Hello community,

here is the log from the commit of package uftpd for openSUSE:Factory checked in at 2019-03-04 09:24:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/uftpd (Old)
 and      /work/SRC/openSUSE:Factory/.uftpd.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "uftpd" Mon Mar 4 09:24:10 2019 rev:4 rq:681113 version:2.7 Changes: -------- --- /work/SRC/openSUSE:Factory/uftpd/uftpd.changes 2018-07-31 15:59:14.079529655 +0200 +++ /work/SRC/openSUSE:Factory/.uftpd.new.28833/uftpd.changes 2019-03-04 09:24:43.176554076 +0100 @@ -1,0 +2,10 @@ +Sun Mar 3 16:50:58 UTC 2019 - Martin Hauke <mar...@gmx.de> + +- Update to version 2.7 + Changes + * Documentation updates, commands added in v2.5 and writable opt + * Require libuEv v2.2, or later + Fixes + * Issues with relative FTP root when running unpriviliged + +------------------------------------------------------------------- Old: ---- uftpd-2.6.tar.gz New: ---- uftpd-2.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ uftpd.spec ++++++ --- /var/tmp/diff_new_pack.Aj6LIA/_old 2019-03-04 09:24:43.776553968 +0100 +++ /var/tmp/diff_new_pack.Aj6LIA/_new 2019-03-04 09:24:43.780553967 +0100 @@ -1,7 +1,7 @@ # # spec file for package uftpd # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2018, Martin Hauke <mar...@gmx.de> # # All modifications and additions to the file contributed by third parties @@ -13,12 +13,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: uftpd -Version: 2.6 +Version: 2.7 Release: 0 Summary: A combined TFTP/FTP server License: ISC 
@@ -30,7 +30,7 @@ BuildRequires: automake BuildRequires: pkgconfig BuildRequires: pkgconfig(libite) -BuildRequires: pkgconfig(libuev) +BuildRequires: pkgconfig(libuev) >= 2.2.0 Conflicts: tftp Conflicts: atftp Provides: tftp(server) ++++++ uftpd-2.6.tar.gz -> uftpd-2.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/.travis.yml new/uftpd-2.7/.travis.yml --- old/uftpd-2.6/.travis.yml 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/.travis.yml 2019-03-03 15:52:00.000000000 +0100 @@ -34,11 +34,11 @@ branch_pattern: dev install: - - wget https://github.com/troglobit/libuev/releases/download/v2.1.0/libuev-2.1.0.tar.xz + - wget https://github.com/troglobit/libuev/releases/download/v2.2.0/libuev-2.2.0.tar.xz - wget https://github.com/troglobit/libite/releases/download/v1.5.0/libite-1.5.0.tar.xz - - tar xf libuev-2.1.0.tar.xz + - tar xf libuev-2.2.0.tar.xz - tar xf libite-1.5.0.tar.xz - - (cd libuev-2.1.0 && ./configure --prefix=/tmp && make && make install-strip) + - (cd libuev-2.2.0 && ./configure --prefix=/tmp && make && make install-strip) - (cd libite-1.5.0 && ./configure --prefix=/tmp && make && make install-strip) script: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/ChangeLog.md new/uftpd-2.7/ChangeLog.md --- old/uftpd-2.6/ChangeLog.md 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/ChangeLog.md 2019-03-03 15:52:00.000000000 +0100 @@ -3,8 +3,20 @@ All notable changes to the project are documented in this file. -[v2.6][UNRELEASED] ------------------- + +[v2.7][] - 2019-03-03 +--------------------- + +### Changes +- Documentation updates, commands added in v2.5 and `writable` opt +- Require libuEv v2.2, or later + +### Fixes +- Issue #17: Issues with relative FTP root when running unpriviliged + + +[v2.6][] - 2018-07-03 +--------------------- Bug fix release. 
@@ -380,8 +392,10 @@ Lines must end in the old `\r\n` format, rather than UNIX `\n`. -[UNRELEASED]: https://github.com/troglobit/uftpd/compare/v2.5...HEAD -[v2.5]: https://github.com/troglobit/uftpd/compare/v2.5...v2.5 +[UNRELEASED]: https://github.com/troglobit/uftpd/compare/v2.7...HEAD +[v2.7]: https://github.com/troglobit/uftpd/compare/v2.6...v2.7 +[v2.6]: https://github.com/troglobit/uftpd/compare/v2.5...v2.6 +[v2.5]: https://github.com/troglobit/uftpd/compare/v2.4...v2.5 [v2.4]: https://github.com/troglobit/uftpd/compare/v2.3...v2.4 [v2.3]: https://github.com/troglobit/uftpd/compare/v2.2...v2.3 [v2.2]: https://github.com/troglobit/uftpd/compare/v2.1...v2.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/LICENSE new/uftpd-2.7/LICENSE --- old/uftpd-2.6/LICENSE 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/LICENSE 2019-03-03 15:52:00.000000000 +0100 @@ -1,4 +1,4 @@ -Copyright (C) 2014-2018 Joachim Nilsson <troglo...@gmail.com> +Copyright (C) 2014-2019 Joachim Nilsson <troglo...@gmail.com> Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/README.md new/uftpd-2.7/README.md --- old/uftpd-2.6/README.md 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/README.md 2019-03-03 15:52:00.000000000 +0100 
@@ -18,31 +18,11 @@ * Possible to have group writable FTP home directory -Caveat ------- - -uftpd is primarily not targetted at secure installations, it is targeted -at home users and developers in need of a simple FTP/TFTP server. uftpd -allows symlinks to outside the FTP home, as well as a group writable FTP -home directory — user-friendly features that potentially can cause -security breaches, but also very useful for people who just want their -FTP server to work. - -*Seriously*, we do not advise you to ignore any security aspect of your -installation. If security is a concern for you, consider using another -FTP/TFTP server! - -That being said, a lot of care has been taken to lock down and secure -uftpd by default. So, if you refrain from symlinking stuff from your -home directory and take care to set up strict permissions, then uftpd is -likely as secure as any other FTP/TFTP server. - - Usage ----- ``` -uftpd [-hnsv] [-l LEVEL] [-o ftp=PORT,tftp=PORT] [PATH] +uftpd [-hnsv] [-l LEVEL] [-o ftp=PORT,tftp=PORT,writable] [PATH] -h Show this help text -l LEVEL Set log level: none, err, info, notice (default), debug @@ -72,12 +52,17 @@ sudo setcap cap_net_bind_service+ep uftpd -To change port on either FTP or TFTP, use +To change port on either FTP or TFTP, use: uftpd -o ftp=PORT,tftp=PORT Set `PORT` to zero (0) to disable either service. +By default, uftpd will exit if it detects the FTP root is writable. To +allow writable FTP root: + + uftpd -o writable PATH + Running from inetd ------------------ 
@@ -100,6 +85,19 @@ inetd tftp/udp wait /usr/sbin/in.tfptd -- The uftpd TFTP server +Caveat +------ + +uftpd is primarily not targetted at secure installations, it is targeted +at users in need of a *simple* FTP/TFTP server. + +uftpd allows symlinks outside the FTP root, as well as a group writable +FTP home directory — user-friendly features that potentially can +cause security breaches, but also very useful for people who just want +their FTP server to work. A lot of care has been taken, however, to +lock down and secure uftpd by default. + + Build & Install --------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/configure.ac new/uftpd-2.7/configure.ac --- old/uftpd-2.6/configure.ac 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/configure.ac 2019-03-03 15:52:00.000000000 +0100 @@ -1,4 +1,4 @@ -AC_INIT([uftpd], [2.6], [https://github.com/troglobit/uftpd/issues]) +AC_INIT([uftpd], [2.7], [https://github.com/troglobit/uftpd/issues],, [http://troglobit.com/uftpd.html]) AM_INIT_AUTOMAKE([1.11 foreign no-dist-gzip dist-xz]) AM_SILENT_RULES([yes]) @@ -21,7 +21,7 @@ AC_TYPE_UINT32_T # Check for required libraries -PKG_CHECK_MODULES([uev], [libuev >= 2.1.0]) +PKG_CHECK_MODULES([uev], [libuev >= 2.2.0]) PKG_CHECK_MODULES([lite], [libite >= 1.5.0]) AC_OUTPUT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/debian/changelog new/uftpd-2.7/debian/changelog --- old/uftpd-2.6/debian/changelog 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/debian/changelog 2019-03-03 15:52:00.000000000 +0100 
@@ -1,3 +1,10 @@ +uftpd (2.7) unstable; urgency=medium + + * Bug fix release + * Fix running uftpd as unpriviliged user using a relative FTP root + + -- Joachim Nilsson <troglo...@gmail.com> Sun, 03 Mar 2019 11:39:03 +0100 + uftpd (2.6) unstable; urgency=medium * Bug fix release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/debian/copyright new/uftpd-2.7/debian/copyright --- old/uftpd-2.6/debian/copyright 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/debian/copyright 2019-03-03 15:52:00.000000000 +0100 @@ -1,5 +1,5 @@ -Copyright: (c) 2014-2018 Joachim Nilsson <troglo...@gmail.com> +Copyright: (c) 2014-2019 Joachim Nilsson <troglo...@gmail.com> License: ISC Permission to use, copy, modify, and/or distribute this software for any diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/man/uftpd.8 new/uftpd-2.7/man/uftpd.8 --- old/uftpd-2.6/man/uftpd.8 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/man/uftpd.8 2019-03-03 15:52:00.000000000 +0100 @@ -1,5 +1,5 @@ .\" -.\" Copyright (c) 2014-2018 Joachim Nilsson <troglo...@gmail.com> +.\" Copyright (c) 2014-2019 Joachim Nilsson <troglo...@gmail.com> .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,9 +13,9 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd Sep 03, 2017 +.Dd Mar 03, 2019 .Dt UFTPD 8 -.Os "uftpd (2.4)" +.Os "uftpd (2.7)" .Sh NAME .Nm uftpd .Nd @@ -24,7 +24,7 @@ .Nm .Op Fl hnsv .Op Fl l Ar LVL -.Op Fl o Ar ftp=PORT,tftp=PORT +.Op Fl o Ar ftp=PORT,tftp=PORT,writable .Op Ar PATH .Sh DESCRIPTION .Nm @@ -59,7 +59,7 @@ .It Fl o Set .Nm -option: +option, seprate multiple options with comma: .Bl -tag .It Ar ftp=PORT .It Ar tftp=PORT 
@@ -74,8 +74,8 @@ .Pp The .Ar writable -option is to enable writable FTP root, which is not recommended. Some -people want this, but it is recommended to instead rely on a writable +option enables writable FTP root, which is not recommended. Some people +want this, but it is recommended to instead rely on a writable sub-directory, like .Ar upload/ , or similar. @@ -85,7 +85,10 @@ .It Fl v Show program version .It Ar PATH -Root directory. The default is to serve files from the FTP user's $HOME +Root directory. The default is to serve files from the FTP user's $HOME. +When started as root +.Nm +will chroot to this directory as a security measure. .El .Pp .Sh Inetd @@ -131,13 +134,18 @@ .It ABOR Ta "abort current transfer" .It CDUP Ta "shorthand for CD .. command" .It CWD Ta "change working directory" +.It CLNT Ta "accepted and ignored by server" .It DELE Ta "delete a file" +.It EPRT Ta "RFC 2428, extended PORT command" .It EPSV Ta "extended PASV command, used by VLC for Android" +.It FEAT Ta "list supported features" +.It HELP Ta "show help text" .It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA" -.It NLST Ta "like LIST, but much less verbose" +.It MDTM Ta "RFC 3659, return the last-modified time of a file" .It MLST Ta "RFC 3659 extension to LIST" .It MLSD Ta "RFC 3659 extension to LIST" .It MKD Ta "make a directory" +.It NLST Ta "like LIST, but much less verbose" .It NOOP Ta "do nothing, used for keep-alive" .It PASS Ta "specify password" .It PASV Ta "prepare for server-to-server transfer" 
@@ -172,8 +180,9 @@ .El .Pp .Nm -supports TFTP blocksize negotiation, according to RFC2348. -Support for WRQ is not yet implemented, patches welcome! +supports TFTP blocksize negotiation, according to RFC2348, so full sized +Ethernet frames can be used, which greatly speeds up transfers. Support +for WRQ is not yet implemented, patches welcome! .Pp .Sh FILES .Bl -tag -width /etc/ftpwelcome -compact diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/src/common.c new/uftpd-2.7/src/common.c --- old/uftpd-2.6/src/common.c 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/src/common.c 2019-03-03 15:52:00.000000000 +0100 @@ -1,6 +1,6 @@ /* Common methods shared between FTP and TFTP engines * - * Copyright (c) 2014-2018 Joachim Nilsson <troglo...@gmail.com> + * Copyright (c) 2014-2019 Joachim Nilsson <troglo...@gmail.com> * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/src/ftpcmd.c new/uftpd-2.7/src/ftpcmd.c --- old/uftpd-2.6/src/ftpcmd.c 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/src/ftpcmd.c 2019-03-03 15:52:00.000000000 +0100 @@ -1,6 +1,6 @@ /* FTP engine * - * Copyright (c) 2014-2018 Joachim Nilsson <troglo...@gmail.com> + * Copyright (c) 2014-2019 Joachim Nilsson <troglo...@gmail.com> * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/src/log.c new/uftpd-2.7/src/log.c --- old/uftpd-2.6/src/log.c 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/src/log.c 2019-03-03 15:52:00.000000000 +0100 
@@ -1,6 +1,6 @@ /* uftpd -- the no nonsense (T)FTP server * - * Copyright (c) 2014-2018 Joachim Nilsson <troglo...@gmail.com> + * Copyright (c) 2014-2019 Joachim Nilsson <troglo...@gmail.com> * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/src/tftpcmd.c new/uftpd-2.7/src/tftpcmd.c --- old/uftpd-2.6/src/tftpcmd.c 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/src/tftpcmd.c 2019-03-03 15:52:00.000000000 +0100 @@ -1,6 +1,6 @@ /* TFTP Engine * - * Copyright (c) 2014-2018 Joachim Nilsson <troglo...@gmail.com> + * Copyright (c) 2014-2019 Joachim Nilsson <troglo...@gmail.com> * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/src/uftpd.c new/uftpd-2.7/src/uftpd.c --- old/uftpd-2.6/src/uftpd.c 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/src/uftpd.c 2019-03-03 15:52:00.000000000 +0100 @@ -1,6 +1,6 @@ /* uftpd -- the no nonsense (T)FTP server * - * Copyright (c) 2014-2018 Joachim Nilsson <troglo...@gmail.com> + * Copyright (c) 2014-2019 Joachim Nilsson <troglo...@gmail.com> * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -52,7 +52,7 @@ if (is_inetd) printf("\nUsage: %s [-hv] [-l LEVEL] [PATH]\n\n", prognm); else - printf("\nUsage: %s [-hnsv] [-l LEVEL] [-o ftp=PORT,tftp=PORT] [PATH]\n\n", prognm); + printf("\nUsage: %s [-hnsv] [-l LEVEL] [-o ftp=PORT,tftp=PORT,writable] [PATH]\n\n", prognm); printf(" -h Show this help text\n" " -l LEVEL Set log level: none, err, info, notice (default), debug\n"); 
@@ -66,7 +66,10 @@ printf(" -v Show program version\n\n"); printf("The optional 'PATH' defaults to the $HOME of the /etc/passwd user 'ftp'\n" - "Bug report address: %-40s\n\n", PACKAGE_BUGREPORT); + "Bug report address: %-40s\n", PACKAGE_BUGREPORT); +#ifdef PACKAGE_URL + printf("Project homepage: %s\n", PACKAGE_URL); +#endif return code; } @@ -147,7 +150,7 @@ return 1; } - if (!do_insecure && access(home, W_OK)) { + if (!do_insecure && !access(home, W_OK)) { ERR(0, "FTP root %s writable, possible security violation!", home); return 1; } @@ -354,17 +357,11 @@ } if (optind < argc) { - size_t len; - - home = strdup(argv[optind]); + home = realpath(argv[optind], NULL); if (!home) { - ERR(errno, "Failed allocating memory"); + ERR(errno, "Invalid FTP root"); return 1; } - - len = strlen(home) - 1; - if (home[len] == '/') - home[len] = 0; } /* Inetd mode enforces foreground and syslog */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uftpd-2.6/src/uftpd.h new/uftpd-2.7/src/uftpd.h --- old/uftpd-2.6/src/uftpd.h 2018-07-03 17:32:03.000000000 +0200 +++ new/uftpd-2.7/src/uftpd.h 2019-03-03 15:52:00.000000000 +0100 @@ -1,6 +1,6 @@ /* uftpd -- the no nonsense (T)FTP server * - * Copyright (c) 2014-2018 Joachim Nilsson <troglo...@gmail.com> + * Copyright (c) 2014-2019 Joachim Nilsson <troglo...@gmail.com> * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above
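
Review bot: in the .travis.yml install hunk, libuev-2.2.0.tar.xz is fetched with wget and then goes straight to tar xf and ./configure && make with no integrity check in between, so the CI build trusts whatever the release URL serves at that moment. Record the expected SHA-256 of each tarball in the repository and add a sha256sum -c step between the download and the unpack, for libite-1.5.0.tar.xz as well, so a replaced release asset fails the build instead of being compiled and installed.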
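
Review bot: the v2.7 "Fixes" list in the ChangeLog.md hunk names only issue #17, but the same release also inverts the writable-root test in src/uftpd.c (access(home, W_OK) becomes !access(home, W_OK)). That change is user-visible: a setup with a writable FTP root that started under 2.6 will now exit unless -o writable is passed. Add a Fixes entry for it, mirror it in uftpd.changes and debian/changelog, and correct "unpriviliged" to "unprivileged" in the new entries.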
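
Review bot: the relocated Caveat section in the README.md hunk drops the only actionable guidance the old text had, namely to refrain from symlinking out of the FTP home and to set up strict permissions, and keeps just the statement that symlinks outside the FTP root and a group writable home "potentially can cause security breaches". Keep one sentence telling the operator what to do about those two features, and point to the new -o writable paragraph from the Caveat so the default refusal of a writable root is mentioned where the risks are listed. The added line also carries over the misspelling "targetted".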
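
Review bot: typo in the added line of the man/uftpd.8 hunk at -59,7: "option, seprate multiple options with comma:" should read "option, separate multiple options with a comma:".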
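
Review bot: the PATH description added in the man/uftpd.8 hunk at -85,7 documents only the root case ("When started as root ... will chroot to this directory as a security measure") and says nothing about the unprivileged case, which is the one this release fixes. State explicitly that no chroot takes place when uftpd is started as a regular user, and what, if anything, confines clients to PATH in that mode, so operators relying on setcap or an unprivileged start know what protection they actually have.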
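
Review bot: in the src/uftpd.c hunk at -147,7 the corrected test "if (!do_insecure && !access(home, W_OK))" now has the right polarity, but access() evaluates permissions for the real UID and GID of the calling process, not for the user the FTP sessions will run as. If this check runs before privileges are dropped, a daemon started as root will see W_OK succeed on almost any directory and refuse to start without -o writable, while a daemon started unprivileged only learns whether its own launcher can write. Consider using stat() on home and checking the mode bits and ownership against the ftp user, or performing the check after the privilege drop, and add a comment saying whose write access is being tested.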
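
Review bot: in the src/uftpd.c hunk at -354,17 the new failure path logs ERR(errno, "Invalid FTP root") without the argument that failed, although realpath() can fail for several reasons (path missing, a component not searchable, a symlink loop) and the sibling message "FTP root %s writable, possible security violation!" does include the path. Pass argv[optind] into the message so the operator can see which path was rejected. Also note in a comment that realpath() resolves symlinks, so home will from here on be the link target rather than the path the operator typed, which affects what the writable-root check and the chroot act on.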