From f89d930201725d0427b0c1e881cff929c5a8ef7e Mon Sep 17 00:00:00 2001 From: Andreas Oberritter Date: Mon, 20 Feb 2012 18:29:41 +0000 Subject: [PATCH] vsftpd: add new package MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hello Eric, On 20.02.2012 14:51, Eric BĂ©nard wrote: > - imported 2.0.5 from oe-classic > - upgrade to 2.3.5 which is latest stable > - tested on ARMv5 with Angstrom I created a recipe for vsftpd, too. Here's my version for your reference. All patches were taken from the Debian or Ubuntu package. It differs from your recipe in these ways: - uses openssl - uses pam if available - uses xinetd - allows to set custom default configuration options in bbappends - only build-tested with OE-core, no runtime tests so far. Regards, Andreas Signed-off-by: Koen Kooi --- vsftpd/01-builddefs.patch | 18 ++++++ vsftpd/02-config.patch | 120 ++++++++++++++++++++++++++++++++++++ vsftpd/03-db-doc.patch | 19 ++++++ vsftpd/04-link-local.patch | 91 +++++++++++++++++++++++++++ vsftpd/05-whitespaces.patch | 81 ++++++++++++++++++++++++ vsftpd/06-greedy.patch | 32 ++++++++++ vsftpd/07-utf8.patch | 58 +++++++++++++++++ vsftpd/08-manpage.patch | 23 +++++++ vsftpd/09-s390.patch | 15 +++++ vsftpd/10-remote-dos.patch | 69 +++++++++++++++++++++ vsftpd/vsftpd.conf | 105 +++++++++++++++++++++++++++++++ vsftpd/vsftpd.xinetd.in | 7 +++ vsftpd_2.3.5.bb | 95 ++++++++++++++++++++++++++++ 13 files changed, 733 insertions(+) create mode 100644 vsftpd/01-builddefs.patch create mode 100644 vsftpd/02-config.patch create mode 100644 vsftpd/03-db-doc.patch create mode 100644 vsftpd/04-link-local.patch create mode 100644 vsftpd/05-whitespaces.patch create mode 100644 vsftpd/06-greedy.patch create mode 100644 vsftpd/07-utf8.patch create mode 100644 vsftpd/08-manpage.patch create mode 100644 vsftpd/09-s390.patch create mode 100644 vsftpd/10-remote-dos.patch create mode 100644 vsftpd/vsftpd.conf create mode 100644 vsftpd/vsftpd.xinetd.in create mode 100644 vsftpd_2.3.5.bb diff --git a/vsftpd/01-builddefs.patch b/vsftpd/01-builddefs.patch new file mode 100644 index 0000000000..a757d990bf --- /dev/null +++ b/vsftpd/01-builddefs.patch @@ -0,0 +1,18 @@ +Author: Daniel Jacobowitz +Description: Build with tcpwrapper and SSL support. + +diff -Naurp vsftpd.orig/builddefs.h vsftpd/builddefs.h +--- vsftpd.orig/builddefs.h 2009-01-31 00:02:36.000000000 +0000 ++++ vsftpd/builddefs.h 2009-01-31 00:26:34.000000000 +0000 +@@ -1,9 +1,9 @@ + #ifndef VSF_BUILDDEFS_H + #define VSF_BUILDDEFS_H + +-#undef VSF_BUILD_TCPWRAPPERS ++#define VSF_BUILD_TCPWRAPPERS 1 + #define VSF_BUILD_PAM +-#undef VSF_BUILD_SSL ++#define VSF_BUILD_SSL + + #endif /* VSF_BUILDDEFS_H */ + diff --git a/vsftpd/02-config.patch b/vsftpd/02-config.patch new file mode 100644 index 0000000000..6d7965d02f --- /dev/null +++ b/vsftpd/02-config.patch @@ -0,0 +1,120 @@ +Author: Daniel Jacobowitz +Description: Set default configuration. + +diff -Naurp vsftpd.orig/tunables.c vsftpd/tunables.c +--- vsftpd.orig/tunables.c 2009-07-15 22:08:27.000000000 +0200 ++++ vsftpd/tunables.c 2009-11-06 13:33:34.000000000 +0100 +@@ -246,7 +246,7 @@ tunables_load_defaults() + /* -rw------- */ + tunable_chown_upload_mode = 0600; + +- install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir); ++ install_str_setting("/var/run/vsftpd/empty", &tunable_secure_chroot_dir); + install_str_setting("ftp", &tunable_ftp_username); + install_str_setting("root", &tunable_chown_username); + install_str_setting("/var/log/xferlog", &tunable_xferlog_file); +@@ -256,7 +256,7 @@ tunables_load_defaults() + install_str_setting(0, &tunable_ftpd_banner); + install_str_setting("/etc/vsftpd.banned_emails", &tunable_banned_email_file); + install_str_setting("/etc/vsftpd.chroot_list", &tunable_chroot_list_file); +- install_str_setting("ftp", &tunable_pam_service_name); ++ install_str_setting("vsftpd", &tunable_pam_service_name); + install_str_setting("ftp", &tunable_guest_username); + install_str_setting("/etc/vsftpd.user_list", &tunable_userlist_file); + install_str_setting(0, &tunable_anon_root); +diff -Naurp vsftpd.orig/vsftpd.conf vsftpd/vsftpd.conf +--- vsftpd.orig/vsftpd.conf 2009-11-06 08:41:11.000000000 +0100 ++++ vsftpd/vsftpd.conf 2009-11-06 13:35:37.000000000 +0100 +@@ -8,6 +8,17 @@ + # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's + # capabilities. + # ++# ++# Run standalone? vsftpd can run either from an inetd or as a standalone ++# daemon started from an initscript. ++listen=YES ++# ++# Run standalone with IPv6? ++# Like the listen parameter, except vsftpd will listen on an IPv6 socket ++# instead of an IPv4 one. This parameter and the listen parameter are mutually ++# exclusive. ++#listen_ipv6=YES ++# + # Allow anonymous FTP? (Beware - allowed by default if you comment this out). + anonymous_enable=YES + # +@@ -34,6 +45,12 @@ anonymous_enable=YES + # go into a certain directory. + dirmessage_enable=YES + # ++# If enabled, vsftpd will display directory listings with the time ++# in your local time zone. The default is to display GMT. The ++# times returned by the MDTM FTP command are also affected by this ++# option. ++use_localtime=YES ++# + # Activate logging of uploads/downloads. + xferlog_enable=YES + # +@@ -89,6 +106,11 @@ connect_from_port_20=YES + # (default follows) + #banned_email_file=/etc/vsftpd.banned_emails + # ++# You may restrict local users to their home directories. See the FAQ for ++# the possible risks in this before using chroot_local_user or ++# chroot_list_enable below. ++#chroot_local_user=YES ++# + # You may specify an explicit list of local users to chroot() to their home + # directory. If chroot_local_user is YES, then this list becomes a list of + # users to NOT chroot(). +@@ -103,12 +125,20 @@ connect_from_port_20=YES + # the presence of the "-R" option, so there is a strong case for enabling it. + #ls_recurse_enable=YES + # +-# When "listen" directive is enabled, vsftpd runs in standalone mode and +-# listens on IPv4 sockets. This directive cannot be used in conjunction +-# with the listen_ipv6 directive. +-listen=YES ++# Customization + # +-# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 +-# sockets, you must run two copies of vsftpd with two configuration files. +-# Make sure, that one of the listen options is commented !! +-#listen_ipv6=YES ++# Some of vsftpd's settings don't fit the filesystem layout by ++# default. ++# ++# This option should be the name of a directory which is empty. Also, the ++# directory should not be writable by the ftp user. This directory is used ++# as a secure chroot() jail at times vsftpd does not require filesystem ++# access. ++secure_chroot_dir=/var/run/vsftpd/empty ++# ++# This string is the name of the PAM service vsftpd will use. ++pam_service_name=vsftpd ++# ++# This option specifies the location of the RSA certificate to use for SSL ++# encrypted connections. ++rsa_cert_file=/etc/ssl/private/vsftpd.pem +diff -Naurp vsftpd.orig/vsftpd.conf.5 vsftpd/vsftpd.conf.5 +--- vsftpd.orig/vsftpd.conf.5 2009-11-06 08:41:11.000000000 +0100 ++++ vsftpd/vsftpd.conf.5 2009-11-06 13:37:10.000000000 +0100 +@@ -940,7 +940,7 @@ Default: nobody + .B pam_service_name + This string is the name of the PAM service vsftpd will use. + +-Default: ftp ++Default: vsftpd + .TP + .B pasv_address + Use this option to override the IP address that vsftpd will advertise in +@@ -969,7 +969,7 @@ This option should be the name of a dire + directory should not be writable by the ftp user. This directory is used + as a secure chroot() jail at times vsftpd does not require filesystem access. + +-Default: /usr/share/empty ++Default: /var/run/vsftpd/empty + .TP + .B ssl_ciphers + This option can be used to select which SSL ciphers vsftpd will allow for diff --git a/vsftpd/03-db-doc.patch b/vsftpd/03-db-doc.patch new file mode 100644 index 0000000000..d544ef0c1a --- /dev/null +++ b/vsftpd/03-db-doc.patch @@ -0,0 +1,19 @@ +Author: shaul Karl +Description: + A short explanation how to find out the right db version (Closes: #478282). + +diff -Naurp vsftpd.orig/EXAMPLE/VIRTUAL_USERS/README vsftpd/EXAMPLE/VIRTUAL_USERS/README +--- vsftpd.orig/EXAMPLE/VIRTUAL_USERS/README 2009-01-31 00:02:36.000000000 +0000 ++++ vsftpd/EXAMPLE/VIRTUAL_USERS/README 2009-01-31 01:38:11.000000000 +0000 +@@ -21,7 +21,10 @@ NOTE: Many systems have multiple version + need to use e.g. db3_load for correct operation. This is known to affect + some Debian systems. The core issue is that pam_userdb expects its login + database to be a specific db version (often db3, whereas db4 may be installed +-on your system). ++on your system). You might check ahead what specific db version you'll need ++by looking at the dependcies of the pam module. Some methods to do that is to ++run ldd on the pam_userdb.so or look at the dependencies of the package with ++the pam modules. + + This will create /etc/vsftpd_login.db. Obviously, you may want to make sure + the permissions are restricted: diff --git a/vsftpd/04-link-local.patch b/vsftpd/04-link-local.patch new file mode 100644 index 0000000000..53b3735610 --- /dev/null +++ b/vsftpd/04-link-local.patch @@ -0,0 +1,91 @@ +Author: Michael Stapelberg +Description: + vsftpd does not accept IPv6 scope identifier in listen_address6 + (Closes: #544993). + . + When specifying a link-local address, you need a scope identifier (tha name of + the index usually), thus you cannot use the following: + listen_address6=fe80::21f:16ff:fe06:3aab + but you have to use: + listen_address6=fe80::21f:16ff:fe06:3aab%eth0 + so that it is clear on which interface this link-local address should be used. + . + Unfortunately, vsftpd does not correctly parse the address mentioned above and + thus fails to be useful in link-local-only environments. + . + This patch fixes it. + +diff -Naurp vsftpd.orig/standalone.c vsftpd/standalone.c +--- vsftpd.orig/standalone.c 2009-10-02 14:15:18.000000000 +0200 ++++ vsftpd/standalone.c 2009-10-17 17:10:02.000000000 +0200 +@@ -7,6 +7,8 @@ + * Code to listen on the network and launch children servants. + */ + ++#include ++ + #include "standalone.h" + + #include "parseconf.h" +@@ -111,8 +113,17 @@ vsf_standalone_main(void) + else + { + struct mystr addr_str = INIT_MYSTR; ++ struct mystr scope_id = INIT_MYSTR; + const unsigned char* p_raw_addr; ++ unsigned int if_index = 0; ++ ++ /* See if we got a scope id */ + str_alloc_text(&addr_str, tunable_listen_address6); ++ str_split_char(&addr_str, &scope_id, '%'); ++ if (str_getlen(&scope_id) > 0) { ++ if_index = if_nametoindex(str_getbuf(&scope_id)); ++ str_free(&scope_id); ++ } + p_raw_addr = vsf_sysutil_parse_ipv6(&addr_str); + str_free(&addr_str); + if (!p_raw_addr) +@@ -120,6 +131,7 @@ vsf_standalone_main(void) + die2("bad listen_address6: ", tunable_listen_address6); + } + vsf_sysutil_sockaddr_set_ipv6addr(p_sockaddr, p_raw_addr); ++ vsf_sysutil_sockaddr_set_ipv6scope(p_sockaddr, if_index); + } + retval = vsf_sysutil_bind(listen_sock, p_sockaddr); + vsf_sysutil_free(p_sockaddr); +diff -Naurp vsftpd.orig/sysutil.c vsftpd/sysutil.c +--- vsftpd.orig/sysutil.c 2009-10-02 14:15:18.000000000 +0200 ++++ vsftpd/sysutil.c 2009-10-17 17:10:02.000000000 +0200 +@@ -2039,6 +2039,19 @@ vsf_sysutil_sockaddr_set_ipv6addr(struct + } + } + ++int ++vsf_sysutil_sockaddr_get_ipv6scope(struct vsf_sysutil_sockaddr* p_sockptr) ++{ ++ return p_sockptr->u.u_sockaddr_in6.sin6_scope_id; ++} ++ ++void ++vsf_sysutil_sockaddr_set_ipv6scope(struct vsf_sysutil_sockaddr* p_sockptr, ++ const int scope_id) ++{ ++ p_sockptr->u.u_sockaddr_in6.sin6_scope_id = scope_id; ++} ++ + const void* + vsf_sysutil_sockaddr_ipv6_v4(const struct vsf_sysutil_sockaddr* p_addr) + { +diff -Naurp vsftpd.orig/sysutil.h vsftpd/sysutil.h +--- vsftpd.orig/sysutil.h 2009-10-02 14:15:18.000000000 +0200 ++++ vsftpd/sysutil.h 2009-10-17 17:10:02.000000000 +0200 +@@ -228,6 +228,9 @@ void vsf_sysutil_sockaddr_set_ipv4addr(s + const unsigned char* p_raw); + void vsf_sysutil_sockaddr_set_ipv6addr(struct vsf_sysutil_sockaddr* p_sockptr, + const unsigned char* p_raw); ++void vsf_sysutil_sockaddr_set_ipv6scope(struct vsf_sysutil_sockaddr* p_sockptr, ++ const int scope_id); ++int vsf_sysutil_sockaddr_get_ipv6scope(struct vsf_sysutil_sockaddr* p_sockptr); + void vsf_sysutil_sockaddr_set_any(struct vsf_sysutil_sockaddr* p_sockaddr); + unsigned short vsf_sysutil_sockaddr_get_port( + const struct vsf_sysutil_sockaddr* p_sockptr); diff --git a/vsftpd/05-whitespaces.patch b/vsftpd/05-whitespaces.patch new file mode 100644 index 0000000000..569ce38ed4 --- /dev/null +++ b/vsftpd/05-whitespaces.patch @@ -0,0 +1,81 @@ +Author: Jiri Skala +Description: trim white spaces from option values (Closes: #419857, #536803). + +diff -Naurp vsftpd.orig/parseconf.c vsftpd/parseconf.c +--- vsftpd.orig/parseconf.c 2009-10-02 14:15:18.000000000 +0200 ++++ vsftpd/parseconf.c 2009-10-18 11:28:31.000000000 +0200 +@@ -275,7 +275,7 @@ vsf_parseconf_load_setting(const char* p + } + else + { +- *p_curr_setting = str_strdup(&s_value_str); ++ *p_curr_setting = str_strdup_trimmed(&s_value_str); + } + return; + } +diff -Naurp vsftpd.orig/str.c vsftpd/str.c +--- vsftpd.orig/str.c 2009-10-02 14:15:18.000000000 +0200 ++++ vsftpd/str.c 2009-10-18 11:28:31.000000000 +0200 +@@ -89,6 +89,18 @@ str_strdup(const struct mystr* p_str) + return vsf_sysutil_strdup(str_getbuf(p_str)); + } + ++const char* ++str_strdup_trimmed(const struct mystr* p_str) ++{ ++ const char* p_trimmed = str_getbuf(p_str); ++ int h, t, newlen; ++ ++ for (h = 0; h < (int)str_getlen(p_str) && vsf_sysutil_isspace(p_trimmed[h]); h++) ; ++ for (t = str_getlen(p_str) - 1; t >= 0 && vsf_sysutil_isspace(p_trimmed[t]); t--) ; ++ newlen = t - h + 1; ++ return newlen ? vsf_sysutil_strndup(p_trimmed+h, (unsigned int)newlen) : 0L; ++} ++ + void + str_alloc_alt_term(struct mystr* p_str, const char* p_src, char term) + { +diff -Naurp vsftpd.orig/str.h vsftpd/str.h +--- vsftpd.orig/str.h 2009-10-02 14:15:18.000000000 +0200 ++++ vsftpd/str.h 2009-10-18 11:28:31.000000000 +0200 +@@ -31,6 +31,7 @@ void str_alloc_ulong(struct mystr* p_str + void str_alloc_filesize_t(struct mystr* p_str, filesize_t the_filesize); + void str_copy(struct mystr* p_dest, const struct mystr* p_src); + const char* str_strdup(const struct mystr* p_str); ++const char* str_strdup_trimmed(const struct mystr* p_str); + void str_empty(struct mystr* p_str); + void str_free(struct mystr* p_str); + void str_trunc(struct mystr* p_str, unsigned int trunc_len); +diff -Naurp vsftpd.orig/sysutil.c vsftpd/sysutil.c +--- vsftpd.orig/sysutil.c 2009-10-02 14:15:18.000000000 +0200 ++++ vsftpd/sysutil.c 2009-10-18 11:28:31.000000000 +0200 +@@ -1033,6 +1033,18 @@ vsf_sysutil_strdup(const char* p_str) + return strdup(p_str); + } + ++char* ++vsf_sysutil_strndup(const char* p_str, unsigned int p_len) ++{ ++ char *new = (char *)malloc(p_len+1); ++ ++ if (new == NULL) ++ return NULL; ++ ++ new[p_len]='\0'; ++ return (char *)memcpy(new, p_str, p_len); ++} ++ + void + vsf_sysutil_memclr(void* p_dest, unsigned int size) + { +diff -Naurp vsftpd.orig/sysutil.h vsftpd/sysutil.h +--- vsftpd.orig/sysutil.h 2009-10-02 14:15:18.000000000 +0200 ++++ vsftpd/sysutil.h 2009-10-18 11:28:31.000000000 +0200 +@@ -186,6 +186,7 @@ int vsf_sysutil_wait_get_exitcode( + /* Various string functions */ + unsigned int vsf_sysutil_strlen(const char* p_text); + char* vsf_sysutil_strdup(const char* p_str); ++char* vsf_sysutil_strndup(const char* p_str, unsigned int p_len); + void vsf_sysutil_memclr(void* p_dest, unsigned int size); + void vsf_sysutil_memcpy(void* p_dest, const void* p_src, + const unsigned int size); diff --git a/vsftpd/06-greedy.patch b/vsftpd/06-greedy.patch new file mode 100644 index 0000000000..ff73c9c285 --- /dev/null +++ b/vsftpd/06-greedy.patch @@ -0,0 +1,32 @@ +Author: Martin Nagy +Description: Fix file listing issue with wildcard (Bugzilla: #392181). + +diff -Naurp vsftpd.orig/ls.c vsftpd/ls.c +--- vsftpd.orig/ls.c 2009-10-02 14:15:18.000000000 +0200 ++++ vsftpd/ls.c 2009-10-18 11:48:29.000000000 +0200 +@@ -281,6 +281,25 @@ vsf_filename_passes_filter(const struct + { + goto out; + } ++ if (!must_match_at_current_pos) ++ { ++ struct mystr scan_fwd = INIT_MYSTR; ++ ++ str_mid_to_end(&name_remain_str, &scan_fwd, ++ indexx + str_getlen(&s_match_needed_str)); ++ /* We're allowed to be greedy, test if it match further along ++ * keep advancing indexx while we can still match. ++ */ ++ while( (locate_result = str_locate_str(&scan_fwd, &s_match_needed_str)), ++ locate_result.found ) ++ { ++ indexx += locate_result.index + str_getlen(&s_match_needed_str); ++ str_mid_to_end(&scan_fwd, &temp_str, ++ locate_result.index + str_getlen(&s_match_needed_str)); ++ str_copy(&scan_fwd, &temp_str); ++ } ++ str_free(&scan_fwd); ++ } + /* Chop matched string out of remainder */ + str_mid_to_end(&name_remain_str, &temp_str, + indexx + str_getlen(&s_match_needed_str)); diff --git a/vsftpd/07-utf8.patch b/vsftpd/07-utf8.patch new file mode 100644 index 0000000000..cf03e08ad3 --- /dev/null +++ b/vsftpd/07-utf8.patch @@ -0,0 +1,58 @@ +Author: Chuck Short +Description: Adding support for UTF8. + +diff -Naurp vsftpd.orig/features.c vsftpd/features.c +--- vsftpd.orig/features.c 2008-12-04 06:00:47.000000000 +0000 ++++ vsftpd/features.c 2010-02-25 13:28:06.000000000 +0000 +@@ -21,6 +21,10 @@ handle_feat(struct vsf_session* p_sess) + vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); + vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); + } ++ if (tunable_utf8_filesystem) ++ { ++ vsf_cmdio_write_raw(p_sess, " UTF8\r\n"); ++ } + if (tunable_port_enable) + { + vsf_cmdio_write_raw(p_sess, " EPRT\r\n"); +diff -Naurp vsftpd.orig/parseconf.c vsftpd/parseconf.c +--- vsftpd.orig/parseconf.c 2009-08-07 18:46:40.000000000 +0000 ++++ vsftpd/parseconf.c 2010-02-25 13:28:06.000000000 +0000 +@@ -28,6 +28,7 @@ static struct parseconf_bool_setting + parseconf_bool_array[] = + { + { "anonymous_enable", &tunable_anonymous_enable }, ++ { "utf8_filesystem", &tunable_utf8_filesystem }, + { "local_enable", &tunable_local_enable }, + { "pasv_enable", &tunable_pasv_enable }, + { "port_enable", &tunable_port_enable }, +diff -Naurp vsftpd.orig/tunables.c vsftpd/tunables.c +--- vsftpd.orig/tunables.c 2009-07-15 20:08:27.000000000 +0000 ++++ vsftpd/tunables.c 2010-02-25 13:28:06.000000000 +0000 +@@ -10,6 +10,7 @@ + + int tunable_anonymous_enable; + int tunable_local_enable; ++int tunable_utf8_filesystem; + int tunable_pasv_enable; + int tunable_port_enable; + int tunable_chroot_local_user; +@@ -146,6 +147,7 @@ tunables_load_defaults() + { + tunable_anonymous_enable = 1; + tunable_local_enable = 0; ++ tunable_utf8_filesystem = 0; + tunable_pasv_enable = 1; + tunable_port_enable = 1; + tunable_chroot_local_user = 0; +diff -Naurp vsftpd.orig/tunables.h vsftpd/tunables.h +--- vsftpd.orig/tunables.h 2009-07-07 01:37:28.000000000 +0000 ++++ vsftpd/tunables.h 2010-02-25 13:28:06.000000000 +0000 +@@ -11,6 +11,7 @@ void tunables_load_defaults(); + /* Booleans */ + extern int tunable_anonymous_enable; /* Allow anon logins */ + extern int tunable_local_enable; /* Allow local logins */ ++extern int tunable_utf8_filesystem; /* Server uses UTF8 Filesystem */ + extern int tunable_pasv_enable; /* Allow PASV */ + extern int tunable_port_enable; /* Allow PORT */ + extern int tunable_chroot_local_user; /* Restrict local to home dir */ diff --git a/vsftpd/08-manpage.patch b/vsftpd/08-manpage.patch new file mode 100644 index 0000000000..3a4f9620dc --- /dev/null +++ b/vsftpd/08-manpage.patch @@ -0,0 +1,23 @@ +Author: Daniel Baumann +Description: Fixing manpage formating. + +diff -Naurp vsftpd.orig/vsftpd.8 vsftpd/vsftpd.8 +--- vsftpd.orig/vsftpd.8 2009-07-17 20:56:23.000000000 +0000 ++++ vsftpd/vsftpd.8 2010-04-08 05:18:00.000000000 +0000 +@@ -57,4 +57,3 @@ setting and any identical setting that w + .Pa /etc/vsftpd.conf + .Sh SEE ALSO + .Xr vsftpd.conf 5 +-.end +diff -Naurp vsftpd.orig/vsftpd.conf.5 vsftpd/vsftpd.conf.5 +--- vsftpd.orig/vsftpd.conf.5 2009-10-19 02:46:30.000000000 +0000 ++++ vsftpd/vsftpd.conf.5 2010-04-08 05:18:08.000000000 +0000 +@@ -404,7 +404,7 @@ reuse (which proves that they know the s + channel). Although this is a secure default, it may break many FTP clients, + so you may want to disable it. For a discussion of the consequences, see + http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html +-(Added in v2.1.0). ++ (Added in v2.1.0). + + Default: YES + .TP diff --git a/vsftpd/09-s390.patch b/vsftpd/09-s390.patch new file mode 100644 index 0000000000..4711f9bc68 --- /dev/null +++ b/vsftpd/09-s390.patch @@ -0,0 +1,15 @@ +Author: Philipp Kern +Description: Fix vsftpd on s390 (Closes: #602726). + +diff -Naurp vsftpd.orig/sysdeputil.c vsftpd/sysdeputil.c +--- vsftpd.orig/sysdeputil.c 2011-09-05 16:03:18.728857644 +0200 ++++ vsftpd/sysdeputil.c 2011-09-05 16:05:12.909423834 +0200 +@@ -64,7 +64,7 @@ + #include + + /* BEGIN config */ +-#if defined(__linux__) ++#if defined(__linux__) && !defined(__s390__) + #include + #include + #define VSF_SYSDEP_HAVE_LINUX_CLONE diff --git a/vsftpd/10-remote-dos.patch b/vsftpd/10-remote-dos.patch new file mode 100644 index 0000000000..fee3ebe3ef --- /dev/null +++ b/vsftpd/10-remote-dos.patch @@ -0,0 +1,69 @@ +Author: Ben Hutchings +Description: Remote DoS on Linux 2.6.32 (Closes: #629373). + +diff -Naurp vsftpd.orig/sysdeputil.c vsftpd/sysdeputil.c +--- vsftpd.orig/sysdeputil.c 2010-03-26 04:25:33.000000000 +0100 ++++ vsftpd/sysdeputil.c 2011-09-05 15:16:05.347070790 +0200 +@@ -25,6 +25,11 @@ + #define _LARGEFILE64_SOURCE 1 + #endif + ++#ifdef __linux__ ++ #include ++ #include ++#endif ++ + /* For INT_MAX */ + #include + +@@ -1259,11 +1264,36 @@ vsf_set_term_if_parent_dies() + #endif + } + ++#ifdef VSF_SYSDEP_HAVE_LINUX_CLONE ++/* On Linux versions <2.6.35, netns cleanup may be so slow that ++ * creating a netns per connection allows a remote denial-of-service. ++ * We therefore do not use CLONE_NEWNET on these versions. ++ */ ++static int ++vsf_sysutil_netns_cleanup_is_fast(void) ++{ ++#ifdef __linux__ ++ struct utsname utsname; ++ int r1, r2, r3 = 0; ++ return (uname(&utsname) == 0 && ++ sscanf(utsname.release, "%d.%d.%d", &r1, &r2, &r3) >= 2 && ++ ((r1 << 16) | (r2 << 8) | r3) >= ((2 << 16) | (6 << 8) | 35)); ++#else ++ /* Assume any other kernel that has the feature don't have this problem */ ++ return 1; ++#endif ++} ++#endif ++ + int + vsf_sysutil_fork_isolate_all_failok() + { + #ifdef VSF_SYSDEP_HAVE_LINUX_CLONE +- static int cloneflags_work = 1; ++ static int cloneflags_work = -1; ++ if (cloneflags_work < 0) ++ { ++ cloneflags_work = vsf_sysutil_netns_cleanup_is_fast(); ++ } + if (cloneflags_work) + { + int ret = syscall(__NR_clone, +@@ -1309,7 +1339,11 @@ int + vsf_sysutil_fork_newnet() + { + #ifdef VSF_SYSDEP_HAVE_LINUX_CLONE +- static int cloneflags_work = 1; ++ static int cloneflags_work = -1; ++ if (cloneflags_work < 0) ++ { ++ cloneflags_work = vsf_sysutil_netns_cleanup_is_fast(); ++ } + if (cloneflags_work) + { + int ret = syscall(__NR_clone, CLONE_NEWNET | SIGCHLD, NULL); diff --git a/vsftpd/vsftpd.conf b/vsftpd/vsftpd.conf new file mode 100644 index 0000000000..28ad4e06fc --- /dev/null +++ b/vsftpd/vsftpd.conf @@ -0,0 +1,105 @@ +# Opendreambox /etc/vsftpd.conf +# +# Please see vsftpd.conf.5 for all compiled in defaults. +# +# READ THIS: This example file is NOT an exhaustive list of vsftpd options. +# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's +# capabilities. +# +# Allow anonymous FTP? (Beware - allowed by default if you comment this out). +anonymous_enable=NO +# +# Uncomment this to allow local users to log in. +local_enable=YES +# +# Uncomment this to enable any form of FTP write command. +write_enable=YES +# +# Default umask for local users is 077. You may wish to change this to 022, +# if your users expect that (022 is used by most other ftpd's) +#local_umask=022 +# +# Uncomment this to allow the anonymous FTP user to upload files. This only +# has an effect if the above global write enable is activated. Also, you will +# obviously need to create a directory writable by the FTP user. +#anon_upload_enable=YES +# +# Uncomment this if you want the anonymous FTP user to be able to create +# new directories. +#anon_mkdir_write_enable=YES +# +# Activate directory messages - messages given to remote users when they +# go into a certain directory. +dirmessage_enable=YES +# +# Activate logging of uploads/downloads. +#xferlog_enable=YES +# +# Make sure PORT transfer connections originate from port 20 (ftp-data). +connect_from_port_20=YES +# +# If you want, you can arrange for uploaded anonymous files to be owned by +# a different user. Note! Using "root" for uploaded files is not +# recommended! +#chown_uploads=YES +#chown_username=whoever +# +# You may override where the log file goes if you like. The default is shown +# below. +#xferlog_file=/var/log/vsftpd.log +# +# If you want, you can have your log file in standard ftpd xferlog format +#xferlog_std_format=YES +# +# You may change the default value for timing out an idle session. +#idle_session_timeout=600 +# +# You may change the default value for timing out a data connection. +#data_connection_timeout=120 +# +# It is recommended that you define on your system a unique user which the +# ftp server can use as a totally isolated and unprivileged user. +#nopriv_user=ftpsecure +# +# Enable this and the server will recognise asynchronous ABOR requests. Not +# recommended for security (the code is non-trivial). Not enabling it, +# however, may confuse older FTP clients. +async_abor_enable=YES +# +# By default the server will pretend to allow ASCII mode but in fact ignore +# the request. Turn on the below options to have the server actually do ASCII +# mangling on files when in ASCII mode. +# Beware that turning on ascii_download_enable enables malicious remote parties +# to consume your I/O resources, by issuing the command "SIZE /big/file" in +# ASCII mode. +# These ASCII options are split into upload and download because you may wish +# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking), +# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be +# on the client anyway.. +#ascii_upload_enable=YES +#ascii_download_enable=YES +# +# You may fully customise the login banner string: +ftpd_banner=Welcome to the OpenDreambox FTP service. +# +# You may specify a file of disallowed anonymous e-mail addresses. Apparently +# useful for combatting certain DoS attacks. +#deny_email_enable=YES +# (default follows) +#banned_email_file=/etc/vsftpd.banned_emails +# +# You may specify an explicit list of local users to chroot() to their home +# directory. If chroot_local_user is YES, then this list becomes a list of +# users to NOT chroot(). +#chroot_list_enable=YES +# (default follows) +#chroot_list_file=/etc/vsftpd.chroot_list +# +# You may activate the "-R" option to the builtin ls. This is disabled by +# default to avoid remote users being able to cause excessive I/O on large +# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume +# the presence of the "-R" option, so there is a strong case for enabling it. +ls_recurse_enable=YES +# +secure_chroot_dir=/dev/shm +local_root=/ diff --git a/vsftpd/vsftpd.xinetd.in b/vsftpd/vsftpd.xinetd.in new file mode 100644 index 0000000000..000f62ad72 --- /dev/null +++ b/vsftpd/vsftpd.xinetd.in @@ -0,0 +1,7 @@ +service ftp +{ + socket_type = stream + user = root + server = @SBINDIR@/vsftpd + wait = no +} diff --git a/vsftpd_2.3.5.bb b/vsftpd_2.3.5.bb new file mode 100644 index 0000000000..5cd9b9d4a5 --- /dev/null +++ b/vsftpd_2.3.5.bb @@ -0,0 +1,95 @@ +DESCRIPTION = "lightweight, efficient FTP server written for security" +HOMEPAGE = "https://security.appspot.com/vsftpd.html" +SECTION = "console/network" +LICENSE = "GPL-2.0-with-OpenSSL-exception" +LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271" +DEPENDS = "libcap openssl" +DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" + +SRC_URI = " \ + https://security.appspot.com/downloads/${BP}.tar.gz \ + file://vsftpd.xinetd.in \ + file://01-builddefs.patch \ + file://02-config.patch \ + file://03-db-doc.patch \ + file://04-link-local.patch \ + file://05-whitespaces.patch \ + file://06-greedy.patch \ + file://07-utf8.patch \ + file://08-manpage.patch \ + file://09-s390.patch \ + file://10-remote-dos.patch \ +" +SRC_URI[md5sum] = "01398a5bef8e85b6cf2c213a4b011eca" +SRC_URI[sha256sum] = "d87ee2987df8f03e1dbe294905f7907b2798deb89c67ca965f6e2f60879e54f1" + +S = "${WORKDIR}/${BP}" + +inherit useradd + +CFLAGS = "${TARGET_CFLAGS}" +CFLAGS += "-DVSF_BUILD_SSL=1" +CFLAGS += "${@base_contains('DISTRO_FEATURES', 'pam', '-DVSF_BUILD_PAM=1', '', d)}" + +LIBS = "-lcap -lcrypt -lssl -lcrypto" +LIBS += "${@base_contains('DISTRO_FEATURES', 'pam', '-lpam', '', d)}" + +LINK = "${TARGET_LDFLAGS}" + +SECURE_CHROOT_DIR = "${datadir}/${BPN}/chroot" +RSA_CERT_FILE = "${sysconfdir}/ssl/private/${BPN}.pem" + +do_configure() { + rm -f builddefs.h + touch builddefs.h + set_default() { + NAME=$1 + VALUE=$2 + sed -e "s,^#\?${NAME}=.*,${NAME}=${VALUE}," -i vsftpd.conf + } + set_default listen NO + set_default listen_ipv6 NO + set_default anonymous_enable NO + set_default local_enable YES + set_default write_enable YES + set_default anon_upload_enable NO + set_default anon_mkdir_write_enable NO + set_default dirmessage_enable NO + set_default use_localtime YES + set_default xferlog_enable NO + set_default connect_from_port_20 YES + set_default chown_uploads NO + set_default nopriv_user vsftpd + set_default async_abor_enable YES + set_default ascii_upload_enable NO + set_default ascii_download_enable NO + set_default ftpd_banner "Welcome to the ${DISTRO_NAME} FTP service!" + set_default chroot_local_user NO + set_default chroot_list_enable NO + set_default ls_recurse_enable YES + set_default secure_chroot_dir "${SECURE_CHROOT_DIR}" + set_default rsa_cert_file "${RSA_CERT_FILE}" + + sed -e 's,@SBINDIR@,${sbindir},' ${WORKDIR}/vsftpd.xinetd.in > vsftpd.xinetd +} +do_compile() { + oe_runmake 'CFLAGS=${CFLAGS}' 'LIBS=${LIBS}' 'LINK=${LINK}' +} +do_install() { + install -d ${D}${sysconfdir} + install -m 644 vsftpd.conf ${D}${sysconfdir} + install -d ${D}${sbindir} + install -m 755 vsftpd ${D}${sbindir}/vsftpd + install -d ${D}${mandir}/man8 + install -m 644 vsftpd.8 ${D}${mandir}/man8/vsftpd.8 + install -d ${D}${mandir}/man5 + install -m 644 vsftpd.conf.5 ${D}${mandir}/man5/vsftpd.conf.5 + install -d ${D}${sysconfdir}/xinetd.d + install -m 644 vsftpd.xinetd ${D}${sysconfdir}/xinetd.d/vsftpd + install -d ${D}${SECURE_CHROOT_DIR} +} + +RDEPENDS_${PN} = "xinetd" + +USERADD_PACKAGES = "${PN}" +USERADD_PARAM_${PN} = "--home-dir ${SECURE_CHROOT_DIR} --no-create-home --system --shell /bin/false --user-group vsftpd"