From cf6d32b00e06bf50bd827f28d930d0f0f54c706669eb1e22fc3fb46c1feb9c4a Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Thu, 7 Sep 2017 13:15:52 +0000 Subject: [PATCH 1/5] Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that would cause SSL protocol errors, aborting the connection, whenever system errors occurred that were supposed to be non-fatal. [bsc#1044292] OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=115 --- vsftpd-die-with-session.patch | 155 ++++++++++++++++++++++++++++++++++ vsftpd.changes | 8 ++ vsftpd.spec | 2 + 3 files changed, 165 insertions(+) create mode 100644 vsftpd-die-with-session.patch diff --git a/vsftpd-die-with-session.patch b/vsftpd-die-with-session.patch new file mode 100644 index 0000000..8be0839 --- /dev/null +++ b/vsftpd-die-with-session.patch @@ -0,0 +1,155 @@ +Index: vsftpd-3.0.2/main.c +=================================================================== +--- vsftpd-3.0.2.orig/main.c ++++ vsftpd-3.0.2/main.c +@@ -155,6 +155,9 @@ main(int argc, const char* argv[]) + the_session.num_clients = ret.num_children; + the_session.num_this_ip = ret.num_this_ip; + } ++ ++ die_init(&the_session); ++ + if (tunable_tcp_wrappers) + { + the_session.tcp_wrapper_ok = vsf_tcp_wrapper_ok(VSFTP_COMMAND_FD); +Index: vsftpd-3.0.2/utility.c +=================================================================== +--- vsftpd-3.0.2.orig/utility.c ++++ vsftpd-3.0.2/utility.c +@@ -9,9 +9,22 @@ + #include "sysutil.h" + #include "str.h" + #include "defs.h" ++#include "session.h" ++#include "tunables.h" ++#include "privsock.h" ++#include "ssl.h" ++#include + + #define DIE_DEBUG + ++static struct vsf_session *s_p_sess = NULL; ++ ++void ++die_init(struct vsf_session *p_sess) ++{ ++ s_p_sess = p_sess; ++} ++ + void + die(const char* p_text) + { +@@ -40,12 +53,70 @@ die2(const char* p_text1, const char* p_ + void + bug(const char* p_text) + { ++ /* Detect calls caused by failed logging from bug() itself ++ * to prevent infinite loops */ ++ static int s_in_bug = 0; ++ const unsigned int buffer_size = 256; ++ char text_buffer[buffer_size]; ++ unsigned int text_len; ++ ++ if (s_in_bug) ++ return; ++ ++ s_in_bug = 1; ++ ++ if (s_p_sess) ++ { ++ /* Try to write the message to logs */ ++ if (s_p_sess->vsftpd_log_fd != -1) ++ { ++ snprintf(text_buffer, buffer_size, ++ "%s vsftpd [pid %d]: \"%s\" from \"%s\": %s", ++ vsf_sysutil_get_current_date(), vsf_sysutil_getpid(), ++ str_getbuf(&s_p_sess->user_str), ++ str_getbuf(&s_p_sess->remote_ip_str), p_text); ++ text_len = vsf_sysutil_strlen(text_buffer); ++ vsf_sysutil_write_loop(s_p_sess->vsftpd_log_fd, text_buffer, text_len); ++ } ++ ++ if (tunable_syslog_enable) ++ { ++ snprintf(text_buffer, buffer_size, "\"%s\" from \"%s\": %s", ++ str_getbuf(&s_p_sess->user_str), ++ str_getbuf(&s_p_sess->remote_ip_str), p_text); ++ vsf_sysutil_syslog(text_buffer, 1); ++ } ++ } ++ else ++ { ++ /* dummy logging before the system is fully set up */ ++ if (tunable_syslog_enable) ++ { ++ vsf_sysutil_syslog(p_text, 1); ++ } ++ } ++ ++ snprintf(text_buffer, buffer_size, "500 OOPS: %s\r\n", p_text); ++ text_len = vsf_sysutil_strlen(text_buffer); ++ + /* Rats. Try and write the reason to the network for diagnostics */ +- vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD); +- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "500 OOPS: ", 10); +- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, p_text, +- vsf_sysutil_strlen(p_text)); +- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "\r\n", 2); ++ if (s_p_sess && s_p_sess->control_use_ssl) ++ { ++ if (s_p_sess->ssl_slave_active) ++ { ++ priv_sock_send_cmd(s_p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP); ++ priv_sock_send_buf(s_p_sess->ssl_consumer_fd, text_buffer, text_len); ++ } ++ else ++ { ++ (void)ssl_write(s_p_sess->p_control_ssl, text_buffer, text_len); ++ } ++ } ++ else ++ { ++ vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD); ++ (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, text_buffer, text_len); ++ } + vsf_sysutil_exit(2); + } + +Index: vsftpd-3.0.2/utility.h +=================================================================== +--- vsftpd-3.0.2.orig/utility.h ++++ vsftpd-3.0.2/utility.h +@@ -2,6 +2,18 @@ + #define VSF_UTILITY_H + + struct mystr; ++struct vsf_session; ++ ++/* die_init ++ * PURPOSE ++ * Initialize static pointer to vsf_session used for ++ * logging and SSL support used by die() and bug(). ++ * If not set (or set to NULL) only dummy write ++ * to VSFTP_COMMAND_FD will be done. ++ * PARAMETERS ++ * p_sess - pointer to vsf_session or NULL ++ */ ++void die_init(struct vsf_session *p_sess); + + /* die() + * PURPOSE +Index: vsftpd-3.0.2/seccompsandbox.c +=================================================================== +--- vsftpd-3.0.2.orig/seccompsandbox.c ++++ vsftpd-3.0.2/seccompsandbox.c +@@ -556,6 +556,10 @@ seccomp_sandbox_setup_postlogin_broker() + allow_nr(__NR_fchown); + allow_nr_1_arg_match(__NR_recvmsg, 3, 0); + } ++ if (tunable_syslog_enable) ++ { ++ allow_nr_1_arg_match(__NR_sendto, 6, 0); ++ } + } + + void diff --git a/vsftpd.changes b/vsftpd.changes index c4f2b0c..19534b5 100644 --- a/vsftpd.changes +++ b/vsftpd.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Sep 7 12:24:26 UTC 2017 - tchvatal@suse.com + +- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that + would cause SSL protocol errors, aborting the connection, whenever + system errors occurred that were supposed to be non-fatal. + [bsc#1044292] + ------------------------------------------------------------------- Wed Jun 14 11:42:26 UTC 2017 - tchvatal@suse.com diff --git a/vsftpd.spec b/vsftpd.spec index 6f2f3dc..0ce8bc7 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -72,6 +72,7 @@ Patch24: vsftpd-3.0.2-wnohang.patch Patch25: vsftpd-3.0.2-fix-chown-uploads.patch #FIX-FIX-OPENSUSE: bsc#1042673 Patch26: vsftpd-3.0.3-build-with-openssl-1.1.patch +Patch27: vsftpd-die-with-session.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: pam-devel @@ -126,6 +127,7 @@ tests. %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 %build %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP From eb840b0f5c9f2290766d9d18265e7815450ee0734d5d6b7cde650c62760f6b1e Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Thu, 7 Sep 2017 13:55:51 +0000 Subject: [PATCH 2/5] Add "vsftpd-mdtm-in-utc.patch" to fix interoperability issue with various ftp clients that arose when vsftpd is configured with option "use_localtime=YES". Basically, it's fine to use local time stamps in directory listings, but responding to MDTM commands with any time zone other than UTC directly violates RFC3659 and leads FTP clients to misinterpret the file's time stamp. [bsc#1024961] OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=116 --- vsftpd-mdtm-in-utc.patch | 41 ++++++++++++++++++++++++++++++++++++++++ vsftpd.changes | 7 +++++++ vsftpd.spec | 4 +++- 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 vsftpd-mdtm-in-utc.patch diff --git a/vsftpd-mdtm-in-utc.patch b/vsftpd-mdtm-in-utc.patch new file mode 100644 index 0000000..4eb0c35 --- /dev/null +++ b/vsftpd-mdtm-in-utc.patch @@ -0,0 +1,41 @@ +Index: vsftpd-3.0.2/postlogin.c +=================================================================== +--- vsftpd-3.0.2.orig/postlogin.c 2017-04-06 12:40:37.413294178 +0200 ++++ vsftpd-3.0.2/postlogin.c 2017-04-06 12:40:37.610294876 +0200 +@@ -1639,7 +1639,7 @@ handle_mdtm(struct vsf_session* p_sess) + else + { + retval = vsf_sysutil_setmodtime( +- str_getbuf(&p_sess->ftp_arg_str), modtime, tunable_use_localtime); ++ str_getbuf(&p_sess->ftp_arg_str), modtime, 0); + if (retval != 0) + { + vsf_cmdio_write(p_sess, FTP_FILEFAIL, +@@ -1664,7 +1664,7 @@ handle_mdtm(struct vsf_session* p_sess) + static struct mystr s_mdtm_res_str; + str_alloc_text(&s_mdtm_res_str, + vsf_sysutil_statbuf_get_numeric_date( +- s_p_statbuf, tunable_use_localtime)); ++ s_p_statbuf, 0)); + vsf_cmdio_write_str(p_sess, FTP_MDTMOK, &s_mdtm_res_str); + } + } +Index: vsftpd-3.0.2/vsftpd.conf.5 +=================================================================== +--- vsftpd-3.0.2.orig/vsftpd.conf.5 2017-04-06 12:40:37.496294472 +0200 ++++ vsftpd-3.0.2/vsftpd.conf.5 2017-04-06 12:41:50.271557442 +0200 +@@ -556,9 +556,11 @@ may be found within the _current_ chroot + Default: NO + .TP + .B use_localtime +-If enabled, vsftpd will display directory listings with the time in your +-local time zone. The default is to display GMT. The times returned by the +-MDTM FTP command are also affected by this option. ++If enabled, vsftpd will display directory listings with the time in your local ++time zone. The default is to display GMT. Note that this setting will NOT ++affect the times returned by the MDTM FTP command in this version of the ++daemon. This behavior deviates from the upstream version, which violated ++RFC3659 and subsequently caused problems with popular FTP clients. + + Default: NO + .TP diff --git a/vsftpd.changes b/vsftpd.changes index 19534b5..60520bf 100644 --- a/vsftpd.changes +++ b/vsftpd.changes @@ -6,6 +6,13 @@ Thu Sep 7 12:24:26 UTC 2017 - tchvatal@suse.com system errors occurred that were supposed to be non-fatal. [bsc#1044292] +- Add "vsftpd-mdtm-in-utc.patch" to fix interoperability issue with + various ftp clients that arose when vsftpd is configured with + option "use_localtime=YES". Basically, it's fine to use local time + stamps in directory listings, but responding to MDTM commands with + any time zone other than UTC directly violates RFC3659 and leads + FTP clients to misinterpret the file's time stamp. [bsc#1024961] + ------------------------------------------------------------------- Wed Jun 14 11:42:26 UTC 2017 - tchvatal@suse.com diff --git a/vsftpd.spec b/vsftpd.spec index 0ce8bc7..38d22f4 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -72,7 +72,8 @@ Patch24: vsftpd-3.0.2-wnohang.patch Patch25: vsftpd-3.0.2-fix-chown-uploads.patch #FIX-FIX-OPENSUSE: bsc#1042673 Patch26: vsftpd-3.0.3-build-with-openssl-1.1.patch -Patch27: vsftpd-die-with-session.patch +Patch27: vsftpd-mdtm-in-utc.patch +Patch28: vsftpd-die-with-session.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: pam-devel @@ -128,6 +129,7 @@ tests. %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 %build %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP From ce43389ac49b4d7de09fa63d167f86055e8ff4ab877d9b0d61404e8492b10d0a Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Thu, 7 Sep 2017 14:51:06 +0000 Subject: [PATCH 3/5] Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to append to a file system pipe. [bsc#1048427] OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=117 --- vsftpd-append-seek-pipe.patch | 14 ++++++++++++++ vsftpd.changes | 3 +++ vsftpd.spec | 2 ++ 3 files changed, 19 insertions(+) create mode 100644 vsftpd-append-seek-pipe.patch diff --git a/vsftpd-append-seek-pipe.patch b/vsftpd-append-seek-pipe.patch new file mode 100644 index 0000000..57d9652 --- /dev/null +++ b/vsftpd-append-seek-pipe.patch @@ -0,0 +1,14 @@ +Index: vsftpd-3.0.2/sysutil.c +=================================================================== +--- vsftpd-3.0.2.orig/sysutil.c ++++ vsftpd-3.0.2/sysutil.c +@@ -490,7 +490,8 @@ vsf_sysutil_lseek_end(const int fd) + { + filesize_t retval; + retval = lseek(fd, 0, SEEK_END); +- if (retval < 0) ++ /* Ignore ESPIPE to allow append to fifos */ ++ if (retval < 0 && errno != ESPIPE) + { + die("lseek"); + } diff --git a/vsftpd.changes b/vsftpd.changes index 60520bf..cbcb0ca 100644 --- a/vsftpd.changes +++ b/vsftpd.changes @@ -13,6 +13,9 @@ Thu Sep 7 12:24:26 UTC 2017 - tchvatal@suse.com any time zone other than UTC directly violates RFC3659 and leads FTP clients to misinterpret the file's time stamp. [bsc#1024961] +- Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to + append to a file system pipe. [bsc#1048427] + ------------------------------------------------------------------- Wed Jun 14 11:42:26 UTC 2017 - tchvatal@suse.com diff --git a/vsftpd.spec b/vsftpd.spec index 38d22f4..7f35c30 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -74,6 +74,7 @@ Patch25: vsftpd-3.0.2-fix-chown-uploads.patch Patch26: vsftpd-3.0.3-build-with-openssl-1.1.patch Patch27: vsftpd-mdtm-in-utc.patch Patch28: vsftpd-die-with-session.patch +Patch29: vsftpd-append-seek-pipe.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: pam-devel @@ -130,6 +131,7 @@ tests. %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 %build %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP From 6364c36bd653e398929e62c15d4f4ca516a9868db4d117af0e7cb562886f0d5d Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 8 Sep 2017 07:29:34 +0000 Subject: [PATCH 4/5] Add "vsftpd-3.0.3-address_space_limit.patch" to create the new configuration option "address_space_limit", which determines the memory limit vsftpd configures for its own process (given in bytes). The previously hard-coded limit (100 MB) may not be sufficient for vsftpd servers running with certain PAM modules enabled, and in such cases administrators may wish to raise the limit to match their system's requirements. [bsc#1042137] OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=118 --- vsftpd-3.0.3-address_space_limit.patch | 57 ++++++++++++++++++++++++++ vsftpd.changes | 10 ++++- vsftpd.spec | 2 + 3 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 vsftpd-3.0.3-address_space_limit.patch diff --git a/vsftpd-3.0.3-address_space_limit.patch b/vsftpd-3.0.3-address_space_limit.patch new file mode 100644 index 0000000..6eeaead --- /dev/null +++ b/vsftpd-3.0.3-address_space_limit.patch @@ -0,0 +1,57 @@ +Index: vsftpd-3.0.3/main.c +=================================================================== +--- vsftpd-3.0.3.orig/main.c ++++ vsftpd-3.0.3/main.c +@@ -317,7 +317,7 @@ env_init(void) + static void + limits_init(void) + { +- unsigned long limit = VSFTP_AS_LIMIT; ++ unsigned long limit = tunable_address_space_limit ?: VSFTP_AS_LIMIT; + if (tunable_text_userdb_names) + { + /* Turns out, LDAP lookups for lots of userid -> name mappings can really +Index: vsftpd-3.0.3/parseconf.c +=================================================================== +--- vsftpd-3.0.3.orig/parseconf.c ++++ vsftpd-3.0.3/parseconf.c +@@ -138,6 +138,7 @@ parseconf_uint_array[] = + { "delay_successful_login", &tunable_delay_successful_login }, + { "max_login_fails", &tunable_max_login_fails }, + { "chown_upload_mode", &tunable_chown_upload_mode }, ++ { "address_space_limit", &tunable_address_space_limit }, + { 0, 0 } + }; + +Index: vsftpd-3.0.3/tunables.c +=================================================================== +--- vsftpd-3.0.3.orig/tunables.c ++++ vsftpd-3.0.3/tunables.c +@@ -110,6 +110,7 @@ unsigned int tunable_delay_failed_login; + unsigned int tunable_delay_successful_login; + unsigned int tunable_max_login_fails; + unsigned int tunable_chown_upload_mode; ++unsigned int tunable_address_space_limit; + + const char* tunable_secure_chroot_dir; + const char* tunable_ftp_username; +@@ -255,6 +256,7 @@ tunables_load_defaults() + tunable_max_login_fails = 3; + /* -rw------- */ + tunable_chown_upload_mode = 0600; ++ tunable_address_space_limit = 0; /* See main.c:limits_init */ + + install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir); + install_str_setting("ftp", &tunable_ftp_username); +Index: vsftpd-3.0.3/tunables.h +=================================================================== +--- vsftpd-3.0.3.orig/tunables.h ++++ vsftpd-3.0.3/tunables.h +@@ -112,6 +112,7 @@ extern unsigned int tunable_delay_failed + extern unsigned int tunable_delay_successful_login; + extern unsigned int tunable_max_login_fails; + extern unsigned int tunable_chown_upload_mode; ++extern unsigned int tunable_address_space_limit; + + /* String defines */ + extern const char* tunable_secure_chroot_dir; diff --git a/vsftpd.changes b/vsftpd.changes index cbcb0ca..ceb1497 100644 --- a/vsftpd.changes +++ b/vsftpd.changes @@ -1,5 +1,5 @@ ------------------------------------------------------------------- -Thu Sep 7 12:24:26 UTC 2017 - tchvatal@suse.com +Thu Sep 7 12:24:26 UTC 2017 - psimons@suse.com - Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that would cause SSL protocol errors, aborting the connection, whenever @@ -16,6 +16,14 @@ Thu Sep 7 12:24:26 UTC 2017 - tchvatal@suse.com - Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to append to a file system pipe. [bsc#1048427] +- Add "vsftpd-3.0.3-address_space_limit.patch" to create the new + configuration option "address_space_limit", which determines the + memory limit vsftpd configures for its own process (given in + bytes). The previously hard-coded limit (100 MB) may not be + sufficient for vsftpd servers running with certain PAM modules + enabled, and in such cases administrators may wish to raise the + limit to match their system's requirements. [bsc#1042137] + ------------------------------------------------------------------- Wed Jun 14 11:42:26 UTC 2017 - tchvatal@suse.com diff --git a/vsftpd.spec b/vsftpd.spec index 7f35c30..b0f2703 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -75,6 +75,7 @@ Patch26: vsftpd-3.0.3-build-with-openssl-1.1.patch Patch27: vsftpd-mdtm-in-utc.patch Patch28: vsftpd-die-with-session.patch Patch29: vsftpd-append-seek-pipe.patch +Patch30: vsftpd-3.0.3-address_space_limit.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: pam-devel @@ -132,6 +133,7 @@ tests. %patch27 -p1 %patch28 -p1 %patch29 -p1 +%patch30 -p1 %build %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP From f6c72fe663e00feb6712b1aacb9158ba22fc33eafca2fa644aa66bb7b70361fc Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Mon, 11 Sep 2017 13:02:10 +0000 Subject: [PATCH 5/5] - Don't rely on the vsf_findlibs.sh script to figure out the list of libraries the build needs to link. The script is wildly unreliable and it's hard to predict what results it will produce. Also, the results it *does* produce are invisble in the build log. We stumbled across this issue when vsftpd suddendly had build failures on i586 platforms because the script decided to try and link "-lnsl" even though the library was neither installed nor required. - Drop the explicit specification of the LDFLAGS and LINK variables from the call to make. The value of LDFLAGS we passed is the default anyway and giving LINK has no effect since it's not used anywhere in the Makefile. OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=119 --- vsftpd.changes | 14 ++++++++++++++ vsftpd.spec | 4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/vsftpd.changes b/vsftpd.changes index ceb1497..bd2edb7 100644 --- a/vsftpd.changes +++ b/vsftpd.changes @@ -24,6 +24,20 @@ Thu Sep 7 12:24:26 UTC 2017 - psimons@suse.com enabled, and in such cases administrators may wish to raise the limit to match their system's requirements. [bsc#1042137] +- Don't rely on the vsf_findlibs.sh script to figure out the list + of libraries the build needs to link. The script is wildly + unreliable and it's hard to predict what results it will produce. + Also, the results it *does* produce are invisble in the build + log. We stumbled across this issue when vsftpd suddendly had + build failures on i586 platforms because the script decided to + try and link "-lnsl" even though the library was neither + installed nor required. + +- Drop the explicit specification of the LDFLAGS and LINK variables + from the call to make. The value of LDFLAGS we passed is the + default anyway and giving LINK has no effect since it's not used + anywhere in the Makefile. + ------------------------------------------------------------------- Wed Jun 14 11:42:26 UTC 2017 - tchvatal@suse.com diff --git a/vsftpd.spec b/vsftpd.spec index b0f2703..85f921d 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -137,9 +137,9 @@ tests. %build %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP -rm -f dummyinc/sys/capability.h +rm dummyinc/sys/capability.h vsf_findlibs.sh make CFLAGS="%{optflags} -DOPENSSL_NO_SSL_INTERN -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -fstack-protector --param=ssp-buffer-size=4 %{seccomp_opts}" \ - LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now" LINK= + LIBS="-lpam -lcap -lssl -lcrypto" %install mkdir -p %{buildroot}%{_datadir}/empty