Review patches and spec file.

Martin Sehnoutka 2016-11-17 14:35:34 +01:00
parent 8d113be502
commit e000aa4ebe
39 changed files with 537 additions and 361 deletions

@ -1,8 +1,10 @@
From e007fc137c6bee2d359af9cfc88cd01fb672cc1e Mon Sep 17 00:00:00 2001
From 7bd573d76e9c1996ad5a96f0289731a253a24301 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 01/26] Applied vsftpd-2.1.0-libs.patch
Date: Tue, 6 Sep 2016 13:35:51 +0200
Subject: [PATCH 01/33] Don't use the provided script to locate libraries.
This branch is Fedora (RHEL) specific, so we know what
libraries we have and want to use.
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
@ -21,5 +23,5 @@ index c63ed1b..98118dc 100644
LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
--
2.5.0
2.7.4

@ -1,7 +1,7 @@
From 2ee718251d602abf6f4c5bb2fc6d829e32d3f3e1 Mon Sep 17 00:00:00 2001
From 6fe24bc56694808ac7f8038855883a971967f0fb Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 02/26] Applied vsftpd-2.1.0-build_ssl.patch
Date: Tue, 6 Sep 2016 13:40:53 +0200
Subject: [PATCH 02/33] Enable build with SSL.
---
builddefs.h | 2 +-
@ -21,5 +21,5 @@ index e908352..63cc62b 100644
#endif /* VSF_BUILDDEFS_H */
--
2.5.0
2.7.4

@ -1,7 +1,7 @@
From 3e01cb1388681f8a956c954570db4fe8ac61d1bc Mon Sep 17 00:00:00 2001
From 1e0e2b13836d40f5a3f4cb20f2b3ea8204115b51 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 03/26] Applied vsftpd-2.1.0-tcp_wrappers.patch
Date: Tue, 6 Sep 2016 13:42:09 +0200
Subject: [PATCH 03/33] Enable build with TCP Wrapper
---
builddefs.h | 2 +-
@ -21,5 +21,5 @@ index 63cc62b..83de674 100644
#define VSF_BUILD_SSL
--
2.5.0
2.7.4

@ -1,7 +1,7 @@
From 4c4dcfaa65c86da78d2cf49f0f4a5c8d63a78d3a Mon Sep 17 00:00:00 2001
From fff93602a4b252be8d674e27083dde68a7acf038 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 04/26] Applied vsftpd-2.1.0-configuration.patch
Date: Tue, 6 Sep 2016 13:46:03 +0200
Subject: [PATCH 04/33] Use /etc/vsftpd/ dir for config files instead of /etc.
---
EXAMPLE/INTERNET_SITE/README | 6 +++---
@ -479,5 +479,5 @@ index fcc6022..5e46a2f 100644
.B vsftpd_log_file
This option is the name of the file to which we write the vsftpd style
--
2.5.0
2.7.4

@ -1,8 +1,13 @@
From fb9754bb10105b6c23d355fd448f55ab94c704b8 Mon Sep 17 00:00:00 2001
From 08c49b78942d40c99fae8c40e7668aa73e1bd695 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 05/26] Applied vsftpd-2.1.0-pam_hostname.patch
Date: Tue, 6 Sep 2016 15:01:23 +0200
Subject: [PATCH 05/33] Use hostname when calling PAM authentication module.
Currently the vsftpd passes all logins as IP addresses
into PAM. This prevents administrators from setting up
ACLs based on domain (e.g. .example.com). This patch
enables reverse host lookup and use hostname instead
of address if there is one.
---
sysdeputil.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
@ -66,5 +71,5 @@ index 06f01f4..b2782da 100644
if (retval != 1)
{
--
2.5.0
2.7.4

@ -0,0 +1,35 @@
From 423cbf4ddca6578b87e0f8a3fc425688cd1ca89c Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 6 Sep 2016 16:18:39 +0200
Subject: [PATCH 06/33] Close stdin/out/err before listening for incoming
connections.
When running vsftpd as a stand-alone FTP daemon, vsftpd
did not close stdin/out/err. This caused the start script
to hang waiting for stdin to close. Before this patch was
applied, one had to hit ctrl+c in order to get shell prompt
back. Correct behavior:
$ /etc/init.d/vsftpd start | tee
Starting vsftpd for vsftpd: [ OK ]
$
---
standalone.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/standalone.c b/standalone.c
index ba01ab1..e0f2d5b 100644
--- a/standalone.c
+++ b/standalone.c
@@ -130,6 +130,9 @@ vsf_standalone_main(void)
die("could not bind listening IPv6 socket");
}
}
+ vsf_sysutil_close(0);
+ vsf_sysutil_close(1);
+ vsf_sysutil_close(2);
retval = vsf_sysutil_listen(listen_sock, VSFTP_LISTEN_BACKLOG);
if (vsf_sysutil_retval_is_error(retval))
{
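Review bot: closing descriptors 0, 1 and 2 outright (the three `vsf_sysutil_close` calls placed just before `vsf_sysutil_listen`) leaves those numbers free, so the next descriptor the daemon opens, typically an accepted client socket, becomes fd 0/1/2 and any later write to stdout or stderr lands on a client connection. The code base already has a path that reopens the standard descriptors onto /dev/null (the `die("reopening standard file descriptors to /dev/null failed")` context visible in the sysutil.c hunk of patch 17 in this series); reuse that routine here instead of bare closes, which still releases the start script's pipe and fixes the hang the message describes.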
--
2.7.4

@ -1,36 +1,56 @@
From d8f1f584c96d3449265a54fa62c5944b1b7c915c Mon Sep 17 00:00:00 2001
From 548375b2122f83771dc0b8571f16e5b5adabba98 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 07/26] Applied vsftpd-2.1.0-filter.patch
Date: Wed, 7 Sep 2016 10:04:31 +0200
Subject: [PATCH 07/33] Make filename filters smarter.
In the original version vsftpd was not able to prevent
users from downloading for instance /etc/passwd by
defining filters such as deny_file=/etc/passwd or /etc*
or passwd. Example of erroneous behavior:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /
250 Directory successfully changed.
ftp> cd /etc
550 Permission denied.
ftp> cd etc
250 Directory successfully changed.
ftp> get passwd
local: passwd remote: passwd
227 Entering Passive Mode (127,0,0,1,99,251)
150 Opening BINARY mode data connection for passwd (2813 bytes).
226 File send OK.
2813 bytes received in 0.00016 seconds (1.7e+04 Kbytes/s)
ftp> quit
221 Goodbye.
---
ls.c | 26 ++++++++++++++++++++++++--
ls.c | 24 +++++++++++++++++++++++-
str.c | 11 +++++++++++
str.h | 1 +
3 files changed, 36 insertions(+), 2 deletions(-)
3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/ls.c b/ls.c
index 7e1376d..e9302dd 100644
index 7e1376d..f489478 100644
--- a/ls.c
+++ b/ls.c
@@ -246,9 +246,31 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
@@ -246,8 +246,30 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
int ret = 0;
char last_token = 0;
int must_match_at_current_pos = 1;
+
+
+
+
str_copy(&filter_remain_str, p_filter_str);
- str_copy(&name_remain_str, p_filename_str);
-
+
+
+ if (!str_isempty (&filter_remain_str) && !str_isempty(p_filename_str)) {
+ if (str_get_char_at(p_filter_str, 0) == '/') {
+ if (str_get_char_at(p_filename_str, 0) != '/') {
+ str_getcwd (&name_remain_str);
+
+
+ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
+ str_append_char (&name_remain_str, '/');
+
+
+ str_append_str (&name_remain_str, p_filename_str);
+ }
+ else
@ -43,10 +63,9 @@ index 7e1376d..e9302dd 100644
+ }
+ } else
+ str_copy(&name_remain_str, p_filename_str);
+
while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
{
static struct mystr s_match_needed_str;
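Review bot: the absolute-filter branch only prepends the current directory to a relative name (`str_getcwd`, then `str_append_char(&name_remain_str, '/')` and `str_append_str`) and then matches textually, so `.` and `..` components in the name are never collapsed before the comparison against a filter such as `/etc/passwd`; either canonicalize `name_remain_str` here or confirm that callers only pass an already-normalized path and say so in a comment. Style: `str_getcwd (&name_remain_str)` and `str_append_char (&name_remain_str, '/')` put a space before the parenthesis unlike the surrounding `str_copy(...)` calls, and the brace-less `if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */` should get braces to match the rest of ls.c.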
diff --git a/str.c b/str.c
index 6596204..ba4b92a 100644
--- a/str.c
@ -79,5 +98,5 @@ index ab0a9a4..3a21b50 100644
/* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
* buffer, starting at character position 'p_pos'. The extracted line will
--
2.5.0
2.7.4

@ -1,8 +1,10 @@
From 2f563a92cf4c12d8a37e413ffdc14a7eb4637c03 Mon Sep 17 00:00:00 2001
From 75c172596aa9e7a9f32062579f7f98783341c924 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 08/26] Applied vsftpd-2.1.0-userlist_log.patch
Date: Wed, 7 Sep 2016 10:17:17 +0200
Subject: [PATCH 08/33] Write denied logins into the log.
This patch adds a new option 'userlist_log'. If enabled,
every login denial based on the user list will be logged.
---
logging.c | 7 +++++++
logging.h | 11 +++++++++++
@ -141,5 +143,5 @@ index 5e46a2f..9d767b1 100644
If enabled, virtual users will use the same privileges as local users. By
default, virtual users will use the same privileges as anonymous users, which
--
2.5.0
2.7.4

@ -1,7 +1,7 @@
From aea6f1b484d06c56f636ae5ed7df232d6a94f57a Mon Sep 17 00:00:00 2001
From d024bc27cee40f21e6a3841266062408c44e56fb Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 09/26] Applied vsftpd-2.1.0-trim.patch
Date: Wed, 7 Sep 2016 10:35:54 +0200
Subject: [PATCH 09/33] Trim whitespaces when reading configuration.
---
parseconf.c | 2 +-
@ -95,5 +95,5 @@ index c34778c..c2ddd15 100644
void vsf_sysutil_memcpy(void* p_dest, const void* p_src,
const unsigned int size);
--
2.5.0
2.7.4

@ -1,8 +1,9 @@
From 662531f296a0b7341e4e6817e084585a7e7a1d87 Mon Sep 17 00:00:00 2001
From 569e7078244470ac0fcc2af3947c2735338555ec Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 10/26] Applied vsftpd-2.1.1-daemonize_plus.patch
Date: Wed, 7 Sep 2016 11:29:29 +0200
Subject: [PATCH 10/33] Improve daemonizing
Init script gets correct return code if binding fails.
---
standalone.c | 38 +++++++++++++++++++++++++++++++++++++-
sysutil.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
@ -204,5 +205,5 @@ index c2ddd15..bfc92cb 100644
/* Various string functions */
unsigned int vsf_sysutil_strlen(const char* p_text);
--
2.5.0
2.7.4

@ -1,14 +1,15 @@
From 46b1cacac22d4c5f0b7695579860f7ecc28d3efb Mon Sep 17 00:00:00 2001
From 32e6642640635d7305969f808b5badb706a11bff Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 11/26] Applied vsftpd-2.2.0-wildchar.patch
Date: Wed, 7 Sep 2016 11:36:17 +0200
Subject: [PATCH 11/33] Fix listing with more than one star '*'.
This is a regression introduced by some previous patch.
---
ls.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/ls.c b/ls.c
index e9302dd..92be544 100644
index f489478..616b2d9 100644
--- a/ls.c
+++ b/ls.c
@@ -311,6 +311,20 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
@ -33,5 +34,5 @@ index e9302dd..92be544 100644
str_mid_to_end(&name_remain_str, &temp_str,
indexx + str_getlen(&s_match_needed_str));
--
2.5.0
2.7.4

@ -1,8 +1,9 @@
From 1220fb187aa6b114ae4877fd74a42979d580d8ef Mon Sep 17 00:00:00 2001
From 0c3a1123c391995ab46cfde603fa025ff180a819 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 12/26] Applied vsftpd-2.2.2-clone.patch
Date: Wed, 7 Sep 2016 11:43:54 +0200
Subject: [PATCH 12/33] Replace syscall(__NR_clone ..) with clone ()
in order to fix incorrect order of params on s390 arch
---
sysdeputil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
@ -30,5 +31,5 @@ index b2782da..3bbabaa 100644
{
if (ret == 0)
--
2.5.0
2.7.4

@ -1,8 +1,10 @@
From 4b7a6eecf79ee63c21fa27e5f5c22f248824991c Mon Sep 17 00:00:00 2001
From 813a4bc45d45f4af94c699893cb2d2ba998d5d31 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 13/26] Applied vsftpd-2.3.4-sd.patch
Date: Wed, 7 Sep 2016 11:53:07 +0200
Subject: [PATCH 13/33] Extend man pages with systemd info.
Man pages now reflect how is vsftpd used as
systemd service.
---
vsftpd.8 | 24 ++++++++++++++++++++++++
vsftpd.conf.5 | 18 +++++++++++++++++-
@ -80,5 +82,5 @@ index 9d767b1..0744f85 100644
The format of vsftpd.conf is very simple. Each line is either a comment or
a directive. Comment lines start with a # and are ignored. A directive line
--
2.5.0
2.7.4

@ -1,25 +1,25 @@
From 9db0f2142b7d456af0a147a53c7555996e90dfd6 Mon Sep 17 00:00:00 2001
From ba0520650ae7f9f63e48ba9fb3a94297aebe2d0c Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 14/26] Applied vsftpd-2.3.4-sqb.patch
Date: Wed, 7 Sep 2016 14:22:21 +0200
Subject: [PATCH 14/33] Add support for square brackets in ls.
---
ls.c | 222 +++++++++++++++++++++++++++++++++++++++++++++----------------------
1 file changed, 150 insertions(+), 72 deletions(-)
diff --git a/ls.c b/ls.c
index 92be544..0ad7f54 100644
index 616b2d9..b840136 100644
--- a/ls.c
+++ b/ls.c
@@ -246,7 +246,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
int ret = 0;
char last_token = 0;
int must_match_at_current_pos = 1;
-
-
+ int matched = 0;
str_copy(&filter_remain_str, p_filter_str);
@@ -276,7 +276,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
static struct mystr s_match_needed_str;
/* Locate next special token */
@ -273,5 +273,5 @@ index 92be544..0ad7f54 100644
/* Any incoming string left means no match unless we ended on the correct
* type of wildcard.
--
2.5.0
2.7.4

@ -1,7 +1,7 @@
From d723e42f895f8bbf6888512a772aa549b0a396d9 Mon Sep 17 00:00:00 2001
From c5daaedf1efe23b397a5950f5503f5cbfac871c8 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 15/26] Applied vsftpd-2.3.4-listen_ipv6.patch
Date: Wed, 7 Sep 2016 14:25:28 +0200
Subject: [PATCH 15/33] Listen on IPv6 by default.
---
vsftpd.conf | 14 +++++++++-----
@ -51,5 +51,5 @@ index 0744f85..72bb86f 100644
Default: NO
.TP
--
2.5.0
2.7.4

@ -0,0 +1,27 @@
From 048208a4db5d7164d89ba5d7545e281d0a3472d3 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 15:35:59 +0200
Subject: [PATCH 16/33] Increase VSFTP_AS_LIMIT from 200UL to 400UL.
When using a PAM module to get users from LDAP or database the old
limit was insufficient.
---
defs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defs.h b/defs.h
index ca11eac..bde3232 100644
--- a/defs.h
+++ b/defs.h
@@ -19,7 +19,7 @@
/* Must be at least the size of VSFTP_MAX_COMMAND_LINE, VSFTP_DIR_BUFSIZE and
VSFTP_DATA_BUFSIZE*2 */
#define VSFTP_PRIVSOCK_MAXSTR VSFTP_DATA_BUFSIZE * 2
-#define VSFTP_AS_LIMIT 200UL * 1024 * 1024
+#define VSFTP_AS_LIMIT 400UL * 1024 * 1024
#endif /* VSF_DEFS_H */
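Review bot: `#define VSFTP_AS_LIMIT 400UL * 1024 * 1024` is an unparenthesized expression macro, so a use such as `x / VSFTP_AS_LIMIT` would evaluate as `x / 400UL * 1024 * 1024`; since the line is being touched anyway, write it as `(400UL * 1024 * 1024)`. The doubling is justified by the PAM/LDAP case in the message, but that reason lives only in the commit log; a one-line comment next to the macro saying why the address-space cap is 400 MiB would stop the next person from lowering it again.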
--
2.7.4

@ -1,14 +1,16 @@
From cc7c4ed98d69230f24a4437db2ba6bee20f4e494 Mon Sep 17 00:00:00 2001
From 5ec0b86e5c1ff060720b5a6cd1af9d93ec993650 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 16/26] Applied vsftpd-3.0.0-tz.patch
Date: Thu, 29 Sep 2016 11:14:03 +0200
Subject: [PATCH 17/33] Fix an issue with timestamps during DST.
vsftpd now checks whether a file was uploaded during DST and
adjust the timestamp accordingly.
---
sysutil.c | 104 ++++++++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 77 insertions(+), 27 deletions(-)
diff --git a/sysutil.c b/sysutil.c
index c848356..497d670 100644
index c848356..2abdd13 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -26,8 +26,10 @@
@ -23,18 +25,18 @@ index c848356..497d670 100644
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
@@ -55,6 +57,11 @@
#include <utime.h>
@@ -56,6 +58,11 @@
#include <netdb.h>
#include <sys/resource.h>
+
+#ifndef __USE_GNU
+ #define __USE_GNU
+#endif
+#include <string.h>
+
/* Private variables to this file */
/* Current umask() */
static unsigned int s_current_umask;
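Review bot: defining `__USE_GNU` by hand before `#include <string.h>` pokes a glibc-internal macro (double-underscore identifiers are reserved for the implementation) and only has an effect because the C library's feature header was already processed by the earlier `<stdlib.h>` and `<unistd.h>` includes; request the GNU extensions the supported way with `#define _GNU_SOURCE` as the first line of sysutil.c (or `-D_GNU_SOURCE` in the Makefile's CFLAGS) and drop the `#ifndef __USE_GNU` block. The `<string.h>` include should also join the other system headers at the top of the file rather than sit after `<sys/resource.h>`.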
@@ -2574,49 +2581,92 @@ error:
die("reopening standard file descriptors to /dev/null failed");
}
@ -155,5 +157,5 @@ index c848356..497d670 100644
s_timezone *= -1;
}
--
2.5.0
2.7.4

@ -0,0 +1,43 @@
From 61dac172bdb14c5a37713078828ea8c8f78c7eb6 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 29 Sep 2016 13:53:16 +0200
Subject: [PATCH 18/33] Change the default log file in configuration.
Previous "default" value was wrong.
tunables.c:262 => install_str_setting("/var/log/xferlog",
&tunable_xferlog_file);
---
RedHat/vsftpd.log | 6 ++++++
vsftpd.conf | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/RedHat/vsftpd.log b/RedHat/vsftpd.log
index d338de8..14731c1 100644
--- a/RedHat/vsftpd.log
+++ b/RedHat/vsftpd.log
@@ -3,3 +3,9 @@
nocompress
missingok
}
+
+/var/log/xferlog {
+ # ftpd doesn't handle SIGHUP properly
+ nocompress
+ missingok
+}
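Review bot: the new `/var/log/xferlog` stanza repeats the `nocompress` and `missingok` settings (and the `# ftpd doesn't handle SIGHUP properly` remark) of the stanza above it; logrotate accepts several paths in one stanza (`/var/log/vsftpd.log /var/log/xferlog { ... }`), which keeps the two from drifting apart. Given that remark, also confirm that vsftpd reopens the xferlog per session rather than holding one descriptor open for the daemon's lifetime; otherwise `copytruncate` is needed so rotated files do not keep receiving writes.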
diff --git a/vsftpd.conf b/vsftpd.conf
index ae6c6c9..39d1955 100644
--- a/vsftpd.conf
+++ b/vsftpd.conf
@@ -50,7 +50,7 @@ connect_from_port_20=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
-#xferlog_file=/var/log/vsftpd.log
+#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
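Review bot: after changing the commented default to `#xferlog_file=/var/log/xferlog`, the sentence two lines below ("Note that the default log file location is /var/log/xferlog in this case") no longer distinguishes the `xferlog_std_format` case from the general default and should be reworded or dropped. Please also check that vsftpd.conf.5 states the same default, since only vsftpd.conf and the logrotate file appear in this patch's diffstat.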
--
2.7.4

@ -1,8 +1,11 @@
From 341ecdb33ac371d0efcfe428719fdf627ab253c2 Mon Sep 17 00:00:00 2001
From 721de88621100f6ed33f1602415bc249f3ed3219 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 19/26] Applied vsftpd-3.0.2-lookup.patch
Date: Thu, 17 Nov 2016 10:22:32 +0100
Subject: [PATCH 19/33] Introduce reverse_lookup_enable option.
vsftpd can transform IP address into hostname before
PAM authentication. You can disable it to prevent
performance issues.
---
parseconf.c | 1 +
sysdeputil.c | 14 +++++++++-----
@ -102,5 +105,5 @@ index 72bb86f..fb6324e 100644
Set to YES if you want vsftpd to run as the user which launched vsftpd. This is
useful where root access is not available. MASSIVE WARNING! Do NOT enable this
--
2.5.0
2.7.4

@ -1,7 +1,7 @@
From 24a1132cfe48d4c8bd799494ca802c918ac9132b Mon Sep 17 00:00:00 2001
From dcaaf1e0dd3985e229a87de18b83f301d30b6ce9 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 20/26] Applied vsftpd-3.0.2-uint-uidgid.patch
Date: Thu, 17 Nov 2016 10:31:39 +0100
Subject: [PATCH 20/33] Use unsigned int for uid and gid representation.
---
ls.c | 4 ++--
@ -12,7 +12,7 @@ Subject: [PATCH 20/26] Applied vsftpd-3.0.2-uint-uidgid.patch
5 files changed, 30 insertions(+), 47 deletions(-)
diff --git a/ls.c b/ls.c
index 0ad7f54..f18791d 100644
index b840136..3c0988c 100644
--- a/ls.c
+++ b/ls.c
@@ -503,7 +503,7 @@ build_dir_line(struct mystr* p_str, const struct mystr* p_filename_str,
@ -65,7 +65,7 @@ index 27a488f..956bfb7 100644
/* Things we need to cache before we chroot() */
struct mystr banned_email_str;
diff --git a/sysutil.c b/sysutil.c
index 497d670..62d833d 100644
index 2abdd13..9881a66 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -1454,14 +1454,14 @@ vsf_sysutil_statbuf_get_size(const struct vsf_sysutil_statbuf* p_statbuf)
@ -246,5 +246,5 @@ index bfc92cb..79b5514 100644
void vsf_sysutil_setegid(const struct vsf_sysutil_user* p_user);
void vsf_sysutil_seteuid_numeric(int uid);
--
2.5.0
2.7.4

@ -1,7 +1,7 @@
From 1c4cb55ed61ca962a051c7de7cca866af8e2b2fa Mon Sep 17 00:00:00 2001
From 4eac1dbb5f70a652d31847eec7c28d245f36cdbb Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 21/26] Applied vsftpd-3.0.2-dh.patch
Date: Thu, 17 Nov 2016 10:48:28 +0100
Subject: [PATCH 21/33] Introduce support for DHE based cipher suites.
---
parseconf.c | 1 +
@ -222,5 +222,5 @@ index fb6324e..ff94eca 100644
This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable
--
2.5.0
2.7.4

@ -1,7 +1,7 @@
From 400bd7cd3fc7478a668862cfba4b79e84a5034e9 Mon Sep 17 00:00:00 2001
From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 22/26] Applied vsftpd-3.0.2-ecdh.patch
Date: Thu, 17 Nov 2016 10:49:22 +0100
Subject: [PATCH 22/33] Introduce support for EDDHE based cipher suites.
---
parseconf.c | 1 +
@ -132,5 +132,5 @@ index ff94eca..e242873 100644
This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable
--
2.5.0
2.7.4

@ -1,14 +1,16 @@
From f7fb4f5c91ab132982c78f1b34f7fe1493fd1372 Mon Sep 17 00:00:00 2001
From 3d02ef3be17f37baf729e786a8f36af4982f70ad Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:46 +0100
Subject: [PATCH 23/26] Applied vsftpd-3.0.2-docupd.patch
Date: Thu, 17 Nov 2016 10:52:16 +0100
Subject: [PATCH 23/33] Add documentation for isolate_* options. Correct
default
values of max_clients, max_per_ip.
---
vsftpd.conf.5 | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index e242873..7a8f130 100644
index e242873..31d317f 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -652,6 +652,21 @@ change it with the setting
@ -20,7 +22,7 @@ index e242873..7a8f130 100644
+If enabled, use CLONE_NEWNET to isolate the untrusted processes so that
+they can't do arbitrary connect() and instead have to ask the privileged
+process for sockets (
+.BR port_promiscuous
+.BR port_promiscuous
+have to be disabled).
+
+Default: YES
@ -57,5 +59,5 @@ index e242873..7a8f130 100644
.B pasv_max_port
The maximum port to allocate for PASV style data connections. Can be used to
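Review bot: in the isolate_network text, the parenthetical that opens with `process for sockets (` and closes with `have to be disabled)` names a single option, `port_promiscuous`, but uses the plural "have"; either list every option that must be off or change it to "has to be disabled". The two consecutive `.BR port_promiscuous` lines are presumably the old and new version of one line differing only in whitespace; confirm the patch file ends up with a single one, and note that `.B` suffices for one bold word where `.BR` alternates bold and roman arguments.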
--
2.5.0
2.7.4

@ -1,8 +1,10 @@
From e8c21dbd87c5e46c246c2d08c1abc84bb649fc02 Mon Sep 17 00:00:00 2001
From 1d5cdf309387ff92988ab17d746f015d833a4b92 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:46 +0100
Subject: [PATCH 24/26] Applied vsftpd-3.0.2-rc450.patch
Date: Thu, 17 Nov 2016 11:08:52 +0100
Subject: [PATCH 24/33] Introduce new return value 450:
*450 Requested file action not taken.
File unavailable (e.g., file busy).
---
ftpcodes.h | 1 +
postlogin.c | 9 ++++++++-
@ -43,7 +45,7 @@ index bf12970..29958c0 100644
}
/* Lock file if required */
diff --git a/sysutil.c b/sysutil.c
index 62d833d..a924edf 100644
index 9881a66..6d7cb3f 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -1632,6 +1632,9 @@ vsf_sysutil_get_error(void)
@ -71,5 +73,5 @@ index 79b5514..c145bdf 100644
enum EVSFSysUtilError vsf_sysutil_get_error(void);
--
2.5.0
2.7.4

@ -1,8 +1,9 @@
From 4700495a07fe9423c8411a018cde4de413407f42 Mon Sep 17 00:00:00 2001
From 386db86fe865fb552b1867af4bf4b78dbf9080cf Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Fri, 8 Apr 2016 15:03:16 +0200
Subject: [PATCH 2/7] vsftpd-3.0.2-mrate
Date: Thu, 17 Nov 2016 12:44:26 +0100
Subject: [PATCH 25/33] Improve local_max_rate option.
Now it should work as expected.
---
ftpdataio.c | 14 +++++++-------
main.c | 2 +-
@ -85,5 +86,5 @@ index 956bfb7..3e8fdd5 100644
/* Details of the login */
int is_anonymous;
--
2.5.5
2.7.4

@ -1,8 +1,10 @@
From 1a14b13a1684f71ecfd5ed94b1aae7541b1a77a8 Mon Sep 17 00:00:00 2001
From 1e65a0a15f819b8bf1b551bd84f71d0da1f5a00c Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Fri, 8 Apr 2016 15:03:16 +0200
Subject: [PATCH 3/7] vsftpd-3.0.2-wnohang
Date: Thu, 17 Nov 2016 13:02:27 +0100
Subject: [PATCH 26/33] Prevent hanging in SIGCHLD handler.
vsftpd can now handle pam_exec.so in pam.d config without hanging
in SIGCHLD handler.
---
sysutil.c | 4 ++--
sysutil.h | 2 +-
@ -10,7 +12,7 @@ Subject: [PATCH 3/7] vsftpd-3.0.2-wnohang
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/sysutil.c b/sysutil.c
index 6dfe350..61d9f28 100644
index 6d7cb3f..099748f 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -608,13 +608,13 @@ vsf_sysutil_exit(int exit_code)
@ -30,10 +32,10 @@ index 6dfe350..61d9f28 100644
{
vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0);
diff --git a/sysutil.h b/sysutil.h
index 26698cd..d341b5d 100644
index c145bdf..13153cd 100644
--- a/sysutil.h
+++ b/sysutil.h
@@ -178,7 +178,7 @@ struct vsf_sysutil_wait_retval
@@ -177,7 +177,7 @@ struct vsf_sysutil_wait_retval
int PRIVATE_HANDS_OFF_syscall_retval;
int PRIVATE_HANDS_OFF_exit_status;
};
@ -75,5 +77,5 @@ index 33d84dc..b1891e7 100644
else
{
--
2.5.5
2.7.4

@ -1,8 +1,10 @@
From 9be8a4188420bba2075eacf9aea8fa26b6ebdcc5 Mon Sep 17 00:00:00 2001
From 6224ecc5ac209323baa775880c0602c3fde3590a Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Fri, 8 Apr 2016 15:03:16 +0200
Subject: [PATCH 4/7] vsftpd-3.0.2-del-upl
Date: Thu, 17 Nov 2016 13:10:41 +0100
Subject: [PATCH 27/33] Delete files when upload fails.
Previously the uploaded file wasn't removed when the network was
disconnected. Now it is successfully deleted.
---
ftpcodes.h | 3 ++-
ftpdataio.c | 8 ++++++++
@ -14,7 +16,7 @@ Subject: [PATCH 4/7] vsftpd-3.0.2-del-upl
7 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/ftpcodes.h b/ftpcodes.h
index 3950f92..97801f3 100644
index 81e25c5..54dfae7 100644
--- a/ftpcodes.h
+++ b/ftpcodes.h
@@ -15,7 +15,8 @@
@ -67,10 +69,10 @@ index f1e2f69..f039081 100644
0, INIT_MYSTR,
/* Session state */
diff --git a/postlogin.c b/postlogin.c
index 154c16a..8363c9c 100644
index 29958c0..e473c34 100644
--- a/postlogin.c
+++ b/postlogin.c
@@ -358,7 +358,14 @@ process_post_login(struct vsf_session* p_sess)
@@ -356,7 +356,14 @@ process_post_login(struct vsf_session* p_sess)
}
else if (str_equal_text(&p_sess->ftp_cmd_str, "ALLO"))
{
@ -99,7 +101,7 @@ index 3e8fdd5..4eccf46 100644
int is_ascii;
struct mystr rnfr_filename_str;
diff --git a/sysutil.c b/sysutil.c
index 61d9f28..3c4a337 100644
index 099748f..42bcdf8 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -681,6 +681,16 @@ vsf_sysutil_activate_keepalive(int fd)
@ -120,10 +122,10 @@ index 61d9f28..3c4a337 100644
{
int reuseaddr = 1;
diff --git a/sysutil.h b/sysutil.h
index d341b5d..be727f5 100644
index 13153cd..2886bbc 100644
--- a/sysutil.h
+++ b/sysutil.h
@@ -267,6 +267,7 @@ void vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr,
@@ -266,6 +266,7 @@ void vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr,
const char* p_name);
/* Option setting on sockets */
void vsf_sysutil_activate_keepalive(int fd);
@ -132,5 +134,5 @@ index d341b5d..be727f5 100644
void vsf_sysutil_activate_reuseaddr(int fd);
void vsf_sysutil_set_nodelay(int fd);
--
2.5.5
2.7.4

@ -1,14 +1,14 @@
From ab49bde79f81a422629210c23ccc83bc4e14ad2a Mon Sep 17 00:00:00 2001
From ea99be1a7a5973bbe8ed798b65abe5ce3b92f5df Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Fri, 8 Apr 2016 15:03:16 +0200
Subject: [PATCH 5/7] vsftpd-2.2.2-man-pages
Date: Thu, 17 Nov 2016 13:12:52 +0100
Subject: [PATCH 28/33] Fix man page rendering.
---
vsftpd.conf.5 | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 7a8f130..45cd3c0 100644
index 31d317f..cf1ae34 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -495,7 +495,8 @@ Default: NO
@ -22,5 +22,5 @@ index 7a8f130..45cd3c0 100644
(New in v2.0.7).
--
2.5.5
2.7.4

@ -1,7 +1,7 @@
From c7cbcc64c824d1a2a60f8d81c26d5c8215463623 Mon Sep 17 00:00:00 2001
From 34b9e1d10c6be736f1b20be8795c655446f38c5e Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Fri, 8 Apr 2016 15:05:06 +0200
Subject: [PATCH 6/7] vsftpd-2.2.2-blank-chars-overflow
Date: Thu, 17 Nov 2016 13:14:55 +0100
Subject: [PATCH 29/33] Fix segfault in config file parser.
---
str.c | 2 +-
@ -21,5 +21,5 @@ index 41b27db..82b8ae4 100644
void
--
2.5.5
2.7.4

@ -1,7 +1,7 @@
From a480a9659fb0cab1c44006f6c06013e6e7f78948 Mon Sep 17 00:00:00 2001
From 03ff061f18f555d7bec62fa6a597a275b4b3f1c7 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Fri, 8 Apr 2016 15:05:53 +0200
Subject: [PATCH 7/7] vsftpd-2.2.2-syslog
Date: Thu, 17 Nov 2016 13:18:22 +0100
Subject: [PATCH 30/33] Fix logging into syslog when enabled in config.
---
logging.c | 2 +-
@ -21,5 +21,5 @@ index 99671b4..c4461f7 100644
if (!tunable_xferlog_enable && !tunable_dual_log_enable)
{
--
2.5.5
2.7.4

@ -1,14 +1,16 @@
From cdcb1c5f660fb4f72b4896f5145a34e9dd158252 Mon Sep 17 00:00:00 2001
From 0da42468ac9518a544aad57d22d7697d6bdfa969 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 12:00:34 +0100
Subject: [PATCH 26/26] Applied vsftpd-2.0.5-fix_qm.patch
Date: Thu, 17 Nov 2016 13:25:12 +0100
Subject: [PATCH 31/33] Fix question mark wildcard withing a file name.
Previously '?' worked only at the end of a file name, now it can
be used anywhere.
---
ls.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ls.c b/ls.c
index f18791d..de68c30 100644
index 3c0988c..35c15c7 100644
--- a/ls.c
+++ b/ls.c
@@ -459,7 +459,8 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
@ -22,5 +24,5 @@ index f18791d..de68c30 100644
/* Any incoming string left means no match unless we ended on the correct
* type of wildcard.
--
2.5.0
2.7.4

@ -1,8 +1,11 @@
From 1be2ebccc0a5e1040fa9bb5f1cac8040070830df Mon Sep 17 00:00:00 2001
From aa9cb48373018502ef99a57aad70b69c0c75ff65 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 14:51:29 +0100
Subject: [PATCH 25/26] Applied vsftpd-2.2.2-nfs-fail.patch
Date: Thu, 17 Nov 2016 13:29:59 +0100
Subject: [PATCH 32/33] Propagate errors from nfs with quota to client.
vsftpd now checks for errors when closing newly uploaded file and
forward errors to the client (e.g. when file system quota was
exceeded)
---
ftpcodes.h | 1 +
postlogin.c | 32 ++++++++++++++++++++++++++++++--
@ -11,10 +14,10 @@ Subject: [PATCH 25/26] Applied vsftpd-2.2.2-nfs-fail.patch
4 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/ftpcodes.h b/ftpcodes.h
index 81e25c5..3950f92 100644
index 54dfae7..97801f3 100644
--- a/ftpcodes.h
+++ b/ftpcodes.h
@@ -73,6 +73,7 @@
@@ -74,6 +74,7 @@
#define FTP_NOHANDLEPROT 536
#define FTP_FILEFAIL 550
#define FTP_NOPERM 550
@ -23,7 +26,7 @@ index 81e25c5..3950f92 100644
#endif /* VSF_FTPCODES_H */
diff --git a/postlogin.c b/postlogin.c
index 29958c0..154c16a 100644
index e473c34..8363c9c 100644
--- a/postlogin.c
+++ b/postlogin.c
@@ -28,6 +28,8 @@
@ -35,7 +38,7 @@ index 29958c0..154c16a 100644
/* Private local functions */
static void handle_pwd(struct vsf_session* p_sess);
static void handle_cwd(struct vsf_session* p_sess);
@@ -1028,8 +1030,10 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique)
@@ -1035,8 +1037,10 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique)
struct vsf_transfer_ret trans_ret;
int new_file_fd;
int remote_fd;
@ -46,7 +49,7 @@ index 29958c0..154c16a 100644
int do_truncate = 0;
filesize_t offset = p_sess->restart_pos;
p_sess->restart_pos = 0;
@@ -1142,6 +1146,18 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique)
@@ -1149,6 +1153,18 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique)
trans_ret = vsf_ftpdataio_transfer_file(p_sess, remote_fd,
new_file_fd, 1, 0);
}
@ -65,7 +68,7 @@ index 29958c0..154c16a 100644
if (vsf_ftpdataio_dispose_transfer_fd(p_sess) != 1 && trans_ret.retval == 0)
{
trans_ret.retval = -2;
@@ -1154,7 +1170,16 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique)
@@ -1161,7 +1177,16 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique)
}
if (trans_ret.retval == -1)
{
@ -83,7 +86,7 @@ index 29958c0..154c16a 100644
}
else if (trans_ret.retval == -2)
{
@@ -1176,7 +1201,10 @@ port_pasv_cleanup_out:
@@ -1183,7 +1208,10 @@ port_pasv_cleanup_out:
{
str_unlink(p_filename);
}
@ -96,10 +99,10 @@ index 29958c0..154c16a 100644
static void
diff --git a/sysutil.c b/sysutil.c
index a924edf..6dfe350 100644
index 42bcdf8..1c0422e 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -1259,6 +1259,27 @@ vsf_sysutil_close(int fd)
@@ -1269,6 +1269,27 @@ vsf_sysutil_close(int fd)
}
int
@ -128,7 +131,7 @@ index a924edf..6dfe350 100644
{
return close(fd);
diff --git a/sysutil.h b/sysutil.h
index c145bdf..26698cd 100644
index 2886bbc..be727f5 100644
--- a/sysutil.h
+++ b/sysutil.h
@@ -92,6 +92,7 @@ int vsf_sysutil_create_or_open_file_append(const char* p_filename,
@ -140,5 +143,5 @@ index c145bdf..26698cd 100644
int vsf_sysutil_unlink(const char* p_dead);
int vsf_sysutil_write_access(const char* p_filename);
--
2.5.0
2.7.4

@ -0,0 +1,153 @@
From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Nov 2016 13:36:17 +0100
Subject: [PATCH 33/33] Introduce TLSv1.1 and TLSv1.2 options.
Users can now enable a specific version of the TLS protocol.
---
parseconf.c | 2 ++
ssl.c | 8 ++++++++
tunables.c | 9 +++++++--
tunables.h | 2 ++
vsftpd.conf.5 | 24 ++++++++++++++++++++----
5 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/parseconf.c b/parseconf.c
index a2c715b..33a1349 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -85,6 +85,8 @@ parseconf_bool_array[] =
{ "ssl_sslv2", &tunable_sslv2 },
{ "ssl_sslv3", &tunable_sslv3 },
{ "ssl_tlsv1", &tunable_tlsv1 },
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
{ "tilde_user_enable", &tunable_tilde_user_enable },
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
diff --git a/ssl.c b/ssl.c
index 96bf8ad..ba8a613 100644
--- a/ssl.c
+++ b/ssl.c
@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess)
{
options |= SSL_OP_NO_TLSv1;
}
+ if (!tunable_tlsv1_1)
+ {
+ options |= SSL_OP_NO_TLSv1_1;
+ }
+ if (!tunable_tlsv1_2)
+ {
+ options |= SSL_OP_NO_TLSv1_2;
+ }
SSL_CTX_set_options(p_ctx, options);
if (tunable_rsa_cert_file)
{
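Review bot: nothing stops an administrator from setting ssl_tlsv1, ssl_tlsv1_1 and ssl_tlsv1_2 all to NO, and since ssl_sslv2 and ssl_sslv3 already default to NO that leaves every protocol version masked by an SSL_OP_NO_* flag and every TLS handshake failing with no hint in the configuration parser; reject that combination when the tunables are loaded, or at least log it from ssl_init() before SSL_CTX_set_options(p_ctx, options). A second, smaller point: SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 exist only from OpenSSL 1.0.1 onward. Patch 01 states this branch is Fedora/RHEL specific, so that is acceptable here, but wrapping the two new blocks in #ifdef SSL_OP_NO_TLSv1_1 / #ifdef SSL_OP_NO_TLSv1_2 would keep ssl.c compiling against older headers at no cost.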
diff --git a/tunables.c b/tunables.c
index 93f85b1..78f2bcd 100644
--- a/tunables.c
+++ b/tunables.c
@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl;
int tunable_sslv2;
int tunable_sslv3;
int tunable_tlsv1;
+int tunable_tlsv1_1;
+int tunable_tlsv1_2;
int tunable_tilde_user_enable;
int tunable_force_anon_logins_ssl;
int tunable_force_anon_data_ssl;
@@ -209,7 +211,10 @@ tunables_load_defaults()
tunable_force_local_data_ssl = 1;
tunable_sslv2 = 0;
tunable_sslv3 = 0;
+ /* TLSv1 up to TLSv1.2 is enabled by default */
tunable_tlsv1 = 1;
+ tunable_tlsv1_1 = 1;
+ tunable_tlsv1_2 = 1;
tunable_tilde_user_enable = 0;
tunable_force_anon_logins_ssl = 0;
tunable_force_anon_data_ssl = 0;
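Review bot: the YES defaults for tunable_tlsv1_1 and tunable_tlsv1_2 make this hunk behaviour-neutral, because before this patch no SSL_OP_NO_TLSv1_1 or SSL_OP_NO_TLSv1_2 flag was ever set and OpenSSL already offered those versions; the commit message only says the options were introduced and should state that existing deployments keep negotiating the same versions. The comment "TLSv1 up to TLSv1.2 is enabled by default" is accurate; the caveat worth recording in vsftpd.conf.5 is that TLS v1.0 therefore stays on by default and sites that want to retire it must set ssl_tlsv1=NO explicitly.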
@@ -292,8 +297,8 @@ tunables_load_defaults()
install_str_setting(0, &tunable_dsa_cert_file);
install_str_setting(0, &tunable_dh_param_file);
install_str_setting(0, &tunable_ecdh_param_file);
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
- &tunable_ssl_ciphers);
+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
+ &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
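Review bot: the two ECDHE GCM suites are appended after AES128-SHA and DES-CBC3-SHA, so whenever the server's own order is honoured they are only chosen after every older suite has been rejected; put the forward-secret AEAD suites first, for example ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:DES-CBC3-SHA, and reconsider whether 3DES (DES-CBC3-SHA) still belongs in a default list at all. This cipher-list change is also not mentioned in the subject or body of the patch, which speak only of TLS version options; either split it into its own patch or describe it in the message.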
diff --git a/tunables.h b/tunables.h
index 3e2d40c..a466427 100644
--- a/tunables.h
+++ b/tunables.h
@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */
extern int tunable_sslv2; /* Allow SSLv2 */
extern int tunable_sslv3; /* Allow SSLv3 */
extern int tunable_tlsv1; /* Allow TLSv1 */
+extern int tunable_tlsv1_1; /* Allow TLSv1.1 */
+extern int tunable_tlsv1_2; /* Allow TLSv1.2 */
extern int tunable_tilde_user_enable; /* Support e.g. ~chris */
extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */
extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index cf1ae34..a3d569e 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -506,7 +506,7 @@ Default: YES
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit SSL v2 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
Default: NO
.TP
@@ -514,7 +514,7 @@ Default: NO
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit SSL v3 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
Default: NO
.TP
@@ -522,7 +522,23 @@ Default: NO
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit TLS v1 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_1
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+TLS v1.2 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_2
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+TLS v1.2 connections are preferred.
Default: YES
.TP
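Review bot: "TLS v1.2 connections are preferred." is now repeated verbatim under ssl_sslv2, ssl_sslv3, ssl_tlsv1, ssl_tlsv1_1 and ssl_tlsv1_2, and under ssl_tlsv1_2 itself it says nothing. Nothing in ssl.c expresses a preference; the options only mask versions and OpenSSL negotiates the highest version both sides still allow. Say that once, for example "The highest protocol version enabled on both sides is negotiated; with the default settings that is TLS v1.2.", and drop the sentence from the individual entries. It would also help readers to state here that disabling all three ssl_tlsv1* options leaves no usable protocol.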
@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.
-Default: DES-CBC3-SHA
+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
.TP
.B user_config_dir
This powerful option allows the override of any config option specified in
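Review bot: good that the documented default now matches tunables.c; the removed "Default: DES-CBC3-SHA" line was stale even before this patch, since the code default was already the four-suite list. One caveat worth a sentence here: the two added ECDHE-*-AES256-GCM-SHA384 suites exist only in TLS v1.2, so setting ssl_tlsv1_2=NO silently removes them from the offered list and leaves only the CBC suites.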
--
2.7.4

View File

@ -1,17 +1,17 @@
From dd86a1c28f11fa67b1263d5dc79fa9953629d30d Mon Sep 17 00:00:00 2001
From 4922e60589326540b2ee4f0bdfd6cb95f645f3d5 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Fri, 8 Apr 2016 15:03:16 +0200
Subject: [PATCH 1/7] vsftpd-3.0.2-seccomp
Date: Fri, 18 Nov 2016 10:23:29 +0100
Subject: [PATCH] Turn off seccomp sandbox, because it is too strict.
---
tunables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tunables.c b/tunables.c
index 93f85b1..b024be4 100644
index 78f2bcd..5440c00 100644
--- a/tunables.c
+++ b/tunables.c
@@ -232,7 +232,7 @@ tunables_load_defaults()
@@ -237,7 +237,7 @@ tunables_load_defaults()
tunable_isolate_network = 1;
tunable_ftp_enable = 1;
tunable_http_enable = 0;
@ -21,5 +21,5 @@ index 93f85b1..b024be4 100644
tunable_accept_timeout = 60;
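Review bot: the message says the sandbox is "too strict" but not which syscalls it blocks in the Fedora build, and the 3.0.3-2 changelog already had it disabled by default; record the failing calls so the filter can be extended instead of the default being permanently flipped to off. The changed line is not visible in this rendering (presumably tunable_seccomp_sandbox, given the surrounding tunable_isolate_network / tunable_ftp_enable / tunable_http_enable lines); whichever it is, vsftpd.conf.5 should say that the packaged default differs from upstream and that administrators can set seccomp_sandbox=YES to get it back. Minor: this patch is dated Fri, 18 Nov 2016 while the 3.0.3-3 changelog entry it belongs to is dated Thu Nov 17 2016.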
--
2.5.5
2.7.4

View File

@ -1,12 +0,0 @@
diff -up vsftpd-3.0.3/defs.h.aslim vsftpd-3.0.3/defs.h
--- vsftpd-3.0.3/defs.h.aslim 2016-03-03 16:55:42.760819658 +0100
+++ vsftpd-3.0.3/defs.h 2016-03-03 17:01:49.606873710 +0100
@@ -19,7 +19,7 @@
/* Must be at least the size of VSFTP_MAX_COMMAND_LINE, VSFTP_DIR_BUFSIZE and
VSFTP_DATA_BUFSIZE*2 */
#define VSFTP_PRIVSOCK_MAXSTR VSFTP_DATA_BUFSIZE * 2
-#define VSFTP_AS_LIMIT 200UL * 1024 * 1024
+#define VSFTP_AS_LIMIT 400UL * 1024 * 1024
#endif /* VSF_DEFS_H */
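Review bot: this old-style "diff -up" file is superseded by 0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch in the spec; in whichever form survives, the macro body 400UL * 1024 * 1024 is unparenthesised (as the 200UL original was), so an expression such as x / VSFTP_AS_LIMIT would bind wrongly. Write it as (400UL * 1024 * 1024). The reason for doubling the address-space limit is also not recorded anywhere on this page and belongs in the new patch's commit message.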

View File

@ -1,26 +0,0 @@
From 5a4adb1078552f3f17f21dab9cacadbcacf593ec Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 18/26] Applied vsftpd-3.0.0-logrotate.patch
---
RedHat/vsftpd.log | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/RedHat/vsftpd.log b/RedHat/vsftpd.log
index d338de8..14731c1 100644
--- a/RedHat/vsftpd.log
+++ b/RedHat/vsftpd.log
@@ -3,3 +3,9 @@
nocompress
missingok
}
+
+/var/log/xferlog {
+ # ftpd doesn't handle SIGHUP properly
+ nocompress
+ missingok
+}
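Review bot: no patch in the new 0001..0034 list carries a logrotate change by name (0018 only changes the default log file in vsftpd.conf), so confirm that this /var/log/xferlog stanza was folded into one of them or that dropping it is intentional; the spec still has "Requires: logrotate". If the stanza is kept, it appears to carry the same nocompress / missingok options as the /var/log/vsftpd.log stanza above it and the two can be merged into one entry, "/var/log/vsftpd.log /var/log/xferlog { ... }", keeping the "# ftpd doesn't handle SIGHUP properly" comment as the reason there is no postrotate.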
--
2.5.0

View File

@ -1,25 +0,0 @@
From 26d555a940faf7c7c90d8a8a2b5d5e0d9988f714 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 17/26] Applied vsftpd-3.0.0-xferlog.patch
---
vsftpd.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vsftpd.conf b/vsftpd.conf
index ae6c6c9..39d1955 100644
--- a/vsftpd.conf
+++ b/vsftpd.conf
@@ -50,7 +50,7 @@ connect_from_port_20=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
-#xferlog_file=/var/log/vsftpd.log
+#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
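Review bot: this change continues as 0018-Change-the-default-log-file-in-configuration.patch; in that version, check that the commented-out line really reflects the compiled default (tunable_xferlog_file in tunables.c), because the preceding comment promises "The default is shown below" and the next paragraph separately says the default is /var/log/xferlog only "in this case" (xferlog_std_format). If the two statements describe different settings, the comment block should say which option each default belongs to.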
--
2.5.0

View File

@ -1,26 +0,0 @@
From 883736a0ad3b521c8210cc7e6cbc2cb302aca43c Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Mar 2016 11:44:45 +0100
Subject: [PATCH 06/26] Applied vsftpd-close-std-fds.patch
---
standalone.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/standalone.c b/standalone.c
index ba01ab1..e0f2d5b 100644
--- a/standalone.c
+++ b/standalone.c
@@ -130,6 +130,9 @@ vsf_standalone_main(void)
die("could not bind listening IPv6 socket");
}
}
+ vsf_sysutil_close(0);
+ vsf_sysutil_close(1);
+ vsf_sysutil_close(2);
retval = vsf_sysutil_listen(listen_sock, VSFTP_LISTEN_BACKLOG);
if (vsf_sysutil_retval_is_error(retval))
{
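Review bot: closing descriptors 0, 1 and 2 outright means the next descriptor the listener opens (the accepted client socket, a log file, anything a library opens) is handed fd 0, 1 or 2, and a later write to stderr from libc or OpenSSL then lands on a client connection. The safer idiom is to open /dev/null and dup2() it onto 0, 1 and 2 instead of closing them. This file is being superseded by 0006-Close-stdin-out-err-before-listening-for-incoming-co.patch, so apply the fix there.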
--
2.5.0

View File

@ -1,123 +1,77 @@
%{!?tcp_wrappers:%define tcp_wrappers 1}
%define _generatorsdir %{_prefix}/lib/systemd/system-generators
%global _generatorsdir %{_prefix}/lib/systemd/system-generators
Name: vsftpd
Name: vsftpd
Version: 3.0.3
Release: 2%{?dist}
Release: 3%{?dist}
Summary: Very Secure Ftp Daemon
Group: System Environment/Daemons
Group: System Environment/Daemons
# OpenSSL link exception
License: GPLv2 with exceptions
URL: https://security.appspot.com/vsftpd.html
Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
Source1: vsftpd.xinetd
Source2: vsftpd.pam
Source3: vsftpd.ftpusers
Source4: vsftpd.user_list
Source6: vsftpd_conf_migrate.sh
Source7: vsftpd.service
Source8: vsftpd@.service
Source9: vsftpd.target
License: GPLv2 with exceptions
URL: https://security.appspot.com/vsftpd.html
Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
Source1: vsftpd.xinetd
Source2: vsftpd.pam
Source3: vsftpd.ftpusers
Source4: vsftpd.user_list
Source6: vsftpd_conf_migrate.sh
Source7: vsftpd.service
Source8: vsftpd@.service
Source9: vsftpd.target
Source10: vsftpd-generator
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: pam-devel
BuildRequires: libcap-devel
BuildRequires: openssl-devel
BuildRequires: systemd
%if %{tcp_wrappers}
BuildRequires: tcp_wrappers-devel
%endif
BuildRequires: git
Requires: logrotate
# Build patches
Patch1: vsftpd-2.1.0-libs.patch
Patch2: vsftpd-2.1.0-build_ssl.patch
Patch3: vsftpd-2.1.0-tcp_wrappers.patch
# Use /etc/vsftpd/ instead of /etc/
Patch4: vsftpd-2.1.0-configuration.patch
# These need review
Patch5: vsftpd-2.1.0-pam_hostname.patch
Patch6: vsftpd-close-std-fds.patch
Patch7: vsftpd-2.1.0-filter.patch
Patch9: vsftpd-2.1.0-userlist_log.patch
Patch10: vsftpd-2.1.0-trim.patch
Patch12: vsftpd-2.1.1-daemonize_plus.patch
Patch14: vsftpd-2.2.0-wildchar.patch
Patch16: vsftpd-2.2.2-clone.patch
Patch19: vsftpd-2.3.4-sd.patch
Patch20: vsftpd-2.3.4-sqb.patch
Patch21: vsftpd-2.3.4-listen_ipv6.patch
Patch22: vsftpd-2.3.5-aslim.patch
Patch23: vsftpd-3.0.0-tz.patch
Patch24: vsftpd-3.0.0-xferlog.patch
Patch25: vsftpd-3.0.0-logrotate.patch
Patch26: vsftpd-3.0.2-lookup.patch
Patch27: vsftpd-3.0.2-uint-uidgid.patch
Patch28: vsftpd-3.0.2-dh.patch
Patch29: vsftpd-3.0.2-ecdh.patch
Patch30: vsftpd-3.0.2-docupd.patch
Patch31: vsftpd-3.0.2-rc450.patch
Patch32: vsftpd-3.0.2-seccomp.patch
Patch33: vsftpd-3.0.2-mrate.patch
Patch34: vsftpd-3.0.2-wnohang.patch
Patch35: vsftpd-3.0.2-del-upl.patch
Patch36: vsftpd-2.2.2-man-pages.patch
Patch37: vsftpd-2.2.2-blank-chars-overflow.patch
Patch38: vsftpd-2.2.2-syslog.patch
Patch1: 0001-Don-t-use-the-provided-script-to-locate-libraries.patch
Patch2: 0002-Enable-build-with-SSL.patch
Patch3: 0003-Enable-build-with-TCP-Wrapper.patch
Patch4: 0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch
Patch5: 0005-Use-hostname-when-calling-PAM-authentication-module.patch
Patch6: 0006-Close-stdin-out-err-before-listening-for-incoming-co.patch
Patch7: 0007-Make-filename-filters-smarter.patch
Patch8: 0008-Write-denied-logins-into-the-log.patch
Patch9: 0009-Trim-whitespaces-when-reading-configuration.patch
Patch10: 0010-Improve-daemonizing.patch
Patch11: 0011-Fix-listing-with-more-than-one-star.patch
Patch12: 0012-Replace-syscall-__NR_clone-.-with-clone.patch
Patch13: 0013-Extend-man-pages-with-systemd-info.patch
Patch14: 0014-Add-support-for-square-brackets-in-ls.patch
Patch15: 0015-Listen-on-IPv6-by-default.patch
Patch16: 0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch
Patch17: 0017-Fix-an-issue-with-timestamps-during-DST.patch
Patch18: 0018-Change-the-default-log-file-in-configuration.patch
Patch19: 0019-Introduce-reverse_lookup_enable-option.patch
Patch20: 0020-Use-unsigned-int-for-uid-and-gid-representation.patch
Patch21: 0021-Introduce-support-for-DHE-based-cipher-suites.patch
Patch22: 0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
Patch23: 0023-Add-documentation-for-isolate_-options.-Correct-defa.patch
Patch24: 0024-Introduce-new-return-value-450.patch
Patch25: 0025-Improve-local_max_rate-option.patch
Patch26: 0026-Prevent-hanging-in-SIGCHLD-handler.patch
Patch27: 0027-Delete-files-when-upload-fails.patch
Patch28: 0028-Fix-man-page-rendering.patch
Patch29: 0029-Fix-segfault-in-config-file-parser.patch
Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
%description
vsftpd is a Very Secure FTP daemon. It was written completely from
scratch.
%prep
%setup -q -n %{name}-%{version}
%autosetup -S git
cp %{SOURCE1} .
%patch1 -p1 -b .libs
%patch2 -p1 -b .build_ssl
%if %{tcp_wrappers}
%patch3 -p1 -b .tcp_wrappers
%endif
%patch4 -p1 -b .configuration
%patch5 -p1 -b .pam_hostname
%patch6 -p1 -b .close_fds
%patch7 -p1 -b .filter
%patch9 -p1 -b .userlist_log
%patch10 -p1 -b .trim
%patch12 -p1 -b .daemonize_plus
%patch14 -p1 -b .wildchar
%patch16 -p1 -b .clone
%patch19 -p1 -b .sd
%patch20 -p1 -b .sqb
%patch21 -p1 -b .listen_ipv6
%patch22 -p1 -b .aslim
%patch23 -p1 -b .tz
%patch24 -p1 -b .xferlog
%patch25 -p1 -b .logrotate
%patch26 -p1 -b .lookup
%patch27 -p1 -b .uint-uidgid
%patch28 -p1 -b .dh
%patch29 -p1 -b .ecdh
%patch30 -p1 -b .docupd
%patch31 -p1 -b .rc450
%patch32 -p1 -b .seccomp
%patch33 -p1 -b .mrate
%patch34 -p1 -b .wnohang
%patch35 -p1 -b .del-upl
%patch36 -p1 -b .man_pages
%patch37 -p1 -b .blank-char-overflow
%patch38 -p1 -b .syslog
%build
%ifarch s390x sparcv9 sparc64
make CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
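Review bot: switching to "%autosetup -S git" applies all 34 patches unconditionally, so the "%if %{tcp_wrappers}" guard that used to surround Patch3 is lost while the "%{!?tcp_wrappers:%define tcp_wrappers 1}" macro and the conditional "BuildRequires: tcp_wrappers-devel" remain. Building with tcp_wrappers set to 0 now still applies 0003-Enable-build-with-TCP-Wrapper.patch but skips the BuildRequires, which will fail at compile time. Either drop the macro and make tcp_wrappers unconditional, or keep the conditional by applying the patches piecewise ("%autosetup -S git -N", "%autopatch -M 2", the guarded "%patch3 -p1", "%autopatch -m 4"). Unrelated but worth noting: "cp %{SOURCE1} ." survives from the old %prep and is fine.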
@ -126,9 +80,7 @@ make CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
%endif
LINK="-pie -lssl" %{?_smp_mflags}
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{vsftpd,pam.d,logrotate.d}
@ -151,9 +103,6 @@ install -m 755 %{SOURCE10} $RPM_BUILD_ROOT%{_generatorsdir}
mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
%clean
rm -rf $RPM_BUILD_ROOT
%post
%systemd_post vsftpd.service
@ -183,6 +132,12 @@ rm -rf $RPM_BUILD_ROOT
%{_var}/ftp
%changelog
* Thu Nov 17 2016 Martin Sehnoutka <msehnout@redhat.com> - 3.0.3-3
- Review patches
- Add TLSv1.{1,2} options
- Fix question mark wildcard within a file name
- Seccomp patch removed
* Fri Apr 08 2016 Martin Sehnoutka <msehnout@redhat.com> - 3.0.3-2
- Applied patches:
- Readd seccomp disabled by default
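Review bot: "Seccomp patch removed" contradicts the patch list above, which still carries and applies "Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch"; reword the entry to what actually happens (the sandbox stays disabled by default) so a reader of the changelog does not assume it is back on. The entry also omits 0032-Propagate-errors-from-nfs-with-quota-to-client.patch, which has no counterpart in the old Patch1..Patch38 list and is therefore new in this release, and "Review patches" alone does not tell a packager that the whole set was renamed and renumbered.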