vsftpd/vsftpd.spec

#
# spec file for package vsftpd (Version 2.0.6)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild


Name:           vsftpd
BuildRequires:  openssl-devel pam-devel
%if 0%{?suse_version} < 1001
BuildRequires:  libcap
%else
BuildRequires:  libcap-devel
%endif
Version:        2.0.6
Release:        8
Summary:        Very Secure FTP Daemon - Written from Scratch
License:        GPL v2 or later
Group:          Productivity/Networking/Ftp/Servers
Url:            http://vsftpd.beasts.org
Source:         %name-%version.tar.bz2
Source1:        %name.pam
Source2:        %name.logrotate
Source3:        %name.init
Source4:        README.SUSE
Source5:        %name.xml
Source6:        %name.firewall
Patch:          %name-2.0.4-conf.diff
Patch1:         %name-2.0.4-lib64.diff
Patch2:         %name-2.0.4-nowarn.patch
Patch3:         %name-2.0.4-xinetd.diff
Patch4:         %name-2.0.4-enable-ssl.patch
Patch5:         %name-2.0.4-dmapi.patch
Patch6:         %name-2.0.5-vuser.patch
Patch7:         %name-2.0.5-enable-debuginfo.patch
Patch8:         %name-2.0.5-utf8-log-names.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Provides:       ftp-server
PreReq:         %insserv_prereq

%description
Vsftpd is an FTP server, or d<EFBFBD>mon. The "vs" stands for Very Secure.
Obviously this is not a guarantee, but the entire codebase was written
with security in mind, and carefully designed to be resilient to
attack.

Recent evidence suggests that vsftpd is also extremely fast (and this
is before any explicit performance tuning!). In tests against wu-ftpd,
vsftpd was always faster, supporting over twice as many users in some
tests.



Authors:
--------
    Chris Evans <chris@scary.beasts.org>

%prep
%setup -q
%patch
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4
%patch5
%patch6
%patch7
%patch8 -p1

%build
rm -f dummyinc/sys/capability.h
make CFLAGS="$RPM_OPT_FLAGS -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -fstack-protector" \
     LDFLAGS="-pie" LINK=

%install
mkdir -p $RPM_BUILD_ROOT/usr/share/empty
cp %SOURCE4 .
install -D -m 755 %name  $RPM_BUILD_ROOT/usr/sbin/%name
install -D -m 600 %name.conf $RPM_BUILD_ROOT/etc/%name.conf
install -D -m 600 xinetd.d/%name $RPM_BUILD_ROOT/etc/xinetd.d/%name
install -D -m 644 $RPM_SOURCE_DIR/%name.pam $RPM_BUILD_ROOT/etc/pam.d/%name
install -D -m 644 $RPM_SOURCE_DIR/%name.logrotate $RPM_BUILD_ROOT/etc/logrotate.d/%name
install -D -m 644 %name.conf.5 $RPM_BUILD_ROOT/%_mandir/man5/%name.conf.5
install -D -m 644 %name.8 $RPM_BUILD_ROOT/%_mandir/man8/%name.8
install -D -m 755 %SOURCE3 $RPM_BUILD_ROOT/etc/init.d/%name
ln -sf ../../etc/init.d/%name $RPM_BUILD_ROOT/%_prefix/sbin/rc%name
install -d $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/
install -D -m 644 %SOURCE5 $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/
install -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/
install -m 644 %{S:6} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}

%preun
%stop_on_removal %name

%postun
%insserv_cleanup
%restart_on_update %name

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
/usr/sbin/%name
/usr/sbin/rc%name
/etc/init.d/%name
%_datadir/omc/svcinfo.d/vsftpd.xml
%dir /usr/share/empty
%config(noreplace) /etc/xinetd.d/%name
%config(noreplace) /etc/%name.conf
%config /etc/pam.d/%name
%config(noreplace) /etc/logrotate.d/%name
%_mandir/man5/%name.conf.*
%_mandir/man8/%name.*
%doc INSTALL BUGS AUDIT Changelog LICENSE README README.security
%doc REWARD SPEED TODO SECURITY TUNING SIZE FAQ EXAMPLE COPYING
%doc README.SUSE
%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}

%changelog
* Tue Apr 01 2008 mkoenig@suse.de
- remove dir /usr/share/omc/svcinfo.d as it is provided now
  by filesystem
* Tue Mar 11 2008 crrodriguez@suse.de
- version 2.0.6
- Fix delay_failed_login typo. Oops.
- Patch the getcwd and readlink sysutil helpers to reflect that they wouldn't
  like a 0-sized buf. No caller is affected. Thanks Ilja van Sprundel
  <ilja@suresec.org>.
- Allow a (fake) reauth as the same user as the logged in user. Should resolve
  .NET related report from Sabo Jim <Jim.Sabo@thomson.net>.
- Tweak from Lucian Adrian Grijincu <lucian.grijincu@gmail.com> to take
  unnecessary port calculations out of a loop.
- Fix byte I/O accounting in the error path of do_file_send_rwloop, thanks to
  <echen@siac.com>.
- Don't log FireFox's attempts to RETR directories! Reported by
  Nixdorf, Tim <tnixdorf@dnps.com>.
- Fix STOU sending the same 150 status line twice - oops! Reported by
  <yamazaki@iij.ad.jp>.
- Fix xferlog format for virtual (guest) users, reported by Andy Fletcher
  <andy@withnail.org>.
- Fix bug with empty user list file and userlist_deny=NO. Reported by
  Marcin Zawadzki/GlobalVanet.com <marcin.zawadzki@globalvanet.com>.
- Pretend we have proper UTF8 support and respond positively to OPTS UTF8 ON.
  Thanks Stanislav Maslovski <stanislav.maslovski@gmail.com>.
- Add control over the file permissions used in the chown()ing of anonymous
  uploads: chown_upload_mode (default 0600 as before). Suggestion from
  An Pham <apham@medforcetech.com>.
- Do a retry getting the active ftp socket in vsf_privop_get_ftp_port_sock();
  should help buggy Solaris systems. Reported by Michael Masterson
  <mjmasterson@xo.com>.
- Add debug_ssl option to dump out some SSL connection details.
- Use code 522, not 521, to indicate that the server requires an encrypted
  data connection. Still does not seem to coax lftp to retry :(
- Recognize OPTS pre-login.
- A whole ton of SSL improvements, including ability to force requirement of
  a client cert; data and control channel client cert cross checking. Ability
  to require fully valid / authentic client certs. No cert-based auth yet.
* Tue Mar 27 2007 mskibbe@suse.de
- change path to firewall script (#247352)
* Fri Mar 02 2007 mskibbe@suse.de
- change path to firewall script (#247352)
* Wed Feb 28 2007 mskibbe@suse.de
- vsftpd - Support for FATE #300687: Ports for SuSEfirewall added
  via packages (#246932)
* Mon Jan 15 2007 mskibbe@suse.de
- fix cryptic symbol in package - description
- build against libcap on suse < 10.1
* Fri Jan 12 2007 mskibbe@suse.de
- vsftp could not log any file name other then ascii (#229320)
* Thu Jan 11 2007 mskibbe@suse.de
- change path to xml service document (fate #301713)
* Mon Jan 08 2007 mskibbe@suse.de
- fix Bug #230220 - vsftp no debuginfo
* Mon Jan 08 2007 mskibbe@suse.de
- xml document should readable to all (fate #301713)
* Wed Dec 06 2006 mskibbe@suse.de
- add service xml document (fate #301713 )
* Mon Oct 23 2006 mskibbe@suse.de
- fix Bug 213894 - vsftpd and pam
* Mon Sep 04 2006 kukuk@suse.de
- Include common PAM config files, add pam_loginuid.so
* Fri Jul 14 2006 mskibbe@suse.de
- udpate to version 2.0.5 which
  o IE should now show the login dialog again
  o configurable login attempt limits and delays were added
  o a bad intereaction with DMAPI filesystems was fixed and chained
  certs should now work.
* Fri May 26 2006 schwab@suse.de
- Don't strip binaries.
* Thu Apr 20 2006 hvogel@suse.de
- revert the rename to vsftp for the xinetd config file. chkconfig
  knows on for init and xinetd. So this wasnt a bug but a misusage
  of chkconfig
* Thu Apr 20 2006 hvogel@suse.de
- add support for DMAPI filesystems [#167632]
* Wed Apr 19 2006 hvogel@suse.de
- rename xinetd config from vsftpd to vsftp to avoid name clashes
  in chkconfig [#165745]
* Thu Feb 16 2006 hvogel@suse.de
- enable ssl for real [#151453]
* Mon Feb 06 2006 hvogel@suse.de
- The switch to standalone should not happen in update.
  Installed xinetd config file again. The configuration file is
  marked as noreplace anyway so if you are updating you will
  get a xinetd.d/vsftpd.rpmnew and a vsftpd.conf.rpmnew
  and everything is working as before and standalone is only used
  for new installations. [#148201]
- redirect standalone parent output to /var/log/rcvsftp.log
  so the init script can return properly.
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Fri Jan 13 2006 hvogel@suse.de
- Make use of Stack Protector
- fix some uninitialized variables
* Wed Jan 11 2006 hvogel@suse.de
- Update to version 2.0.4 including:
  o Add explicit "This FTP server does not allow anonymous logins"
  message.
  o Add paranoid checks to sysutil.c for large values / lengths.
  o Load per-IP config files earlier; allows more settings to be
  tuned on a per-IP level.
  o regex fix so that {*} correctly matches everything.
  o Add optional file locking support via lock_upload_files.
  o Apply LDFLAGS patch from Mads Martin Joergensen <mmj@suse.de>.
  o Add pasv_addr_resolve option to allow pasv_address to get
  DNS resolved once at startup.
  o Apply patch to fix timezone issues (caused by chroot()
  interacting badly with newer glibc versions).
* Wed Sep 28 2005 mmj@suse.de
- Add init script, and make it standalone
* Sun Sep 18 2005 kukuk@suse.de
- Add libcap-devel to nfb
* Tue Aug 09 2005 mmj@suse.de
- Document that /etc/xinet.d/vsftpd is for xinetd conf [#102953]
* Mon Aug 08 2005 uli@suse.de
- build with -fPIE, not -fpie (fixes s390x)
* Mon Jun 27 2005 ro@suse.de
- use libcap
* Fri Jun 17 2005 mmj@suse.de
- Compile with -fpie, link with -pie
* Tue Apr 19 2005 mmj@suse.de
- Update to 2.0.3 including:
  o Document what regex expressions are supported in the man page.
  o New settings rsa_private_key_file and dsa_private_key_file to
  allow separate files for the certificates and private keys.
  o Initial, simple fix for timed out processes not exiting when
  SSL is in use.  Better fix (which reports timeout to client
  properly) to follow.
  o Add which setsockopt option failed to die("setsockopt") calls.
  o Fix error with IPv4 connections to IPv6 listeners and PORT
  type data connections when connect_from_port_20 is set.
  o Remove vsf_sysutil_sockaddr_same_family (unused).
  o Support protocol 1 (IPv4) in EPRT.
  o Add ssl.c to AUDIT.
  o Allow config file to use "ssl_ciphers=" to use default
  OpenSSL cipher list.
  o Allow "EPSV 1" to mean IPv4 EPSV.
  o Report dummy IP but correct port with IPv6 / PASV.
  o Handle SSL_WANT_READ and SSL_WANT_WRITE retries in SSL_read
  and SSL_write; fixes SSL upload failures when data timeouts are
  in use with some clients.
  o Implicitly disable connect_from_port_20 and chown_uploads
  when a non-root user is using run_as_launching_user.
  o Add force_anon_logins_ssl and force_anon_data_ssl for a fully
  SSL secure anonymous  oonly solution (useful when you don't
  have root access and a range of acceptable anonymous
  passwords as credentials).
  o Use SSL BIO callbacks to fix data connection timeout checks;
  the checks weren't all occurring promply.
* Thu Mar 03 2005 mmj@suse.de
- Update to 2.0.2 including:
  o Emit data transfer status messages (success / failure)
  after flushing and waiting for the full data transfer to
  reach the client. This should help work around buggy FTP
  clients such as FlashFXP, which is known to truncate files
  incorrectly.
  o Make str_empty actually allocate an empty string.
  o Change the ASCII receive code to ONLY rip out \r if it is
  just before a \n; someone finally complained about this.
  o Enable AIX Large File Support
  o Add a couple of FAQ entries.
  o Fix time delta code areas to cope with negative deltas,
  which will occur if the clock is adjusted backwards.
  o Fix "errno" checks to be robust in multiple places;
  previously, calls to failing library calls could be made
  inbetween the original library call and the "errno" reads.
  o Make bandwidth limiter work with SSL data connections.
  o Note that the SSL / bandwidth limiter bug fixed a much more
  serious bug: SSL data connection dropouts after
  data_connection_timeout seconds.
* Fri Feb 18 2005 mmj@suse.de
- Glibc doesn't cache the timezone as much as it used to, so export
  the TZ variable after doing chroot. [#49878]
* Thu Aug 12 2004 mmj@suse.de
- Update to 2.0.1 including:
  o Add -lcrypto for the SSL build; needed for some systems
  o Oops; fix session bale out if an empty length password is given.
  o Fix build on Fedora Core 2 (-lcap cannot seem to find /lib/libcap.so).
  o Fix vsftpd.conf.5 man page error in "ssl_sslv3"
  o Clarify licensing: I allow linking of my GPL software with the OpenSSL
  libraries.
  o Fix build where PAM build is enabled but PAM headers are missing.
* Fri Jul 02 2004 mmj@suse.de
- Update to 2.0.0 including:
  o Improve logging (log deletes, renames, chmods, etc. as
  requested by users).
  o Add no_log_lock to work around Solaris / Veritas locking
  hangs.
  o Add EPRT, EPSV, PASV and TVFS to FEAT response.
  o Implement use of MDTM to set timestamps.
  o Recognize FEAT prior to login.
  o Add OpenSSL (AUTH TLS / SSL) support for encrypted control
  and data connections.
  o Increase max size of .message files to 4000 characters
  o Add easy builddefs.h ability to disable PAM builds even when
  PAM is installed.
  o Report vsftpd version in STAT output.
  o Add REFS file.
  o Change parent<->child socket comms from DGRAM to STREAM for
  increased reliability. The main benefit is should the parent
  be killed (or crash out) then the child won't block on a
  read() that will never return.
  o Make str_reserve reserve space for the trailing zero as well,
  so we don't cause a reallocation if we exactly fill the buffer.
  o Optimize the sending of strings over the parent<->child comms links.
  o Improve the build system so tcp_wrappers, PAM and OpenSSL can
  be forcibly compiled out.
  o Fix vsftpd.conf.5 typos
  o If trans_chunk_size is between 1 and 4096, use 4096 rather
  than ignoring totally.
  o Add SSL / TLS info to SECURITY texts.
  o Add README.ssl
  o Add documentation for new SSL options to vsftpd.conf.5.
  o Add support for CWD ~
  o Fix compile warnings.
* Sun May 30 2004 mmj@suse.de
- Add logrotate file [#41432]
* Tue Apr 27 2004 mmj@suse.de
- Update to 1.2.2 including:
  o Fix nasty issue resulting in listener instability under
  extreme load (root cause was re-entering malloc/free).
  o Fix build with modern glibc-2.3 and no libcap on Linux.
  o Add initial support for running as the user which launched
  vsftpd, i.e. no root needed. Warning - easy to create
  insecurity if you use this without knowing what you are
  doing.
  o For above run-as-launching-user support: make CDUP re-use CWD
  code so that deny_file of *..* is useful.
* Mon Jan 26 2004 hvogel@suse.de
- reworked the log part of the conf file patch.
  Enabled syslog as default log destination, clarify xferlog
  settings.
* Mon Jan 19 2004 mmj@suse.de
- -D_LARGEFILE_SOURCE to get LFS support. Also make sure the
  offset bits are set correct.
* Fri Jan 16 2004 kukuk@suse.de
- Add pam-devel to neededforbuild
* Thu Nov 13 2003 mmj@suse.de
- Update to 1.2.1
* Wed Oct 15 2003 mmj@suse.de
- Don't build as root
* Mon Jul 28 2003 mmj@suse.de
- Add EXAMPLE/ and FAQ
- Don't strip explicitly
* Fri May 30 2003 mmj@suse.de
- Update to vsftpd-1.2.0 including:
  <EFBFBD> IPv6 support, so drop our patch
  <EFBFBD> Many bugfixes and tunings
  <EFBFBD> Build fixes
* Thu Mar 06 2003 mmj@suse.de
- Fix the xinetd conf file [#24774]
* Fri Feb 07 2003 kukuk@suse.de
- Use pam_unix2.so instead of pam_unix.so
* Fri Jan 24 2003 mmj@suse.de
- Correct xinetd conffile
* Tue Jan 14 2003 mmj@suse.de
- Install xinetd.d/vsftpd
* Sat Oct 26 2002 mmj@suse.de
- Use better configuration defaults, thanks henne.
* Fri Oct 25 2002 mmj@suse.de
- Add $RPM_OPT_FLAGS to CFLAGS when building
* Thu Oct 24 2002 mmj@suse.de
- Update to 1.1.2 including:
  o Addition of per-IP connection limits in standalone mode.
  o Add logging of refused connect due to global or IP connection limits.
  o Make connection limit exceeded messages nonblocking.
  o Don't exit the listener if fork fails.
* Tue Oct 08 2002 mmj@suse.de
- Update to 1.1.1
* Fri Aug 02 2002 mmj@suse.de
- Update to 1.1.0
* Tue Jul 09 2002 okir@suse.de
- Added a patch to get rid of lots of warnings caused by -Wshadow
- Added a patch to implement IPv6 support
* Tue Apr 30 2002 mmj@suse.de
- And now without detection of pam in /lib/libpam.so.0, which is
  bogus.
* Sun Feb 17 2002 mmj@suse.de
- Added a patch to the vsftpd library detection function to make
  it build with /usr/lib64. Fixes build on S/390.
* Tue Feb 12 2002 mmj@suse.de
- Remove Requires: ftpdir
* Mon Feb 04 2002 choeger@suse.de
- do not set e(x)ecute bit on textfiles
* Fri Feb 01 2002 choeger@suse.de
- declare config file as %%config(noreplace)
* Thu Jan 17 2002 mmj@suse.de
- Update to version 1.0.1
* Fri Nov 30 2001 mmj@suse.de
- Use /etc/pam.d/vsftpd
* Tue Nov 13 2001 mmj@suse.de
- Updated to version 1.0.0
* Mon Oct 22 2001 mmj@suse.de
- Initial package