Group :: System/Servers
RPM: vsftpd
Navigation
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
Patch: vsftpd-2.0.6-alt1.patch
Download
Download
dummyinc/security/pam_userpass.h | 7 ++++++
ftpcmdio.h | 3 ++
logging.c | 4 +-
sysdeputil.c | 18 ++++++++++++++++
sysutil.c | 6 +++-
sysutil.h | 3 ++
tunables.c | 26 ++++++++++++------------
twoprocess.c | 3 ++
utility.h | 12 +++++++++++
vsf_findlibs.sh | 3 ++
vsftpd.8 | 2 +
vsftpd.conf | 41 ++++++++++++++++++++++++++++++++-----
vsftpd.conf.5 | 36 ++++++++++++++++----------------
13 files changed, 123 insertions(+), 41 deletions(-)
diff --git a/dummyinc/security/pam_userpass.h b/dummyinc/security/pam_userpass.h
new file mode 100644
index 0000000..4eb2fbb
--- /dev/null
+++ b/dummyinc/security/pam_userpass.h
@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_PAM_USERPASS_H
+#define VSF_DUMMYINC_PAM_USERPASS_H
+
+#undef VSF_SYSDEP_HAVE_PAM_USERPASS
+
+#endif /* VSF_DUMMYINC_PAM_USERPASS_H */
+
diff --git a/ftpcmdio.h b/ftpcmdio.h
index 6dec96e..2b22ff7 100644
--- a/ftpcmdio.h
+++ b/ftpcmdio.h
@@ -50,6 +50,9 @@ void vsf_cmdio_write_raw(struct vsf_session* p_sess, const char* p_text);
* The same as vsf_cmdio_write(), and then the calling process is exited. The
* write is _guaranteed_ to not block (ditching output if neccessary).
*/
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void vsf_cmdio_write_exit(struct vsf_session* p_sess, int status,
const char* p_text);
diff --git a/logging.c b/logging.c
index 368eb7d..9ae581e 100644
--- a/logging.c
+++ b/logging.c
@@ -44,7 +44,7 @@ vsf_log_init(struct vsf_session* p_sess)
retval = vsf_sysutil_create_or_open_file(tunable_xferlog_file, 0600);
if (vsf_sysutil_retval_is_error(retval))
{- die2("failed to open xferlog log file:", tunable_xferlog_file);+ die("failed to open xferlog log file");}
p_sess->xferlog_fd = retval;
}
@@ -55,7 +55,7 @@ vsf_log_init(struct vsf_session* p_sess)
retval = vsf_sysutil_create_or_open_file(tunable_vsftpd_log_file, 0600);
if (vsf_sysutil_retval_is_error(retval))
{- die2("failed to open vsftpd log file:", tunable_vsftpd_log_file);+ die("failed to open vsftpd log file");}
p_sess->vsftpd_log_fd = retval;
}
diff --git a/sysdeputil.c b/sysdeputil.c
index 3784fef..a563bd4 100644
--- a/sysdeputil.c
+++ b/sysdeputil.c
@@ -49,6 +49,7 @@
#undef VSF_SYSDEP_NEED_OLD_FD_PASSING
#ifdef VSF_BUILD_PAM
#define VSF_SYSDEP_HAVE_PAM
+ #define VSF_SYSDEP_HAVE_PAM_USERPASS
#endif
#define VSF_SYSDEP_HAVE_SHADOW
#define VSF_SYSDEP_HAVE_USERSHELL
@@ -141,6 +142,7 @@
/* PAM support - we include our own dummy version if the system lacks this */
#include <security/pam_appl.h>
+#include <security/pam_userpass.h>
/* No PAM? Try getspnam() with a getpwnam() fallback */
#ifndef VSF_SYSDEP_HAVE_PAM
@@ -276,9 +278,13 @@ vsf_sysdep_check_auth(const struct mystr* p_user_str,
#else /* VSF_SYSDEP_HAVE_PAM */
static pam_handle_t* s_pamh;
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
static struct mystr s_pword_str;
static int pam_conv_func(int nmsg, const struct pam_message** p_msg,
struct pam_response** p_reply, void* p_addata);
+#else
+static pam_userpass_t userpass;
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
static void vsf_auth_shutdown(void);
int
@@ -289,14 +295,24 @@ vsf_sysdep_check_auth(const struct mystr* p_user_str,
int retval;
struct pam_conv the_conv =
{+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
&pam_conv_func,
0
+#else
+ pam_userpass_conv,
+ &userpass
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
};
if (s_pamh != 0)
{ bug("vsf_sysdep_check_auth");}
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
str_copy(&s_pword_str, p_pass_str);
+#else
+ userpass.user = str_getbuf(p_user_str);
+ userpass.pass = str_getbuf(p_pass_str);
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
retval = pam_start(tunable_pam_service_name,
str_getbuf(p_user_str), &the_conv, &s_pamh);
if (retval != PAM_SUCCESS)
@@ -392,6 +408,7 @@ vsf_auth_shutdown(void)
vsf_remove_uwtmp();
}
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
static int
pam_conv_func(int nmsg, const struct pam_message** p_msg,
struct pam_response** p_reply, void* p_addata)
@@ -427,6 +444,7 @@ pam_conv_func(int nmsg, const struct pam_message** p_msg,
*p_reply = p_resps;
return PAM_SUCCESS;
}
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
#endif /* VSF_SYSDEP_HAVE_PAM */
diff --git a/sysutil.c b/sysutil.c
index 20fdf74..ffb1fdd 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -601,17 +601,19 @@ int
vsf_sysutil_wait_exited_normally(
const struct vsf_sysutil_wait_retval* p_waitret)
{- return WIFEXITED(p_waitret->exit_status);
+ int exit_status = p_waitret->exit_status;
+ return WIFEXITED(exit_status);
}
int
vsf_sysutil_wait_get_exitcode(const struct vsf_sysutil_wait_retval* p_waitret)
{+ int exit_status = p_waitret->exit_status;
if (!vsf_sysutil_wait_exited_normally(p_waitret))
{ bug("not a normal exit in vsf_sysutil_wait_get_exitcode");}
- return WEXITSTATUS(p_waitret->exit_status);
+ return WEXITSTATUS(exit_status);
}
void
diff --git a/sysutil.h b/sysutil.h
index 4fced38..a1ceafb 100644
--- a/sysutil.h
+++ b/sysutil.h
@@ -162,6 +162,9 @@ void vsf_sysutil_free(void* p_ptr);
unsigned int vsf_sysutil_getpid(void);
int vsf_sysutil_fork(void);
int vsf_sysutil_fork_failok(void);
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void vsf_sysutil_exit(int exit_code);
struct vsf_sysutil_wait_retval
{diff --git a/tunables.c b/tunables.c
index dabbed7..7c7dbfe 100644
--- a/tunables.c
+++ b/tunables.c
@@ -38,7 +38,7 @@ int tunable_userlist_enable = 0;
int tunable_userlist_deny = 1;
int tunable_use_localtime = 0;
int tunable_check_shell = 1;
-int tunable_hide_ids = 0;
+int tunable_hide_ids = 1;
int tunable_listen = 0;
int tunable_port_promiscuous = 0;
int tunable_passwd_chroot_enable = 0;
@@ -83,8 +83,8 @@ unsigned int tunable_ftp_data_port = 20;
unsigned int tunable_idle_session_timeout = 300;
unsigned int tunable_data_connection_timeout = 300;
/* IPPORT_USERRESERVED + 1 */
-unsigned int tunable_pasv_min_port = 5001;
-unsigned int tunable_pasv_max_port = 0;
+unsigned int tunable_pasv_min_port = 49152;
+unsigned int tunable_pasv_max_port = 65535;
unsigned int tunable_anon_max_rate = 0;
unsigned int tunable_local_max_rate = 0;
/* IPPORT_FTP */
@@ -100,19 +100,19 @@ unsigned int tunable_max_login_fails = 3;
/* -rw------- */
unsigned int tunable_chown_upload_mode = 0600;
-const char* tunable_secure_chroot_dir = "/usr/share/empty";
-const char* tunable_ftp_username = "ftp";
+const char* tunable_secure_chroot_dir = "/var/empty";
+const char* tunable_ftp_username = "vsftpd";
const char* tunable_chown_username = "root";
const char* tunable_xferlog_file = "/var/log/xferlog";
const char* tunable_vsftpd_log_file = "/var/log/vsftpd.log";
const char* tunable_message_file = ".message";
-const char* tunable_nopriv_user = "nobody";
+const char* tunable_nopriv_user = "novsftpd";
const char* tunable_ftpd_banner = 0;
-const char* tunable_banned_email_file = "/etc/vsftpd.banned_emails";
-const char* tunable_chroot_list_file = "/etc/vsftpd.chroot_list";
-const char* tunable_pam_service_name = "ftp";
-const char* tunable_guest_username = "ftp";
-const char* tunable_userlist_file = "/etc/vsftpd.user_list";
+const char* tunable_banned_email_file = "/etc/vsftpd/banned_emails";
+const char* tunable_chroot_list_file = "/etc/vsftpd/chroot_list";
+const char* tunable_pam_service_name = "vsftpd";
+const char* tunable_guest_username = "vsftpd";
+const char* tunable_userlist_file = "/etc/vsftpd/user_list";
const char* tunable_anon_root = 0;
const char* tunable_local_root = 0;
const char* tunable_banner_file = 0;
@@ -124,8 +124,8 @@ const char* tunable_cmds_allowed = 0;
const char* tunable_hide_file = 0;
const char* tunable_deny_file = 0;
const char* tunable_user_sub_token = 0;
-const char* tunable_email_password_file = "/etc/vsftpd.email_passwords";
-const char* tunable_rsa_cert_file = "/usr/share/ssl/certs/vsftpd.pem";
+const char* tunable_email_password_file = "/etc/vsftpd/email_passwords";
+const char* tunable_rsa_cert_file = "/var/lib/ssl/certs/vsftpd.pem";
const char* tunable_dsa_cert_file = 0;
const char* tunable_ssl_ciphers = "DES-CBC3-SHA";
const char* tunable_rsa_private_key_file = 0;
diff --git a/twoprocess.c b/twoprocess.c
index e6cb904..b016096 100644
--- a/twoprocess.c
+++ b/twoprocess.c
@@ -41,6 +41,9 @@ static void calculate_chdir_dir(int anon, struct mystr* p_userdir_str,
const struct mystr* p_user_str,
const struct mystr* p_orig_user_str);
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
static void
handle_sigchld(int duff)
{diff --git a/utility.h b/utility.h
index aae3052..04dfedb 100644
--- a/utility.h
+++ b/utility.h
@@ -10,6 +10,9 @@ struct mystr;
* PARAMETERS
* p_text - text string describing why the process is exiting
*/
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void die(const char* p_text);
/* die2()
@@ -20,6 +23,9 @@ void die(const char* p_text);
* p_text1 - text string describing why the process is exiting
* p_text2 - text to safely concatenate to p_text1
*/
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void die2(const char* p_text1, const char* p_text2);
/* bug()
@@ -29,6 +35,9 @@ void die2(const char* p_text1, const char* p_text2);
* PARAMETERS
* p_text - text string describing what bug trap has triggered
* */
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void bug(const char* p_text);
/* vsf_exit()
@@ -38,6 +47,9 @@ void bug(const char* p_text);
* PARAMETERS
* p_text - text string describing why the process is exiting
*/
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void vsf_exit(const char* p_text);
#endif
diff --git a/vsf_findlibs.sh b/vsf_findlibs.sh
index 3ae030b..132bf10 100755
--- a/vsf_findlibs.sh
+++ b/vsf_findlibs.sh
@@ -18,6 +18,9 @@ if find_func pam_start sysdeputil.o; then
locate_library /usr/lib/libpam.sl && echo "-lpam";
# AIX ends shared libraries with .a
locate_library /usr/lib/libpam.a && echo "-lpam";
+ if find_func pam_userpass_conv sysdeputil.o; then
+ locate_library /usr/lib/libpam_userpass.so && echo "-lpam_userpass";
+ fi
else
locate_library /lib/libcrypt.so && echo "-lcrypt";
locate_library /usr/lib/libcrypt.so && echo "-lcrypt";
diff --git a/vsftpd.8 b/vsftpd.8
index 8066ea6..33e3d7c 100644
--- a/vsftpd.8
+++ b/vsftpd.8
@@ -1,6 +1,7 @@
.\" Copyright (c) 2001 Daniel Jacobowitz <dan@debian.org>
.Dd March 8, 2001
.Dt VSFTPD 8
+.Os "ALT Linux"
.Sh NAME
.Nm vsftpd
.Nd Very Secure FTP Daemon
@@ -32,3 +33,4 @@ may be given on the command line. The default configuration file is
.Pa /etc/vsftpd.conf .
.Sh SEE ALSO
.Xr vsftpd.conf 5
+.end
\ No newline at end of file
diff --git a/vsftpd.conf b/vsftpd.conf
index 7e30740..93f0a37 100644
--- a/vsftpd.conf
+++ b/vsftpd.conf
@@ -1,13 +1,19 @@
-# Example config file /etc/vsftpd.conf
+# The configuration file for vsftpd.
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
-# Please see vsftpd.conf.5 for all compiled in defaults.
+# Please see vsftpd.conf(5) for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
-# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+# Please read the vsftpd.conf(5) manual page to get a full idea of vsftpd's
# capabilities.
#
+# Uncomment this to disallow the PORT method of obtaining a data connection.
+#port_enable=NO
+#
+# Uncomment this to disallow the PASV method of obtaining a data connection.
+#pasv_enable=NO
+#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
@@ -21,6 +27,16 @@ anonymous_enable=YES
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
+# The minimum port to allocate for PASV style data connections.
+# Can be used to specify a narrow port range to assist firewalling.
+# The default is shown below.
+#pasv_min_port=49152
+#
+# The maximum port to allocate for PASV style data connections.
+# Can be used to specify a narrow port range to assist firewalling.
+# The default is shown below.
+#pasv_max_port=65535
+#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
@@ -61,7 +77,7 @@ connect_from_port_20=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
-#nopriv_user=ftpsecure
+#nopriv_user=novsftpd
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
@@ -86,18 +102,31 @@ connect_from_port_20=YES
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
-#banned_email_file=/etc/vsftpd.banned_emails
+#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
+# Warning: these features have non-trivial security implications, especially
+# if the users also have shell access. Only enable if you know what you are
+# doing (and you probably don't).
#chroot_list_enable=YES
# (default follows)
-#chroot_list_file=/etc/vsftpd.chroot_list
+#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
+#
+# If enabled, all user and group information in directory listings will be
+# displayed as "ftp".
+# The default is to hide user and group information.
+#hide_ids=YES
+#
+# If enabled, vsftpd will display directory listings with the time in your
+# local time zone. The default is to display GMT. The times returned by the
+# MDTM FTP command are also affected by this option.
+#use_localtime=YES
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 86706d0..5194126 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -138,7 +138,7 @@ chroot() jail in their home directory upon login. The meaning is slightly
different if chroot_local_user is set to YES. In this case, the list becomes
a list of users which are NOT to be placed in a chroot() jail.
By default, the file containing this list is
-/etc/vsftpd.chroot_list, but you may override this with the
+/etc/vsftpd/chroot_list, but you may override this with the
.BR chroot_list_file
setting.
@@ -172,7 +172,7 @@ Default: NO
.B deny_email_enable
If activated, you may provide a list of anonymous password e-mail responses
which cause login to be denied. By default, the file containing this list is
-/etc/vsftpd.banned_emails, but you may override this with the
+/etc/vsftpd/banned_emails, but you may override this with the
.BR banned_email_file
setting.
@@ -257,7 +257,7 @@ Default: NO
If enabled, all user and group information in directory listings will be
displayed as "ftp".
-Default: NO
+Default: YES
.TP
.B listen
If enabled, vsftpd will run in standalone mode. This means that vsftpd must
@@ -411,7 +411,7 @@ anonymous logins are prevented unless the password provided is listed in the
file specified by the
.BR email_password_file
setting. The file format is one password per line, no extra whitespace. The
-default filename is /etc/vsftpd.email_passwords.
+default filename is /etc/vsftpd/email_passwords.
Default: NO
.TP
@@ -687,13 +687,13 @@ Default: 0 (unlimited)
The maximum port to allocate for PASV style data connections. Can be used to
specify a narrow port range to assist firewalling.
-Default: 0 (use any port)
+Default: 65535
.TP
.B pasv_min_port
The minimum port to allocate for PASV style data connections. Can be used to
specify a narrow port range to assist firewalling.
-Default: 0 (use any port)
+Default: 49152
.TP
.B trans_chunk_size
You probably don't want to change this, but try setting it to something like
@@ -717,7 +717,7 @@ passwords which are not permitted. This file is consulted if the option
.BR deny_email_enable
is enabled.
-Default: /etc/vsftpd.banned_emails
+Default: /etc/vsftpd/banned_emails
.TP
.B banner_file
This option is the name of a file containing text to display when someone
@@ -754,7 +754,7 @@ is enabled. If the option
is enabled, then the list file becomes a list of users to NOT place in a
chroot() jail.
-Default: /etc/vsftpd.chroot_list
+Default: /etc/vsftpd/chroot_list
.TP
.B cmds_allowed
This options specifies a comma separated list of allowed FTP commands (post
@@ -806,13 +806,13 @@ This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable
setting.
-Default: /etc/vsftpd.email_passwords
+Default: /etc/vsftpd/email_passwords
.TP
.B ftp_username
This is the name of the user we use for handling anonymous FTP. The home
directory of this user is the root of the anonymous FTP area.
-Default: ftp
+Default: vsftpd
.TP
.B ftpd_banner
This string option allows you to override the greeting banner displayed
@@ -826,7 +826,7 @@ See the boolean setting
for a description of what constitutes a guest login. This setting is the
real username which guest users are mapped to.
-Default: ftp
+Default: vsftpd
.TP
.B hide_file
This option can be used to set a pattern for filenames (and directory names
@@ -877,12 +877,12 @@ totally unprivileged. Note that this should be a dedicated user, rather
than nobody. The user nobody tends to be used for rather a lot of important
things on most machines.
-Default: nobody
+Default: novsftpd
.TP
.B pam_service_name
This string is the name of the PAM service vsftpd will use.
-Default: ftp
+Default: vsftpd
.TP
.B pasv_address
Use this option to override the IP address that vsftpd will advertise in
@@ -897,7 +897,7 @@ Default: (none - the address is taken from the incoming connected socket)
This option specifies the location of the RSA certificate to use for SSL
encrypted connections.
-Default: /usr/share/ssl/certs/vsftpd.pem
+Default: /var/lib/ssl/certs/vsftpd.pem
.TP
.B rsa_private_key_file
This option specifies the location of the RSA private key to use for SSL
@@ -911,7 +911,7 @@ This option should be the name of a directory which is empty. Also, the
directory should not be writable by the ftp user. This directory is used
as a secure chroot() jail at times vsftpd does not require filesystem access.
-Default: /usr/share/empty
+Default: /var/empty
.TP
.B ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for
@@ -929,10 +929,10 @@ the manual page, on a per-user basis. Usage is simple, and is best illustrated
with an example. If you set
.BR user_config_dir
to be
-.BR /etc/vsftpd_user_conf
+.BR /etc/vsftpd/user_conf
and then log on as the user "chris", then vsftpd will apply the settings in
the file
-.BR /etc/vsftpd_user_conf/chris
+.BR /etc/vsftpd/user_conf/chris
for the duration of the session. The format of this file is as detailed in
this manual page! PLEASE NOTE that not all settings are effective on a
per-user basis. For example, many settings only prior to the user's session
@@ -968,7 +968,7 @@ This option is the name of the file loaded when the
.BR userlist_enable
option is active.
-Default: /etc/vsftpd.user_list
+Default: /etc/vsftpd/user_list
.TP
.B vsftpd_log_file
This option is the name of the file to which we write the vsftpd style