rpms
/
vsftpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import vsftpd-3.0.3-28.el8

Browse Source
c8 imports/c8/vsftpd-3.0.3-28.el8
CentOS Sources 4 years ago committed by Andrew Lukoshko
commit 29c01ac4fd
71 changed files with 6152 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape Escape View File

@ -0,0 +1 @@
SOURCES/vsftpd-3.0.3.tar.gz

1
.vsftpd.metadata
Unescape Escape View File

@ -0,0 +1 @@
d5f5a180dbecd0fbcdc92bf0ba2fc001c962b55a SOURCES/vsftpd-3.0.3.tar.gz

27
SOURCES/0001-Don-t-use-the-provided-script-to-locate-libraries.patch
Unescape Escape View File

@ -0,0 +1,27 @@
From 7bd573d76e9c1996ad5a96f0289731a253a24301 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 6 Sep 2016 13:35:51 +0200
Subject: [PATCH 01/59] Don't use the provided script to locate libraries.
This branch is Fedora (RHEL) specific, so we know what
libraries we have and want to use.
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index c63ed1b..98118dc 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
-D_FORTIFY_SOURCE=2 \
#-pedantic -Wconversion
-LIBS = `./vsf_findlibs.sh`
+LIBS = -lwrap -lnsl -lpam -lcap -ldl -lcrypto
LINK = -Wl,-s
LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
--
2.14.4

25
SOURCES/0002-Enable-build-with-SSL.patch
Unescape Escape View File

@ -0,0 +1,25 @@
From 6fe24bc56694808ac7f8038855883a971967f0fb Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 6 Sep 2016 13:40:53 +0200
Subject: [PATCH 02/59] Enable build with SSL.
---
builddefs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/builddefs.h b/builddefs.h
index e908352..63cc62b 100644
--- a/builddefs.h
+++ b/builddefs.h
@@ -3,7 +3,7 @@
#undef VSF_BUILD_TCPWRAPPERS
#define VSF_BUILD_PAM
-#undef VSF_BUILD_SSL
+#define VSF_BUILD_SSL
#endif /* VSF_BUILDDEFS_H */
--
2.14.4

25
SOURCES/0003-Enable-build-with-TCP-Wrapper.patch
Unescape Escape View File

@ -0,0 +1,25 @@
From 1e0e2b13836d40f5a3f4cb20f2b3ea8204115b51 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 6 Sep 2016 13:42:09 +0200
Subject: [PATCH 03/59] Enable build with TCP Wrapper
---
builddefs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/builddefs.h b/builddefs.h
index 63cc62b..83de674 100644
--- a/builddefs.h
+++ b/builddefs.h
@@ -1,7 +1,7 @@
#ifndef VSF_BUILDDEFS_H
#define VSF_BUILDDEFS_H
-#undef VSF_BUILD_TCPWRAPPERS
+#define VSF_BUILD_TCPWRAPPERS
#define VSF_BUILD_PAM
#define VSF_BUILD_SSL
--
2.14.4

483
SOURCES/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch
Unescape Escape View File

@ -0,0 +1,483 @@
From fff93602a4b252be8d674e27083dde68a7acf038 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 6 Sep 2016 13:46:03 +0200
Subject: [PATCH 04/59] Use /etc/vsftpd/ dir for config files instead of /etc.
---
EXAMPLE/INTERNET_SITE/README | 6 +++---
EXAMPLE/INTERNET_SITE_NOINETD/README | 4 ++--
EXAMPLE/PER_IP_CONFIG/README | 4 ++--
EXAMPLE/VIRTUAL_USERS/README | 14 +++++++-------
FAQ | 8 ++++----
INSTALL | 10 +++++-----
README | 5 +++++
defs.h | 2 +-
tunables.c | 10 +++++-----
vsftpd.8 | 10 +++++-----
vsftpd.conf | 20 +++++++++++++-------
vsftpd.conf.5 | 22 +++++++++++-----------
12 files changed, 63 insertions(+), 52 deletions(-)
diff --git a/EXAMPLE/INTERNET_SITE/README b/EXAMPLE/INTERNET_SITE/README
index 12b10a5..fe3d7ca 100644
--- a/EXAMPLE/INTERNET_SITE/README
+++ b/EXAMPLE/INTERNET_SITE/README
@@ -41,13 +41,13 @@ no_access = 192.168.1.3
As an example of how to ban certain sites from connecting, 192.168.1.3 will
be denied access.
-banner_fail = /etc/vsftpd.busy_banner
+banner_fail = /etc/vsftpd/busy_banner
This is the file to display to users if the connection is refused for whatever
reason (too many users, IP banned).
Example of how to populate it:
-echo "421 Server busy, please try later." > /etc/vsftpd.busy_banner
+echo "421 Server busy, please try later." > /etc/vsftpd/busy_banner
log_on_success += PID HOST DURATION
log_on_failure += HOST
@@ -62,7 +62,7 @@ Step 2) Set up your vsftpd configuration file.
An example file is supplied. Install it like this:
-cp vsftpd.conf /etc
+cp vsftpd.conf /etc/vsftpd
Let's example the contents of the file:
diff --git a/EXAMPLE/INTERNET_SITE_NOINETD/README b/EXAMPLE/INTERNET_SITE_NOINETD/README
index ce17af2..9198c5f 100644
--- a/EXAMPLE/INTERNET_SITE_NOINETD/README
+++ b/EXAMPLE/INTERNET_SITE_NOINETD/README
@@ -17,7 +17,7 @@ even per-connect-IP configurability.
To use this example config:
-1) Copy the vsftpd.conf file in this directory to /etc/vsftpd.conf.
+1) Copy the vsftpd.conf file in this directory to /etc/vsftpd/vsftpd.conf.
2) Start up vsftpd, e.g.
vsftpd &
@@ -51,5 +51,5 @@ in the vsftpd.conf:
listen_address=192.168.1.2
And launch vsftpd with a specific config file like this:
-vsftpd /etc/vsftpd.conf.site1 &
+vsftpd /etc/vsftpd/vsftpd.conf.site1 &
diff --git a/EXAMPLE/PER_IP_CONFIG/README b/EXAMPLE/PER_IP_CONFIG/README
index a9ef352..34924d5 100644
--- a/EXAMPLE/PER_IP_CONFIG/README
+++ b/EXAMPLE/PER_IP_CONFIG/README
@@ -20,12 +20,12 @@ directory: hosts.allow. It lives at /etc/hosts.allow.
Let's have a look at the example:
-vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd_tcp_wrap.conf
+vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd/tcp_wrap.conf
vsftpd: 192.168.1.4: DENY
The first line:
If a client connects from 192.168.1.3, then vsftpd will apply the vsftpd
-config file /etc/vsftpd_tcp_wrap.conf to the session! These settings are
+config file /etc/vsftpd/tcp_wrap.conf to the session! These settings are
applied ON TOP of the default vsftpd.conf.
This is obviously very powerful. You might use this to apply different
access restrictions for some IPs (e.g. the ability to upload).
diff --git a/EXAMPLE/VIRTUAL_USERS/README b/EXAMPLE/VIRTUAL_USERS/README
index b48995d..72972fa 100644
--- a/EXAMPLE/VIRTUAL_USERS/README
+++ b/EXAMPLE/VIRTUAL_USERS/README
@@ -15,7 +15,7 @@ See example file "logins.txt" - this specifies "tom" with password "foo" and
"fred" with password "bar".
Whilst logged in as root, create the actual database file like this:
-db_load -T -t hash -f logins.txt /etc/vsftpd_login.db
+db_load -T -t hash -f logins.txt /etc/vsftpd/login.db
(Requires the Berkeley db program installed).
NOTE: Many systems have multiple versions of "db" installed, so you may
need to use e.g. db3_load for correct operation. This is known to affect
@@ -23,10 +23,10 @@ some Debian systems. The core issue is that pam_userdb expects its login
database to be a specific db version (often db3, whereas db4 may be installed
on your system).
-This will create /etc/vsftpd_login.db. Obviously, you may want to make sure
+This will create /etc/vsftpd/login.db. Obviously, you may want to make sure
the permissions are restricted:
-chmod 600 /etc/vsftpd_login.db
+chmod 600 /etc/vsftpd/login.db
For more information on maintaing your login database, look around for
documentation on "Berkeley DB", e.g.
@@ -37,8 +37,8 @@ Step 2) Create a PAM file which uses your new database.
See the example file vsftpd.pam. It contains two lines:
-auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
-account required /lib/security/pam_userdb.so db=/etc/vsftpd_login
+auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login
+account required /lib/security/pam_userdb.so db=/etc/vsftpd/login
This tells PAM to authenticate users using our new database. Copy this PAM
file to the PAM directory - typically /etc/pam.d/
@@ -108,9 +108,9 @@ pasv_max_port=30999
These put a port range on passive FTP incoming requests - very useful if
you are configuring a firewall.
-Copy the example vsftpd.conf file to /etc:
+Copy the example vsftpd.conf file to /etc/vsftpd:
-cp vsftpd.conf /etc/
+cp vsftpd.conf /etc/vsftpd/
Step 5) Start up vsftpd.
diff --git a/FAQ b/FAQ
index 59fe56b..0142a0d 100644
--- a/FAQ
+++ b/FAQ
@@ -35,7 +35,7 @@ needs this user to run bits of itself with no privilege.
Q) Help! Local users cannot log in.
A) There are various possible problems.
A1) By default, vsftpd disables any logins other than anonymous logins. Put
-local_enable=YES in your /etc/vsftpd.conf to allow local users to log in.
+local_enable=YES in your /etc/vsftpd/vsftpd.conf to allow local users to log in.
A2) vsftpd tries to link with PAM. (Run "ldd vsftpd" and look for libpam to
find out whether this has happened or not). If vsftpd links with PAM, then
you will need to have a PAM file installed for the vsftpd service. There is
@@ -47,12 +47,12 @@ system have a "shadow.h" file in the include path?
A4) If you are not using PAM, then vsftpd will do its own check for a valid
user shell in /etc/shells. You may need to disable this if you use an invalid
shell to disable logins other than FTP logins. Put check_shell=NO in your
-/etc/vsftpd.conf.
+/etc/vsftpd/vsftpd.conf.
Q) Help! Uploads or other write commands give me "500 Unknown command.".
A) By default, write commands, including uploads and new directories, are
disabled. This is a security measure. To enable writes, put write_enable=YES
-in your /etc/vsftpd.conf.
+in your /etc/vsftpd/vsftpd.conf.
Q) Help! What are the security implications referred to in the
"chroot_local_user" option?
@@ -88,7 +88,7 @@ A2) Alternatively, run as many copies as vsftpd as necessary, in standalone
mode. Use "listen_address=x.x.x.x" to set the virtual IP.
Q) Help! Does vsftpd support virtual users?
-A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd.conf. This
+A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd/vsftpd.conf. This
has the effect of mapping every non-anonymous successful login to the local
username specified in "guest_username". Then, use PAM and (e.g.) its pam_userdb
module to provide authentication against an external (i.e. non-/etc/passwd)
diff --git a/INSTALL b/INSTALL
index 4f811aa..93a8a81 100644
--- a/INSTALL
+++ b/INSTALL
@@ -56,14 +56,14 @@ cp vsftpd.8 /usr/local/man/man8
"make install" doesn't copy the sample config file. It is recommended you
do this:
-cp vsftpd.conf /etc
+cp vsftpd.conf /etc/vsftpd
Step 4) Smoke test (without an inetd).
vsftpd can run standalone or via an inetd (such as inetd or xinetd). You will
typically get more control running vsftpd from an inetd. But first we will run
it without, so we can check things are going well so far.
-Edit /etc/vsftpd.conf, and add this line at the bottom:
+Edit /etc/vsftpd/vsftpd.conf, and add this line at the bottom:
listen=YES
@@ -135,11 +135,11 @@ cp RedHat/vsftpd.pam /etc/pam.d/ftp
Step 7) Customize your configuration
As well as the above three pre-requisites, you are recommended to install a
-config file. The default location for the config file is /etc/vsftpd.conf.
+config file. The default location for the config file is /etc/vsftpd/vsftpd.conf.
There is a sample vsftpd.conf in the distribution tarball. You probably want
-to copy that to /etc/vsftpd.conf as a basis for modification, i.e.:
+to copy that to /etc/vsftpd/vsftpd.conf as a basis for modification, i.e.:
-cp vsftpd.conf /etc
+cp vsftpd.conf /etc/vsftpd
The default configuration allows neither local user logins nor anonymous
uploads. You may wish to change these defaults.
diff --git a/README b/README
index 86643c1..adc7f42 100644
--- a/README
+++ b/README
@@ -37,3 +37,8 @@ All configuration options are documented in the manual page vsftpd.conf.5.
Various example configurations are discussed in the EXAMPLE directory.
Frequently asked questions are tackled in the FAQ file.
+Important Note
+==============
+The location of configuration files was changed to /etc/vsftpd/. If you want
+to migrate your old conf files from /etc (files vsftpd.xxxx.rpmsave) use
+/etc/vsfptd/vsftpd_conf_migrate.sh
diff --git a/defs.h b/defs.h
index 0ff5864..ca11eac 100644
--- a/defs.h
+++ b/defs.h
@@ -1,7 +1,7 @@
#ifndef VSF_DEFS_H
#define VSF_DEFS_H
-#define VSFTP_DEFAULT_CONFIG "/etc/vsftpd.conf"
+#define VSFTP_DEFAULT_CONFIG "/etc/vsftpd/vsftpd.conf"
#define VSFTP_COMMAND_FD 0
diff --git a/tunables.c b/tunables.c
index 284a10d..0ac4c34 100644
--- a/tunables.c
+++ b/tunables.c
@@ -190,7 +190,7 @@ tunables_load_defaults()
tunable_listen_ipv6 = 0;
tunable_dual_log_enable = 0;
tunable_syslog_enable = 0;
- tunable_background = 0;
+ tunable_background = 1;
tunable_virtual_use_local_privs = 0;
tunable_session_support = 0;
tunable_download_enable = 1;
@@ -262,11 +262,11 @@ tunables_load_defaults()
install_str_setting(".message", &tunable_message_file);
install_str_setting("nobody", &tunable_nopriv_user);
install_str_setting(0, &tunable_ftpd_banner);
- install_str_setting("/etc/vsftpd.banned_emails", &tunable_banned_email_file);
- install_str_setting("/etc/vsftpd.chroot_list", &tunable_chroot_list_file);
+ install_str_setting("/etc/vsftpd/banned_emails", &tunable_banned_email_file);
+ install_str_setting("/etc/vsftpd/chroot_list", &tunable_chroot_list_file);
install_str_setting("ftp", &tunable_pam_service_name);
install_str_setting("ftp", &tunable_guest_username);
- install_str_setting("/etc/vsftpd.user_list", &tunable_userlist_file);
+ install_str_setting("/etc/vsftpd/user_list", &tunable_userlist_file);
install_str_setting(0, &tunable_anon_root);
install_str_setting(0, &tunable_local_root);
install_str_setting(0, &tunable_banner_file);
@@ -279,7 +279,7 @@ tunables_load_defaults()
install_str_setting(0, &tunable_hide_file);
install_str_setting(0, &tunable_deny_file);
install_str_setting(0, &tunable_user_sub_token);
- install_str_setting("/etc/vsftpd.email_passwords",
+ install_str_setting("/etc/vsftpd/email_passwords",
&tunable_email_password_file);
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
diff --git a/vsftpd.8 b/vsftpd.8
index 6640b57..c920e7d 100644
--- a/vsftpd.8
+++ b/vsftpd.8
@@ -21,7 +21,7 @@ itself will listen on the network. This latter mode is easier to use, and
recommended. It is activated by setting
.Pa listen=YES
in
-.Pa /etc/vsftpd.conf .
+.Pa /etc/vsftpd/vsftpd.conf .
Direct execution of the
.Nm vsftpd
binary will then launch the FTP service ready for immediate client connections.
@@ -33,7 +33,7 @@ as root. Any command line option not starting with a "-" character is treated
as a config file that will be loaded. Note that config files are loaded in the
strict order that they are encountered on the command line.
If no config files are specified, the default configuration file of
-.Pa /etc/vsftpd.conf
+.Pa /etc/vsftpd/vsftpd.conf
will be loaded, after all other command line options are processed.
.Pp
Supported options are:
@@ -47,14 +47,14 @@ their appearance on the command line, including intermingling with loading of
config files.
.El
.Sh EXAMPLES
-vsftpd -olisten=NO /etc/vsftpd.conf -oftpd_banner=blah
+vsftpd -olisten=NO /etc/vsftpd/vsftpd.conf -oftpd_banner=blah
.Pp
That example overrides vsftpd's built-in default for the "listen" option to be
-NO, but then loads /etc/vsftpd.conf which may override that setting. Finally,
+NO, but then loads /etc/vsftpd/vsftpd.conf which may override that setting. Finally,
the "ftpd_banner" setting is set to "blah", which overrides any default vsftpd
setting and any identical setting that was in the config file.
.Sh FILES
-.Pa /etc/vsftpd.conf
+.Pa /etc/vsftpd/vsftpd.conf
.Sh SEE ALSO
.Xr vsftpd.conf 5
.end
diff --git a/vsftpd.conf b/vsftpd.conf
index cc1c607..db44170 100644
--- a/vsftpd.conf
+++ b/vsftpd.conf
@@ -1,4 +1,4 @@
-# Example config file /etc/vsftpd.conf
+# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
@@ -12,18 +12,20 @@
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
-#local_enable=YES
+# When SELinux is enforcing check for SE bool ftp_home_dir
+local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
-#write_enable=YES
+write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
-#local_umask=022
+local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
+# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
@@ -52,7 +54,7 @@ connect_from_port_20=YES
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
-#xferlog_std_format=YES
+xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
@@ -87,7 +89,7 @@ connect_from_port_20=YES
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
-#banned_email_file=/etc/vsftpd.banned_emails
+#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
@@ -98,7 +100,7 @@ connect_from_port_20=YES
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
-#chroot_list_file=/etc/vsftpd.chroot_list
+#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
@@ -115,3 +117,7 @@ listen=YES
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
+
+pam_service_name=vsftpd
+userlist_enable=YES
+tcp_wrappers=YES
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index fcc6022..5e46a2f 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -4,7 +4,7 @@ vsftpd.conf \- config file for vsftpd
.SH DESCRIPTION
vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By
default, vsftpd looks for this file at the location
-.BR /etc/vsftpd.conf .
+.BR /etc/vsftpd/vsftpd.conf .
However, you may override this by specifying a command line argument to
vsftpd. The command line argument is the pathname of the configuration file
for vsftpd. This behaviour is useful because you may wish to use an advanced
@@ -110,7 +110,7 @@ When enabled, and vsftpd is started in "listen" mode, vsftpd will background
the listener process. i.e. control will immediately be returned to the shell
which launched vsftpd.
-Default: NO
+Default: YES
.TP
.B check_shell
Note! This option only has an effect for non-PAM builds of vsftpd. If disabled,
@@ -138,7 +138,7 @@ chroot() jail in their home directory upon login. The meaning is slightly
different if chroot_local_user is set to YES. In this case, the list becomes
a list of users which are NOT to be placed in a chroot() jail.
By default, the file containing this list is
-/etc/vsftpd.chroot_list, but you may override this with the
+/etc/vsftpd/chroot_list, but you may override this with the
.BR chroot_list_file
setting.
@@ -177,7 +177,7 @@ Default: NO
.B deny_email_enable
If activated, you may provide a list of anonymous password e-mail responses
which cause login to be denied. By default, the file containing this list is
-/etc/vsftpd.banned_emails, but you may override this with the
+/etc/vsftpd/banned_emails, but you may override this with the
.BR banned_email_file
setting.
@@ -433,7 +433,7 @@ anonymous logins are prevented unless the password provided is listed in the
file specified by the
.BR email_password_file
setting. The file format is one password per line, no extra whitespace. The
-default filename is /etc/vsftpd.email_passwords.
+default filename is /etc/vsftpd/email_passwords.
Default: NO
.TP
@@ -764,7 +764,7 @@ passwords which are not permitted. This file is consulted if the option
.BR deny_email_enable
is enabled.
-Default: /etc/vsftpd.banned_emails
+Default: /etc/vsftpd/banned_emails
.TP
.B banner_file
This option is the name of a file containing text to display when someone
@@ -803,7 +803,7 @@ is enabled. If the option
is enabled, then the list file becomes a list of users to NOT place in a
chroot() jail.
-Default: /etc/vsftpd.chroot_list
+Default: /etvsftpd.confc/vsftpd.chroot_list
.TP
.B cmds_allowed
This options specifies a comma separated list of allowed FTP commands (post
@@ -864,7 +864,7 @@ This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable
setting.
-Default: /etc/vsftpd.email_passwords
+Default: /etc/vsftpd/email_passwords
.TP
.B ftp_username
This is the name of the user we use for handling anonymous FTP. The home
@@ -987,10 +987,10 @@ the manual page, on a per-user basis. Usage is simple, and is best illustrated
with an example. If you set
.BR user_config_dir
to be
-.BR /etc/vsftpd_user_conf
+.BR /etc/vsftpd/user_conf
and then log on as the user "chris", then vsftpd will apply the settings in
the file
-.BR /etc/vsftpd_user_conf/chris
+.BR /etc/vsftpd/user_conf/chris
for the duration of the session. The format of this file is as detailed in
this manual page! PLEASE NOTE that not all settings are effective on a
per-user basis. For example, many settings only prior to the user's session
@@ -1026,7 +1026,7 @@ This option is the name of the file loaded when the
.BR userlist_enable
option is active.
-Default: /etc/vsftpd.user_list
+Default: /etc/vsftpd/user_list
.TP
.B vsftpd_log_file
This option is the name of the file to which we write the vsftpd style
--
2.14.4

75
SOURCES/0005-Use-hostname-when-calling-PAM-authentication-module.patch
Unescape Escape View File

@ -0,0 +1,75 @@
From 08c49b78942d40c99fae8c40e7668aa73e1bd695 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 6 Sep 2016 15:01:23 +0200
Subject: [PATCH 05/59] Use hostname when calling PAM authentication module.
Currently the vsftpd passes all logins as IP addresses
into PAM. This prevents administrators from setting up
ACLs based on domain (e.g. .example.com). This patch
enables reverse host lookup and use hostname instead
of address if there is one.
---
sysdeputil.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/sysdeputil.c b/sysdeputil.c
index 06f01f4..b2782da 100644
--- a/sysdeputil.c
+++ b/sysdeputil.c
@@ -16,6 +16,10 @@
#include "tunables.h"
#include "builddefs.h"
+/* For gethostbyaddr, inet_addr */
+#include <netdb.h>
+#include <arpa/inet.h>
+
/* For Linux, this adds nothing :-) */
#include "port/porting_junk.h"
@@ -323,6 +327,10 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
const struct mystr* p_remote_host)
{
int retval = -1;
+#ifdef PAM_RHOST
+ struct sockaddr_in sin;
+ struct hostent *host;
+#endif
pam_item_t item;
const char* pam_user_name = 0;
struct pam_conv the_conv =
@@ -346,7 +354,12 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
return 0;
}
#ifdef PAM_RHOST
- retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
+ sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host));
+ host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET);
+ if (host != (struct hostent*)0)
+ retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name);
+ else
+ retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
if (retval != PAM_SUCCESS)
{
(void) pam_end(s_pamh, retval);
@@ -559,7 +572,7 @@ vsf_sysdep_has_capabilities(void)
}
return s_runtime_has_caps;
}
-
+
#ifndef VSF_SYSDEP_HAVE_LIBCAP
static int
do_checkcap(void)
@@ -1081,7 +1094,7 @@ vsf_sysutil_recv_fd(const int sock_fd)
msg.msg_flags = 0;
/* In case something goes wrong, set the fd to -1 before the syscall */
p_fd = (int*)CMSG_DATA(CMSG_FIRSTHDR(&msg));
- *p_fd = -1;
+ *p_fd = -1;
retval = recvmsg(sock_fd, &msg, 0);
if (retval != 1)
{
--
2.14.4

35
SOURCES/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch
Unescape Escape View File

@ -0,0 +1,35 @@
From 423cbf4ddca6578b87e0f8a3fc425688cd1ca89c Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 6 Sep 2016 16:18:39 +0200
Subject: [PATCH 06/59] Close stdin/out/err before listening for incoming
connections.
When running vsftpd as a stand-alone FTP daemon, vsftpd
did not close stdin/out/err. This caused the start script
to hang waiting for stdin to close. Before this patch was
applied, one had to hit ctrl+c in order to get shell prompt
back. Correct behavior:
$ /etc/init.d/vsftpd start | tee
Starting vsftpd for vsftpd: [ OK ]
$
---
standalone.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/standalone.c b/standalone.c
index ba01ab1..e0f2d5b 100644
--- a/standalone.c
+++ b/standalone.c
@@ -130,6 +130,9 @@ vsf_standalone_main(void)
die("could not bind listening IPv6 socket");
}
}
+ vsf_sysutil_close(0);
+ vsf_sysutil_close(1);
+ vsf_sysutil_close(2);
retval = vsf_sysutil_listen(listen_sock, VSFTP_LISTEN_BACKLOG);
if (vsf_sysutil_retval_is_error(retval))
{
--
2.14.4

102
SOURCES/0007-Make-filename-filters-smarter.patch
Unescape Escape View File

@ -0,0 +1,102 @@
From 548375b2122f83771dc0b8571f16e5b5adabba98 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 10:04:31 +0200
Subject: [PATCH 07/59] Make filename filters smarter.
In the original version vsftpd was not able to prevent
users from downloading for instance /etc/passwd by
defining filters such as deny_file=/etc/passwd or /etc*
or passwd. Example of erroneous behavior:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /
250 Directory successfully changed.
ftp> cd /etc
550 Permission denied.
ftp> cd etc
250 Directory successfully changed.
ftp> get passwd
local: passwd remote: passwd
227 Entering Passive Mode (127,0,0,1,99,251)
150 Opening BINARY mode data connection for passwd (2813 bytes).
226 File send OK.
2813 bytes received in 0.00016 seconds (1.7e+04 Kbytes/s)
ftp> quit
221 Goodbye.
---
ls.c | 24 +++++++++++++++++++++++-
str.c | 11 +++++++++++
str.h | 1 +
3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/ls.c b/ls.c
index 7e1376d..f489478 100644
--- a/ls.c
+++ b/ls.c
@@ -246,8 +246,30 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
int ret = 0;
char last_token = 0;
int must_match_at_current_pos = 1;
+
+
str_copy(&filter_remain_str, p_filter_str);
- str_copy(&name_remain_str, p_filename_str);
+
+ if (!str_isempty (&filter_remain_str) && !str_isempty(p_filename_str)) {
+ if (str_get_char_at(p_filter_str, 0) == '/') {
+ if (str_get_char_at(p_filename_str, 0) != '/') {
+ str_getcwd (&name_remain_str);
+
+ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
+ str_append_char (&name_remain_str, '/');
+
+ str_append_str (&name_remain_str, p_filename_str);
+ }
+ else
+ str_copy (&name_remain_str, p_filename_str);
+ } else {
+ if (str_get_char_at(p_filter_str, 0) != '{')
+ str_basename (&name_remain_str, p_filename_str);
+ else
+ str_copy (&name_remain_str, p_filename_str);
+ }
+ } else
+ str_copy(&name_remain_str, p_filename_str);
while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
{
diff --git a/str.c b/str.c
index 6596204..ba4b92a 100644
--- a/str.c
+++ b/str.c
@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_str, char new_char)
}
}
+void
+str_basename (struct mystr* d_str, const struct mystr* path)
+{
+ static struct mystr tmp;
+
+ str_copy (&tmp, path);
+ str_split_char_reverse(&tmp, d_str, '/');
+
+ if (str_isempty(d_str))
+ str_copy (d_str, path);
+}
diff --git a/str.h b/str.h
index ab0a9a4..3a21b50 100644
--- a/str.h
+++ b/str.h
@@ -100,6 +100,7 @@ void str_replace_unprintable(struct mystr* p_str, char new_char);
int str_atoi(const struct mystr* p_str);
filesize_t str_a_to_filesize_t(const struct mystr* p_str);
unsigned int str_octal_to_uint(const struct mystr* p_str);
+void str_basename (struct mystr* d_str, const struct mystr* path);
/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
* buffer, starting at character position 'p_pos'. The extracted line will
--
2.14.4

147
SOURCES/0008-Write-denied-logins-into-the-log.patch
Unescape Escape View File

@ -0,0 +1,147 @@
From 75c172596aa9e7a9f32062579f7f98783341c924 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 10:17:17 +0200
Subject: [PATCH 08/59] Write denied logins into the log.
This patch adds a new option 'userlist_log'. If enabled,
every login denial based on the user list will be logged.
---
logging.c | 7 +++++++
logging.h | 11 +++++++++++
parseconf.c | 1 +
prelogin.c | 14 ++++++++++++++
tunables.c | 2 ++
tunables.h | 1 +
vsftpd.conf.5 | 8 ++++++++
7 files changed, 44 insertions(+)
diff --git a/logging.c b/logging.c
index ad531d6..99671b4 100644
--- a/logging.c
+++ b/logging.c
@@ -103,6 +103,13 @@ vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
vsf_log_common(p_sess, 1, what, p_str);
}
+void
+vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
+ struct mystr* p_str)
+{
+ vsf_log_common(p_sess, 0, what, p_str);
+}
+
int
vsf_log_entry_pending(struct vsf_session* p_sess)
{
diff --git a/logging.h b/logging.h
index 48f88ec..1ff57d1 100644
--- a/logging.h
+++ b/logging.h
@@ -80,5 +80,16 @@ void vsf_log_do_log(struct vsf_session* p_sess, int succeeded);
void vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
struct mystr* p_str);
+/* vsf_log_failed_line()
+ * PURPOSE
+ * Same as vsf_log_line(), except that it logs the line as failed operation.
+ * PARAMETERS
+ * p_sess - the current session object
+ * what - the type of operation to log
+ * p_str - the string to log
+ */
+void vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
+ struct mystr* p_str);
+
#endif /* VSF_LOGGING_H */
diff --git a/parseconf.c b/parseconf.c
index ea2242b..385afd2 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -91,6 +91,7 @@ parseconf_bool_array[] =
{ "mdtm_write", &tunable_mdtm_write },
{ "lock_upload_files", &tunable_lock_upload_files },
{ "pasv_addr_resolve", &tunable_pasv_addr_resolve },
+ { "userlist_log", &tunable_userlist_log },
{ "debug_ssl", &tunable_debug_ssl },
{ "require_cert", &tunable_require_cert },
{ "validate_cert", &tunable_validate_cert },
diff --git a/prelogin.c b/prelogin.c
index df4aade..1588bc1 100644
--- a/prelogin.c
+++ b/prelogin.c
@@ -246,6 +246,20 @@ handle_user_command(struct vsf_session* p_sess)
check_login_delay();
vsf_cmdio_write(p_sess, FTP_LOGINERR, "Permission denied.");
check_login_fails(p_sess);
+ if (tunable_userlist_log)
+ {
+ struct mystr str_log_line = INIT_MYSTR;
+ if (tunable_userlist_deny)
+ {
+ str_alloc_text(&str_log_line, "User is in the deny user list.");
+ }
+ else
+ {
+ str_alloc_text(&str_log_line, "User is not in the allow user list.");
+ }
+ vsf_log_failed_line(p_sess, kVSFLogEntryLogin, &str_log_line);
+ str_free(&str_log_line);
+ }
str_empty(&p_sess->user_str);
return;
}
diff --git a/tunables.c b/tunables.c
index 0ac4c34..b30fca1 100644
--- a/tunables.c
+++ b/tunables.c
@@ -72,6 +72,7 @@ int tunable_force_anon_data_ssl;
int tunable_mdtm_write;
int tunable_lock_upload_files;
int tunable_pasv_addr_resolve;
+int tunable_userlist_log;
int tunable_debug_ssl;
int tunable_require_cert;
int tunable_validate_cert;
@@ -212,6 +213,7 @@ tunables_load_defaults()
tunable_mdtm_write = 1;
tunable_lock_upload_files = 1;
tunable_pasv_addr_resolve = 0;
+ tunable_userlist_log = 0;
tunable_debug_ssl = 0;
tunable_require_cert = 0;
tunable_validate_cert = 0;
diff --git a/tunables.h b/tunables.h
index 05d2456..e44d64c 100644
--- a/tunables.h
+++ b/tunables.h
@@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
extern int tunable_mdtm_write; /* Allow MDTM to set timestamps */
extern int tunable_lock_upload_files; /* Lock uploading files */
extern int tunable_pasv_addr_resolve; /* DNS resolve pasv_addr */
+extern int tunable_userlist_log; /* Log every failed login attempt */
extern int tunable_debug_ssl; /* Verbose SSL logging */
extern int tunable_require_cert; /* SSL client cert required */
extern int tunable_validate_cert; /* SSL certs must be valid */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 5e46a2f..9d767b1 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -586,6 +586,14 @@ Default: NO
If set to yes, all SSL client certificates received must validate OK.
Self-signed certs do not constitute OK validation. (New in v2.0.6).
+Default: NO
+.TP
+.B userlist_log
+This option is examined if
+.BR userlist_enable
+is activated. If enabled, every login denial based on the user list will be
+logged.
+
Default: NO
.TP
.B virtual_use_local_privs
--
2.14.4

99
SOURCES/0009-Trim-whitespaces-when-reading-configuration.patch
Unescape Escape View File

@ -0,0 +1,99 @@
From d024bc27cee40f21e6a3841266062408c44e56fb Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 10:35:54 +0200
Subject: [PATCH 09/59] Trim whitespaces when reading configuration.
---
parseconf.c | 2 +-
str.c | 12 ++++++++++++
str.h | 1 +
sysutil.c | 12 ++++++++++++
sysutil.h | 1 +
5 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/parseconf.c b/parseconf.c
index 385afd2..30df598 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -280,7 +280,7 @@ vsf_parseconf_load_setting(const char* p_setting, int errs_fatal)
}
else
{
- *p_curr_setting = str_strdup(&s_value_str);
+ *p_curr_setting = str_strdup_trimmed(&s_value_str);
}
return;
}
diff --git a/str.c b/str.c
index ba4b92a..41b27db 100644
--- a/str.c
+++ b/str.c
@@ -104,6 +104,18 @@ str_strdup(const struct mystr* p_str)
return vsf_sysutil_strdup(str_getbuf(p_str));
}
+const char*
+str_strdup_trimmed(const struct mystr* p_str)
+{
+ const char* p_trimmed = str_getbuf(p_str);
+ int h, t, newlen;
+
+ for (h = 0; h < (int)str_getlen(p_str) && vsf_sysutil_isspace(p_trimmed[h]); h++) ;
+ for (t = str_getlen(p_str) - 1; t >= 0 && vsf_sysutil_isspace(p_trimmed[t]); t--) ;
+ newlen = t - h + 1;
+ return newlen ? vsf_sysutil_strndup(p_trimmed+h, (unsigned int)newlen) : 0L;
+}
+
void
str_alloc_alt_term(struct mystr* p_str, const char* p_src, char term)
{
diff --git a/str.h b/str.h
index 3a21b50..44270da 100644
--- a/str.h
+++ b/str.h
@@ -31,6 +31,7 @@ void str_alloc_ulong(struct mystr* p_str, unsigned long the_ulong);
void str_alloc_filesize_t(struct mystr* p_str, filesize_t the_filesize);
void str_copy(struct mystr* p_dest, const struct mystr* p_src);
const char* str_strdup(const struct mystr* p_str);
+const char* str_strdup_trimmed(const struct mystr* p_str);
void str_empty(struct mystr* p_str);
void str_free(struct mystr* p_str);
void str_trunc(struct mystr* p_str, unsigned int trunc_len);
diff --git a/sysutil.c b/sysutil.c
index 5cdb6ef..428a34a 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -1035,6 +1035,18 @@ vsf_sysutil_strdup(const char* p_str)
return strdup(p_str);
}
+char*
+vsf_sysutil_strndup(const char* p_str, unsigned int p_len)
+{
+ char *new = (char *)malloc(p_len+1);
+
+ if (new == NULL)
+ return NULL;
+
+ new[p_len]='\0';
+ return (char *)memcpy(new, p_str, p_len);
+}
+
void
vsf_sysutil_memclr(void* p_dest, unsigned int size)
{
diff --git a/sysutil.h b/sysutil.h
index c34778c..c2ddd15 100644
--- a/sysutil.h
+++ b/sysutil.h
@@ -186,6 +186,7 @@ int vsf_sysutil_wait_get_exitcode(
/* Various string functions */
unsigned int vsf_sysutil_strlen(const char* p_text);
char* vsf_sysutil_strdup(const char* p_str);
+char* vsf_sysutil_strndup(const char* p_str, unsigned int p_len);
void vsf_sysutil_memclr(void* p_dest, unsigned int size);
void vsf_sysutil_memcpy(void* p_dest, const void* p_src,
const unsigned int size);
--
2.14.4

209
SOURCES/0010-Improve-daemonizing.patch
Unescape Escape View File

@ -0,0 +1,209 @@
From 569e7078244470ac0fcc2af3947c2735338555ec Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 11:29:29 +0200
Subject: [PATCH 10/59] Improve daemonizing
Init script gets correct return code if binding fails.
---
standalone.c | 38 +++++++++++++++++++++++++++++++++++++-
sysutil.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
sysutil.h | 7 ++++++-
3 files changed, 102 insertions(+), 2 deletions(-)
diff --git a/standalone.c b/standalone.c
index e0f2d5b..3b65ea2 100644
--- a/standalone.c
+++ b/standalone.c
@@ -26,6 +26,8 @@ static unsigned int s_ipaddr_size;
static void handle_sigchld(void* duff);
static void handle_sighup(void* duff);
+static void handle_sigusr1(int sig);
+static void handle_sigalrm(int sig);
static void prepare_child(int sockfd);
static unsigned int handle_ip_count(void* p_raw_addr);
static void drop_ip_count(void* p_raw_addr);
@@ -46,11 +48,23 @@ vsf_standalone_main(void)
}
if (tunable_background)
{
+ vsf_sysutil_sigaction(kVSFSysUtilSigALRM, handle_sigalrm);
+ vsf_sysutil_sigaction(kVSFSysUtilSigUSR1, handle_sigusr1);
+
int forkret = vsf_sysutil_fork();
if (forkret > 0)
{
/* Parent, just exit */
- vsf_sysutil_exit(0);
+ vsf_sysutil_set_alarm(3);
+ vsf_sysutil_pause();
+
+ vsf_sysutil_exit(1);
+ }
+ else if (forkret == 0)
+ {
+ // Son, restore original signal handler
+ vsf_sysutil_sigaction(kVSFSysUtilSigALRM, 0L);
+ vsf_sysutil_sigaction(kVSFSysUtilSigUSR1, 0L);
}
/* Son, close standard FDs to avoid SSH hang-on-exit */
vsf_sysutil_reopen_standard_fds();
@@ -99,6 +113,10 @@ vsf_standalone_main(void)
{
die("could not bind listening IPv4 socket");
}
+ if (tunable_background)
+ {
+ vsf_sysutil_kill(vsf_sysutil_getppid(), kVSFSysUtilSigUSR1);
+ }
}
else
{
@@ -129,6 +147,10 @@ vsf_standalone_main(void)
{
die("could not bind listening IPv6 socket");
}
+ if (tunable_background)
+ {
+ vsf_sysutil_kill(vsf_sysutil_getppid(), kVSFSysUtilSigUSR1);
+ }
}
vsf_sysutil_close(0);
vsf_sysutil_close(1);
@@ -268,6 +290,20 @@ handle_sighup(void* duff)
vsf_parseconf_load_file(0, 0);
}
+static void
+handle_sigalrm(int sig)
+{
+ (void)sig; // avoid unused parameter error
+ vsf_sysutil_exit(1);
+}
+
+static void
+handle_sigusr1(int sig)
+{
+ (void)sig; // avoid unused parameter error
+ vsf_sysutil_exit(0);
+}
+
static unsigned int
hash_ip(unsigned int buckets, void* p_key)
{
diff --git a/sysutil.c b/sysutil.c
index 428a34a..c848356 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -201,6 +201,9 @@ vsf_sysutil_translate_sig(const enum EVSFSysUtilSignal sig)
case kVSFSysUtilSigHUP:
realsig = SIGHUP;
break;
+ case kVSFSysUtilSigUSR1:
+ realsig = SIGUSR1;
+ break;
default:
bug("unknown signal in vsf_sysutil_translate_sig");
break;
@@ -549,6 +552,12 @@ vsf_sysutil_getpid(void)
return (unsigned int) s_current_pid;
}
+unsigned int
+vsf_sysutil_getppid(void)
+{
+ return (unsigned int)getppid();
+}
+
int
vsf_sysutil_fork(void)
{
@@ -2871,3 +2880,53 @@ vsf_sysutil_post_fork()
s_sig_details[i].pending = 0;
}
}
+
+static struct sigaction sigalr, sigusr1;
+
+void
+vsf_sysutil_sigaction(const enum EVSFSysUtilSignal sig, void (*p_handlefunc)(int))
+{
+ int realsig = vsf_sysutil_translate_sig(sig);
+ int retval;
+ struct sigaction sigact, *origsigact=NULL;
+ if (realsig==SIGALRM)
+ {
+ origsigact = &sigalr;
+ }
+ else if (realsig==SIGUSR1)
+ {
+ origsigact = &sigusr1;
+ }
+ vsf_sysutil_memclr(&sigact, sizeof(sigact));
+ if (p_handlefunc != NULL)
+ {
+ sigact.sa_handler = p_handlefunc;
+ retval = sigfillset(&sigact.sa_mask);
+ if (retval != 0)
+ {
+ die("sigfillset");
+ }
+ retval = sigaction(realsig, &sigact, origsigact);
+ }
+ else
+ {
+ retval = sigaction(realsig, origsigact, NULL);
+ }
+ if (retval != 0)
+ {
+ die("sigaction");
+ }
+}
+
+int
+vsf_sysutil_kill(int pid, int sig)
+{
+ int realsig = vsf_sysutil_translate_sig(sig);
+ return kill(pid, realsig);
+}
+
+int
+vsf_sysutil_pause()
+{
+ return pause();
+}
diff --git a/sysutil.h b/sysutil.h
index c2ddd15..bfc92cb 100644
--- a/sysutil.h
+++ b/sysutil.h
@@ -30,7 +30,8 @@ enum EVSFSysUtilSignal
kVSFSysUtilSigCHLD,
kVSFSysUtilSigPIPE,
kVSFSysUtilSigURG,
- kVSFSysUtilSigHUP
+ kVSFSysUtilSigHUP,
+ kVSFSysUtilSigUSR1
};
enum EVSFSysUtilInterruptContext
{
@@ -165,6 +166,7 @@ void vsf_sysutil_free(void* p_ptr);
/* Process creation/exit/process handling */
unsigned int vsf_sysutil_getpid(void);
+unsigned int vsf_sysutil_getppid(void);
void vsf_sysutil_post_fork(void);
int vsf_sysutil_fork(void);
int vsf_sysutil_fork_failok(void);
@@ -182,6 +184,9 @@ int vsf_sysutil_wait_exited_normally(
const struct vsf_sysutil_wait_retval* p_waitret);
int vsf_sysutil_wait_get_exitcode(
const struct vsf_sysutil_wait_retval* p_waitret);
+void vsf_sysutil_sigaction(const enum EVSFSysUtilSignal sig, void (*p_handlefunc)(int));
+int vsf_sysutil_kill(int pid, int sig);
+int vsf_sysutil_pause();
/* Various string functions */
unsigned int vsf_sysutil_strlen(const char* p_text);
--
2.14.4

38
SOURCES/0011-Fix-listing-with-more-than-one-star.patch
Unescape Escape View File

@ -0,0 +1,38 @@
From 32e6642640635d7305969f808b5badb706a11bff Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 11:36:17 +0200
Subject: [PATCH 11/59] Fix listing with more than one star '*'.
This is a regression introduced by some previous patch.
---
ls.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/ls.c b/ls.c
index f489478..616b2d9 100644
--- a/ls.c
+++ b/ls.c
@@ -311,6 +311,20 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
{
goto out;
}
+ if (!must_match_at_current_pos && last_token == 0)
+ {
+ struct mystr last_str = INIT_MYSTR;
+ str_mid_to_end(&name_remain_str, &last_str,
+ str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str));
+ locate_result = str_locate_str(&last_str, &s_match_needed_str);
+ str_free(&last_str);
+
+ if (locate_result.found)
+ {
+ ret = 1;
+ }
+ goto out;
+ }
/* Chop matched string out of remainder */
str_mid_to_end(&name_remain_str, &temp_str,
indexx + str_getlen(&s_match_needed_str));
--
2.14.4

35
SOURCES/0012-Replace-syscall-__NR_clone-.-with-clone.patch
Unescape Escape View File

@ -0,0 +1,35 @@
From 0c3a1123c391995ab46cfde603fa025ff180a819 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 11:43:54 +0200
Subject: [PATCH 12/59] Replace syscall(__NR_clone ..) with clone ()
in order to fix incorrect order of params on s390 arch
---
sysdeputil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sysdeputil.c b/sysdeputil.c
index b2782da..3bbabaa 100644
--- a/sysdeputil.c
+++ b/sysdeputil.c
@@ -1306,7 +1306,7 @@ vsf_sysutil_fork_isolate_failok()
static int cloneflags_work = 1;
if (cloneflags_work)
{
- int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
+ int ret = clone(NULL, NULL, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
if (ret != -1 || (errno != EINVAL && errno != EPERM))
{
if (ret == 0)
@@ -1328,7 +1328,7 @@ vsf_sysutil_fork_newnet()
static int cloneflags_work = 1;
if (cloneflags_work)
{
- int ret = syscall(__NR_clone, CLONE_NEWNET | SIGCHLD, NULL);
+ int ret = clone(NULL, NULL, CLONE_NEWNET | SIGCHLD, NULL);
if (ret != -1 || (errno != EINVAL && errno != EPERM))
{
if (ret == 0)
--
2.14.4

86
SOURCES/0013-Extend-man-pages-with-systemd-info.patch
Unescape Escape View File

@ -0,0 +1,86 @@
From 813a4bc45d45f4af94c699893cb2d2ba998d5d31 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 11:53:07 +0200
Subject: [PATCH 13/59] Extend man pages with systemd info.
Man pages now reflect how is vsftpd used as
systemd service.
---
vsftpd.8 | 24 ++++++++++++++++++++++++
vsftpd.conf.5 | 18 +++++++++++++++++-
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/vsftpd.8 b/vsftpd.8
index c920e7d..fbeb1a2 100644
--- a/vsftpd.8
+++ b/vsftpd.8
@@ -25,6 +25,23 @@ in
Direct execution of the
.Nm vsftpd
binary will then launch the FTP service ready for immediate client connections.
+.Pp
+Systemd changes the vsftpd daemon start-up. The vsftpd package contains vsftpd-generator script generating symbolic links to /var/run/systemd/generator/vsftpd.target.wants directory. The generator is called during e.g. 'systemctl --system daemon-reload'. All these symbolic links link /usr/lib/systemd/system/vsftpd@.service file.
+The vsftpd daemon(s) is/are controlled by one of following ways:
+.Pp
+1. Single daemon using default /etc/vsftpd/vsftpd.conf configuration file
+.br
+# systemctl {start,stop,...} vsftpd[.service]
+.Pp
+2. Single daemon using /etc/vsftpd/<conf-name>.conf
+.br
+# systemctl {start,stop,...} vsftpd@<conf-name>[.service]
+.Pp
+3. All instances together
+.br
+# systemctl {restart,stop} vsftpd.target
+.Pp
+See systemd.unit(5), systemd.target(5) for further details.
.Sh OPTIONS
An optional
configuration file or files
@@ -55,6 +72,13 @@ the "ftpd_banner" setting is set to "blah", which overrides any default vsftpd
setting and any identical setting that was in the config file.
.Sh FILES
.Pa /etc/vsftpd/vsftpd.conf
+.Pp
+.Pa /usr/lib/systemd/system/vsftpd.service
+.Pp
+.Pa /usr/lib/systemd/system/vsftpd@.service
+.Pp
+.Pa /usr/lib/systemd/system/vsftpd.target
.Sh SEE ALSO
.Xr vsftpd.conf 5
+.Xr systemd.unit 5
.end
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 9d767b1..0744f85 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -12,7 +12,23 @@ inetd such as
.BR xinetd
to launch vsftpd with different configuration files on a per virtual host
basis.
-
+.P
+Systemd changes the vsftpd daemon start-up. The vsftpd package contains vsftpd-generator script generating symbolic links to /var/run/systemd/generator/vsftpd.target.wants directory. The generator is called during e. g. 'systemctl --system daemon-reload'. All these symbolic links link /usr/lib/systemd/system/vsftpd@.service file.
+The vsftpd daemon(s) is/are controlled by one of following ways:
+.P
+1. Single daemon using default /etc/vsftpd/vsftpd.conf configuration file
+.br
+# systemctl {start,stop,...} vsftpd[.service]
+.P
+2. Single daemon using /etc/vsftpd/<config-filename>.conf
+.br
+# systemctl {start,stop,...} vsftpd@<config-filename-without-extension>[.service]
+.P
+3. All instances together
+.br
+# systemctl {restart,stop} vsftpd.target
+.P
+See systemd.unit(5), systemd.target(5) for further details.
.SH FORMAT
The format of vsftpd.conf is very simple. Each line is either a comment or
a directive. Comment lines start with a # and are ignored. A directive line
--
2.14.4

277
SOURCES/0014-Add-support-for-square-brackets-in-ls.patch
Unescape Escape View File

@ -0,0 +1,277 @@
From ba0520650ae7f9f63e48ba9fb3a94297aebe2d0c Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 14:22:21 +0200
Subject: [PATCH 14/59] Add support for square brackets in ls.
---
ls.c | 222 +++++++++++++++++++++++++++++++++++++++++++++----------------------
1 file changed, 150 insertions(+), 72 deletions(-)
diff --git a/ls.c b/ls.c
index 616b2d9..b840136 100644
--- a/ls.c
+++ b/ls.c
@@ -246,7 +246,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
int ret = 0;
char last_token = 0;
int must_match_at_current_pos = 1;
-
+ int matched = 0;
str_copy(&filter_remain_str, p_filter_str);
@@ -276,7 +276,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
static struct mystr s_match_needed_str;
/* Locate next special token */
struct str_locate_result locate_result =
- str_locate_chars(&filter_remain_str, "*?{");
+ str_locate_chars(&filter_remain_str, "*?{[");
(*iters)++;
/* Isolate text leading up to token (if any) - needs to be matched */
if (locate_result.found)
@@ -294,94 +294,172 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
str_empty(&filter_remain_str);
last_token = 0;
}
- if (!str_isempty(&s_match_needed_str))
- {
- /* Need to match something.. could be a match which has to start at
- * current position, or we could allow it to start anywhere
- */
- unsigned int indexx;
- locate_result = str_locate_str(&name_remain_str, &s_match_needed_str);
- if (!locate_result.found)
+
+ matched = 0;
+ do {
+ if (!str_isempty(&s_match_needed_str))
{
- /* Fail */
- goto out;
+ if (!matched)
+ {
+ matched = 1;
+ }
+ /* Need to match something.. could be a match which has to start at
+ * current position, or we could allow it to start anywhere
+ */
+ unsigned int indexx;
+ locate_result = str_locate_str(&name_remain_str, &s_match_needed_str);
+ if (!locate_result.found)
+ {
+ /* Fail */
+ goto out;
+ }
+ indexx = locate_result.index;
+ if (must_match_at_current_pos && indexx > 0)
+ {
+ goto out;
+ }
+ if (!must_match_at_current_pos && last_token == 0)
+ {
+ struct mystr last_str = INIT_MYSTR;
+ str_mid_to_end(&name_remain_str, &last_str,
+ str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str));
+ locate_result = str_locate_str(&last_str, &s_match_needed_str);
+ str_free(&last_str);
+
+ if (locate_result.found)
+ {
+ ret = 1;
+ }
+ goto out;
+ }
+ /* Chop matched string out of remainder */
+ str_mid_to_end(&name_remain_str, &temp_str,
+ indexx + str_getlen(&s_match_needed_str));
+ str_copy(&name_remain_str, &temp_str);
}
- indexx = locate_result.index;
- if (must_match_at_current_pos && indexx > 0)
+ if (last_token == '?')
{
- goto out;
+ if (str_isempty(&name_remain_str))
+ {
+ goto out;
+ }
+ str_right(&name_remain_str, &temp_str, str_getlen(&name_remain_str) - 1);
+ str_copy(&name_remain_str, &temp_str);
+ must_match_at_current_pos = 1;
}
- if (!must_match_at_current_pos && last_token == 0)
+ else if (last_token == '{')
{
- struct mystr last_str = INIT_MYSTR;
- str_mid_to_end(&name_remain_str, &last_str,
- str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str));
- locate_result = str_locate_str(&last_str, &s_match_needed_str);
- str_free(&last_str);
+ struct str_locate_result end_brace =
+ str_locate_char(&filter_remain_str, '}');
+ must_match_at_current_pos = 1;
+ if (end_brace.found)
+ {
+ int entire = (*iters == 1 && last_token == '{');
- if (locate_result.found)
+ str_split_char(&filter_remain_str, &temp_str, '}');
+ str_copy(&brace_list_str, &filter_remain_str);
+ str_copy(&filter_remain_str, &temp_str);
+ str_split_char(&brace_list_str, &temp_str, ',');
+ while (!str_isempty(&brace_list_str))
+ {
+ str_empty(&new_filter_str);
+ if (!matched && !entire)
+ {
+ str_append_char(&new_filter_str, '*');
+ }
+ str_append_str(&new_filter_str, &brace_list_str);
+ str_append_str(&new_filter_str, &filter_remain_str);
+ if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
+ iters))
+ {
+ ret = 1;
+ goto out;
+ }
+ str_copy(&brace_list_str, &temp_str);
+ str_split_char(&brace_list_str, &temp_str, ',');
+ }
+ goto out;
+ }
+ else if (str_isempty(&name_remain_str) ||
+ str_get_char_at(&name_remain_str, 0) != '{')
{
- ret = 1;
+ goto out;
+ }
+ else
+ {
+ str_right(&name_remain_str, &temp_str,
+ str_getlen(&name_remain_str) - 1);
+ str_copy(&name_remain_str, &temp_str);
}
- goto out;
- }
- /* Chop matched string out of remainder */
- str_mid_to_end(&name_remain_str, &temp_str,
- indexx + str_getlen(&s_match_needed_str));
- str_copy(&name_remain_str, &temp_str);
- }
- if (last_token == '?')
- {
- if (str_isempty(&name_remain_str))
- {
- goto out;
}
- str_right(&name_remain_str, &temp_str, str_getlen(&name_remain_str) - 1);
- str_copy(&name_remain_str, &temp_str);
- must_match_at_current_pos = 1;
- }
- else if (last_token == '{')
- {
- struct str_locate_result end_brace =
- str_locate_char(&filter_remain_str, '}');
- must_match_at_current_pos = 1;
- if (end_brace.found)
+ else if (last_token == '[')
{
- str_split_char(&filter_remain_str, &temp_str, '}');
- str_copy(&brace_list_str, &filter_remain_str);
- str_copy(&filter_remain_str, &temp_str);
- str_split_char(&brace_list_str, &temp_str, ',');
- while (!str_isempty(&brace_list_str))
+ struct str_locate_result end_sqb =
+ str_locate_char(&filter_remain_str, ']');
+ must_match_at_current_pos = 1;
+ if (end_sqb.found)
{
- str_copy(&new_filter_str, &brace_list_str);
- str_append_str(&new_filter_str, &filter_remain_str);
- if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
- iters))
+ unsigned int cur_pos;
+ char stch, ench;
+ const char *p_brace;
+
+ str_split_char(&filter_remain_str, &temp_str, ']');
+ str_copy(&brace_list_str, &filter_remain_str);
+ str_copy(&filter_remain_str, &temp_str);
+ p_brace = str_getbuf(&brace_list_str);
+ for (cur_pos = 0; cur_pos < str_getlen(&brace_list_str);)
{
- ret = 1;
- goto out;
+ stch = p_brace[cur_pos];
+ // char vers. range
+ if (cur_pos + 2 < str_getlen(&brace_list_str) &&
+ p_brace[cur_pos+1] == '-')
+ {
+ ench = p_brace[cur_pos+2];
+ cur_pos += 3;
+ }
+ else
+ {
+ ench = stch;
+ cur_pos++;
+ }
+ // expand char[s]
+ for (;stch <= ench && !str_isempty(&brace_list_str); stch++)
+ {
+ str_empty(&new_filter_str);
+ if (!matched)
+ {
+ str_append_char(&new_filter_str, '*');
+ }
+ str_append_char(&new_filter_str, stch);
+ str_append_str(&new_filter_str, &filter_remain_str);
+ if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
+ iters))
+ {
+ ret = 1;
+ goto out;
+ }
+ }
}
- str_copy(&brace_list_str, &temp_str);
- str_split_char(&brace_list_str, &temp_str, ',');
+ goto out;
+ }
+ else if (str_isempty(&name_remain_str) ||
+ str_get_char_at(&name_remain_str, 0) != '[')
+ {
+ goto out;
+ }
+ else
+ {
+ str_right(&name_remain_str, &temp_str,
+ str_getlen(&name_remain_str) - 1);
+ str_copy(&name_remain_str, &temp_str);
}
- goto out;
- }
- else if (str_isempty(&name_remain_str) ||
- str_get_char_at(&name_remain_str, 0) != '{')
- {
- goto out;
}
else
{
- str_right(&name_remain_str, &temp_str,
- str_getlen(&name_remain_str) - 1);
- str_copy(&name_remain_str, &temp_str);
+ must_match_at_current_pos = 0;
}
- }
- else
- {
- must_match_at_current_pos = 0;
- }
+ } while (locate_result.found &&
+ str_getlen(&name_remain_str) > 0 && last_token != '*');
}
/* Any incoming string left means no match unless we ended on the correct
* type of wildcard.
--
2.14.4

55
SOURCES/0015-Listen-on-IPv6-by-default.patch
Unescape Escape View File

@ -0,0 +1,55 @@
From c5daaedf1efe23b397a5950f5503f5cbfac871c8 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 14:25:28 +0200
Subject: [PATCH 15/59] Listen on IPv6 by default.
---
vsftpd.conf | 14 +++++++++-----
vsftpd.conf.5 | 5 +++--
2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/vsftpd.conf b/vsftpd.conf
index db44170..ae6c6c9 100644
--- a/vsftpd.conf
+++ b/vsftpd.conf
@@ -111,12 +111,16 @@ xferlog_std_format=YES
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
-listen=YES
-#
-# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
-# sockets, you must run two copies of vsftpd with two configuration files.
+listen=NO
+#
+# This directive enables listening on IPv6 sockets. By default, listening
+# on the IPv6 "any" address (::) will accept connections from both IPv6
+# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
+# sockets. If you want that (perhaps because you want to listen on specific
+# addresses) then you must run two copies of vsftpd with two configuration
+# files.
# Make sure, that one of the listen options is commented !!
-#listen_ipv6=YES
+listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 0744f85..72bb86f 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -297,8 +297,9 @@ Default: NO
.TP
.B listen_ipv6
Like the listen parameter, except vsftpd will listen on an IPv6 socket instead
-of an IPv4 one. This parameter and the listen parameter are mutually
-exclusive.
+of an IPv4 one. Note that a socket listening on the IPv6 "any" address (::)
+will accept both IPv6 and IPv4 connections by default. This parameter and the
+listen parameter are mutually exclusive.
Default: NO
.TP
--
2.14.4

27
SOURCES/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch
Unescape Escape View File

@ -0,0 +1,27 @@
From 048208a4db5d7164d89ba5d7545e281d0a3472d3 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 15:35:59 +0200
Subject: [PATCH 16/59] Increase VSFTP_AS_LIMIT from 200UL to 400UL.
When using a PAM module to get users from LDAP or database the old
limit was insufficient.
---
defs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defs.h b/defs.h
index ca11eac..bde3232 100644
--- a/defs.h
+++ b/defs.h
@@ -19,7 +19,7 @@
/* Must be at least the size of VSFTP_MAX_COMMAND_LINE, VSFTP_DIR_BUFSIZE and
VSFTP_DATA_BUFSIZE*2 */
#define VSFTP_PRIVSOCK_MAXSTR VSFTP_DATA_BUFSIZE * 2
-#define VSFTP_AS_LIMIT 200UL * 1024 * 1024
+#define VSFTP_AS_LIMIT 400UL * 1024 * 1024
#endif /* VSF_DEFS_H */
--
2.14.4