Re: [oe] [meta-networking][PATCH v2] Upgrade vsftpd to 3.0.0

[Rongqing Li]

On 07/18/2013 09:17 PM, Joe MacDonald wrote:

[Re: [meta-networking][PATCH v2] Upgrade vsftpd to 3.0.0] On 13.07.18 (Thu 
16:22) Rongqing Li wrote:

On 07/18/2013 02:43 AM, Joe MacDonald wrote:

Hi Roy,

I merged this into my tree yesterday and on review it turns out I did
have a question for you (and for anyone else on the list with an
opinion) and a bit of feedback.

This adds (unconditional) support for tcp-wrappers and makes it a
requirement for the upgraded vsftp.  Is this something we could make
conditional based on tcp-wrappers being present?  Or does anyone think
this is something worth doing?  tcp-wrappers is coming from oe-core and
I don't have any systems where the new requirement would be a problem,
but does anyone else have a system they'd want vsftp without
tcp-wrappers?

A couple of other things below ...

[[meta-networking][PATCH v2] Upgrade vsftpd to 3.0.0] On 13.07.16 (Tue 20:51) 
rongqing...@windriver.com wrote:

From: "Roy.Li" <rongqing...@windriver.com>

Upgrade vsftpd to 3.0.0 with below modification:
1. more strict access limitation, like: do not allow anonymous access
2. use vsftpd.ftpusers and vsftpd.user_list to confine user access
3. enable pam if DISTRO_FEATURE includes pam
4. enable tcp-wrapper
5. install vsftpd.conf with 0600 permission, not 0755

Signed-off-by: Roy.Li <rongqing...@windriver.com>
---
  .../recipes-daemons/vsftpd/files/vsftpd.conf       |   43 +++++++++++++++++---
  .../recipes-daemons/vsftpd/files/vsftpd.ftpusers   |   15 +++++++
  .../recipes-daemons/vsftpd/files/vsftpd.user_list  |   20 +++++++++
  .../makefile-destdir.patch                         |    4 +-
  .../makefile-libs.patch                            |    2 +-
  .../makefile-strip.patch                           |    6 +--
  .../{vsftpd-2.3.5 => vsftpd-3.0.0}/nopam.patch     |    0
  .../vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch |   25 ++++++++++++
  .../vsftpd/{vsftpd_2.3.5.bb => vsftpd_3.0.0.bb}    |   36 +++++++++++++---
  9 files changed, 133 insertions(+), 18 deletions(-)
  mode change 100755 => 100644 
meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
  create mode 100644 
meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers
  create mode 100644 
meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list
  rename meta-networking/recipes-daemons/vsftpd/{vsftpd-2.3.5 => 
vsftpd-3.0.0}/makefile-destdir.patch (95%)
  rename meta-networking/recipes-daemons/vsftpd/{vsftpd-2.3.5 => 
vsftpd-3.0.0}/makefile-libs.patch (92%)
  rename meta-networking/recipes-daemons/vsftpd/{vsftpd-2.3.5 => 
vsftpd-3.0.0}/makefile-strip.patch (68%)
  rename meta-networking/recipes-daemons/vsftpd/{vsftpd-2.3.5 => 
vsftpd-3.0.0}/nopam.patch (100%)
  create mode 100644 
meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch
  rename meta-networking/recipes-daemons/vsftpd/{vsftpd_2.3.5.bb => 
vsftpd_3.0.0.bb} (48%)

diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf 
b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
old mode 100755
new mode 100644
index 08f91e0..bb19294
--- a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
@@ -12,17 +12,17 @@
  listen=YES

  # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
-anonymous_enable=YES
+anonymous_enable=NO
  #
  # Uncomment this to allow local users to log in.
-#local_enable=YES
+local_enable=YES
  #
  # Uncomment this to enable any form of FTP write command.
  write_enable=YES
  #
  # Default umask for local users is 077. You may wish to change this to 022,
  # if your users expect that (022 is used by most other ftpd's)
-#local_umask=022
+local_umask=022
  #
  # Uncomment this to allow the anonymous FTP user to upload files. This only
  # has an effect if the above global write enable is activated. Also, you will
@@ -54,7 +54,7 @@ connect_from_port_20=YES
  #xferlog_file=/var/log/vsftpd.log
  #
  # If you want, you can have your log file in standard ftpd xferlog format
-#xferlog_std_format=YES
+xferlog_std_format=YES
  #
  # You may change the default value for timing out an idle session.
  #idle_session_timeout=600
@@ -64,7 +64,7 @@ connect_from_port_20=YES
  #
  # It is recommended that you define on your system a unique user which the
  # ftp server can use as a totally isolated and unprivileged user.
-#nopriv_user=ftpsecure
+#nopriv_user=ftp
  #
  # Enable this and the server will recognise asynchronous ABOR requests. Not
  # recommended for security (the code is non-trivial). Not enabling it,
@@ -105,4 +105,35 @@ connect_from_port_20=YES
  # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
  # the presence of the "-R" option, so there is a strong case for enabling it.
  #ls_recurse_enable=YES
-
+#
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd

I haven't tried this, does it do the right thing when PAM is not present
on the system?  In particular, what's it do when nopam.patch is applied?
In that same vein:

Yes, it works well when no pam.

It only tells vsftpd should find which files to apply pam library.

like: /etc/pam.d/vsftpd

Okay, I'm mainly interested to know if it short-circuits anything in the
configuration that would cause the non-PAM scenario to no longer allow
anyone to log in when the above configuration says "no anonymous / local
users allowed".  Sounds like not, so that's cool.

ERROR: Command Error: exit status: 1  Output:
Applying patch nopam.patch
patching file builddefs.h
Hunk #1 FAILED at 2.
1 out of 1 hunk FAILED -- rejects in file builddefs.h
Patch nopam.patch does not apply (enforce with -f)
ERROR: Function failed: patch_do_patch
ERROR: Logfile of failure stored in: 
/home/jjm/yocto/yocto-build/tmp/work/core2-poky-linux/vsftpd/3.0.0-r0/temp/log.do_patch.26623
ERROR: Task 1 
(/home/jjm/yocto/meta-oe/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb,
 do_patch) failed with exit code '1'

I had to refresh nopam.patch.  Can you send an updated version with a
sign-off on it?

OK.

+#
+# This option is examined if userlist_enable is activated. If you set this
+# setting to NO, then users will be denied login  unless  they are  explicitly
+# listed  in the file specified by userlist_file.  When login is denied, the
+# denial is issued before the user is asked for a password.
+userlist_deny=YES
+#
+# If enabled, vsftpd will load a list of usernames, from the filename given by
+# userlist_file.  If a user tries to log in using  a  name in  this  file,  
they
+# will be denied before they are asked for a password. This may be useful in
+# preventing cleartext passwords being transmitted. See also userlist_deny.
+userlist_enable=YES

I've always disliked these options in vsftpd.  They are confusing and
lead to inconsistent configurations.  That said, the behaviour is
predictable right up until we factor in the (unused?) vsftp.ftpusers
file.  I think that was intended to be a whitelist and I think it's a
redhatism, but I really don't know.  Can you confirm (a) it's needed and
(b) it does something when we already have vsftp.user_list?  Or dump it

>from the commit?  I'd really rather not install both unless both are

absolutely necessary.  The configuration you have with userlist_deny=YES
is okay, though what's the behaviour of userlist_deny=NO, have an empty
file and allow PAM logins?  That seems to be the safest default
configuration here, since you also are disabling anonymous logins
(something I think is a good plan).

-J.

I think vsftpd.user_list has given a good comments.

It does.  We're not looking to address how vsftpd implemented a solution
that may or may not be simpler than hosts.allow/hosts.deny, I'm just
saying that I'd like to see the default configuration as straightforward
as possible.

+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list
@@ -0,0 +1,20 @@
+# vsftpd userlist
+# If userlist_deny=NO, only allow users in this file
+# If userlist_deny=YES (default), never allow users in this file, and
+# do not even prompt for a password.
+# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
+# for users that are denied.

They are not necessary, but I am keeping these configurations are same
as Fedora Core.

I've not logged into a FC machine in a very long time, but if the
comment above is to be taken at face value, then your install rule for
vsftpd.ftpusers is incorrect.  It installs the file into
/etc/vsftpd.ftpusers, not /etc/vsftpd/ftpusers.  I'd rather see ftpusers
not installed at all, or left empty, but I'll be okay with this approach
so long as the docs are accurate.

-J.

Ok, I will fix it.

-Roy

-Roy

+#
+# If enabled,  vsftpd  will display directory listings with the time in your
+# local time zone. The default is to display GMT. The times returned by the
+# MDTM FTP command are also affected by this option.
+use_localtime=YES
+#
+# If set to YES, local users will be (by default) placed in a chroot() jail in
+# their home directory after login.  Warning: This  option has  security
+# implications,  especially  if  the users have upload permission, or shell 
access.
+# Only enable if you know what you are doing.  Note that these security 
implications
+# are not vsftpd specific. They apply to all FTP daemons which offer to put
+# local  users in chroot() jails.
+chroot_local_user=YES
+#
+allow_writeable_chroot=YES
+#
+tcp_wrappers=YES
diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers 
b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers
new file mode 100644
index 0000000..096142f
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers
@@ -0,0 +1,15 @@
+# Users that are not allowed to login via ftp
+root
+bin
+daemon
+adm
+lp
+sync
+shutdown
+halt
+mail
+news
+uucp
+operator
+games
+nobody
diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list 
b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list
new file mode 100644
index 0000000..3e2760f
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list
@@ -0,0 +1,20 @@
+# vsftpd userlist
+# If userlist_deny=NO, only allow users in this file
+# If userlist_deny=YES (default), never allow users in this file, and
+# do not even prompt for a password.
+# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
+# for users that are denied.
+root
+bin
+daemon
+adm
+lp
+sync
+shutdown
+halt
+mail
+news
+uucp
+operator
+games
+nobody
diff --git 
a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch 
b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch
similarity index 95%
rename from 
meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch
rename to 
meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch
index ee37f26..1980d09 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch
@@ -7,8 +7,8 @@ Signed-off-by: Paul Eggleton <paul.eggle...@linux.intel.com>
  diff --git a/Makefile b/Makefile
  --- a/Makefile
  +++ b/Makefile
-@@ -24,21 +24,21 @@ vsftpd: $(OBJS)
-       $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) $(LDFLAGS)
+@@ -24,21 +24,21 @@
+       $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS)

   install:
  -     if [ -x /usr/local/sbin ]; then \
diff --git 
a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch 
b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch
similarity index 92%
rename from 
meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch
rename to 
meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch
index 6a419db..9a10f72 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch
@@ -10,7 +10,7 @@ Signed-off-by: Paul Eggleton <paul.eggle...@linux.intel.com>
  diff --git a/Makefile b/Makefile
  --- a/Makefile
  +++ b/Makefile
-@@ -5,7 +5,7 @@ IFLAGS  = -idirafter dummyinc
+@@ -5,7 +5,7 @@
   #CFLAGS = -g
   CFLAGS       =       -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion

diff --git 
a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch 
b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch
similarity index 68%
rename from 
meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch
rename to 
meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch
index a2e0cd0..fd31600 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch
@@ -7,11 +7,11 @@ Signed-off-by: Paul Eggleton <paul.eggle...@linux.intel.com>
  diff --git a/Makefile b/Makefile
  --- a/Makefile
  +++ b/Makefile
-@@ -6,7 +6,6 @@ IFLAGS  = -idirafter dummyinc
- CFLAGS        =       -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion
+@@ -9,7 +9,6 @@ CFLAGS =       -O2 -fPIE -fstack-protector 
--param=ssp-buffer-size=4 \
+       #-pedantic -Wconversion

   LIBS =       -lssl -lcrypto -lnsl -lresolv
  -LINK =       -Wl,-s
+ LDFLAGS       =       -fPIE -pie -Wl,-z,relro -Wl,-z,now

   OBJS =       main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
-               tunables.o ftpdataio.o secbuf.o ls.o \
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch 
b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch
similarity index 100%
rename from meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch
rename to meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch
diff --git 
a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch
 
b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch
new file mode 100644
index 0000000..69745b3
--- /dev/null
+++ 
b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch
@@ -0,0 +1,25 @@
+Enable tcp_wrapper.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Roy.Li <rongqing...@windriver.com>
+---
+ builddefs.h |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/builddefs.h b/builddefs.h
+index e908352..0106d1a 100644
+--- a/builddefs.h
++++ b/builddefs.h
+@@ -1,7 +1,7 @@
+ #ifndef VSF_BUILDDEFS_H
+ #define VSF_BUILDDEFS_H
+
+-#undef VSF_BUILD_TCPWRAPPERS
++#define VSF_BUILD_TCPWRAPPERS
+ #define VSF_BUILD_PAM
+ #undef VSF_BUILD_SSL
+
+--
+1.7.1
+
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb 
b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
similarity index 48%
rename from meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb
rename to meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
index f146910..0ea1359 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
@@ -4,18 +4,29 @@ SECTION = "network"
  LICENSE = "GPLv2"
  LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271"

-DEPENDS = "libcap openssl"
+DEPENDS = "libcap openssl tcp-wrappers"

  SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
             file://makefile-destdir.patch \
             file://makefile-libs.patch \
             file://makefile-strip.patch \
-           file://nopam.patch \
             file://init \
-           file://vsftpd.conf"
+           file://vsftpd.conf \
+           file://vsftpd-tcp_wrappers-support.patch \
+           file://vsftpd.user_list \
+           file://vsftpd.ftpusers \
+"

-SRC_URI[md5sum] = "01398a5bef8e85b6cf2c213a4b011eca"
-SRC_URI[sha256sum] = 
"d87ee2987df8f03e1dbe294905f7907b2798deb89c67ca965f6e2f60879e54f1"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271 \
+                        file://COPYRIGHT;md5=04251b2eb0f298dae376d92454f6f72e \
+                        file://LICENSE;md5=654df2042d44b8cac8a5654fc5be63eb"
+SRC_URI[md5sum] = "ad9fa952558c2c5b0426ccaccff0f972"
+SRC_URI[sha256sum] = 
"ef70205dcd0c7f03b008b9578fb44c0cbe31e66daab8cfafb9904747c17fc2a8"
+
+DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+RDEPENDS_${PN} += "${@base_contains('DISTRO_FEATURES', 'pam', 
'pam-plugin-listfile', '', d)}"
+SRC_URI += "${@base_contains('DISTRO_FEATURES', 'pam', '', 'file://nopam.patch', 
d)}"
+PAMLIB = "${@base_contains('DISTRO_FEATURES', 'pam', '-L${STAGING_BASELIBDIR} 
-lpam', '', d)}"

  inherit update-rc.d useradd

@@ -29,15 +40,28 @@ do_configure() {
      mv tunables.c.new tunables.c
  }

+do_compile() {
+   oe_runmake "LIBS=-L${STAGING_LIBDIR} -lcrypt -lcap ${PAMLIB} -lwrap"
+}
+
  do_install() {
      install -d ${D}${sbindir}
      install -d ${D}${mandir}/man8
      install -d ${D}${mandir}/man5
      oe_runmake 'DESTDIR=${D}' install
      install -d ${D}${sysconfdir}
-    install -m 0755 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf
+    install -m 600 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf
      install -d ${D}${sysconfdir}/init.d/
      install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/vsftpd
+
+    install -m 600 ${WORKDIR}/vsftpd.ftpusers ${D}${sysconfdir}/
+    install -m 600 ${WORKDIR}/vsftpd.user_list ${D}${sysconfdir}/
+    if ! test -z ${PAMLIB} ; then
+        install -d ${D}${sysconfdir}/pam.d/
+        cp ${S}/RedHat/vsftpd.pam ${D}${sysconfdir}/pam.d/vsftpd
+        sed -i "s:/lib/security:${base_libdir}/security:" 
${D}${sysconfdir}/pam.d/vsftpd
+        sed -i "s:ftpusers:vsftpd.ftpusers:" ${D}${sysconfdir}/pam.d/vsftpd
+    fi
  }

  INITSCRIPT_PACKAGES = "${PN}"

--
Best Reagrds,
Roy | RongQing Li
_______________________________________________
Openembedded-devel mailing list
Openembedded-devel@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-devel