From e000aa4ebebacb05a03c64dcb02bbcd1d79da13d Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Nov 18 2016 09:25:51 +0000 Subject: Review patches and spec file. --- diff --git a/0001-Don-t-use-the-provided-script-to-locate-libraries.patch b/0001-Don-t-use-the-provided-script-to-locate-libraries.patch new file mode 100644 index 0000000..fdeb69e --- /dev/null +++ b/0001-Don-t-use-the-provided-script-to-locate-libraries.patch @@ -0,0 +1,27 @@ +From 7bd573d76e9c1996ad5a96f0289731a253a24301 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Tue, 6 Sep 2016 13:35:51 +0200 +Subject: [PATCH 01/33] Don't use the provided script to locate libraries. + +This branch is Fedora (RHEL) specific, so we know what +libraries we have and want to use. +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index c63ed1b..98118dc 100644 +--- a/Makefile ++++ b/Makefile +@@ -8,7 +8,7 @@ CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \ + -D_FORTIFY_SOURCE=2 \ + #-pedantic -Wconversion + +-LIBS = `./vsf_findlibs.sh` ++LIBS = -lwrap -lnsl -lpam -lcap -ldl -lcrypto + LINK = -Wl,-s + LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now + +-- +2.7.4 + diff --git a/0002-Enable-build-with-SSL.patch b/0002-Enable-build-with-SSL.patch new file mode 100644 index 0000000..41180fa --- /dev/null +++ b/0002-Enable-build-with-SSL.patch @@ -0,0 +1,25 @@ +From 6fe24bc56694808ac7f8038855883a971967f0fb Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Tue, 6 Sep 2016 13:40:53 +0200 +Subject: [PATCH 02/33] Enable build with SSL. + +--- + builddefs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/builddefs.h b/builddefs.h +index e908352..63cc62b 100644 +--- a/builddefs.h ++++ b/builddefs.h +@@ -3,7 +3,7 @@ + + #undef VSF_BUILD_TCPWRAPPERS + #define VSF_BUILD_PAM +-#undef VSF_BUILD_SSL ++#define VSF_BUILD_SSL + + #endif /* VSF_BUILDDEFS_H */ + +-- +2.7.4 + 
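Review bot: With the discovery script gone, LIBS must now track builddefs.h by hand, and the list looks incomplete: patch 0002 in this same commit turns on VSF_BUILD_SSL, whose ssl.c code uses libssl entry points, yet only `-lcrypto` is listed here (vsf_findlibs.sh emitted `-lssl -lcrypto` for that case, if memory serves), so unless the spec passes LIBS on the make command line the link will likely fail — confirm and add `-lssl` if so. A comment above the line, e.g. `# Fixed library list for the Fedora/RHEL build; keep in sync with the VSF_BUILD_* switches in builddefs.h`, would carry the reasoning from the commit message into the Makefile itself. The assignment could also become `:=` now that it no longer depends on a late-expanded backtick command, though that is cosmetic.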
diff --git a/0003-Enable-build-with-TCP-Wrapper.patch b/0003-Enable-build-with-TCP-Wrapper.patch new file mode 100644 index 0000000..baa8881 --- /dev/null +++ b/0003-Enable-build-with-TCP-Wrapper.patch @@ -0,0 +1,25 @@ +From 1e0e2b13836d40f5a3f4cb20f2b3ea8204115b51 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Tue, 6 Sep 2016 13:42:09 +0200 +Subject: [PATCH 03/33] Enable build with TCP Wrapper + +--- + builddefs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/builddefs.h b/builddefs.h +index 63cc62b..83de674 100644 +--- a/builddefs.h ++++ b/builddefs.h +@@ -1,7 +1,7 @@ + #ifndef VSF_BUILDDEFS_H + #define VSF_BUILDDEFS_H + +-#undef VSF_BUILD_TCPWRAPPERS ++#define VSF_BUILD_TCPWRAPPERS + #define VSF_BUILD_PAM + #define VSF_BUILD_SSL + +-- +2.7.4 + diff --git a/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch b/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch new file mode 100644 index 0000000..4380365 --- /dev/null +++ b/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch 
@@ -0,0 +1,483 @@ +From fff93602a4b252be8d674e27083dde68a7acf038 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Tue, 6 Sep 2016 13:46:03 +0200 +Subject: [PATCH 04/33] Use /etc/vsftpd/ dir for config files instead of /etc. + +--- + EXAMPLE/INTERNET_SITE/README | 6 +++--- + EXAMPLE/INTERNET_SITE_NOINETD/README | 4 ++-- + EXAMPLE/PER_IP_CONFIG/README | 4 ++-- + EXAMPLE/VIRTUAL_USERS/README | 14 +++++++------- + FAQ | 8 ++++---- + INSTALL | 10 +++++----- + README | 5 +++++ + defs.h | 2 +- + tunables.c | 10 +++++----- + vsftpd.8 | 10 +++++----- + vsftpd.conf | 20 +++++++++++++------- + vsftpd.conf.5 | 22 +++++++++++----------- + 12 files changed, 63 insertions(+), 52 deletions(-) + +diff --git a/EXAMPLE/INTERNET_SITE/README b/EXAMPLE/INTERNET_SITE/README +index 12b10a5..fe3d7ca 100644 +--- a/EXAMPLE/INTERNET_SITE/README ++++ b/EXAMPLE/INTERNET_SITE/README +@@ -41,13 +41,13 @@ no_access = 192.168.1.3 + As an example of how to ban certain sites from connecting, 192.168.1.3 will + be denied access. + +-banner_fail = /etc/vsftpd.busy_banner ++banner_fail = /etc/vsftpd/busy_banner + + This is the file to display to users if the connection is refused for whatever + reason (too many users, IP banned). + + Example of how to populate it: +-echo "421 Server busy, please try later." > /etc/vsftpd.busy_banner ++echo "421 Server busy, please try later." > /etc/vsftpd/busy_banner + + log_on_success += PID HOST DURATION + log_on_failure += HOST +@@ -62,7 +62,7 @@ Step 2) Set up your vsftpd configuration file. + + An example file is supplied. Install it like this: + +-cp vsftpd.conf /etc ++cp vsftpd.conf /etc/vsftpd + + Let's example the contents of the file: + +diff --git a/EXAMPLE/INTERNET_SITE_NOINETD/README b/EXAMPLE/INTERNET_SITE_NOINETD/README +index ce17af2..9198c5f 100644 +--- a/EXAMPLE/INTERNET_SITE_NOINETD/README ++++ b/EXAMPLE/INTERNET_SITE_NOINETD/README +@@ -17,7 +17,7 @@ even per-connect-IP configurability. 
+ + To use this example config: + +-1) Copy the vsftpd.conf file in this directory to /etc/vsftpd.conf. ++1) Copy the vsftpd.conf file in this directory to /etc/vsftpd/vsftpd.conf. + + 2) Start up vsftpd, e.g. + vsftpd & +@@ -51,5 +51,5 @@ in the vsftpd.conf: + listen_address=192.168.1.2 + + And launch vsftpd with a specific config file like this: +-vsftpd /etc/vsftpd.conf.site1 & ++vsftpd /etc/vsftpd/vsftpd.conf.site1 & + +diff --git a/EXAMPLE/PER_IP_CONFIG/README b/EXAMPLE/PER_IP_CONFIG/README +index a9ef352..34924d5 100644 +--- a/EXAMPLE/PER_IP_CONFIG/README ++++ b/EXAMPLE/PER_IP_CONFIG/README +@@ -20,12 +20,12 @@ directory: hosts.allow. It lives at /etc/hosts.allow. + + Let's have a look at the example: + +-vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd_tcp_wrap.conf ++vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd/tcp_wrap.conf + vsftpd: 192.168.1.4: DENY + + The first line: + If a client connects from 192.168.1.3, then vsftpd will apply the vsftpd +-config file /etc/vsftpd_tcp_wrap.conf to the session! These settings are ++config file /etc/vsftpd/tcp_wrap.conf to the session! These settings are + applied ON TOP of the default vsftpd.conf. + This is obviously very powerful. You might use this to apply different + access restrictions for some IPs (e.g. the ability to upload). +diff --git a/EXAMPLE/VIRTUAL_USERS/README b/EXAMPLE/VIRTUAL_USERS/README +index b48995d..72972fa 100644 +--- a/EXAMPLE/VIRTUAL_USERS/README ++++ b/EXAMPLE/VIRTUAL_USERS/README +@@ -15,7 +15,7 @@ See example file "logins.txt" - this specifies "tom" with password "foo" and + "fred" with password "bar". + Whilst logged in as root, create the actual database file like this: + +-db_load -T -t hash -f logins.txt /etc/vsftpd_login.db ++db_load -T -t hash -f logins.txt /etc/vsftpd/login.db + (Requires the Berkeley db program installed). + NOTE: Many systems have multiple versions of "db" installed, so you may + need to use e.g. db3_load for correct operation. 
This is known to affect +@@ -23,10 +23,10 @@ some Debian systems. The core issue is that pam_userdb expects its login + database to be a specific db version (often db3, whereas db4 may be installed + on your system). + +-This will create /etc/vsftpd_login.db. Obviously, you may want to make sure ++This will create /etc/vsftpd/login.db. Obviously, you may want to make sure + the permissions are restricted: + +-chmod 600 /etc/vsftpd_login.db ++chmod 600 /etc/vsftpd/login.db + + For more information on maintaing your login database, look around for + documentation on "Berkeley DB", e.g. +@@ -37,8 +37,8 @@ Step 2) Create a PAM file which uses your new database. + + See the example file vsftpd.pam. It contains two lines: + +-auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login +-account required /lib/security/pam_userdb.so db=/etc/vsftpd_login ++auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login ++account required /lib/security/pam_userdb.so db=/etc/vsftpd/login + + This tells PAM to authenticate users using our new database. Copy this PAM + file to the PAM directory - typically /etc/pam.d/ +@@ -108,9 +108,9 @@ pasv_max_port=30999 + These put a port range on passive FTP incoming requests - very useful if + you are configuring a firewall. + +-Copy the example vsftpd.conf file to /etc: ++Copy the example vsftpd.conf file to /etc/vsftpd: + +-cp vsftpd.conf /etc/ ++cp vsftpd.conf /etc/vsftpd/ + + + Step 5) Start up vsftpd. +diff --git a/FAQ b/FAQ +index 59fe56b..0142a0d 100644 +--- a/FAQ ++++ b/FAQ +@@ -35,7 +35,7 @@ needs this user to run bits of itself with no privilege. + Q) Help! Local users cannot log in. + A) There are various possible problems. + A1) By default, vsftpd disables any logins other than anonymous logins. Put +-local_enable=YES in your /etc/vsftpd.conf to allow local users to log in. ++local_enable=YES in your /etc/vsftpd/vsftpd.conf to allow local users to log in. + A2) vsftpd tries to link with PAM. 
(Run "ldd vsftpd" and look for libpam to + find out whether this has happened or not). If vsftpd links with PAM, then + you will need to have a PAM file installed for the vsftpd service. There is +@@ -47,12 +47,12 @@ system have a "shadow.h" file in the include path? + A4) If you are not using PAM, then vsftpd will do its own check for a valid + user shell in /etc/shells. You may need to disable this if you use an invalid + shell to disable logins other than FTP logins. Put check_shell=NO in your +-/etc/vsftpd.conf. ++/etc/vsftpd/vsftpd.conf. + + Q) Help! Uploads or other write commands give me "500 Unknown command.". + A) By default, write commands, including uploads and new directories, are + disabled. This is a security measure. To enable writes, put write_enable=YES +-in your /etc/vsftpd.conf. ++in your /etc/vsftpd/vsftpd.conf. + + Q) Help! What are the security implications referred to in the + "chroot_local_user" option? +@@ -88,7 +88,7 @@ A2) Alternatively, run as many copies as vsftpd as necessary, in standalone + mode. Use "listen_address=x.x.x.x" to set the virtual IP. + + Q) Help! Does vsftpd support virtual users? +-A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd.conf. This ++A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd/vsftpd.conf. This + has the effect of mapping every non-anonymous successful login to the local + username specified in "guest_username". Then, use PAM and (e.g.) its pam_userdb + module to provide authentication against an external (i.e. non-/etc/passwd) +diff --git a/INSTALL b/INSTALL +index 4f811aa..93a8a81 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -56,14 +56,14 @@ cp vsftpd.8 /usr/local/man/man8 + + "make install" doesn't copy the sample config file. It is recommended you + do this: +-cp vsftpd.conf /etc ++cp vsftpd.conf /etc/vsftpd + + Step 4) Smoke test (without an inetd). + + vsftpd can run standalone or via an inetd (such as inetd or xinetd). 
You will + typically get more control running vsftpd from an inetd. But first we will run + it without, so we can check things are going well so far. +-Edit /etc/vsftpd.conf, and add this line at the bottom: ++Edit /etc/vsftpd/vsftpd.conf, and add this line at the bottom: + + listen=YES + +@@ -135,11 +135,11 @@ cp RedHat/vsftpd.pam /etc/pam.d/ftp + Step 7) Customize your configuration + + As well as the above three pre-requisites, you are recommended to install a +-config file. The default location for the config file is /etc/vsftpd.conf. ++config file. The default location for the config file is /etc/vsftpd/vsftpd.conf. + There is a sample vsftpd.conf in the distribution tarball. You probably want +-to copy that to /etc/vsftpd.conf as a basis for modification, i.e.: ++to copy that to /etc/vsftpd/vsftpd.conf as a basis for modification, i.e.: + +-cp vsftpd.conf /etc ++cp vsftpd.conf /etc/vsftpd + + The default configuration allows neither local user logins nor anonymous + uploads. You may wish to change these defaults. +diff --git a/README b/README +index 86643c1..adc7f42 100644 +--- a/README ++++ b/README +@@ -37,3 +37,8 @@ All configuration options are documented in the manual page vsftpd.conf.5. + Various example configurations are discussed in the EXAMPLE directory. + Frequently asked questions are tackled in the FAQ file. + ++Important Note ++============== ++The location of configuration files was changed to /etc/vsftpd/. 
If you want ++to migrate your old conf files from /etc (files vsftpd.xxxx.rpmsave) use ++/etc/vsfptd/vsftpd_conf_migrate.sh +diff --git a/defs.h b/defs.h +index 0ff5864..ca11eac 100644 +--- a/defs.h ++++ b/defs.h +@@ -1,7 +1,7 @@ + #ifndef VSF_DEFS_H + #define VSF_DEFS_H + +-#define VSFTP_DEFAULT_CONFIG "/etc/vsftpd.conf" ++#define VSFTP_DEFAULT_CONFIG "/etc/vsftpd/vsftpd.conf" + + #define VSFTP_COMMAND_FD 0 + +diff --git a/tunables.c b/tunables.c +index 284a10d..0ac4c34 100644 +--- a/tunables.c ++++ b/tunables.c +@@ -190,7 +190,7 @@ tunables_load_defaults() + tunable_listen_ipv6 = 0; + tunable_dual_log_enable = 0; + tunable_syslog_enable = 0; +- tunable_background = 0; ++ tunable_background = 1; + tunable_virtual_use_local_privs = 0; + tunable_session_support = 0; + tunable_download_enable = 1; +@@ -262,11 +262,11 @@ tunables_load_defaults() + install_str_setting(".message", &tunable_message_file); + install_str_setting("nobody", &tunable_nopriv_user); + install_str_setting(0, &tunable_ftpd_banner); +- install_str_setting("/etc/vsftpd.banned_emails", &tunable_banned_email_file); +- install_str_setting("/etc/vsftpd.chroot_list", &tunable_chroot_list_file); ++ install_str_setting("/etc/vsftpd/banned_emails", &tunable_banned_email_file); ++ install_str_setting("/etc/vsftpd/chroot_list", &tunable_chroot_list_file); + install_str_setting("ftp", &tunable_pam_service_name); + install_str_setting("ftp", &tunable_guest_username); +- install_str_setting("/etc/vsftpd.user_list", &tunable_userlist_file); ++ install_str_setting("/etc/vsftpd/user_list", &tunable_userlist_file); + install_str_setting(0, &tunable_anon_root); + install_str_setting(0, &tunable_local_root); + install_str_setting(0, &tunable_banner_file); +@@ -279,7 +279,7 @@ tunables_load_defaults() + install_str_setting(0, &tunable_hide_file); + install_str_setting(0, &tunable_deny_file); + install_str_setting(0, &tunable_user_sub_token); +- install_str_setting("/etc/vsftpd.email_passwords", ++ 
install_str_setting("/etc/vsftpd/email_passwords", + &tunable_email_password_file); + install_str_setting("/usr/share/ssl/certs/vsftpd.pem", + &tunable_rsa_cert_file); +diff --git a/vsftpd.8 b/vsftpd.8 +index 6640b57..c920e7d 100644 +--- a/vsftpd.8 ++++ b/vsftpd.8 +@@ -21,7 +21,7 @@ itself will listen on the network. This latter mode is easier to use, and + recommended. It is activated by setting + .Pa listen=YES + in +-.Pa /etc/vsftpd.conf . ++.Pa /etc/vsftpd/vsftpd.conf . + Direct execution of the + .Nm vsftpd + binary will then launch the FTP service ready for immediate client connections. +@@ -33,7 +33,7 @@ as root. Any command line option not starting with a "-" character is treated + as a config file that will be loaded. Note that config files are loaded in the + strict order that they are encountered on the command line. + If no config files are specified, the default configuration file of +-.Pa /etc/vsftpd.conf ++.Pa /etc/vsftpd/vsftpd.conf + will be loaded, after all other command line options are processed. + .Pp + Supported options are: +@@ -47,14 +47,14 @@ their appearance on the command line, including intermingling with loading of + config files. + .El + .Sh EXAMPLES +-vsftpd -olisten=NO /etc/vsftpd.conf -oftpd_banner=blah ++vsftpd -olisten=NO /etc/vsftpd/vsftpd.conf -oftpd_banner=blah + .Pp + That example overrides vsftpd's built-in default for the "listen" option to be +-NO, but then loads /etc/vsftpd.conf which may override that setting. Finally, ++NO, but then loads /etc/vsftpd/vsftpd.conf which may override that setting. Finally, + the "ftpd_banner" setting is set to "blah", which overrides any default vsftpd + setting and any identical setting that was in the config file. 
+ .Sh FILES +-.Pa /etc/vsftpd.conf ++.Pa /etc/vsftpd/vsftpd.conf + .Sh SEE ALSO + .Xr vsftpd.conf 5 + .end +diff --git a/vsftpd.conf b/vsftpd.conf +index cc1c607..db44170 100644 +--- a/vsftpd.conf ++++ b/vsftpd.conf +@@ -1,4 +1,4 @@ +-# Example config file /etc/vsftpd.conf ++# Example config file /etc/vsftpd/vsftpd.conf + # + # The default compiled in settings are fairly paranoid. This sample file + # loosens things up a bit, to make the ftp daemon more usable. +@@ -12,18 +12,20 @@ + anonymous_enable=YES + # + # Uncomment this to allow local users to log in. +-#local_enable=YES ++# When SELinux is enforcing check for SE bool ftp_home_dir ++local_enable=YES + # + # Uncomment this to enable any form of FTP write command. +-#write_enable=YES ++write_enable=YES + # + # Default umask for local users is 077. You may wish to change this to 022, + # if your users expect that (022 is used by most other ftpd's) +-#local_umask=022 ++local_umask=022 + # + # Uncomment this to allow the anonymous FTP user to upload files. This only + # has an effect if the above global write enable is activated. Also, you will + # obviously need to create a directory writable by the FTP user. ++# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access + #anon_upload_enable=YES + # + # Uncomment this if you want the anonymous FTP user to be able to create +@@ -52,7 +54,7 @@ connect_from_port_20=YES + # + # If you want, you can have your log file in standard ftpd xferlog format. + # Note that the default log file location is /var/log/xferlog in this case. +-#xferlog_std_format=YES ++xferlog_std_format=YES + # + # You may change the default value for timing out an idle session. + #idle_session_timeout=600 +@@ -87,7 +89,7 @@ connect_from_port_20=YES + # useful for combatting certain DoS attacks. 
+ #deny_email_enable=YES + # (default follows) +-#banned_email_file=/etc/vsftpd.banned_emails ++#banned_email_file=/etc/vsftpd/banned_emails + # + # You may specify an explicit list of local users to chroot() to their home + # directory. If chroot_local_user is YES, then this list becomes a list of +@@ -98,7 +100,7 @@ connect_from_port_20=YES + #chroot_local_user=YES + #chroot_list_enable=YES + # (default follows) +-#chroot_list_file=/etc/vsftpd.chroot_list ++#chroot_list_file=/etc/vsftpd/chroot_list + # + # You may activate the "-R" option to the builtin ls. This is disabled by + # default to avoid remote users being able to cause excessive I/O on large +@@ -115,3 +117,7 @@ listen=YES + # sockets, you must run two copies of vsftpd with two configuration files. + # Make sure, that one of the listen options is commented !! + #listen_ipv6=YES ++ ++pam_service_name=vsftpd ++userlist_enable=YES ++tcp_wrappers=YES +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index fcc6022..5e46a2f 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -4,7 +4,7 @@ vsftpd.conf \- config file for vsftpd + .SH DESCRIPTION + vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By + default, vsftpd looks for this file at the location +-.BR /etc/vsftpd.conf . ++.BR /etc/vsftpd/vsftpd.conf . + However, you may override this by specifying a command line argument to + vsftpd. The command line argument is the pathname of the configuration file + for vsftpd. This behaviour is useful because you may wish to use an advanced +@@ -110,7 +110,7 @@ When enabled, and vsftpd is started in "listen" mode, vsftpd will background + the listener process. i.e. control will immediately be returned to the shell + which launched vsftpd. + +-Default: NO ++Default: YES + .TP + .B check_shell + Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, +@@ -138,7 +138,7 @@ chroot() jail in their home directory upon login. 
The meaning is slightly + different if chroot_local_user is set to YES. In this case, the list becomes + a list of users which are NOT to be placed in a chroot() jail. + By default, the file containing this list is +-/etc/vsftpd.chroot_list, but you may override this with the ++/etc/vsftpd/chroot_list, but you may override this with the + .BR chroot_list_file + setting. + +@@ -177,7 +177,7 @@ Default: NO + .B deny_email_enable + If activated, you may provide a list of anonymous password e-mail responses + which cause login to be denied. By default, the file containing this list is +-/etc/vsftpd.banned_emails, but you may override this with the ++/etc/vsftpd/banned_emails, but you may override this with the + .BR banned_email_file + setting. + +@@ -433,7 +433,7 @@ anonymous logins are prevented unless the password provided is listed in the + file specified by the + .BR email_password_file + setting. The file format is one password per line, no extra whitespace. The +-default filename is /etc/vsftpd.email_passwords. ++default filename is /etc/vsftpd/email_passwords. + + Default: NO + .TP +@@ -764,7 +764,7 @@ passwords which are not permitted. This file is consulted if the option + .BR deny_email_enable + is enabled. + +-Default: /etc/vsftpd.banned_emails ++Default: /etc/vsftpd/banned_emails + .TP + .B banner_file + This option is the name of a file containing text to display when someone +@@ -803,7 +803,7 @@ is enabled. If the option + is enabled, then the list file becomes a list of users to NOT place in a + chroot() jail. + +-Default: /etc/vsftpd.chroot_list ++Default: /etvsftpd.confc/vsftpd.chroot_list + .TP + .B cmds_allowed + This options specifies a comma separated list of allowed FTP commands (post +@@ -864,7 +864,7 @@ This option can be used to provide an alternate file for usage by the + .BR secure_email_list_enable + setting. 
+ +-Default: /etc/vsftpd.email_passwords ++Default: /etc/vsftpd/email_passwords + .TP + .B ftp_username + This is the name of the user we use for handling anonymous FTP. The home +@@ -987,10 +987,10 @@ the manual page, on a per-user basis. Usage is simple, and is best illustrated + with an example. If you set + .BR user_config_dir + to be +-.BR /etc/vsftpd_user_conf ++.BR /etc/vsftpd/user_conf + and then log on as the user "chris", then vsftpd will apply the settings in + the file +-.BR /etc/vsftpd_user_conf/chris ++.BR /etc/vsftpd/user_conf/chris + for the duration of the session. The format of this file is as detailed in + this manual page! PLEASE NOTE that not all settings are effective on a + per-user basis. For example, many settings only prior to the user's session +@@ -1026,7 +1026,7 @@ This option is the name of the file loaded when the + .BR userlist_enable + option is active. + +-Default: /etc/vsftpd.user_list ++Default: /etc/vsftpd/user_list + .TP + .B vsftpd_log_file + This option is the name of the file to which we write the vsftpd style +-- +2.7.4 + diff --git a/0005-Use-hostname-when-calling-PAM-authentication-module.patch b/0005-Use-hostname-when-calling-PAM-authentication-module.patch new file mode 100644 index 0000000..7d8d7de --- /dev/null +++ b/0005-Use-hostname-when-calling-PAM-authentication-module.patch 
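Review bot: The new chroot_list_file default in vsftpd.conf.5 is garbled — `Default: /etvsftpd.confc/vsftpd.chroot_list` looks like an editor paste landed inside the path and should read `Default: /etc/vsftpd/chroot_list`, matching the tunables.c default set in the same patch. The README addition has a similar slip, `/etc/vsfptd/vsftpd_conf_migrate.sh`, where the directory should be `/etc/vsftpd/`. In vsftpd.conf the lines `local_enable=YES`, `write_enable=YES` and `local_umask=022` are now active while the comments above them still say "Uncomment this to ...", so those comments need rewording, and together with `tunable_background = 1` (default NO→YES in the man page) this is a behaviour change that the subject line, which only mentions the directory move, does not announce — a note in the commit message or a comment next to the shipped defaults would help the next packager.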
@@ -0,0 +1,75 @@ +From 08c49b78942d40c99fae8c40e7668aa73e1bd695 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Tue, 6 Sep 2016 15:01:23 +0200 +Subject: [PATCH 05/33] Use hostname when calling PAM authentication module. + +Currently the vsftpd passes all logins as IP addresses +into PAM. This prevents administrators from setting up +ACLs based on domain (e.g. .example.com). This patch +enables reverse host lookup and use hostname instead +of address if there is one. +--- + sysdeputil.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/sysdeputil.c b/sysdeputil.c +index 06f01f4..b2782da 100644 +--- a/sysdeputil.c ++++ b/sysdeputil.c +@@ -16,6 +16,10 @@ + #include "tunables.h" + #include "builddefs.h" + ++/* For gethostbyaddr, inet_addr */ ++#include ++#include ++ + /* For Linux, this adds nothing :-) */ + #include "port/porting_junk.h" + +@@ -323,6 +327,10 @@ vsf_sysdep_check_auth(struct mystr* p_user_str, + const struct mystr* p_remote_host) + { + int retval = -1; ++#ifdef PAM_RHOST ++ struct sockaddr_in sin; ++ struct hostent *host; ++#endif + pam_item_t item; + const char* pam_user_name = 0; + struct pam_conv the_conv = +@@ -346,7 +354,12 @@ vsf_sysdep_check_auth(struct mystr* p_user_str, + return 0; + } + #ifdef PAM_RHOST +- retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host)); ++ sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host)); ++ host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET); ++ if (host != (struct hostent*)0) ++ retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name); ++ else ++ retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host)); + if (retval != PAM_SUCCESS) + { + (void) pam_end(s_pamh, retval); +@@ -559,7 +572,7 @@ vsf_sysdep_has_capabilities(void) + } + return s_runtime_has_caps; + } +- ++ + #ifndef VSF_SYSDEP_HAVE_LIBCAP + static int + do_checkcap(void) +@@ -1081,7 +1094,7 @@ vsf_sysutil_recv_fd(const int sock_fd) + msg.msg_flags = 
0; + /* In case something goes wrong, set the fd to -1 before the syscall */ + p_fd = (int*)CMSG_DATA(CMSG_FIRSTHDR(&msg)); +- *p_fd = -1; ++ *p_fd = -1; + retval = recvmsg(sock_fd, &msg, 0); + if (retval != 1) + { +-- +2.7.4 + diff --git a/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch b/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch new file mode 100644 index 0000000..22af9be --- /dev/null +++ b/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch @@ -0,0 +1,35 @@ +From 423cbf4ddca6578b87e0f8a3fc425688cd1ca89c Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Tue, 6 Sep 2016 16:18:39 +0200 +Subject: [PATCH 06/33] Close stdin/out/err before listening for incoming + connections. + +When running vsftpd as a stand-alone FTP daemon, vsftpd +did not close stdin/out/err. This caused the start script +to hang waiting for stdin to close. Before this patch was +applied, one had to hit ctrl+c in order to get shell prompt +back. Correct behavior: +$ /etc/init.d/vsftpd start | tee +Starting vsftpd for vsftpd: [ OK ] +$ +--- + standalone.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/standalone.c b/standalone.c +index ba01ab1..e0f2d5b 100644 +--- a/standalone.c ++++ b/standalone.c +@@ -130,6 +130,9 @@ vsf_standalone_main(void) + die("could not bind listening IPv6 socket"); + } + } ++ vsf_sysutil_close(0); ++ vsf_sysutil_close(1); ++ vsf_sysutil_close(2); + retval = vsf_sysutil_listen(listen_sock, VSFTP_LISTEN_BACKLOG); + if (vsf_sysutil_retval_is_error(retval)) + { +-- +2.7.4 + diff --git a/0007-Make-filename-filters-smarter.patch b/0007-Make-filename-filters-smarter.patch new file mode 100644 index 0000000..21c7b78 --- /dev/null +++ b/0007-Make-filename-filters-smarter.patch 
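Review bot: The PTR name returned by gethostbyaddr() is handed to PAM_RHOST without checking that it resolves back to the client address, so whoever controls the reverse zone for the client IP picks the hostname that PAM-based ACLs will see; forward-confirm the name (look it up with getaddrinfo() and require the original address among the results) and fall back to the raw address otherwise, as sketched below. The lookup is also IPv4-only — for an IPv6 peer inet_addr() yields INADDR_NONE and the fallback branch applies silently — and a slow PTR lookup now sits on the login path, both of which deserve a comment. The two whitespace-only changes further down (the blank line after vsf_sysdep_has_capabilities() and the `*p_fd = -1;` line) are unrelated to the PAM change and would be cleaner in a separate patch. vsf_sysdep_check_auth() starts and ends outside the hunk.
```c
/* Returns 1 if `name` forward-resolves (A record) to `addr`, i.e. the
 * reverse lookup is forward-confirmed; 0 otherwise or on lookup failure. */
static int
name_resolves_to(const char* name, const struct in_addr* addr)
{
  struct addrinfo hints = { 0 };
  struct addrinfo* res = 0;
  struct addrinfo* p;
  int found = 0;
  hints.ai_family = AF_INET;
  if (getaddrinfo(name, 0, &hints, &res) != 0)
  {
    return 0;
  }
  for (p = res; p != 0 && !found; p = p->ai_next)
  {
    const struct sockaddr_in* sa = (const struct sockaddr_in*)p->ai_addr;
    found = (sa->sin_addr.s_addr == addr->s_addr);
  }
  freeaddrinfo(res);
  return found;
}

/* … unchanged: vsf_sysdep_check_auth() up to the PAM_RHOST block … */
#ifdef PAM_RHOST
  sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host));
  host = gethostbyaddr((char*)&sin.sin_addr.s_addr, sizeof(struct in_addr), AF_INET);
  /* Only trust the PTR name when it forward-resolves to the peer address;
   * otherwise PAM sees the raw address, exactly as before this patch. */
  if (host != (struct hostent*)0 && name_resolves_to(host->h_name, &sin.sin_addr))
    retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name);
  else
    retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
```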
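Review bot: Closing descriptors 0–2 outright leaves them free for the next descriptor the process opens, so a client socket accepted later in this function could land on fd 0/1/2 and any subsequent write to stdout/stderr (a die() message, for instance) would likely go to the remote client; the usual daemonisation step is to reopen /dev/null onto those descriptors (open() plus dup2() for 0, 1 and 2) rather than close them. A one-line comment stating why this happens before listen() — the commit message explains that the init script otherwise hangs waiting for stdin/stdout to close — would keep that reasoning with the code. vsf_standalone_main() starts and ends outside the hunk.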
@@ -0,0 +1,102 @@ +From 548375b2122f83771dc0b8571f16e5b5adabba98 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Wed, 7 Sep 2016 10:04:31 +0200 +Subject: [PATCH 07/33] Make filename filters smarter. + +In the original version vsftpd was not able to prevent +users from downloading for instance /etc/passwd by +defining filters such as deny_file=/etc/passwd or /etc* +or passwd. Example of erroneous behavior: +230 Login successful. +Remote system type is UNIX. +Using binary mode to transfer files. +ftp> cd / +250 Directory successfully changed. +ftp> cd /etc +550 Permission denied. +ftp> cd etc +250 Directory successfully changed. +ftp> get passwd +local: passwd remote: passwd +227 Entering Passive Mode (127,0,0,1,99,251) +150 Opening BINARY mode data connection for passwd (2813 bytes). +226 File send OK. +2813 bytes received in 0.00016 seconds (1.7e+04 Kbytes/s) +ftp> quit +221 Goodbye. +--- + ls.c | 24 +++++++++++++++++++++++- + str.c | 11 +++++++++++ + str.h | 1 + + 3 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/ls.c b/ls.c +index 7e1376d..f489478 100644 +--- a/ls.c ++++ b/ls.c +@@ -246,8 +246,30 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, + int ret = 0; + char last_token = 0; + int must_match_at_current_pos = 1; ++ ++ + str_copy(&filter_remain_str, p_filter_str); +- str_copy(&name_remain_str, p_filename_str); ++ ++ if (!str_isempty (&filter_remain_str) && !str_isempty(p_filename_str)) { ++ if (str_get_char_at(p_filter_str, 0) == '/') { ++ if (str_get_char_at(p_filename_str, 0) != '/') { ++ str_getcwd (&name_remain_str); ++ ++ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */ ++ str_append_char (&name_remain_str, '/'); ++ ++ str_append_str (&name_remain_str, p_filename_str); ++ } ++ else ++ str_copy (&name_remain_str, p_filename_str); ++ } else { ++ if (str_get_char_at(p_filter_str, 0) != '{') ++ str_basename (&name_remain_str, p_filename_str); ++ else ++ str_copy (&name_remain_str, p_filename_str); ++ } ++ } 
else ++ str_copy(&name_remain_str, p_filename_str); + + while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX) + { +diff --git a/str.c b/str.c +index 6596204..ba4b92a 100644 +--- a/str.c ++++ b/str.c +@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_str, char new_char) + } + } + ++void ++str_basename (struct mystr* d_str, const struct mystr* path) ++{ ++ static struct mystr tmp; ++ ++ str_copy (&tmp, path); ++ str_split_char_reverse(&tmp, d_str, '/'); ++ ++ if (str_isempty(d_str)) ++ str_copy (d_str, path); ++} +diff --git a/str.h b/str.h +index ab0a9a4..3a21b50 100644 +--- a/str.h ++++ b/str.h +@@ -100,6 +100,7 @@ void str_replace_unprintable(struct mystr* p_str, char new_char); + int str_atoi(const struct mystr* p_str); + filesize_t str_a_to_filesize_t(const struct mystr* p_str); + unsigned int str_octal_to_uint(const struct mystr* p_str); ++void str_basename (struct mystr* d_str, const struct mystr* path); + + /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string + * buffer, starting at character position 'p_pos'. The extracted line will +-- +2.7.4 + diff --git a/0008-Write-denied-logins-into-the-log.patch b/0008-Write-denied-logins-into-the-log.patch new file mode 100644 index 0000000..7a927ef --- /dev/null +++ b/0008-Write-denied-logins-into-the-log.patch 
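Review bot: str_basename() keeps its scratch buffer in a function-level `static struct mystr tmp` that is never freed and persists across calls; a local `struct mystr tmp = INIT_MYSTR;` with `str_free(&tmp);` before returning matches how the rest of the tree handles temporaries (the prelogin.c change in patch 0008 does exactly that) and removes the hidden state. The comparison in vsf_filename_passes_filter() remains textual — the absolute name is built by concatenating the cwd and the argument, so `.` and `..` segments are not collapsed before matching — which is worth either canonicalising or stating plainly in a comment so nobody assumes otherwise. The new prototype in str.h also lacks the PURPOSE block the surrounding declarations carry; something like `/* PURPOSE: Copy the final path component of 'path' into 'd_str'; if 'path' contains no '/', copy it unchanged. */` would do. The start of vsf_filename_passes_filter() lies outside the hunk.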
@@ -0,0 +1,147 @@ +From 75c172596aa9e7a9f32062579f7f98783341c924 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Wed, 7 Sep 2016 10:17:17 +0200 +Subject: [PATCH 08/33] Write denied logins into the log. + +This patch adds a new option 'userlist_log'. If enabled, +every login denial based on the user list will be logged. +--- + logging.c | 7 +++++++ + logging.h | 11 +++++++++++ + parseconf.c | 1 + + prelogin.c | 14 ++++++++++++++ + tunables.c | 2 ++ + tunables.h | 1 + + vsftpd.conf.5 | 8 ++++++++ + 7 files changed, 44 insertions(+) + +diff --git a/logging.c b/logging.c +index ad531d6..99671b4 100644 +--- a/logging.c ++++ b/logging.c +@@ -103,6 +103,13 @@ vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what, + vsf_log_common(p_sess, 1, what, p_str); + } + ++void ++vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what, ++ struct mystr* p_str) ++{ ++ vsf_log_common(p_sess, 0, what, p_str); ++} ++ + int + vsf_log_entry_pending(struct vsf_session* p_sess) + { +diff --git a/logging.h b/logging.h +index 48f88ec..1ff57d1 100644 +--- a/logging.h ++++ b/logging.h +@@ -80,5 +80,16 @@ void vsf_log_do_log(struct vsf_session* p_sess, int succeeded); + void vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what, + struct mystr* p_str); + ++/* vsf_log_failed_line() ++ * PURPOSE ++ * Same as vsf_log_line(), except that it logs the line as failed operation. 
++ * PARAMETERS ++ * p_sess - the current session object ++ * what - the type of operation to log ++ * p_str - the string to log ++ */ ++void vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what, ++ struct mystr* p_str); ++ + #endif /* VSF_LOGGING_H */ + +diff --git a/parseconf.c b/parseconf.c +index ea2242b..385afd2 100644 +--- a/parseconf.c ++++ b/parseconf.c +@@ -91,6 +91,7 @@ parseconf_bool_array[] = + { "mdtm_write", &tunable_mdtm_write }, + { "lock_upload_files", &tunable_lock_upload_files }, + { "pasv_addr_resolve", &tunable_pasv_addr_resolve }, ++ { "userlist_log", &tunable_userlist_log }, + { "debug_ssl", &tunable_debug_ssl }, + { "require_cert", &tunable_require_cert }, + { "validate_cert", &tunable_validate_cert }, +diff --git a/prelogin.c b/prelogin.c +index df4aade..1588bc1 100644 +--- a/prelogin.c ++++ b/prelogin.c +@@ -246,6 +246,20 @@ handle_user_command(struct vsf_session* p_sess) + check_login_delay(); + vsf_cmdio_write(p_sess, FTP_LOGINERR, "Permission denied."); + check_login_fails(p_sess); ++ if (tunable_userlist_log) ++ { ++ struct mystr str_log_line = INIT_MYSTR; ++ if (tunable_userlist_deny) ++ { ++ str_alloc_text(&str_log_line, "User is in the deny user list."); ++ } ++ else ++ { ++ str_alloc_text(&str_log_line, "User is not in the allow user list."); ++ } ++ vsf_log_failed_line(p_sess, kVSFLogEntryLogin, &str_log_line); ++ str_free(&str_log_line); ++ } + str_empty(&p_sess->user_str); + return; + } +diff --git a/tunables.c b/tunables.c +index 0ac4c34..b30fca1 100644 +--- a/tunables.c ++++ b/tunables.c +@@ -72,6 +72,7 @@ int tunable_force_anon_data_ssl; + int tunable_mdtm_write; + int tunable_lock_upload_files; + int tunable_pasv_addr_resolve; ++int tunable_userlist_log; + int tunable_debug_ssl; + int tunable_require_cert; + int tunable_validate_cert; +@@ -212,6 +213,7 @@ tunables_load_defaults() + tunable_mdtm_write = 1; + tunable_lock_upload_files = 1; + tunable_pasv_addr_resolve = 0; ++ tunable_userlist_log = 0; + 
tunable_debug_ssl = 0; + tunable_require_cert = 0; + tunable_validate_cert = 0; +diff --git a/tunables.h b/tunables.h +index 05d2456..e44d64c 100644 +--- a/tunables.h ++++ b/tunables.h +@@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ + extern int tunable_mdtm_write; /* Allow MDTM to set timestamps */ + extern int tunable_lock_upload_files; /* Lock uploading files */ + extern int tunable_pasv_addr_resolve; /* DNS resolve pasv_addr */ ++extern int tunable_userlist_log; /* Log every failed login attempt */ + extern int tunable_debug_ssl; /* Verbose SSL logging */ + extern int tunable_require_cert; /* SSL client cert required */ + extern int tunable_validate_cert; /* SSL certs must be valid */ +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index 5e46a2f..9d767b1 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -588,6 +588,14 @@ Self-signed certs do not constitute OK validation. (New in v2.0.6). + + Default: NO + .TP ++.B userlist_log ++This option is examined if ++.BR userlist_enable ++is activated. If enabled, every login denial based on the user list will be ++logged. ++ ++Default: NO ++.TP + .B virtual_use_local_privs + If enabled, virtual users will use the same privileges as local users. By + default, virtual users will use the same privileges as anonymous users, which +-- +2.7.4 + diff --git a/0009-Trim-whitespaces-when-reading-configuration.patch b/0009-Trim-whitespaces-when-reading-configuration.patch new file mode 100644 index 0000000..6aa8c70 --- /dev/null +++ b/0009-Trim-whitespaces-when-reading-configuration.patch 
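Review bot: The comment added to tunables.h, `/* Log every failed login attempt */`, over-states what the option does: per the prelogin.c change and the vsftpd.conf.5 text only denials produced by the user list are logged, so `/* Log logins denied by the user list */` would be accurate. In prelogin.c the log call sits before `str_empty(&p_sess->user_str)`; if vsf_log_common() reports the session user (not visible here), that ordering is load-bearing and deserves a one-line comment so a later refactor does not move it. vsf_log_failed_line() is vsf_log_line() with the success flag flipped; a short comment in logging.c pointing at the shared vsf_log_common() keeps the pair visibly in sync. handle_user_command() begins outside the hunk.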
@@ -0,0 +1,99 @@ +From d024bc27cee40f21e6a3841266062408c44e56fb Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Wed, 7 Sep 2016 10:35:54 +0200 +Subject: [PATCH 09/33] Trim whitespaces when reading configuration. + +--- + parseconf.c | 2 +- + str.c | 12 ++++++++++++ + str.h | 1 + + sysutil.c | 12 ++++++++++++ + sysutil.h | 1 + + 5 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/parseconf.c b/parseconf.c +index 385afd2..30df598 100644 +--- a/parseconf.c ++++ b/parseconf.c +@@ -280,7 +280,7 @@ vsf_parseconf_load_setting(const char* p_setting, int errs_fatal) + } + else + { +- *p_curr_setting = str_strdup(&s_value_str); ++ *p_curr_setting = str_strdup_trimmed(&s_value_str); + } + return; + } +diff --git a/str.c b/str.c +index ba4b92a..41b27db 100644 +--- a/str.c ++++ b/str.c +@@ -104,6 +104,18 @@ str_strdup(const struct mystr* p_str) + return vsf_sysutil_strdup(str_getbuf(p_str)); + } + ++const char* ++str_strdup_trimmed(const struct mystr* p_str) ++{ ++ const char* p_trimmed = str_getbuf(p_str); ++ int h, t, newlen; ++ ++ for (h = 0; h < (int)str_getlen(p_str) && vsf_sysutil_isspace(p_trimmed[h]); h++) ; ++ for (t = str_getlen(p_str) - 1; t >= 0 && vsf_sysutil_isspace(p_trimmed[t]); t--) ; ++ newlen = t - h + 1; ++ return newlen ? 
vsf_sysutil_strndup(p_trimmed+h, (unsigned int)newlen) : 0L; ++} ++ + void + str_alloc_alt_term(struct mystr* p_str, const char* p_src, char term) + { +diff --git a/str.h b/str.h +index 3a21b50..44270da 100644 +--- a/str.h ++++ b/str.h +@@ -31,6 +31,7 @@ void str_alloc_ulong(struct mystr* p_str, unsigned long the_ulong); + void str_alloc_filesize_t(struct mystr* p_str, filesize_t the_filesize); + void str_copy(struct mystr* p_dest, const struct mystr* p_src); + const char* str_strdup(const struct mystr* p_str); ++const char* str_strdup_trimmed(const struct mystr* p_str); + void str_empty(struct mystr* p_str); + void str_free(struct mystr* p_str); + void str_trunc(struct mystr* p_str, unsigned int trunc_len); +diff --git a/sysutil.c b/sysutil.c +index 5cdb6ef..428a34a 100644 +--- a/sysutil.c ++++ b/sysutil.c +@@ -1035,6 +1035,18 @@ vsf_sysutil_strdup(const char* p_str) + return strdup(p_str); + } + ++char* ++vsf_sysutil_strndup(const char* p_str, unsigned int p_len) ++{ ++ char *new = (char *)malloc(p_len+1); ++ ++ if (new == NULL) ++ return NULL; ++ ++ new[p_len]='\0'; ++ return (char *)memcpy(new, p_str, p_len); ++} ++ + void + vsf_sysutil_memclr(void* p_dest, unsigned int size) + { +diff --git a/sysutil.h b/sysutil.h +index c34778c..c2ddd15 100644 +--- a/sysutil.h ++++ b/sysutil.h +@@ -186,6 +186,7 @@ int vsf_sysutil_wait_get_exitcode( + /* Various string functions */ + unsigned int vsf_sysutil_strlen(const char* p_text); + char* vsf_sysutil_strdup(const char* p_str); ++char* vsf_sysutil_strndup(const char* p_str, unsigned int p_len); + void vsf_sysutil_memclr(void* p_dest, unsigned int size); + void vsf_sysutil_memcpy(void* p_dest, const void* p_src, + const unsigned int size); +-- +2.7.4 + diff --git a/0010-Improve-daemonizing.patch b/0010-Improve-daemonizing.patch new file mode 100644 index 0000000..366bee6 --- /dev/null +++ b/0010-Improve-daemonizing.patch 
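Review bot: `str_strdup_trimmed` computes a negative `newlen` for a value that is entirely whitespace — `h` runs up to the length while `t` stops at -1 — and the `(unsigned int)newlen` cast then hands a huge length to `vsf_sysutil_strndup`; for a single-space value `newlen` is -1, so `p_len+1` wraps to 0 and `new[p_len] = '\0'` writes far outside a zero-size allocation, i.e. a config line such as `foo= ` crashes the parser at startup. Guard the computation as `newlen = (t >= h) ? t - h + 1 : 0;`. The function also returns NULL for an empty or blank value where `str_strdup` returned an empty string, so every consumer of `*p_curr_setting` that assumed a non-NULL pointer for a present setting needs checking; `vsf_parseconf_load_setting` continues outside the hunk. In `vsf_sysutil_strndup`, `p_len+1` should be checked against overflow before the `malloc`, or the parameter widened to `size_t`, so the wrap above cannot recur from another caller.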
@@ -0,0 +1,209 @@ +From 569e7078244470ac0fcc2af3947c2735338555ec Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Wed, 7 Sep 2016 11:29:29 +0200 +Subject: [PATCH 10/33] Improve daemonizing + +Init script gets correct return code if binding fails. +--- + standalone.c | 38 +++++++++++++++++++++++++++++++++++++- + sysutil.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + sysutil.h | 7 ++++++- + 3 files changed, 102 insertions(+), 2 deletions(-) + +diff --git a/standalone.c b/standalone.c +index e0f2d5b..3b65ea2 100644 +--- a/standalone.c ++++ b/standalone.c +@@ -26,6 +26,8 @@ static unsigned int s_ipaddr_size; + + static void handle_sigchld(void* duff); + static void handle_sighup(void* duff); ++static void handle_sigusr1(int sig); ++static void handle_sigalrm(int sig); + static void prepare_child(int sockfd); + static unsigned int handle_ip_count(void* p_raw_addr); + static void drop_ip_count(void* p_raw_addr); +@@ -46,11 +48,23 @@ vsf_standalone_main(void) + } + if (tunable_background) + { ++ vsf_sysutil_sigaction(kVSFSysUtilSigALRM, handle_sigalrm); ++ vsf_sysutil_sigaction(kVSFSysUtilSigUSR1, handle_sigusr1); ++ + int forkret = vsf_sysutil_fork(); + if (forkret > 0) + { + /* Parent, just exit */ +- vsf_sysutil_exit(0); ++ vsf_sysutil_set_alarm(3); ++ vsf_sysutil_pause(); ++ ++ vsf_sysutil_exit(1); ++ } ++ else if (forkret == 0) ++ { ++ // Son, restore original signal handler ++ vsf_sysutil_sigaction(kVSFSysUtilSigALRM, 0L); ++ vsf_sysutil_sigaction(kVSFSysUtilSigUSR1, 0L); + } + /* Son, close standard FDs to avoid SSH hang-on-exit */ + vsf_sysutil_reopen_standard_fds(); +@@ -99,6 +113,10 @@ vsf_standalone_main(void) + { + die("could not bind listening IPv4 socket"); + } ++ if (tunable_background) ++ { ++ vsf_sysutil_kill(vsf_sysutil_getppid(), kVSFSysUtilSigUSR1); ++ } + } + else + { +@@ -129,6 +147,10 @@ vsf_standalone_main(void) + { + die("could not bind listening IPv6 socket"); + } ++ if (tunable_background) ++ { ++ 
vsf_sysutil_kill(vsf_sysutil_getppid(), kVSFSysUtilSigUSR1); ++ } + } + vsf_sysutil_close(0); + vsf_sysutil_close(1); +@@ -268,6 +290,20 @@ handle_sighup(void* duff) + vsf_parseconf_load_file(0, 0); + } + ++static void ++handle_sigalrm(int sig) ++{ ++ (void)sig; // avoid unused parameter error ++ vsf_sysutil_exit(1); ++} ++ ++static void ++handle_sigusr1(int sig) ++{ ++ (void)sig; // avoid unused parameter error ++ vsf_sysutil_exit(0); ++} ++ + static unsigned int + hash_ip(unsigned int buckets, void* p_key) + { +diff --git a/sysutil.c b/sysutil.c +index 428a34a..c848356 100644 +--- a/sysutil.c ++++ b/sysutil.c +@@ -201,6 +201,9 @@ vsf_sysutil_translate_sig(const enum EVSFSysUtilSignal sig) + case kVSFSysUtilSigHUP: + realsig = SIGHUP; + break; ++ case kVSFSysUtilSigUSR1: ++ realsig = SIGUSR1; ++ break; + default: + bug("unknown signal in vsf_sysutil_translate_sig"); + break; +@@ -549,6 +552,12 @@ vsf_sysutil_getpid(void) + return (unsigned int) s_current_pid; + } + ++unsigned int ++vsf_sysutil_getppid(void) ++{ ++ return (unsigned int)getppid(); ++} ++ + int + vsf_sysutil_fork(void) + { +@@ -2871,3 +2880,53 @@ vsf_sysutil_post_fork() + s_sig_details[i].pending = 0; + } + } ++ ++static struct sigaction sigalr, sigusr1; ++ ++void ++vsf_sysutil_sigaction(const enum EVSFSysUtilSignal sig, void (*p_handlefunc)(int)) ++{ ++ int realsig = vsf_sysutil_translate_sig(sig); ++ int retval; ++ struct sigaction sigact, *origsigact=NULL; ++ if (realsig==SIGALRM) ++ { ++ origsigact = &sigalr; ++ } ++ else if (realsig==SIGUSR1) ++ { ++ origsigact = &sigusr1; ++ } ++ vsf_sysutil_memclr(&sigact, sizeof(sigact)); ++ if (p_handlefunc != NULL) ++ { ++ sigact.sa_handler = p_handlefunc; ++ retval = sigfillset(&sigact.sa_mask); ++ if (retval != 0) ++ { ++ die("sigfillset"); ++ } ++ retval = sigaction(realsig, &sigact, origsigact); ++ } ++ else ++ { ++ retval = sigaction(realsig, origsigact, NULL); ++ } ++ if (retval != 0) ++ { ++ die("sigaction"); ++ } ++} ++ ++int ++vsf_sysutil_kill(int 
pid, int sig) ++{ ++ int realsig = vsf_sysutil_translate_sig(sig); ++ return kill(pid, realsig); ++} ++ ++int ++vsf_sysutil_pause() ++{ ++ return pause(); ++} +diff --git a/sysutil.h b/sysutil.h +index c2ddd15..bfc92cb 100644 +--- a/sysutil.h ++++ b/sysutil.h +@@ -30,7 +30,8 @@ enum EVSFSysUtilSignal + kVSFSysUtilSigCHLD, + kVSFSysUtilSigPIPE, + kVSFSysUtilSigURG, +- kVSFSysUtilSigHUP ++ kVSFSysUtilSigHUP, ++ kVSFSysUtilSigUSR1 + }; + enum EVSFSysUtilInterruptContext + { +@@ -165,6 +166,7 @@ void vsf_sysutil_free(void* p_ptr); + + /* Process creation/exit/process handling */ + unsigned int vsf_sysutil_getpid(void); ++unsigned int vsf_sysutil_getppid(void); + void vsf_sysutil_post_fork(void); + int vsf_sysutil_fork(void); + int vsf_sysutil_fork_failok(void); +@@ -182,6 +184,9 @@ int vsf_sysutil_wait_exited_normally( + const struct vsf_sysutil_wait_retval* p_waitret); + int vsf_sysutil_wait_get_exitcode( + const struct vsf_sysutil_wait_retval* p_waitret); ++void vsf_sysutil_sigaction(const enum EVSFSysUtilSignal sig, void (*p_handlefunc)(int)); ++int vsf_sysutil_kill(int pid, int sig); ++int vsf_sysutil_pause(); + + /* Various string functions */ + unsigned int vsf_sysutil_strlen(const char* p_text); +-- +2.7.4 + diff --git a/0011-Fix-listing-with-more-than-one-star.patch b/0011-Fix-listing-with-more-than-one-star.patch new file mode 100644 index 0000000..bc56d65 --- /dev/null +++ b/0011-Fix-listing-with-more-than-one-star.patch 
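Review bot: In `vsf_standalone_main` the child signals `vsf_sysutil_getppid()` after a successful bind, but if the parent has already exited on its 3-second alarm the child has been reparented and the SIGUSR1 goes to PID 1 (or a subreaper) instead of the original parent; capture the parent's pid into a static before `vsf_sysutil_fork()` with `s_parent_pid = vsf_sysutil_getpid();` and pass that to `vsf_sysutil_kill` at both call sites. `handle_sigalrm` and `handle_sigusr1` call `vsf_sysutil_exit` from a signal handler, which is acceptable only because the parent does nothing but `pause()` after the fork; a comment to that effect, `/* parent only pause()s, so exiting from the handler is safe */`, would stop a later change from moving work into the parent. In `vsf_sysutil_sigaction`, restoring any signal other than ALRM/USR1 reaches `sigaction(realsig, NULL, NULL)`, which silently does nothing rather than reporting the misuse; a `bug()` call for the unexpected signal would be consistent with `vsf_sysutil_translate_sig`. The prototype `int vsf_sysutil_pause();` should read `int vsf_sysutil_pause(void);` like the neighbouring declarations.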
@@ -0,0 +1,38 @@
+From 32e6642640635d7305969f808b5badb706a11bff Mon Sep 17 00:00:00 2001
+From: Martin Sehnoutka
+Date: Wed, 7 Sep 2016 11:36:17 +0200
+Subject: [PATCH 11/33] Fix listing with more than one star '*'.
+
+This is a regression introduced by some previous patch.
+---
+ ls.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/ls.c b/ls.c
+index f489478..616b2d9 100644
+--- a/ls.c
++++ b/ls.c
+@@ -311,6 +311,20 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
+ {
+ goto out;
+ }
++ if (!must_match_at_current_pos && last_token == 0)
++ {
++ struct mystr last_str = INIT_MYSTR;
++ str_mid_to_end(&name_remain_str, &last_str,
++ str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str));
++ locate_result = str_locate_str(&last_str, &s_match_needed_str);
++ str_free(&last_str);
++
++ if (locate_result.found)
++ {
++ ret = 1;
++ }
++ goto out;
++ }
+ /* Chop matched string out of remainder */
+ str_mid_to_end(&name_remain_str, &temp_str,
+ indexx + str_getlen(&s_match_needed_str));
+--
+2.7.4
+
diff --git a/0012-Replace-syscall-__NR_clone-.-with-clone.patch b/0012-Replace-syscall-__NR_clone-.-with-clone.patch
new file mode 100644
index 0000000..de7aba4
--- /dev/null
+++ b/0012-Replace-syscall-__NR_clone-.-with-clone.patch
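Review bot: The added suffix check in `vsf_filename_passes_filter` carries no comment explaining why the first occurrence located by `str_locate_str` is not sufficient, which is the whole point of the fix; I would put `/* Trailing literal after a '*' must match at the end of the name, not at its first occurrence (e.g. "*ab" against "xabyab") */` above the new `if`. The subtraction `str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str)` is safe only because the `str_locate_str` call just above the hunk already established that the needle fits in the remainder, and since both operands are unsigned that dependency is worth stating in the same comment. The function starts and ends outside the hunk.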
@@ -0,0 +1,35 @@
+From 0c3a1123c391995ab46cfde603fa025ff180a819 Mon Sep 17 00:00:00 2001
+From: Martin Sehnoutka
+Date: Wed, 7 Sep 2016 11:43:54 +0200
+Subject: [PATCH 12/33] Replace syscall(__NR_clone ..) with clone ()
+
+in order to fix incorrect order of params on s390 arch
+---
+ sysdeputil.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sysdeputil.c b/sysdeputil.c
+index b2782da..3bbabaa 100644
+--- a/sysdeputil.c
++++ b/sysdeputil.c
+@@ -1306,7 +1306,7 @@ vsf_sysutil_fork_isolate_failok()
+ static int cloneflags_work = 1;
+ if (cloneflags_work)
+ {
+- int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
++ int ret = clone(NULL, NULL, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
+ if (ret != -1 || (errno != EINVAL && errno != EPERM))
+ {
+ if (ret == 0)
+@@ -1328,7 +1328,7 @@ vsf_sysutil_fork_newnet()
+ static int cloneflags_work = 1;
+ if (cloneflags_work)
+ {
+- int ret = syscall(__NR_clone, CLONE_NEWNET | SIGCHLD, NULL);
++ int ret = clone(NULL, NULL, CLONE_NEWNET | SIGCHLD, NULL);
+ if (ret != -1 || (errno != EINVAL && errno != EPERM))
+ {
+ if (ret == 0)
+--
+2.7.4
+
diff --git a/0013-Extend-man-pages-with-systemd-info.patch b/0013-Extend-man-pages-with-systemd-info.patch
new file mode 100644
index 0000000..cde58f4
--- /dev/null
+++ b/0013-Extend-man-pages-with-systemd-info.patch
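Review bot: `clone(NULL, NULL, flags, NULL)` depends on the glibc wrapper tolerating a NULL function and stack, but on at least x86_64 the wrapper returns EINVAL for either before issuing the syscall; the surrounding code reads EINVAL as "clone flags unsupported" and falls back to a plain fork, so the PID/IPC and network namespace isolation would be silently lost on those architectures rather than fixed. Before merging, confirm on each target architecture that the child really lands in a new namespace (comparing `/proc/self/ns/pid` between parent and child in a test build is enough). If the only goal is the s390 argument order, a raw `syscall` under `#if defined(__s390__) || defined(__s390x__)` that swaps the first two arguments keeps the existing, known-working behaviour elsewhere. Both functions start and end outside the hunk.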
@@ -0,0 +1,86 @@ +From 813a4bc45d45f4af94c699893cb2d2ba998d5d31 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Wed, 7 Sep 2016 11:53:07 +0200 +Subject: [PATCH 13/33] Extend man pages with systemd info. + +Man pages now reflect how is vsftpd used as +systemd service. +--- + vsftpd.8 | 24 ++++++++++++++++++++++++ + vsftpd.conf.5 | 18 +++++++++++++++++- + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/vsftpd.8 b/vsftpd.8 +index c920e7d..fbeb1a2 100644 +--- a/vsftpd.8 ++++ b/vsftpd.8 +@@ -25,6 +25,23 @@ in + Direct execution of the + .Nm vsftpd + binary will then launch the FTP service ready for immediate client connections. ++.Pp ++Systemd changes the vsftpd daemon start-up. The vsftpd package contains vsftpd-generator script generating symbolic links to /var/run/systemd/generator/vsftpd.target.wants directory. The generator is called during e.g. 'systemctl --system daemon-reload'. All these symbolic links link /usr/lib/systemd/system/vsftpd@.service file. ++The vsftpd daemon(s) is/are controlled by one of following ways: ++.Pp ++1. Single daemon using default /etc/vsftpd/vsftpd.conf configuration file ++.br ++# systemctl {start,stop,...} vsftpd[.service] ++.Pp ++2. Single daemon using /etc/vsftpd/.conf ++.br ++# systemctl {start,stop,...} vsftpd@[.service] ++.Pp ++3. All instances together ++.br ++# systemctl {restart,stop} vsftpd.target ++.Pp ++See systemd.unit(5), systemd.target(5) for further details. + .Sh OPTIONS + An optional + configuration file or files +@@ -55,6 +72,13 @@ the "ftpd_banner" setting is set to "blah", which overrides any default vsftpd + setting and any identical setting that was in the config file. 
+ .Sh FILES + .Pa /etc/vsftpd/vsftpd.conf ++.Pp ++.Pa /usr/lib/systemd/system/vsftpd.service ++.Pp ++.Pa /usr/lib/systemd/system/vsftpd@.service ++.Pp ++.Pa /usr/lib/systemd/system/vsftpd.target + .Sh SEE ALSO + .Xr vsftpd.conf 5 ++.Xr systemd.unit 5 + .end +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index 9d767b1..0744f85 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -12,7 +12,23 @@ inetd such as + .BR xinetd + to launch vsftpd with different configuration files on a per virtual host + basis. +- ++.P ++Systemd changes the vsftpd daemon start-up. The vsftpd package contains vsftpd-generator script generating symbolic links to /var/run/systemd/generator/vsftpd.target.wants directory. The generator is called during e. g. 'systemctl --system daemon-reload'. All these symbolic links link /usr/lib/systemd/system/vsftpd@.service file. ++The vsftpd daemon(s) is/are controlled by one of following ways: ++.P ++1. Single daemon using default /etc/vsftpd/vsftpd.conf configuration file ++.br ++# systemctl {start,stop,...} vsftpd[.service] ++.P ++2. Single daemon using /etc/vsftpd/.conf ++.br ++# systemctl {start,stop,...} vsftpd@[.service] ++.P ++3. All instances together ++.br ++# systemctl {restart,stop} vsftpd.target ++.P ++See systemd.unit(5), systemd.target(5) for further details. + .SH FORMAT + The format of vsftpd.conf is very simple. Each line is either a comment or + a directive. Comment lines start with a # and are ignored. A directive line +-- +2.7.4 + diff --git a/0014-Add-support-for-square-brackets-in-ls.patch b/0014-Add-support-for-square-brackets-in-ls.patch new file mode 100644 index 0000000..b53b9ee --- /dev/null +++ b/0014-Add-support-for-square-brackets-in-ls.patch 
@@ -0,0 +1,277 @@ +From ba0520650ae7f9f63e48ba9fb3a94297aebe2d0c Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Wed, 7 Sep 2016 14:22:21 +0200 +Subject: [PATCH 14/33] Add support for square brackets in ls. + +--- + ls.c | 222 +++++++++++++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 150 insertions(+), 72 deletions(-) + +diff --git a/ls.c b/ls.c +index 616b2d9..b840136 100644 +--- a/ls.c ++++ b/ls.c +@@ -246,7 +246,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, + int ret = 0; + char last_token = 0; + int must_match_at_current_pos = 1; +- ++ int matched = 0; + + str_copy(&filter_remain_str, p_filter_str); + +@@ -276,7 +276,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, + static struct mystr s_match_needed_str; + /* Locate next special token */ + struct str_locate_result locate_result = +- str_locate_chars(&filter_remain_str, "*?{"); ++ str_locate_chars(&filter_remain_str, "*?{["); + (*iters)++; + /* Isolate text leading up to token (if any) - needs to be matched */ + if (locate_result.found) +@@ -294,94 +294,172 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, + str_empty(&filter_remain_str); + last_token = 0; + } +- if (!str_isempty(&s_match_needed_str)) +- { +- /* Need to match something.. could be a match which has to start at +- * current position, or we could allow it to start anywhere +- */ +- unsigned int indexx; +- locate_result = str_locate_str(&name_remain_str, &s_match_needed_str); +- if (!locate_result.found) ++ ++ matched = 0; ++ do { ++ if (!str_isempty(&s_match_needed_str)) + { +- /* Fail */ +- goto out; ++ if (!matched) ++ { ++ matched = 1; ++ } ++ /* Need to match something.. 
could be a match which has to start at ++ * current position, or we could allow it to start anywhere ++ */ ++ unsigned int indexx; ++ locate_result = str_locate_str(&name_remain_str, &s_match_needed_str); ++ if (!locate_result.found) ++ { ++ /* Fail */ ++ goto out; ++ } ++ indexx = locate_result.index; ++ if (must_match_at_current_pos && indexx > 0) ++ { ++ goto out; ++ } ++ if (!must_match_at_current_pos && last_token == 0) ++ { ++ struct mystr last_str = INIT_MYSTR; ++ str_mid_to_end(&name_remain_str, &last_str, ++ str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str)); ++ locate_result = str_locate_str(&last_str, &s_match_needed_str); ++ str_free(&last_str); ++ ++ if (locate_result.found) ++ { ++ ret = 1; ++ } ++ goto out; ++ } ++ /* Chop matched string out of remainder */ ++ str_mid_to_end(&name_remain_str, &temp_str, ++ indexx + str_getlen(&s_match_needed_str)); ++ str_copy(&name_remain_str, &temp_str); + } +- indexx = locate_result.index; +- if (must_match_at_current_pos && indexx > 0) ++ if (last_token == '?') + { +- goto out; ++ if (str_isempty(&name_remain_str)) ++ { ++ goto out; ++ } ++ str_right(&name_remain_str, &temp_str, str_getlen(&name_remain_str) - 1); ++ str_copy(&name_remain_str, &temp_str); ++ must_match_at_current_pos = 1; + } +- if (!must_match_at_current_pos && last_token == 0) ++ else if (last_token == '{') + { +- struct mystr last_str = INIT_MYSTR; +- str_mid_to_end(&name_remain_str, &last_str, +- str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str)); +- locate_result = str_locate_str(&last_str, &s_match_needed_str); +- str_free(&last_str); ++ struct str_locate_result end_brace = ++ str_locate_char(&filter_remain_str, '}'); ++ must_match_at_current_pos = 1; ++ if (end_brace.found) ++ { ++ int entire = (*iters == 1 && last_token == '{'); + +- if (locate_result.found) ++ str_split_char(&filter_remain_str, &temp_str, '}'); ++ str_copy(&brace_list_str, &filter_remain_str); ++ str_copy(&filter_remain_str, &temp_str); ++ 
str_split_char(&brace_list_str, &temp_str, ','); ++ while (!str_isempty(&brace_list_str)) ++ { ++ str_empty(&new_filter_str); ++ if (!matched && !entire) ++ { ++ str_append_char(&new_filter_str, '*'); ++ } ++ str_append_str(&new_filter_str, &brace_list_str); ++ str_append_str(&new_filter_str, &filter_remain_str); ++ if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str, ++ iters)) ++ { ++ ret = 1; ++ goto out; ++ } ++ str_copy(&brace_list_str, &temp_str); ++ str_split_char(&brace_list_str, &temp_str, ','); ++ } ++ goto out; ++ } ++ else if (str_isempty(&name_remain_str) || ++ str_get_char_at(&name_remain_str, 0) != '{') + { +- ret = 1; ++ goto out; ++ } ++ else ++ { ++ str_right(&name_remain_str, &temp_str, ++ str_getlen(&name_remain_str) - 1); ++ str_copy(&name_remain_str, &temp_str); + } +- goto out; +- } +- /* Chop matched string out of remainder */ +- str_mid_to_end(&name_remain_str, &temp_str, +- indexx + str_getlen(&s_match_needed_str)); +- str_copy(&name_remain_str, &temp_str); +- } +- if (last_token == '?') +- { +- if (str_isempty(&name_remain_str)) +- { +- goto out; + } +- str_right(&name_remain_str, &temp_str, str_getlen(&name_remain_str) - 1); +- str_copy(&name_remain_str, &temp_str); +- must_match_at_current_pos = 1; +- } +- else if (last_token == '{') +- { +- struct str_locate_result end_brace = +- str_locate_char(&filter_remain_str, '}'); +- must_match_at_current_pos = 1; +- if (end_brace.found) ++ else if (last_token == '[') + { +- str_split_char(&filter_remain_str, &temp_str, '}'); +- str_copy(&brace_list_str, &filter_remain_str); +- str_copy(&filter_remain_str, &temp_str); +- str_split_char(&brace_list_str, &temp_str, ','); +- while (!str_isempty(&brace_list_str)) ++ struct str_locate_result end_sqb = ++ str_locate_char(&filter_remain_str, ']'); ++ must_match_at_current_pos = 1; ++ if (end_sqb.found) + { +- str_copy(&new_filter_str, &brace_list_str); +- str_append_str(&new_filter_str, &filter_remain_str); +- if 
(vsf_filename_passes_filter(&name_remain_str, &new_filter_str, +- iters)) ++ unsigned int cur_pos; ++ char stch, ench; ++ const char *p_brace; ++ ++ str_split_char(&filter_remain_str, &temp_str, ']'); ++ str_copy(&brace_list_str, &filter_remain_str); ++ str_copy(&filter_remain_str, &temp_str); ++ p_brace = str_getbuf(&brace_list_str); ++ for (cur_pos = 0; cur_pos < str_getlen(&brace_list_str);) + { +- ret = 1; +- goto out; ++ stch = p_brace[cur_pos]; ++ // char vers. range ++ if (cur_pos + 2 < str_getlen(&brace_list_str) && ++ p_brace[cur_pos+1] == '-') ++ { ++ ench = p_brace[cur_pos+2]; ++ cur_pos += 3; ++ } ++ else ++ { ++ ench = stch; ++ cur_pos++; ++ } ++ // expand char[s] ++ for (;stch <= ench && !str_isempty(&brace_list_str); stch++) ++ { ++ str_empty(&new_filter_str); ++ if (!matched) ++ { ++ str_append_char(&new_filter_str, '*'); ++ } ++ str_append_char(&new_filter_str, stch); ++ str_append_str(&new_filter_str, &filter_remain_str); ++ if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str, ++ iters)) ++ { ++ ret = 1; ++ goto out; ++ } ++ } + } +- str_copy(&brace_list_str, &temp_str); +- str_split_char(&brace_list_str, &temp_str, ','); ++ goto out; ++ } ++ else if (str_isempty(&name_remain_str) || ++ str_get_char_at(&name_remain_str, 0) != '[') ++ { ++ goto out; ++ } ++ else ++ { ++ str_right(&name_remain_str, &temp_str, ++ str_getlen(&name_remain_str) - 1); ++ str_copy(&name_remain_str, &temp_str); + } +- goto out; +- } +- else if (str_isempty(&name_remain_str) || +- str_get_char_at(&name_remain_str, 0) != '{') +- { +- goto out; + } + else + { +- str_right(&name_remain_str, &temp_str, +- str_getlen(&name_remain_str) - 1); +- str_copy(&name_remain_str, &temp_str); ++ must_match_at_current_pos = 0; + } +- } +- else +- { +- must_match_at_current_pos = 0; +- } ++ } while (locate_result.found && ++ str_getlen(&name_remain_str) > 0 && last_token != '*'); + } + /* Any incoming string left means no match unless we ended on the correct + * type of 
wildcard. +-- +2.7.4 + diff --git a/0015-Listen-on-IPv6-by-default.patch b/0015-Listen-on-IPv6-by-default.patch new file mode 100644 index 0000000..1e7a7f6 --- /dev/null +++ b/0015-Listen-on-IPv6-by-default.patch 
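Review bot: In the new `[` branch, `stch` and `ench` are plain `char`, so a client-supplied range whose upper bound is byte 0x7f (or, with a signed `char`, any range that crosses the sign boundary) makes `stch++` wrap and `stch <= ench` never becomes false; every iteration recurses into `vsf_filename_passes_filter`, so the only thing bounding the loop is the `iters` counter, which the hunk does not show. Declare them as `int` and load them via `(unsigned char)`: `int stch, ench;`, `stch = (unsigned char)p_brace[cur_pos];`, `ench = (unsigned char)p_brace[cur_pos+2];` (and likewise in the `ench = stch` case), which also gives bytes above 0x7f a sane ordering. The restructured `do { ... } while (locate_result.found && ... && last_token != '*')` loop and the `matched` flag have no comment explaining what one pass consumes and why a `'*'` ends it, which the reader now needs to follow the `{` and `[` expansions. The function starts and ends outside the hunk.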
@@ -0,0 +1,55 @@ +From c5daaedf1efe23b397a5950f5503f5cbfac871c8 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Wed, 7 Sep 2016 14:25:28 +0200 +Subject: [PATCH 15/33] Listen on IPv6 by default. + +--- + vsftpd.conf | 14 +++++++++----- + vsftpd.conf.5 | 5 +++-- + 2 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/vsftpd.conf b/vsftpd.conf +index db44170..ae6c6c9 100644 +--- a/vsftpd.conf ++++ b/vsftpd.conf +@@ -111,12 +111,16 @@ xferlog_std_format=YES + # When "listen" directive is enabled, vsftpd runs in standalone mode and + # listens on IPv4 sockets. This directive cannot be used in conjunction + # with the listen_ipv6 directive. +-listen=YES +-# +-# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 +-# sockets, you must run two copies of vsftpd with two configuration files. ++listen=NO ++# ++# This directive enables listening on IPv6 sockets. By default, listening ++# on the IPv6 "any" address (::) will accept connections from both IPv6 ++# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6 ++# sockets. If you want that (perhaps because you want to listen on specific ++# addresses) then you must run two copies of vsftpd with two configuration ++# files. + # Make sure, that one of the listen options is commented !! +-#listen_ipv6=YES ++listen_ipv6=YES + + pam_service_name=vsftpd + userlist_enable=YES +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index 0744f85..72bb86f 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -297,8 +297,9 @@ Default: NO + .TP + .B listen_ipv6 + Like the listen parameter, except vsftpd will listen on an IPv6 socket instead +-of an IPv4 one. This parameter and the listen parameter are mutually +-exclusive. ++of an IPv4 one. Note that a socket listening on the IPv6 "any" address (::) ++will accept both IPv6 and IPv4 connections by default. This parameter and the ++listen parameter are mutually exclusive. + + Default: NO + .TP +-- +2.7.4 + 
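Review bot: The new vsftpd.conf comment says an IPv6 "any" socket accepts IPv4 clients "by default", which holds only while the kernel's `net.ipv6.bindv6only` sysctl is 0 and IPv6 is not disabled at boot; with `listen=NO` and `listen_ipv6=YES` now the shipped default, a host with IPv6 disabled fails to bind and the service does not start. I would add to the comment: `# Note: this relies on net.ipv6.bindv6only=0 and on IPv6 being enabled in the kernel;` / `# if IPv6 is disabled, switch back to listen=YES and listen_ipv6=NO.` The same caveat belongs in the vsftpd.conf.5 sentence changed in the second file of this hunk.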
diff --git a/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch b/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch
new file mode 100644
index 0000000..31779c2
--- /dev/null
+++ b/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch
@@ -0,0 +1,27 @@
+From 048208a4db5d7164d89ba5d7545e281d0a3472d3 Mon Sep 17 00:00:00 2001
+From: Martin Sehnoutka
+Date: Wed, 7 Sep 2016 15:35:59 +0200
+Subject: [PATCH 16/33] Increase VSFTP_AS_LIMIT from 200UL to 400UL.
+
+When using a PAM module to get users from LDAP or database the old
+limit was insufficient.
+---
+ defs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/defs.h b/defs.h
+index ca11eac..bde3232 100644
+--- a/defs.h
++++ b/defs.h
+@@ -19,7 +19,7 @@
+ /* Must be at least the size of VSFTP_MAX_COMMAND_LINE, VSFTP_DIR_BUFSIZE and
+ VSFTP_DATA_BUFSIZE*2 */
+ #define VSFTP_PRIVSOCK_MAXSTR VSFTP_DATA_BUFSIZE * 2
+-#define VSFTP_AS_LIMIT 200UL * 1024 * 1024
++#define VSFTP_AS_LIMIT 400UL * 1024 * 1024
+
+ #endif /* VSF_DEFS_H */
+
+--
+2.7.4
+
diff --git a/0017-Fix-an-issue-with-timestamps-during-DST.patch b/0017-Fix-an-issue-with-timestamps-during-DST.patch
new file mode 100644
index 0000000..ec3af9f
--- /dev/null
+++ b/0017-Fix-an-issue-with-timestamps-during-DST.patch
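Review bot: The changed line keeps the macro as an unparenthesized expression, `#define VSFTP_AS_LIMIT 400UL * 1024 * 1024`, so a use such as `VSFTP_AS_LIMIT / 2` or a cast binds to `400UL` alone; while touching it, write `#define VSFTP_AS_LIMIT (400UL * 1024 * 1024)`. This value is presumably the per-session address-space limit applied in sysutil, so doubling it halves the headroom against memory pressure from many concurrent sessions; the PAM/LDAP motivation lives only in the commit message, and a one-line comment beside the define would keep the next maintainer from lowering it again.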
@@ -0,0 +1,161 @@ +From 5ec0b86e5c1ff060720b5a6cd1af9d93ec993650 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 29 Sep 2016 11:14:03 +0200 +Subject: [PATCH 17/33] Fix an issue with timestamps during DST. + +vsftpd now checks whether a file was uploaded during DST and +adjust the timestamp accordingly. +--- + sysutil.c | 104 ++++++++++++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 77 insertions(+), 27 deletions(-) + +diff --git a/sysutil.c b/sysutil.c +index c848356..2abdd13 100644 +--- a/sysutil.c ++++ b/sysutil.c +@@ -26,8 +26,10 @@ + /* For Linux, this adds nothing :-) */ + #include "port/porting_junk.h" + ++#define F_LOCALTIME "/etc/localtime" ++#define BUFTZSIZ 64 ++ + #include +-#include + #include + #include + #include +@@ -56,6 +58,11 @@ + #include + #include + ++#ifndef __USE_GNU ++ #define __USE_GNU ++#endif ++#include ++ + /* Private variables to this file */ + /* Current umask() */ + static unsigned int s_current_umask; +@@ -2574,49 +2581,92 @@ error: + die("reopening standard file descriptors to /dev/null failed"); + } + ++char* vsf_sysutil_get_tz() ++{ ++ char *ret_tz = NULL; ++ char buff[BUFTZSIZ]; ++ off_t s_pos, e_pos; ++ size_t rcnt, rest; ++ int fd; ++ ++ if ((fd = open(F_LOCALTIME, O_RDONLY)) > -1) ++ { ++ if ((e_pos = lseek(fd, 0, SEEK_END)) <= 0) ++ { ++ close(fd); ++ return NULL; ++ } ++ s_pos = e_pos > BUFTZSIZ ? e_pos - BUFTZSIZ : 0; ++ lseek(fd, s_pos, SEEK_SET); ++ rcnt = read(fd, buff, BUFTZSIZ); ++ ++ if (rcnt && buff[rcnt-1] == '\n') ++ { ++ buff[rcnt-1] = 0; ++ e_pos--; ++ } ++ ++ do { ++ char *nl = memrchr(buff, '\n', rcnt); ++ if (rcnt && nl) ++ { ++ int offset = (++nl) - buff; ++ int len = e_pos - s_pos - offset; ++ if (len) ++ { ++ lseek(fd, s_pos + offset, SEEK_SET); ++ ret_tz = calloc(1, len+4); ++ memcpy(ret_tz, "TZ=", 3); ++ rcnt = read(fd, ret_tz+3, len); ++ } ++ break; ++ } ++ if (!s_pos) ++ { ++ break; ++ } ++ rest = s_pos > BUFTZSIZ ? 
s_pos - BUFTZSIZ : 0; ++ s_pos -= rest; ++ lseek(fd, s_pos, SEEK_SET); ++ rcnt = read(fd, buff, rest); ++ } while (rcnt > 0); ++ ++ close (fd); ++ } ++ ++ return ret_tz; ++} ++ + void + vsf_sysutil_tzset(void) + { + int retval; +- char tzbuf[sizeof("+HHMM!")]; ++ char *tz=NULL, tzbuf[sizeof("+HHMM!")]; + time_t the_time = time(NULL); + struct tm* p_tm; ++ ++ /* Set our timezone in the TZ environment variable to cater for the fact ++ * that modern glibc does not cache /etc/localtime (which becomes inaccessible ++ * when we chroot(). ++ */ ++ tz = vsf_sysutil_get_tz();; ++ if (tz) ++ { ++ putenv(tz); ++ } + tzset(); + p_tm = localtime(&the_time); + if (p_tm == NULL) + { + die("localtime"); + } +- /* Set our timezone in the TZ environment variable to cater for the fact +- * that modern glibc does not cache /etc/localtime (which becomes inaccessible +- * when we chroot(). +- */ + retval = strftime(tzbuf, sizeof(tzbuf), "%z", p_tm); + tzbuf[sizeof(tzbuf) - 1] = '\0'; + if (retval == 5) + { +- /* Static because putenv() does not copy the string. */ +- static char envtz[sizeof("TZ=UTC-hh:mm")]; +- /* Insert a colon so we have e.g. -05:00 instead of -0500 */ +- tzbuf[5] = tzbuf[4]; +- tzbuf[4] = tzbuf[3]; +- tzbuf[3] = ':'; +- /* Invert the sign - we just got the offset _from_ UTC but for TZ, we need +- * the offset _to_ UTC. +- */ +- if (tzbuf[0] == '+') +- { +- tzbuf[0] = '-'; +- } +- else +- { +- tzbuf[0] = '+'; +- } +- snprintf(envtz, sizeof(envtz), "TZ=UTC%s", tzbuf); +- putenv(envtz); + s_timezone = ((tzbuf[1] - '0') * 10 + (tzbuf[2] - '0')) * 60 * 60; +- s_timezone += ((tzbuf[4] - '0') * 10 + (tzbuf[5] - '0')) * 60; +- if (tzbuf[0] == '-') ++ s_timezone += ((tzbuf[3] - '0') * 10 + (tzbuf[4] - '0')) * 60; ++ if (tzbuf[0] == '+') + { + s_timezone *= -1; + } +-- +2.7.4 + diff --git a/0018-Change-the-default-log-file-in-configuration.patch b/0018-Change-the-default-log-file-in-configuration.patch new file mode 100644 index 0000000..990cf90 --- /dev/null 
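Review bot: In `vsf_sysutil_get_tz` the backward scan sets `rest = s_pos > BUFTZSIZ ? s_pos - BUFTZSIZ : 0` and then calls `read(fd, buff, rest)`, so once `s_pos` exceeds 64 the read length is `s_pos - 64` rather than 64 and the 64-byte stack buffer is overrun on any /etc/localtime whose footer is not found in the first pass (a TZif version 1 file without a footer, for instance); the intended step is `rest = s_pos > BUFTZSIZ ? BUFTZSIZ : s_pos;`. `rcnt` is a `size_t` assigned from `read()`, so a -1 result becomes huge and `buff[rcnt-1]` indexes out of bounds — keep it in an `ssize_t` and bail out on `<= 0`, and check the `calloc` result before the `memcpy` into `ret_tz`. The `#define __USE_GNU` before the include is a glibc-internal macro; `memrchr` should be requested with `#define _GNU_SOURCE` at the top of the file, ahead of the first system include. Also, `tz = vsf_sysutil_get_tz();;` has a stray semicolon, and when no footer is found the function returns NULL and the old `%z`-derived TZ string is no longer exported, so `localtime()` inside the chroot may silently fall back to UTC — keeping the previous code path as a fallback would avoid that regression.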
+++ b/0018-Change-the-default-log-file-in-configuration.patch @@ -0,0 +1,43 @@ +From 61dac172bdb14c5a37713078828ea8c8f78c7eb6 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 29 Sep 2016 13:53:16 +0200 +Subject: [PATCH 18/33] Change the default log file in configuration. + +Previous "default" value was wrong. +tunables.c:262 => install_str_setting("/var/log/xferlog", +&tunable_xferlog_file); +--- + RedHat/vsftpd.log | 6 ++++++ + vsftpd.conf | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/RedHat/vsftpd.log b/RedHat/vsftpd.log +index d338de8..14731c1 100644 +--- a/RedHat/vsftpd.log ++++ b/RedHat/vsftpd.log +@@ -3,3 +3,9 @@ + nocompress + missingok + } ++ ++/var/log/xferlog { ++ # ftpd doesn't handle SIGHUP properly ++ nocompress ++ missingok ++} +diff --git a/vsftpd.conf b/vsftpd.conf +index ae6c6c9..39d1955 100644 +--- a/vsftpd.conf ++++ b/vsftpd.conf +@@ -50,7 +50,7 @@ connect_from_port_20=YES + # + # You may override where the log file goes if you like. The default is shown + # below. +-#xferlog_file=/var/log/vsftpd.log ++#xferlog_file=/var/log/xferlog + # + # If you want, you can have your log file in standard ftpd xferlog format. + # Note that the default log file location is /var/log/xferlog in this case. +-- +2.7.4 + diff --git a/0019-Introduce-reverse_lookup_enable-option.patch b/0019-Introduce-reverse_lookup_enable-option.patch new file mode 100644 index 0000000..dbf01c0 --- /dev/null +++ b/0019-Introduce-reverse_lookup_enable-option.patch 
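Review bot: The new `/var/log/xferlog` stanza in RedHat/vsftpd.log repeats the options of the stanza above it (presumably `/var/log/vsftpd.log`, whose path sits outside the hunk); logrotate accepts several paths per stanza, so `/var/log/vsftpd.log /var/log/xferlog {` with a single body keeps the two from drifting apart. logrotate also refuses a path that appears in more than one configuration file, so it is worth checking that no other package on the target systems already rotates `/var/log/xferlog` before shipping this.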
@@ -0,0 +1,109 @@ +From 721de88621100f6ed33f1602415bc249f3ed3219 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 10:22:32 +0100 +Subject: [PATCH 19/33] Introduce reverse_lookup_enable option. + +vsftpd can transform IP address into hostname before +PAM authentication. You can disable it to prevent +performance issues. +--- + parseconf.c | 1 + + sysdeputil.c | 14 +++++++++----- + tunables.c | 2 ++ + tunables.h | 1 + + vsftpd.conf.5 | 9 +++++++++ + 5 files changed, 22 insertions(+), 5 deletions(-) + +diff --git a/parseconf.c b/parseconf.c +index 30df598..3e0dba4 100644 +--- a/parseconf.c ++++ b/parseconf.c +@@ -91,6 +91,7 @@ parseconf_bool_array[] = + { "mdtm_write", &tunable_mdtm_write }, + { "lock_upload_files", &tunable_lock_upload_files }, + { "pasv_addr_resolve", &tunable_pasv_addr_resolve }, ++ { "reverse_lookup_enable", &tunable_reverse_lookup_enable }, + { "userlist_log", &tunable_userlist_log }, + { "debug_ssl", &tunable_debug_ssl }, + { "require_cert", &tunable_require_cert }, +diff --git a/sysdeputil.c b/sysdeputil.c +index 3bbabaa..2063c87 100644 +--- a/sysdeputil.c ++++ b/sysdeputil.c +@@ -354,12 +354,16 @@ vsf_sysdep_check_auth(struct mystr* p_user_str, + return 0; + } + #ifdef PAM_RHOST +- sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host)); +- host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET); +- if (host != (struct hostent*)0) +- retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name); +- else ++ if (tunable_reverse_lookup_enable) { ++ sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host)); ++ host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET); ++ if (host != (struct hostent*)0) ++ retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name); ++ else ++ retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host)); ++ } else { + retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host)); ++ } + if (retval != PAM_SUCCESS) + { + (void) 
pam_end(s_pamh, retval); +diff --git a/tunables.c b/tunables.c +index b30fca1..c737465 100644 +--- a/tunables.c ++++ b/tunables.c +@@ -72,6 +72,7 @@ int tunable_force_anon_data_ssl; + int tunable_mdtm_write; + int tunable_lock_upload_files; + int tunable_pasv_addr_resolve; ++int tunable_reverse_lookup_enable; + int tunable_userlist_log; + int tunable_debug_ssl; + int tunable_require_cert; +@@ -213,6 +214,7 @@ tunables_load_defaults() + tunable_mdtm_write = 1; + tunable_lock_upload_files = 1; + tunable_pasv_addr_resolve = 0; ++ tunable_reverse_lookup_enable = 1; + tunable_userlist_log = 0; + tunable_debug_ssl = 0; + tunable_require_cert = 0; +diff --git a/tunables.h b/tunables.h +index e44d64c..9553038 100644 +--- a/tunables.h ++++ b/tunables.h +@@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ + extern int tunable_mdtm_write; /* Allow MDTM to set timestamps */ + extern int tunable_lock_upload_files; /* Lock uploading files */ + extern int tunable_pasv_addr_resolve; /* DNS resolve pasv_addr */ ++extern int tunable_reverse_lookup_enable; /* Get hostname before pam auth */ + extern int tunable_userlist_log; /* Log every failed login attempt */ + extern int tunable_debug_ssl; /* Verbose SSL logging */ + extern int tunable_require_cert; /* SSL client cert required */ +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index 72bb86f..fb6324e 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -425,6 +425,15 @@ http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html + + Default: YES + .TP ++.B reverse_lookup_enable ++Set to YES if you want vsftpd to transform the ip address into the hostname, ++before pam authentication. This is useful if you use pam_access including the ++hostname. If you want vsftpd to run on the environment where the reverse lookup ++for some hostname is available and the name server doesn't respond for a while, ++you should set this to NO to avoid a performance issue. 
++ ++Default: YES ++.TP + .B run_as_launching_user + Set to YES if you want vsftpd to run as the user which launched vsftpd. This is + useful where root access is not available. MASSIVE WARNING! Do NOT enable this +-- +2.7.4 + diff --git a/0020-Use-unsigned-int-for-uid-and-gid-representation.patch b/0020-Use-unsigned-int-for-uid-and-gid-representation.patch new file mode 100644 index 0000000..f5cd8f0 --- /dev/null +++ b/0020-Use-unsigned-int-for-uid-and-gid-representation.patch 
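Review bot: In the sysdeputil.c hunk the name handed to PAM_RHOST is whatever gethostbyaddr() returns, i.e. the PTR record published by the operator of the client's reverse zone, with no forward-confirmation; pam_access rules keyed on that hostname therefore trust a name the peer's side controls, and the new vsftpd.conf.5 entry should say so, e.g. `Note that the hostname comes from the client's reverse DNS record and is not verified against a forward lookup.` inet_addr() returns INADDR_NONE for anything that is not a dotted IPv4 string, and that result is not checked before it is passed to gethostbyaddr(), so a non-IPv4 peer string ends up looking up the all-ones address rather than skipping the lookup. Both branches fall back to the same `retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));`, so setting the textual address first and overriding it only when the lookup succeeds would remove the duplicated call. vsf_sysdep_check_auth starts and ends outside the hunk.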
@@ -0,0 +1,250 @@ +From dcaaf1e0dd3985e229a87de18b83f301d30b6ce9 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 10:31:39 +0100 +Subject: [PATCH 20/33] Use unsigned int for uid and gid representation. + +--- + ls.c | 4 ++-- + privops.c | 3 +-- + session.h | 6 +++--- + sysutil.c | 44 ++++++++++++++------------------------------ + sysutil.h | 20 ++++++++++---------- + 5 files changed, 30 insertions(+), 47 deletions(-) + +diff --git a/ls.c b/ls.c +index b840136..3c0988c 100644 +--- a/ls.c ++++ b/ls.c +@@ -503,7 +503,7 @@ build_dir_line(struct mystr* p_str, const struct mystr* p_filename_str, + } + else + { +- int uid = vsf_sysutil_statbuf_get_uid(p_stat); ++ unsigned int uid = vsf_sysutil_statbuf_get_uid(p_stat); + struct vsf_sysutil_user* p_user = 0; + if (tunable_text_userdb_names) + { +@@ -528,7 +528,7 @@ build_dir_line(struct mystr* p_str, const struct mystr* p_filename_str, + } + else + { +- int gid = vsf_sysutil_statbuf_get_gid(p_stat); ++ unsigned int gid = vsf_sysutil_statbuf_get_gid(p_stat); + struct vsf_sysutil_group* p_group = 0; + if (tunable_text_userdb_names) + { +diff --git a/privops.c b/privops.c +index 21d7267..f27c5c4 100644 +--- a/privops.c ++++ b/privops.c +@@ -236,8 +236,7 @@ vsf_privop_do_file_chown(struct vsf_session* p_sess, int fd) + /* Drop it like a hot potato unless it's a regular file owned by + * the the anonymous ftp user + */ +- if (p_sess->anon_upload_chown_uid == -1 || +- !vsf_sysutil_statbuf_is_regfile(s_p_statbuf) || ++ if (!vsf_sysutil_statbuf_is_regfile(s_p_statbuf) || + (vsf_sysutil_statbuf_get_uid(s_p_statbuf) != p_sess->anon_ftp_uid && + vsf_sysutil_statbuf_get_uid(s_p_statbuf) != p_sess->guest_user_uid)) + { +diff --git a/session.h b/session.h +index 27a488f..956bfb7 100644 +--- a/session.h ++++ b/session.h +@@ -54,9 +54,9 @@ struct vsf_session + struct mystr_list* p_visited_dir_list; + + /* Details of userids which are interesting to us */ +- int anon_ftp_uid; +- int guest_user_uid; +- int 
anon_upload_chown_uid; ++ unsigned int anon_ftp_uid; ++ unsigned int guest_user_uid; ++ unsigned int anon_upload_chown_uid; + + /* Things we need to cache before we chroot() */ + struct mystr banned_email_str; +diff --git a/sysutil.c b/sysutil.c +index 2abdd13..9881a66 100644 +--- a/sysutil.c ++++ b/sysutil.c +@@ -1454,14 +1454,14 @@ vsf_sysutil_statbuf_get_size(const struct vsf_sysutil_statbuf* p_statbuf) + return p_stat->st_size; + } + +-int ++unsigned int + vsf_sysutil_statbuf_get_uid(const struct vsf_sysutil_statbuf* p_statbuf) + { + const struct stat* p_stat = (const struct stat*) p_statbuf; + return p_stat->st_uid; + } + +-int ++unsigned int + vsf_sysutil_statbuf_get_gid(const struct vsf_sysutil_statbuf* p_statbuf) + { + const struct stat* p_stat = (const struct stat*) p_statbuf; +@@ -1502,7 +1502,7 @@ vsf_sysutil_statbuf_get_sortkey_mtime( + } + + void +-vsf_sysutil_fchown(const int fd, const int uid, const int gid) ++vsf_sysutil_fchown(const int fd, const unsigned int uid, const unsigned int gid) + { + if (fchown(fd, uid, gid) != 0) + { +@@ -2320,13 +2320,9 @@ vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr, + } + + struct vsf_sysutil_user* +-vsf_sysutil_getpwuid(const int uid) ++vsf_sysutil_getpwuid(const unsigned int uid) + { +- if (uid < 0) +- { +- bug("negative uid in vsf_sysutil_getpwuid"); +- } +- return (struct vsf_sysutil_user*) getpwuid((unsigned int) uid); ++ return (struct vsf_sysutil_user*) getpwuid(uid); + } + + struct vsf_sysutil_user* +@@ -2349,14 +2345,14 @@ vsf_sysutil_user_get_homedir(const struct vsf_sysutil_user* p_user) + return p_passwd->pw_dir; + } + +-int ++unsigned int + vsf_sysutil_user_getuid(const struct vsf_sysutil_user* p_user) + { + const struct passwd* p_passwd = (const struct passwd*) p_user; + return p_passwd->pw_uid; + } + +-int ++unsigned int + vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user) + { + const struct passwd* p_passwd = (const struct passwd*) p_user; +@@ -2364,13 +2360,9 @@ 
vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user) + } + + struct vsf_sysutil_group* +-vsf_sysutil_getgrgid(const int gid) ++vsf_sysutil_getgrgid(const unsigned int gid) + { +- if (gid < 0) +- { +- die("negative gid in vsf_sysutil_getgrgid"); +- } +- return (struct vsf_sysutil_group*) getgrgid((unsigned int) gid); ++ return (struct vsf_sysutil_group*) getgrgid(gid); + } + + const char* +@@ -2445,25 +2437,17 @@ vsf_sysutil_setgid_numeric(int gid) + } + } + +-int ++unsigned int + vsf_sysutil_geteuid(void) + { +- int retval = geteuid(); +- if (retval < 0) +- { +- die("geteuid"); +- } ++ unsigned int retval = geteuid(); + return retval; + } + +-int ++unsigned int + vsf_sysutil_getegid(void) + { +- int retval = getegid(); +- if (retval < 0) +- { +- die("getegid"); +- } ++ unsigned int retval = getegid(); + return retval; + } + +@@ -2854,7 +2838,7 @@ vsf_sysutil_ftruncate(int fd) + } + } + +-int ++unsigned int + vsf_sysutil_getuid(void) + { + return getuid(); +diff --git a/sysutil.h b/sysutil.h +index bfc92cb..79b5514 100644 +--- a/sysutil.h ++++ b/sysutil.h +@@ -129,15 +129,15 @@ const char* vsf_sysutil_statbuf_get_numeric_date( + const struct vsf_sysutil_statbuf* p_stat, int use_localtime); + unsigned int vsf_sysutil_statbuf_get_links( + const struct vsf_sysutil_statbuf* p_stat); +-int vsf_sysutil_statbuf_get_uid(const struct vsf_sysutil_statbuf* p_stat); +-int vsf_sysutil_statbuf_get_gid(const struct vsf_sysutil_statbuf* p_stat); ++unsigned int vsf_sysutil_statbuf_get_uid(const struct vsf_sysutil_statbuf* p_stat); ++unsigned int vsf_sysutil_statbuf_get_gid(const struct vsf_sysutil_statbuf* p_stat); + int vsf_sysutil_statbuf_is_readable_other( + const struct vsf_sysutil_statbuf* p_stat); + const char* vsf_sysutil_statbuf_get_sortkey_mtime( + const struct vsf_sysutil_statbuf* p_stat); + + int vsf_sysutil_chmod(const char* p_filename, unsigned int mode); +-void vsf_sysutil_fchown(const int fd, const int uid, const int gid); ++void vsf_sysutil_fchown(const int 
fd, const unsigned int uid, const unsigned int gid); + void vsf_sysutil_fchmod(const int fd, unsigned int mode); + int vsf_sysutil_readlink(const char* p_filename, char* p_dest, + unsigned int bufsiz); +@@ -290,15 +290,15 @@ int vsf_sysutil_inet_aton( + struct vsf_sysutil_user; + struct vsf_sysutil_group; + +-struct vsf_sysutil_user* vsf_sysutil_getpwuid(const int uid); ++struct vsf_sysutil_user* vsf_sysutil_getpwuid(const unsigned int uid); + struct vsf_sysutil_user* vsf_sysutil_getpwnam(const char* p_user); + const char* vsf_sysutil_user_getname(const struct vsf_sysutil_user* p_user); + const char* vsf_sysutil_user_get_homedir( + const struct vsf_sysutil_user* p_user); +-int vsf_sysutil_user_getuid(const struct vsf_sysutil_user* p_user); +-int vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user); ++unsigned int vsf_sysutil_user_getuid(const struct vsf_sysutil_user* p_user); ++unsigned int vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user); + +-struct vsf_sysutil_group* vsf_sysutil_getgrgid(const int gid); ++struct vsf_sysutil_group* vsf_sysutil_getgrgid(const unsigned int gid); + const char* vsf_sysutil_group_getname(const struct vsf_sysutil_group* p_group); + + /* More random things */ +@@ -316,7 +316,7 @@ void vsf_sysutil_qsort(void* p_base, unsigned int num_elem, + char* vsf_sysutil_getenv(const char* p_var); + typedef void (*exitfunc_t)(void); + void vsf_sysutil_set_exit_func(exitfunc_t exitfunc); +-int vsf_sysutil_getuid(void); ++unsigned int vsf_sysutil_getuid(void); + + /* Syslogging (bah) */ + void vsf_sysutil_openlog(int force); +@@ -329,8 +329,8 @@ void vsf_sysutil_setuid(const struct vsf_sysutil_user* p_user); + void vsf_sysutil_setgid(const struct vsf_sysutil_user* p_user); + void vsf_sysutil_setuid_numeric(int uid); + void vsf_sysutil_setgid_numeric(int gid); +-int vsf_sysutil_geteuid(void); +-int vsf_sysutil_getegid(void); ++unsigned int vsf_sysutil_geteuid(void); ++unsigned int vsf_sysutil_getegid(void); + void 
vsf_sysutil_seteuid(const struct vsf_sysutil_user* p_user); + void vsf_sysutil_setegid(const struct vsf_sysutil_user* p_user); + void vsf_sysutil_seteuid_numeric(int uid); +-- +2.7.4 + diff --git a/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/0021-Introduce-support-for-DHE-based-cipher-suites.patch new file mode 100644 index 0000000..ad7e5ba --- /dev/null +++ b/0021-Introduce-support-for-DHE-based-cipher-suites.patch 
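Review bot: In the sysutil.h hunk vsf_sysutil_setuid_numeric(int uid) and vsf_sysutil_setgid_numeric(int gid) keep signed parameters while every getter now returns unsigned int, so values produced by this patch are implicitly converted back to int at those call sites; either widen them as well or add a comment explaining why they stay signed. In privops.c the `anon_upload_chown_uid == -1` guard is removed rather than converted; with the field now unsigned the "not configured" sentinel would be UINT_MAX, and the remaining condition only compares the file owner against anon_ftp_uid/guest_user_uid, so whether an unset chown uid is still rejected before fchown() now depends on code outside the hunk — if it is, a comment such as `/* anon_upload_chown_uid is validated by the caller before we get here */` would make that visible. The `unsigned int retval = geteuid(); return retval;` bodies of vsf_sysutil_geteuid/getegid can be collapsed to `return geteuid();` / `return getegid();`, matching the form vsf_sysutil_getuid already has in the same file.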
@@ -0,0 +1,226 @@ +From 4eac1dbb5f70a652d31847eec7c28d245f36cdbb Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 10:48:28 +0100 +Subject: [PATCH 21/33] Introduce support for DHE based cipher suites. + +--- + parseconf.c | 1 + + ssl.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + tunables.c | 5 +++- + tunables.h | 1 + + vsftpd.conf.5 | 6 ++++ + 5 files changed, 104 insertions(+), 2 deletions(-) + +diff --git a/parseconf.c b/parseconf.c +index 3e0dba4..38e3182 100644 +--- a/parseconf.c ++++ b/parseconf.c +@@ -176,6 +176,7 @@ parseconf_str_array[] = + { "email_password_file", &tunable_email_password_file }, + { "rsa_cert_file", &tunable_rsa_cert_file }, + { "dsa_cert_file", &tunable_dsa_cert_file }, ++ { "dh_param_file", &tunable_dh_param_file }, + { "ssl_ciphers", &tunable_ssl_ciphers }, + { "rsa_private_key_file", &tunable_rsa_private_key_file }, + { "dsa_private_key_file", &tunable_dsa_private_key_file }, +diff --git a/ssl.c b/ssl.c +index c362983..22b69b3 100644 +--- a/ssl.c ++++ b/ssl.c +@@ -28,6 +28,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + +@@ -38,6 +40,7 @@ static void setup_bio_callbacks(); + static long bio_callback( + BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); + static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); ++static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); + static int ssl_cert_digest( + SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); + static void maybe_log_shutdown_state(struct vsf_session* p_sess); +@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess, + static int ssl_inited; + static struct mystr debug_str; + ++ ++// Grab prime number from OpenSSL; ++// (get_rfc*) for all available primes. ++// wraps selection of comparable algorithm strength ++#if !defined(match_dh_bits) ++ #define match_dh_bits(keylen) \ ++ keylen >= 8191 ? 
8192 : \ ++ keylen >= 6143 ? 6144 : \ ++ keylen >= 4095 ? 4096 : \ ++ keylen >= 3071 ? 3072 : \ ++ keylen >= 2047 ? 2048 : \ ++ keylen >= 1535 ? 1536 : \ ++ keylen >= 1023 ? 1024 : 768 ++#endif ++ ++#if !defined(DH_get_prime) ++ BIGNUM * ++ DH_get_prime(int bits) ++ { ++ switch (bits) { ++ case 768: return get_rfc2409_prime_768(NULL); ++ case 1024: return get_rfc2409_prime_1024(NULL); ++ case 1536: return get_rfc3526_prime_1536(NULL); ++ case 2048: return get_rfc3526_prime_2048(NULL); ++ case 3072: return get_rfc3526_prime_3072(NULL); ++ case 4096: return get_rfc3526_prime_4096(NULL); ++ case 6144: return get_rfc3526_prime_6144(NULL); ++ case 8192: return get_rfc3526_prime_8192(NULL); ++ // shouldn't happen when used match_dh_bits; strict compiler ++ default: return NULL; ++ } ++} ++#endif ++ ++#if !defined(DH_get_dh) ++ // Grab DH parameters ++ DH * ++ DH_get_dh(int size) ++ { ++ DH *dh = DH_new(); ++ if (!dh) { ++ return NULL; ++ } ++ dh->p = DH_get_prime(match_dh_bits(size)); ++ BN_dec2bn(&dh->g, "2"); ++ if (!dh->p || !dh->g) ++ { ++ DH_free(dh); ++ return NULL; ++ } ++ return dh; ++ } ++#endif ++ + void + ssl_init(struct vsf_session* p_sess) + { +@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) + { + die("SSL: could not allocate SSL context"); + } +- options = SSL_OP_ALL; ++ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; + if (!tunable_sslv2) + { + options |= SSL_OP_NO_SSLv2; +@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess) + die("SSL: cannot load DSA private key"); + } + } ++ if (tunable_dh_param_file) ++ { ++ BIO *bio; ++ DH *dhparams = NULL; ++ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL) ++ { ++ die("SSL: cannot load custom DH params"); ++ } ++ else ++ { ++ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); ++ BIO_free(bio); ++ ++ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams)) ++ { ++ die("SSL: setting custom DH params failed"); ++ } ++ } ++ } + if (tunable_ssl_ciphers && + SSL_CTX_set_cipher_list(p_ctx, 
tunable_ssl_ciphers) != 1) + { +@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess) + /* Ensure cached session doesn't expire */ + SSL_CTX_set_timeout(p_ctx, INT_MAX); + } ++ ++ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); ++ + p_sess->p_ssl_ctx = p_ctx; + ssl_inited = 1; + } +@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx) + return 1; + } + ++#define UNUSED(x) ( (void)(x) ) ++ ++static DH * ++ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) ++{ ++ // strict compiler bypassing ++ UNUSED(ssl); ++ UNUSED(is_export); ++ ++ return DH_get_dh(keylength); ++} ++ + void + ssl_add_entropy(struct vsf_session* p_sess) + { +diff --git a/tunables.c b/tunables.c +index c737465..1ea7227 100644 +--- a/tunables.c ++++ b/tunables.c +@@ -140,6 +140,7 @@ const char* tunable_user_sub_token; + const char* tunable_email_password_file; + const char* tunable_rsa_cert_file; + const char* tunable_dsa_cert_file; ++const char* tunable_dh_param_file; + const char* tunable_ssl_ciphers; + const char* tunable_rsa_private_key_file; + const char* tunable_dsa_private_key_file; +@@ -288,7 +289,9 @@ tunables_load_defaults() + install_str_setting("/usr/share/ssl/certs/vsftpd.pem", + &tunable_rsa_cert_file); + install_str_setting(0, &tunable_dsa_cert_file); +- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); ++ install_str_setting(0, &tunable_dh_param_file); ++ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA", ++ &tunable_ssl_ciphers); + install_str_setting(0, &tunable_rsa_private_key_file); + install_str_setting(0, &tunable_dsa_private_key_file); + install_str_setting(0, &tunable_ca_certs_file); +diff --git a/tunables.h b/tunables.h +index 9553038..3995472 100644 +--- a/tunables.h ++++ b/tunables.h +@@ -142,6 +142,7 @@ extern const char* tunable_user_sub_token; + extern const char* tunable_email_password_file; + extern const char* tunable_rsa_cert_file; + extern const char* tunable_dsa_cert_file; ++extern 
const char* tunable_dh_param_file; + extern const char* tunable_ssl_ciphers; + extern const char* tunable_rsa_private_key_file; + extern const char* tunable_dsa_private_key_file; +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index fb6324e..ff94eca 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -893,6 +893,12 @@ to be in the same file as the certificate. + + Default: (none) + .TP ++.B dh_param_file ++This option specifies the location of the custom parameters used for ++ephemeral Diffie-Hellman key exchange in SSL. ++ ++Default: (none - use built in parameters appropriate for certificate key size) ++.TP + .B email_password_file + This option can be used to provide an alternate file for usage by the + .BR secure_email_list_enable +-- +2.7.4 + diff --git a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch new file mode 100644 index 0000000..b4eb574 --- /dev/null +++ b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch 
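Review bot: ssl_tmp_dh_callback in the ssl.c hunk returns a freshly allocated DH from DH_get_dh() on every handshake, and as far as I can tell OpenSSL does not free the object a tmp-DH callback returns, so each TLS handshake leaks a DH; caching one object per size and returning that, as in the rewrite below, avoids it. match_dh_bits() also resolves key lengths below 1535 to the 768- and 1024-bit RFC 2409 groups, which are below the 2048-bit minimum generally expected now, so clamping the selection at 2048 would avoid negotiating a group weaker than the certificate. The new default ssl_ciphers `AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA` replaces the previous ECDHE-GCM default with two non-forward-secret suites and 3DES; if compatibility forces that, a comment in tunables.c recording why would help the next maintainer. In the dh_param_file path PEM_read_bio_DHparams() can return NULL and dhparams is never DH_free()'d after SSL_CTX_set_tmp_dh() (which copies it), and the match_dh_bits macro lacks parentheses around its argument and its body.
```c
static DH *
ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
{
  /* OpenSSL does not take ownership of the DH returned here, so hand out one
   * cached object per group size instead of allocating on every handshake.
   */
  static const int sizes[] = { 768, 1024, 1536, 2048, 3072, 4096, 6144, 8192 };
  static DH *cache[sizeof(sizes) / sizeof(sizes[0])];
  int bits = match_dh_bits(keylength);
  unsigned int i;
  UNUSED(ssl);
  UNUSED(is_export);
  for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
  {
    if (sizes[i] == bits)
    {
      if (!cache[i])
      {
        cache[i] = DH_get_dh(bits);
      }
      return cache[i];
    }
  }
  return NULL;
}
```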
@@ -0,0 +1,136 @@ +From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 10:49:22 +0100 +Subject: [PATCH 22/33] Introduce support for EDDHE based cipher suites. + +--- + parseconf.c | 1 + + ssl.c | 37 ++++++++++++++++++++++++++++++++++++- + tunables.c | 4 +++- + tunables.h | 1 + + vsftpd.conf.5 | 8 ++++++++ + 5 files changed, 49 insertions(+), 2 deletions(-) + +diff --git a/parseconf.c b/parseconf.c +index 38e3182..a2c715b 100644 +--- a/parseconf.c ++++ b/parseconf.c +@@ -177,6 +177,7 @@ parseconf_str_array[] = + { "rsa_cert_file", &tunable_rsa_cert_file }, + { "dsa_cert_file", &tunable_dsa_cert_file }, + { "dh_param_file", &tunable_dh_param_file }, ++ { "ecdh_param_file", &tunable_ecdh_param_file }, + { "ssl_ciphers", &tunable_ssl_ciphers }, + { "rsa_private_key_file", &tunable_rsa_private_key_file }, + { "dsa_private_key_file", &tunable_dsa_private_key_file }, +diff --git a/ssl.c b/ssl.c +index 22b69b3..96bf8ad 100644 +--- a/ssl.c ++++ b/ssl.c +@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) + { + die("SSL: could not allocate SSL context"); + } +- options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; ++ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE; + if (!tunable_sslv2) + { + options |= SSL_OP_NO_SSLv2; +@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess) + + SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); + ++ if (tunable_ecdh_param_file) ++ { ++ BIO *bio; ++ int nid; ++ EC_GROUP *ecparams = NULL; ++ EC_KEY *eckey; ++ ++ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL) ++ die("SSL: cannot load custom ec params"); ++ else ++ { ++ ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); ++ BIO_free(bio); ++ ++ if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) && ++ (eckey = EC_KEY_new_by_curve_name(nid))) ++ { ++ if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey)) ++ die("SSL: setting custom EC params failed"); ++ } ++ else ++ { ++ die("SSL: 
getting ec group or key failed"); ++ } ++ } ++ } ++ else ++ { ++#if defined(SSL_CTX_set_ecdh_auto) ++ SSL_CTX_set_ecdh_auto(p_ctx, 1); ++#else ++ SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); ++#endif ++ } ++ + p_sess->p_ssl_ctx = p_ctx; + ssl_inited = 1; + } +diff --git a/tunables.c b/tunables.c +index 1ea7227..93f85b1 100644 +--- a/tunables.c ++++ b/tunables.c +@@ -141,6 +141,7 @@ const char* tunable_email_password_file; + const char* tunable_rsa_cert_file; + const char* tunable_dsa_cert_file; + const char* tunable_dh_param_file; ++const char* tunable_ecdh_param_file; + const char* tunable_ssl_ciphers; + const char* tunable_rsa_private_key_file; + const char* tunable_dsa_private_key_file; +@@ -290,7 +291,8 @@ tunables_load_defaults() + &tunable_rsa_cert_file); + install_str_setting(0, &tunable_dsa_cert_file); + install_str_setting(0, &tunable_dh_param_file); +- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA", ++ install_str_setting(0, &tunable_ecdh_param_file); ++ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", + &tunable_ssl_ciphers); + install_str_setting(0, &tunable_rsa_private_key_file); + install_str_setting(0, &tunable_dsa_private_key_file); +diff --git a/tunables.h b/tunables.h +index 3995472..3e2d40c 100644 +--- a/tunables.h ++++ b/tunables.h +@@ -143,6 +143,7 @@ extern const char* tunable_email_password_file; + extern const char* tunable_rsa_cert_file; + extern const char* tunable_dsa_cert_file; + extern const char* tunable_dh_param_file; ++extern const char* tunable_ecdh_param_file; + extern const char* tunable_ssl_ciphers; + extern const char* tunable_rsa_private_key_file; + extern const char* tunable_dsa_private_key_file; +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index ff94eca..e242873 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in SSL. 
+ + Default: (none - use built in parameters appropriate for certificate key size) + .TP ++.B ecdh_param_file ++This option specifies the location of custom parameters for ephemeral ++Elliptic Curve Diffie-Hellman (ECDH) key exchange. ++ ++Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and ++automatically selected curve based on client preferences with OpenSSL 1.0.2 ++and later) ++.TP + .B email_password_file + This option can be used to provide an alternate file for usage by the + .BR secure_email_list_enable +-- +2.7.4 + diff --git a/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch b/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch new file mode 100644 index 0000000..077d261 --- /dev/null +++ b/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch 
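Review bot: The fallback branch in the ssl.c hunk passes `EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)` straight into SSL_CTX_set_tmp_ecdh() without a NULL check, ignores the return value, and never frees the key; in the ecdh_param_file branch `eckey` and `ecparams` are likewise not released (SSL_CTX_set_tmp_ecdh copies the key, so the caller keeps ownership). The custom-params path dies when the set call fails, so the fallback should do the same rather than silently continuing without ECDH. Style: the `if (...) die(...); else {` form with no braces around the first branch differs from the brace-on-every-branch style used in the neighbouring dh_param_file block.
```c
  else
  {
#if defined(SSL_CTX_set_ecdh_auto)
    SSL_CTX_set_ecdh_auto(p_ctx, 1);
#else
    EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
    if (!eckey || !SSL_CTX_set_tmp_ecdh(p_ctx, eckey))
    {
      die("SSL: setting default EC params failed");
    }
    EC_KEY_free(eckey);
#endif
  }
```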
@@ -0,0 +1,63 @@ +From 3d02ef3be17f37baf729e786a8f36af4982f70ad Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 10:52:16 +0100 +Subject: [PATCH 23/33] Add documentation for isolate_* options. Correct + default + +values of max_clients, max_per_ip. +--- + vsftpd.conf.5 | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index e242873..31d317f 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -652,6 +652,21 @@ change it with the setting + .BR xferlog_file . + + Default: NO ++.TP ++.B isolate_network ++If enabled, use CLONE_NEWNET to isolate the untrusted processes so that ++they can't do arbitrary connect() and instead have to ask the privileged ++process for sockets ( ++.BR port_promiscuous ++have to be disabled). ++ ++Default: YES ++.TP ++.B isolate ++If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes to their ++ipc and pid namespaces. So separated processes can not interact with each other. ++ ++Default: YES + + .SH NUMERIC OPTIONS + Below is a list of numeric options. A numeric option must be set to a non +@@ -749,8 +764,9 @@ Default: 077 + .B max_clients + If vsftpd is in standalone mode, this is the maximum number of clients which + may be connected. Any additional clients connecting will get an error message. ++The value 0 switches off the limit. + +-Default: 0 (unlimited) ++Default: 2000 + .TP + .B max_login_fails + After this many login failures, the session is killed. +@@ -760,9 +776,9 @@ Default: 3 + .B max_per_ip + If vsftpd is in standalone mode, this is the maximum number of clients which + may be connected from the same source internet address. A client will get an +-error message if they go over this limit. ++error message if they go over this limit. The value 0 switches off the limit. + +-Default: 0 (unlimited) ++Default: 50 + .TP + .B pasv_max_port + The maximum port to allocate for PASV style data connections. 
Can be used to +-- +2.7.4 + diff --git a/0024-Introduce-new-return-value-450.patch b/0024-Introduce-new-return-value-450.patch new file mode 100644 index 0000000..f8c7b8c --- /dev/null +++ b/0024-Introduce-new-return-value-450.patch 
@@ -0,0 +1,77 @@ +From 1d5cdf309387ff92988ab17d746f015d833a4b92 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 11:08:52 +0100 +Subject: [PATCH 24/33] Introduce new return value 450: + + *450 Requested file action not taken. + File unavailable (e.g., file busy). +--- + ftpcodes.h | 1 + + postlogin.c | 9 ++++++++- + sysutil.c | 3 +++ + sysutil.h | 3 ++- + 4 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/ftpcodes.h b/ftpcodes.h +index 93290c0..81e25c5 100644 +--- a/ftpcodes.h ++++ b/ftpcodes.h +@@ -52,6 +52,7 @@ + #define FTP_TLS_FAIL 421 + #define FTP_BADSENDCONN 425 + #define FTP_BADSENDNET 426 ++#define FTP_FILETMPFAIL 450 + #define FTP_BADSENDFILE 451 + + #define FTP_BADCMD 500 +diff --git a/postlogin.c b/postlogin.c +index bf12970..29958c0 100644 +--- a/postlogin.c ++++ b/postlogin.c +@@ -679,7 +679,14 @@ handle_retr(struct vsf_session* p_sess, int is_http) + opened_file = str_open(&p_sess->ftp_arg_str, kVSFSysStrOpenReadOnly); + if (vsf_sysutil_retval_is_error(opened_file)) + { +- vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to open file."); ++ if (kVSFSysUtilErrAGAIN == vsf_sysutil_get_error()) ++ { ++ vsf_cmdio_write(p_sess, FTP_FILETMPFAIL, "Temporarily failed to open file"); ++ } ++ else ++ { ++ vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to open file."); ++ } + return; + } + /* Lock file if required */ +diff --git a/sysutil.c b/sysutil.c +index 9881a66..6d7cb3f 100644 +--- a/sysutil.c ++++ b/sysutil.c +@@ -1632,6 +1632,9 @@ vsf_sysutil_get_error(void) + case ENOENT: + retval = kVSFSysUtilErrNOENT; + break; ++ case EAGAIN: ++ retval = kVSFSysUtilErrAGAIN; ++ break; + default: + break; + } +diff --git a/sysutil.h b/sysutil.h +index 79b5514..c145bdf 100644 +--- a/sysutil.h ++++ b/sysutil.h +@@ -18,7 +18,8 @@ enum EVSFSysUtilError + kVSFSysUtilErrINVAL, + kVSFSysUtilErrOPNOTSUPP, + kVSFSysUtilErrACCES, +- kVSFSysUtilErrNOENT ++ kVSFSysUtilErrNOENT, ++ kVSFSysUtilErrAGAIN + }; + enum EVSFSysUtilError 
vsf_sysutil_get_error(void); + +-- +2.7.4 + diff --git a/0025-Improve-local_max_rate-option.patch b/0025-Improve-local_max_rate-option.patch new file mode 100644 index 0000000..3560d87 --- /dev/null +++ b/0025-Improve-local_max_rate-option.patch 
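Review bot: The two replies in the postlogin.c hunk differ in punctuation — the new `"Temporarily failed to open file"` sits next to the existing `"Failed to open file."` — so `"Temporarily failed to open file."` would keep the reply style uniform. The new enum member kVSFSysUtilErrAGAIN is appended last, which keeps the existing values stable; a one-line comment in sysutil.h such as `/* Append new values at the end to keep existing ones stable */` would preserve that for the next addition. handle_retr and vsf_sysutil_get_error both start and end outside the hunk.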
@@ -0,0 +1,90 @@ +From 386db86fe865fb552b1867af4bf4b78dbf9080cf Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 12:44:26 +0100 +Subject: [PATCH 25/33] Improve local_max_rate option. + +Now it should work as expected. +--- + ftpdataio.c | 14 +++++++------- + main.c | 2 +- + session.h | 3 ++- + 3 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/ftpdataio.c b/ftpdataio.c +index 3e4e9c9..00f9021 100644 +--- a/ftpdataio.c ++++ b/ftpdataio.c +@@ -249,7 +249,7 @@ handle_io(int retval, int fd, void* p_private) + { + long curr_sec; + long curr_usec; +- unsigned int bw_rate; ++ unsigned long bw_rate; + double elapsed; + double pause_time; + double rate_ratio; +@@ -276,19 +276,16 @@ handle_io(int retval, int fd, void* p_private) + { + elapsed = (double) 0.01; + } +- bw_rate = (unsigned int) ((double) retval / elapsed); +- if (bw_rate <= p_sess->bw_rate_max) ++ p_sess->bw_retval += retval; ++ bw_rate = (unsigned long) ((double) p_sess->bw_retval / elapsed); ++ if (bw_rate <= p_sess->bw_rate_max || p_sess->bw_retval < (unsigned long)(10*retval)) + { +- p_sess->bw_send_start_sec = curr_sec; +- p_sess->bw_send_start_usec = curr_usec; + return; + } + /* Tut! 
Rate exceeded, calculate a pause to bring things back into line */ + rate_ratio = (double) bw_rate / (double) p_sess->bw_rate_max; + pause_time = (rate_ratio - (double) 1) * elapsed; + vsf_sysutil_sleep(pause_time); +- p_sess->bw_send_start_sec = vsf_sysutil_get_time_sec(); +- p_sess->bw_send_start_usec = vsf_sysutil_get_time_usec(); + } + + int +@@ -441,6 +438,9 @@ struct vsf_transfer_ret + vsf_ftpdataio_transfer_file(struct vsf_session* p_sess, int remote_fd, + int file_fd, int is_recv, int is_ascii) + { ++ p_sess->bw_send_start_sec = vsf_sysutil_get_time_sec(); ++ p_sess->bw_send_start_usec = vsf_sysutil_get_time_usec(); ++ p_sess->bw_retval = 0; + if (!is_recv) + { + if (is_ascii || p_sess->data_use_ssl) +diff --git a/main.c b/main.c +index eaba265..f1e2f69 100644 +--- a/main.c ++++ b/main.c +@@ -40,7 +40,7 @@ main(int argc, const char* argv[]) + /* Control connection */ + 0, 0, 0, 0, 0, + /* Data connection */ +- -1, 0, -1, 0, 0, 0, 0, ++ -1, 0, -1, 0, 0, 0, 0, 0, + /* Login */ + 1, 0, INIT_MYSTR, INIT_MYSTR, + /* Protocol state */ +diff --git a/session.h b/session.h +index 956bfb7..3e8fdd5 100644 +--- a/session.h ++++ b/session.h +@@ -29,9 +29,10 @@ struct vsf_session + struct vsf_sysutil_sockaddr* p_port_sockaddr; + int data_fd; + int data_progress; +- unsigned int bw_rate_max; ++ unsigned long bw_rate_max; + long bw_send_start_sec; + long bw_send_start_usec; ++ unsigned long bw_retval; + + /* Details of the login */ + int is_anonymous; +-- +2.7.4 + diff --git a/0026-Prevent-hanging-in-SIGCHLD-handler.patch b/0026-Prevent-hanging-in-SIGCHLD-handler.patch new file mode 100644 index 0000000..9b186a8 --- /dev/null +++ b/0026-Prevent-hanging-in-SIGCHLD-handler.patch 
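Review bot: The new guard `p_sess->bw_retval < (unsigned long)(10*retval)` in handle_io is a magic threshold with no explanation; a comment such as `/* Don't throttle until roughly ten chunks of this size have gone out, so a single burst right after the start timestamp doesn't trigger a pause */` would record the intent, assuming that is what it is for. Since bw_send_start_* is now set once per transfer in vsf_ftpdataio_transfer_file and bw_retval accumulates, elapsed spans the whole transfer and `pause_time = (rate_ratio - (double) 1) * elapsed` can grow with transfer length; that looks intended (average-rate limiting) but deserves a comment, and a cap on pause_time would bound the worst case. handle_io starts outside the hunk.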
@@ -0,0 +1,81 @@ +From 1e65a0a15f819b8bf1b551bd84f71d0da1f5a00c Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:02:27 +0100 +Subject: [PATCH 26/33] Prevent hanging in SIGCHLD handler. + +vsftpd can now handle pam_exec.so in pam.d config without hanging +in SIGCHLD handler. +--- + sysutil.c | 4 ++-- + sysutil.h | 2 +- + twoprocess.c | 13 +++++++++++-- + 3 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/sysutil.c b/sysutil.c +index 6d7cb3f..099748f 100644 +--- a/sysutil.c ++++ b/sysutil.c +@@ -608,13 +608,13 @@ vsf_sysutil_exit(int exit_code) + } + + struct vsf_sysutil_wait_retval +-vsf_sysutil_wait(void) ++vsf_sysutil_wait(int hang) + { + struct vsf_sysutil_wait_retval retval; + vsf_sysutil_memclr(&retval, sizeof(retval)); + while (1) + { +- int sys_ret = wait(&retval.exit_status); ++ int sys_ret = waitpid(-1, &retval.exit_status, hang ? 0 : WNOHANG); + if (sys_ret < 0 && errno == EINTR) + { + vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0); +diff --git a/sysutil.h b/sysutil.h +index c145bdf..13153cd 100644 +--- a/sysutil.h ++++ b/sysutil.h +@@ -177,7 +177,7 @@ struct vsf_sysutil_wait_retval + int PRIVATE_HANDS_OFF_syscall_retval; + int PRIVATE_HANDS_OFF_exit_status; + }; +-struct vsf_sysutil_wait_retval vsf_sysutil_wait(void); ++struct vsf_sysutil_wait_retval vsf_sysutil_wait(int hang); + int vsf_sysutil_wait_reap_one(void); + int vsf_sysutil_wait_get_retval( + const struct vsf_sysutil_wait_retval* p_waitret); +diff --git a/twoprocess.c b/twoprocess.c +index 33d84dc..b1891e7 100644 +--- a/twoprocess.c ++++ b/twoprocess.c +@@ -47,8 +47,17 @@ static void + handle_sigchld(void* duff) + { + +- struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait(); ++ struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait(0); + (void) duff; ++ if (!vsf_sysutil_wait_get_exitcode(&wait_retval) && ++ !vsf_sysutil_wait_get_retval(&wait_retval)) ++ /* There was nobody to wait for, possibly caused by underlying library 
++ * which created a new process through fork()/vfork() and already picked ++ * it up, e.g. by pam_exec.so or integrity check routines for libraries ++ * when FIPS mode is on (nss freebl), which can lead to calling prelink ++ * if the prelink package is installed. ++ */ ++ return; + /* Child died, so we'll do the same! Report it as an error unless the child + * exited normally with zero exit code + */ +@@ -390,7 +399,7 @@ common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str, + priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK); + if (!p_sess->control_use_ssl) + { +- (void) vsf_sysutil_wait(); ++ (void) vsf_sysutil_wait(1); + } + else + { +-- +2.7.4 + diff --git a/0027-Delete-files-when-upload-fails.patch b/0027-Delete-files-when-upload-fails.patch new file mode 100644 index 0000000..98222e1 --- /dev/null +++ b/0027-Delete-files-when-upload-fails.patch 
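Review bot: With `waitpid(-1, &retval.exit_status, hang ? 0 : WNOHANG)` the handler still reaps any child of the process, so the race described in the new comment is only half closed: if SIGCHLD is delivered before the library (pam_exec.so per the commit message) reaches its own waitpid, handle_sigchld collects the helper's status first, the early return is not taken, and the privileged parent falls through to the "Child died, so we'll do the same" path below the hunk while the library gets ECHILD. If the pid of the unprivileged child is available to the parent, waiting on that pid instead of -1 removes the ambiguity; otherwise the comment should state that a foreign child reaped here is treated as fatal. The early-return test also depends on vsf_sysutil_wait_get_retval reporting 0 for the WNOHANG nothing-to-reap case, which deserves one line, e.g. `/* waitpid() returned 0 under WNOHANG: no child to reap, carry on */`. handle_sigchld's body continues past the hunk.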
@@ -0,0 +1,138 @@ +From 6224ecc5ac209323baa775880c0602c3fde3590a Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:10:41 +0100 +Subject: [PATCH 27/33] Delete files when upload fails. + +Previously the uploaded file wasn't removed when the network was +disconnected. Now it is successfully deleted. +--- + ftpcodes.h | 3 ++- + ftpdataio.c | 8 ++++++++ + main.c | 2 +- + postlogin.c | 9 ++++++++- + session.h | 1 + + sysutil.c | 10 ++++++++++ + sysutil.h | 1 + + 7 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/ftpcodes.h b/ftpcodes.h +index 81e25c5..54dfae7 100644 +--- a/ftpcodes.h ++++ b/ftpcodes.h +@@ -15,7 +15,8 @@ + #define FTP_PBSZOK 200 + #define FTP_PROTOK 200 + #define FTP_OPTSOK 200 +-#define FTP_ALLOOK 202 ++#define FTP_ALLOOK 200 ++#define FTP_ALLOIGN 202 + #define FTP_FEAT 211 + #define FTP_STATOK 211 + #define FTP_SIZEOK 213 +diff --git a/ftpdataio.c b/ftpdataio.c +index 00f9021..c859d80 100644 +--- a/ftpdataio.c ++++ b/ftpdataio.c +@@ -242,6 +242,10 @@ init_data_sock_params(struct vsf_session* p_sess, int sock_fd) + /* Start the timeout monitor */ + vsf_sysutil_install_io_handler(handle_io, p_sess); + start_data_alarm(p_sess); ++ if(tunable_delete_failed_uploads) ++ { ++ vsf_sysutil_rcvtimeo(sock_fd); ++ } + } + + static void +@@ -615,6 +619,10 @@ do_file_recv(struct vsf_session* p_sess, int file_fd, int is_ascii) + else if (retval == 0 && !prev_cr) + { + /* Transfer done, nifty */ ++ if (tunable_delete_failed_uploads && ++ !is_ascii && p_sess->upload_size > 0 && ++ p_sess->upload_size != ret_struct.transferred) ++ ret_struct.retval = -2; + return ret_struct; + } + num_to_write = (unsigned int) retval; +diff --git a/main.c b/main.c +index f1e2f69..f039081 100644 +--- a/main.c ++++ b/main.c +@@ -44,7 +44,7 @@ main(int argc, const char* argv[]) + /* Login */ + 1, 0, INIT_MYSTR, INIT_MYSTR, + /* Protocol state */ +- 0, 1, INIT_MYSTR, 0, 0, ++ 0, 0, 1, INIT_MYSTR, 0, 0, + /* HTTP hacks */ + 0, INIT_MYSTR, + /* Session 
state */ +diff --git a/postlogin.c b/postlogin.c +index 29958c0..e473c34 100644 +--- a/postlogin.c ++++ b/postlogin.c +@@ -356,7 +356,14 @@ process_post_login(struct vsf_session* p_sess) + } + else if (str_equal_text(&p_sess->ftp_cmd_str, "ALLO")) + { +- vsf_cmdio_write(p_sess, FTP_ALLOOK, "ALLO command ignored."); ++ if (tunable_delete_failed_uploads && !p_sess->is_ascii) ++ { ++ p_sess->upload_size = (filesize_t)vsf_sysutil_atoi(str_getbuf(&p_sess->ftp_cmd_str)+5); ++ vsf_cmdio_write(p_sess, FTP_ALLOOK, "The filesize has been allocated."); ++ } ++ else { ++ vsf_cmdio_write(p_sess, FTP_ALLOIGN, "ALLO command ignored."); ++ } + } + else if (str_equal_text(&p_sess->ftp_cmd_str, "REIN")) + { +diff --git a/session.h b/session.h +index 3e8fdd5..4eccf46 100644 +--- a/session.h ++++ b/session.h +@@ -41,6 +41,7 @@ struct vsf_session + struct mystr anon_pass_str; + + /* Details of the FTP protocol state */ ++ filesize_t upload_size; + filesize_t restart_pos; + int is_ascii; + struct mystr rnfr_filename_str; +diff --git a/sysutil.c b/sysutil.c +index 099748f..42bcdf8 100644 +--- a/sysutil.c ++++ b/sysutil.c +@@ -681,6 +681,16 @@ vsf_sysutil_activate_keepalive(int fd) + } + + void ++vsf_sysutil_rcvtimeo(int fd) ++{ ++ struct timeval tv; ++ ++ tv.tv_sec = tunable_data_connection_timeout; ++ tv.tv_usec = 0; ++ setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(struct timeval)); ++} ++ ++void + vsf_sysutil_activate_reuseaddr(int fd) + { + int reuseaddr = 1; +diff --git a/sysutil.h b/sysutil.h +index 13153cd..2886bbc 100644 +--- a/sysutil.h ++++ b/sysutil.h +@@ -266,6 +266,7 @@ void vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr, + const char* p_name); + /* Option setting on sockets */ + void vsf_sysutil_activate_keepalive(int fd); ++void vsf_sysutil_rcvtimeo(int fd); + void vsf_sysutil_set_iptos_throughput(int fd); + void vsf_sysutil_activate_reuseaddr(int fd); + void vsf_sysutil_set_nodelay(int fd); +-- +2.7.4 + 
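Review bot: The ALLO size is parsed from the wrong place: `str_equal_text(&p_sess->ftp_cmd_str, "ALLO")` has just matched ftp_cmd_str as exactly the four-character command word, so `str_getbuf(&p_sess->ftp_cmd_str)+5` points one byte past its terminator and vsf_sysutil_atoi reads whatever trails in the buffer rather than the client's number; the value should come from the string that carries the command argument (presumably a separate argument string — confirm against the command parser), and through a filesize_t-width parser rather than int atoi so sizes above INT_MAX are not truncated. upload_size is also never cleared after a transfer: a client that sends ALLO once and later STORs a file of a different size, or uses REST/APPE, gets every subsequent upload flagged with retval -2 and, if that path unlinks as the commit message says, deleted — reset it in vsf_ftpdataio_transfer_file or once the STOR completes. vsf_sysutil_rcvtimeo ignores setsockopt's return value and, when tunable_data_connection_timeout is 0, installs a zero timeval, which SO_RCVTIMEO treats as no timeout.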
diff --git a/0028-Fix-man-page-rendering.patch b/0028-Fix-man-page-rendering.patch new file mode 100644 index 0000000..4d6e5e7 --- /dev/null +++ b/0028-Fix-man-page-rendering.patch @@ -0,0 +1,26 @@ +From ea99be1a7a5973bbe8ed798b65abe5ce3b92f5df Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:12:52 +0100 +Subject: [PATCH 28/33] Fix man page rendering. + +--- + vsftpd.conf.5 | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index 31d317f..cf1ae34 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -495,7 +495,8 @@ Default: NO + .TP + .B ssl_request_cert + If enabled, vsftpd will request (but not necessarily require; see +-.BR require_cert) a certificate on incoming SSL connections. Normally this ++.BR require_cert ) ++a certificate on incoming SSL connections. Normally this + should not cause any trouble at all, but IBM zOS seems to have issues. + (New in v2.0.7). + +-- +2.7.4 + diff --git a/0029-Fix-segfault-in-config-file-parser.patch b/0029-Fix-segfault-in-config-file-parser.patch new file mode 100644 index 0000000..899bbd3 --- /dev/null +++ b/0029-Fix-segfault-in-config-file-parser.patch 
@@ -0,0 +1,25 @@ +From 34b9e1d10c6be736f1b20be8795c655446f38c5e Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:14:55 +0100 +Subject: [PATCH 29/33] Fix segfault in config file parser. + +--- + str.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/str.c b/str.c +index 41b27db..82b8ae4 100644 +--- a/str.c ++++ b/str.c +@@ -113,7 +113,7 @@ str_strdup_trimmed(const struct mystr* p_str) + for (h = 0; h < (int)str_getlen(p_str) && vsf_sysutil_isspace(p_trimmed[h]); h++) ; + for (t = str_getlen(p_str) - 1; t >= 0 && vsf_sysutil_isspace(p_trimmed[t]); t--) ; + newlen = t - h + 1; +- return newlen ? vsf_sysutil_strndup(p_trimmed+h, (unsigned int)newlen) : 0L; ++ return (newlen > 0) ? vsf_sysutil_strndup(p_trimmed+h, (unsigned int)newlen) : 0L; + } + + void +-- +2.7.4 + diff --git a/0030-Fix-logging-into-syslog-when-enabled-in-config.patch b/0030-Fix-logging-into-syslog-when-enabled-in-config.patch new file mode 100644 index 0000000..c828c27 --- /dev/null +++ b/0030-Fix-logging-into-syslog-when-enabled-in-config.patch @@ -0,0 +1,25 @@ +From 03ff061f18f555d7bec62fa6a597a275b4b3f1c7 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:18:22 +0100 +Subject: [PATCH 30/33] Fix logging into syslog when enabled in config. + +--- + logging.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/logging.c b/logging.c +index 99671b4..c4461f7 100644 +--- a/logging.c ++++ b/logging.c +@@ -32,7 +32,7 @@ vsf_log_init(struct vsf_session* p_sess) + { + if (tunable_syslog_enable || tunable_tcp_wrappers) + { +- vsf_sysutil_openlog(1); ++ vsf_sysutil_openlog(0); + } + if (!tunable_xferlog_enable && !tunable_dual_log_enable) + { +-- +2.7.4 + diff --git a/0031-Fix-question-mark-wildcard-withing-a-file-name.patch b/0031-Fix-question-mark-wildcard-withing-a-file-name.patch new file mode 100644 index 0000000..457404b --- /dev/null +++ b/0031-Fix-question-mark-wildcard-withing-a-file-name.patch 
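Review bot: The `newlen > 0` guard is correct but silent about the case it fixes: when the string is entirely whitespace the first loop runs h up to the length and the second leaves t at -1, so `newlen = t - h + 1` is negative and the old `newlen ?` test passed it through the `(unsigned int)` cast into vsf_sysutil_strndup as a huge length. A one-line comment above the return, `/* newlen < 0 when the string is all whitespace (h > t): return NULL, never a huge strndup */`, keeps the next reader from "simplifying" it back. Callers must already tolerate the 0L result for an empty string, so no new NULL path is introduced, though those callers are not visible here. str_strdup_trimmed's signature is before the hunk.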
@@ -0,0 +1,28 @@ +From 0da42468ac9518a544aad57d22d7697d6bdfa969 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:25:12 +0100 +Subject: [PATCH 31/33] Fix question mark wildcard withing a file name. + +Previously '?' worked only at the end of a file name, now it can +be used anywhere. +--- + ls.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ls.c b/ls.c +index 3c0988c..35c15c7 100644 +--- a/ls.c ++++ b/ls.c +@@ -459,7 +459,8 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, + must_match_at_current_pos = 0; + } + } while (locate_result.found && +- str_getlen(&name_remain_str) > 0 && last_token != '*'); ++ str_getlen(&name_remain_str) > 0 && ++ last_token != '*' && last_token != '?'); + } + /* Any incoming string left means no match unless we ended on the correct + * type of wildcard. +-- +2.7.4 + diff --git a/0032-Propagate-errors-from-nfs-with-quota-to-client.patch b/0032-Propagate-errors-from-nfs-with-quota-to-client.patch new file mode 100644 index 0000000..46a60c4 --- /dev/null +++ b/0032-Propagate-errors-from-nfs-with-quota-to-client.patch 
@@ -0,0 +1,147 @@ +From aa9cb48373018502ef99a57aad70b69c0c75ff65 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:29:59 +0100 +Subject: [PATCH 32/33] Propagate errors from nfs with quota to client. + +vsftpd now checks for errors when closing newly uploaded file and +forward errors to the client (e.g. when file system quota was +exceeded) +--- + ftpcodes.h | 1 + + postlogin.c | 32 ++++++++++++++++++++++++++++++-- + sysutil.c | 21 +++++++++++++++++++++ + sysutil.h | 1 + + 4 files changed, 53 insertions(+), 2 deletions(-) + +diff --git a/ftpcodes.h b/ftpcodes.h +index 54dfae7..97801f3 100644 +--- a/ftpcodes.h ++++ b/ftpcodes.h +@@ -74,6 +74,7 @@ + #define FTP_NOHANDLEPROT 536 + #define FTP_FILEFAIL 550 + #define FTP_NOPERM 550 ++#define FTP_DISKQUOTA 552 + #define FTP_UPLOADFAIL 553 + + #endif /* VSF_FTPCODES_H */ +diff --git a/postlogin.c b/postlogin.c +index e473c34..8363c9c 100644 +--- a/postlogin.c ++++ b/postlogin.c +@@ -28,6 +28,8 @@ + #include "vsftpver.h" + #include "opts.h" + ++#include ++ + /* Private local functions */ + static void handle_pwd(struct vsf_session* p_sess); + static void handle_cwd(struct vsf_session* p_sess); +@@ -1035,8 +1037,10 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique) + struct vsf_transfer_ret trans_ret; + int new_file_fd; + int remote_fd; ++ int close_errno; + int success = 0; + int created = 0; ++ int closed = 0; + int do_truncate = 0; + filesize_t offset = p_sess->restart_pos; + p_sess->restart_pos = 0; +@@ -1149,6 +1153,18 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique) + trans_ret = vsf_ftpdataio_transfer_file(p_sess, remote_fd, + new_file_fd, 1, 0); + } ++ ++ /* Need to check close operation here because some errors ++ * like EIO, EDQUOT, ENOSPC can be detected only on close ++ * when using NFS ++ */ ++ close_errno = vsf_sysutil_close_errno(new_file_fd); ++ closed = 1; ++ if (close_errno != 0) ++ { ++ trans_ret.retval = -1; ++ } ++ 
+ if (vsf_ftpdataio_dispose_transfer_fd(p_sess) != 1 && trans_ret.retval == 0) + { + trans_ret.retval = -2; +@@ -1161,7 +1177,16 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique) + } + if (trans_ret.retval == -1) + { +- vsf_cmdio_write(p_sess, FTP_BADSENDFILE, "Failure writing to local file."); ++ /* Disk quota exceeded */ ++ if (close_errno == EDQUOT) ++ { ++ vsf_cmdio_write(p_sess, FTP_DISKQUOTA, "Disk quota exceeded."); ++ } ++ /* any other local error */ ++ else ++ { ++ vsf_cmdio_write(p_sess, FTP_BADSENDFILE, "Failure writing to local file."); ++ } + } + else if (trans_ret.retval == -2) + { +@@ -1183,7 +1208,10 @@ port_pasv_cleanup_out: + { + str_unlink(p_filename); + } +- vsf_sysutil_close(new_file_fd); ++ if (!closed) ++ { ++ vsf_sysutil_close(new_file_fd); ++ } + } + + static void +diff --git a/sysutil.c b/sysutil.c +index 42bcdf8..1c0422e 100644 +--- a/sysutil.c ++++ b/sysutil.c +@@ -1269,6 +1269,27 @@ vsf_sysutil_close(int fd) + } + + int ++vsf_sysutil_close_errno(int fd) ++{ ++ while (1) ++ { ++ int retval = close(fd); ++ if (retval != 0) ++ { ++ if (errno == EINTR) ++ { ++ vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0); ++ continue; ++ } ++ else { ++ return errno; ++ } ++ } ++ return 0; ++ } ++} ++ ++int + vsf_sysutil_close_failok(int fd) + { + return close(fd); +diff --git a/sysutil.h b/sysutil.h +index 2886bbc..be727f5 100644 +--- a/sysutil.h ++++ b/sysutil.h +@@ -92,6 +92,7 @@ int vsf_sysutil_create_or_open_file_append(const char* p_filename, + int vsf_sysutil_create_or_open_file(const char* p_filename, unsigned int mode); + void vsf_sysutil_dupfd2(int old_fd, int new_fd); + void vsf_sysutil_close(int fd); ++int vsf_sysutil_close_errno(int fd); + int vsf_sysutil_close_failok(int fd); + int vsf_sysutil_unlink(const char* p_dead); + int vsf_sysutil_write_access(const char* p_filename); +-- +2.7.4 + 
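Review bot: vsf_sysutil_close_errno retries close() after EINTR, which is unsafe on Linux: the descriptor is already released when EINTR is reported, so the second close() can hit an unrelated descriptor that vsf_sysutil_check_pending_actions (called inside the same loop) or anything else opened in the meantime — a descriptor-confusion bug. Treat EINTR as a completed close, `if (errno == EINTR) return 0;`, or mirror whatever vsf_sysutil_close just above the hunk does, and say so in a comment. In postlogin.c the added `#include` line shows no header name on this page (presumably `<errno.h>` for EDQUOT); confirm it survived in the patch file. A failing close also overwrites any earlier trans_ret.retval with -1, so a data-path error is masked by the quota message when both occur. handle_upload_common's body extends beyond both sides of the hunk.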
diff --git a/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch b/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch new file mode 100644 index 0000000..a7254e2 --- /dev/null +++ b/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch 
@@ -0,0 +1,153 @@ +From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:36:17 +0100 +Subject: [PATCH 33/33] Introduce TLSv1.1 and TLSv1.2 options. + +Users can now enable a specific version of TLS protocol. +--- + parseconf.c | 2 ++ + ssl.c | 8 ++++++++ + tunables.c | 9 +++++++-- + tunables.h | 2 ++ + vsftpd.conf.5 | 24 ++++++++++++++++++++---- + 5 files changed, 39 insertions(+), 6 deletions(-) + +diff --git a/parseconf.c b/parseconf.c +index a2c715b..33a1349 100644 +--- a/parseconf.c ++++ b/parseconf.c +@@ -85,6 +85,8 @@ parseconf_bool_array[] = + { "ssl_sslv2", &tunable_sslv2 }, + { "ssl_sslv3", &tunable_sslv3 }, + { "ssl_tlsv1", &tunable_tlsv1 }, ++ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, ++ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, + { "tilde_user_enable", &tunable_tilde_user_enable }, + { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, + { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, +diff --git a/ssl.c b/ssl.c +index 96bf8ad..ba8a613 100644 +--- a/ssl.c ++++ b/ssl.c +@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess) + { + options |= SSL_OP_NO_TLSv1; + } ++ if (!tunable_tlsv1_1) ++ { ++ options |= SSL_OP_NO_TLSv1_1; ++ } ++ if (!tunable_tlsv1_2) ++ { ++ options |= SSL_OP_NO_TLSv1_2; ++ } + SSL_CTX_set_options(p_ctx, options); + if (tunable_rsa_cert_file) + { +diff --git a/tunables.c b/tunables.c +index 93f85b1..78f2bcd 100644 +--- a/tunables.c ++++ b/tunables.c +@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; + int tunable_sslv2; + int tunable_sslv3; + int tunable_tlsv1; ++int tunable_tlsv1_1; ++int tunable_tlsv1_2; + int tunable_tilde_user_enable; + int tunable_force_anon_logins_ssl; + int tunable_force_anon_data_ssl; +@@ -209,7 +211,10 @@ tunables_load_defaults() + tunable_force_local_data_ssl = 1; + tunable_sslv2 = 0; + tunable_sslv3 = 0; ++ /* TLSv1 up to TLSv1.2 is enabled by default */ + tunable_tlsv1 = 1; ++ tunable_tlsv1_1 = 1; ++ tunable_tlsv1_2 = 1; + 
tunable_tilde_user_enable = 0; + tunable_force_anon_logins_ssl = 0; + tunable_force_anon_data_ssl = 0; +@@ -292,8 +297,8 @@ tunables_load_defaults() + install_str_setting(0, &tunable_dsa_cert_file); + install_str_setting(0, &tunable_dh_param_file); + install_str_setting(0, &tunable_ecdh_param_file); +- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", +- &tunable_ssl_ciphers); ++ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", ++ &tunable_ssl_ciphers); + install_str_setting(0, &tunable_rsa_private_key_file); + install_str_setting(0, &tunable_dsa_private_key_file); + install_str_setting(0, &tunable_ca_certs_file); +diff --git a/tunables.h b/tunables.h +index 3e2d40c..a466427 100644 +--- a/tunables.h ++++ b/tunables.h +@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */ + extern int tunable_sslv2; /* Allow SSLv2 */ + extern int tunable_sslv3; /* Allow SSLv3 */ + extern int tunable_tlsv1; /* Allow TLSv1 */ ++extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ ++extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ + extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ + extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ + extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index cf1ae34..a3d569e 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -506,7 +506,7 @@ Default: YES + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit SSL v2 protocol connections. +-TLS v1 connections are preferred. ++TLS v1.2 connections are preferred. + + Default: NO + .TP +@@ -514,7 +514,7 @@ Default: NO + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit SSL v3 protocol connections. +-TLS v1 connections are preferred. ++TLS v1.2 connections are preferred. 
+ + Default: NO + .TP +@@ -522,7 +522,23 @@ Default: NO + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit TLS v1 protocol connections. +-TLS v1 connections are preferred. ++TLS v1.2 connections are preferred. ++ ++Default: YES ++.TP ++.B ssl_tlsv1_1 ++Only applies if ++.BR ssl_enable ++is activated. If enabled, this option will permit TLS v1.1 protocol connections. ++TLS v1.2 connections are preferred. ++ ++Default: YES ++.TP ++.B ssl_tlsv1_2 ++Only applies if ++.BR ssl_enable ++is activated. If enabled, this option will permit TLS v1.2 protocol connections. ++TLS v1.2 connections are preferred. + + Default: YES + .TP +@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful + security precaution as it prevents malicious remote parties forcing a cipher + which they have found problems with. + +-Default: DES-CBC3-SHA ++Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 + .TP + .B user_config_dir + This powerful option allows the override of any config option specified in +-- +2.7.4 + diff --git a/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch b/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch new file mode 100644 index 0000000..62fb66b --- /dev/null +++ b/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch 
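Review bot: The new default cipher string still carries DES-CBC3-SHA (3DES, 64-bit block, Sweet32-class attacks) and lists the only AEAD suites last, after the CBC/SHA1 ones, so if the server applies its own preference order the GCM suites will rarely be selected. Suggest `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA` with 3DES dropped, or at minimum a comment in tunables_load_defaults stating that 3DES is retained only for legacy clients. The repeated man-page sentence "TLS v1.2 connections are preferred" describes negotiation these options do not control — SSL_CTX_set_options only disables versions, and in practice the highest version enabled on both sides is negotiated — so "the highest version enabled on both sides is used" is the accurate wording. Since ssl_tlsv1 and ssl_tlsv1_1 default to YES, operators hardening a host need a hint that `ssl_tlsv1=NO` and `ssl_tlsv1_1=NO` are the knobs for turning the older protocols off. SSL_OP_NO_TLSv1_1/SSL_OP_NO_TLSv1_2 require OpenSSL 1.0.1 or later, which this build presumably has but is not guarded in ssl_init.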
@@ -0,0 +1,25 @@ +From 4922e60589326540b2ee4f0bdfd6cb95f645f3d5 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Fri, 18 Nov 2016 10:23:29 +0100 +Subject: [PATCH] Turn off seccomp sandbox, because it is too strict. + +--- + tunables.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tunables.c b/tunables.c +index 78f2bcd..5440c00 100644 +--- a/tunables.c ++++ b/tunables.c +@@ -237,7 +237,7 @@ tunables_load_defaults() + tunable_isolate_network = 1; + tunable_ftp_enable = 1; + tunable_http_enable = 0; +- tunable_seccomp_sandbox = 1; ++ tunable_seccomp_sandbox = 0; + tunable_allow_writeable_chroot = 0; + + tunable_accept_timeout = 60; +-- +2.7.4 + diff --git a/vsftpd-2.0.5-fix_qm.patch b/vsftpd-2.0.5-fix_qm.patch deleted file mode 100644 index 1890624..0000000 --- a/vsftpd-2.0.5-fix_qm.patch +++ /dev/null @@ -1,26 +0,0 @@ -From cdcb1c5f660fb4f72b4896f5145a34e9dd158252 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 12:00:34 +0100 -Subject: [PATCH 26/26] Applied vsftpd-2.0.5-fix_qm.patch - ---- - ls.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ls.c b/ls.c -index f18791d..de68c30 100644 ---- a/ls.c -+++ b/ls.c -@@ -459,7 +459,8 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, - must_match_at_current_pos = 0; - } - } while (locate_result.found && -- str_getlen(&name_remain_str) > 0 && last_token != '*'); -+ str_getlen(&name_remain_str) > 0 && -+ last_token != '*' && last_token != '?'); - } - /* Any incoming string left means no match unless we ended on the correct - * type of wildcard. --- -2.5.0 - diff --git a/vsftpd-2.1.0-build_ssl.patch b/vsftpd-2.1.0-build_ssl.patch deleted file mode 100644 index ce183b5..0000000 --- a/vsftpd-2.1.0-build_ssl.patch +++ /dev/null 
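Review bot: Flipping tunable_seccomp_sandbox to 0 removes a defense-in-depth layer for every deployment, and "too strict" gives a future maintainer nothing to act on: the syscalls the filter rejects (the PAM/NSS helper paths mentioned in the SIGCHLD patch are plausible candidates, but none are named here) should be listed so the filter can be extended instead of switched off. Add a comment at the changed line, e.g. `/* Fedora: off by default -- the seccomp filter rejects syscalls made by PAM/NSS helpers; see the tracking bug before re-enabling. */`, and update the seccomp_sandbox entry in vsftpd.conf.5 if it still documents the upstream default of YES (not visible in this diff). If the sandbox can stay on for configurations that do not load the affected modules, that is the security-relevant default to document. tunables_load_defaults continues outside the hunk.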
@@ -1,25 +0,0 @@ -From 2ee718251d602abf6f4c5bb2fc6d829e32d3f3e1 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 02/26] Applied vsftpd-2.1.0-build_ssl.patch - ---- - builddefs.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/builddefs.h b/builddefs.h -index e908352..63cc62b 100644 ---- a/builddefs.h -+++ b/builddefs.h -@@ -3,7 +3,7 @@ - - #undef VSF_BUILD_TCPWRAPPERS - #define VSF_BUILD_PAM --#undef VSF_BUILD_SSL -+#define VSF_BUILD_SSL - - #endif /* VSF_BUILDDEFS_H */ - --- -2.5.0 - diff --git a/vsftpd-2.1.0-configuration.patch b/vsftpd-2.1.0-configuration.patch deleted file mode 100644 index 5675351..0000000 --- a/vsftpd-2.1.0-configuration.patch +++ /dev/null 
@@ -1,483 +0,0 @@ -From 4c4dcfaa65c86da78d2cf49f0f4a5c8d63a78d3a Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 04/26] Applied vsftpd-2.1.0-configuration.patch - ---- - EXAMPLE/INTERNET_SITE/README | 6 +++--- - EXAMPLE/INTERNET_SITE_NOINETD/README | 4 ++-- - EXAMPLE/PER_IP_CONFIG/README | 4 ++-- - EXAMPLE/VIRTUAL_USERS/README | 14 +++++++------- - FAQ | 8 ++++---- - INSTALL | 10 +++++----- - README | 5 +++++ - defs.h | 2 +- - tunables.c | 10 +++++----- - vsftpd.8 | 10 +++++----- - vsftpd.conf | 20 +++++++++++++------- - vsftpd.conf.5 | 22 +++++++++++----------- - 12 files changed, 63 insertions(+), 52 deletions(-) - -diff --git a/EXAMPLE/INTERNET_SITE/README b/EXAMPLE/INTERNET_SITE/README -index 12b10a5..fe3d7ca 100644 ---- a/EXAMPLE/INTERNET_SITE/README -+++ b/EXAMPLE/INTERNET_SITE/README -@@ -41,13 +41,13 @@ no_access = 192.168.1.3 - As an example of how to ban certain sites from connecting, 192.168.1.3 will - be denied access. - --banner_fail = /etc/vsftpd.busy_banner -+banner_fail = /etc/vsftpd/busy_banner - - This is the file to display to users if the connection is refused for whatever - reason (too many users, IP banned). - - Example of how to populate it: --echo "421 Server busy, please try later." > /etc/vsftpd.busy_banner -+echo "421 Server busy, please try later." > /etc/vsftpd/busy_banner - - log_on_success += PID HOST DURATION - log_on_failure += HOST -@@ -62,7 +62,7 @@ Step 2) Set up your vsftpd configuration file. - - An example file is supplied. Install it like this: - --cp vsftpd.conf /etc -+cp vsftpd.conf /etc/vsftpd - - Let's example the contents of the file: - -diff --git a/EXAMPLE/INTERNET_SITE_NOINETD/README b/EXAMPLE/INTERNET_SITE_NOINETD/README -index ce17af2..9198c5f 100644 ---- a/EXAMPLE/INTERNET_SITE_NOINETD/README -+++ b/EXAMPLE/INTERNET_SITE_NOINETD/README -@@ -17,7 +17,7 @@ even per-connect-IP configurability. 
- - To use this example config: - --1) Copy the vsftpd.conf file in this directory to /etc/vsftpd.conf. -+1) Copy the vsftpd.conf file in this directory to /etc/vsftpd/vsftpd.conf. - - 2) Start up vsftpd, e.g. - vsftpd & -@@ -51,5 +51,5 @@ in the vsftpd.conf: - listen_address=192.168.1.2 - - And launch vsftpd with a specific config file like this: --vsftpd /etc/vsftpd.conf.site1 & -+vsftpd /etc/vsftpd/vsftpd.conf.site1 & - -diff --git a/EXAMPLE/PER_IP_CONFIG/README b/EXAMPLE/PER_IP_CONFIG/README -index a9ef352..34924d5 100644 ---- a/EXAMPLE/PER_IP_CONFIG/README -+++ b/EXAMPLE/PER_IP_CONFIG/README -@@ -20,12 +20,12 @@ directory: hosts.allow. It lives at /etc/hosts.allow. - - Let's have a look at the example: - --vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd_tcp_wrap.conf -+vsftpd: 192.168.1.3: setenv VSFTPD_LOAD_CONF /etc/vsftpd/tcp_wrap.conf - vsftpd: 192.168.1.4: DENY - - The first line: - If a client connects from 192.168.1.3, then vsftpd will apply the vsftpd --config file /etc/vsftpd_tcp_wrap.conf to the session! These settings are -+config file /etc/vsftpd/tcp_wrap.conf to the session! These settings are - applied ON TOP of the default vsftpd.conf. - This is obviously very powerful. You might use this to apply different - access restrictions for some IPs (e.g. the ability to upload). -diff --git a/EXAMPLE/VIRTUAL_USERS/README b/EXAMPLE/VIRTUAL_USERS/README -index b48995d..72972fa 100644 ---- a/EXAMPLE/VIRTUAL_USERS/README -+++ b/EXAMPLE/VIRTUAL_USERS/README -@@ -15,7 +15,7 @@ See example file "logins.txt" - this specifies "tom" with password "foo" and - "fred" with password "bar". - Whilst logged in as root, create the actual database file like this: - --db_load -T -t hash -f logins.txt /etc/vsftpd_login.db -+db_load -T -t hash -f logins.txt /etc/vsftpd/login.db - (Requires the Berkeley db program installed). - NOTE: Many systems have multiple versions of "db" installed, so you may - need to use e.g. db3_load for correct operation. 
This is known to affect -@@ -23,10 +23,10 @@ some Debian systems. The core issue is that pam_userdb expects its login - database to be a specific db version (often db3, whereas db4 may be installed - on your system). - --This will create /etc/vsftpd_login.db. Obviously, you may want to make sure -+This will create /etc/vsftpd/login.db. Obviously, you may want to make sure - the permissions are restricted: - --chmod 600 /etc/vsftpd_login.db -+chmod 600 /etc/vsftpd/login.db - - For more information on maintaing your login database, look around for - documentation on "Berkeley DB", e.g. -@@ -37,8 +37,8 @@ Step 2) Create a PAM file which uses your new database. - - See the example file vsftpd.pam. It contains two lines: - --auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login --account required /lib/security/pam_userdb.so db=/etc/vsftpd_login -+auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login -+account required /lib/security/pam_userdb.so db=/etc/vsftpd/login - - This tells PAM to authenticate users using our new database. Copy this PAM - file to the PAM directory - typically /etc/pam.d/ -@@ -108,9 +108,9 @@ pasv_max_port=30999 - These put a port range on passive FTP incoming requests - very useful if - you are configuring a firewall. - --Copy the example vsftpd.conf file to /etc: -+Copy the example vsftpd.conf file to /etc/vsftpd: - --cp vsftpd.conf /etc/ -+cp vsftpd.conf /etc/vsftpd/ - - - Step 5) Start up vsftpd. -diff --git a/FAQ b/FAQ -index 59fe56b..0142a0d 100644 ---- a/FAQ -+++ b/FAQ -@@ -35,7 +35,7 @@ needs this user to run bits of itself with no privilege. - Q) Help! Local users cannot log in. - A) There are various possible problems. - A1) By default, vsftpd disables any logins other than anonymous logins. Put --local_enable=YES in your /etc/vsftpd.conf to allow local users to log in. -+local_enable=YES in your /etc/vsftpd/vsftpd.conf to allow local users to log in. - A2) vsftpd tries to link with PAM. 
(Run "ldd vsftpd" and look for libpam to - find out whether this has happened or not). If vsftpd links with PAM, then - you will need to have a PAM file installed for the vsftpd service. There is -@@ -47,12 +47,12 @@ system have a "shadow.h" file in the include path? - A4) If you are not using PAM, then vsftpd will do its own check for a valid - user shell in /etc/shells. You may need to disable this if you use an invalid - shell to disable logins other than FTP logins. Put check_shell=NO in your --/etc/vsftpd.conf. -+/etc/vsftpd/vsftpd.conf. - - Q) Help! Uploads or other write commands give me "500 Unknown command.". - A) By default, write commands, including uploads and new directories, are - disabled. This is a security measure. To enable writes, put write_enable=YES --in your /etc/vsftpd.conf. -+in your /etc/vsftpd/vsftpd.conf. - - Q) Help! What are the security implications referred to in the - "chroot_local_user" option? -@@ -88,7 +88,7 @@ A2) Alternatively, run as many copies as vsftpd as necessary, in standalone - mode. Use "listen_address=x.x.x.x" to set the virtual IP. - - Q) Help! Does vsftpd support virtual users? --A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd.conf. This -+A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd/vsftpd.conf. This - has the effect of mapping every non-anonymous successful login to the local - username specified in "guest_username". Then, use PAM and (e.g.) its pam_userdb - module to provide authentication against an external (i.e. non-/etc/passwd) -diff --git a/INSTALL b/INSTALL -index 4f811aa..93a8a81 100644 ---- a/INSTALL -+++ b/INSTALL -@@ -56,14 +56,14 @@ cp vsftpd.8 /usr/local/man/man8 - - "make install" doesn't copy the sample config file. It is recommended you - do this: --cp vsftpd.conf /etc -+cp vsftpd.conf /etc/vsftpd - - Step 4) Smoke test (without an inetd). - - vsftpd can run standalone or via an inetd (such as inetd or xinetd). 
You will - typically get more control running vsftpd from an inetd. But first we will run - it without, so we can check things are going well so far. --Edit /etc/vsftpd.conf, and add this line at the bottom: -+Edit /etc/vsftpd/vsftpd.conf, and add this line at the bottom: - - listen=YES - -@@ -135,11 +135,11 @@ cp RedHat/vsftpd.pam /etc/pam.d/ftp - Step 7) Customize your configuration - - As well as the above three pre-requisites, you are recommended to install a --config file. The default location for the config file is /etc/vsftpd.conf. -+config file. The default location for the config file is /etc/vsftpd/vsftpd.conf. - There is a sample vsftpd.conf in the distribution tarball. You probably want --to copy that to /etc/vsftpd.conf as a basis for modification, i.e.: -+to copy that to /etc/vsftpd/vsftpd.conf as a basis for modification, i.e.: - --cp vsftpd.conf /etc -+cp vsftpd.conf /etc/vsftpd - - The default configuration allows neither local user logins nor anonymous - uploads. You may wish to change these defaults. -diff --git a/README b/README -index 86643c1..adc7f42 100644 ---- a/README -+++ b/README -@@ -37,3 +37,8 @@ All configuration options are documented in the manual page vsftpd.conf.5. - Various example configurations are discussed in the EXAMPLE directory. - Frequently asked questions are tackled in the FAQ file. - -+Important Note -+============== -+The location of configuration files was changed to /etc/vsftpd/. 
If you want -+to migrate your old conf files from /etc (files vsftpd.xxxx.rpmsave) use -+/etc/vsfptd/vsftpd_conf_migrate.sh -diff --git a/defs.h b/defs.h -index 0ff5864..ca11eac 100644 ---- a/defs.h -+++ b/defs.h -@@ -1,7 +1,7 @@ - #ifndef VSF_DEFS_H - #define VSF_DEFS_H - --#define VSFTP_DEFAULT_CONFIG "/etc/vsftpd.conf" -+#define VSFTP_DEFAULT_CONFIG "/etc/vsftpd/vsftpd.conf" - - #define VSFTP_COMMAND_FD 0 - -diff --git a/tunables.c b/tunables.c -index 284a10d..0ac4c34 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -190,7 +190,7 @@ tunables_load_defaults() - tunable_listen_ipv6 = 0; - tunable_dual_log_enable = 0; - tunable_syslog_enable = 0; -- tunable_background = 0; -+ tunable_background = 1; - tunable_virtual_use_local_privs = 0; - tunable_session_support = 0; - tunable_download_enable = 1; -@@ -262,11 +262,11 @@ tunables_load_defaults() - install_str_setting(".message", &tunable_message_file); - install_str_setting("nobody", &tunable_nopriv_user); - install_str_setting(0, &tunable_ftpd_banner); -- install_str_setting("/etc/vsftpd.banned_emails", &tunable_banned_email_file); -- install_str_setting("/etc/vsftpd.chroot_list", &tunable_chroot_list_file); -+ install_str_setting("/etc/vsftpd/banned_emails", &tunable_banned_email_file); -+ install_str_setting("/etc/vsftpd/chroot_list", &tunable_chroot_list_file); - install_str_setting("ftp", &tunable_pam_service_name); - install_str_setting("ftp", &tunable_guest_username); -- install_str_setting("/etc/vsftpd.user_list", &tunable_userlist_file); -+ install_str_setting("/etc/vsftpd/user_list", &tunable_userlist_file); - install_str_setting(0, &tunable_anon_root); - install_str_setting(0, &tunable_local_root); - install_str_setting(0, &tunable_banner_file); -@@ -279,7 +279,7 @@ tunables_load_defaults() - install_str_setting(0, &tunable_hide_file); - install_str_setting(0, &tunable_deny_file); - install_str_setting(0, &tunable_user_sub_token); -- install_str_setting("/etc/vsftpd.email_passwords", -+ 
install_str_setting("/etc/vsftpd/email_passwords", - &tunable_email_password_file); - install_str_setting("/usr/share/ssl/certs/vsftpd.pem", - &tunable_rsa_cert_file); -diff --git a/vsftpd.8 b/vsftpd.8 -index 6640b57..c920e7d 100644 ---- a/vsftpd.8 -+++ b/vsftpd.8 -@@ -21,7 +21,7 @@ itself will listen on the network. This latter mode is easier to use, and - recommended. It is activated by setting - .Pa listen=YES - in --.Pa /etc/vsftpd.conf . -+.Pa /etc/vsftpd/vsftpd.conf . - Direct execution of the - .Nm vsftpd - binary will then launch the FTP service ready for immediate client connections. -@@ -33,7 +33,7 @@ as root. Any command line option not starting with a "-" character is treated - as a config file that will be loaded. Note that config files are loaded in the - strict order that they are encountered on the command line. - If no config files are specified, the default configuration file of --.Pa /etc/vsftpd.conf -+.Pa /etc/vsftpd/vsftpd.conf - will be loaded, after all other command line options are processed. - .Pp - Supported options are: -@@ -47,14 +47,14 @@ their appearance on the command line, including intermingling with loading of - config files. - .El - .Sh EXAMPLES --vsftpd -olisten=NO /etc/vsftpd.conf -oftpd_banner=blah -+vsftpd -olisten=NO /etc/vsftpd/vsftpd.conf -oftpd_banner=blah - .Pp - That example overrides vsftpd's built-in default for the "listen" option to be --NO, but then loads /etc/vsftpd.conf which may override that setting. Finally, -+NO, but then loads /etc/vsftpd/vsftpd.conf which may override that setting. Finally, - the "ftpd_banner" setting is set to "blah", which overrides any default vsftpd - setting and any identical setting that was in the config file. 
- .Sh FILES --.Pa /etc/vsftpd.conf -+.Pa /etc/vsftpd/vsftpd.conf - .Sh SEE ALSO - .Xr vsftpd.conf 5 - .end -diff --git a/vsftpd.conf b/vsftpd.conf -index cc1c607..db44170 100644 ---- a/vsftpd.conf -+++ b/vsftpd.conf -@@ -1,4 +1,4 @@ --# Example config file /etc/vsftpd.conf -+# Example config file /etc/vsftpd/vsftpd.conf - # - # The default compiled in settings are fairly paranoid. This sample file - # loosens things up a bit, to make the ftp daemon more usable. -@@ -12,18 +12,20 @@ - anonymous_enable=YES - # - # Uncomment this to allow local users to log in. --#local_enable=YES -+# When SELinux is enforcing check for SE bool ftp_home_dir -+local_enable=YES - # - # Uncomment this to enable any form of FTP write command. --#write_enable=YES -+write_enable=YES - # - # Default umask for local users is 077. You may wish to change this to 022, - # if your users expect that (022 is used by most other ftpd's) --#local_umask=022 -+local_umask=022 - # - # Uncomment this to allow the anonymous FTP user to upload files. This only - # has an effect if the above global write enable is activated. Also, you will - # obviously need to create a directory writable by the FTP user. -+# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access - #anon_upload_enable=YES - # - # Uncomment this if you want the anonymous FTP user to be able to create -@@ -52,7 +54,7 @@ connect_from_port_20=YES - # - # If you want, you can have your log file in standard ftpd xferlog format. - # Note that the default log file location is /var/log/xferlog in this case. --#xferlog_std_format=YES -+xferlog_std_format=YES - # - # You may change the default value for timing out an idle session. - #idle_session_timeout=600 -@@ -87,7 +89,7 @@ connect_from_port_20=YES - # useful for combatting certain DoS attacks. 
- #deny_email_enable=YES - # (default follows) --#banned_email_file=/etc/vsftpd.banned_emails -+#banned_email_file=/etc/vsftpd/banned_emails - # - # You may specify an explicit list of local users to chroot() to their home - # directory. If chroot_local_user is YES, then this list becomes a list of -@@ -98,7 +100,7 @@ connect_from_port_20=YES - #chroot_local_user=YES - #chroot_list_enable=YES - # (default follows) --#chroot_list_file=/etc/vsftpd.chroot_list -+#chroot_list_file=/etc/vsftpd/chroot_list - # - # You may activate the "-R" option to the builtin ls. This is disabled by - # default to avoid remote users being able to cause excessive I/O on large -@@ -115,3 +117,7 @@ listen=YES - # sockets, you must run two copies of vsftpd with two configuration files. - # Make sure, that one of the listen options is commented !! - #listen_ipv6=YES -+ -+pam_service_name=vsftpd -+userlist_enable=YES -+tcp_wrappers=YES -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index fcc6022..5e46a2f 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -4,7 +4,7 @@ vsftpd.conf \- config file for vsftpd - .SH DESCRIPTION - vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By - default, vsftpd looks for this file at the location --.BR /etc/vsftpd.conf . -+.BR /etc/vsftpd/vsftpd.conf . - However, you may override this by specifying a command line argument to - vsftpd. The command line argument is the pathname of the configuration file - for vsftpd. This behaviour is useful because you may wish to use an advanced -@@ -110,7 +110,7 @@ When enabled, and vsftpd is started in "listen" mode, vsftpd will background - the listener process. i.e. control will immediately be returned to the shell - which launched vsftpd. - --Default: NO -+Default: YES - .TP - .B check_shell - Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, -@@ -138,7 +138,7 @@ chroot() jail in their home directory upon login. 
The meaning is slightly - different if chroot_local_user is set to YES. In this case, the list becomes - a list of users which are NOT to be placed in a chroot() jail. - By default, the file containing this list is --/etc/vsftpd.chroot_list, but you may override this with the -+/etc/vsftpd/chroot_list, but you may override this with the - .BR chroot_list_file - setting. - -@@ -177,7 +177,7 @@ Default: NO - .B deny_email_enable - If activated, you may provide a list of anonymous password e-mail responses - which cause login to be denied. By default, the file containing this list is --/etc/vsftpd.banned_emails, but you may override this with the -+/etc/vsftpd/banned_emails, but you may override this with the - .BR banned_email_file - setting. - -@@ -433,7 +433,7 @@ anonymous logins are prevented unless the password provided is listed in the - file specified by the - .BR email_password_file - setting. The file format is one password per line, no extra whitespace. The --default filename is /etc/vsftpd.email_passwords. -+default filename is /etc/vsftpd/email_passwords. - - Default: NO - .TP -@@ -764,7 +764,7 @@ passwords which are not permitted. This file is consulted if the option - .BR deny_email_enable - is enabled. - --Default: /etc/vsftpd.banned_emails -+Default: /etc/vsftpd/banned_emails - .TP - .B banner_file - This option is the name of a file containing text to display when someone -@@ -803,7 +803,7 @@ is enabled. If the option - is enabled, then the list file becomes a list of users to NOT place in a - chroot() jail. - --Default: /etc/vsftpd.chroot_list -+Default: /etvsftpd.confc/vsftpd.chroot_list - .TP - .B cmds_allowed - This options specifies a comma separated list of allowed FTP commands (post -@@ -864,7 +864,7 @@ This option can be used to provide an alternate file for usage by the - .BR secure_email_list_enable - setting. 
- --Default: /etc/vsftpd.email_passwords -+Default: /etc/vsftpd/email_passwords - .TP - .B ftp_username - This is the name of the user we use for handling anonymous FTP. The home -@@ -987,10 +987,10 @@ the manual page, on a per-user basis. Usage is simple, and is best illustrated - with an example. If you set - .BR user_config_dir - to be --.BR /etc/vsftpd_user_conf -+.BR /etc/vsftpd/user_conf - and then log on as the user "chris", then vsftpd will apply the settings in - the file --.BR /etc/vsftpd_user_conf/chris -+.BR /etc/vsftpd/user_conf/chris - for the duration of the session. The format of this file is as detailed in - this manual page! PLEASE NOTE that not all settings are effective on a - per-user basis. For example, many settings only prior to the user's session -@@ -1026,7 +1026,7 @@ This option is the name of the file loaded when the - .BR userlist_enable - option is active. - --Default: /etc/vsftpd.user_list -+Default: /etc/vsftpd/user_list - .TP - .B vsftpd_log_file - This option is the name of the file to which we write the vsftpd style --- -2.5.0 - diff --git a/vsftpd-2.1.0-filter.patch b/vsftpd-2.1.0-filter.patch deleted file mode 100644 index 5632b62..0000000 --- a/vsftpd-2.1.0-filter.patch +++ /dev/null 
@@ -1,83 +0,0 @@
-From d8f1f584c96d3449265a54fa62c5944b1b7c915c Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 07/26] Applied vsftpd-2.1.0-filter.patch
-
----
- ls.c | 26 ++++++++++++++++++++++++--
- str.c | 11 +++++++++++
- str.h | 1 +
- 3 files changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/ls.c b/ls.c
-index 7e1376d..e9302dd 100644
---- a/ls.c
-+++ b/ls.c
-@@ -246,9 +246,31 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
- int ret = 0;
- char last_token = 0;
- int must_match_at_current_pos = 1;
-+
-+
- str_copy(&filter_remain_str, p_filter_str);
-- str_copy(&name_remain_str, p_filename_str);
--
-+
-+ if (!str_isempty (&filter_remain_str) && !str_isempty(p_filename_str)) {
-+ if (str_get_char_at(p_filter_str, 0) == '/') {
-+ if (str_get_char_at(p_filename_str, 0) != '/') {
-+ str_getcwd (&name_remain_str);
-+
-+ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
-+ str_append_char (&name_remain_str, '/');
-+
-+ str_append_str (&name_remain_str, p_filename_str);
-+ }
-+ else
-+ str_copy (&name_remain_str, p_filename_str);
-+ } else {
-+ if (str_get_char_at(p_filter_str, 0) != '{')
-+ str_basename (&name_remain_str, p_filename_str);
-+ else
-+ str_copy (&name_remain_str, p_filename_str);
-+ }
-+ } else
-+ str_copy(&name_remain_str, p_filename_str);
-+
- while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
- {
- static struct mystr s_match_needed_str;
-diff --git a/str.c b/str.c
-index 6596204..ba4b92a 100644
---- a/str.c
-+++ b/str.c
-@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_str, char new_char)
- }
- }
- 
-+void
-+str_basename (struct mystr* d_str, const struct mystr* path)
-+{
-+ static struct mystr tmp;
-+
-+ str_copy (&tmp, path);
-+ str_split_char_reverse(&tmp, d_str, '/');
-+
-+ if (str_isempty(d_str))
-+ str_copy (d_str, path);
-+}
-diff --git a/str.h b/str.h
-index ab0a9a4..3a21b50 100644
---- a/str.h
-+++ b/str.h
-@@ -100,6 
+100,7 @@ void str_replace_unprintable(struct mystr* p_str, char new_char);
- int str_atoi(const struct mystr* p_str);
- filesize_t str_a_to_filesize_t(const struct mystr* p_str);
- unsigned int str_octal_to_uint(const struct mystr* p_str);
-+void str_basename (struct mystr* d_str, const struct mystr* path);
- 
- /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
- * buffer, starting at character position 'p_pos'. The extracted line will
--- 
-2.5.0
-
diff --git a/vsftpd-2.1.0-libs.patch b/vsftpd-2.1.0-libs.patch
deleted file mode 100644
index 1bfa426..0000000
--- a/vsftpd-2.1.0-libs.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From e007fc137c6bee2d359af9cfc88cd01fb672cc1e Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 01/26] Applied vsftpd-2.1.0-libs.patch
-
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index c63ed1b..98118dc 100644
---- a/Makefile
-+++ b/Makefile
-@@ -8,7 +8,7 @@ CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
- -D_FORTIFY_SOURCE=2 \
- #-pedantic -Wconversion
- 
--LIBS = `./vsf_findlibs.sh`
-+LIBS = -lwrap -lnsl -lpam -lcap -ldl -lcrypto
- LINK = -Wl,-s
- LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
- 
--- 
-2.5.0
-
diff --git a/vsftpd-2.1.0-pam_hostname.patch b/vsftpd-2.1.0-pam_hostname.patch
deleted file mode 100644
index f523d30..0000000
--- a/vsftpd-2.1.0-pam_hostname.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From fb9754bb10105b6c23d355fd448f55ab94c704b8 Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 05/26] Applied vsftpd-2.1.0-pam_hostname.patch
-
----
- sysdeputil.c | 19 ++++++++++++++++---
- 1 file changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/sysdeputil.c b/sysdeputil.c
-index 06f01f4..b2782da 100644
---- a/sysdeputil.c
-+++ b/sysdeputil.c
-@@ -16,6 +16,10 @@
- #include "tunables.h"
- #include "builddefs.h"
- 
-+/* For gethostbyaddr, inet_addr */
-+#include
-+#include
-+
- /* For Linux, this adds nothing :-) */
- #include "port/porting_junk.h"
- 
-@@ -323,6 +327,10 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
- const struct mystr* p_remote_host)
- {
- int retval = -1;
-+#ifdef PAM_RHOST
-+ struct sockaddr_in sin;
-+ struct hostent *host;
-+#endif
- pam_item_t item;
- const char* pam_user_name = 0;
- struct pam_conv the_conv =
-@@ -346,7 +354,12 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
- return 0;
- }
- #ifdef PAM_RHOST
-- retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
-+ sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host));
-+ host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET);
-+ if (host != (struct hostent*)0)
-+ retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name);
-+ else
-+ retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
- if (retval != PAM_SUCCESS)
- {
- (void) pam_end(s_pamh, retval);
-@@ -559,7 +572,7 @@ vsf_sysdep_has_capabilities(void)
- }
- return s_runtime_has_caps;
- }
--
-+
- #ifndef VSF_SYSDEP_HAVE_LIBCAP
- static int
- do_checkcap(void)
-@@ -1081,7 +1094,7 @@ vsf_sysutil_recv_fd(const int sock_fd)
- msg.msg_flags = 0;
- /* In case something goes wrong, set the fd to -1 before the syscall */
- p_fd = (int*)CMSG_DATA(CMSG_FIRSTHDR(&msg));
-- *p_fd = -1;
-+ *p_fd = -1;
- retval = recvmsg(sock_fd, &msg, 0);
- if (retval != 1)
- {
--- 
-2.5.0
-
diff --git a/vsftpd-2.1.0-tcp_wrappers.patch b/vsftpd-2.1.0-tcp_wrappers.patch
deleted file mode 100644
index 4fe87d4..0000000
--- a/vsftpd-2.1.0-tcp_wrappers.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 3e01cb1388681f8a956c954570db4fe8ac61d1bc Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 03/26] Applied vsftpd-2.1.0-tcp_wrappers.patch
-
----
- builddefs.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/builddefs.h b/builddefs.h
-index 63cc62b..83de674 100644
---- a/builddefs.h
-+++ b/builddefs.h
-@@ -1,7 +1,7 @@
- #ifndef VSF_BUILDDEFS_H
- #define VSF_BUILDDEFS_H
- 
--#undef VSF_BUILD_TCPWRAPPERS
-+#define VSF_BUILD_TCPWRAPPERS
- #define VSF_BUILD_PAM
- #define VSF_BUILD_SSL
- 
--- 
-2.5.0
-
diff --git a/vsftpd-2.1.0-trim.patch b/vsftpd-2.1.0-trim.patch
deleted file mode 100644
index 8de7c1b..0000000
--- a/vsftpd-2.1.0-trim.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From aea6f1b484d06c56f636ae5ed7df232d6a94f57a Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 09/26] Applied vsftpd-2.1.0-trim.patch - ---- - parseconf.c | 2 +- - str.c | 12 ++++++++++++ - str.h | 1 + - sysutil.c | 12 ++++++++++++ - sysutil.h | 1 + - 5 files changed, 27 insertions(+), 1 deletion(-) - -diff --git a/parseconf.c b/parseconf.c -index 385afd2..30df598 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -280,7 +280,7 @@ vsf_parseconf_load_setting(const char* p_setting, int errs_fatal) - } - else - { -- *p_curr_setting = str_strdup(&s_value_str); -+ *p_curr_setting = str_strdup_trimmed(&s_value_str); - } - return; - } -diff --git a/str.c b/str.c -index ba4b92a..41b27db 100644 ---- a/str.c -+++ b/str.c -@@ -104,6 +104,18 @@ str_strdup(const struct mystr* p_str) - return vsf_sysutil_strdup(str_getbuf(p_str)); - } - -+const char* -+str_strdup_trimmed(const struct mystr* p_str) -+{ -+ const char* p_trimmed = str_getbuf(p_str); -+ int h, t, newlen; -+ -+ for (h = 0; h < (int)str_getlen(p_str) && vsf_sysutil_isspace(p_trimmed[h]); h++) ; -+ for (t = str_getlen(p_str) - 1; t >= 0 && vsf_sysutil_isspace(p_trimmed[t]); t--) ; -+ newlen = t - h + 1; -+ return newlen ? 
vsf_sysutil_strndup(p_trimmed+h, (unsigned int)newlen) : 0L; -+} -+ - void - str_alloc_alt_term(struct mystr* p_str, const char* p_src, char term) - { -diff --git a/str.h b/str.h -index 3a21b50..44270da 100644 ---- a/str.h -+++ b/str.h -@@ -31,6 +31,7 @@ void str_alloc_ulong(struct mystr* p_str, unsigned long the_ulong); - void str_alloc_filesize_t(struct mystr* p_str, filesize_t the_filesize); - void str_copy(struct mystr* p_dest, const struct mystr* p_src); - const char* str_strdup(const struct mystr* p_str); -+const char* str_strdup_trimmed(const struct mystr* p_str); - void str_empty(struct mystr* p_str); - void str_free(struct mystr* p_str); - void str_trunc(struct mystr* p_str, unsigned int trunc_len); -diff --git a/sysutil.c b/sysutil.c -index 5cdb6ef..428a34a 100644 ---- a/sysutil.c -+++ b/sysutil.c -@@ -1035,6 +1035,18 @@ vsf_sysutil_strdup(const char* p_str) - return strdup(p_str); - } - -+char* -+vsf_sysutil_strndup(const char* p_str, unsigned int p_len) -+{ -+ char *new = (char *)malloc(p_len+1); -+ -+ if (new == NULL) -+ return NULL; -+ -+ new[p_len]='\0'; -+ return (char *)memcpy(new, p_str, p_len); -+} -+ - void - vsf_sysutil_memclr(void* p_dest, unsigned int size) - { -diff --git a/sysutil.h b/sysutil.h -index c34778c..c2ddd15 100644 ---- a/sysutil.h -+++ b/sysutil.h -@@ -186,6 +186,7 @@ int vsf_sysutil_wait_get_exitcode( - /* Various string functions */ - unsigned int vsf_sysutil_strlen(const char* p_text); - char* vsf_sysutil_strdup(const char* p_str); -+char* vsf_sysutil_strndup(const char* p_str, unsigned int p_len); - void vsf_sysutil_memclr(void* p_dest, unsigned int size); - void vsf_sysutil_memcpy(void* p_dest, const void* p_src, - const unsigned int size); --- -2.5.0 - diff --git a/vsftpd-2.1.0-userlist_log.patch b/vsftpd-2.1.0-userlist_log.patch deleted file mode 100644 index b855ca7..0000000 --- a/vsftpd-2.1.0-userlist_log.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From 2f563a92cf4c12d8a37e413ffdc14a7eb4637c03 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 08/26] Applied vsftpd-2.1.0-userlist_log.patch - ---- - logging.c | 7 +++++++ - logging.h | 11 +++++++++++ - parseconf.c | 1 + - prelogin.c | 14 ++++++++++++++ - tunables.c | 2 ++ - tunables.h | 1 + - vsftpd.conf.5 | 8 ++++++++ - 7 files changed, 44 insertions(+) - -diff --git a/logging.c b/logging.c -index ad531d6..99671b4 100644 ---- a/logging.c -+++ b/logging.c -@@ -103,6 +103,13 @@ vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what, - vsf_log_common(p_sess, 1, what, p_str); - } - -+void -+vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what, -+ struct mystr* p_str) -+{ -+ vsf_log_common(p_sess, 0, what, p_str); -+} -+ - int - vsf_log_entry_pending(struct vsf_session* p_sess) - { -diff --git a/logging.h b/logging.h -index 48f88ec..1ff57d1 100644 ---- a/logging.h -+++ b/logging.h -@@ -80,5 +80,16 @@ void vsf_log_do_log(struct vsf_session* p_sess, int succeeded); - void vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what, - struct mystr* p_str); - -+/* vsf_log_failed_line() -+ * PURPOSE -+ * Same as vsf_log_line(), except that it logs the line as failed operation. 
-+ * PARAMETERS -+ * p_sess - the current session object -+ * what - the type of operation to log -+ * p_str - the string to log -+ */ -+void vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what, -+ struct mystr* p_str); -+ - #endif /* VSF_LOGGING_H */ - -diff --git a/parseconf.c b/parseconf.c -index ea2242b..385afd2 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -91,6 +91,7 @@ parseconf_bool_array[] = - { "mdtm_write", &tunable_mdtm_write }, - { "lock_upload_files", &tunable_lock_upload_files }, - { "pasv_addr_resolve", &tunable_pasv_addr_resolve }, -+ { "userlist_log", &tunable_userlist_log }, - { "debug_ssl", &tunable_debug_ssl }, - { "require_cert", &tunable_require_cert }, - { "validate_cert", &tunable_validate_cert }, -diff --git a/prelogin.c b/prelogin.c -index df4aade..1588bc1 100644 ---- a/prelogin.c -+++ b/prelogin.c -@@ -246,6 +246,20 @@ handle_user_command(struct vsf_session* p_sess) - check_login_delay(); - vsf_cmdio_write(p_sess, FTP_LOGINERR, "Permission denied."); - check_login_fails(p_sess); -+ if (tunable_userlist_log) -+ { -+ struct mystr str_log_line = INIT_MYSTR; -+ if (tunable_userlist_deny) -+ { -+ str_alloc_text(&str_log_line, "User is in the deny user list."); -+ } -+ else -+ { -+ str_alloc_text(&str_log_line, "User is not in the allow user list."); -+ } -+ vsf_log_failed_line(p_sess, kVSFLogEntryLogin, &str_log_line); -+ str_free(&str_log_line); -+ } - str_empty(&p_sess->user_str); - return; - } -diff --git a/tunables.c b/tunables.c -index 0ac4c34..b30fca1 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -72,6 +72,7 @@ int tunable_force_anon_data_ssl; - int tunable_mdtm_write; - int tunable_lock_upload_files; - int tunable_pasv_addr_resolve; -+int tunable_userlist_log; - int tunable_debug_ssl; - int tunable_require_cert; - int tunable_validate_cert; -@@ -212,6 +213,7 @@ tunables_load_defaults() - tunable_mdtm_write = 1; - tunable_lock_upload_files = 1; - tunable_pasv_addr_resolve = 0; -+ tunable_userlist_log = 0; - 
tunable_debug_ssl = 0; - tunable_require_cert = 0; - tunable_validate_cert = 0; -diff --git a/tunables.h b/tunables.h -index 05d2456..e44d64c 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ - extern int tunable_mdtm_write; /* Allow MDTM to set timestamps */ - extern int tunable_lock_upload_files; /* Lock uploading files */ - extern int tunable_pasv_addr_resolve; /* DNS resolve pasv_addr */ -+extern int tunable_userlist_log; /* Log every failed login attempt */ - extern int tunable_debug_ssl; /* Verbose SSL logging */ - extern int tunable_require_cert; /* SSL client cert required */ - extern int tunable_validate_cert; /* SSL certs must be valid */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 5e46a2f..9d767b1 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -588,6 +588,14 @@ Self-signed certs do not constitute OK validation. (New in v2.0.6). - - Default: NO - .TP -+.B userlist_log -+This option is examined if -+.BR userlist_enable -+is activated. If enabled, every login denial based on the user list will be -+logged. -+ -+Default: NO -+.TP - .B virtual_use_local_privs - If enabled, virtual users will use the same privileges as local users. By - default, virtual users will use the same privileges as anonymous users, which --- -2.5.0 - diff --git a/vsftpd-2.1.1-daemonize_plus.patch b/vsftpd-2.1.1-daemonize_plus.patch deleted file mode 100644 index d9d7e04..0000000 --- a/vsftpd-2.1.1-daemonize_plus.patch +++ /dev/null 
@@ -1,208 +0,0 @@ -From 662531f296a0b7341e4e6817e084585a7e7a1d87 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 10/26] Applied vsftpd-2.1.1-daemonize_plus.patch - ---- - standalone.c | 38 +++++++++++++++++++++++++++++++++++++- - sysutil.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - sysutil.h | 7 ++++++- - 3 files changed, 102 insertions(+), 2 deletions(-) - -diff --git a/standalone.c b/standalone.c -index e0f2d5b..3b65ea2 100644 ---- a/standalone.c -+++ b/standalone.c -@@ -26,6 +26,8 @@ static unsigned int s_ipaddr_size; - - static void handle_sigchld(void* duff); - static void handle_sighup(void* duff); -+static void handle_sigusr1(int sig); -+static void handle_sigalrm(int sig); - static void prepare_child(int sockfd); - static unsigned int handle_ip_count(void* p_raw_addr); - static void drop_ip_count(void* p_raw_addr); -@@ -46,11 +48,23 @@ vsf_standalone_main(void) - } - if (tunable_background) - { -+ vsf_sysutil_sigaction(kVSFSysUtilSigALRM, handle_sigalrm); -+ vsf_sysutil_sigaction(kVSFSysUtilSigUSR1, handle_sigusr1); -+ - int forkret = vsf_sysutil_fork(); - if (forkret > 0) - { - /* Parent, just exit */ -- vsf_sysutil_exit(0); -+ vsf_sysutil_set_alarm(3); -+ vsf_sysutil_pause(); -+ -+ vsf_sysutil_exit(1); -+ } -+ else if (forkret == 0) -+ { -+ // Son, restore original signal handler -+ vsf_sysutil_sigaction(kVSFSysUtilSigALRM, 0L); -+ vsf_sysutil_sigaction(kVSFSysUtilSigUSR1, 0L); - } - /* Son, close standard FDs to avoid SSH hang-on-exit */ - vsf_sysutil_reopen_standard_fds(); -@@ -99,6 +113,10 @@ vsf_standalone_main(void) - { - die("could not bind listening IPv4 socket"); - } -+ if (tunable_background) -+ { -+ vsf_sysutil_kill(vsf_sysutil_getppid(), kVSFSysUtilSigUSR1); -+ } - } - else - { -@@ -129,6 +147,10 @@ vsf_standalone_main(void) - { - die("could not bind listening IPv6 socket"); - } -+ if (tunable_background) -+ { -+ vsf_sysutil_kill(vsf_sysutil_getppid(), 
kVSFSysUtilSigUSR1); -+ } - } - vsf_sysutil_close(0); - vsf_sysutil_close(1); -@@ -268,6 +290,20 @@ handle_sighup(void* duff) - vsf_parseconf_load_file(0, 0); - } - -+static void -+handle_sigalrm(int sig) -+{ -+ (void)sig; // avoid unused parameter error -+ vsf_sysutil_exit(1); -+} -+ -+static void -+handle_sigusr1(int sig) -+{ -+ (void)sig; // avoid unused parameter error -+ vsf_sysutil_exit(0); -+} -+ - static unsigned int - hash_ip(unsigned int buckets, void* p_key) - { -diff --git a/sysutil.c b/sysutil.c -index 428a34a..c848356 100644 ---- a/sysutil.c -+++ b/sysutil.c -@@ -201,6 +201,9 @@ vsf_sysutil_translate_sig(const enum EVSFSysUtilSignal sig) - case kVSFSysUtilSigHUP: - realsig = SIGHUP; - break; -+ case kVSFSysUtilSigUSR1: -+ realsig = SIGUSR1; -+ break; - default: - bug("unknown signal in vsf_sysutil_translate_sig"); - break; -@@ -549,6 +552,12 @@ vsf_sysutil_getpid(void) - return (unsigned int) s_current_pid; - } - -+unsigned int -+vsf_sysutil_getppid(void) -+{ -+ return (unsigned int)getppid(); -+} -+ - int - vsf_sysutil_fork(void) - { -@@ -2871,3 +2880,53 @@ vsf_sysutil_post_fork() - s_sig_details[i].pending = 0; - } - } -+ -+static struct sigaction sigalr, sigusr1; -+ -+void -+vsf_sysutil_sigaction(const enum EVSFSysUtilSignal sig, void (*p_handlefunc)(int)) -+{ -+ int realsig = vsf_sysutil_translate_sig(sig); -+ int retval; -+ struct sigaction sigact, *origsigact=NULL; -+ if (realsig==SIGALRM) -+ { -+ origsigact = &sigalr; -+ } -+ else if (realsig==SIGUSR1) -+ { -+ origsigact = &sigusr1; -+ } -+ vsf_sysutil_memclr(&sigact, sizeof(sigact)); -+ if (p_handlefunc != NULL) -+ { -+ sigact.sa_handler = p_handlefunc; -+ retval = sigfillset(&sigact.sa_mask); -+ if (retval != 0) -+ { -+ die("sigfillset"); -+ } -+ retval = sigaction(realsig, &sigact, origsigact); -+ } -+ else -+ { -+ retval = sigaction(realsig, origsigact, NULL); -+ } -+ if (retval != 0) -+ { -+ die("sigaction"); -+ } -+} -+ -+int -+vsf_sysutil_kill(int pid, int sig) -+{ -+ int realsig = 
vsf_sysutil_translate_sig(sig); -+ return kill(pid, realsig); -+} -+ -+int -+vsf_sysutil_pause() -+{ -+ return pause(); -+} -diff --git a/sysutil.h b/sysutil.h -index c2ddd15..bfc92cb 100644 ---- a/sysutil.h -+++ b/sysutil.h -@@ -30,7 +30,8 @@ enum EVSFSysUtilSignal - kVSFSysUtilSigCHLD, - kVSFSysUtilSigPIPE, - kVSFSysUtilSigURG, -- kVSFSysUtilSigHUP -+ kVSFSysUtilSigHUP, -+ kVSFSysUtilSigUSR1 - }; - enum EVSFSysUtilInterruptContext - { -@@ -165,6 +166,7 @@ void vsf_sysutil_free(void* p_ptr); - - /* Process creation/exit/process handling */ - unsigned int vsf_sysutil_getpid(void); -+unsigned int vsf_sysutil_getppid(void); - void vsf_sysutil_post_fork(void); - int vsf_sysutil_fork(void); - int vsf_sysutil_fork_failok(void); -@@ -182,6 +184,9 @@ int vsf_sysutil_wait_exited_normally( - const struct vsf_sysutil_wait_retval* p_waitret); - int vsf_sysutil_wait_get_exitcode( - const struct vsf_sysutil_wait_retval* p_waitret); -+void vsf_sysutil_sigaction(const enum EVSFSysUtilSignal sig, void (*p_handlefunc)(int)); -+int vsf_sysutil_kill(int pid, int sig); -+int vsf_sysutil_pause(); - - /* Various string functions */ - unsigned int vsf_sysutil_strlen(const char* p_text); --- -2.5.0 - diff --git a/vsftpd-2.2.0-wildchar.patch b/vsftpd-2.2.0-wildchar.patch deleted file mode 100644 index 88c934b..0000000 --- a/vsftpd-2.2.0-wildchar.patch +++ /dev/null 
@@ -1,37 +0,0 @@
-From 46b1cacac22d4c5f0b7695579860f7ecc28d3efb Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 11/26] Applied vsftpd-2.2.0-wildchar.patch
-
----
- ls.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/ls.c b/ls.c
-index e9302dd..92be544 100644
---- a/ls.c
-+++ b/ls.c
-@@ -311,6 +311,20 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
- {
- goto out;
- }
-+ if (!must_match_at_current_pos && last_token == 0)
-+ {
-+ struct mystr last_str = INIT_MYSTR;
-+ str_mid_to_end(&name_remain_str, &last_str,
-+ str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str));
-+ locate_result = str_locate_str(&last_str, &s_match_needed_str);
-+ str_free(&last_str);
-+
-+ if (locate_result.found)
-+ {
-+ ret = 1;
-+ }
-+ goto out;
-+ }
- /* Chop matched string out of remainder */
- str_mid_to_end(&name_remain_str, &temp_str,
- indexx + str_getlen(&s_match_needed_str));
--- 
-2.5.0
-
diff --git a/vsftpd-2.2.2-blank-chars-overflow.patch b/vsftpd-2.2.2-blank-chars-overflow.patch
deleted file mode 100644
index c558db0..0000000
--- a/vsftpd-2.2.2-blank-chars-overflow.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From c7cbcc64c824d1a2a60f8d81c26d5c8215463623 Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Fri, 8 Apr 2016 15:05:06 +0200
-Subject: [PATCH 6/7] vsftpd-2.2.2-blank-chars-overflow
-
----
- str.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/str.c b/str.c
-index 41b27db..82b8ae4 100644
---- a/str.c
-+++ b/str.c
-@@ -113,7 +113,7 @@ str_strdup_trimmed(const struct mystr* p_str)
- for (h = 0; h < (int)str_getlen(p_str) && vsf_sysutil_isspace(p_trimmed[h]); h++) ;
- for (t = str_getlen(p_str) - 1; t >= 0 && vsf_sysutil_isspace(p_trimmed[t]); t--) ;
- newlen = t - h + 1;
-- return newlen ? vsf_sysutil_strndup(p_trimmed+h, (unsigned int)newlen) : 0L;
-+ return (newlen > 0) ? vsf_sysutil_strndup(p_trimmed+h, (unsigned int)newlen) : 0L;
- }
- 
- void
--- 
-2.5.5
-
diff --git a/vsftpd-2.2.2-clone.patch b/vsftpd-2.2.2-clone.patch
deleted file mode 100644
index 82b8db7..0000000
--- a/vsftpd-2.2.2-clone.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 1220fb187aa6b114ae4877fd74a42979d580d8ef Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 12/26] Applied vsftpd-2.2.2-clone.patch
----
- sysdeputil.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sysdeputil.c b/sysdeputil.c
-index b2782da..3bbabaa 100644
---- a/sysdeputil.c
-+++ b/sysdeputil.c
-@@ -1306,7 +1306,7 @@ vsf_sysutil_fork_isolate_failok()
- static int cloneflags_work = 1;
- if (cloneflags_work)
- {
-- int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
-+ int ret = clone(NULL, NULL, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
- if (ret != -1 || (errno != EINVAL && errno != EPERM))
- {
- if (ret == 0)
-@@ -1328,7 +1328,7 @@ vsf_sysutil_fork_newnet()
- static int cloneflags_work = 1;
- if (cloneflags_work)
- {
-- int ret = syscall(__NR_clone, CLONE_NEWNET | SIGCHLD, NULL);
-+ int ret = clone(NULL, NULL, CLONE_NEWNET | SIGCHLD, NULL);
- if (ret != -1 || (errno != EINVAL && errno != EPERM))
- {
- if (ret == 0)
---
-2.5.0
-
diff --git a/vsftpd-2.2.2-man-pages.patch b/vsftpd-2.2.2-man-pages.patch
deleted file mode 100644
index d59104a..0000000
--- a/vsftpd-2.2.2-man-pages.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From ab49bde79f81a422629210c23ccc83bc4e14ad2a Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Fri, 8 Apr 2016 15:03:16 +0200
-Subject: [PATCH 5/7] vsftpd-2.2.2-man-pages
----
- vsftpd.conf.5 | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index 7a8f130..45cd3c0 100644
---- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -495,7 +495,8 @@ Default: NO
- .TP
- .B ssl_request_cert
- If enabled, vsftpd will request (but not necessarily require; see
--.BR require_cert) a certificate on incoming SSL connections. Normally this
-+.BR require_cert )
-+a certificate on incoming SSL connections. Normally this
- should not cause any trouble at all, but IBM zOS seems to have issues.
- (New in v2.0.7).
-
---
-2.5.5
-
diff --git a/vsftpd-2.2.2-nfs-fail.patch b/vsftpd-2.2.2-nfs-fail.patch
deleted file mode 100644
index 674a01e..0000000
--- a/vsftpd-2.2.2-nfs-fail.patch
+++ /dev/null
@@ -1,144 +0,0 @@ -From 1be2ebccc0a5e1040fa9bb5f1cac8040070830df Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 14:51:29 +0100 -Subject: [PATCH 25/26] Applied vsftpd-2.2.2-nfs-fail.patch - ---- - ftpcodes.h | 1 + - postlogin.c | 32 ++++++++++++++++++++++++++++++-- - sysutil.c | 21 +++++++++++++++++++++ - sysutil.h | 1 + - 4 files changed, 53 insertions(+), 2 deletions(-) - -diff --git a/ftpcodes.h b/ftpcodes.h -index 81e25c5..3950f92 100644 ---- a/ftpcodes.h -+++ b/ftpcodes.h -@@ -73,6 +73,7 @@ - #define FTP_NOHANDLEPROT 536 - #define FTP_FILEFAIL 550 - #define FTP_NOPERM 550 -+#define FTP_DISKQUOTA 552 - #define FTP_UPLOADFAIL 553 - - #endif /* VSF_FTPCODES_H */ -diff --git a/postlogin.c b/postlogin.c -index 29958c0..154c16a 100644 ---- a/postlogin.c -+++ b/postlogin.c -@@ -28,6 +28,8 @@ - #include "vsftpver.h" - #include "opts.h" - -+#include -+ - /* Private local functions */ - static void handle_pwd(struct vsf_session* p_sess); - static void handle_cwd(struct vsf_session* p_sess); -@@ -1028,8 +1030,10 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique) - struct vsf_transfer_ret trans_ret; - int new_file_fd; - int remote_fd; -+ int close_errno; - int success = 0; - int created = 0; -+ int closed = 0; - int do_truncate = 0; - filesize_t offset = p_sess->restart_pos; - p_sess->restart_pos = 0; -@@ -1142,6 +1146,18 @@ handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique) - trans_ret = vsf_ftpdataio_transfer_file(p_sess, remote_fd, - new_file_fd, 1, 0); - } -+ -+ /* Need to check close operation here because some errors -+ * like EIO, EDQUOT, ENOSPC can be detected only on close -+ * when using NFS -+ */ -+ close_errno = vsf_sysutil_close_errno(new_file_fd); -+ closed = 1; -+ if (close_errno != 0) -+ { -+ trans_ret.retval = -1; -+ } -+ - if (vsf_ftpdataio_dispose_transfer_fd(p_sess) != 1 && trans_ret.retval == 0) - { - trans_ret.retval = -2; -@@ -1154,7 +1170,16 @@ 
handle_upload_common(struct vsf_session* p_sess, int is_append, int is_unique) - } - if (trans_ret.retval == -1) - { -- vsf_cmdio_write(p_sess, FTP_BADSENDFILE, "Failure writing to local file."); -+ /* Disk quota exceeded */ -+ if (close_errno == EDQUOT) -+ { -+ vsf_cmdio_write(p_sess, FTP_DISKQUOTA, "Disk quota exceeded."); -+ } -+ /* any other local error */ -+ else -+ { -+ vsf_cmdio_write(p_sess, FTP_BADSENDFILE, "Failure writing to local file."); -+ } - } - else if (trans_ret.retval == -2) - { -@@ -1176,7 +1201,10 @@ port_pasv_cleanup_out: - { - str_unlink(p_filename); - } -- vsf_sysutil_close(new_file_fd); -+ if (!closed) -+ { -+ vsf_sysutil_close(new_file_fd); -+ } - } - - static void -diff --git a/sysutil.c b/sysutil.c -index a924edf..6dfe350 100644 ---- a/sysutil.c -+++ b/sysutil.c -@@ -1259,6 +1259,27 @@ vsf_sysutil_close(int fd) - } - - int -+vsf_sysutil_close_errno(int fd) -+{ -+ while (1) -+ { -+ int retval = close(fd); -+ if (retval != 0) -+ { -+ if (errno == EINTR) -+ { -+ vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0); -+ continue; -+ } -+ else { -+ return errno; -+ } -+ } -+ return 0; -+ } -+} -+ -+int - vsf_sysutil_close_failok(int fd) - { - return close(fd); -diff --git a/sysutil.h b/sysutil.h -index c145bdf..26698cd 100644 ---- a/sysutil.h -+++ b/sysutil.h -@@ -92,6 +92,7 @@ int vsf_sysutil_create_or_open_file_append(const char* p_filename, - int vsf_sysutil_create_or_open_file(const char* p_filename, unsigned int mode); - void vsf_sysutil_dupfd2(int old_fd, int new_fd); - void vsf_sysutil_close(int fd); -+int vsf_sysutil_close_errno(int fd); - int vsf_sysutil_close_failok(int fd); - int vsf_sysutil_unlink(const char* p_dead); - int vsf_sysutil_write_access(const char* p_filename); --- -2.5.0 - diff --git a/vsftpd-2.2.2-syslog.patch b/vsftpd-2.2.2-syslog.patch deleted file mode 100644 index d92cdae..0000000 --- a/vsftpd-2.2.2-syslog.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From a480a9659fb0cab1c44006f6c06013e6e7f78948 Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Fri, 8 Apr 2016 15:05:53 +0200
-Subject: [PATCH 7/7] vsftpd-2.2.2-syslog
----
- logging.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/logging.c b/logging.c
-index 99671b4..c4461f7 100644
---- a/logging.c
-+++ b/logging.c
-@@ -32,7 +32,7 @@ vsf_log_init(struct vsf_session* p_sess)
- {
- if (tunable_syslog_enable || tunable_tcp_wrappers)
- {
-- vsf_sysutil_openlog(1);
-+ vsf_sysutil_openlog(0);
- }
- if (!tunable_xferlog_enable && !tunable_dual_log_enable)
- {
---
-2.5.5
-
diff --git a/vsftpd-2.3.4-listen_ipv6.patch b/vsftpd-2.3.4-listen_ipv6.patch
deleted file mode 100644
index ff28cc7..0000000
--- a/vsftpd-2.3.4-listen_ipv6.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From d723e42f895f8bbf6888512a772aa549b0a396d9 Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 15/26] Applied vsftpd-2.3.4-listen_ipv6.patch
----
- vsftpd.conf | 14 +++++++++-----
- vsftpd.conf.5 | 5 +++--
- 2 files changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/vsftpd.conf b/vsftpd.conf
-index db44170..ae6c6c9 100644
---- a/vsftpd.conf
-+++ b/vsftpd.conf
-@@ -111,12 +111,16 @@ xferlog_std_format=YES
- # When "listen" directive is enabled, vsftpd runs in standalone mode and
- # listens on IPv4 sockets. This directive cannot be used in conjunction
- # with the listen_ipv6 directive.
--listen=YES
--#
--# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
--# sockets, you must run two copies of vsftpd with two configuration files.
-+listen=NO
-+#
-+# This directive enables listening on IPv6 sockets. By default, listening
-+# on the IPv6 "any" address (::) will accept connections from both IPv6
-+# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
-+# sockets. If you want that (perhaps because you want to listen on specific
-+# addresses) then you must run two copies of vsftpd with two configuration
-+# files.
- # Make sure, that one of the listen options is commented !!
--#listen_ipv6=YES
-+listen_ipv6=YES
-
- pam_service_name=vsftpd
- userlist_enable=YES
-diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index 0744f85..72bb86f 100644
---- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -297,8 +297,9 @@ Default: NO
- .TP
- .B listen_ipv6
- Like the listen parameter, except vsftpd will listen on an IPv6 socket instead
--of an IPv4 one. This parameter and the listen parameter are mutually
--exclusive.
-+of an IPv4 one. Note that a socket listening on the IPv6 "any" address (::)
-+will accept both IPv6 and IPv4 connections by default. This parameter and the
-+listen parameter are mutually exclusive.
-
- Default: NO
- .TP
---
-2.5.0
-
diff --git a/vsftpd-2.3.4-sd.patch b/vsftpd-2.3.4-sd.patch
deleted file mode 100644
index bf6ac30..0000000
--- a/vsftpd-2.3.4-sd.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 4b7a6eecf79ee63c21fa27e5f5c22f248824991c Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 13/26] Applied vsftpd-2.3.4-sd.patch
----
- vsftpd.8 | 24 ++++++++++++++++++++++++
- vsftpd.conf.5 | 18 +++++++++++++++++-
- 2 files changed, 41 insertions(+), 1 deletion(-)
-
-diff --git a/vsftpd.8 b/vsftpd.8
-index c920e7d..fbeb1a2 100644
---- a/vsftpd.8
-+++ b/vsftpd.8
-@@ -25,6 +25,23 @@ in
- Direct execution of the
- .Nm vsftpd
- binary will then launch the FTP service ready for immediate client connections.
-+.Pp
-+Systemd changes the vsftpd daemon start-up. The vsftpd package contains vsftpd-generator script generating symbolic links to /var/run/systemd/generator/vsftpd.target.wants directory. The generator is called during e.g. 'systemctl --system daemon-reload'. All these symbolic links link /usr/lib/systemd/system/vsftpd@.service file.
-+The vsftpd daemon(s) is/are controlled by one of following ways:
-+.Pp
-+1. Single daemon using default /etc/vsftpd/vsftpd.conf configuration file
-+.br
-+# systemctl {start,stop,...} vsftpd[.service]
-+.Pp
-+2. Single daemon using /etc/vsftpd/.conf
-+.br
-+# systemctl {start,stop,...} vsftpd@[.service]
-+.Pp
-+3. All instances together
-+.br
-+# systemctl {restart,stop} vsftpd.target
-+.Pp
-+See systemd.unit(5), systemd.target(5) for further details.
- .Sh OPTIONS
- An optional
- configuration file or files
-@@ -55,6 +72,13 @@ the "ftpd_banner" setting is set to "blah", which overrides any default vsftpd
- setting and any identical setting that was in the config file.
- .Sh FILES
- .Pa /etc/vsftpd/vsftpd.conf
-+.Pp
-+.Pa /usr/lib/systemd/system/vsftpd.service
-+.Pp
-+.Pa /usr/lib/systemd/system/vsftpd@.service
-+.Pp
-+.Pa /usr/lib/systemd/system/vsftpd.target
- .Sh SEE ALSO
- .Xr vsftpd.conf 5
-+.Xr systemd.unit 5
- .end
-diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index 9d767b1..0744f85 100644
---- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -12,7 +12,23 @@ inetd such as
- .BR xinetd
- to launch vsftpd with different configuration files on a per virtual host
- basis.
--
-+.P
-+Systemd changes the vsftpd daemon start-up. The vsftpd package contains vsftpd-generator script generating symbolic links to /var/run/systemd/generator/vsftpd.target.wants directory. The generator is called during e. g. 'systemctl --system daemon-reload'. All these symbolic links link /usr/lib/systemd/system/vsftpd@.service file.
-+The vsftpd daemon(s) is/are controlled by one of following ways:
-+.P
-+1. Single daemon using default /etc/vsftpd/vsftpd.conf configuration file
-+.br
-+# systemctl {start,stop,...} vsftpd[.service]
-+.P
-+2. Single daemon using /etc/vsftpd/.conf
-+.br
-+# systemctl {start,stop,...} vsftpd@[.service]
-+.P
-+3. All instances together
-+.br
-+# systemctl {restart,stop} vsftpd.target
-+.P
-+See systemd.unit(5), systemd.target(5) for further details.
- .SH FORMAT
- The format of vsftpd.conf is very simple. Each line is either a comment or
- a directive. Comment lines start with a # and are ignored. A directive line
---
-2.5.0
-
diff --git a/vsftpd-2.3.4-sqb.patch b/vsftpd-2.3.4-sqb.patch
deleted file mode 100644
index 163f247..0000000
--- a/vsftpd-2.3.4-sqb.patch
+++ /dev/null
@@ -1,277 +0,0 @@ -From 9db0f2142b7d456af0a147a53c7555996e90dfd6 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 14/26] Applied vsftpd-2.3.4-sqb.patch - ---- - ls.c | 222 +++++++++++++++++++++++++++++++++++++++++++++---------------------- - 1 file changed, 150 insertions(+), 72 deletions(-) - -diff --git a/ls.c b/ls.c -index 92be544..0ad7f54 100644 ---- a/ls.c -+++ b/ls.c -@@ -246,7 +246,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, - int ret = 0; - char last_token = 0; - int must_match_at_current_pos = 1; -- -+ int matched = 0; - - str_copy(&filter_remain_str, p_filter_str); - -@@ -276,7 +276,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, - static struct mystr s_match_needed_str; - /* Locate next special token */ - struct str_locate_result locate_result = -- str_locate_chars(&filter_remain_str, "*?{"); -+ str_locate_chars(&filter_remain_str, "*?{["); - (*iters)++; - /* Isolate text leading up to token (if any) - needs to be matched */ - if (locate_result.found) -@@ -294,94 +294,172 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, - str_empty(&filter_remain_str); - last_token = 0; - } -- if (!str_isempty(&s_match_needed_str)) -- { -- /* Need to match something.. could be a match which has to start at -- * current position, or we could allow it to start anywhere -- */ -- unsigned int indexx; -- locate_result = str_locate_str(&name_remain_str, &s_match_needed_str); -- if (!locate_result.found) -+ -+ matched = 0; -+ do { -+ if (!str_isempty(&s_match_needed_str)) - { -- /* Fail */ -- goto out; -+ if (!matched) -+ { -+ matched = 1; -+ } -+ /* Need to match something.. 
could be a match which has to start at -+ * current position, or we could allow it to start anywhere -+ */ -+ unsigned int indexx; -+ locate_result = str_locate_str(&name_remain_str, &s_match_needed_str); -+ if (!locate_result.found) -+ { -+ /* Fail */ -+ goto out; -+ } -+ indexx = locate_result.index; -+ if (must_match_at_current_pos && indexx > 0) -+ { -+ goto out; -+ } -+ if (!must_match_at_current_pos && last_token == 0) -+ { -+ struct mystr last_str = INIT_MYSTR; -+ str_mid_to_end(&name_remain_str, &last_str, -+ str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str)); -+ locate_result = str_locate_str(&last_str, &s_match_needed_str); -+ str_free(&last_str); -+ -+ if (locate_result.found) -+ { -+ ret = 1; -+ } -+ goto out; -+ } -+ /* Chop matched string out of remainder */ -+ str_mid_to_end(&name_remain_str, &temp_str, -+ indexx + str_getlen(&s_match_needed_str)); -+ str_copy(&name_remain_str, &temp_str); - } -- indexx = locate_result.index; -- if (must_match_at_current_pos && indexx > 0) -+ if (last_token == '?') - { -- goto out; -+ if (str_isempty(&name_remain_str)) -+ { -+ goto out; -+ } -+ str_right(&name_remain_str, &temp_str, str_getlen(&name_remain_str) - 1); -+ str_copy(&name_remain_str, &temp_str); -+ must_match_at_current_pos = 1; - } -- if (!must_match_at_current_pos && last_token == 0) -+ else if (last_token == '{') - { -- struct mystr last_str = INIT_MYSTR; -- str_mid_to_end(&name_remain_str, &last_str, -- str_getlen(&name_remain_str) - str_getlen(&s_match_needed_str)); -- locate_result = str_locate_str(&last_str, &s_match_needed_str); -- str_free(&last_str); -+ struct str_locate_result end_brace = -+ str_locate_char(&filter_remain_str, '}'); -+ must_match_at_current_pos = 1; -+ if (end_brace.found) -+ { -+ int entire = (*iters == 1 && last_token == '{'); - -- if (locate_result.found) -+ str_split_char(&filter_remain_str, &temp_str, '}'); -+ str_copy(&brace_list_str, &filter_remain_str); -+ str_copy(&filter_remain_str, &temp_str); -+ 
str_split_char(&brace_list_str, &temp_str, ','); -+ while (!str_isempty(&brace_list_str)) -+ { -+ str_empty(&new_filter_str); -+ if (!matched && !entire) -+ { -+ str_append_char(&new_filter_str, '*'); -+ } -+ str_append_str(&new_filter_str, &brace_list_str); -+ str_append_str(&new_filter_str, &filter_remain_str); -+ if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str, -+ iters)) -+ { -+ ret = 1; -+ goto out; -+ } -+ str_copy(&brace_list_str, &temp_str); -+ str_split_char(&brace_list_str, &temp_str, ','); -+ } -+ goto out; -+ } -+ else if (str_isempty(&name_remain_str) || -+ str_get_char_at(&name_remain_str, 0) != '{') - { -- ret = 1; -+ goto out; -+ } -+ else -+ { -+ str_right(&name_remain_str, &temp_str, -+ str_getlen(&name_remain_str) - 1); -+ str_copy(&name_remain_str, &temp_str); - } -- goto out; -- } -- /* Chop matched string out of remainder */ -- str_mid_to_end(&name_remain_str, &temp_str, -- indexx + str_getlen(&s_match_needed_str)); -- str_copy(&name_remain_str, &temp_str); -- } -- if (last_token == '?') -- { -- if (str_isempty(&name_remain_str)) -- { -- goto out; - } -- str_right(&name_remain_str, &temp_str, str_getlen(&name_remain_str) - 1); -- str_copy(&name_remain_str, &temp_str); -- must_match_at_current_pos = 1; -- } -- else if (last_token == '{') -- { -- struct str_locate_result end_brace = -- str_locate_char(&filter_remain_str, '}'); -- must_match_at_current_pos = 1; -- if (end_brace.found) -+ else if (last_token == '[') - { -- str_split_char(&filter_remain_str, &temp_str, '}'); -- str_copy(&brace_list_str, &filter_remain_str); -- str_copy(&filter_remain_str, &temp_str); -- str_split_char(&brace_list_str, &temp_str, ','); -- while (!str_isempty(&brace_list_str)) -+ struct str_locate_result end_sqb = -+ str_locate_char(&filter_remain_str, ']'); -+ must_match_at_current_pos = 1; -+ if (end_sqb.found) - { -- str_copy(&new_filter_str, &brace_list_str); -- str_append_str(&new_filter_str, &filter_remain_str); -- if 
(vsf_filename_passes_filter(&name_remain_str, &new_filter_str, -- iters)) -+ unsigned int cur_pos; -+ char stch, ench; -+ const char *p_brace; -+ -+ str_split_char(&filter_remain_str, &temp_str, ']'); -+ str_copy(&brace_list_str, &filter_remain_str); -+ str_copy(&filter_remain_str, &temp_str); -+ p_brace = str_getbuf(&brace_list_str); -+ for (cur_pos = 0; cur_pos < str_getlen(&brace_list_str);) - { -- ret = 1; -- goto out; -+ stch = p_brace[cur_pos]; -+ // char vers. range -+ if (cur_pos + 2 < str_getlen(&brace_list_str) && -+ p_brace[cur_pos+1] == '-') -+ { -+ ench = p_brace[cur_pos+2]; -+ cur_pos += 3; -+ } -+ else -+ { -+ ench = stch; -+ cur_pos++; -+ } -+ // expand char[s] -+ for (;stch <= ench && !str_isempty(&brace_list_str); stch++) -+ { -+ str_empty(&new_filter_str); -+ if (!matched) -+ { -+ str_append_char(&new_filter_str, '*'); -+ } -+ str_append_char(&new_filter_str, stch); -+ str_append_str(&new_filter_str, &filter_remain_str); -+ if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str, -+ iters)) -+ { -+ ret = 1; -+ goto out; -+ } -+ } - } -- str_copy(&brace_list_str, &temp_str); -- str_split_char(&brace_list_str, &temp_str, ','); -+ goto out; -+ } -+ else if (str_isempty(&name_remain_str) || -+ str_get_char_at(&name_remain_str, 0) != '[') -+ { -+ goto out; -+ } -+ else -+ { -+ str_right(&name_remain_str, &temp_str, -+ str_getlen(&name_remain_str) - 1); -+ str_copy(&name_remain_str, &temp_str); - } -- goto out; -- } -- else if (str_isempty(&name_remain_str) || -- str_get_char_at(&name_remain_str, 0) != '{') -- { -- goto out; - } - else - { -- str_right(&name_remain_str, &temp_str, -- str_getlen(&name_remain_str) - 1); -- str_copy(&name_remain_str, &temp_str); -+ must_match_at_current_pos = 0; - } -- } -- else -- { -- must_match_at_current_pos = 0; -- } -+ } while (locate_result.found && -+ str_getlen(&name_remain_str) > 0 && last_token != '*'); - } - /* Any incoming string left means no match unless we ended on the correct - * type of 
wildcard.
---
-2.5.0
-
diff --git a/vsftpd-2.3.5-aslim.patch b/vsftpd-2.3.5-aslim.patch
deleted file mode 100644
index 6f271e2..0000000
--- a/vsftpd-2.3.5-aslim.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up vsftpd-3.0.3/defs.h.aslim vsftpd-3.0.3/defs.h
---- vsftpd-3.0.3/defs.h.aslim 2016-03-03 16:55:42.760819658 +0100
-+++ vsftpd-3.0.3/defs.h 2016-03-03 17:01:49.606873710 +0100
-@@ -19,7 +19,7 @@
- /* Must be at least the size of VSFTP_MAX_COMMAND_LINE, VSFTP_DIR_BUFSIZE and
- VSFTP_DATA_BUFSIZE*2 */
- #define VSFTP_PRIVSOCK_MAXSTR VSFTP_DATA_BUFSIZE * 2
--#define VSFTP_AS_LIMIT 200UL * 1024 * 1024
-+#define VSFTP_AS_LIMIT 400UL * 1024 * 1024
-
- #endif /* VSF_DEFS_H */
-
diff --git a/vsftpd-3.0.0-logrotate.patch b/vsftpd-3.0.0-logrotate.patch
deleted file mode 100644
index 317821a..0000000
--- a/vsftpd-3.0.0-logrotate.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 5a4adb1078552f3f17f21dab9cacadbcacf593ec Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 18/26] Applied vsftpd-3.0.0-logrotate.patch
----
- RedHat/vsftpd.log | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/RedHat/vsftpd.log b/RedHat/vsftpd.log
-index d338de8..14731c1 100644
---- a/RedHat/vsftpd.log
-+++ b/RedHat/vsftpd.log
-@@ -3,3 +3,9 @@
- nocompress
- missingok
- }
-+
-+/var/log/xferlog {
-+ # ftpd doesn't handle SIGHUP properly
-+ nocompress
-+ missingok
-+}
---
-2.5.0
-
diff --git a/vsftpd-3.0.0-tz.patch b/vsftpd-3.0.0-tz.patch
deleted file mode 100644
index 827b6c7..0000000
--- a/vsftpd-3.0.0-tz.patch
+++ /dev/null
@@ -1,159 +0,0 @@ -From cc7c4ed98d69230f24a4437db2ba6bee20f4e494 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 16/26] Applied vsftpd-3.0.0-tz.patch - ---- - sysutil.c | 104 ++++++++++++++++++++++++++++++++++++++++++++++---------------- - 1 file changed, 77 insertions(+), 27 deletions(-) - -diff --git a/sysutil.c b/sysutil.c -index c848356..497d670 100644 ---- a/sysutil.c -+++ b/sysutil.c -@@ -26,8 +26,10 @@ - /* For Linux, this adds nothing :-) */ - #include "port/porting_junk.h" - -+#define F_LOCALTIME "/etc/localtime" -+#define BUFTZSIZ 64 -+ - #include --#include - #include - #include - #include -@@ -55,6 +57,11 @@ - #include - #include - #include -+ -+#ifndef __USE_GNU -+ #define __USE_GNU -+#endif -+#include - - /* Private variables to this file */ - /* Current umask() */ -@@ -2574,49 +2581,92 @@ error: - die("reopening standard file descriptors to /dev/null failed"); - } - -+char* vsf_sysutil_get_tz() -+{ -+ char *ret_tz = NULL; -+ char buff[BUFTZSIZ]; -+ off_t s_pos, e_pos; -+ size_t rcnt, rest; -+ int fd; -+ -+ if ((fd = open(F_LOCALTIME, O_RDONLY)) > -1) -+ { -+ if ((e_pos = lseek(fd, 0, SEEK_END)) <= 0) -+ { -+ close(fd); -+ return NULL; -+ } -+ s_pos = e_pos > BUFTZSIZ ? e_pos - BUFTZSIZ : 0; -+ lseek(fd, s_pos, SEEK_SET); -+ rcnt = read(fd, buff, BUFTZSIZ); -+ -+ if (rcnt && buff[rcnt-1] == '\n') -+ { -+ buff[rcnt-1] = 0; -+ e_pos--; -+ } -+ -+ do { -+ char *nl = memrchr(buff, '\n', rcnt); -+ if (rcnt && nl) -+ { -+ int offset = (++nl) - buff; -+ int len = e_pos - s_pos - offset; -+ if (len) -+ { -+ lseek(fd, s_pos + offset, SEEK_SET); -+ ret_tz = calloc(1, len+4); -+ memcpy(ret_tz, "TZ=", 3); -+ rcnt = read(fd, ret_tz+3, len); -+ } -+ break; -+ } -+ if (!s_pos) -+ { -+ break; -+ } -+ rest = s_pos > BUFTZSIZ ? 
s_pos - BUFTZSIZ : 0; -+ s_pos -= rest; -+ lseek(fd, s_pos, SEEK_SET); -+ rcnt = read(fd, buff, rest); -+ } while (rcnt > 0); -+ -+ close (fd); -+ } -+ -+ return ret_tz; -+} -+ - void - vsf_sysutil_tzset(void) - { - int retval; -- char tzbuf[sizeof("+HHMM!")]; -+ char *tz=NULL, tzbuf[sizeof("+HHMM!")]; - time_t the_time = time(NULL); - struct tm* p_tm; -+ -+ /* Set our timezone in the TZ environment variable to cater for the fact -+ * that modern glibc does not cache /etc/localtime (which becomes inaccessible -+ * when we chroot(). -+ */ -+ tz = vsf_sysutil_get_tz();; -+ if (tz) -+ { -+ putenv(tz); -+ } - tzset(); - p_tm = localtime(&the_time); - if (p_tm == NULL) - { - die("localtime"); - } -- /* Set our timezone in the TZ environment variable to cater for the fact -- * that modern glibc does not cache /etc/localtime (which becomes inaccessible -- * when we chroot(). -- */ - retval = strftime(tzbuf, sizeof(tzbuf), "%z", p_tm); - tzbuf[sizeof(tzbuf) - 1] = '\0'; - if (retval == 5) - { -- /* Static because putenv() does not copy the string. */ -- static char envtz[sizeof("TZ=UTC-hh:mm")]; -- /* Insert a colon so we have e.g. -05:00 instead of -0500 */ -- tzbuf[5] = tzbuf[4]; -- tzbuf[4] = tzbuf[3]; -- tzbuf[3] = ':'; -- /* Invert the sign - we just got the offset _from_ UTC but for TZ, we need -- * the offset _to_ UTC. -- */ -- if (tzbuf[0] == '+') -- { -- tzbuf[0] = '-'; -- } -- else -- { -- tzbuf[0] = '+'; -- } -- snprintf(envtz, sizeof(envtz), "TZ=UTC%s", tzbuf); -- putenv(envtz); - s_timezone = ((tzbuf[1] - '0') * 10 + (tzbuf[2] - '0')) * 60 * 60; -- s_timezone += ((tzbuf[4] - '0') * 10 + (tzbuf[5] - '0')) * 60; -- if (tzbuf[0] == '-') -+ s_timezone += ((tzbuf[3] - '0') * 10 + (tzbuf[4] - '0')) * 60; -+ if (tzbuf[0] == '+') - { - s_timezone *= -1; - } --- -2.5.0 - diff --git a/vsftpd-3.0.0-xferlog.patch b/vsftpd-3.0.0-xferlog.patch deleted file mode 100644 index 9c8c669..0000000 --- a/vsftpd-3.0.0-xferlog.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From 26d555a940faf7c7c90d8a8a2b5d5e0d9988f714 Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka
-Date: Thu, 17 Mar 2016 11:44:45 +0100
-Subject: [PATCH 17/26] Applied vsftpd-3.0.0-xferlog.patch
----
- vsftpd.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/vsftpd.conf b/vsftpd.conf
-index ae6c6c9..39d1955 100644
---- a/vsftpd.conf
-+++ b/vsftpd.conf
-@@ -50,7 +50,7 @@ connect_from_port_20=YES
- #
- # You may override where the log file goes if you like. The default is shown
- # below.
--#xferlog_file=/var/log/vsftpd.log
-+#xferlog_file=/var/log/xferlog
- #
- # If you want, you can have your log file in standard ftpd xferlog format.
- # Note that the default log file location is /var/log/xferlog in this case.
---
-2.5.0
-
diff --git a/vsftpd-3.0.2-del-upl.patch b/vsftpd-3.0.2-del-upl.patch
deleted file mode 100644
index e1216a8..0000000
--- a/vsftpd-3.0.2-del-upl.patch
+++ /dev/null
@@ -1,136 +0,0 @@ -From 9be8a4188420bba2075eacf9aea8fa26b6ebdcc5 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Fri, 8 Apr 2016 15:03:16 +0200 -Subject: [PATCH 4/7] vsftpd-3.0.2-del-upl - ---- - ftpcodes.h | 3 ++- - ftpdataio.c | 8 ++++++++ - main.c | 2 +- - postlogin.c | 9 ++++++++- - session.h | 1 + - sysutil.c | 10 ++++++++++ - sysutil.h | 1 + - 7 files changed, 31 insertions(+), 3 deletions(-) - -diff --git a/ftpcodes.h b/ftpcodes.h -index 3950f92..97801f3 100644 ---- a/ftpcodes.h -+++ b/ftpcodes.h -@@ -15,7 +15,8 @@ - #define FTP_PBSZOK 200 - #define FTP_PROTOK 200 - #define FTP_OPTSOK 200 --#define FTP_ALLOOK 202 -+#define FTP_ALLOOK 200 -+#define FTP_ALLOIGN 202 - #define FTP_FEAT 211 - #define FTP_STATOK 211 - #define FTP_SIZEOK 213 -diff --git a/ftpdataio.c b/ftpdataio.c -index 00f9021..c859d80 100644 ---- a/ftpdataio.c -+++ b/ftpdataio.c -@@ -242,6 +242,10 @@ init_data_sock_params(struct vsf_session* p_sess, int sock_fd) - /* Start the timeout monitor */ - vsf_sysutil_install_io_handler(handle_io, p_sess); - start_data_alarm(p_sess); -+ if(tunable_delete_failed_uploads) -+ { -+ vsf_sysutil_rcvtimeo(sock_fd); -+ } - } - - static void -@@ -615,6 +619,10 @@ do_file_recv(struct vsf_session* p_sess, int file_fd, int is_ascii) - else if (retval == 0 && !prev_cr) - { - /* Transfer done, nifty */ -+ if (tunable_delete_failed_uploads && -+ !is_ascii && p_sess->upload_size > 0 && -+ p_sess->upload_size != ret_struct.transferred) -+ ret_struct.retval = -2; - return ret_struct; - } - num_to_write = (unsigned int) retval; -diff --git a/main.c b/main.c -index f1e2f69..f039081 100644 ---- a/main.c -+++ b/main.c -@@ -44,7 +44,7 @@ main(int argc, const char* argv[]) - /* Login */ - 1, 0, INIT_MYSTR, INIT_MYSTR, - /* Protocol state */ -- 0, 1, INIT_MYSTR, 0, 0, -+ 0, 0, 1, INIT_MYSTR, 0, 0, - /* HTTP hacks */ - 0, INIT_MYSTR, - /* Session state */ -diff --git a/postlogin.c b/postlogin.c -index 154c16a..8363c9c 100644 ---- a/postlogin.c -+++ b/postlogin.c -@@ 
-358,7 +358,14 @@ process_post_login(struct vsf_session* p_sess) - } - else if (str_equal_text(&p_sess->ftp_cmd_str, "ALLO")) - { -- vsf_cmdio_write(p_sess, FTP_ALLOOK, "ALLO command ignored."); -+ if (tunable_delete_failed_uploads && !p_sess->is_ascii) -+ { -+ p_sess->upload_size = (filesize_t)vsf_sysutil_atoi(str_getbuf(&p_sess->ftp_cmd_str)+5); -+ vsf_cmdio_write(p_sess, FTP_ALLOOK, "The filesize has been allocated."); -+ } -+ else { -+ vsf_cmdio_write(p_sess, FTP_ALLOIGN, "ALLO command ignored."); -+ } - } - else if (str_equal_text(&p_sess->ftp_cmd_str, "REIN")) - { -diff --git a/session.h b/session.h -index 3e8fdd5..4eccf46 100644 ---- a/session.h -+++ b/session.h -@@ -41,6 +41,7 @@ struct vsf_session - struct mystr anon_pass_str; - - /* Details of the FTP protocol state */ -+ filesize_t upload_size; - filesize_t restart_pos; - int is_ascii; - struct mystr rnfr_filename_str; -diff --git a/sysutil.c b/sysutil.c -index 61d9f28..3c4a337 100644 ---- a/sysutil.c -+++ b/sysutil.c -@@ -681,6 +681,16 @@ vsf_sysutil_activate_keepalive(int fd) - } - - void -+vsf_sysutil_rcvtimeo(int fd) -+{ -+ struct timeval tv; -+ -+ tv.tv_sec = tunable_data_connection_timeout; -+ tv.tv_usec = 0; -+ setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(struct timeval)); -+} -+ -+void - vsf_sysutil_activate_reuseaddr(int fd) - { - int reuseaddr = 1; -diff --git a/sysutil.h b/sysutil.h -index d341b5d..be727f5 100644 ---- a/sysutil.h -+++ b/sysutil.h -@@ -267,6 +267,7 @@ void vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr, - const char* p_name); - /* Option setting on sockets */ - void vsf_sysutil_activate_keepalive(int fd); -+void vsf_sysutil_rcvtimeo(int fd); - void vsf_sysutil_set_iptos_throughput(int fd); - void vsf_sysutil_activate_reuseaddr(int fd); - void vsf_sysutil_set_nodelay(int fd); --- -2.5.5 - diff --git a/vsftpd-3.0.2-dh.patch b/vsftpd-3.0.2-dh.patch deleted file mode 100644 index 397ad0d..0000000 --- a/vsftpd-3.0.2-dh.patch +++ /dev/null 
@@ -1,226 +0,0 @@ -From 1c4cb55ed61ca962a051c7de7cca866af8e2b2fa Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 21/26] Applied vsftpd-3.0.2-dh.patch - ---- - parseconf.c | 1 + - ssl.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- - tunables.c | 5 +++- - tunables.h | 1 + - vsftpd.conf.5 | 6 ++++ - 5 files changed, 104 insertions(+), 2 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index 3e0dba4..38e3182 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -176,6 +176,7 @@ parseconf_str_array[] = - { "email_password_file", &tunable_email_password_file }, - { "rsa_cert_file", &tunable_rsa_cert_file }, - { "dsa_cert_file", &tunable_dsa_cert_file }, -+ { "dh_param_file", &tunable_dh_param_file }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff --git a/ssl.c b/ssl.c -index c362983..22b69b3 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -28,6 +28,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - -@@ -38,6 +40,7 @@ static void setup_bio_callbacks(); - static long bio_callback( - BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); - static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); -+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); - static int ssl_cert_digest( - SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); - static void maybe_log_shutdown_state(struct vsf_session* p_sess); -@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess, - static int ssl_inited; - static struct mystr debug_str; - -+ -+// Grab prime number from OpenSSL; -+// (get_rfc*) for all available primes. -+// wraps selection of comparable algorithm strength -+#if !defined(match_dh_bits) -+ #define match_dh_bits(keylen) \ -+ keylen >= 8191 ? 8192 : \ -+ keylen >= 6143 ? 
6144 : \ -+ keylen >= 4095 ? 4096 : \ -+ keylen >= 3071 ? 3072 : \ -+ keylen >= 2047 ? 2048 : \ -+ keylen >= 1535 ? 1536 : \ -+ keylen >= 1023 ? 1024 : 768 -+#endif -+ -+#if !defined(DH_get_prime) -+ BIGNUM * -+ DH_get_prime(int bits) -+ { -+ switch (bits) { -+ case 768: return get_rfc2409_prime_768(NULL); -+ case 1024: return get_rfc2409_prime_1024(NULL); -+ case 1536: return get_rfc3526_prime_1536(NULL); -+ case 2048: return get_rfc3526_prime_2048(NULL); -+ case 3072: return get_rfc3526_prime_3072(NULL); -+ case 4096: return get_rfc3526_prime_4096(NULL); -+ case 6144: return get_rfc3526_prime_6144(NULL); -+ case 8192: return get_rfc3526_prime_8192(NULL); -+ // shouldn't happen when used match_dh_bits; strict compiler -+ default: return NULL; -+ } -+} -+#endif -+ -+#if !defined(DH_get_dh) -+ // Grab DH parameters -+ DH * -+ DH_get_dh(int size) -+ { -+ DH *dh = DH_new(); -+ if (!dh) { -+ return NULL; -+ } -+ dh->p = DH_get_prime(match_dh_bits(size)); -+ BN_dec2bn(&dh->g, "2"); -+ if (!dh->p || !dh->g) -+ { -+ DH_free(dh); -+ return NULL; -+ } -+ return dh; -+ } -+#endif -+ - void - ssl_init(struct vsf_session* p_sess) - { -@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) - { - die("SSL: could not allocate SSL context"); - } -- options = SSL_OP_ALL; -+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; - if (!tunable_sslv2) - { - options |= SSL_OP_NO_SSLv2; -@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess) - die("SSL: cannot load DSA private key"); - } - } -+ if (tunable_dh_param_file) -+ { -+ BIO *bio; -+ DH *dhparams = NULL; -+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL) -+ { -+ die("SSL: cannot load custom DH params"); -+ } -+ else -+ { -+ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -+ BIO_free(bio); -+ -+ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams)) -+ { -+ die("SSL: setting custom DH params failed"); -+ } -+ } -+ } - if (tunable_ssl_ciphers && - SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1) - { -@@ -165,6 +241,9 
@@ ssl_init(struct vsf_session* p_sess) - /* Ensure cached session doesn't expire */ - SSL_CTX_set_timeout(p_ctx, INT_MAX); - } -+ -+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); -+ - p_sess->p_ssl_ctx = p_ctx; - ssl_inited = 1; - } -@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx) - return 1; - } - -+#define UNUSED(x) ( (void)(x) ) -+ -+static DH * -+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) -+{ -+ // strict compiler bypassing -+ UNUSED(ssl); -+ UNUSED(is_export); -+ -+ return DH_get_dh(keylength); -+} -+ - void - ssl_add_entropy(struct vsf_session* p_sess) - { -diff --git a/tunables.c b/tunables.c -index c737465..1ea7227 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -140,6 +140,7 @@ const char* tunable_user_sub_token; - const char* tunable_email_password_file; - const char* tunable_rsa_cert_file; - const char* tunable_dsa_cert_file; -+const char* tunable_dh_param_file; - const char* tunable_ssl_ciphers; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -288,7 +289,9 @@ tunables_load_defaults() - install_str_setting("/usr/share/ssl/certs/vsftpd.pem", - &tunable_rsa_cert_file); - install_str_setting(0, &tunable_dsa_cert_file); -- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); -+ install_str_setting(0, &tunable_dh_param_file); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA", -+ &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff --git a/tunables.h b/tunables.h -index 9553038..3995472 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -142,6 +142,7 @@ extern const char* tunable_user_sub_token; - extern const char* tunable_email_password_file; - extern const char* tunable_rsa_cert_file; - extern const char* tunable_dsa_cert_file; -+extern const char* tunable_dh_param_file; - extern 
const char* tunable_ssl_ciphers; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index fb6324e..ff94eca 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -893,6 +893,12 @@ to be in the same file as the certificate. - - Default: (none) - .TP -+.B dh_param_file -+This option specifies the location of the custom parameters used for -+ephemeral Diffie-Hellman key exchange in SSL. -+ -+Default: (none - use built in parameters appropriate for certificate key size) -+.TP - .B email_password_file - This option can be used to provide an alternate file for usage by the - .BR secure_email_list_enable --- -2.5.0 - diff --git a/vsftpd-3.0.2-docupd.patch b/vsftpd-3.0.2-docupd.patch deleted file mode 100644 index 612552d..0000000 --- a/vsftpd-3.0.2-docupd.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From f7fb4f5c91ab132982c78f1b34f7fe1493fd1372 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:46 +0100 -Subject: [PATCH 23/26] Applied vsftpd-3.0.2-docupd.patch - ---- - vsftpd.conf.5 | 22 +++++++++++++++++++--- - 1 file changed, 19 insertions(+), 3 deletions(-) - -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index e242873..7a8f130 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -652,6 +652,21 @@ change it with the setting - .BR xferlog_file . - - Default: NO -+.TP -+.B isolate_network -+If enabled, use CLONE_NEWNET to isolate the untrusted processes so that -+they can't do arbitrary connect() and instead have to ask the privileged -+process for sockets ( -+.BR port_promiscuous -+have to be disabled). -+ -+Default: YES -+.TP -+.B isolate -+If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes to their -+ipc and pid namespaces. So separated processes can not interact with each other. -+ -+Default: YES - - .SH NUMERIC OPTIONS - Below is a list of numeric options. A numeric option must be set to a non -@@ -749,8 +764,9 @@ Default: 077 - .B max_clients - If vsftpd is in standalone mode, this is the maximum number of clients which - may be connected. Any additional clients connecting will get an error message. -+The value 0 switches off the limit. - --Default: 0 (unlimited) -+Default: 2000 - .TP - .B max_login_fails - After this many login failures, the session is killed. -@@ -760,9 +776,9 @@ Default: 3 - .B max_per_ip - If vsftpd is in standalone mode, this is the maximum number of clients which - may be connected from the same source internet address. A client will get an --error message if they go over this limit. -+error message if they go over this limit. The value 0 switches off the limit. - --Default: 0 (unlimited) -+Default: 50 - .TP - .B pasv_max_port - The maximum port to allocate for PASV style data connections. Can be used to --- -2.5.0 - 
diff --git a/vsftpd-3.0.2-ecdh.patch b/vsftpd-3.0.2-ecdh.patch deleted file mode 100644 index fa68fb3..0000000 --- a/vsftpd-3.0.2-ecdh.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 400bd7cd3fc7478a668862cfba4b79e84a5034e9 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 22/26] Applied vsftpd-3.0.2-ecdh.patch - ---- - parseconf.c | 1 + - ssl.c | 37 ++++++++++++++++++++++++++++++++++++- - tunables.c | 4 +++- - tunables.h | 1 + - vsftpd.conf.5 | 8 ++++++++ - 5 files changed, 49 insertions(+), 2 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index 38e3182..a2c715b 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -177,6 +177,7 @@ parseconf_str_array[] = - { "rsa_cert_file", &tunable_rsa_cert_file }, - { "dsa_cert_file", &tunable_dsa_cert_file }, - { "dh_param_file", &tunable_dh_param_file }, -+ { "ecdh_param_file", &tunable_ecdh_param_file }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff --git a/ssl.c b/ssl.c -index 22b69b3..96bf8ad 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) - { - die("SSL: could not allocate SSL context"); - } -- options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; -+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE; - if (!tunable_sslv2) - { - options |= SSL_OP_NO_SSLv2; -@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess) - - SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); - -+ if (tunable_ecdh_param_file) -+ { -+ BIO *bio; -+ int nid; -+ EC_GROUP *ecparams = NULL; -+ EC_KEY *eckey; -+ -+ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL) -+ die("SSL: cannot load custom ec params"); -+ else -+ { -+ ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); -+ BIO_free(bio); -+ -+ if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) && -+ (eckey = EC_KEY_new_by_curve_name(nid))) -+ { -+ if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey)) -+ die("SSL: setting custom EC params failed"); -+ } -+ else -+ { -+ die("SSL: getting ec group or 
key failed"); -+ } -+ } -+ } -+ else -+ { -+#if defined(SSL_CTX_set_ecdh_auto) -+ SSL_CTX_set_ecdh_auto(p_ctx, 1); -+#else -+ SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); -+#endif -+ } -+ - p_sess->p_ssl_ctx = p_ctx; - ssl_inited = 1; - } -diff --git a/tunables.c b/tunables.c -index 1ea7227..93f85b1 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -141,6 +141,7 @@ const char* tunable_email_password_file; - const char* tunable_rsa_cert_file; - const char* tunable_dsa_cert_file; - const char* tunable_dh_param_file; -+const char* tunable_ecdh_param_file; - const char* tunable_ssl_ciphers; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -290,7 +291,8 @@ tunables_load_defaults() - &tunable_rsa_cert_file); - install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting(0, &tunable_dh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA", -+ install_str_setting(0, &tunable_ecdh_param_file); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", - &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); -diff --git a/tunables.h b/tunables.h -index 3995472..3e2d40c 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -143,6 +143,7 @@ extern const char* tunable_email_password_file; - extern const char* tunable_rsa_cert_file; - extern const char* tunable_dsa_cert_file; - extern const char* tunable_dh_param_file; -+extern const char* tunable_ecdh_param_file; - extern const char* tunable_ssl_ciphers; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index ff94eca..e242873 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in SSL. 
- - Default: (none - use built in parameters appropriate for certificate key size) - .TP -+.B ecdh_param_file -+This option specifies the location of custom parameters for ephemeral -+Elliptic Curve Diffie-Hellman (ECDH) key exchange. -+ -+Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and -+automatically selected curve based on client preferences with OpenSSL 1.0.2 -+and later) -+.TP - .B email_password_file - This option can be used to provide an alternate file for usage by the - .BR secure_email_list_enable --- -2.5.0 - diff --git a/vsftpd-3.0.2-lookup.patch b/vsftpd-3.0.2-lookup.patch deleted file mode 100644 index 553f6c3..0000000 --- a/vsftpd-3.0.2-lookup.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From 341ecdb33ac371d0efcfe428719fdf627ab253c2 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 19/26] Applied vsftpd-3.0.2-lookup.patch - ---- - parseconf.c | 1 + - sysdeputil.c | 14 +++++++++----- - tunables.c | 2 ++ - tunables.h | 1 + - vsftpd.conf.5 | 9 +++++++++ - 5 files changed, 22 insertions(+), 5 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index 30df598..3e0dba4 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -91,6 +91,7 @@ parseconf_bool_array[] = - { "mdtm_write", &tunable_mdtm_write }, - { "lock_upload_files", &tunable_lock_upload_files }, - { "pasv_addr_resolve", &tunable_pasv_addr_resolve }, -+ { "reverse_lookup_enable", &tunable_reverse_lookup_enable }, - { "userlist_log", &tunable_userlist_log }, - { "debug_ssl", &tunable_debug_ssl }, - { "require_cert", &tunable_require_cert }, -diff --git a/sysdeputil.c b/sysdeputil.c -index 3bbabaa..2063c87 100644 ---- a/sysdeputil.c -+++ b/sysdeputil.c -@@ -354,12 +354,16 @@ vsf_sysdep_check_auth(struct mystr* p_user_str, - return 0; - } - #ifdef PAM_RHOST -- sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host)); -- host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET); -- if (host != (struct hostent*)0) -- retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name); -- else -+ if (tunable_reverse_lookup_enable) { -+ sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host)); -+ host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET); -+ if (host != (struct hostent*)0) -+ retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name); -+ else -+ retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host)); -+ } else { - retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host)); -+ } - if (retval != PAM_SUCCESS) - { - (void) pam_end(s_pamh, retval); -diff --git a/tunables.c b/tunables.c -index b30fca1..c737465 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -72,6 +72,7 
@@ int tunable_force_anon_data_ssl; - int tunable_mdtm_write; - int tunable_lock_upload_files; - int tunable_pasv_addr_resolve; -+int tunable_reverse_lookup_enable; - int tunable_userlist_log; - int tunable_debug_ssl; - int tunable_require_cert; -@@ -213,6 +214,7 @@ tunables_load_defaults() - tunable_mdtm_write = 1; - tunable_lock_upload_files = 1; - tunable_pasv_addr_resolve = 0; -+ tunable_reverse_lookup_enable = 1; - tunable_userlist_log = 0; - tunable_debug_ssl = 0; - tunable_require_cert = 0; -diff --git a/tunables.h b/tunables.h -index e44d64c..9553038 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ - extern int tunable_mdtm_write; /* Allow MDTM to set timestamps */ - extern int tunable_lock_upload_files; /* Lock uploading files */ - extern int tunable_pasv_addr_resolve; /* DNS resolve pasv_addr */ -+extern int tunable_reverse_lookup_enable; /* Get hostname before pam auth */ - extern int tunable_userlist_log; /* Log every failed login attempt */ - extern int tunable_debug_ssl; /* Verbose SSL logging */ - extern int tunable_require_cert; /* SSL client cert required */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 72bb86f..fb6324e 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -425,6 +425,15 @@ http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html - - Default: YES - .TP -+.B reverse_lookup_enable -+Set to YES if you want vsftpd to transform the ip address into the hostname, -+before pam authentication. This is useful if you use pam_access including the -+hostname. If you want vsftpd to run on the environment where the reverse lookup -+for some hostname is available and the name server doesn't respond for a while, -+you should set this to NO to avoid a performance issue. -+ -+Default: YES -+.TP - .B run_as_launching_user - Set to YES if you want vsftpd to run as the user which launched vsftpd. This is - useful where root access is not available. 
MASSIVE WARNING! Do NOT enable this --- -2.5.0 - diff --git a/vsftpd-3.0.2-mrate.patch b/vsftpd-3.0.2-mrate.patch deleted file mode 100644 index a3622a2..0000000 --- a/vsftpd-3.0.2-mrate.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 4700495a07fe9423c8411a018cde4de413407f42 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Fri, 8 Apr 2016 15:03:16 +0200 -Subject: [PATCH 2/7] vsftpd-3.0.2-mrate - ---- - ftpdataio.c | 14 +++++++------- - main.c | 2 +- - session.h | 3 ++- - 3 files changed, 10 insertions(+), 9 deletions(-) - -diff --git a/ftpdataio.c b/ftpdataio.c -index 3e4e9c9..00f9021 100644 ---- a/ftpdataio.c -+++ b/ftpdataio.c -@@ -249,7 +249,7 @@ handle_io(int retval, int fd, void* p_private) - { - long curr_sec; - long curr_usec; -- unsigned int bw_rate; -+ unsigned long bw_rate; - double elapsed; - double pause_time; - double rate_ratio; -@@ -276,19 +276,16 @@ handle_io(int retval, int fd, void* p_private) - { - elapsed = (double) 0.01; - } -- bw_rate = (unsigned int) ((double) retval / elapsed); -- if (bw_rate <= p_sess->bw_rate_max) -+ p_sess->bw_retval += retval; -+ bw_rate = (unsigned long) ((double) p_sess->bw_retval / elapsed); -+ if (bw_rate <= p_sess->bw_rate_max || p_sess->bw_retval < (unsigned long)(10*retval)) - { -- p_sess->bw_send_start_sec = curr_sec; -- p_sess->bw_send_start_usec = curr_usec; - return; - } - /* Tut! 
Rate exceeded, calculate a pause to bring things back into line */ - rate_ratio = (double) bw_rate / (double) p_sess->bw_rate_max; - pause_time = (rate_ratio - (double) 1) * elapsed; - vsf_sysutil_sleep(pause_time); -- p_sess->bw_send_start_sec = vsf_sysutil_get_time_sec(); -- p_sess->bw_send_start_usec = vsf_sysutil_get_time_usec(); - } - - int -@@ -441,6 +438,9 @@ struct vsf_transfer_ret - vsf_ftpdataio_transfer_file(struct vsf_session* p_sess, int remote_fd, - int file_fd, int is_recv, int is_ascii) - { -+ p_sess->bw_send_start_sec = vsf_sysutil_get_time_sec(); -+ p_sess->bw_send_start_usec = vsf_sysutil_get_time_usec(); -+ p_sess->bw_retval = 0; - if (!is_recv) - { - if (is_ascii || p_sess->data_use_ssl) -diff --git a/main.c b/main.c -index eaba265..f1e2f69 100644 ---- a/main.c -+++ b/main.c -@@ -40,7 +40,7 @@ main(int argc, const char* argv[]) - /* Control connection */ - 0, 0, 0, 0, 0, - /* Data connection */ -- -1, 0, -1, 0, 0, 0, 0, -+ -1, 0, -1, 0, 0, 0, 0, 0, - /* Login */ - 1, 0, INIT_MYSTR, INIT_MYSTR, - /* Protocol state */ -diff --git a/session.h b/session.h -index 956bfb7..3e8fdd5 100644 ---- a/session.h -+++ b/session.h -@@ -29,9 +29,10 @@ struct vsf_session - struct vsf_sysutil_sockaddr* p_port_sockaddr; - int data_fd; - int data_progress; -- unsigned int bw_rate_max; -+ unsigned long bw_rate_max; - long bw_send_start_sec; - long bw_send_start_usec; -+ unsigned long bw_retval; - - /* Details of the login */ - int is_anonymous; --- -2.5.5 - diff --git a/vsftpd-3.0.2-rc450.patch b/vsftpd-3.0.2-rc450.patch deleted file mode 100644 index 8435446..0000000 --- a/vsftpd-3.0.2-rc450.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From e8c21dbd87c5e46c246c2d08c1abc84bb649fc02 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:46 +0100 -Subject: [PATCH 24/26] Applied vsftpd-3.0.2-rc450.patch - ---- - ftpcodes.h | 1 + - postlogin.c | 9 ++++++++- - sysutil.c | 3 +++ - sysutil.h | 3 ++- - 4 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/ftpcodes.h b/ftpcodes.h -index 93290c0..81e25c5 100644 ---- a/ftpcodes.h -+++ b/ftpcodes.h -@@ -52,6 +52,7 @@ - #define FTP_TLS_FAIL 421 - #define FTP_BADSENDCONN 425 - #define FTP_BADSENDNET 426 -+#define FTP_FILETMPFAIL 450 - #define FTP_BADSENDFILE 451 - - #define FTP_BADCMD 500 -diff --git a/postlogin.c b/postlogin.c -index bf12970..29958c0 100644 ---- a/postlogin.c -+++ b/postlogin.c -@@ -679,7 +679,14 @@ handle_retr(struct vsf_session* p_sess, int is_http) - opened_file = str_open(&p_sess->ftp_arg_str, kVSFSysStrOpenReadOnly); - if (vsf_sysutil_retval_is_error(opened_file)) - { -- vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to open file."); -+ if (kVSFSysUtilErrAGAIN == vsf_sysutil_get_error()) -+ { -+ vsf_cmdio_write(p_sess, FTP_FILETMPFAIL, "Temporarily failed to open file"); -+ } -+ else -+ { -+ vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to open file."); -+ } - return; - } - /* Lock file if required */ -diff --git a/sysutil.c b/sysutil.c -index 62d833d..a924edf 100644 ---- a/sysutil.c -+++ b/sysutil.c -@@ -1632,6 +1632,9 @@ vsf_sysutil_get_error(void) - case ENOENT: - retval = kVSFSysUtilErrNOENT; - break; -+ case EAGAIN: -+ retval = kVSFSysUtilErrAGAIN; -+ break; - default: - break; - } -diff --git a/sysutil.h b/sysutil.h -index 79b5514..c145bdf 100644 ---- a/sysutil.h -+++ b/sysutil.h -@@ -18,7 +18,8 @@ enum EVSFSysUtilError - kVSFSysUtilErrINVAL, - kVSFSysUtilErrOPNOTSUPP, - kVSFSysUtilErrACCES, -- kVSFSysUtilErrNOENT -+ kVSFSysUtilErrNOENT, -+ kVSFSysUtilErrAGAIN - }; - enum EVSFSysUtilError vsf_sysutil_get_error(void); - --- -2.5.0 - 
diff --git a/vsftpd-3.0.2-seccomp.patch b/vsftpd-3.0.2-seccomp.patch deleted file mode 100644 index ebf2a64..0000000 --- a/vsftpd-3.0.2-seccomp.patch +++ /dev/null @@ -1,25 +0,0 @@ -From dd86a1c28f11fa67b1263d5dc79fa9953629d30d Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Fri, 8 Apr 2016 15:03:16 +0200 -Subject: [PATCH 1/7] vsftpd-3.0.2-seccomp - ---- - tunables.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tunables.c b/tunables.c -index 93f85b1..b024be4 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -232,7 +232,7 @@ tunables_load_defaults() - tunable_isolate_network = 1; - tunable_ftp_enable = 1; - tunable_http_enable = 0; -- tunable_seccomp_sandbox = 1; -+ tunable_seccomp_sandbox = 0; - tunable_allow_writeable_chroot = 0; - - tunable_accept_timeout = 60; --- -2.5.5 - diff --git a/vsftpd-3.0.2-uint-uidgid.patch b/vsftpd-3.0.2-uint-uidgid.patch deleted file mode 100644 index ef87284..0000000 --- a/vsftpd-3.0.2-uint-uidgid.patch +++ /dev/null 
@@ -1,250 +0,0 @@ -From 24a1132cfe48d4c8bd799494ca802c918ac9132b Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 20/26] Applied vsftpd-3.0.2-uint-uidgid.patch - ---- - ls.c | 4 ++-- - privops.c | 3 +-- - session.h | 6 +++--- - sysutil.c | 44 ++++++++++++++------------------------------ - sysutil.h | 20 ++++++++++---------- - 5 files changed, 30 insertions(+), 47 deletions(-) - -diff --git a/ls.c b/ls.c -index 0ad7f54..f18791d 100644 ---- a/ls.c -+++ b/ls.c -@@ -503,7 +503,7 @@ build_dir_line(struct mystr* p_str, const struct mystr* p_filename_str, - } - else - { -- int uid = vsf_sysutil_statbuf_get_uid(p_stat); -+ unsigned int uid = vsf_sysutil_statbuf_get_uid(p_stat); - struct vsf_sysutil_user* p_user = 0; - if (tunable_text_userdb_names) - { -@@ -528,7 +528,7 @@ build_dir_line(struct mystr* p_str, const struct mystr* p_filename_str, - } - else - { -- int gid = vsf_sysutil_statbuf_get_gid(p_stat); -+ unsigned int gid = vsf_sysutil_statbuf_get_gid(p_stat); - struct vsf_sysutil_group* p_group = 0; - if (tunable_text_userdb_names) - { -diff --git a/privops.c b/privops.c -index 21d7267..f27c5c4 100644 ---- a/privops.c -+++ b/privops.c -@@ -236,8 +236,7 @@ vsf_privop_do_file_chown(struct vsf_session* p_sess, int fd) - /* Drop it like a hot potato unless it's a regular file owned by - * the the anonymous ftp user - */ -- if (p_sess->anon_upload_chown_uid == -1 || -- !vsf_sysutil_statbuf_is_regfile(s_p_statbuf) || -+ if (!vsf_sysutil_statbuf_is_regfile(s_p_statbuf) || - (vsf_sysutil_statbuf_get_uid(s_p_statbuf) != p_sess->anon_ftp_uid && - vsf_sysutil_statbuf_get_uid(s_p_statbuf) != p_sess->guest_user_uid)) - { -diff --git a/session.h b/session.h -index 27a488f..956bfb7 100644 ---- a/session.h -+++ b/session.h -@@ -54,9 +54,9 @@ struct vsf_session - struct mystr_list* p_visited_dir_list; - - /* Details of userids which are interesting to us */ -- int anon_ftp_uid; -- int guest_user_uid; -- int 
anon_upload_chown_uid; -+ unsigned int anon_ftp_uid; -+ unsigned int guest_user_uid; -+ unsigned int anon_upload_chown_uid; - - /* Things we need to cache before we chroot() */ - struct mystr banned_email_str; -diff --git a/sysutil.c b/sysutil.c -index 497d670..62d833d 100644 ---- a/sysutil.c -+++ b/sysutil.c -@@ -1454,14 +1454,14 @@ vsf_sysutil_statbuf_get_size(const struct vsf_sysutil_statbuf* p_statbuf) - return p_stat->st_size; - } - --int -+unsigned int - vsf_sysutil_statbuf_get_uid(const struct vsf_sysutil_statbuf* p_statbuf) - { - const struct stat* p_stat = (const struct stat*) p_statbuf; - return p_stat->st_uid; - } - --int -+unsigned int - vsf_sysutil_statbuf_get_gid(const struct vsf_sysutil_statbuf* p_statbuf) - { - const struct stat* p_stat = (const struct stat*) p_statbuf; -@@ -1502,7 +1502,7 @@ vsf_sysutil_statbuf_get_sortkey_mtime( - } - - void --vsf_sysutil_fchown(const int fd, const int uid, const int gid) -+vsf_sysutil_fchown(const int fd, const unsigned int uid, const unsigned int gid) - { - if (fchown(fd, uid, gid) != 0) - { -@@ -2320,13 +2320,9 @@ vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr, - } - - struct vsf_sysutil_user* --vsf_sysutil_getpwuid(const int uid) -+vsf_sysutil_getpwuid(const unsigned int uid) - { -- if (uid < 0) -- { -- bug("negative uid in vsf_sysutil_getpwuid"); -- } -- return (struct vsf_sysutil_user*) getpwuid((unsigned int) uid); -+ return (struct vsf_sysutil_user*) getpwuid(uid); - } - - struct vsf_sysutil_user* -@@ -2349,14 +2345,14 @@ vsf_sysutil_user_get_homedir(const struct vsf_sysutil_user* p_user) - return p_passwd->pw_dir; - } - --int -+unsigned int - vsf_sysutil_user_getuid(const struct vsf_sysutil_user* p_user) - { - const struct passwd* p_passwd = (const struct passwd*) p_user; - return p_passwd->pw_uid; - } - --int -+unsigned int - vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user) - { - const struct passwd* p_passwd = (const struct passwd*) p_user; -@@ -2364,13 +2360,9 @@ 
vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user) - } - - struct vsf_sysutil_group* --vsf_sysutil_getgrgid(const int gid) -+vsf_sysutil_getgrgid(const unsigned int gid) - { -- if (gid < 0) -- { -- die("negative gid in vsf_sysutil_getgrgid"); -- } -- return (struct vsf_sysutil_group*) getgrgid((unsigned int) gid); -+ return (struct vsf_sysutil_group*) getgrgid(gid); - } - - const char* -@@ -2445,25 +2437,17 @@ vsf_sysutil_setgid_numeric(int gid) - } - } - --int -+unsigned int - vsf_sysutil_geteuid(void) - { -- int retval = geteuid(); -- if (retval < 0) -- { -- die("geteuid"); -- } -+ unsigned int retval = geteuid(); - return retval; - } - --int -+unsigned int - vsf_sysutil_getegid(void) - { -- int retval = getegid(); -- if (retval < 0) -- { -- die("getegid"); -- } -+ unsigned int retval = getegid(); - return retval; - } - -@@ -2854,7 +2838,7 @@ vsf_sysutil_ftruncate(int fd) - } - } - --int -+unsigned int - vsf_sysutil_getuid(void) - { - return getuid(); -diff --git a/sysutil.h b/sysutil.h -index bfc92cb..79b5514 100644 ---- a/sysutil.h -+++ b/sysutil.h -@@ -129,15 +129,15 @@ const char* vsf_sysutil_statbuf_get_numeric_date( - const struct vsf_sysutil_statbuf* p_stat, int use_localtime); - unsigned int vsf_sysutil_statbuf_get_links( - const struct vsf_sysutil_statbuf* p_stat); --int vsf_sysutil_statbuf_get_uid(const struct vsf_sysutil_statbuf* p_stat); --int vsf_sysutil_statbuf_get_gid(const struct vsf_sysutil_statbuf* p_stat); -+unsigned int vsf_sysutil_statbuf_get_uid(const struct vsf_sysutil_statbuf* p_stat); -+unsigned int vsf_sysutil_statbuf_get_gid(const struct vsf_sysutil_statbuf* p_stat); - int vsf_sysutil_statbuf_is_readable_other( - const struct vsf_sysutil_statbuf* p_stat); - const char* vsf_sysutil_statbuf_get_sortkey_mtime( - const struct vsf_sysutil_statbuf* p_stat); - - int vsf_sysutil_chmod(const char* p_filename, unsigned int mode); --void vsf_sysutil_fchown(const int fd, const int uid, const int gid); -+void vsf_sysutil_fchown(const int 
fd, const unsigned int uid, const unsigned int gid); - void vsf_sysutil_fchmod(const int fd, unsigned int mode); - int vsf_sysutil_readlink(const char* p_filename, char* p_dest, - unsigned int bufsiz); -@@ -290,15 +290,15 @@ int vsf_sysutil_inet_aton( - struct vsf_sysutil_user; - struct vsf_sysutil_group; - --struct vsf_sysutil_user* vsf_sysutil_getpwuid(const int uid); -+struct vsf_sysutil_user* vsf_sysutil_getpwuid(const unsigned int uid); - struct vsf_sysutil_user* vsf_sysutil_getpwnam(const char* p_user); - const char* vsf_sysutil_user_getname(const struct vsf_sysutil_user* p_user); - const char* vsf_sysutil_user_get_homedir( - const struct vsf_sysutil_user* p_user); --int vsf_sysutil_user_getuid(const struct vsf_sysutil_user* p_user); --int vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user); -+unsigned int vsf_sysutil_user_getuid(const struct vsf_sysutil_user* p_user); -+unsigned int vsf_sysutil_user_getgid(const struct vsf_sysutil_user* p_user); - --struct vsf_sysutil_group* vsf_sysutil_getgrgid(const int gid); -+struct vsf_sysutil_group* vsf_sysutil_getgrgid(const unsigned int gid); - const char* vsf_sysutil_group_getname(const struct vsf_sysutil_group* p_group); - - /* More random things */ -@@ -316,7 +316,7 @@ void vsf_sysutil_qsort(void* p_base, unsigned int num_elem, - char* vsf_sysutil_getenv(const char* p_var); - typedef void (*exitfunc_t)(void); - void vsf_sysutil_set_exit_func(exitfunc_t exitfunc); --int vsf_sysutil_getuid(void); -+unsigned int vsf_sysutil_getuid(void); - - /* Syslogging (bah) */ - void vsf_sysutil_openlog(int force); -@@ -329,8 +329,8 @@ void vsf_sysutil_setuid(const struct vsf_sysutil_user* p_user); - void vsf_sysutil_setgid(const struct vsf_sysutil_user* p_user); - void vsf_sysutil_setuid_numeric(int uid); - void vsf_sysutil_setgid_numeric(int gid); --int vsf_sysutil_geteuid(void); --int vsf_sysutil_getegid(void); -+unsigned int vsf_sysutil_geteuid(void); -+unsigned int vsf_sysutil_getegid(void); - void 
vsf_sysutil_seteuid(const struct vsf_sysutil_user* p_user); - void vsf_sysutil_setegid(const struct vsf_sysutil_user* p_user); - void vsf_sysutil_seteuid_numeric(int uid); --- -2.5.0 - diff --git a/vsftpd-3.0.2-wnohang.patch b/vsftpd-3.0.2-wnohang.patch deleted file mode 100644 index a4dd4d1..0000000 --- a/vsftpd-3.0.2-wnohang.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 1a14b13a1684f71ecfd5ed94b1aae7541b1a77a8 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Fri, 8 Apr 2016 15:03:16 +0200 -Subject: [PATCH 3/7] vsftpd-3.0.2-wnohang - ---- - sysutil.c | 4 ++-- - sysutil.h | 2 +- - twoprocess.c | 13 +++++++++++-- - 3 files changed, 14 insertions(+), 5 deletions(-) - -diff --git a/sysutil.c b/sysutil.c -index 6dfe350..61d9f28 100644 ---- a/sysutil.c -+++ b/sysutil.c -@@ -608,13 +608,13 @@ vsf_sysutil_exit(int exit_code) - } - - struct vsf_sysutil_wait_retval --vsf_sysutil_wait(void) -+vsf_sysutil_wait(int hang) - { - struct vsf_sysutil_wait_retval retval; - vsf_sysutil_memclr(&retval, sizeof(retval)); - while (1) - { -- int sys_ret = wait(&retval.exit_status); -+ int sys_ret = waitpid(-1, &retval.exit_status, hang ? 0 : WNOHANG); - if (sys_ret < 0 && errno == EINTR) - { - vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0); -diff --git a/sysutil.h b/sysutil.h -index 26698cd..d341b5d 100644 ---- a/sysutil.h -+++ b/sysutil.h -@@ -178,7 +178,7 @@ struct vsf_sysutil_wait_retval - int PRIVATE_HANDS_OFF_syscall_retval; - int PRIVATE_HANDS_OFF_exit_status; - }; --struct vsf_sysutil_wait_retval vsf_sysutil_wait(void); -+struct vsf_sysutil_wait_retval vsf_sysutil_wait(int hang); - int vsf_sysutil_wait_reap_one(void); - int vsf_sysutil_wait_get_retval( - const struct vsf_sysutil_wait_retval* p_waitret); -diff --git a/twoprocess.c b/twoprocess.c -index 33d84dc..b1891e7 100644 ---- a/twoprocess.c -+++ b/twoprocess.c -@@ -47,8 +47,17 @@ static void - handle_sigchld(void* duff) - { - -- struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait(); -+ struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait(0); - (void) duff; -+ if (!vsf_sysutil_wait_get_exitcode(&wait_retval) && -+ !vsf_sysutil_wait_get_retval(&wait_retval)) -+ /* There was nobody to wait for, possibly caused by underlying library -+ * which created a new process through fork()/vfork() and already picked -+ * it up, e.g. 
by pam_exec.so or integrity check routines for libraries -+ * when FIPS mode is on (nss freebl), which can lead to calling prelink -+ * if the prelink package is installed. -+ */ -+ return; - /* Child died, so we'll do the same! Report it as an error unless the child - * exited normally with zero exit code - */ -@@ -390,7 +399,7 @@ common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str, - priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK); - if (!p_sess->control_use_ssl) - { -- (void) vsf_sysutil_wait(); -+ (void) vsf_sysutil_wait(1); - } - else - { --- -2.5.5 - diff --git a/vsftpd-close-std-fds.patch b/vsftpd-close-std-fds.patch deleted file mode 100644 index 4811651..0000000 --- a/vsftpd-close-std-fds.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 883736a0ad3b521c8210cc7e6cbc2cb302aca43c Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Mar 2016 11:44:45 +0100 -Subject: [PATCH 06/26] Applied vsftpd-close-std-fds.patch - ---- - standalone.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/standalone.c b/standalone.c -index ba01ab1..e0f2d5b 100644 ---- a/standalone.c -+++ b/standalone.c -@@ -130,6 +130,9 @@ vsf_standalone_main(void) - die("could not bind listening IPv6 socket"); - } - } -+ vsf_sysutil_close(0); -+ vsf_sysutil_close(1); -+ vsf_sysutil_close(2); - retval = vsf_sysutil_listen(listen_sock, VSFTP_LISTEN_BACKLOG); - if (vsf_sysutil_retval_is_error(retval)) - { --- -2.5.0 - diff --git a/vsftpd.spec b/vsftpd.spec index a8e95be..d6ca350 100644 --- a/vsftpd.spec +++ b/vsftpd.spec 
@@ -1,123 +1,77 @@ -%{!?tcp_wrappers:%define tcp_wrappers 1} -%define _generatorsdir %{_prefix}/lib/systemd/system-generators +%global _generatorsdir %{_prefix}/lib/systemd/system-generators -Name: vsftpd +Name: vsftpd Version: 3.0.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Very Secure Ftp Daemon -Group: System Environment/Daemons +Group: System Environment/Daemons # OpenSSL link exception -License: GPLv2 with exceptions -URL: https://security.appspot.com/vsftpd.html -Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz -Source1: vsftpd.xinetd -Source2: vsftpd.pam -Source3: vsftpd.ftpusers -Source4: vsftpd.user_list -Source6: vsftpd_conf_migrate.sh -Source7: vsftpd.service -Source8: vsftpd@.service -Source9: vsftpd.target +License: GPLv2 with exceptions +URL: https://security.appspot.com/vsftpd.html +Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz +Source1: vsftpd.xinetd +Source2: vsftpd.pam +Source3: vsftpd.ftpusers +Source4: vsftpd.user_list +Source6: vsftpd_conf_migrate.sh +Source7: vsftpd.service +Source8: vsftpd@.service +Source9: vsftpd.target Source10: vsftpd-generator -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - BuildRequires: pam-devel BuildRequires: libcap-devel BuildRequires: openssl-devel BuildRequires: systemd -%if %{tcp_wrappers} BuildRequires: tcp_wrappers-devel -%endif +BuildRequires: git Requires: logrotate -# Build patches -Patch1: vsftpd-2.1.0-libs.patch -Patch2: vsftpd-2.1.0-build_ssl.patch -Patch3: vsftpd-2.1.0-tcp_wrappers.patch - -# Use /etc/vsftpd/ instead of /etc/ -Patch4: vsftpd-2.1.0-configuration.patch - -# These need review -Patch5: vsftpd-2.1.0-pam_hostname.patch -Patch6: vsftpd-close-std-fds.patch -Patch7: vsftpd-2.1.0-filter.patch -Patch9: vsftpd-2.1.0-userlist_log.patch - -Patch10: vsftpd-2.1.0-trim.patch -Patch12: vsftpd-2.1.1-daemonize_plus.patch -Patch14: vsftpd-2.2.0-wildchar.patch - -Patch16: vsftpd-2.2.2-clone.patch -Patch19: 
vsftpd-2.3.4-sd.patch -Patch20: vsftpd-2.3.4-sqb.patch -Patch21: vsftpd-2.3.4-listen_ipv6.patch -Patch22: vsftpd-2.3.5-aslim.patch -Patch23: vsftpd-3.0.0-tz.patch -Patch24: vsftpd-3.0.0-xferlog.patch -Patch25: vsftpd-3.0.0-logrotate.patch -Patch26: vsftpd-3.0.2-lookup.patch -Patch27: vsftpd-3.0.2-uint-uidgid.patch -Patch28: vsftpd-3.0.2-dh.patch -Patch29: vsftpd-3.0.2-ecdh.patch -Patch30: vsftpd-3.0.2-docupd.patch -Patch31: vsftpd-3.0.2-rc450.patch -Patch32: vsftpd-3.0.2-seccomp.patch -Patch33: vsftpd-3.0.2-mrate.patch -Patch34: vsftpd-3.0.2-wnohang.patch -Patch35: vsftpd-3.0.2-del-upl.patch -Patch36: vsftpd-2.2.2-man-pages.patch -Patch37: vsftpd-2.2.2-blank-chars-overflow.patch -Patch38: vsftpd-2.2.2-syslog.patch +Patch1: 0001-Don-t-use-the-provided-script-to-locate-libraries.patch +Patch2: 0002-Enable-build-with-SSL.patch +Patch3: 0003-Enable-build-with-TCP-Wrapper.patch +Patch4: 0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch +Patch5: 0005-Use-hostname-when-calling-PAM-authentication-module.patch +Patch6: 0006-Close-stdin-out-err-before-listening-for-incoming-co.patch +Patch7: 0007-Make-filename-filters-smarter.patch +Patch8: 0008-Write-denied-logins-into-the-log.patch +Patch9: 0009-Trim-whitespaces-when-reading-configuration.patch +Patch10: 0010-Improve-daemonizing.patch +Patch11: 0011-Fix-listing-with-more-than-one-star.patch +Patch12: 0012-Replace-syscall-__NR_clone-.-with-clone.patch +Patch13: 0013-Extend-man-pages-with-systemd-info.patch +Patch14: 0014-Add-support-for-square-brackets-in-ls.patch +Patch15: 0015-Listen-on-IPv6-by-default.patch +Patch16: 0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch +Patch17: 0017-Fix-an-issue-with-timestamps-during-DST.patch +Patch18: 0018-Change-the-default-log-file-in-configuration.patch +Patch19: 0019-Introduce-reverse_lookup_enable-option.patch +Patch20: 0020-Use-unsigned-int-for-uid-and-gid-representation.patch +Patch21: 0021-Introduce-support-for-DHE-based-cipher-suites.patch +Patch22: 
0022-Introduce-support-for-EDDHE-based-cipher-suites.patch +Patch23: 0023-Add-documentation-for-isolate_-options.-Correct-defa.patch +Patch24: 0024-Introduce-new-return-value-450.patch +Patch25: 0025-Improve-local_max_rate-option.patch +Patch26: 0026-Prevent-hanging-in-SIGCHLD-handler.patch +Patch27: 0027-Delete-files-when-upload-fails.patch +Patch28: 0028-Fix-man-page-rendering.patch +Patch29: 0029-Fix-segfault-in-config-file-parser.patch +Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch +Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch +Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch +Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch +Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch %description vsftpd is a Very Secure FTP daemon. It was written completely from scratch. %prep -%setup -q -n %{name}-%{version} +%autosetup -S git cp %{SOURCE1} . -%patch1 -p1 -b .libs -%patch2 -p1 -b .build_ssl -%if %{tcp_wrappers} -%patch3 -p1 -b .tcp_wrappers -%endif -%patch4 -p1 -b .configuration -%patch5 -p1 -b .pam_hostname -%patch6 -p1 -b .close_fds -%patch7 -p1 -b .filter -%patch9 -p1 -b .userlist_log -%patch10 -p1 -b .trim -%patch12 -p1 -b .daemonize_plus -%patch14 -p1 -b .wildchar -%patch16 -p1 -b .clone -%patch19 -p1 -b .sd -%patch20 -p1 -b .sqb -%patch21 -p1 -b .listen_ipv6 -%patch22 -p1 -b .aslim -%patch23 -p1 -b .tz -%patch24 -p1 -b .xferlog -%patch25 -p1 -b .logrotate -%patch26 -p1 -b .lookup -%patch27 -p1 -b .uint-uidgid -%patch28 -p1 -b .dh -%patch29 -p1 -b .ecdh -%patch30 -p1 -b .docupd -%patch31 -p1 -b .rc450 -%patch32 -p1 -b .seccomp -%patch33 -p1 -b .mrate -%patch34 -p1 -b .wnohang -%patch35 -p1 -b .del-upl -%patch36 -p1 -b .man_pages -%patch37 -p1 -b .blank-char-overflow -%patch38 -p1 -b .syslog - - - %build %ifarch s390x sparcv9 sparc64 make CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \ 
@@ -126,9 +80,7 @@ make CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \ %endif LINK="-pie -lssl" %{?_smp_mflags} - %install -rm -rf $RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT%{_sysconfdir} mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{vsftpd,pam.d,logrotate.d} @@ -151,9 +103,6 @@ install -m 755 %{SOURCE10} $RPM_BUILD_ROOT%{_generatorsdir} mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub -%clean -rm -rf $RPM_BUILD_ROOT - %post %systemd_post vsftpd.service @@ -183,6 +132,12 @@ rm -rf $RPM_BUILD_ROOT %{_var}/ftp %changelog +* Thu Nov 17 2016 Martin Sehnoutka - 3.0.3-3 +- Review patches +- Add TLSv1.{1,2} options +- Fix question mark wildcard within a file name +- Seccomp patch removed + * Fri Apr 08 2016 Martin Sehnoutka - 3.0.3-2 - Applied patches: - Readd seccomp disabled by default
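Review bot: The new changelog entry `- Seccomp patch removed` does not describe what the patch list now ships: Patch34 `0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch` disables the seccomp sandbox rather than removing a patch, and the older entry directly below it ("Readd seccomp disabled by default") suggests the dropped patch had exposed seccomp as an option. Since this lowers the daemon's sandboxing, the entry should say so plainly, e.g. `- Turn off the seccomp sandbox (too strict); drop the earlier seccomp option patch`, so that anyone reading `rpm -q --changelog vsftpd` sees the behavioural change rather than a patch-housekeeping note. Separately, `BuildRequires: git` exists only to serve `%autosetup -S git`; `git-core` is the lighter dependency if it is available in the target releases.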