From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail1.windriver.com (mail1.windriver.com [147.11.146.13]) by mail.openembedded.org (Postfix) with ESMTP id 987FC6AFF1 for ; Thu, 18 Jul 2013 08:22:46 +0000 (UTC) Received: from ALA-HCA.corp.ad.wrs.com (ala-hca.corp.ad.wrs.com [147.11.189.40]) by mail1.windriver.com (8.14.5/8.14.3) with ESMTP id r6I8Mmv1018336 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for ; Thu, 18 Jul 2013 01:22:48 -0700 (PDT) Received: from [128.224.162.159] (128.224.162.159) by ALA-HCA.corp.ad.wrs.com (147.11.189.50) with Microsoft SMTP Server id 14.2.342.3; Thu, 18 Jul 2013 01:22:46 -0700 Message-ID: <51E7A5D5.90403@windriver.com> Date: Thu, 18 Jul 2013 16:22:45 +0800 From: Rongqing Li User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7 MIME-Version: 1.0 To: Joe MacDonald References: <1373979075-15576-1-git-send-email-rongqing.li@windriver.com> <20130717184315.GA31259@windriver.com> In-Reply-To: <20130717184315.GA31259@windriver.com> Cc: openembedded-devel@lists.openembedded.org Subject: Re: [meta-networking][PATCH v2] Upgrade vsftpd to 3.0.0 X-BeenThere: openembedded-devel@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: openembedded-devel@lists.openembedded.org List-Id: Using the OpenEmbedded metadata to build Distributions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Jul 2013 08:22:47 -0000 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit On 07/18/2013 02:43 AM, Joe MacDonald wrote: > Hi Roy, > > I merged this into my tree yesterday and on review it turns out I did > have a question for you (and for anyone else on the list with an > opinion) and a bit of feedback. > > This adds (unconditional) support for tcp-wrappers and makes it a > requirement for the upgraded vsftp. Is this something we could make > conditional based on tcp-wrappers being present? Or does anyone think > this is something worth doing? tcp-wrappers is coming from oe-core and > I don't have any systems where the new requirement would be a problem, > but does anyone else have a system they'd want vsftp without > tcp-wrappers? > > A couple of other things below ... > > [[meta-networking][PATCH v2] Upgrade vsftpd to 3.0.0] On 13.07.16 (Tue 20:51) rongqing.li@windriver.com wrote: > >> From: "Roy.Li" >> >> Upgrade vsftpd to 3.0.0 with below modification: >> 1. more strict access limitation, like: do not allow anonymous access >> 2. use vsftpd.ftpusers and vsftpd.user_list to confine user access >> 3. enable pam if DISTRO_FEATURE includes pam >> 4. enable tcp-wrapper >> 5. install vsftpd.conf with 0600 permission, not 0755 >> >> Signed-off-by: Roy.Li >> --- >> .../recipes-daemons/vsftpd/files/vsftpd.conf | 43 +++++++++++++++++--- >> .../recipes-daemons/vsftpd/files/vsftpd.ftpusers | 15 +++++++ >> .../recipes-daemons/vsftpd/files/vsftpd.user_list | 20 +++++++++ >> .../makefile-destdir.patch | 4 +- >> .../makefile-libs.patch | 2 +- >> .../makefile-strip.patch | 6 +-- >> .../{vsftpd-2.3.5 => vsftpd-3.0.0}/nopam.patch | 0 >> .../vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch | 25 ++++++++++++ >> .../vsftpd/{vsftpd_2.3.5.bb => vsftpd_3.0.0.bb} | 36 +++++++++++++--- >> 9 files changed, 133 insertions(+), 18 deletions(-) >> mode change 100755 => 100644 meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf >> create mode 100644 meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers >> create mode 100644 meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list >> rename meta-networking/recipes-daemons/vsftpd/{vsftpd-2.3.5 => vsftpd-3.0.0}/makefile-destdir.patch (95%) >> rename meta-networking/recipes-daemons/vsftpd/{vsftpd-2.3.5 => vsftpd-3.0.0}/makefile-libs.patch (92%) >> rename meta-networking/recipes-daemons/vsftpd/{vsftpd-2.3.5 => vsftpd-3.0.0}/makefile-strip.patch (68%) >> rename meta-networking/recipes-daemons/vsftpd/{vsftpd-2.3.5 => vsftpd-3.0.0}/nopam.patch (100%) >> create mode 100644 meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch >> rename meta-networking/recipes-daemons/vsftpd/{vsftpd_2.3.5.bb => vsftpd_3.0.0.bb} (48%) >> >> diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf >> old mode 100755 >> new mode 100644 >> index 08f91e0..bb19294 >> --- a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf >> +++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.conf >> @@ -12,17 +12,17 @@ >> listen=YES >> >> # Allow anonymous FTP? (Beware - allowed by default if you comment this out). >> -anonymous_enable=YES >> +anonymous_enable=NO >> # >> # Uncomment this to allow local users to log in. >> -#local_enable=YES >> +local_enable=YES >> # >> # Uncomment this to enable any form of FTP write command. >> write_enable=YES >> # >> # Default umask for local users is 077. You may wish to change this to 022, >> # if your users expect that (022 is used by most other ftpd's) >> -#local_umask=022 >> +local_umask=022 >> # >> # Uncomment this to allow the anonymous FTP user to upload files. This only >> # has an effect if the above global write enable is activated. Also, you will >> @@ -54,7 +54,7 @@ connect_from_port_20=YES >> #xferlog_file=/var/log/vsftpd.log >> # >> # If you want, you can have your log file in standard ftpd xferlog format >> -#xferlog_std_format=YES >> +xferlog_std_format=YES >> # >> # You may change the default value for timing out an idle session. >> #idle_session_timeout=600 >> @@ -64,7 +64,7 @@ connect_from_port_20=YES >> # >> # It is recommended that you define on your system a unique user which the >> # ftp server can use as a totally isolated and unprivileged user. >> -#nopriv_user=ftpsecure >> +#nopriv_user=ftp >> # >> # Enable this and the server will recognise asynchronous ABOR requests. Not >> # recommended for security (the code is non-trivial). Not enabling it, >> @@ -105,4 +105,35 @@ connect_from_port_20=YES >> # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume >> # the presence of the "-R" option, so there is a strong case for enabling it. >> #ls_recurse_enable=YES >> - >> +# >> +# This string is the name of the PAM service vsftpd will use. >> +pam_service_name=vsftpd > > I haven't tried this, does it do the right thing when PAM is not present > on the system? In particular, what's it do when nopam.patch is applied? > In that same vein: > Yes, it works well when no pam. It only tells vsftpd should find which files to apply pam library. like: /etc/pam.d/vsftpd > ERROR: Command Error: exit status: 1 Output: > Applying patch nopam.patch > patching file builddefs.h > Hunk #1 FAILED at 2. > 1 out of 1 hunk FAILED -- rejects in file builddefs.h > Patch nopam.patch does not apply (enforce with -f) > ERROR: Function failed: patch_do_patch > ERROR: Logfile of failure stored in: /home/jjm/yocto/yocto-build/tmp/work/core2-poky-linux/vsftpd/3.0.0-r0/temp/log.do_patch.26623 > ERROR: Task 1 (/home/jjm/yocto/meta-oe/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb, do_patch) failed with exit code '1' > > I had to refresh nopam.patch. Can you send an updated version with a > sign-off on it? OK. >> +# >> +# This option is examined if userlist_enable is activated. If you set this >> +# setting to NO, then users will be denied login unless they are explicitly >> +# listed in the file specified by userlist_file. When login is denied, the >> +# denial is issued before the user is asked for a password. >> +userlist_deny=YES >> +# >> +# If enabled, vsftpd will load a list of usernames, from the filename given by >> +# userlist_file. If a user tries to log in using a name in this file, they >> +# will be denied before they are asked for a password. This may be useful in >> +# preventing cleartext passwords being transmitted. See also userlist_deny. >> +userlist_enable=YES > > I've always disliked these options in vsftpd. They are confusing and > lead to inconsistent configurations. That said, the behaviour is > predictable right up until we factor in the (unused?) vsftp.ftpusers > file. I think that was intended to be a whitelist and I think it's a > redhatism, but I really don't know. Can you confirm (a) it's needed and > (b) it does something when we already have vsftp.user_list? Or dump it > from the commit? I'd really rather not install both unless both are > absolutely necessary. The configuration you have with userlist_deny=YES > is okay, though what's the behaviour of userlist_deny=NO, have an empty > file and allow PAM logins? That seems to be the safest default > configuration here, since you also are disabling anonymous logins > (something I think is a good plan). > > -J. > I think vsftpd.user_list has given a good comments. >> +++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list >> @@ -0,0 +1,20 @@ >> +# vsftpd userlist >> +# If userlist_deny=NO, only allow users in this file >> +# If userlist_deny=YES (default), never allow users in this file, and >> +# do not even prompt for a password. >> +# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers >> +# for users that are denied. They are not necessary, but I am keeping these configurations are same as Fedora Core. -Roy >> +# >> +# If enabled, vsftpd will display directory listings with the time in your >> +# local time zone. The default is to display GMT. The times returned by the >> +# MDTM FTP command are also affected by this option. >> +use_localtime=YES >> +# >> +# If set to YES, local users will be (by default) placed in a chroot() jail in >> +# their home directory after login. Warning: This option has security >> +# implications, especially if the users have upload permission, or shell access. >> +# Only enable if you know what you are doing. Note that these security implications >> +# are not vsftpd specific. They apply to all FTP daemons which offer to put >> +# local users in chroot() jails. >> +chroot_local_user=YES >> +# >> +allow_writeable_chroot=YES >> +# >> +tcp_wrappers=YES >> diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers >> new file mode 100644 >> index 0000000..096142f >> --- /dev/null >> +++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.ftpusers >> @@ -0,0 +1,15 @@ >> +# Users that are not allowed to login via ftp >> +root >> +bin >> +daemon >> +adm >> +lp >> +sync >> +shutdown >> +halt >> +mail >> +news >> +uucp >> +operator >> +games >> +nobody >> diff --git a/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list >> new file mode 100644 >> index 0000000..3e2760f >> --- /dev/null >> +++ b/meta-networking/recipes-daemons/vsftpd/files/vsftpd.user_list >> @@ -0,0 +1,20 @@ >> +# vsftpd userlist >> +# If userlist_deny=NO, only allow users in this file >> +# If userlist_deny=YES (default), never allow users in this file, and >> +# do not even prompt for a password. >> +# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers >> +# for users that are denied. >> +root >> +bin >> +daemon >> +adm >> +lp >> +sync >> +shutdown >> +halt >> +mail >> +news >> +uucp >> +operator >> +games >> +nobody >> diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch >> similarity index 95% >> rename from meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch >> rename to meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch >> index ee37f26..1980d09 100644 >> --- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-destdir.patch >> +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-destdir.patch >> @@ -7,8 +7,8 @@ Signed-off-by: Paul Eggleton >> diff --git a/Makefile b/Makefile >> --- a/Makefile >> +++ b/Makefile >> -@@ -24,21 +24,21 @@ vsftpd: $(OBJS) >> - $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) $(LDFLAGS) >> +@@ -24,21 +24,21 @@ >> + $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) >> >> install: >> - if [ -x /usr/local/sbin ]; then \ >> diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch >> similarity index 92% >> rename from meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch >> rename to meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch >> index 6a419db..9a10f72 100644 >> --- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-libs.patch >> +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-libs.patch >> @@ -10,7 +10,7 @@ Signed-off-by: Paul Eggleton >> diff --git a/Makefile b/Makefile >> --- a/Makefile >> +++ b/Makefile >> -@@ -5,7 +5,7 @@ IFLAGS = -idirafter dummyinc >> +@@ -5,7 +5,7 @@ >> #CFLAGS = -g >> CFLAGS = -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion >> >> diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch >> similarity index 68% >> rename from meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch >> rename to meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch >> index a2e0cd0..fd31600 100644 >> --- a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/makefile-strip.patch >> +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/makefile-strip.patch >> @@ -7,11 +7,11 @@ Signed-off-by: Paul Eggleton >> diff --git a/Makefile b/Makefile >> --- a/Makefile >> +++ b/Makefile >> -@@ -6,7 +6,6 @@ IFLAGS = -idirafter dummyinc >> - CFLAGS = -O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion >> +@@ -9,7 +9,6 @@ CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \ >> + #-pedantic -Wconversion >> >> LIBS = -lssl -lcrypto -lnsl -lresolv >> -LINK = -Wl,-s >> + LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now >> >> OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \ >> - tunables.o ftpdataio.o secbuf.o ls.o \ >> diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch >> similarity index 100% >> rename from meta-networking/recipes-daemons/vsftpd/vsftpd-2.3.5/nopam.patch >> rename to meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/nopam.patch >> diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch >> new file mode 100644 >> index 0000000..69745b3 >> --- /dev/null >> +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.0/vsftpd-tcp_wrappers-support.patch >> @@ -0,0 +1,25 @@ >> +Enable tcp_wrapper. >> + >> +Upstream-Status: Inappropriate [configuration] >> + >> +Signed-off-by: Roy.Li >> +--- >> + builddefs.h | 2 +- >> + 1 files changed, 1 insertions(+), 1 deletions(-) >> + >> +diff --git a/builddefs.h b/builddefs.h >> +index e908352..0106d1a 100644 >> +--- a/builddefs.h >> ++++ b/builddefs.h >> +@@ -1,7 +1,7 @@ >> + #ifndef VSF_BUILDDEFS_H >> + #define VSF_BUILDDEFS_H >> + >> +-#undef VSF_BUILD_TCPWRAPPERS >> ++#define VSF_BUILD_TCPWRAPPERS >> + #define VSF_BUILD_PAM >> + #undef VSF_BUILD_SSL >> + >> +-- >> +1.7.1 >> + >> diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb >> similarity index 48% >> rename from meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb >> rename to meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb >> index f146910..0ea1359 100644 >> --- a/meta-networking/recipes-daemons/vsftpd/vsftpd_2.3.5.bb >> +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb >> @@ -4,18 +4,29 @@ SECTION = "network" >> LICENSE = "GPLv2" >> LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271" >> >> -DEPENDS = "libcap openssl" >> +DEPENDS = "libcap openssl tcp-wrappers" >> >> SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \ >> file://makefile-destdir.patch \ >> file://makefile-libs.patch \ >> file://makefile-strip.patch \ >> - file://nopam.patch \ >> file://init \ >> - file://vsftpd.conf" >> + file://vsftpd.conf \ >> + file://vsftpd-tcp_wrappers-support.patch \ >> + file://vsftpd.user_list \ >> + file://vsftpd.ftpusers \ >> +" >> >> -SRC_URI[md5sum] = "01398a5bef8e85b6cf2c213a4b011eca" >> -SRC_URI[sha256sum] = "d87ee2987df8f03e1dbe294905f7907b2798deb89c67ca965f6e2f60879e54f1" >> +LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271 \ >> + file://COPYRIGHT;md5=04251b2eb0f298dae376d92454f6f72e \ >> + file://LICENSE;md5=654df2042d44b8cac8a5654fc5be63eb" >> +SRC_URI[md5sum] = "ad9fa952558c2c5b0426ccaccff0f972" >> +SRC_URI[sha256sum] = "ef70205dcd0c7f03b008b9578fb44c0cbe31e66daab8cfafb9904747c17fc2a8" >> + >> +DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" >> +RDEPENDS_${PN} += "${@base_contains('DISTRO_FEATURES', 'pam', 'pam-plugin-listfile', '', d)}" >> +SRC_URI += "${@base_contains('DISTRO_FEATURES', 'pam', '', 'file://nopam.patch', d)}" >> +PAMLIB = "${@base_contains('DISTRO_FEATURES', 'pam', '-L${STAGING_BASELIBDIR} -lpam', '', d)}" >> >> inherit update-rc.d useradd >> >> @@ -29,15 +40,28 @@ do_configure() { >> mv tunables.c.new tunables.c >> } >> >> +do_compile() { >> + oe_runmake "LIBS=-L${STAGING_LIBDIR} -lcrypt -lcap ${PAMLIB} -lwrap" >> +} >> + >> do_install() { >> install -d ${D}${sbindir} >> install -d ${D}${mandir}/man8 >> install -d ${D}${mandir}/man5 >> oe_runmake 'DESTDIR=${D}' install >> install -d ${D}${sysconfdir} >> - install -m 0755 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf >> + install -m 600 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf >> install -d ${D}${sysconfdir}/init.d/ >> install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/vsftpd >> + >> + install -m 600 ${WORKDIR}/vsftpd.ftpusers ${D}${sysconfdir}/ >> + install -m 600 ${WORKDIR}/vsftpd.user_list ${D}${sysconfdir}/ >> + if ! test -z ${PAMLIB} ; then >> + install -d ${D}${sysconfdir}/pam.d/ >> + cp ${S}/RedHat/vsftpd.pam ${D}${sysconfdir}/pam.d/vsftpd >> + sed -i "s:/lib/security:${base_libdir}/security:" ${D}${sysconfdir}/pam.d/vsftpd >> + sed -i "s:ftpusers:vsftpd.ftpusers:" ${D}${sysconfdir}/pam.d/vsftpd >> + fi >> } >> >> INITSCRIPT_PACKAGES = "${PN}" -- Best Reagrds, Roy | RongQing Li