Group :: System/Servers
RPM: vsftpd
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
Patch: vsftpd-3.0.3-alt2.patch
Download
Download
EXAMPLE/VIRTUAL_USERS/vsftpd.pam | 6 +++--
dummyinc/security/pam_userpass.h | 7 +++++
ftpcmdio.h | 4 ++-
logging.c | 4 +--
port/porting_junk.h | 13 ++++++++++
seccompsandbox.c | 44 ++++++++++++++++++++++++++++++++
str.c | 12 +++------
sysdeputil.c | 33 +++++++++++++++++-------
sysstr.c | 9 ++-----
sysutil.c | 15 +++++------
sysutil.h | 3 ++-
tunables.c | 28 ++++++++++----------
twoprocess.c | 2 +-
utility.h | 10 +++++---
vsf_findlibs.sh | 3 +++
vsftpd.8 | 1 +
vsftpd.conf | 55 ++++++++++++++++++++++++++++++++--------
vsftpd.conf.5 | 36 +++++++++++++-------------
18 files changed, 197 insertions(+), 88 deletions(-)
diff --git a/EXAMPLE/VIRTUAL_USERS/vsftpd.pam b/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
index 5f6864a..98fdbc5 100644
--- a/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
+++ b/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
@@ -1,2 +1,4 @@
-auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
-account required /lib/security/pam_userdb.so db=/etc/vsftpd_login
+#%PAM-1.0
+auth required pam_userpass.so
+auth required pam_userdb.so db=/etc/vsftpd_login use_first_pass
+account required pam_userdb.so db=/etc/vsftpd_login
diff --git a/dummyinc/security/pam_userpass.h b/dummyinc/security/pam_userpass.h
new file mode 100644
index 0000000..4eb2fbb
--- /dev/null
+++ b/dummyinc/security/pam_userpass.h
@@ -0,0 +1,7 @@
+#ifndef VSF_DUMMYINC_PAM_USERPASS_H
+#define VSF_DUMMYINC_PAM_USERPASS_H
+
+#undef VSF_SYSDEP_HAVE_PAM_USERPASS
+
+#endif /* VSF_DUMMYINC_PAM_USERPASS_H */
+
diff --git a/ftpcmdio.h b/ftpcmdio.h
index 0f011ae..87e5a94 100644
--- a/ftpcmdio.h
+++ b/ftpcmdio.h
@@ -1,6 +1,8 @@
#ifndef VSF_FTPCMDIO_H
#define VSF_FTPCMDIO_H
+#include "port/porting_junk.h"
+
struct mystr;
struct vsf_session;
@@ -51,7 +53,7 @@ void vsf_cmdio_write_raw(struct vsf_session* p_sess, const char* p_text);
* write is _guaranteed_ to not block (ditching output if neccessary).
*/
void vsf_cmdio_write_exit(struct vsf_session* p_sess, int status,
- const char* p_text, int exit_val);
+ const char* p_text, int exit_val) VSF_NORETURN;
/* vsf_cmdio_write_str()
* PURPOSE
diff --git a/logging.c b/logging.c
index ad531d6..d999262 100644
--- a/logging.c
+++ b/logging.c
@@ -48,7 +48,7 @@ vsf_log_init(struct vsf_session* p_sess)
}
if (vsf_sysutil_retval_is_error(retval))
{
- die2("failed to open xferlog log file:", tunable_xferlog_file);
+ die("failed to open xferlog log file");
}
p_sess->xferlog_fd = retval;
}
@@ -64,7 +64,7 @@ vsf_log_init(struct vsf_session* p_sess)
}
if (vsf_sysutil_retval_is_error(retval))
{
- die2("failed to open vsftpd log file:", tunable_vsftpd_log_file);
+ die("failed to open vsftpd log file");
}
p_sess->vsftpd_log_fd = retval;
}
diff --git a/port/porting_junk.h b/port/porting_junk.h
index eeb6ee3..4dde416 100644
--- a/port/porting_junk.h
+++ b/port/porting_junk.h
@@ -26,5 +26,18 @@
*/
#include "cmsg_extras.h"
+#if defined(__GNUC__) && defined(__GNUC_MINOR__)
+# define VSF_GNUC_PREREQ(maj, min) \
+ (((__GNUC__ << 16) + __GNUC_MINOR__) >= (((maj) << 16) + (min)))
+#else
+# define VSF_GNUC_PREREQ(maj, min) 0
+#endif
+
+#if VSF_GNUC_PREREQ(2,5)
+# define VSF_NORETURN __attribute__((noreturn))
+#else
+# define VSF_NORETURN
+#endif
+
#endif /* VSF_PORTINGJUNK_H */
diff --git a/seccompsandbox.c b/seccompsandbox.c
index 2c350a9..c5c02f9 100644
--- a/seccompsandbox.c
+++ b/seccompsandbox.c
@@ -12,6 +12,10 @@
#if defined(__linux__) && defined(__x86_64__)
+#ifndef _GNU_SOURCE
+ #define _GNU_SOURCE 1
+#endif
+
#include "session.h"
#include "sysutil.h"
#include "tunables.h"
@@ -46,6 +50,12 @@
#define __NR_openat 257
#endif
+#ifdef O_LARGEFILE
+ #if O_LARGEFILE == 0
+ #undef O_LARGEFILE
+ #endif
+#endif
+
#ifndef O_LARGEFILE
#define O_LARGEFILE 00100000
#endif
@@ -267,6 +277,9 @@ seccomp_sandbox_setup_data_connections()
3, IPPROTO_TCP);
allow_nr(__NR_bind);
allow_nr(__NR_select);
+#ifdef __NR_pselect6
+ allow_nr(__NR_pselect6);
+#endif
if (tunable_port_enable)
{
allow_nr(__NR_connect);
@@ -294,6 +307,11 @@ seccomp_sandbox_setup_base()
allow_nr_2_arg_match(__NR_mmap,
3, PROT_READ|PROT_WRITE,
4, MAP_PRIVATE|MAP_ANON);
+#ifdef __NR_mmap2
+ allow_nr_2_arg_match(__NR_mmap2,
+ 3, PROT_READ|PROT_WRITE,
+ 4, MAP_PRIVATE|MAP_ANON);
+#endif
allow_nr_1_arg_mask(__NR_mprotect, 3, PROT_READ);
allow_nr(__NR_munmap);
allow_nr(__NR_brk);
@@ -301,7 +319,15 @@ seccomp_sandbox_setup_base()
reject_nr(__NR_mremap, ENOSYS);
/* Misc simple low-risk calls. */
+#ifdef __NR_gettimeofday
allow_nr(__NR_gettimeofday); /* Used by logging. */
+#endif
+#ifdef __NR_clock_gettime
+ allow_nr(__NR_clock_gettime); /* Used by logging. */
+#endif
+#ifdef __NR_clock_gettime64
+ allow_nr(__NR_clock_gettime64); /* Used by logging. */
+#endif
allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
allow_nr(__NR_restart_syscall);
allow_nr(__NR_close);
@@ -330,7 +356,15 @@ seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
allow_nr_1_arg_match(__NR_recvfrom, 4, MSG_PEEK);
/* Misc simple low-risk calls */
+#ifdef __NR_nanosleep
allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
+#endif
+#ifdef __NR_clock_nanosleep
+ allow_nr(__NR_clock_nanosleep); /* Used for bandwidth / login throttling. */
+#endif
+#ifdef __NR_clock_nanosleep_time64
+ allow_nr(__NR_clock_nanosleep_time64); /* Used for bandwidth / login throttling. */
+#endif
allow_nr(__NR_getpid); /* Used by logging. */
allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
@@ -409,6 +443,10 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
allow_nr(__NR_getcwd);
allow_nr(__NR_chdir);
allow_nr(__NR_getdents);
+#ifdef __NR_getdents64
+ allow_nr(__NR_getdents64);
+#endif
+ allow_nr(__NR_sysinfo); /* Used by qsort. */
/* Misc */
allow_nr(__NR_umask);
@@ -416,6 +454,9 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
if (tunable_use_sendfile)
{
allow_nr(__NR_sendfile);
+#ifdef __NR_sendfile64
+ allow_nr(__NR_sendfile64);
+#endif
}
if (tunable_idle_session_timeout > 0 ||
tunable_data_connection_timeout > 0 ||
@@ -462,6 +503,9 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
{
reject_nr(__NR_socket, EACCES);
allow_nr_2_arg_match(__NR_mmap, 3, PROT_READ, 4, MAP_SHARED);
+#ifdef __NR_mmap2
+ allow_nr_2_arg_match(__NR_mmap2, 3, PROT_READ, 4, MAP_SHARED);
+#endif
}
if (tunable_write_enable)
diff --git a/str.c b/str.c
index 6596204..bb8114d 100644
--- a/str.c
+++ b/str.c
@@ -458,9 +458,7 @@ str_locate_chars(const struct mystr* p_str, const char* p_chars)
struct str_locate_result retval;
unsigned int num_chars = vsf_sysutil_strlen(p_chars);
unsigned int i = 0;
- retval.found = 0;
- retval.char_found = 0;
- retval.index = 0;
+ vsf_sysutil_memclr(&retval, sizeof(retval));
for (; i < p_str->len; ++i)
{
unsigned int j = 0;
@@ -485,9 +483,7 @@ str_locate_text(const struct mystr* p_str, const char* p_text)
struct str_locate_result retval;
unsigned int i;
unsigned int text_len = vsf_sysutil_strlen(p_text);
- retval.found = 0;
- retval.char_found = 0;
- retval.index = 0;
+ vsf_sysutil_memclr(&retval, sizeof(retval));
if (text_len == 0 || text_len > p_str->len)
{
/* Not found */
@@ -512,9 +508,7 @@ str_locate_text_reverse(const struct mystr* p_str, const char* p_text)
struct str_locate_result retval;
unsigned int i;
unsigned int text_len = vsf_sysutil_strlen(p_text);
- retval.found = 0;
- retval.char_found = 0;
- retval.index = 0;
+ vsf_sysutil_memclr(&retval, sizeof(retval));
if (text_len == 0 || text_len > p_str->len)
{
return retval;
diff --git a/sysdeputil.c b/sysdeputil.c
index 06f01f4..bba4929 100644
--- a/sysdeputil.c
+++ b/sysdeputil.c
@@ -7,6 +7,12 @@
* Highly system dependent utilities - e.g. authentication, capabilities.
*/
+#if (defined(__FreeBSD__) && __FreeBSD__ >= 3)
+ #define _FILE_OFFSET_BITS 64
+ #define _LARGEFILE_SOURCE 1
+ #define _LARGEFILE64_SOURCE 1
+#endif
+
#include "sysdeputil.h"
#include "str.h"
#include "sysutil.h"
@@ -16,15 +22,6 @@
#include "tunables.h"
#include "builddefs.h"
-/* For Linux, this adds nothing :-) */
-#include "port/porting_junk.h"
-
-#if (defined(__FreeBSD__) && __FreeBSD__ >= 3)
- #define _FILE_OFFSET_BITS 64
- #define _LARGEFILE_SOURCE 1
- #define _LARGEFILE64_SOURCE 1
-#endif
-
/* For INT_MAX */
#include <limits.h>
@@ -54,6 +51,7 @@
#undef VSF_SYSDEP_HAVE_LINUX_CLONE
#ifdef VSF_BUILD_PAM
#define VSF_SYSDEP_HAVE_PAM
+ #define VSF_SYSDEP_HAVE_PAM_USERPASS
#endif
#define VSF_SYSDEP_HAVE_SHADOW
#define VSF_SYSDEP_HAVE_USERSHELL
@@ -167,6 +165,7 @@
/* PAM support - we include our own dummy version if the system lacks this */
#include <security/pam_appl.h>
+#include <security/pam_userpass.h>
/* No PAM? Try getspnam() with a getpwnam() fallback */
#ifndef VSF_SYSDEP_HAVE_PAM
@@ -312,9 +311,13 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
typedef lo_const void* pam_item_t;
static pam_handle_t* s_pamh;
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
static struct mystr s_pword_str;
static int pam_conv_func(int nmsg, const struct pam_message** p_msg,
struct pam_response** p_reply, void* p_addata);
+#else
+static pam_userpass_t userpass;
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
static void vsf_auth_shutdown(void);
int
@@ -327,14 +330,24 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
const char* pam_user_name = 0;
struct pam_conv the_conv =
{
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
&pam_conv_func,
0
+#else
+ pam_userpass_conv,
+ &userpass
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
};
if (s_pamh != 0)
{
bug("vsf_sysdep_check_auth");
}
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
str_copy(&s_pword_str, p_pass_str);
+#else
+ userpass.user = str_getbuf(p_user_str);
+ userpass.pass = str_getbuf(p_pass_str);
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
if (tunable_pam_service_name)
{
retval = pam_start(tunable_pam_service_name,
@@ -444,6 +457,7 @@ vsf_auth_shutdown(void)
vsf_remove_uwtmp();
}
+#ifndef VSF_SYSDEP_HAVE_PAM_USERPASS
static int
pam_conv_func(int nmsg, const struct pam_message** p_msg,
struct pam_response** p_reply, void* p_addata)
@@ -479,6 +493,7 @@ pam_conv_func(int nmsg, const struct pam_message** p_msg,
*p_reply = p_resps;
return PAM_SUCCESS;
}
+#endif /* VSF_SYSDEP_HAVE_PAM_USERPASS */
#endif /* VSF_SYSDEP_HAVE_PAM */
diff --git a/sysstr.c b/sysstr.c
index d86cdf1..b764684 100644
--- a/sysstr.c
+++ b/sysstr.c
@@ -74,19 +74,14 @@ str_chdir(const struct mystr* p_str)
int
str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
{
- enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown;
switch (mode)
{
case kVSFSysStrOpenReadOnly:
- open_mode = kVSFSysUtilOpenReadOnly;
- break;
- case kVSFSysStrOpenUnknown:
- /* Fall through */
+ return vsf_sysutil_open_file(str_getbuf(p_str), kVSFSysUtilOpenReadOnly);
default:
bug("unknown mode value in str_open");
- break;
+ return -1;
}
- return vsf_sysutil_open_file(str_getbuf(p_str), open_mode);
}
int
diff --git a/sysutil.c b/sysutil.c
index 5cdb6ef..4924730 100644
--- a/sysutil.c
+++ b/sysutil.c
@@ -10,21 +10,18 @@
* dependencies on libc or syscalls.
*/
-#define PRIVATE_HANDS_OFF_syscall_retval syscall_retval
-#define PRIVATE_HANDS_OFF_exit_status exit_status
-#include "sysutil.h"
-#include "utility.h"
-#include "tunables.h"
-#include "sysdeputil.h"
-
/* Activate 64-bit file support on Linux/32bit plus others */
#define _FILE_OFFSET_BITS 64
#define _LARGEFILE_SOURCE 1
#define _LARGEFILE64_SOURCE 1
#define _LARGE_FILES 1
-/* For Linux, this adds nothing :-) */
-#include "port/porting_junk.h"
+#define PRIVATE_HANDS_OFF_syscall_retval syscall_retval
+#define PRIVATE_HANDS_OFF_exit_status exit_status
+#include "sysutil.h"
+#include "utility.h"
+#include "tunables.h"
+#include "sysdeputil.h"
#include <signal.h>
#include <string.h>
diff --git a/sysutil.h b/sysutil.h
index c34778c..6b64963 100644
--- a/sysutil.h
+++ b/sysutil.h
@@ -6,6 +6,7 @@
#ifndef VSF_FILESIZE_H
#include "filesize.h"
#endif
+#include "port/porting_junk.h"
/* Return value queries */
int vsf_sysutil_retval_is_error(int retval);
@@ -168,7 +169,7 @@ unsigned int vsf_sysutil_getpid(void);
void vsf_sysutil_post_fork(void);
int vsf_sysutil_fork(void);
int vsf_sysutil_fork_failok(void);
-void vsf_sysutil_exit(int exit_code);
+void vsf_sysutil_exit(int exit_code) VSF_NORETURN;
struct vsf_sysutil_wait_retval
{
int PRIVATE_HANDS_OFF_syscall_retval;
diff --git a/tunables.c b/tunables.c
index 284a10d..1eb76e6 100644
--- a/tunables.c
+++ b/tunables.c
@@ -179,8 +179,8 @@ tunables_load_defaults()
tunable_userlist_deny = 1;
tunable_use_localtime = 0;
tunable_check_shell = 1;
- tunable_hide_ids = 0;
- tunable_listen = 1;
+ tunable_hide_ids = 1;
+ tunable_listen = 0;
tunable_port_promiscuous = 0;
tunable_passwd_chroot_enable = 0;
tunable_no_anon_password = 0;
@@ -237,8 +237,8 @@ tunables_load_defaults()
tunable_idle_session_timeout = 300;
tunable_data_connection_timeout = 300;
/* IPPORT_USERRESERVED + 1 */
- tunable_pasv_min_port = 5001;
- tunable_pasv_max_port = 0;
+ tunable_pasv_min_port = 49152;
+ tunable_pasv_max_port = 65535;
tunable_anon_max_rate = 0;
tunable_local_max_rate = 0;
/* IPPORT_FTP */
@@ -254,19 +254,19 @@ tunables_load_defaults()
/* -rw------- */
tunable_chown_upload_mode = 0600;
- install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir);
- install_str_setting("ftp", &tunable_ftp_username);
+ install_str_setting("/var/empty", &tunable_secure_chroot_dir);
+ install_str_setting("vsftpd", &tunable_ftp_username);
install_str_setting("root", &tunable_chown_username);
install_str_setting("/var/log/xferlog", &tunable_xferlog_file);
install_str_setting("/var/log/vsftpd.log", &tunable_vsftpd_log_file);
install_str_setting(".message", &tunable_message_file);
- install_str_setting("nobody", &tunable_nopriv_user);
+ install_str_setting("novsftpd", &tunable_nopriv_user);
install_str_setting(0, &tunable_ftpd_banner);
- install_str_setting("/etc/vsftpd.banned_emails", &tunable_banned_email_file);
- install_str_setting("/etc/vsftpd.chroot_list", &tunable_chroot_list_file);
- install_str_setting("ftp", &tunable_pam_service_name);
- install_str_setting("ftp", &tunable_guest_username);
- install_str_setting("/etc/vsftpd.user_list", &tunable_userlist_file);
+ install_str_setting("/etc/vsftpd/banned_emails", &tunable_banned_email_file);
+ install_str_setting("/etc/vsftpd/chroot_list", &tunable_chroot_list_file);
+ install_str_setting("vsftpd", &tunable_pam_service_name);
+ install_str_setting("vsftpd", &tunable_guest_username);
+ install_str_setting("/etc/vsftpd/user_list", &tunable_userlist_file);
install_str_setting(0, &tunable_anon_root);
install_str_setting(0, &tunable_local_root);
install_str_setting(0, &tunable_banner_file);
@@ -279,9 +279,9 @@ tunables_load_defaults()
install_str_setting(0, &tunable_hide_file);
install_str_setting(0, &tunable_deny_file);
install_str_setting(0, &tunable_user_sub_token);
- install_str_setting("/etc/vsftpd.email_passwords",
+ install_str_setting("/etc/vsftpd/email_passwords",
&tunable_email_password_file);
- install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
+ install_str_setting("/var/lib/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
diff --git a/twoprocess.c b/twoprocess.c
index 33d84dc..35b674f 100644
--- a/twoprocess.c
+++ b/twoprocess.c
@@ -43,7 +43,7 @@ static void calculate_chdir_dir(int anon, struct mystr* p_userdir_str,
const struct mystr* p_user_str,
const struct mystr* p_orig_user_str);
-static void
+static void VSF_NORETURN
handle_sigchld(void* duff)
{
diff --git a/utility.h b/utility.h
index aae3052..e5677fa 100644
--- a/utility.h
+++ b/utility.h
@@ -1,6 +1,8 @@
#ifndef VSF_UTILITY_H
#define VSF_UTILITY_H
+#include "port/porting_junk.h"
+
struct mystr;
/* die()
@@ -10,7 +12,7 @@ struct mystr;
* PARAMETERS
* p_text - text string describing why the process is exiting
*/
-void die(const char* p_text);
+void die(const char* p_text) VSF_NORETURN;
/* die2()
* PURPOSE
@@ -20,7 +22,7 @@ void die(const char* p_text);
* p_text1 - text string describing why the process is exiting
* p_text2 - text to safely concatenate to p_text1
*/
-void die2(const char* p_text1, const char* p_text2);
+void die2(const char* p_text1, const char* p_text2) VSF_NORETURN;
/* bug()
* PURPOSE
@@ -29,7 +31,7 @@ void die2(const char* p_text1, const char* p_text2);
* PARAMETERS
* p_text - text string describing what bug trap has triggered
* */
-void bug(const char* p_text);
+void bug(const char* p_text) VSF_NORETURN;
/* vsf_exit()
* PURPOSE
@@ -38,7 +40,7 @@ void bug(const char* p_text);
* PARAMETERS
* p_text - text string describing why the process is exiting
*/
-void vsf_exit(const char* p_text);
+void vsf_exit(const char* p_text) VSF_NORETURN;
#endif
diff --git a/vsf_findlibs.sh b/vsf_findlibs.sh
index f5d485d..272288c 100755
--- a/vsf_findlibs.sh
+++ b/vsf_findlibs.sh
@@ -21,6 +21,9 @@ if find_func pam_start sysdeputil.o; then
locate_library /usr/lib/libpam.sl && echo "-lpam";
# AIX ends shared libraries with .a
locate_library /usr/lib/libpam.a && echo "-lpam";
+ if find_func pam_userpass_conv sysdeputil.o; then
+ locate_library /usr/lib/libpam_userpass.so && echo "-lpam_userpass";
+ fi
else
locate_library /lib/libcrypt.so && echo "-lcrypt";
locate_library /usr/lib/libcrypt.so && echo "-lcrypt";
diff --git a/vsftpd.8 b/vsftpd.8
index 6640b57..4445396 100644
--- a/vsftpd.8
+++ b/vsftpd.8
@@ -1,6 +1,7 @@
.\" Copyright (c) 2001 Daniel Jacobowitz <dan@debian.org>
.Dd March 8, 2001
.Dt VSFTPD 8
+.Os "ALT Linux"
.Sh NAME
.Nm vsftpd
.Nd Very Secure FTP Daemon
diff --git a/vsftpd.conf b/vsftpd.conf
index cc1c607..b95c58a 100644
--- a/vsftpd.conf
+++ b/vsftpd.conf
@@ -1,14 +1,21 @@
-# Example config file /etc/vsftpd.conf
+# The configuration file for vsftpd.
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
-# Please see vsftpd.conf.5 for all compiled in defaults.
+# Please see vsftpd.conf(5) for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
-# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+# Please read the vsftpd.conf(5) manual page to get a full idea of vsftpd's
# capabilities.
#
+# Uncomment this to disallow the PORT method of obtaining a data connection.
+#port_enable=NO
+#
+# Uncomment this to disallow the PASV method of obtaining a data connection.
+#pasv_enable=NO
+#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+# You might want to install anonftp to provide /var/ftp and ftpadmin group.
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
@@ -21,6 +28,16 @@ anonymous_enable=YES
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
+# The minimum port to allocate for PASV style data connections.
+# Can be used to specify a narrow port range to assist firewalling.
+# The default is shown below.
+#pasv_min_port=49152
+#
+# The maximum port to allocate for PASV style data connections.
+# Can be used to specify a narrow port range to assist firewalling.
+# The default is shown below.
+#pasv_max_port=65535
+#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
@@ -62,7 +79,7 @@ connect_from_port_20=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
-#nopriv_user=ftpsecure
+#nopriv_user=novsftpd
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
@@ -87,18 +104,24 @@ connect_from_port_20=YES
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
-#banned_email_file=/etc/vsftpd.banned_emails
+#banned_email_file=/etc/vsftpd/banned_emails
+#
+# If enabled, local users will be (by default) placed in a chroot() jail
+# in their home directory after login.
+# Warning: this option has non-trivial security implications, especially
+# if the users also have shell access or write access.
+# Only enable if you know what you are doing (and you probably don't).
+#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
-# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
-# the user does not have write access to the top level directory within the
-# chroot)
-#chroot_local_user=YES
+# Warning: these features have non-trivial security implications, especially
+# if the users also have shell access or write access.
+# Only enable if you know what you are doing (and you probably don't).
#chroot_list_enable=YES
# (default follows)
-#chroot_list_file=/etc/vsftpd.chroot_list
+#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
@@ -106,10 +129,20 @@ connect_from_port_20=YES
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
+# If enabled, all user and group information in directory listings will be
+# displayed as "ftp".
+# The default is to hide user and group information.
+#hide_ids=YES
+#
+# If enabled, vsftpd will display directory listings with the time in your
+# local time zone. The default is to display GMT. The times returned by the
+# MDTM FTP command are also affected by this option.
+#use_localtime=YES
+#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
-listen=YES
+#listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index fcc6022..daf0a1e 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -138,7 +138,7 @@ chroot() jail in their home directory upon login. The meaning is slightly
different if chroot_local_user is set to YES. In this case, the list becomes
a list of users which are NOT to be placed in a chroot() jail.
By default, the file containing this list is
-/etc/vsftpd.chroot_list, but you may override this with the
+/etc/vsftpd/chroot_list, but you may override this with the
.BR chroot_list_file
setting.
@@ -177,7 +177,7 @@ Default: NO
.B deny_email_enable
If activated, you may provide a list of anonymous password e-mail responses
which cause login to be denied. By default, the file containing this list is
-/etc/vsftpd.banned_emails, but you may override this with the
+/etc/vsftpd/banned_emails, but you may override this with the
.BR banned_email_file
setting.
@@ -262,7 +262,7 @@ Default: NO
If enabled, all user and group information in directory listings will be
displayed as "ftp".
-Default: NO
+Default: YES
.TP
.B implicit_ssl
If enabled, an SSL handshake is the first thing expect on all connections
@@ -433,7 +433,7 @@ anonymous logins are prevented unless the password provided is listed in the
file specified by the
.BR email_password_file
setting. The file format is one password per line, no extra whitespace. The
-default filename is /etc/vsftpd.email_passwords.
+default filename is /etc/vsftpd/email_passwords.
Default: NO
.TP
@@ -734,13 +734,13 @@ Default: 0 (unlimited)
The maximum port to allocate for PASV style data connections. Can be used to
specify a narrow port range to assist firewalling.
-Default: 0 (use any port)
+Default: 65535
.TP
.B pasv_min_port
The minimum port to allocate for PASV style data connections. Can be used to
specify a narrow port range to assist firewalling.
-Default: 0 (use any port)
+Default: 49152
.TP
.B trans_chunk_size
You probably don't want to change this, but try setting it to something like
@@ -764,7 +764,7 @@ passwords which are not permitted. This file is consulted if the option
.BR deny_email_enable
is enabled.
-Default: /etc/vsftpd.banned_emails
+Default: /etc/vsftpd/banned_emails
.TP
.B banner_file
This option is the name of a file containing text to display when someone
@@ -803,7 +803,7 @@ is enabled. If the option
is enabled, then the list file becomes a list of users to NOT place in a
chroot() jail.
-Default: /etc/vsftpd.chroot_list
+Default: /etc/vsftpd/chroot_list
.TP
.B cmds_allowed
This options specifies a comma separated list of allowed FTP commands (post
@@ -864,13 +864,13 @@ This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable
setting.
-Default: /etc/vsftpd.email_passwords
+Default: /etc/vsftpd/email_passwords
.TP
.B ftp_username
This is the name of the user we use for handling anonymous FTP. The home
directory of this user is the root of the anonymous FTP area.
-Default: ftp
+Default: vsftpd
.TP
.B ftpd_banner
This string option allows you to override the greeting banner displayed
@@ -884,7 +884,7 @@ See the boolean setting
for a description of what constitutes a guest login. This setting is the
real username which guest users are mapped to.
-Default: ftp
+Default: vsftpd
.TP
.B hide_file
This option can be used to set a pattern for filenames (and directory names
@@ -935,12 +935,12 @@ totally unprivileged. Note that this should be a dedicated user, rather
than nobody. The user nobody tends to be used for rather a lot of important
things on most machines.
-Default: nobody
+Default: novsftpd
.TP
.B pam_service_name
This string is the name of the PAM service vsftpd will use.
-Default: ftp
+Default: vsftpd
.TP
.B pasv_address
Use this option to override the IP address that vsftpd will advertise in
@@ -955,7 +955,7 @@ Default: (none - the address is taken from the incoming connected socket)
This option specifies the location of the RSA certificate to use for SSL
encrypted connections.
-Default: /usr/share/ssl/certs/vsftpd.pem
+Default: /var/lib/ssl/certs/vsftpd.pem
.TP
.B rsa_private_key_file
This option specifies the location of the RSA private key to use for SSL
@@ -969,7 +969,7 @@ This option should be the name of a directory which is empty. Also, the
directory should not be writable by the ftp user. This directory is used
as a secure chroot() jail at times vsftpd does not require filesystem access.
-Default: /usr/share/empty
+Default: /var/empty
.TP
.B ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for
@@ -987,10 +987,10 @@ the manual page, on a per-user basis. Usage is simple, and is best illustrated
with an example. If you set
.BR user_config_dir
to be
-.BR /etc/vsftpd_user_conf
+.BR /etc/vsftpd/user_conf
and then log on as the user "chris", then vsftpd will apply the settings in
the file
-.BR /etc/vsftpd_user_conf/chris
+.BR /etc/vsftpd/user_conf/chris
for the duration of the session. The format of this file is as detailed in
this manual page! PLEASE NOTE that not all settings are effective on a
per-user basis. For example, many settings only prior to the user's session
@@ -1026,7 +1026,7 @@ This option is the name of the file loaded when the
.BR userlist_enable
option is active.
-Default: /etc/vsftpd.user_list
+Default: /etc/vsftpd/user_list
.TP
.B vsftpd_log_file
This option is the name of the file to which we write the vsftpd style