authorRoy.Li <rongqing.li@windriver.com>2013-07-19 10:19:25 +0800
committerJoe MacDonald <joe.macdonald@windriver.com>2013-07-19 11:00:43 -0400
commit441502b68d03a4ce7796436a53c5e95399724ad2 (patch)
tree3fb89fa557663cc7dc813090e5859ef2930d7a99 /meta-networking/recipes-daemons/vsftpd
parentfe85f4980e7c7c35df8fc6b93431c125577dd643 (diff)
Upgrade vsftpd to 3.0.0
Upgrade vsftpd to 3.0.0 with the following modifications:
1. stricter access limits, e.g. anonymous access is not allowed
2. use vsftpd.ftpusers and vsftpd.user_list to confine user access
3. enable PAM if DISTRO_FEATURES includes pam
4. enable tcp-wrappers
5. install vsftpd.conf with 0600 permission, not 0755
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
Diffstat (limited to 'meta-networking/recipes-daemons/vsftpd')
-rw-r--r--[-rwxr-xr-x]meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf43
-rw-r--r--meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers15
-rw-r--r--meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list20
-rw-r--r--meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch (renamed from meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch)4
-rw-r--r--meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch (renamed from meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch)2
-rw-r--r--meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch (renamed from meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch)6
-rw-r--r--meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch17
-rw-r--r--meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch (renamed from meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch)0
-rw-r--r--meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch25
-rw-r--r--meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb51
-rw-r--r--meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb79
11 files changed, 199 insertions, 63 deletions
diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
index 08f91e048d..bb1929480d 100755..100644
--- a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
@@ -12,17 +12,17 @@
listen=YES
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
-anonymous_enable=YES
+anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
-#local_enable=YES
+local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
-#local_umask=022
+local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
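Review bot: `local_umask=022` is switched on in the same hunk that enables `local_enable=YES` and keeps `write_enable=YES`, so every file a local user uploads is created world-readable on the target; the commit message's list of modifications does not mention this relaxation. Consider leaving the line commented so vsftpd's default of 077 applies, or, if 022 is intended, record that in the comment above it, e.g. `# 022 chosen deliberately: uploads are readable by other local accounts`. It would also help to note next to `local_enable=YES` that the builddefs.h context shown elsewhere in this commit has `#undef VSF_BUILD_SSL`, so local account passwords would cross the network in cleartext.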
@@ -54,7 +54,7 @@ connect_from_port_20=YES
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
-#xferlog_std_format=YES
+xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
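Review bot: Turning on `xferlog_std_format=YES` switches the log to the wu-ftpd transfer format, which as far as I know records only uploads and downloads, so the connection and failed-login entries of vsftpd's native format would no longer be written. Now that local logins are enabled in this file, those entries are what an operator would rely on to notice password guessing. Consider adding `dual_log_enable=YES` next to it so both logs are kept, or leaving this line commented.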
@@ -64,7 +64,7 @@ connect_from_port_20=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
-#nopriv_user=ftpsecure
+#nopriv_user=ftp
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
@@ -105,4 +105,35 @@ connect_from_port_20=YES
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
-
+#
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+#
+# This option is examined if userlist_enable is activated. If you set this
+# setting to NO, then users will be denied login unless they are explicitly
+# listed in the file specified by userlist_file. When login is denied, the
+# denial is issued before the user is asked for a password.
+userlist_deny=YES
+#
+# If enabled, vsftpd will load a list of usernames, from the filename given by
+# userlist_file. If a user tries to log in using a name in this file, they
+# will be denied before they are asked for a password. This may be useful in
+# preventing cleartext passwords being transmitted. See also userlist_deny.
+userlist_enable=YES
+#
+# If enabled, vsftpd will display directory listings with the time in your
+# local time zone. The default is to display GMT. The times returned by the
+# MDTM FTP command are also affected by this option.
+use_localtime=YES
+#
+# If set to YES, local users will be (by default) placed in a chroot() jail in
+# their home directory after login. Warning: This option has security
+# implications, especially if the users have upload permission, or shell access.
+# Only enable if you know what you are doing. Note that these security implications
+# are not vsftpd specific. They apply to all FTP daemons which offer to put
+# local users in chroot() jails.
+chroot_local_user=YES
+#
+allow_writeable_chroot=YES
+#
+tcp_wrappers=YES
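Review bot: `allow_writeable_chroot=YES` is added with no comment, directly beneath a warning that explains why chrooting users into a directory they can write to is risky. The option turns off vsftpd's refusal to chroot into a user-writable directory, and together with `write_enable=YES` and `chroot_local_user=YES` that is the combination the warning describes. Either drop it and give FTP accounts a non-writable home with a writable subdirectory, or document the trade-off above the line, e.g. `# Disables the writable-chroot-root safety check; acceptable only where FTP users have no shell or other login path`.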
diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers
new file mode 100644
index 0000000000..096142f5df
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers
@@ -0,0 +1,15 @@
+# Users that are not allowed to login via ftp
+root
+bin
+daemon
+adm
+lp
+sync
+shutdown
+halt
+mail
+news
+uucp
+operator
+games
+nobody
diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list
new file mode 100644
index 0000000000..d283e3d260
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list
@@ -0,0 +1,20 @@
+# vsftpd userlist
+# If userlist_deny=NO, only allow users in this file
+# If userlist_deny=YES (default), never allow users in this file, and
+# do not even prompt for a password.
+# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
+# for users that are denied.
+root
+bin
+daemon
+adm
+lp
+sync
+shutdown
+halt
+mail
+news
+uucp
+operator
+games
+nobody
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch
index ee37f26e9f..1980d09fd4 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch
@@ -7,8 +7,8 @@ Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
-@@ -24,21 +24,21 @@ vsftpd: $(OBJS)
- $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) $(LDFLAGS)
+@@ -24,21 +24,21 @@
+ $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS)
install:
- if [ -x /usr/local/sbin ]; then \
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch
index 6a419db477..9a10f722f4 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch
@@ -10,7 +10,7 @@ Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
-@@ -5,7 +5,7 @@ IFLAGS = -idirafter dummyinc
+@@ -5,7 +5,7 @@
#CFLAGS = -g
CFLAGS = -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch
index a2e0cd048f..fd3160037f 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch
@@ -7,11 +7,11 @@ Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
-@@ -6,7 +6,6 @@ IFLAGS = -idirafter dummyinc
- CFLAGS = -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion
+@@ -9,7 +9,6 @@ CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
+ #-pedantic -Wconversion
LIBS = -lssl -lcrypto -lnsl -lresolv
-LINK = -Wl,-s
+ LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
- tunables.o ftpdataio.o secbuf.o ls.o \
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch
new file mode 100644
index 0000000000..fdcf3a02b6
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch
@@ -0,0 +1,17 @@
+Disable PAM
+
+Upstream-Status: Inappropriate [config]
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+diff -ur vsftpd-2.0.1_org/builddefs.h vsftpd-2.0.1_patch/builddefs.h
+--- vsftpd-2.0.1_org/builddefs.h 2004-07-02 16:36:59.000000000 +0200
++++ vsftpd-2.0.1_patch/builddefs.h 2004-07-21 09:34:49.044900488 +0200
+@@ -2,7 +2,7 @@
+ #define VSF_BUILDDEFS_H
+
+ #define VSF_BUILD_TCPWRAPPERS
+-#define VSF_BUILD_PAM
++#undef VSF_BUILD_PAM
+ #undef VSF_BUILD_SSL
+
+ #endif /* VSF_BUILDDEFS_H */
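Review bot: This patch applies only after `vsftpd-tcp_wrappers-support.patch`, because its context line is `#define VSF_BUILD_TCPWRAPPERS`, yet the header says only "Disable PAM" and the file paths still name vsftpd-2.0.1. A header line such as `Variant of nopam.patch for builds with the tcp_wrappers patch applied; must follow it in SRC_URI` would keep a later SRC_URI reshuffle from silently breaking the non-PAM build.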
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch
index cf0d68e272..cf0d68e272 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch
new file mode 100644
index 0000000000..69745b3a10
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch
@@ -0,0 +1,25 @@
+Enable tcp_wrapper.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+---
+ builddefs.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/builddefs.h b/builddefs.h
+index e908352..0106d1a 100644
+--- a/builddefs.h
++++ b/builddefs.h
+@@ -1,7 +1,7 @@
+ #ifndef VSF_BUILDDEFS_H
+ #define VSF_BUILDDEFS_H
+
+-#undef VSF_BUILD_TCPWRAPPERS
++#define VSF_BUILD_TCPWRAPPERS
+ #define VSF_BUILD_PAM
+ #undef VSF_BUILD_SSL
+
+--
+1.7.1
+
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb
deleted file mode 100644
index f146910349..0000000000
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb
+++ /dev/null
@@ -1,51 +0,0 @@
-SUMMARY = "Very Secure FTP server"
-HOMEPAGE = "https://security.appspot.com/vsftpd.html"
-SECTION = "network"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271"
-
-DEPENDS = "libcap openssl"
-
-SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
- file://makefile-destdir.patch \
- file://makefile-libs.patch \
- file://makefile-strip.patch \
- file://nopam.patch \
- file://init \
- file://vsftpd.conf"
-
-SRC_URI[md5sum] = "01398a5bef8e85b6cf2c213a4b011eca"
-SRC_URI[sha256sum] = "d87ee2987df8f03e1dbe294905f7907b2798deb89c67ca965f6e2f60879e54f1"
-
-inherit update-rc.d useradd
-
-CONFFILES_${PN} = "${sysconfdir}/vsftpd.conf"
-LDFLAGS_append =" -lcrypt -lcap"
-
-do_configure() {
- # Fix hardcoded /usr, /etc, /var mess.
- cat tunables.c|sed s:\"/usr:\"${prefix}:g|sed s:\"/var:\"${localstatedir}:g \
- |sed s:\"${prefix}/share/empty:\"${localstatedir}/share/empty:g |sed s:\"/etc:\"${sysconfdir}:g > tunables.c.new
- mv tunables.c.new tunables.c
-}
-
-do_install() {
- install -d ${D}${sbindir}
- install -d ${D}${mandir}/man8
- install -d ${D}${mandir}/man5
- oe_runmake 'DESTDIR=${D}' install
- install -d ${D}${sysconfdir}
- install -m 0755 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf
- install -d ${D}${sysconfdir}/init.d/
- install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/vsftpd
-}
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME_${PN} = "vsftpd"
-INITSCRIPT_PARAMS_${PN} = "defaults 80"
-
-USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "--system --home-dir /var/lib/ftp --no-create-home -g ftp \
- --shell /bin/false ftp "
-GROUPADD_PARAM_${PN} = "-r ftp"
-
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
new file mode 100644
index 0000000000..2c3e0098ae
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
@@ -0,0 +1,79 @@
+SUMMARY = "Very Secure FTP server"
+HOMEPAGE = "https://security.appspot.com/vsftpd.html"
+SECTION = "network"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271"
+
+DEPENDS = "libcap openssl"
+
+SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
+ file://makefile-destdir.patch \
+ file://makefile-libs.patch \
+ file://makefile-strip.patch \
+ file://init \
+ file://vsftpd.conf \
+ file://vsftpd.user_list \
+ file://vsftpd.ftpusers \
+"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271 \
+ file://COPYRIGHT;md5=04251b2eb0f298dae376d92454f6f72e \
+ file://LICENSE;md5=654df2042d44b8cac8a5654fc5be63eb"
+SRC_URI[md5sum] = "ad9fa952558c2c5b0426ccaccff0f972"
+SRC_URI[sha256sum] = "ef70205dcd0c7f03b008b9578fb44c0cbe31e66daab8cfafb9904747c17fc2a8"
+
+PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG[tcp-wrappers] = ",,tcp-wrappers"
+SRC_URI +="${@base_contains('PACKAGECONFIG', 'tcp-wrappers', 'file://vsftpd-tcp_wrappers-support.patch', '', d)}"
+
+DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+RDEPENDS_${PN} += "${@base_contains('DISTRO_FEATURES', 'pam', 'pam-plugin-listfile', '', d)}"
+PAMLIB = "${@base_contains('DISTRO_FEATURES', 'pam', '-L${STAGING_BASELIBDIR} -lpam', '', d)}"
+NOPAM_SRC ="${@base_contains('PACKAGECONFIG', 'tcp-wrappers', 'file://nopam-with-tcp_wrappers.patch', 'file://nopam.patch', d)}"
+SRC_URI += "${@base_contains('DISTRO_FEATURES', 'pam', '', '${NOPAM_SRC}', d)}"
+
+inherit update-rc.d useradd
+
+CONFFILES_${PN} = "${sysconfdir}/vsftpd.conf"
+LDFLAGS_append =" -lcrypt -lcap"
+
+do_configure() {
+ # Fix hardcoded /usr, /etc, /var mess.
+ cat tunables.c|sed s:\"/usr:\"${prefix}:g|sed s:\"/var:\"${localstatedir}:g \
+ |sed s:\"${prefix}/share/empty:\"${localstatedir}/share/empty:g |sed s:\"/etc:\"${sysconfdir}:g > tunables.c.new
+ mv tunables.c.new tunables.c
+}
+
+do_compile() {
+ oe_runmake "LIBS=-L${STAGING_LIBDIR} -lcrypt -lcap ${PAMLIB} -lwrap"
+}
+
+do_install() {
+ install -d ${D}${sbindir}
+ install -d ${D}${mandir}/man8
+ install -d ${D}${mandir}/man5
+ oe_runmake 'DESTDIR=${D}' install
+ install -d ${D}${sysconfdir}
+ install -m 600 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf
+ install -d ${D}${sysconfdir}/init.d/
+ install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/vsftpd
+
+ install -m 600 ${WORKDIR}/vsftpd.ftpusers ${D}${sysconfdir}/
+ install -m 600 ${WORKDIR}/vsftpd.user_list ${D}${sysconfdir}/
+ if ! test -z ${PAMLIB} ; then
+ install -d ${D}${sysconfdir}/pam.d/
+ cp ${S}/RedHat/vsftpd.pam ${D}${sysconfdir}/pam.d/vsftpd
+ sed -i "s:/lib/security:${base_libdir}/security:" ${D}${sysconfdir}/pam.d/vsftpd
+ sed -i "s:ftpusers:vsftpd.ftpusers:" ${D}${sysconfdir}/pam.d/vsftpd
+ fi
+}
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME_${PN} = "vsftpd"
+INITSCRIPT_PARAMS_${PN} = "defaults 80"
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "--system --home-dir /var/lib/ftp --no-create-home -g ftp \
+ --shell /bin/false ftp "
+GROUPADD_PARAM_${PN} = "-r ftp"
+
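Review bot: `-lwrap` is hard-coded in `do_compile` although tcp-wrappers is an optional PACKAGECONFIG, so a build with that option removed drops the tcp-wrappers dependency and the builddefs.h patch but still tries to link libwrap, and the installed vsftpd.conf still carries `tcp_wrappers=YES`. Derive the flag the same way as `PAMLIB`, e.g. `WRAPLIB = "${@base_contains('PACKAGECONFIG', 'tcp-wrappers', '-lwrap', '', d)}"` with `${WRAPLIB}` in the `LIBS=` string, and adjust the conf option in `do_install` to match. Separately, `if ! test -z ${PAMLIB}` in `do_install` expands to several words when PAM is enabled and appears to take the branch only because `test` then exits with an error; `if [ -n "${PAMLIB}" ]; then` states the intent and does not depend on that.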