From 67c6e52220dcf4ac757d5186f9545b75fcfb55b0 Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Aug 19 2009 15:41:06 +0000
Subject: Use mod_vroot to work around PAM/chroot issues (#477120, #506735)
---
diff --git a/.cvsignore b/.cvsignore
index 421c8fc..38d4377 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1,2 @@
 proftpd-1.3.2a.tar.bz2
+proftpd-mod-vroot-0.8.5.tar.gz
diff --git a/proftpd.conf b/proftpd.conf
index 4ab3e6c..65af247 100644
--- a/proftpd.conf
+++ b/proftpd.conf
@@ -11,7 +11,11 @@ ServerAdmin root@localhost
 DefaultServer on
 # Cause every FTP user except adm to be chrooted into their home directory
+# Aliasing /etc/security/pam_env.conf into the chroot allows pam_env to
+# work at session-end time (http://bugzilla.redhat.com/477120)
+VRootEngine on
 DefaultRoot ~ !adm
+VRootAlias etc/security/pam_env.conf /etc/security/pam_env.conf
 # Use pam to authenticate (default) and be authoritative
 AuthPAMConfig proftpd
diff --git a/proftpd.pam b/proftpd.pam
index 9623bb9..16013d1 100644
--- a/proftpd.pam
+++ b/proftpd.pam
@@ -4,6 +4,5 @@ auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers oner
 auth required pam_shells.so
 auth include system-auth
 account include system-auth
-# Comment the following line if you are having PAM issues with chrooted users
 session include system-auth
 session required pam_loginuid.so
diff --git a/proftpd.spec b/proftpd.spec
index 3bcf498..b73bb7a 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -7,7 +7,7 @@
 %endif
 #global prever rc3
-%global rpmrel 2
+%global rpmrel 3
 Summary: Flexible, stable and highly-configurable FTP server
 Name: proftpd
@@ -26,6 +26,7 @@ Source6: proftpd.pam
 Source7: proftpd-mod_quotatab_ldap.ldif
 Source8: proftpd-mod_quotatab_ldap.schema
 Source9: proftpd.sysconfig
+Source10: http://www.castaglia.org/proftpd/modules/proftpd-mod-vroot-0.8.5.tar.gz
 Patch0: proftpd-1.3.2rc3-nostrip.patch
 Patch1: proftpd-1.3.2a-defines.patch
 Patch2: proftpd-1.3.2-parallel-build.patch
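Review bot: In the proftpd.conf hunk, `VRootEngine on` is placed ahead of `DefaultRoot ~ !adm`, so the confinement that the unchanged comment calls "chrooted" is presumably no longer a kernel chroot(2) but mod_vroot's path mapping inside the daemon, and the config does not say so. A line such as `# mod_vroot emulates the chroot in user space; confinement depends on its path mapping, not chroot(2)` above `VRootEngine on` would keep administrators from assuming kernel-level isolation. The `VRootAlias` line also makes the system-wide pam_env.conf appear at `etc/security/pam_env.conf` in every confined user's view. It is worth confirming that the file's permissions, and the way this mod_vroot version treats symlinks pointing outside the home directory, match what the deployment expects.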
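Review bot: `Source10` in the second proftpd.spec hunk points at a plain `http://` URL for a third-party module, and the only integrity pin visible in this commit is the MD5 line added to `sources`. MD5 is not collision-resistant, so if upstream publishes a signature or a stronger digest for proftpd-mod-vroot-0.8.5.tar.gz, it should be checked when the tarball is imported. A comment such as `# mod_vroot is not part of the proftpd tarball; verify Source10 against upstream before updating` next to the Source line would record that step. The same applies to the `sources` hunk at the end of the patch.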
@@ -77,7 +78,10 @@ Module to add PostgreSQL support to the ProFTPD FTP server.
 %prep
-%setup -q -n %{name}-%{version}%{?prever}
+%setup -q -n %{name}-%{version}%{?prever} -a 10
+
+# Copy mod_vroot source into place
+%{__cp} -p mod_vroot/mod_vroot.c contrib/
 # Don't strip binaries - needed for useful debuginfo
 %patch0 -p1 -b .nostrip
@@ -143,7 +147,7 @@ SMOD5=mod_wrap2:mod_wrap2_file:mod_wrap2_sql
 --enable-shadow \
 --with-libraries="%{_libdir}/mysql" \
 --with-includes="%{_includedir}/mysql" \
- --with-modules=mod_readme:mod_auth_pam:mod_tls \
+ --with-modules=mod_readme:mod_auth_pam:mod_tls:mod_vroot \
 --with-shared=${SMOD1}:${SMOD2}:${SMOD3}:${SMOD4}:${SMOD5}:mod_ifsession
 %{__make} %{?_smp_mflags}
@@ -274,6 +278,9 @@ fi
 %changelog
+* Wed Aug 19 2009 Paul Howarth 1.3.2a-3
+- Use mod_vroot to work around PAM/chroot issues (#477120, #506735)
+
 * Fri Jul 31 2009 Paul Howarth 1.3.2a-2
 - Add upstream patch to fix parallel build (http://bugs.proftpd.org/3189)
diff --git a/sources b/sources
index 08e23d8..c6e9b0e 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 ad3cbb5db30c5ae39e09b308892392b3 proftpd-1.3.2a.tar.bz2
+139fc328c43a9afbe290ec787713096b proftpd-mod-vroot-0.8.5.tar.gz
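Review bot: In the configure hunk, `mod_vroot` is appended to `--with-modules`, which presumably links it statically into the daemon, whereas the optional modules in the `SMOD` lists go through `--with-shared`. If static linking is needed so that the shipped proftpd.conf works without a `LoadModule` line, a comment above the option saying so would help. Otherwise, building it shared would let sites that do not want the virtual chroot keep this third-party code out of the running server. The configure invocation starts outside this hunk, so the full option list is not visible here.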