Group :: System/Servers
RPM: vsftpd
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
Patch: vsftpd-2.1.0-alt1.patch
Download
Download
EXAMPLE/VIRTUAL_USERS/vsftpd.pam | 6 +++-
dummyinc/security/pam_userpass.h | 7 +++++
ftpcmdio.h | 3 ++
logging.c | 4 +-
sysdeputil.c | 18 +++++++++++++
sysutil.h | 3 ++
tunables.c | 28 ++++++++++----------
twoprocess.c | 3 ++
utility.h | 12 +++++++++
vsf_findlibs.sh | 3 ++
vsftpd.8 | 2 +
vsftpd.conf | 50 ++++++++++++++++++++++++++++++++-----
vsftpd.conf.5 | 38 ++++++++++++++--------------
13 files changed, 133 insertions(+), 44 deletions(-)
diff --git a/EXAMPLE/VIRTUAL_USERS/vsftpd.pam b/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
index 5f6864a..98fdbc5 100644
--- a/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
+++ b/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
@@ -1,2 +1,4 @@
-auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
-account required /lib/security/pam_userdb.so db=/etc/vsftpd_login
+#%PAM-1.0
+auth required pam_userpass.so
+auth required pam_userdb.so db=/etc/vsftpd_login use_first_pass
+account required pam_userdb.so db=/etc/vsftpd_login
diff --git a/dummyinc/security/pam_userpass.h b/dummyinc/security/pam_userpass.h
new file mode 100644
index 0000000..4eb2fbb
--- /dev/null
+++ b/dummyinc/security/pam_userpass.h
@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_PAM_USERPASS_H
+#define VSF_DUMMYINC_PAM_USERPASS_H
+
+#undef VSF_SYSDEP_HAVE_PAM_USERPASS
+
+#endif /* VSF_DUMMYINC_PAM_USERPASS_H */
+
diff --git a/ftpcmdio.h b/ftpcmdio.h
index 6dec96e..2b22ff7 100644
--- a/ftpcmdio.h
+++ b/ftpcmdio.h
@@ -50,6 +50,9 @@ void vsf_cmdio_write_raw(struct vsf_session* p_sess, const char* p_text);
* The same as vsf_cmdio_write(), and then the calling process is exited. The
* write is _guaranteed_ to not block (ditching output if neccessary).
*/
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void vsf_cmdio_write_exit(struct vsf_session* p_sess, int status,
const char* p_text);
diff --git a/logging.c b/logging.c
index 370fbab..40d8a07 100644
--- a/logging.c
+++ b/logging.c
@@ -44,7 +44,7 @@ vsf_log_init(struct vsf_session* p_sess)
retval = vsf_sysutil_create_or_open_file(tunable_xferlog_file, 0600);
if (vsf_sysutil_retval_is_error(retval))
{
- die2("failed to open xferlog log file:", tunable_xferlog_file);
+ die("failed to open xferlog log file");
}
p_sess->xferlog_fd = retval;
}
@@ -55,7 +55,7 @@ vsf_log_init(struct vsf_session* p_sess)
retval = vsf_sysutil_create_or_open_file(tunable_vsftpd_log_file, 0600);
if (vsf_sysutil_retval_is_error(retval))
{
- die2("failed to open vsftpd log file:", tunable_vsftpd_log_file);
+ die("failed to open vsftpd log file");
}
p_sess->vsftpd_log_fd = retval;
}
diff --git a/sysdeputil.c b/sysdeputil.c
index 04a5cf8..7a80309 100644
--- a/sysdeputil.c
+++ b/sysdeputil.c
@@ -53,6 +53,7 @@
#undef VSF_SYSDEP_NEED_OLD_FD_PASSING
#ifdef VSF_BUILD_PAM
#define VSF_SYSDEP_HAVE_PAM
+ #define VSF_SYSDEP_HAVE_PAM_USERPASS
#endif
#define VSF_SYSDEP_HAVE_SHADOW
#define VSF_SYSDEP_HAVE_USERSHELL
@@ -147,6 +148,7 @@
/* PAM support - we include our own dummy version if the system lacks this */
#include <security/pam_appl.h>
+#include <security/pam_userpass.h>
/* No PAM? Try getspnam() with a getpwnam() fallback */
#ifndef VSF_SYSDEP_HAVE_PAM
@@ -285,9 +287,13 @@ vsf_sysdep_check_auth(const struct mystr* p_user_str,
#else /* VSF_SYSDEP_HAVE_PAM */
static pam_handle_t* s_pamh;
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
static struct mystr s_pword_str;
static int pam_conv_func(int nmsg, const struct pam_message** p_msg,
struct pam_response** p_reply, void* p_addata);
+#else
+static pam_userpass_t userpass;
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
static void vsf_auth_shutdown(void);
int
@@ -298,14 +304,24 @@ vsf_sysdep_check_auth(const struct mystr* p_user_str,
int retval;
struct pam_conv the_conv =
{
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
&pam_conv_func,
0
+#else
+ pam_userpass_conv,
+ &userpass
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
};
if (s_pamh != 0)
{
bug("vsf_sysdep_check_auth");
}
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
str_copy(&s_pword_str, p_pass_str);
+#else
+ userpass.user = str_getbuf(p_user_str);
+ userpass.pass = str_getbuf(p_pass_str);
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
retval = pam_start(tunable_pam_service_name,
str_getbuf(p_user_str), &the_conv, &s_pamh);
if (retval != PAM_SUCCESS)
@@ -401,6 +417,7 @@ vsf_auth_shutdown(void)
vsf_remove_uwtmp();
}
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
static int
pam_conv_func(int nmsg, const struct pam_message** p_msg,
struct pam_response** p_reply, void* p_addata)
@@ -436,6 +453,7 @@ pam_conv_func(int nmsg, const struct pam_message** p_msg,
*p_reply = p_resps;
return PAM_SUCCESS;
}
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
#endif /* VSF_SYSDEP_HAVE_PAM */
diff --git a/sysutil.h b/sysutil.h
index 1b8d78c..1095b09 100644
--- a/sysutil.h
+++ b/sysutil.h
@@ -166,6 +166,9 @@ void vsf_sysutil_free(void* p_ptr);
unsigned int vsf_sysutil_getpid(void);
int vsf_sysutil_fork(void);
int vsf_sysutil_fork_failok(void);
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void vsf_sysutil_exit(int exit_code);
struct vsf_sysutil_wait_retval
{
diff --git a/tunables.c b/tunables.c
index fa716b2..a7c1451 100644
--- a/tunables.c
+++ b/tunables.c
@@ -173,8 +173,8 @@ tunables_load_defaults()
tunable_userlist_deny = 1;
tunable_use_localtime = 0;
tunable_check_shell = 1;
- tunable_hide_ids = 0;
- tunable_listen = 1;
+ tunable_hide_ids = 1;
+ tunable_listen = 0;
tunable_port_promiscuous = 0;
tunable_passwd_chroot_enable = 0;
tunable_no_anon_password = 0;
@@ -225,8 +225,8 @@ tunables_load_defaults()
tunable_idle_session_timeout = 300;
tunable_data_connection_timeout = 300;
/* IPPORT_USERRESERVED + 1 */
- tunable_pasv_min_port = 5001;
- tunable_pasv_max_port = 0;
+ tunable_pasv_min_port = 49152;
+ tunable_pasv_max_port = 65535;
tunable_anon_max_rate = 0;
tunable_local_max_rate = 0;
/* IPPORT_FTP */
@@ -242,19 +242,19 @@ tunables_load_defaults()
/* -rw------- */
tunable_chown_upload_mode = 0600;
- install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir);
- install_str_setting("ftp", &tunable_ftp_username);
+ install_str_setting("/var/empty", &tunable_secure_chroot_dir);
+ install_str_setting("vsftpd", &tunable_ftp_username);
install_str_setting("root", &tunable_chown_username);
install_str_setting("/var/log/xferlog", &tunable_xferlog_file);
install_str_setting("/var/log/vsftpd.log", &tunable_vsftpd_log_file);
install_str_setting(".message", &tunable_message_file);
- install_str_setting("nobody", &tunable_nopriv_user);
+ install_str_setting("novsftpd", &tunable_nopriv_user);
install_str_setting(0, &tunable_ftpd_banner);
- install_str_setting("/etc/vsftpd.banned_emails", &tunable_banned_email_file);
- install_str_setting("/etc/vsftpd.chroot_list", &tunable_chroot_list_file);
- install_str_setting("ftp", &tunable_pam_service_name);
- install_str_setting("ftp", &tunable_guest_username);
- install_str_setting("/etc/vsftpd.user_list", &tunable_userlist_file);
+ install_str_setting("/etc/vsftpd/banned_emails", &tunable_banned_email_file);
+ install_str_setting("/etc/vsftpd/chroot_list", &tunable_chroot_list_file);
+ install_str_setting("vsftpd", &tunable_pam_service_name);
+ install_str_setting("vsftpd", &tunable_guest_username);
+ install_str_setting("/etc/vsftpd/user_list", &tunable_userlist_file);
install_str_setting(0, &tunable_anon_root);
install_str_setting(0, &tunable_local_root);
install_str_setting(0, &tunable_banner_file);
@@ -267,9 +267,9 @@ tunables_load_defaults()
install_str_setting(0, &tunable_hide_file);
install_str_setting(0, &tunable_deny_file);
install_str_setting(0, &tunable_user_sub_token);
- install_str_setting("/etc/vsftpd.email_passwords",
+ install_str_setting("/etc/vsftpd/email_passwords",
&tunable_email_password_file);
- install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
+ install_str_setting("/var/lib/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
install_str_setting("DES-CBC3-SHA", &tunable_ssl_ciphers);
diff --git a/twoprocess.c b/twoprocess.c
index 5d34f45..318cb0a 100644
--- a/twoprocess.c
+++ b/twoprocess.c
@@ -42,6 +42,9 @@ static void calculate_chdir_dir(int anon, struct mystr* p_userdir_str,
const struct mystr* p_user_str,
const struct mystr* p_orig_user_str);
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
static void
handle_sigchld(void* duff)
{
diff --git a/utility.h b/utility.h
index aae3052..04dfedb 100644
--- a/utility.h
+++ b/utility.h
@@ -10,6 +10,9 @@ struct mystr;
* PARAMETERS
* p_text - text string describing why the process is exiting
*/
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void die(const char* p_text);
/* die2()
@@ -20,6 +23,9 @@ void die(const char* p_text);
* p_text1 - text string describing why the process is exiting
* p_text2 - text to safely concatenate to p_text1
*/
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void die2(const char* p_text1, const char* p_text2);
/* bug()
@@ -29,6 +35,9 @@ void die2(const char* p_text1, const char* p_text2);
* PARAMETERS
* p_text - text string describing what bug trap has triggered
* */
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void bug(const char* p_text);
/* vsf_exit()
@@ -38,6 +47,9 @@ void bug(const char* p_text);
* PARAMETERS
* p_text - text string describing why the process is exiting
*/
+#ifdef __GNUC__
+__attribute__ ((noreturn))
+#endif
void vsf_exit(const char* p_text);
#endif
diff --git a/vsf_findlibs.sh b/vsf_findlibs.sh
index 31647b3..569234a 100755
--- a/vsf_findlibs.sh
+++ b/vsf_findlibs.sh
@@ -18,6 +18,9 @@ if find_func pam_start sysdeputil.o; then
locate_library /usr/lib/libpam.sl && echo "-lpam";
# AIX ends shared libraries with .a
locate_library /usr/lib/libpam.a && echo "-lpam";
+ if find_func pam_userpass_conv sysdeputil.o; then
+ locate_library /usr/lib/libpam_userpass.so && echo "-lpam_userpass";
+ fi
else
locate_library /lib/libcrypt.so && echo "-lcrypt";
locate_library /usr/lib/libcrypt.so && echo "-lcrypt";
diff --git a/vsftpd.8 b/vsftpd.8
index 7672059..13ae82e 100644
--- a/vsftpd.8
+++ b/vsftpd.8
@@ -1,6 +1,7 @@
.\" Copyright (c) 2001 Daniel Jacobowitz <dan@debian.org>
.Dd March 8, 2001
.Dt VSFTPD 8
+.Os "ALT Linux"
.Sh NAME
.Nm vsftpd
.Nd Very Secure FTP Daemon
@@ -33,3 +34,4 @@ root. The default configuration file is
.Pa /etc/vsftpd.conf .
.Sh SEE ALSO
.Xr vsftpd.conf 5
+.end
\ No newline at end of file
diff --git a/vsftpd.conf b/vsftpd.conf
index 1034cbb..f835624 100644
--- a/vsftpd.conf
+++ b/vsftpd.conf
@@ -1,13 +1,19 @@
-# Example config file /etc/vsftpd.conf
+# The configuration file for vsftpd.
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
-# Please see vsftpd.conf.5 for all compiled in defaults.
+# Please see vsftpd.conf(5) for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
-# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+# Please read the vsftpd.conf(5) manual page to get a full idea of vsftpd's
# capabilities.
#
+# Uncomment this to disallow the PORT method of obtaining a data connection.
+#port_enable=NO
+#
+# Uncomment this to disallow the PASV method of obtaining a data connection.
+#pasv_enable=NO
+#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
@@ -21,6 +27,16 @@ anonymous_enable=YES
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
+# The minimum port to allocate for PASV style data connections.
+# Can be used to specify a narrow port range to assist firewalling.
+# The default is shown below.
+#pasv_min_port=49152
+#
+# The maximum port to allocate for PASV style data connections.
+# Can be used to specify a narrow port range to assist firewalling.
+# The default is shown below.
+#pasv_max_port=65535
+#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
@@ -62,7 +78,7 @@ connect_from_port_20=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
-#nopriv_user=ftpsecure
+#nopriv_user=novsftpd
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
@@ -87,14 +103,24 @@ connect_from_port_20=YES
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
-#banned_email_file=/etc/vsftpd.banned_emails
+#banned_email_file=/etc/vsftpd/banned_emails
+#
+# If enabled, local users will be (by default) placed in a chroot() jail
+# in their home directory after login.
+# Warning: this option has non-trivial security implications, especially
+# if the users also have shell access. Only enable if you know what you are
+# doing (and you probably don't).
+#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
+# Warning: these features have non-trivial security implications, especially
+# if the users also have shell access. Only enable if you know what you are
+# doing (and you probably don't).
#chroot_list_enable=YES
# (default follows)
-#chroot_list_file=/etc/vsftpd.chroot_list
+#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
@@ -102,10 +128,20 @@ connect_from_port_20=YES
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
+# If enabled, all user and group information in directory listings will be
+# displayed as "ftp".
+# The default is to hide user and group information.
+#hide_ids=YES
+#
+# If enabled, vsftpd will display directory listings with the time in your
+# local time zone. The default is to display GMT. The times returned by the
+# MDTM FTP command are also affected by this option.
+#use_localtime=YES
+#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
-listen=YES
+#listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 3551ae7..7a645fb 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -138,7 +138,7 @@ chroot() jail in their home directory upon login. The meaning is slightly
different if chroot_local_user is set to YES. In this case, the list becomes
a list of users which are NOT to be placed in a chroot() jail.
By default, the file containing this list is
-/etc/vsftpd.chroot_list, but you may override this with the
+/etc/vsftpd/chroot_list, but you may override this with the
.BR chroot_list_file
setting.
@@ -177,7 +177,7 @@ Default: NO
.B deny_email_enable
If activated, you may provide a list of anonymous password e-mail responses
which cause login to be denied. By default, the file containing this list is
-/etc/vsftpd.banned_emails, but you may override this with the
+/etc/vsftpd/banned_emails, but you may override this with the
.BR banned_email_file
setting.
@@ -262,7 +262,7 @@ Default: NO
If enabled, all user and group information in directory listings will be
displayed as "ftp".
-Default: NO
+Default: YES
.TP
.B implicit_ssl
If enabled, an SSL handshake is the first thing expect on all connections
@@ -277,7 +277,7 @@ not be run from an inetd of some kind. Instead, the vsftpd executable is
run once directly. vsftpd itself will then take care of listening for and
handling incoming connections.
-Default: YES
+Default: NO
.TP
.B listen_ipv6
Like the listen parameter, except vsftpd will listen on an IPv6 socket instead
@@ -430,7 +430,7 @@ anonymous logins are prevented unless the password provided is listed in the
file specified by the
.BR email_password_file
setting. The file format is one password per line, no extra whitespace. The
-default filename is /etc/vsftpd.email_passwords.
+default filename is /etc/vsftpd/email_passwords.
Default: NO
.TP
@@ -731,13 +731,13 @@ Default: 0 (unlimited)
The maximum port to allocate for PASV style data connections. Can be used to
specify a narrow port range to assist firewalling.
-Default: 0 (use any port)
+Default: 65535
.TP
.B pasv_min_port
The minimum port to allocate for PASV style data connections. Can be used to
specify a narrow port range to assist firewalling.
-Default: 0 (use any port)
+Default: 49152
.TP
.B trans_chunk_size
You probably don't want to change this, but try setting it to something like
@@ -761,7 +761,7 @@ passwords which are not permitted. This file is consulted if the option
.BR deny_email_enable
is enabled.
-Default: /etc/vsftpd.banned_emails
+Default: /etc/vsftpd/banned_emails
.TP
.B banner_file
This option is the name of a file containing text to display when someone
@@ -798,7 +798,7 @@ is enabled. If the option
is enabled, then the list file becomes a list of users to NOT place in a
chroot() jail.
-Default: /etc/vsftpd.chroot_list
+Default: /etc/vsftpd/chroot_list
.TP
.B cmds_allowed
This options specifies a comma separated list of allowed FTP commands (post
@@ -859,13 +859,13 @@ This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable
setting.
-Default: /etc/vsftpd.email_passwords
+Default: /etc/vsftpd/email_passwords
.TP
.B ftp_username
This is the name of the user we use for handling anonymous FTP. The home
directory of this user is the root of the anonymous FTP area.
-Default: ftp
+Default: vsftpd
.TP
.B ftpd_banner
This string option allows you to override the greeting banner displayed
@@ -879,7 +879,7 @@ See the boolean setting
for a description of what constitutes a guest login. This setting is the
real username which guest users are mapped to.
-Default: ftp
+Default: vsftpd
.TP
.B hide_file
This option can be used to set a pattern for filenames (and directory names
@@ -930,12 +930,12 @@ totally unprivileged. Note that this should be a dedicated user, rather
than nobody. The user nobody tends to be used for rather a lot of important
things on most machines.
-Default: nobody
+Default: novsftpd
.TP
.B pam_service_name
This string is the name of the PAM service vsftpd will use.
-Default: ftp
+Default: vsftpd
.TP
.B pasv_address
Use this option to override the IP address that vsftpd will advertise in
@@ -950,7 +950,7 @@ Default: (none - the address is taken from the incoming connected socket)
This option specifies the location of the RSA certificate to use for SSL
encrypted connections.
-Default: /usr/share/ssl/certs/vsftpd.pem
+Default: /var/lib/ssl/certs/vsftpd.pem
.TP
.B rsa_private_key_file
This option specifies the location of the RSA private key to use for SSL
@@ -964,7 +964,7 @@ This option should be the name of a directory which is empty. Also, the
directory should not be writable by the ftp user. This directory is used
as a secure chroot() jail at times vsftpd does not require filesystem access.
-Default: /usr/share/empty
+Default: /var/empty
.TP
.B ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for
@@ -982,10 +982,10 @@ the manual page, on a per-user basis. Usage is simple, and is best illustrated
with an example. If you set
.BR user_config_dir
to be
-.BR /etc/vsftpd_user_conf
+.BR /etc/vsftpd/user_conf
and then log on as the user "chris", then vsftpd will apply the settings in
the file
-.BR /etc/vsftpd_user_conf/chris
+.BR /etc/vsftpd/user_conf/chris
for the duration of the session. The format of this file is as detailed in
this manual page! PLEASE NOTE that not all settings are effective on a
per-user basis. For example, many settings only prior to the user's session
@@ -1021,7 +1021,7 @@ This option is the name of the file loaded when the
.BR userlist_enable
option is active.
-Default: /etc/vsftpd.user_list
+Default: /etc/vsftpd/user_list
.TP
.B vsftpd_log_file
This option is the name of the file to which we write the vsftpd style