[arch-commits] Commit in vsftpd/trunk (4 files)
Levente Polyak
anthraxx at archlinux.org
Wed Jul 3 19:20:22 UTC 2019
Date: Wednesday, July 3, 2019 @ 19:20:22
Author: anthraxx
Revision: 487369
upgpkg: vsftpd 3.0.3-5
Added:
vsftpd/trunk/vsftpd-conf-pam.patch
vsftpd/trunk/vsftpd-disable-anonymous-access-by-default.patch
vsftpd/trunk/vsftpd-fix-seccomp.patch
Modified:
vsftpd/trunk/PKGBUILD
--------------------------------------------------+
PKGBUILD | 49 ++++++++++++---------
vsftpd-conf-pam.patch | 12 +++++
vsftpd-disable-anonymous-access-by-default.patch | 26 +++++++++++
vsftpd-fix-seccomp.patch | 37 +++++++++++++++
4 files changed, 103 insertions(+), 21 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2019-07-03 19:01:06 UTC (rev 487368)
+++ PKGBUILD 2019-07-03 19:20:22 UTC (rev 487369)
@@ -6,7 +6,7 @@
pkgname=vsftpd
pkgver=3.0.3
-pkgrel=4
+pkgrel=5
pkgdesc='Very Secure FTP daemon'
url='https://security.appspot.com/vsftpd.html'
arch=('x86_64')
@@ -15,14 +15,17 @@
optdepends=('logrotate')
backup=('etc/vsftpd.conf'
'etc/xinetd.d/vsftpd'
- "etc/logrotate.d/${pkgname}")
+ "etc/logrotate.d/vsftpd")
source=(https://security.appspot.com/downloads/${pkgname}-${pkgver}.tar.gz{,.asc}
- ${pkgname}-ssl.socket
- ${pkgname}.socket
- ${pkgname}.service
- ${pkgname}@.service
- ${pkgname}-ssl.service
- ${pkgname}-ssl at .service)
+ vsftpd-ssl.socket
+ vsftpd.socket
+ vsftpd.service
+ vsftpd at .service
+ vsftpd-ssl.service
+ vsftpd-ssl at .service
+ vsftpd-fix-seccomp.patch
+ vsftpd-conf-pam.patch
+ vsftpd-disable-anonymous-access-by-default.patch)
sha256sums=('9d4d2bf6e6e2884852ba4e69e157a2cecd68c5a7635d66a3a8cf8d898c955ef7'
'SKIP'
'd5185e48fffc6253499a55e0fe0f90a3424fc639640af11a9d38df33fb145afe'
@@ -30,7 +33,10 @@
'0597e571718ba0f4dc4b32a4ddd148103758c48c7d65dcb8bbedafc9e810e83d'
'd7b8e4827d4f6bafcbf52f9d2d7380958c7b08bb3f757806aa89d4bc06c9671c'
'b88a50fc68b3bf746d13c9a777df77791cd3eac6eb7c2df655418071c2adf422'
- '4a55c2468b08d858f71bacf1f4885847bec8e548b0e92088068d9bdd3884af84')
+ '4a55c2468b08d858f71bacf1f4885847bec8e548b0e92088068d9bdd3884af84'
+ '8bb7e4e4640137d38a2944859c2f443eea559ecb7f594c0fa4e962539107af66'
+ '751715726c4b888d5c96846ac0bd0d64238cceb28ef3c2ef447af85cdc2b79f1'
+ '4baa5a2db122974fa2a9603d335aed59dee5ad4217615fbe247301d129281d20')
validpgpkeys=('8660FD3291B184CDBC2F6418AA62EC463C0E751C') # Chris Evans
prepare() {
@@ -41,6 +47,10 @@
# fix linking to openssl 1.1
sed -e 's|SSL_library_init|SSL_CTX_new|' -i vsf_findlibs.sh
+
+ patch -Np1 < ../vsftpd-fix-seccomp.patch
+ patch -Np1 < ../vsftpd-conf-pam.patch
+ patch -Np1 < ../vsftpd-disable-anonymous-access-by-default.patch
}
build() {
@@ -52,22 +62,19 @@
cd ${pkgname}-${pkgver}
install -Dm 755 ${pkgname} -t "${pkgdir}/usr/bin"
+ install -dm 755 "${pkgdir}/var/empty"
+ install -Dm 644 "${srcdir}"/{*.service,*.socket} -t "${pkgdir}/usr/lib/systemd/system"
+
install -Dm 644 ${pkgname}.conf -t "${pkgdir}/etc"
+ install -Dm 644 EXAMPLE/INTERNET_SITE/${pkgname}.xinetd "${pkgdir}/etc/xinetd.d/${pkgname}"
+ install -Dm 644 RedHat/vsftpd.log "${pkgdir}/etc/logrotate.d/${pkgname}"
+ install -Dm 644 RedHat/vsftpd.pam "${pkgdir}/etc/pam.d/${pkgname}"
+ # TODO: check pam /etc/ftpusers files from debian and redhat, its linked
+
install -Dm 644 ${pkgname}.8 -t "${pkgdir}/usr/share/man/man8"
install -Dm 644 ${pkgname}.conf.5 -t "${pkgdir}/usr/share/man/man5"
- install -Dm 644 EXAMPLE/INTERNET_SITE/${pkgname}.xinetd "${pkgdir}/etc/xinetd.d/${pkgname}"
- install -Dm 644 RedHat/${pkgname}.log "${pkgdir}/etc/logrotate.d/${pkgname}"
-
- install -Dm 644 "${srcdir}"/${pkgname}.service "${pkgdir}"/usr/lib/systemd/system/${pkgname}.service
- install -Dm 644 "${srcdir}"/${pkgname}@.service "${pkgdir}"/usr/lib/systemd/system/${pkgname}@.service
- install -Dm 644 "${srcdir}"/${pkgname}-ssl.service "${pkgdir}"/usr/lib/systemd/system/${pkgname}-ssl.service
- install -Dm 644 "${srcdir}"/${pkgname}-ssl at .service "${pkgdir}"/usr/lib/systemd/system/${pkgname}-ssl at .service
- install -Dm 644 "${srcdir}"/${pkgname}.socket "${pkgdir}"/usr/lib/systemd/system/${pkgname}.socket
- install -Dm 644 "${srcdir}"/${pkgname}-ssl.socket "${pkgdir}"/usr/lib/systemd/system/${pkgname}-ssl.socket
-
- install -dm 755 "${pkgdir}/var/empty"
install -Dm 644 BENCHMARKS BUGS Changelog FAQ INSTALL README README.ssl REFS \
- REWARD SPEED TODO TUNING -t "${pkgdir}/usr/share/doc/${pkgname}"
+ REWARD SPEED TODO TUNING -t "${pkgdir}/usr/share/doc/${pkgname}"
}
# vim: ts=2 sw=2 et:
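Review bot: The new `install -Dm 644 RedHat/vsftpd.pam "${pkgdir}/etc/pam.d/${pkgname}"` line ships an authentication policy file, but the `backup=()` array in the earlier hunk is not extended, so pacman would overwrite a locally hardened `/etc/pam.d/vsftpd` on upgrade; adding `'etc/pam.d/vsftpd'` to `backup=()` would treat it like `etc/vsftpd.conf`. The TODO below it says the PAM file is linked to `/etc/ftpusers`, which nothing in this hunk installs, so it is worth confirming how the deny-list rule behaves when that file is absent before relying on it to keep system accounts off FTP. The upstream file's contents are not visible here, so its module stack should also be checked against what Arch's PAM provides. package() begins above this hunk.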
Added: vsftpd-conf-pam.patch
===================================================================
--- vsftpd-conf-pam.patch (rev 0)
+++ vsftpd-conf-pam.patch 2019-07-03 19:20:22 UTC (rev 487369)
@@ -0,0 +1,12 @@
+diff --git a/vsftpd.conf b/vsftpd.conf
+index 5868675..9543536 100644
+--- a/vsftpd.conf
++++ b/vsftpd.conf
+@@ -127,3 +127,7 @@ listen=NO
+ # sockets, you must run two copies of vsftpd with two configuration files.
+ # Make sure, that one of the listen options is commented !!
+ #listen_ipv6=YES
++
++# Set own PAM service name to detect authentication settings specified
++# for vsftpd by the system package.
++pam_service_name=vsftpd
Added: vsftpd-disable-anonymous-access-by-default.patch
===================================================================
--- vsftpd-disable-anonymous-access-by-default.patch (rev 0)
+++ vsftpd-disable-anonymous-access-by-default.patch 2019-07-03 19:20:22 UTC (rev 487369)
@@ -0,0 +1,26 @@
+From ffaeebcfdb56ba75392af21c68c0bac78a226b55 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek at redhat.com>
+Date: Tue, 2 Jan 2018 09:54:43 +0100
+Subject: [PATCH 44/44] Disable anonymous_enable in default config file
+
+Resolves: rhbz#1338637
+---
+ vsftpd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vsftpd.conf b/vsftpd.conf
+index 39d1955..4626c1b 100644
+--- a/vsftpd.conf
++++ b/vsftpd.conf
+@@ -9,7 +9,7 @@
+ # capabilities.
+ #
+ # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+-anonymous_enable=YES
++anonymous_enable=NO
+ #
+ # Uncomment this to allow local users to log in.
+ # When SELinux is enforcing check for SE bool ftp_home_dir
+--
+2.14.3
+
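Review bot: Flipping `anonymous_enable` to `NO` hardens only the shipped sample file; the context comment directly above still reads "allowed by default if you comment this out", so the built-in default appears unchanged and a config that omits the line stays anonymous-enabled. Because `etc/vsftpd.conf` is in the PKGBUILD's `backup=()`, installations with a modified config will presumably receive the new file as a `.pacnew` and keep `anonymous_enable=YES` until the admin merges it. I would extend the comment to say so, e.g. `# The built-in default is YES; keep this line set to NO to disable anonymous FTP.`, and mention the change in the package's upgrade notes.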
Added: vsftpd-fix-seccomp.patch
===================================================================
--- vsftpd-fix-seccomp.patch (rev 0)
+++ vsftpd-fix-seccomp.patch 2019-07-03 19:20:22 UTC (rev 487369)
@@ -0,0 +1,37 @@
+From ecaa07c31a68bca0e4c8159d447e0b9ef7c5b350 Mon Sep 17 00:00:00 2001
+From: Olivier Brunel <jjk at jjacky.com>
+Date: Fri, 14 Apr 2017 22:50:31 +0200
+Subject: [PATCH] Fix unable to list dirs w/ more than 31 items
+
+Trying to list directories with more than 31 items would fail due to seccomp
+filter being too strict:
+
+ftp> ls dir
+200 PORT command successful. Consider using PASV.
+150 Here comes the directory listing.
+500 OOPS: 421 Service not available, remote server has closed connection
+
+This was due to vsftpd calling qsort() and glibc in turn calling
+sysinfo(), which wasn't allowed, hence SIGSYS.
+
+Signed-off-by: Olivier Brunel <jjk at jjacky.com>
+---
+ seccompsandbox.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/seccompsandbox.c b/seccompsandbox.c
+index 2c350a9..13c8c78 100644
+--- a/seccompsandbox.c
++++ b/seccompsandbox.c
+@@ -297,6 +297,8 @@ seccomp_sandbox_setup_base()
+ allow_nr_1_arg_mask(__NR_mprotect, 3, PROT_READ);
+ allow_nr(__NR_munmap);
+ allow_nr(__NR_brk);
++ allow_nr(__NR_sysinfo);
++ allow_nr(__NR_getdents64);
+ /* glibc falls back gracefully if mremap() fails during realloc(). */
+ reject_nr(__NR_mremap, ENOSYS);
+
+--
+2.12.2
+
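Review bot: `allow_nr(__NR_getdents64);` is added without any justification: the commit message explains only the qsort()/sysinfo() path, and neither new line carries a comment the way the `mremap` line below does. Both calls sit in `seccomp_sandbox_setup_base()`, so they presumably widen the filter for every sandboxed process rather than only the directory-listing path; the function body extends beyond the hunk. I would add comments such as `/* glibc qsort() calls sysinfo() to size its buffer. */` and one stating which libc call needs `getdents64`. It is also worth testing whether `reject_nr(__NR_sysinfo, ENOSYS);` is enough, mirroring the mremap() handling, since that would avoid SIGSYS without exposing host memory and load figures to the sandbox.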