Upgrade vsftpd to 3.0.0

Upgrade vsftpd to 3.0.0 with below modification: 1. more strict access limitation, like: do not allow anonymous access 2. use vsftpd.ftpusers and vsftpd.user_list to confine user access 3. enable pam if DISTRO_FEATURE includes pam 4. enable tcp-wrapper 5. install vsftpd.conf with 0600 permission, not 0755 Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
author: Roy.Li <rongqing.li@windriver.com> 2013-07-19 10:19:25 +0800
committer: Joe MacDonald <joe.macdonald@windriver.com> 2013-07-19 11:00:43 -0400
commit: 441502b68d03a4ce7796436a53c5e95399724ad2 (patch)
tree: 3fb89fa557663cc7dc813090e5859ef2930d7a99 /meta-networking
parent: fe85f4980e7c7c35df8fc6b93431c125577dd643 (diff)
download: meta-openembedded-441502b68d03a4ce7796436a53c5e95399724ad2.tar.gz
11 files changed, 199 insertions, 63 deletions
diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
index 08f91e048..bb1929480 100755..100644
--- a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
@@ -12,17 +12,17 @@
 listen=YES
 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
-anonymous_enable=YES
+anonymous_enable=NO
 #
 # Uncomment this to allow local users to log in.
-#local_enable=YES
+local_enable=YES
 #
 # Uncomment this to enable any form of FTP write command.
 write_enable=YES
 #
 # Default umask for local users is 077. You may wish to change this to 022,
 # if your users expect that (022 is used by most other ftpd's)
-#local_umask=022
+local_umask=022
 #
 # Uncomment this to allow the anonymous FTP user to upload files. This only
 # has an effect if the above global write enable is activated. Also, you will
@@ -54,7 +54,7 @@ connect_from_port_20=YES
 #xferlog_file=/var/log/vsftpd.log
 #
 # If you want, you can have your log file in standard ftpd xferlog format
-#xferlog_std_format=YES
+xferlog_std_format=YES
 #
 # You may change the default value for timing out an idle session.
 #idle_session_timeout=600
@@ -64,7 +64,7 @@ connect_from_port_20=YES
 #
 # It is recommended that you define on your system a unique user which the
 # ftp server can use as a totally isolated and unprivileged user.
-#nopriv_user=ftpsecure
+#nopriv_user=ftp
 #
 # Enable this and the server will recognise asynchronous ABOR requests. Not
 # recommended for security (the code is non-trivial). Not enabling it,
@@ -105,4 +105,35 @@ connect_from_port_20=YES
 # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
 # the presence of the "-R" option, so there is a strong case for enabling it.
 #ls_recurse_enable=YES
+#
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+#
+# This option is examined if userlist_enable is activated. If you set this
+# setting to NO, then users will be denied login  unless  they are  explicitly 
+# listed  in the file specified by userlist_file.  When login is denied, the 
+# denial is issued before the user is asked for a password.
+userlist_deny=YES
+#
+# If enabled, vsftpd will load a list of usernames, from the filename given by
+# userlist_file.  If a user tries to log in using  a  name in  this  file,  they
+# will be denied before they are asked for a password. This may be useful in 
+# preventing cleartext passwords being transmitted. See also userlist_deny.
+userlist_enable=YES
+#
+# If enabled,  vsftpd  will display directory listings with the time in your
+# local time zone. The default is to display GMT. The times returned by the
+# MDTM FTP command are also affected by this option.
+use_localtime=YES
+#
+# If set to YES, local users will be (by default) placed in a chroot() jail in
+# their home directory after login.  Warning: This  option has  security  
+# implications,  especially  if  the users have upload permission, or shell access.
+# Only enable if you know what you are doing.  Note that these security implications
+# are not vsftpd specific. They apply to all FTP daemons which offer to put 
+# local  users in chroot() jails.
+chroot_local_user=YES
+#
+allow_writeable_chroot=YES
+#
+tcp_wrappers=YES
diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers
new file mode 100644
index 000000000..096142f5d
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers
@@ -0,0 +1,15 @@
+# Users that are not allowed to login via ftp
+root
+bin
+daemon
+adm
+lp
+sync
+shutdown
+halt
+mail
+news
+uucp
+operator
+games
+nobody
diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list
new file mode 100644
index 000000000..d283e3d26
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list
@@ -0,0 +1,20 @@
+# vsftpd userlist
+# If userlist_deny=NO, only allow users in this file
+# If userlist_deny=YES (default), never allow users in this file, and
+# do not even prompt for a password.
+# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
+# for users that are denied.
+root
+bin
+daemon
+adm
+lp
+sync
+shutdown
+halt
+mail
+news
+uucp
+operator
+games
+nobody
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch
index ee37f26e9..1980d09fd 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch
@@ -7,8 +7,8 @@ Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
 diff --git a/Makefile b/Makefile
 --- a/Makefile
 +++ b/Makefile
-@@ -24,21 +24,21 @@ vsftpd: $(OBJS)
+@@ -24,21 +24,21 @@
-        $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) $(LDFLAGS)
+        $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS)
 
 install:
 -       if [ -x /usr/local/sbin ]; then \
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch
index 6a419db47..9a10f722f 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch
@@ -10,7 +10,7 @@ Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
 diff --git a/Makefile b/Makefile
 --- a/Makefile
 +++ b/Makefile
-@@ -5,7 +5,7 @@ IFLAGS  = -idirafter dummyinc
+@@ -5,7 +5,7 @@
 #CFLAGS = -g
 CFLAGS =       -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion
 
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch
index a2e0cd048..fd3160037 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch
@@ -7,11 +7,11 @@ Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
 diff --git a/Makefile b/Makefile
 --- a/Makefile
 +++ b/Makefile
-@@ -6,7 +6,6 @@ IFLAGS  = -idirafter dummyinc
+@@ -9,7 +9,6 @@ CFLAGS  =       -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
- CFLAGS =       -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion
+        #-pedantic -Wconversion
 
 LIBS   =       -lssl -lcrypto -lnsl -lresolv
 -LINK   =       -Wl,-s
+ LDFLAGS        =       -fPIE -pie -Wl,-z,relro -Wl,-z,now
 
 OBJS   =       main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
-                tunables.o ftpdataio.o secbuf.o ls.o \
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch
new file mode 100644
index 000000000..fdcf3a02b
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch
@@ -0,0 +1,17 @@
+Disable PAM
+Upstream-Status: Inappropriate [config]
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+diff -ur vsftpd-2.0.1_org/builddefs.h vsftpd-2.0.1_patch/builddefs.h
+--- vsftpd-2.0.1_org/builddefs.h        2004-07-02 16:36:59.000000000 +0200
+++ vsftpd-2.0.1_patch/builddefs.h      2004-07-21 09:34:49.044900488 +0200
+@@ -2,7 +2,7 @@
+ #define VSF_BUILDDEFS_H
+ 
+ #define VSF_BUILD_TCPWRAPPERS
+-#define VSF_BUILD_PAM
+#undef VSF_BUILD_PAM
+ #undef VSF_BUILD_SSL
+ 
+ #endif /* VSF_BUILDDEFS_H */
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch
index cf0d68e27..cf0d68e27 100644
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch
new file mode 100644
index 000000000..69745b3a1
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch
@@ -0,0 +1,25 @@
+Enable tcp_wrapper.
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+---
+ builddefs.h |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+diff --git a/builddefs.h b/builddefs.h
+index e908352..0106d1a 100644
+--- a/builddefs.h
+++ b/builddefs.h
+@@ -1,7 +1,7 @@
+ #ifndef VSF_BUILDDEFS_H
+ #define VSF_BUILDDEFS_H
+ 
+-#undef VSF_BUILD_TCPWRAPPERS
+#define VSF_BUILD_TCPWRAPPERS
+ #define VSF_BUILD_PAM
+ #undef VSF_BUILD_SSL
+ 
+-- 
+1.7.1
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb
deleted file mode 100644
index f14691034..000000000
--- a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb
+++ /dev/null
@@ -1,51 +0,0 @@
-SUMMARY = "Very Secure FTP server"
-HOMEPAGE = "https://security.appspot.com/vsftpd.html"
-SECTION = "network"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271"
-DEPENDS = "libcap openssl"
-SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
-           file://makefile-destdir.patch \
-           file://makefile-libs.patch \
-           file://makefile-strip.patch \
-           file://nopam.patch \
-           file://init \
-           file://vsftpd.conf"
-SRC_URI[md5sum] = "01398a5bef8e85b6cf2c213a4b011eca"
-SRC_URI[sha256sum] = "d87ee2987df8f03e1dbe294905f7907b2798deb89c67ca965f6e2f60879e54f1"
-inherit update-rc.d useradd
-CONFFILES_${PN} = "${sysconfdir}/vsftpd.conf"
-LDFLAGS_append =" -lcrypt -lcap"
-do_configure() {
-    # Fix hardcoded /usr, /etc, /var mess.
-    cat tunables.c|sed s:\"/usr:\"${prefix}:g|sed s:\"/var:\"${localstatedir}:g \
-    |sed s:\"${prefix}/share/empty:\"${localstatedir}/share/empty:g |sed s:\"/etc:\"${sysconfdir}:g > tunables.c.new
-    mv tunables.c.new tunables.c
-}
-do_install() {
-    install -d ${D}${sbindir}
-    install -d ${D}${mandir}/man8
-    install -d ${D}${mandir}/man5
-    oe_runmake 'DESTDIR=${D}' install
-    install -d ${D}${sysconfdir}
-    install -m 0755 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf
-    install -d ${D}${sysconfdir}/init.d/
-    install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/vsftpd
-}
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME_${PN} = "vsftpd"
-INITSCRIPT_PARAMS_${PN} = "defaults 80"
-USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "--system --home-dir /var/lib/ftp --no-create-home -g ftp \
-                       --shell /bin/false ftp "
-GROUPADD_PARAM_${PN} = "-r ftp"
diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
new file mode 100644
index 000000000..2c3e0098a
--- /dev/null
+++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
@@ -0,0 +1,79 @@
+SUMMARY = "Very Secure FTP server"
+HOMEPAGE = "https://security.appspot.com/vsftpd.html"
+SECTION = "network"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271"
+DEPENDS = "libcap openssl"
+SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
+           file://makefile-destdir.patch \
+           file://makefile-libs.patch \
+           file://makefile-strip.patch \
+           file://init \
+           file://vsftpd.conf \
+           file://vsftpd.user_list \
+           file://vsftpd.ftpusers \
+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271 \
+                        file://COPYRIGHT;md5=04251b2eb0f298dae376d92454f6f72e \
+                        file://LICENSE;md5=654df2042d44b8cac8a5654fc5be63eb"
+SRC_URI[md5sum] = "ad9fa952558c2c5b0426ccaccff0f972"
+SRC_URI[sha256sum] = "ef70205dcd0c7f03b008b9578fb44c0cbe31e66daab8cfafb9904747c17fc2a8"
+PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG[tcp-wrappers] = ",,tcp-wrappers"
+SRC_URI +="${@base_contains('PACKAGECONFIG', 'tcp-wrappers', 'file://vsftpd-tcp_wrappers-support.patch', '', d)}"
+DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+RDEPENDS_${PN} += "${@base_contains('DISTRO_FEATURES', 'pam', 'pam-plugin-listfile', '', d)}"
+PAMLIB = "${@base_contains('DISTRO_FEATURES', 'pam', '-L${STAGING_BASELIBDIR} -lpam', '', d)}"
+NOPAM_SRC ="${@base_contains('PACKAGECONFIG', 'tcp-wrappers', 'file://nopam-with-tcp_wrappers.patch', 'file://nopam.patch', d)}"
+SRC_URI += "${@base_contains('DISTRO_FEATURES', 'pam', '', '${NOPAM_SRC}', d)}"
+inherit update-rc.d useradd
+CONFFILES_${PN} = "${sysconfdir}/vsftpd.conf"
+LDFLAGS_append =" -lcrypt -lcap"
+do_configure() {
+    # Fix hardcoded /usr, /etc, /var mess.
+    cat tunables.c|sed s:\"/usr:\"${prefix}:g|sed s:\"/var:\"${localstatedir}:g \
+    |sed s:\"${prefix}/share/empty:\"${localstatedir}/share/empty:g |sed s:\"/etc:\"${sysconfdir}:g > tunables.c.new
+    mv tunables.c.new tunables.c
+}
+do_compile() {
+   oe_runmake "LIBS=-L${STAGING_LIBDIR} -lcrypt -lcap ${PAMLIB} -lwrap"
+}
+do_install() {
+    install -d ${D}${sbindir}
+    install -d ${D}${mandir}/man8
+    install -d ${D}${mandir}/man5
+    oe_runmake 'DESTDIR=${D}' install
+    install -d ${D}${sysconfdir}
+    install -m 600 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf
+    install -d ${D}${sysconfdir}/init.d/
+    install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/vsftpd
+    install -m 600 ${WORKDIR}/vsftpd.ftpusers ${D}${sysconfdir}/
+    install -m 600 ${WORKDIR}/vsftpd.user_list ${D}${sysconfdir}/
+    if ! test -z ${PAMLIB} ; then
+        install -d ${D}${sysconfdir}/pam.d/
+        cp ${S}/RedHat/vsftpd.pam ${D}${sysconfdir}/pam.d/vsftpd
+        sed -i "s:/lib/security:${base_libdir}/security:" ${D}${sysconfdir}/pam.d/vsftpd
+        sed -i "s:ftpusers:vsftpd.ftpusers:" ${D}${sysconfdir}/pam.d/vsftpd
+    fi
+}
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME_${PN} = "vsftpd"
+INITSCRIPT_PARAMS_${PN} = "defaults 80"
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "--system --home-dir /var/lib/ftp --no-create-home -g ftp \
+                       --shell /bin/false ftp "
+GROUPADD_PARAM_${PN} = "-r ftp"
author	Roy.Li <rongqing.li@windriver.com>	2013-07-19 10:19:25 +0800
committer	Joe MacDonald <joe.macdonald@windriver.com>	2013-07-19 11:00:43 -0400
commit	441502b68d03a4ce7796436a53c5e95399724ad2 (patch)
tree	3fb89fa557663cc7dc813090e5859ef2930d7a99 /meta-networking
parent	fe85f4980e7c7c35df8fc6b93431c125577dd643 (diff)
download	meta-openembedded-441502b68d03a4ce7796436a53c5e95399724ad2.tar.gz

diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf index 08f91e048..bb1929480 100755..100644 --- a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf +++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf
@@ -12,17 +12,17 @@
12	listen=YES	12	listen=YES
13		13
14	# Allow anonymous FTP? (Beware - allowed by default if you comment this out).	14	# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
15	anonymous_enable=YES	15	anonymous_enable=NO
16	#	16	#
17	# Uncomment this to allow local users to log in.	17	# Uncomment this to allow local users to log in.
18	#local_enable=YES	18	local_enable=YES
19	#	19	#
20	# Uncomment this to enable any form of FTP write command.	20	# Uncomment this to enable any form of FTP write command.
21	write_enable=YES	21	write_enable=YES
22	#	22	#
23	# Default umask for local users is 077. You may wish to change this to 022,	23	# Default umask for local users is 077. You may wish to change this to 022,
24	# if your users expect that (022 is used by most other ftpd's)	24	# if your users expect that (022 is used by most other ftpd's)
25	#local_umask=022	25	local_umask=022
26	#	26	#
27	# Uncomment this to allow the anonymous FTP user to upload files. This only	27	# Uncomment this to allow the anonymous FTP user to upload files. This only
28	# has an effect if the above global write enable is activated. Also, you will	28	# has an effect if the above global write enable is activated. Also, you will
@@ -54,7 +54,7 @@ connect_from_port_20=YES
54	#xferlog_file=/var/log/vsftpd.log	54	#xferlog_file=/var/log/vsftpd.log
55	#	55	#
56	# If you want, you can have your log file in standard ftpd xferlog format	56	# If you want, you can have your log file in standard ftpd xferlog format
57	#xferlog_std_format=YES	57	xferlog_std_format=YES
58	#	58	#
59	# You may change the default value for timing out an idle session.	59	# You may change the default value for timing out an idle session.
60	#idle_session_timeout=600	60	#idle_session_timeout=600
@@ -64,7 +64,7 @@ connect_from_port_20=YES
64	#	64	#
65	# It is recommended that you define on your system a unique user which the	65	# It is recommended that you define on your system a unique user which the
66	# ftp server can use as a totally isolated and unprivileged user.	66	# ftp server can use as a totally isolated and unprivileged user.
67	#nopriv_user=ftpsecure	67	#nopriv_user=ftp
68	#	68	#
69	# Enable this and the server will recognise asynchronous ABOR requests. Not	69	# Enable this and the server will recognise asynchronous ABOR requests. Not
70	# recommended for security (the code is non-trivial). Not enabling it,	70	# recommended for security (the code is non-trivial). Not enabling it,
@@ -105,4 +105,35 @@ connect_from_port_20=YES
105	# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume	105	# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
106	# the presence of the "-R" option, so there is a strong case for enabling it.	106	# the presence of the "-R" option, so there is a strong case for enabling it.
107	#ls_recurse_enable=YES	107	#ls_recurse_enable=YES
108		108	#
		109	# This string is the name of the PAM service vsftpd will use.
		110	pam_service_name=vsftpd
		111	#
		112	# This option is examined if userlist_enable is activated. If you set this
		113	# setting to NO, then users will be denied login unless they are explicitly
		114	# listed in the file specified by userlist_file. When login is denied, the
		115	# denial is issued before the user is asked for a password.
		116	userlist_deny=YES
		117	#
		118	# If enabled, vsftpd will load a list of usernames, from the filename given by
		119	# userlist_file. If a user tries to log in using a name in this file, they
		120	# will be denied before they are asked for a password. This may be useful in
		121	# preventing cleartext passwords being transmitted. See also userlist_deny.
		122	userlist_enable=YES
		123	#
		124	# If enabled, vsftpd will display directory listings with the time in your
		125	# local time zone. The default is to display GMT. The times returned by the
		126	# MDTM FTP command are also affected by this option.
		127	use_localtime=YES
		128	#
		129	# If set to YES, local users will be (by default) placed in a chroot() jail in
		130	# their home directory after login. Warning: This option has security
		131	# implications, especially if the users have upload permission, or shell access.
		132	# Only enable if you know what you are doing. Note that these security implications
		133	# are not vsftpd specific. They apply to all FTP daemons which offer to put
		134	# local users in chroot() jails.
		135	chroot_local_user=YES
		136	#
		137	allow_writeable_chroot=YES
		138	#
		139	tcp_wrappers=YES


diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers new file mode 100644 index 000000000..096142f5d --- /dev/null +++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers
@@ -0,0 +1,15 @@
		1	# Users that are not allowed to login via ftp
		2	root
		3	bin
		4	daemon
		5	adm
		6	lp
		7	sync
		8	shutdown
		9	halt
		10	mail
		11	news
		12	uucp
		13	operator
		14	games
		15	nobody


diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list new file mode 100644 index 000000000..d283e3d26 --- /dev/null +++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list
@@ -0,0 +1,20 @@
		1	# vsftpd userlist
		2	# If userlist_deny=NO, only allow users in this file
		3	# If userlist_deny=YES (default), never allow users in this file, and
		4	# do not even prompt for a password.
		5	# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
		6	# for users that are denied.
		7	root
		8	bin
		9	daemon
		10	adm
		11	lp
		12	sync
		13	shutdown
		14	halt
		15	mail
		16	news
		17	uucp
		18	operator
		19	games
		20	nobody


diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch index ee37f26e9..1980d09fd 100644 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch
@@ -7,8 +7,8 @@ Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
7	diff --git a/Makefile b/Makefile	7	diff --git a/Makefile b/Makefile
8	--- a/Makefile	8	--- a/Makefile
9	+++ b/Makefile	9	+++ b/Makefile
10	@@ -24,21 +24,21 @@ vsftpd: $(OBJS)	10	@@ -24,21 +24,21 @@
11	$(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) $(LDFLAGS)	11	$(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS)
12		12
13	install:	13	install:
14	- if [ -x /usr/local/sbin ]; then \	14	- if [ -x /usr/local/sbin ]; then \


diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch index 6a419db47..9a10f722f 100644 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch
@@ -10,7 +10,7 @@ Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
10	diff --git a/Makefile b/Makefile	10	diff --git a/Makefile b/Makefile
11	--- a/Makefile	11	--- a/Makefile
12	+++ b/Makefile	12	+++ b/Makefile
13	@@ -5,7 +5,7 @@ IFLAGS = -idirafter dummyinc	13	@@ -5,7 +5,7 @@
14	#CFLAGS = -g	14	#CFLAGS = -g
15	CFLAGS = -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion	15	CFLAGS = -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion
16		16


diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch index a2e0cd048..fd3160037 100644 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch
@@ -7,11 +7,11 @@ Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
7	diff --git a/Makefile b/Makefile	7	diff --git a/Makefile b/Makefile
8	--- a/Makefile	8	--- a/Makefile
9	+++ b/Makefile	9	+++ b/Makefile
10	@@ -6,7 +6,6 @@ IFLAGS = -idirafter dummyinc	10	@@ -9,7 +9,6 @@ CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
11	CFLAGS = -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion	11	#-pedantic -Wconversion
12		12
13	LIBS = -lssl -lcrypto -lnsl -lresolv	13	LIBS = -lssl -lcrypto -lnsl -lresolv
14	-LINK = -Wl,-s	14	-LINK = -Wl,-s
		15	LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
15		16
16	OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \	17	OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
17	tunables.o ftpdataio.o secbuf.o ls.o \


diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch new file mode 100644 index 000000000..fdcf3a02b --- /dev/null +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam-with-tcp_wrappers.patch
@@ -0,0 +1,17 @@
		1	Disable PAM
		2
		3	Upstream-Status: Inappropriate [config]
		4
		5	Signed-off-by: Roy.Li <rongqing.li@windriver.com>
		6	diff -ur vsftpd-2.0.1_org/builddefs.h vsftpd-2.0.1_patch/builddefs.h
		7	--- vsftpd-2.0.1_org/builddefs.h 2004-07-02 16:36:59.000000000 +0200
		8	+++ vsftpd-2.0.1_patch/builddefs.h 2004-07-21 09:34:49.044900488 +0200
		9	@@ -2,7 +2,7 @@
		10	#define VSF_BUILDDEFS_H
		11
		12	#define VSF_BUILD_TCPWRAPPERS
		13	-#define VSF_BUILD_PAM
		14	+#undef VSF_BUILD_PAM
		15	#undef VSF_BUILD_SSL
		16
		17	#endif /* VSF_BUILDDEFS_H */


diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch index cf0d68e27..cf0d68e27 100644 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch


diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch new file mode 100644 index 000000000..69745b3a1 --- /dev/null +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch
@@ -0,0 +1,25 @@
		1	Enable tcp_wrapper.
		2
		3	Upstream-Status: Inappropriate [configuration]
		4
		5	Signed-off-by: Roy.Li <rongqing.li@windriver.com>
		6	---
		7	builddefs.h \| 2 +-
		8	1 files changed, 1 insertions(+), 1 deletions(-)
		9
		10	diff --git a/builddefs.h b/builddefs.h
		11	index e908352..0106d1a 100644
		12	--- a/builddefs.h
		13	+++ b/builddefs.h
		14	@@ -1,7 +1,7 @@
		15	#ifndef VSF_BUILDDEFS_H
		16	#define VSF_BUILDDEFS_H
		17
		18	-#undef VSF_BUILD_TCPWRAPPERS
		19	+#define VSF_BUILD_TCPWRAPPERS
		20	#define VSF_BUILD_PAM
		21	#undef VSF_BUILD_SSL
		22
		23	--
		24	1.7.1
		25


diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb deleted file mode 100644 index f14691034..000000000 --- a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb +++ /dev/null
@@ -1,51 +0,0 @@
1	SUMMARY = "Very Secure FTP server"
2	HOMEPAGE = "https://security.appspot.com/vsftpd.html"
3	SECTION = "network"
4	LICENSE = "GPLv2"
5	LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271"
6
7	DEPENDS = "libcap openssl"
8
9	SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
10	file://makefile-destdir.patch \
11	file://makefile-libs.patch \
12	file://makefile-strip.patch \
13	file://nopam.patch \
14	file://init \
15	file://vsftpd.conf"
16
17	SRC_URI[md5sum] = "01398a5bef8e85b6cf2c213a4b011eca"
18	SRC_URI[sha256sum] = "d87ee2987df8f03e1dbe294905f7907b2798deb89c67ca965f6e2f60879e54f1"
19
20	inherit update-rc.d useradd
21
22	CONFFILES_${PN} = "${sysconfdir}/vsftpd.conf"
23	LDFLAGS_append =" -lcrypt -lcap"
24
25	do_configure() {
26	# Fix hardcoded /usr, /etc, /var mess.
27	cat tunables.c\|sed s:\"/usr:\"${prefix}:g\|sed s:\"/var:\"${localstatedir}:g \
28	\|sed s:\"${prefix}/share/empty:\"${localstatedir}/share/empty:g \|sed s:\"/etc:\"${sysconfdir}:g > tunables.c.new
29	mv tunables.c.new tunables.c
30	}
31
32	do_install() {
33	install -d ${D}${sbindir}
34	install -d ${D}${mandir}/man8
35	install -d ${D}${mandir}/man5
36	oe_runmake 'DESTDIR=${D}' install
37	install -d ${D}${sysconfdir}
38	install -m 0755 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf
39	install -d ${D}${sysconfdir}/init.d/
40	install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/vsftpd
41	}
42
43	INITSCRIPT_PACKAGES = "${PN}"
44	INITSCRIPT_NAME_${PN} = "vsftpd"
45	INITSCRIPT_PARAMS_${PN} = "defaults 80"
46
47	USERADD_PACKAGES = "${PN}"
48	USERADD_PARAM_${PN} = "--system --home-dir /var/lib/ftp --no-create-home -g ftp \
49	--shell /bin/false ftp "
50	GROUPADD_PARAM_${PN} = "-r ftp"
51


diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb new file mode 100644 index 000000000..2c3e0098a --- /dev/null +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
@@ -0,0 +1,79 @@
		1	SUMMARY = "Very Secure FTP server"
		2	HOMEPAGE = "https://security.appspot.com/vsftpd.html"
		3	SECTION = "network"
		4	LICENSE = "GPLv2"
		5	LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271"
		6
		7	DEPENDS = "libcap openssl"
		8
		9	SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
		10	file://makefile-destdir.patch \
		11	file://makefile-libs.patch \
		12	file://makefile-strip.patch \
		13	file://init \
		14	file://vsftpd.conf \
		15	file://vsftpd.user_list \
		16	file://vsftpd.ftpusers \
		17	"
		18
		19	LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271 \
		20	file://COPYRIGHT;md5=04251b2eb0f298dae376d92454f6f72e \
		21	file://LICENSE;md5=654df2042d44b8cac8a5654fc5be63eb"
		22	SRC_URI[md5sum] = "ad9fa952558c2c5b0426ccaccff0f972"
		23	SRC_URI[sha256sum] = "ef70205dcd0c7f03b008b9578fb44c0cbe31e66daab8cfafb9904747c17fc2a8"
		24
		25	PACKAGECONFIG ??= "tcp-wrappers"
		26	PACKAGECONFIG[tcp-wrappers] = ",,tcp-wrappers"
		27	SRC_URI +="${@base_contains('PACKAGECONFIG', 'tcp-wrappers', 'file://vsftpd-tcp_wrappers-support.patch', '', d)}"
		28
		29	DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
		30	RDEPENDS_${PN} += "${@base_contains('DISTRO_FEATURES', 'pam', 'pam-plugin-listfile', '', d)}"
		31	PAMLIB = "${@base_contains('DISTRO_FEATURES', 'pam', '-L${STAGING_BASELIBDIR} -lpam', '', d)}"
		32	NOPAM_SRC ="${@base_contains('PACKAGECONFIG', 'tcp-wrappers', 'file://nopam-with-tcp_wrappers.patch', 'file://nopam.patch', d)}"
		33	SRC_URI += "${@base_contains('DISTRO_FEATURES', 'pam', '', '${NOPAM_SRC}', d)}"
		34
		35	inherit update-rc.d useradd
		36
		37	CONFFILES_${PN} = "${sysconfdir}/vsftpd.conf"
		38	LDFLAGS_append =" -lcrypt -lcap"
		39
		40	do_configure() {
		41	# Fix hardcoded /usr, /etc, /var mess.
		42	cat tunables.c\|sed s:\"/usr:\"${prefix}:g\|sed s:\"/var:\"${localstatedir}:g \
		43	\|sed s:\"${prefix}/share/empty:\"${localstatedir}/share/empty:g \|sed s:\"/etc:\"${sysconfdir}:g > tunables.c.new
		44	mv tunables.c.new tunables.c
		45	}
		46
		47	do_compile() {
		48	oe_runmake "LIBS=-L${STAGING_LIBDIR} -lcrypt -lcap ${PAMLIB} -lwrap"
		49	}
		50
		51	do_install() {
		52	install -d ${D}${sbindir}
		53	install -d ${D}${mandir}/man8
		54	install -d ${D}${mandir}/man5
		55	oe_runmake 'DESTDIR=${D}' install
		56	install -d ${D}${sysconfdir}
		57	install -m 600 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf
		58	install -d ${D}${sysconfdir}/init.d/
		59	install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/vsftpd
		60
		61	install -m 600 ${WORKDIR}/vsftpd.ftpusers ${D}${sysconfdir}/
		62	install -m 600 ${WORKDIR}/vsftpd.user_list ${D}${sysconfdir}/
		63	if ! test -z ${PAMLIB} ; then
		64	install -d ${D}${sysconfdir}/pam.d/
		65	cp ${S}/RedHat/vsftpd.pam ${D}${sysconfdir}/pam.d/vsftpd
		66	sed -i "s:/lib/security:${base_libdir}/security:" ${D}${sysconfdir}/pam.d/vsftpd
		67	sed -i "s:ftpusers:vsftpd.ftpusers:" ${D}${sysconfdir}/pam.d/vsftpd
		68	fi
		69	}
		70
		71	INITSCRIPT_PACKAGES = "${PN}"
		72	INITSCRIPT_NAME_${PN} = "vsftpd"
		73	INITSCRIPT_PARAMS_${PN} = "defaults 80"
		74
		75	USERADD_PACKAGES = "${PN}"
		76	USERADD_PARAM_${PN} = "--system --home-dir /var/lib/ftp --no-create-home -g ftp \
		77	--shell /bin/false ftp "
		78	GROUPADD_PARAM_${PN} = "-r ftp"
		79