Hello community,

here is the log from the commit of package vsftpd.3342 for openSUSE:13.1:Update checked in at 2014-12-27 21:05:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/vsftpd.3342 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.vsftpd.3342.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "vsftpd.3342"

Changes:
--------
New Changes file:

--- /dev/null	2014-12-25 22:38:16.200041506 +0100
+++ /work/SRC/openSUSE:13.1:Update/.vsftpd.3342.new/vsftpd.changes	2014-12-27 21:05:49.000000000 +0100
@@ -0,0 +1,851 @@ +------------------------------------------------------------------- +Fri Nov 14 09:19:22 UTC 2014 - [email protected] + +- No longer perform gpg validation; osc source_validator does it + implicit: + + Drop gpg-offline BuildRequires. + + No longer execute gpg_verify. + +------------------------------------------------------------------- +Thu Aug 21 14:21:51 UTC 2014 - [email protected] + +- force using fork() instead of clone() on s390 - fixes bnc#890469 + * vsftpd-3.0.2-s390.patch + +------------------------------------------------------------------- +Mon May 26 13:13:44 UTC 2014 - [email protected] + +- Cleanup with spec-cleaner +- Remove conditions about init files as we do not build for < 12.1 + anyway. +- Update the README.SUSE file to describe more the listen option. + +------------------------------------------------------------------- +Mon May 26 12:52:56 UTC 2014 - [email protected] + +- Add socket service for vsftpd to avoid the need for xinetd here. + +------------------------------------------------------------------- +Mon May 26 12:42:21 UTC 2014 - [email protected] + +- Add comment about listen variables for xinetd configuration. + Fixes bnc#872221. +- Add default configuration as arg to xinetd started vsftpd. +- Updated patch: + * vsftpd-2.0.4-xinetd.diff + +------------------------------------------------------------------- +Thu Apr 10 12:56:03 UTC 2014 - [email protected] + +- Move the enabling of timeofday and alarm one level deeper to + be sure it is whitelisted everytime. + Also should possibly fix bnc#872215. + +- Updated patch: + * vsftpd-enable-gettimeofday-sec.patch + +------------------------------------------------------------------- +Thu Apr 10 12:06:25 UTC 2014 - [email protected] + +- Remove forking from service type as it hangs in endless loop. 
+ +------------------------------------------------------------------- +Wed Apr 2 07:47:05 UTC 2014 - [email protected] + +- Fix warning about dangling symlink on rcvsftpd from rpmlint and + remove also clean section while at it. + +------------------------------------------------------------------- +Wed Apr 2 07:35:27 UTC 2014 - [email protected] + +- Add patch to allow gettimeofday and alarm calls with seccomp + enabled. bnc#870122 +- Added patch: + * vsftpd-enable-gettimeofday-sec.patch + +------------------------------------------------------------------- +Tue Apr 1 07:17:50 UTC 2014 - [email protected] + +- Specify that the service type is forking + +------------------------------------------------------------------- +Mon Jan 27 13:04:19 UTC 2014 - [email protected] + +- changed license to SUSE-GPL-2.0-with-openssl-exception + * suggested by legal team + +------------------------------------------------------------------- +Tue Jan 21 11:00:13 UTC 2014 - [email protected] + +- add allow_root_squashed_chroot option to enable chroot on nsf + mounted with squash_root option (fate#311051) + * vsftpd-root-squashed-chroot.patch + +------------------------------------------------------------------- +Sat Jul 20 21:23:31 UTC 2013 - [email protected] + +- build with OPENSSL_NO_SSL_INTERN this hides internal struct + members or functions that if changed in future openssl versions + will break the ABI of the calling applications. 
+ +------------------------------------------------------------------- +Thu Apr 4 08:35:40 UTC 2013 - [email protected] + +- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1) + * this enabled a sendto on /dev/log socket when syslog is enabled +- provide more verbose explanation about isolate_network and seccomp_sanbox in + config file template +- don't install init file on openSUSE 13.1+ +- drop a build support for SL 10 and older + +------------------------------------------------------------------- +Fri Mar 29 13:15:46 UTC 2013 - [email protected] + +- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38) + * drop CLONE_NEWPID from clone to enable audit system +- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406) + * unconditionally enable F_SETFL patch - might be safe to do + +------------------------------------------------------------------- +Thu Feb 28 16:02:17 UTC 2013 - [email protected] + +- add isolate_network and seccomp_sandbox options to template to make them + easier to find (bnc#786024) + +------------------------------------------------------------------- +Thu Feb 28 13:30:07 UTC 2013 - [email protected] + +- add vsftpd-allow-dev-log-socket.patch (bnc#786024) + * whitelist /dev/log related socket syscall + +------------------------------------------------------------------- +Tue Nov 20 17:19:03 CET 2012 - [email protected] + +- Verify GPG signature. + +------------------------------------------------------------------- +Tue Nov 20 09:21:17 UTC 2012 - [email protected] + +- Fix useradd invocation: -o is useless without -u and newer + versions of pwdutils/shadowutils fail on this now. + +------------------------------------------------------------------- +Mon Oct 22 13:38:57 UTC 2012 - [email protected] + +- update to 3.0.2 (bnc#786024) + * Fix some seccomp related build errors on certain CentOS and Debian versions. + * Seccomp filter sandbox: missing munmap() -- oops. 
Did you know that qsort() + opens and maps /proc/meminfo but only for larger item counts? + * Seccomp filter sandbox: deny socket() gracefully for text_userdb_names. + * Fix various NULL crashes with nonsensical config settings. Noted by Tianyin + Xu <[email protected]>. + * Force cast to unsigned char in is* char functions. + * Fix harmless integer issues in strlist.c. + * Started on a (possibly ill-advised?) crusade to compile cleanly with + Wconversion. Decided to suspend the effort half-way through. + * One more seccomp policy fix: mremap (denied). + * Support STOU with no filename, uses a STOU. prefix. + +------------------------------------------------------------------- +Fri Aug 24 07:07:55 UTC 2012 - [email protected] + +- make seccomp sandbox enabled by default + * dropped vsftpd-3.0.0-turn-seccomp-sandbox-off.patch + +------------------------------------------------------------------- +Mon Apr 23 10:38:40 UTC 2012 - [email protected] + +- fix building on 11.4 x86_64 and lower + * fix where, when, & how __USE_GNU gets #defined + * make seccomp optional and disable it on 10.3 and lower + +------------------------------------------------------------------- +Tue Apr 10 14:13:12 UTC 2012 - [email protected] + +- update to upstream 3.0.0: + * Make listen mode the default. + * Fix missing "const" in ssl.c + * Add seccompsandbox.c to support a seccomp filter sandbox; works against + Ubuntu 12.04 ABI. + * Rearrange ftppolicy.c a bit so the syscall list is easily comparable with + seccompsandbox.c + * Rename deprecated "sandbox" to "ptrace_sandbox". + * Add a few more state checks to the privileged helper processes. + * Add tunable "seccomp_sandbox", default on. + * Use hardened build flags. + * Retry creating a PASV socket upon port reuse race between bind() and + listen(), patch from Ralph Wuerthner <[email protected]>. + * Don't die() if recv() indicates a closed remote connection. 
Problem report + on a Windows client from Herbert van den Bergh, + <[email protected]>. + * Add new config setting "allow_writeable_chroot" to help people in a bit of + a spot with the v2.3.5 defensive change. Only applies to non-anonymous. + * Remove a couple of fixed things from BUGS. + * strlen() trunction fix -- no particular impact. + * Apply some tidyups from [email protected]. + * Fix delete_failed_uploads if there is a timeout. Report from Alejandro + Hernández Hdez <[email protected]>. + * Fix other data channel bugs such as failure to log failure upon timeout. + * Use exit codes a bit more consistently. + * Fix bad interaction between SSL and trans_chunk_size. + * Redo data timeout to fire properly for SSL sessions. + * Redo idle timeout to fire properly for SSL sessions. + * Make sure PROT_EXEC isn't allowed, thanks to Will Drewry for noticing. + * Use 10 minutes as a max linger time just in case an alarm gets lost. + * Change PR_SET_NO_NEW_PRIVS define, from Kees Cook. + * Add AES128-SHA to default SSL cipher suites for FileZilla compatibility. 
+ Unfortunately the default vsftpd SSL confiuration still doesn't fully work with ++++ 654 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.vsftpd.3342.new/vsftpd.changes

New:
----
  README.SUSE
  vsftpd-2.0.4-dmapi.patch
  vsftpd-2.0.4-enable-ssl.patch
  vsftpd-2.0.4-lib64.diff
  vsftpd-2.0.4-xinetd.diff
  vsftpd-2.0.5-enable-debuginfo.patch
  vsftpd-2.0.5-utf8-log-names.patch
  vsftpd-2.0.5-vuser.patch
  vsftpd-2.3.5-conf.patch
  vsftpd-3.0.0-optional-seccomp.patch
  vsftpd-3.0.0_gnu_source_defines.patch
  vsftpd-3.0.2-s390.patch
  vsftpd-3.0.2.tar.gz
  vsftpd-3.0.2.tar.gz.asc
  vsftpd-allow-dev-log-socket.patch
  vsftpd-drop-newpid-from-clone.patch
  vsftpd-enable-dev-log-sendto.patch
  vsftpd-enable-fcntl-f_setfl.patch
  vsftpd-enable-gettimeofday-sec.patch
  vsftpd-root-squashed-chroot.patch
  vsftpd.changes
  vsftpd.firewall
  vsftpd.keyring
  vsftpd.logrotate
  vsftpd.pam
  vsftpd.service
  vsftpd.socket
  vsftpd.spec
  vsftpd.xml
  vsftpd@.service

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ vsftpd.spec ++++++
#
# spec file for package vsftpd
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           vsftpd
Version:        3.0.2
Release:        0
Summary:        Very Secure FTP Daemon - Written from Scratch
License:        SUSE-GPL-2.0-with-openssl-exception
Group:          Productivity/Networking/Ftp/Servers
Url:            https://security.appspot.com/vsftpd.html
Source0:        https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
Source1:        %{name}.pam
Source2:        %{name}.logrotate
Source4:        README.SUSE
Source5:        %{name}.xml
Source6:        %{name}.firewall
Source7:        vsftpd.service
Source8:        vsftpd@.service
Source9:        %{name}.keyring
Source10:       vsftpd.socket
Source1000:     https://security.appspot.com/downloads/%{name}-%{version}.tar.gz.asc
Patch1:         vsftpd-2.0.4-lib64.diff
Patch3:         vsftpd-2.0.4-xinetd.diff
Patch4:         vsftpd-2.0.4-enable-ssl.patch
Patch5:         vsftpd-2.0.4-dmapi.patch
Patch6:         vsftpd-2.0.5-vuser.patch
Patch7:         vsftpd-2.0.5-enable-debuginfo.patch
Patch8:         vsftpd-2.0.5-utf8-log-names.patch
Patch9:         vsftpd-2.3.5-conf.patch
Patch10:        vsftpd-3.0.0_gnu_source_defines.patch
Patch11:        vsftpd-3.0.0-optional-seccomp.patch
#PATCH-FIX-OPENSUSE: bnc#786024
Patch12:        vsftpd-allow-dev-log-socket.patch
#PATCH-FIX-OPENSUSE: bnc#786024, second issue with pam_login_acct
Patch13:        vsftpd-drop-newpid-from-clone.patch
#PATCH-FIX-OPENSUSE: bnc#812406
Patch14:        vsftpd-enable-fcntl-f_setfl.patch
#PATCH-FIX-OPENSUSE: bnc#812406
Patch15:        vsftpd-enable-dev-log-sendto.patch
#PATCH-FEATURE-SUSE: FATE#311051, call chroot with user credentials to enable NFS with squash_root option
Patch16:        vsftpd-root-squashed-chroot.patch
#PATCH-FIX-UPSTREAM: bnc#870122
Patch17:        vsftpd-enable-gettimeofday-sec.patch
#PATCH-FIX-UPSTREAM: bnc#890469 fix broken syscall on s390
Patch18:        vsftpd-3.0.2-s390.patch
BuildRequires:  libcap-devel
BuildRequires:  openssl-devel
BuildRequires:  pam-devel
BuildRequires:  systemd
Requires:       logrotate
Requires(pre):  %{_sbindir}/useradd
Provides:       ftp-server
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%{?systemd_requires}

%description
Vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure. Obviously
this is not a guarantee, but the entire codebase was written with security in
mind, and carefully designed to be resilient to attack.

Recent evidence suggests that vsftpd is also extremely fast (and this is before
any explicit performance tuning!). In tests against wu-ftpd, vsftpd was always
faster, supporting over twice as many users in some tests.

%prep
%setup -q
%patch1
%patch3 -p1
%patch4
%patch5
%patch6
%patch7
%patch8
%patch9
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1

%build
%define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP
rm -f dummyinc/sys/capability.h
make CFLAGS="%{optflags} -DOPENSSL_NO_SSL_INTERN -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -fstack-protector --param=ssp-buffer-size=4 %{seccomp_opts}" \
     LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now" LINK=

%install
mkdir -p %{buildroot}%{_datadir}/empty
cp %{SOURCE4} .
install -D -m 755 %{name} %{buildroot}%{_sbindir}/%{name}
install -D -m 600 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}.conf
install -D -m 600 xinetd.d/%{name} %{buildroot}%{_sysconfdir}/xinetd.d/%{name}
install -D -m 644 $RPM_SOURCE_DIR/%{name}.pam %{buildroot}%{_sysconfdir}/pam.d/%{name}
install -D -m 644 $RPM_SOURCE_DIR/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -D -m 644 %{name}.conf.5 %{buildroot}/%{_mandir}/man5/%{name}.conf.5
install -D -m 644 %{name}.8 %{buildroot}/%{_mandir}/man8/%{name}.8
ln -sf service %{buildroot}/%{_sbindir}/rc%{name}
install -D -m 0644 %{SOURCE7} %{buildroot}/%{_unitdir}/%{name}.service
install -D -m 0644 %{SOURCE8} %{buildroot}/%{_unitdir}/%{name}@.service
install -D -m 0644 %{SOURCE10} %{buildroot}/%{_unitdir}/%{name}.socket
install -d %{buildroot}/%{_datadir}/omc/svcinfo.d/
install -D -m 644 %{SOURCE5} %{buildroot}/%{_datadir}/omc/svcinfo.d/
install -d %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/
install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}

%pre
%{_sbindir}/useradd -r -g nogroup -s /bin/false -c "Secure FTP User" -d %{_localstatedir}/lib/empty ftpsecure 2> /dev/null || :
%service_add_pre %{name}.service

%preun
%service_del_preun %{name}.service

%post
%service_add_post %{name}.service

%postun
%service_del_postun %{name}.service

%files
%defattr(-,root,root)
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}.socket
%{_unitdir}/%{name}@.service
%{_sbindir}/%{name}
%{_sbindir}/rc%{name}
%{_datadir}/omc/svcinfo.d/vsftpd.xml
%dir %{_datadir}/empty
%config(noreplace) %{_sysconfdir}/xinetd.d/%{name}
%config(noreplace) %{_sysconfdir}/%{name}.conf
%config %{_sysconfdir}/pam.d/%{name}
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%{_mandir}/man5/%{name}.conf.*
%{_mandir}/man8/%{name}.*
%doc BUGS AUDIT Changelog LICENSE README README.security
%doc REWARD SPEED TODO SECURITY TUNING SIZE FAQ EXAMPLE COPYING
%doc README.SUSE
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}

%changelog
++++++ README.SUSE ++++++
vsftpd-3.0.0 made the listen mode the default. In order to maintain backward
compatibility, the default /etc/vsftpd.conf in SUSE contains

listen=NO
listen_ipv6=YES

If you plan to use xinetd (/etc/xinetd.d/vsftpd) you don't need to change
anything by default, but if you have IPv6 available you have to set
listen_ipv6=NO too in order for xinetd to work.

Alternatively you can also use the systemd socket service that listens on
port 21 and starts the server like xinetd would. This service does not require
you to change ANY variable in /etc/vsftpd.conf.
++++++ vsftpd-2.0.4-dmapi.patch ++++++
Index: postlogin.c
===================================================================
--- postlogin.c.orig	2012-04-10 16:09:50.440384915 +0200
+++ postlogin.c	2012-04-10 16:10:01.193753389 +0200
@@ -1053,6 +1053,11 @@ { do_truncate = 1; } + if (new_file_fd >= 0) { + vsf_sysutil_fstat(new_file_fd, &s_p_statbuf); + if (vsf_sysutil_statbuf_is_regfile(s_p_statbuf)) + vsf_sysutil_deactivate_noblock(new_file_fd); + } } if (vsf_sysutil_retval_is_error(new_file_fd)) { ++++++ vsftpd-2.0.4-enable-ssl.patch ++++++ --- builddefs.h.orig +++ builddefs.h @@ -3,7 +3,7 @@ #undef VSF_BUILD_TCPWRAPPERS #define VSF_BUILD_PAM -#undef VSF_BUILD_SSL +#define VSF_BUILD_SSL #endif /* VSF_BUILDDEFS_H */ ++++++ vsftpd-2.0.4-lib64.diff ++++++ Index: vsf_findlibs.sh =================================================================== --- vsf_findlibs.sh.orig 2012-04-10 16:09:50.571389404 +0200 +++ vsf_findlibs.sh 2012-04-10 16:09:53.709496934 +0200 @@ -14,6 +14,7 @@ # crypt library. if find_func pam_start sysdeputil.o; then locate_library /lib/libpam.so.0 && echo "/lib/libpam.so.0"; + locate_library /lib64/libpam.so.0 && echo "/lib64/libpam.so.0"; locate_library /usr/lib/libpam.so && echo "-lpam"; locate_library /usr/lib64/libpam.so && echo "-lpam"; locate_library /lib/x86_64-linux-gnu/libpam.so.0 && echo "-lpam"; @@ -23,6 +24,7 @@ locate_library /usr/lib/libpam.a && echo "-lpam"; else locate_library /lib/libcrypt.so && echo "-lcrypt"; + locate_library /lib64/libcrypt.so && echo "-lcrypt"; locate_library /usr/lib/libcrypt.so && echo "-lcrypt"; locate_library /usr/lib64/libcrypt.so && echo "-lcrypt"; locate_library /lib/x86_64-linux-gnu/libcrypt.so && echo "-lcrypt"; ++++++ vsftpd-2.0.4-xinetd.diff ++++++ diff -urN vsftpd-3.0.2.old/xinetd.d/vsftpd vsftpd-3.0.2/xinetd.d/vsftpd --- vsftpd-3.0.2.old/xinetd.d/vsftpd 2014-05-26 14:38:40.717042497 +0200 +++ vsftpd-3.0.2/xinetd.d/vsftpd 2014-05-26 14:41:23.753049249 +0200 
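Review bot: the block added to postlogin.c has no description explaining why O_NONBLOCK is cleared on a regular-file upload target (the patch name suggests DMAPI-managed filesystems), and its brace style (`if (new_file_fd >= 0) {` with the brace on the same line) differs from the surrounding code, which puts braces on their own lines. Add a short header to the patch stating the motivation, and since `if (vsf_sysutil_retval_is_error(new_file_fd))` immediately follows and tests the same condition, fold the new fstat/deactivate step into that branch structure rather than checking `new_file_fd` twice.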
@@ -1,18 +1,26 @@ -# default: on +# default: off # description: # The vsftpd FTP server serves FTP connections. It uses # normal, unencrypted usernames and passwords for authentication. # vsftpd is designed to be secure. +# +# NOTE: This file contains the configuration for xinetd to start vsftpd. +# the configuration file for vsftp itself is in /etc/vsftpd.conf +# +# NOTE: Remember to set both listen and listen_ipv6 to NO in /etc/vsftpd.conf +# in order to have working xinetd connection. +# service ftp { socket_type = stream + protocol = tcp wait = no user = root - server = /usr/local/sbin/vsftpd -# server_args = -# log_on_success += DURATION USERID -# log_on_failure += USERID - nice = 10 - disable = no + server = /usr/sbin/vsftpd + server_args = /etc/vsftpd.conf +# log_on_success += DURATION USERID +# log_on_failure += USERID +# nice = 10 + disable = yes } ++++++ vsftpd-2.0.5-enable-debuginfo.patch ++++++ Index: Makefile =================================================================== --- Makefile.orig 2012-04-03 09:21:18.000000000 +0200 +++ Makefile 2012-04-10 16:10:53.545547162 +0200 @@ -9,7 +9,6 @@ #-pedantic -Wconversion LIBS = `./vsf_findlibs.sh` -LINK = -Wl,-s LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \ @@ -26,7 +25,7 @@ $(CC) -c $*.c $(CFLAGS) $(IFLAGS) vsftpd: $(OBJS) - $(CC) -o vsftpd $(OBJS) $(LINK) $(LDFLAGS) $(LIBS) + $(CC) -o vsftpd $(OBJS) $(LDFLAGS) $(LIBS) install: if [ -x /usr/local/sbin ]; then \ ++++++ vsftpd-2.0.5-utf8-log-names.patch ++++++ Index: str.c =================================================================== --- str.c.orig 2012-03-28 17:25:40.000000000 +0200 +++ str.c 2012-04-10 16:10:59.965767345 +0200 
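Review bot: once the Makefile hunk deletes `LINK = -Wl,-s` and removes `$(LINK)` from the link line, the `LINK=` that %build in vsftpd.spec still passes to `make` no longer overrides anything. Either drop `LINK=` from the spec, or keep the patch smaller by leaving the Makefile variable in place and letting the spec's `LINK=` alone prevent the binary from being stripped, which is all that is needed to keep debuginfo.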
@@ -27,6 +27,24 @@ const char* p_buf2, unsigned int buf2_len); /* Private functions */ +static int +continuation_char(unsigned char str, int* val) +{ + if ((str & 0xc0) != 0x80) /* 10xxxxxx */ + return 0; + (*val) <<= 6; + (*val) |= str & 0x3f; + return 1; +} + +static int +unicode_valid(int b) +{ + return (b < 0x110000 && ((b & 0xFFFFF800) != 0xD800) + && (b < 0xFDD0 || b > 0xFDEF) + && (b & 0xFFFE) != 0xFFFE); +} + static void s_setbuf(struct mystr* p_str, char* p_newbuf) { @@ -181,6 +199,45 @@ p_str->p_buf[res_len - 1] = '\0'; } +int str_is_utf8( const struct mystr* p_str ) +{ + unsigned int i; + int min = 0, val = 0; + + for(i = 0; i < p_str->len; i++) + { + if( (unsigned char)p_str->p_buf[i] < 128) continue; + + if((p_str->p_buf[i] & 0xe0) == 0xc0) { /* 110xxxxx */ + if((p_str->p_buf[i] & 0x1e) == 0) return 0; + i++; + if((p_str->p_buf[i] & 0xc0) != 0x80) /* 10xxxxxx */ + return 0; + } else { + if((p_str->p_buf[i] & 0xf0) == 0xe0) { /* 1110xxxx */ + min = (1 << 11); + val = p_str->p_buf[i] & 0x0f; + goto TWO_REMAINING; + } else if((p_str->p_buf[i] & 0xf8) == 0xf0) { /* 11110xxx */ + min = (1 << 16); + val = p_str->p_buf[i] & 0x07; + } else { + return 0; + } + i++; + if(!continuation_char(p_str->p_buf[i], &val)) return 0; +TWO_REMAINING: + i++; + if(!continuation_char(p_str->p_buf[i], &val)) return 0; + i++; + if(!continuation_char(p_str->p_buf[i], &val)) return 0; + if(val < min || !unicode_valid(val)) return 0; + } + } + return 1; +} + + int str_isempty(const struct mystr* p_str) { 
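Review bot: in `str_is_utf8`, every `i++` that moves on to a continuation byte is done without first checking that `i + 1 < p_str->len`, so a lead byte at the very end of the string makes the loop read `p_str->p_buf[p_str->len]` (and, for the 3- and 4-byte branches, potentially further). The function is only rescued by the NUL terminator that the mystr buffer carries, which fails the `(… & 0xc0) != 0x80` test; add an explicit bounds check before each advance, e.g. `if (i + 1 >= p_str->len) return 0;`, so correctness does not depend on the buffer layout.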
@@ -702,11 +759,13 @@ str_replace_unprintable(struct mystr* p_str, char new_char) { unsigned int i; - for (i=0; i < p_str->len; i++) - { - if (!vsf_sysutil_isprint(p_str->p_buf[i])) + if( !str_is_utf8( p_str ) ) { + for (i=0; i < p_str->len; i++) { - p_str->p_buf[i] = new_char; + if (!vsf_sysutil_isprint(p_str->p_buf[i])) + { + p_str->p_buf[i] = new_char; + } } } } Index: str.h =================================================================== --- str.h.orig 2008-12-17 06:53:23.000000000 +0100 +++ str.h 2012-04-10 16:10:59.965767345 +0200 @@ -36,6 +36,7 @@ void str_trunc(struct mystr* p_str, unsigned int trunc_len); void str_reserve(struct mystr* p_str, unsigned int res_len); +int str_is_utf8(const struct mystr* p_str); int str_isempty(const struct mystr* p_str); unsigned int str_getlen(const struct mystr* p_str); const char* str_getbuf(const struct mystr* p_str); ++++++ vsftpd-2.0.5-vuser.patch ++++++ --- EXAMPLE/VIRTUAL_USERS/vsftpd.pam.orig +++ EXAMPLE/VIRTUAL_USERS/vsftpd.pam @@ -1,2 +1,2 @@ -auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login -account required /lib/security/pam_userdb.so db=/etc/vsftpd_login +auth required pam_userdb.so db=/etc/vsftpd_login +account required pam_userdb.so db=/etc/vsftpd_login ++++++ vsftpd-2.3.5-conf.patch ++++++ Index: vsftpd.conf =================================================================== --- vsftpd.conf.orig +++ vsftpd.conf 
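Review bot: wrapping the replacement loop in `if( !str_is_utf8( p_str ) )` switches the sanitisation off for every string that passes the check, and because `str_is_utf8` accepts any byte below 128 with `continue`, a plain ASCII name containing `\r`, `\n` or ESC is now left untouched and reaches the log verbatim. Keep replacing bytes below 0x80 that fail `vsf_sysutil_isprint` in all cases and only exempt the bytes that belong to a validated multi-byte sequence.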
@@ -4,23 +4,89 @@ # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # +# If you do not change anything here you will have a minimum setup for an +# anonymus FTP server. +# # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # -# Allow anonymous FTP? (Beware - allowed by default if you comment this out). -anonymous_enable=YES -# -# Uncomment this to allow local users to log in. -#local_enable=YES +# ################ +# General Settings +# ################ # # Uncomment this to enable any form of FTP write command. -#write_enable=YES +write_enable=NO +# +# Activate directory messages - messages given to remote users when they +# go into a certain directory. +dirmessage_enable=YES +# +# It is recommended that you define on your system a unique user which the +# ftp server can use as a totally isolated and unprivileged user. +nopriv_user=ftpsecure +# +# You may fully customise the login banner string: +#ftpd_banner=Welcome to blah FTP service. +# +# You may activate the "-R" option to the builtin ls. This is disabled by +# default to avoid remote users being able to cause excessive I/O on large +# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume +# the presence of the "-R" option, so there is a strong case for enabling it. +#ls_recurse_enable=YES +# +# You may specify a file of disallowed anonymous e-mail addresses. Apparently +# useful for combatting certain DoS attacks. +#deny_email_enable=YES +# (default follows) +#banned_email_file=/etc/vsftpd.banned_emails +# +# If enabled, all user and group information in +# directory listings will be displayed as "ftp". +#hide_ids=YES +# +# ####################### +# Local FTP user Settings +# ####################### +# +# Uncomment this to allow local users to log in. 
+local_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) #local_umask=022 # +# You may specify an explicit list of local users to chroot() to their home +# directory. If chroot_local_user is YES, then this list becomes a list of +# users to NOT chroot(). +#chroot_local_user=YES +#chroot_list_enable=YES +# (default follows) +#chroot_list_file=/etc/vsftpd.chroot_list +# +# The maximum data transfer rate permitted, in bytes per second, for +# local authenticated users. The default is 0 (unlimited). +#local_max_rate=7200 +# +# ########################## +# Anonymus FTP user Settings +# ########################## +# +# Allow anonymous FTP? (Beware - allowed by default if you comment this out). +anonymous_enable=YES +# +# The maximum data transfer rate permitted, in bytes per second, for anonymous +# authenticated users. The default is 0 (unlimited). +#anon_max_rate=7200 +# +# Anonymous users will only be allowed to download files which are +# world readable. +anon_world_readable_only=YES +# +# Default umask for anonymus users is 077. You may wish to change this to 022, +# if your users expect that (022 is used by most other ftpd's) +#anon_umask=022 +# # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. 
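Review bot: the new comment lines spell "anonymous" as "anonymus" three times in this hunk ("a minimum setup for an anonymus FTP server", "Anonymus FTP user Settings", "Default umask for anonymus users"); fix the spelling before this template ships in /etc/vsftpd.conf.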
@@ -30,15 +96,9 @@ anonymous_enable=YES # new directories. #anon_mkdir_write_enable=YES # -# Activate directory messages - messages given to remote users when they -# go into a certain directory. -dirmessage_enable=YES -# -# Activate logging of uploads/downloads. -xferlog_enable=YES -# -# Make sure PORT transfer connections originate from port 20 (ftp-data). -connect_from_port_20=YES +# Uncomment this to enable anonymus FTP users to perform other write operations +# like deletion and renaming. +#anon_other_write_enable=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not 
@@ -46,24 +106,51 @@ connect_from_port_20=YES #chown_uploads=YES #chown_username=whoever # +# ############ +# Log Settings +# ############ +# +# Log to the syslog daemon instead of using an logfile. +syslog_enable=YES +# +# Uncomment this to log all FTP requests and responses. +#log_ftp_protocol=YES +# +# Activate logging of uploads/downloads. +#xferlog_enable=YES +# # You may override where the log file goes if you like. The default is shown # below. -#xferlog_file=/var/log/vsftpd.log +# +#vsftpd_log_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. #xferlog_std_format=YES # +# You may override where the log file goes if you like. The default is shown +# below. +#xferlog_file=/var/log/vsftpd.log +# +# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log. +#dual_log_enable=YES +# +# Uncomment this to enable session status information in the system process listing. +#setproctitle_enable=YES +# +# ################# +# Transfer Settings +# ################# +# +# Make sure PORT transfer connections originate from port 20 (ftp-data). +connect_from_port_20=YES +# # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # -# It is recommended that you define on your system a unique user which the -# ftp server can use as a totally isolated and unprivileged user. -#nopriv_user=ftpsecure -# # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. 
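Review bot: turning `xferlog_enable=YES` into a comment while adding `syslog_enable=YES` leaves transfer logging off by default, because `syslog_enable` only redirects the log output that `xferlog_enable` (or `log_ftp_protocol`) produces; keep `xferlog_enable=YES` active so uploads and downloads are still recorded. Also "instead of using an logfile" should read "a logfile" and "have booth logfiles" should read "both logfiles".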
@@ -77,41 +164,46 @@ connect_from_port_20=YES # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. -#ascii_upload_enable=YES +ascii_upload_enable=YES #ascii_download_enable=YES # -# You may fully customise the login banner string: -#ftpd_banner=Welcome to blah FTP service. -# -# You may specify a file of disallowed anonymous e-mail addresses. Apparently -# useful for combatting certain DoS attacks. -#deny_email_enable=YES -# (default follows) -#banned_email_file=/etc/vsftpd.banned_emails -# -# You may specify an explicit list of local users to chroot() to their home -# directory. If chroot_local_user is YES, then this list becomes a list of -# users to NOT chroot(). -# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that -# the user does not have write access to the top level directory within the -# chroot) -#chroot_local_user=YES -#chroot_list_enable=YES -# (default follows) -#chroot_list_file=/etc/vsftpd.chroot_list +# Set to NO if you want to disallow the PASV method of obtaining a data +# connection. +#pasv_enable=NO # -# You may activate the "-R" option to the builtin ls. This is disabled by -# default to avoid remote users being able to cause excessive I/O on large -# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume -# the presence of the "-R" option, so there is a strong case for enabling it. -#ls_recurse_enable=YES +# PAM setting. Do NOT change this unless you know what you do! +pam_service_name=vsftpd # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. -listen=YES +listen=NO # # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 # sockets, you must run two copies of vsftpd with two configuration files. # Make sure, that one of the listen options is commented !! 
-#listen_ipv6=YES +listen_ipv6=YES +# +# Set to ssl_enable=YES if you want to enable SSL +ssl_enable=NO +# +# Limit passive ports to this range to assis firewalling +pasv_min_port=30000 +pasv_max_port=30100 + +### security features that are incompatible with some other settings. ### + +# isolate_network ensures the vsftpd subprocess is started in own network +# namespace (see CLONE_NEWNET in clone(2)). It however disables the +# authentication methods needs the network access (LDAP, NIS, ...). +#isolate_network=NO + +# seccomp_sanbox add an aditional security layer limiting the number of a +# syscalls can be performed via vsftpd. However it might happen that a +# whitelist don't allow a legitimate call (usually indirectly triggered by +# third-party library like pam, or openssl) and the process is being killed by kernel. +# +# Therefor if your server dies on common situations (file download, upload), +# uncomment following line and don't forget to open bug at +# https://bugzilla.novell.com +#seccomp_sandbox=NO ++++++ vsftpd-3.0.0-optional-seccomp.patch ++++++ --- vsftpd-3.0.0/seccompsandbox.c 2012-04-04 18:41:51.000000000 -0400 +++ vsftpd-3.0.0+/seccompsandbox.c 2012-04-23 06:06:00.000000000 -0400 @@ -10,7 +10,7 @@ #include "seccompsandbox.h" -#if defined(__linux__) && defined(__x86_64__) +#if defined(__linux__) && defined(__x86_64__) && defined(USE_SECCOMP) #include "session.h" #include "sysutil.h" ++++++ vsftpd-3.0.0_gnu_source_defines.patch ++++++ diff -aur vsftpd-3.0.0/sysdeputil.c vsftpd-3.0.0+/sysdeputil.c --- vsftpd-3.0.0/sysdeputil.c 2010-03-25 23:25:33.000000000 -0400 +++ vsftpd-3.0.0+/sysdeputil.c 2012-04-23 04:39:39.000000000 -0400 
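Review bot: this hunk deletes the chroot block together with its warning "(Warning! chroot'ing can be very dangerous. If using chroot, make sure that the user does not have write access to the top level directory within the chroot)", but the earlier hunk that re-adds `#chroot_local_user=YES` and `#chroot_list_enable=YES` does not carry the warning over; restore it there. Changing `#ascii_upload_enable=YES` to `ascii_upload_enable=YES` also contradicts the surrounding comment that calls ASCII mangling a horrible feature, so either justify the new default or leave it commented. Spelling in the added comments: "assis", "seccomp_sanbox", "aditional", "Therefor" and "authentication methods needs" should read "assist", "seccomp_sandbox", "additional", "Therefore" and "authentication methods that need".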
@@ -60,7 +60,9 @@ #define VSF_SYSDEP_HAVE_LIBCAP #define VSF_SYSDEP_HAVE_UTMPX +#ifndef __USE_GNU #define __USE_GNU +#endif #include <utmpx.h> /* BEGIN config */ ++++++ vsftpd-3.0.2-s390.patch ++++++ Index: vsftpd-3.0.2/sysdeputil.c =================================================================== --- vsftpd-3.0.2.orig/sysdeputil.c 2014-08-21 16:12:59.845872489 +0200 +++ vsftpd-3.0.2/sysdeputil.c 2014-08-21 16:14:59.641431931 +0200 @@ -66,7 +66,7 @@ #include <utmpx.h> /* BEGIN config */ -#if defined(__linux__) +#if defined(__linux__) && !defined(__s390__) #include <errno.h> #include <syscall.h> #define VSF_SYSDEP_HAVE_LINUX_CLONE ++++++ vsftpd-allow-dev-log-socket.patch ++++++ From: [email protected] Subject: enable /dev/log related socket call Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp sandbox, daemon is killed by SIGSYS. Because the attempt is made by process with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in pam. Anyway I would say the risc is small, and other socket syscalls are disabled. Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024 Index: vsftpd-3.0.2/seccompsandbox.c =================================================================== --- vsftpd-3.0.2.orig/seccompsandbox.c +++ vsftpd-3.0.2/seccompsandbox.c @@ -353,6 +353,15 @@ seccomp_sandbox_setup_prelogin(const str { allow_nr_1_arg_match(__NR_recvmsg, 3, 0); } + + //this is very probably an attempt to open /dev/log + //it fails because process cannot open any file, so it might be safe + //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files) + allow_nr_3_arg_match(__NR_socket, + 1, PF_FILE, + 2, SOCK_DGRAM | SOCK_CLOEXEC, + 3, 0); + } void ++++++ vsftpd-drop-newpid-from-clone.patch ++++++ 
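Review bot: `#define __USE_GNU` in sysdeputil.c sets a glibc-internal macro that features.h derives from _GNU_SOURCE; wrapping it in `#ifndef __USE_GNU` avoids a redefinition warning but not the underlying problem, which is that every header included before line 60 was already parsed without it. The supported fix is `#define _GNU_SOURCE` before the first #include of the file (or -D_GNU_SOURCE in CFLAGS) and dropping the __USE_GNU line; if the file-local define is kept, add a comment naming the utmpx.h declaration it is needed for.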
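Review bot: `!defined(__s390__)` excludes s390/s390x from the entire `#if defined(__linux__)` block, not just from the clone path: besides VSF_SYSDEP_HAVE_LINUX_CLONE, the errno.h/syscall.h includes and whatever further Linux defines follow in that block (outside the hunk's context) are lost on s390. Narrow the condition to the one define, e.g. wrap only `#define VSF_SYSDEP_HAVE_LINUX_CLONE` in `#if !defined(__s390__)`, and record in the changelog that vsftpd on s390 therefore runs without the IPC/network namespace isolation that the clone-based vsf_sysutil_fork_isolate*() paths provide, since they fall back to fork().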
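Review bot: the new allow_nr_3_arg_match(__NR_socket, PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) rule in seccomp_sandbox_setup_prelogin() is justified in its comment by the call failing with EMFILE under RLIMIT_NOFILE, but the filter does not depend on that limit: if the descriptor limit is ever raised or a slot is free, the pre-login process can create a unix datagram socket. The header already names the proper fix (have PAM check for a free descriptor); at minimum state the RLIMIT_NOFILE dependency at the allow site, use the AF_UNIX spelling rather than the PF_FILE alias, and switch the `//` comments to the `/* */` style the rest of seccompsandbox.c uses. "risc" -> "risk" in the description.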
From: Michal Vyskocil <[email protected]> Subject: Drop CLONE_NEWPID from clone call Kernel autid system prohibits the processes created with CLONE_NEWPID, so an attempt to log into ftp server ends with audit_log_acct_message() failed: Operation not permitted https://bugzilla.novell.com/show_bug.cgi?id=786024#c38 identified-by: Tony Jones <[email protected]> fixes: bnc#786024 Index: vsftpd-3.0.2/sysdeputil.c =================================================================== --- vsftpd-3.0.2.orig/sysdeputil.c +++ vsftpd-3.0.2/sysdeputil.c @@ -1272,7 +1272,7 @@ vsf_sysutil_fork_isolate_all_failok() if (cloneflags_work) { int ret = syscall(__NR_clone, - CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD, + CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD, NULL); if (ret != -1 || (errno != EINVAL && errno != EPERM)) { @@ -1295,7 +1295,7 @@ vsf_sysutil_fork_isolate_failok() static int cloneflags_work = 1; if (cloneflags_work) { - int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL); + int ret = syscall(__NR_clone, CLONE_NEWIPC | SIGCHLD, NULL); if (ret != -1 || (errno != EINVAL && errno != EPERM)) { if (ret == 0) ++++++ vsftpd-enable-dev-log-sendto.patch ++++++ From: [email protected] Subject: enable sendto to /dev/log vsftpd is killed once a file is downloaded and it try to log the success to /dev/log. This patch enables a sendto on fd 4, in a case the syslog logging is enabled. Fixes: https://bugzilla.novell.com/show_bug.cgi?id=812406 --- seccompsandbox.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) Index: vsftpd-3.0.2/seccompsandbox.c =================================================================== --- vsftpd-3.0.2.orig/seccompsandbox.c +++ vsftpd-3.0.2/seccompsandbox.c 
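Review bot: both hunks drop CLONE_NEWPID unconditionally, which removes PID-namespace isolation on every system, not only where auditing is enabled. The existing cloneflags_work fallback cannot cover this case because clone() itself succeeds and the failure only surfaces later in audit_log_acct_message(), so an unconditional change is understandable, but the header should say plainly that vsf_sysutil_fork_isolate_all_failok() and vsf_sysutil_fork_isolate_failok() now isolate only IPC (and network), and a tunable that re-enables CLONE_NEWPID on hosts without audit would avoid losing the isolation permanently. "autid" -> "audit" in the header.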
@@ -503,6 +501,15 @@ seccomp_sandbox_setup_postlogin(const st allow_nr(__NR_chmod); } } + + /* + * MV: this enables logging to the syslog - the vsf_log_do_log are in postlogin.c and privops.c, but hopefully this is enough + */ + if (tunable_syslog_enable) + { + allow_nr_1_arg_mask(__NR_sendto, 1, 4); + } + } void ++++++ vsftpd-enable-fcntl-f_setfl.patch ++++++ From: Michal Vyskocil <[email protected]> Subject: Enable fcntl F_SETFL The fcntl with F_SETFL is called from various parts of a vsftpd code, thus add it unconditionally to seccomp sandbox. I've failed to limit it more, however most arguments of F_SETFL are ignored on Linux and the remaining set seems to be safe. fixes: bnc#786024 --- seccompsandbox.c | 22 ++++++++++++++++++++++ 5 files changed, 45 insertions(+), 6 deletions(-) Index: vsftpd-3.0.2/seccompsandbox.c =================================================================== --- vsftpd-3.0.2.orig/seccompsandbox.c +++ vsftpd-3.0.2/seccompsandbox.c @@ -306,6 +306,25 @@ seccomp_sandbox_setup_base() /* Always need to be able to exit ! */ allow_nr(__NR_exit_group); + + /* + * MV: this is needed for + * vsf_sysutil_activate_noblock + * vsf_sysutil_deactivate_noblock + * + * both called from various places (like all those die, bug in utilities), + * so lets enable it by default + */ + allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL); + allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL); + + /* + * MV: this form have newer worked, neither with O_RDWR, O_RDWR|O_NONBLOCK + * however fcntl(2) says that most of arguments to fcntl are ignored on Linux + * thus this might be safe to do + */ + //allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR); + } void ++++++ vsftpd-enable-gettimeofday-sec.patch ++++++ diff -urN vsftpd-3.0.2/seccompsandbox.c vsftpd-3.0.2.new/seccompsandbox.c --- vsftpd-3.0.2/seccompsandbox.c 2012-09-18 08:52:30.000000000 +0200 +++ vsftpd-3.0.2.new/seccompsandbox.c 2014-04-10 14:55:30.855607231 +0200 
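Review bot: allow_nr_1_arg_mask(__NR_sendto, 1, 4) is a mask comparison on a file-descriptor argument; descriptor numbers are not bit flags, so this does not express "fd == 4" and, depending on the helper's semantics, admits other descriptor values whose bits fit the mask. The header says sendto on fd 4, so use allow_nr_1_arg_match(__NR_sendto, 1, 4) as the other fd rules in this file do, and add a comment explaining why the syslog socket is assumed to sit on descriptor 4 (if the fd layout changes the process dies with SIGSYS again). The diffstat ("17 +++++++++++++++--", 15 insertions, 2 deletions) does not match the single 9-line hunk, and the hunk header (-503 vs +501) implies earlier changes to this file that the patch does not contain; regenerate it.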
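Review bot: allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL) in seccomp_sandbox_setup_base() admits any value in the third argument, so the sandboxed process may now also set O_APPEND, O_ASYNC (SIGIO delivery), O_DIRECT and O_NOATIME, which fcntl(2) lists as changeable through F_SETFL; the "most arguments are ignored" remark applies to the access mode and creation flags, not to these. The commented-out allow_nr_2_arg_match(..., 3, O_RDWR) presumably never matched because vsf_sysutil_activate_noblock()/deactivate_noblock() pass back the flag word obtained from F_GETFL with O_NONBLOCK toggled, so the third argument is the descriptor's current flags rather than a constant; a mask-style match limited to O_NONBLOCK plus the access-mode bits would work where an exact match cannot. Drop the dead commented-out call, and regenerate the patch: the diffstat ("5 files changed, 45 insertions(+), 6 deletions(-)") does not describe the single 19-line hunk here.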
@@ -303,6 +303,14 @@ allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */ allow_nr(__NR_restart_syscall); allow_nr(__NR_close); + + /* + * Calls to alarm and date + * Seems to be some part of the logging + * wrt bnc#870122 + */ + allow_nr(__NR_alarm); + allow_nr(__NR_gettimeofday); /* Always need to be able to exit ! */ allow_nr(__NR_exit_group); ++++++ vsftpd-root-squashed-chroot.patch ++++++ --- parseconf.c | 1 + secutil.c | 6 ++++-- secutil.h | 2 ++ tunables.c | 2 ++ tunables.h | 1 + twoprocess.c | 6 ++++++ vsftpd.conf | 4 ++++ vsftpd.conf.5 | 7 +++++++ 8 files changed, 27 insertions(+), 2 deletions(-) Index: vsftpd-3.0.2/tunables.c =================================================================== --- vsftpd-3.0.2.orig/tunables.c +++ vsftpd-3.0.2/tunables.c @@ -88,6 +88,7 @@ int tunable_ftp_enable; int tunable_http_enable; int tunable_seccomp_sandbox; int tunable_allow_writeable_chroot; +int tunable_allow_root_squashed_chroot; unsigned int tunable_accept_timeout; unsigned int tunable_connect_timeout; @@ -228,6 +229,7 @@ tunables_load_defaults() tunable_http_enable = 0; tunable_seccomp_sandbox = 1; tunable_allow_writeable_chroot = 0; + tunable_allow_root_squashed_chroot = 0; tunable_accept_timeout = 60; tunable_connect_timeout = 60; Index: vsftpd-3.0.2/tunables.h =================================================================== --- vsftpd-3.0.2.orig/tunables.h +++ vsftpd-3.0.2/tunables.h @@ -89,6 +89,7 @@ extern int tunable_ftp_enable; extern int tunable_http_enable; /* Allow HTTP protocol */ extern int tunable_seccomp_sandbox; /* seccomp filter sandbox */ extern int tunable_allow_writeable_chroot; /* Allow misconfiguration */ +extern int tunable_allow_root_squashed_chroot;/* Allow chroot on squashed root nfs */ /* Integer/numeric defines */ extern unsigned int tunable_accept_timeout; Index: vsftpd-3.0.2/parseconf.c =================================================================== --- vsftpd-3.0.2.orig/parseconf.c +++ vsftpd-3.0.2/parseconf.c 
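Review bot: the comment "Seems to be some part of the logging" should name the call site that needed __NR_alarm and __NR_gettimeofday, so the next person touching the base whitelist knows why the two are unconditional rather than tied to a tunable. Worth recording alongside bnc#870122: on x86_64 gettimeofday is normally served by the vDSO and never reaches the filter, so if the bug was a SIGSYS on gettimeofday, the process was taking the real syscall path and the note should say under which conditions.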
@@ -107,6 +107,7 @@ parseconf_bool_array[] = { "http_enable", &tunable_http_enable }, { "seccomp_sandbox", &tunable_seccomp_sandbox }, { "allow_writeable_chroot", &tunable_allow_writeable_chroot }, + { "allow_root_squashed_chroot", &tunable_allow_root_squashed_chroot }, { 0, 0 } }; Index: vsftpd-3.0.2/twoprocess.c =================================================================== --- vsftpd-3.0.2.orig/twoprocess.c +++ vsftpd-3.0.2/twoprocess.c @@ -164,6 +164,9 @@ drop_all_privs(void) { str_alloc_text(&dir_str, tunable_secure_chroot_dir); } + if (tunable_allow_root_squashed_chroot) { + option |= VSF_SECUTIL_OPTION_CHANGE_EUID; + } /* Be kind: give good error message if the secure dir is missing */ { struct vsf_sysutil_statbuf* p_statbuf = 0; @@ -453,6 +456,9 @@ common_do_login(struct vsf_session* p_se { secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT; } + if (do_chroot && tunable_allow_root_squashed_chroot) { + secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID; + } calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str, p_user_str, p_orig_user_str); vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str, Index: vsftpd-3.0.2/vsftpd.conf.5 =================================================================== --- vsftpd-3.0.2.orig/vsftpd.conf.5 +++ vsftpd-3.0.2/vsftpd.conf.5 @@ -42,6 +42,13 @@ connections. Default: NO .TP +.B allow_root_squashed_chroot +If set to YES, chroot is called with non-root credentials. This enabled chroot +on squashed nfs. This option is applied only if chroot is performed, otherwise +ignored. + +Default: NO +.TP .B anon_mkdir_write_enable If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option Index: vsftpd-3.0.2/vsftpd.conf =================================================================== --- vsftpd-3.0.2.orig/vsftpd.conf +++ vsftpd-3.0.2/vsftpd.conf 
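Review bot: the two twoprocess.c hunks set VSF_SECUTIL_OPTION_CHANGE_EUID, but no hunk in this patch defines it: the diffstat lists secutil.c (6 ++++--) and secutil.h (2 ++), yet the body has no Index: entry for either, so the patch as shipped cannot compile. Those missing hunks also hold the security-relevant part: chroot(2) needs CAP_SYS_CHROOT and switching the effective uid to the user normally clears the effective capability set, so the review has to see how the capability is retained (or how seteuid/chroot/setuid are ordered) before this option is accepted. The drop_all_privs() hunk applies the option without a do_chroot check while common_do_login() checks it, which contradicts the man page text "applied only if chroot is performed"; make both consistent. In the vsftpd.conf.5 text "This enabled chroot" should read "This enables chroot", and the NFS export option is root_squash, not "squash_root" as the vsftpd.conf comment has it ("usefull" -> "useful" there as well).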
@@ -64,6 +64,10 @@ local_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd.chroot_list # +# Performs chroot with original (non-root) credentials. This is usefull on nfs with squash_root, +# where root becomes nobody and would need -x access. +#allow_root_squashed_chroot=YES +# +# The maximum data transfer rate permitted, in bytes per second, for +# local authenticated users. The default is 0 (unlimited). #local_max_rate=7200
++++++ vsftpd.firewall ++++++
## Name: vsftpd Server
## Description: Opens ports for vsftpd Server.
# space separated list of allowed TCP ports
TCP="ftp 30000:30100"
# space separated list of allowed UDP ports
UDP=""
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""
++++++ vsftpd.keyring ++++++
pub   1024D/3C0E751C 2004-06-29
uid                  Chris Evans <[email protected]>
sub   1024g/0A9EB17D 2004-06-29
++++++ vsftpd.logrotate ++++++
/var/log/vsftpd.log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+1024k
    notifempty
    missingok
    create 600 root root
    sharedscripts
    postrotate
        /sbin/killproc -HUP /usr/sbin/vsftpd
    endscript
}
++++++ vsftpd.pam ++++++
#%PAM-1.0
# Uncomment this to achieve what used to be ftpd -A.
# auth     required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail
auth     required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Uncomment the following line for anonymous ftp.
#auth    sufficient pam_ftp.so
auth     required pam_shells.so
auth     include common-auth
account  include common-account
password include common-password
session  required pam_loginuid.so
session  include common-session
++++++ vsftpd.service ++++++
[Unit]
Description=Vsftpd ftp daemon
After=network.target

[Service]
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf

[Install]
WantedBy=multi-user.target
++++++ vsftpd.socket ++++++
[Unit]
Conflicts=vsftpd.service

[Socket]
ListenStream=21
Accept=yes

[Install]
WantedBy=sockets.target
++++++ [email protected] ++++++
[Unit]
Description=Very Secure FTP Daemon

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf -obackground=NO -olisten=NO -olisten_ipv6=NO
StandardInput=socket
SuccessExitStatus=2
