in progress. * Fix delete_failed_uploads for anonymous sessions. * Don't listen for urgent data if the control connection is SSL, due to possible protocol synchronization issues. - SUSE specific changes: * turn off the listen mode (listen=NO) by default and change README.SUSE * merge new hardended flags for build and linking * fix the wrong Type=forking from systemd service file * turn off the seccomp_sandbox off by default as SUSE kernel does not support it (yet) OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=38 2012-04-11 14:03:42 +02:00			`vsftpd-3.0.0 made the listen mode default. In order to maintain backward`
			`compatibility, default /etc/vsftpd.conf in SUSE contains`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=1 2007-01-16 00:40:43 +01:00
			`listen=NO`
- update to upstream 3.0.0: * Make listen mode the default. * Fix missing "const" in ssl.c * Add seccompsandbox.c to support a seccomp filter sandbox; works against Ubuntu 12.04 ABI. * Rearrange ftppolicy.c a bit so the syscall list is easily comparable with seccompsandbox.c * Rename deprecated "sandbox" to "ptrace_sandbox". * Add a few more state checks to the privileged helper processes. * Add tunable "seccomp_sandbox", default on. * Use hardened build flags. * Retry creating a PASV socket upon port reuse race between bind() and listen(), patch from Ralph Wuerthner <ralph.wuerthner@de.ibm.com>. * Don't die() if recv() indicates a closed remote connection. Problem report on a Windows client from Herbert van den Bergh, <herbert.van.den.bergh@oracle.com>. * Add new config setting "allow_writeable_chroot" to help people in a bit of a spot with the v2.3.5 defensive change. Only applies to non-anonymous. * Remove a couple of fixed things from BUGS. * strlen() trunction fix -- no particular impact. * Apply some tidyups from mmoufid@yorku.ca. * Fix delete_failed_uploads if there is a timeout. Report from Alejandro Hernández Hdez <aalejandrohdez@gmail.com>. * Fix other data channel bugs such as failure to log failure upon timeout. * Use exit codes a bit more consistently. * Fix bad interaction between SSL and trans_chunk_size. * Redo data timeout to fire properly for SSL sessions. * Redo idle timeout to fire properly for SSL sessions. * Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing. * Use 10 minutes as a max linger time just in case an alarm gets lost. * Change PR_SET_NO_NEW_PRIVS define, from Kees Cook. * Add AES128-SHA to default SSL cipher suites for FileZilla compatibility. Unfortunately the default vsftpd SSL confiuration still doesn't fully work with FileZilla, because FileZilla has a data connection security problem: no client certificate presentation and no session reuse. At least the error message is now very clear. * Add restart_syscall to seccomp policy. Triggers reliably if you strace whilst a data transfer is in progress. * Fix delete_failed_uploads for anonymous sessions. * Don't listen for urgent data if the control connection is SSL, due to possible protocol synchronization issues. - SUSE specific changes: * turn off the listen mode (listen=NO) by default and change README.SUSE * merge new hardended flags for build and linking * fix the wrong Type=forking from systemd service file * turn off the seccomp_sandbox off by default as SUSE kernel does not support it (yet) OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=38 2012-04-11 14:03:42 +02:00			`listen_ipv6=YES`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=1 2007-01-16 00:40:43 +01:00
- Cleanup with spec-cleaner - Remove conditions about init files as we do not build for < 12.1 anyway. - Update the README.SUSE file to describe more the listen option. OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=63 2014-05-26 15:22:17 +02:00			`if you plan to use xinetd (/etc/xinetd.d/vsftp) you don't need to change`
			`anything by default, but if you have ipv6 available you have to set`
			`listen_ipv6=NO too in order for xinetd to work.`
			`Alternatively you can also use systemd socket service that listens on`
			`port 21 and starts the server like xinetd would. This service does`
			`not require you to change ANY variable in the /etc/vsftpd.conf.`