From: Ming Liu <ming.liu@windriver.com>
To: Martin Jansa <martin.jansa@gmail.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [oe][meta-oe][PATCH] vsftpd: change default secure_chroot_dir
Date: Wed, 18 Sep 2013 09:40:26 +0800	[thread overview]
Message-ID: <5239048A.9040905@windriver.com> (raw)
In-Reply-To: <20130917103621.GB7313@jama>

On 09/17/2013 06:36 PM, Martin Jansa wrote:
> On Tue, Sep 17, 2013 at 04:56:14PM +0800, Ming Liu wrote:
>> Change default value of secure_chroot_dir to /var/run/vsftpd/empty, add
>> volatiles entry for it, to ensure it won't fail to start with error:
>> "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/var/share/empty"
>>
>> This shows up both in standalone mode and when started by xinetd.
> This belongs to openembedded-devel ML with [meta-networking] tag in
> subject.
Yes, thanks for telling me. I will send it to that ML.

Regards,
Ming Liu

>
>> Signed-off-by: Ming Liu <ming.liu@windriver.com>
>> ---
>>   .../vsftpd/files/change-secure_chroot_dir.patch    | 55 ++++++++++++++++++++++
>>   .../vsftpd/files/volatiles.99_vsftpd               |  1 +
>>   .../recipes-daemons/vsftpd/vsftpd_3.0.0.bb         |  6 ++-
>>   3 files changed, 61 insertions(+), 1 deletion(-)
>>   create mode 100644 meta-networking/recipes-daemons/vsftpd/files/change-secure_chroot_dir.patch
>>   create mode 100644 meta-networking/recipes-daemons/vsftpd/files/volatiles.99_vsftpd
>>
>> diff --git a/meta-networking/recipes-daemons/vsftpd/files/change-secure_chroot_dir.patch b/meta-networking/recipes-daemons/vsftpd/files/change-secure_chroot_dir.patch
>> new file mode 100644
>> index 0000000..5f2860e
>> --- /dev/null
>> +++ b/meta-networking/recipes-daemons/vsftpd/files/change-secure_chroot_dir.patch
>> @@ -0,0 +1,55 @@
>> +vsftpd: change default value of secure_chroot_dir
>> +
>> +Upstream-Status: Pending
>> +
>> +Change secure_chroot_dir pointing to a volatile directory.
>> +
>> +Signed-off-by: Ming Liu <ming.liu@windriver.com>
>> +---
>> + INSTALL       |    6 +++---
>> + tunables.c    |    2 +-
>> + vsftpd.conf.5 |    2 +-
>> + 3 files changed, 5 insertions(+), 5 deletions(-)
>> +
>> +diff -urpN a/INSTALL b/INSTALL
>> +--- a/INSTALL	2013-09-13 10:23:57.504972397 +0800
>> ++++ b/INSTALL	2013-09-13 10:25:25.664971779 +0800
>> +@@ -27,11 +27,11 @@ user in case it does not already exist.
>> + [root@localhost root]# useradd nobody
>> + useradd: user nobody exists
>> +
>> +-2b) vsftpd needs the (empty) directory /usr/share/empty in the default
>> ++2b) vsftpd needs the (empty) directory /var/run/vsftpd/empty in the default
>> + configuration. Add this directory in case it does not already exist. e.g.:
>> +
>> +-[root@localhost root]# mkdir /usr/share/empty/
>> +-mkdir: cannot create directory `/usr/share/empty': File exists
>> ++[root@localhost root]# mkdir /var/run/vsftpd/empty/
>> ++mkdir: cannot create directory `/var/run/vsftpd/empty': File exists
>> +
>> + 2c) For anonymous FTP, you will need the user "ftp" to exist, and have a
>> + valid home directory (which is NOT owned or writable by the user "ftp").
>> +diff -urpN a/tunables.c b/tunables.c
>> +--- a/tunables.c	2013-09-13 10:26:29.554972817 +0800
>> ++++ b/tunables.c	2013-09-13 10:27:18.104972210 +0800
>> +@@ -254,7 +254,7 @@ tunables_load_defaults()
>> +   /* -rw------- */
>> +   tunable_chown_upload_mode = 0600;
>> +
>> +-  install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir);
>> ++  install_str_setting("/var/run/vsftpd/empty", &tunable_secure_chroot_dir);
>> +   install_str_setting("ftp", &tunable_ftp_username);
>> +   install_str_setting("root", &tunable_chown_username);
>> +   install_str_setting("/var/log/xferlog", &tunable_xferlog_file);
>> +diff -urpN a/vsftpd.conf.5 b/vsftpd.conf.5
>> +--- a/vsftpd.conf.5	2013-09-13 10:09:33.774972462 +0800
>> ++++ b/vsftpd.conf.5	2013-09-13 10:10:41.914971989 +0800
>> +@@ -969,7 +969,7 @@ This option should be the name of a dire
>> + directory should not be writable by the ftp user. This directory is used
>> + as a secure chroot() jail at times vsftpd does not require filesystem access.
>> +
>> +-Default: /usr/share/empty
>> ++Default: /var/run/vsftpd/empty
>> + .TP
>> + .B ssl_ciphers
>> + This option can be used to select which SSL ciphers vsftpd will allow for
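Review bot: The literal `"/var/run/vsftpd/empty"` added in tunables_load_defaults() still passes through the recipe's do_configure, whose remaining `sed s:\"/var:\"${localstatedir}:g` rewrites it, while volatiles.99_vsftpd and the INSTALL and vsftpd.conf.5 text in this patch keep the literal /var path. If localstatedir is ever set to something other than /var, the compiled-in default and the directory created at boot would diverge, and vsftpd would presumably stop again with the "not found: directory given in 'secure_chroot_dir'" error this change is meant to remove. Either derive the volatiles path from `${localstatedir}` in do_install, or state in the patch header that the two locations must match. tunables_load_defaults() begins and ends outside the hunk.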
>> diff --git a/meta-networking/recipes-daemons/vsftpd/files/volatiles.99_vsftpd b/meta-networking/recipes-daemons/vsftpd/files/volatiles.99_vsftpd
>> new file mode 100644
>> index 0000000..8a602ba
>> --- /dev/null
>> +++ b/meta-networking/recipes-daemons/vsftpd/files/volatiles.99_vsftpd
>> @@ -0,0 +1 @@
>> +d root root 0755 /var/run/vsftpd/empty none
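Review bot: Only the leaf directory is listed, so the owner and mode of the parent /var/run/vsftpd are left to whatever the volatiles script does for intermediate directories, which is not visible on this page. This path is the chroot jail, and the vsftpd.conf.5 text quoted in the patch says it should not be writable by the ftp user, so each component leading to it should be pinned explicitly rather than inherited. Add `d root root 0755 /var/run/vsftpd none` ahead of the existing entry.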
>> diff --git a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
>> index 2c3e009..49d5d2a 100644
>> --- a/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
>> +++ b/meta-networking/recipes-daemons/vsftpd/vsftpd_3.0.0.bb
>> @@ -14,6 +14,8 @@ SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \
>>              file://vsftpd.conf \
>>              file://vsftpd.user_list \
>>              file://vsftpd.ftpusers \
>> +           file://change-secure_chroot_dir.patch \
>> +           file://volatiles.99_vsftpd \
>>   "
>>   
>>   LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271 \
>> @@ -40,7 +42,7 @@ LDFLAGS_append =" -lcrypt -lcap"
>>   do_configure() {
>>       # Fix hardcoded /usr, /etc, /var mess.
>>       cat tunables.c|sed s:\"/usr:\"${prefix}:g|sed s:\"/var:\"${localstatedir}:g \
>> -    |sed s:\"${prefix}/share/empty:\"${localstatedir}/share/empty:g |sed s:\"/etc:\"${sysconfdir}:g > tunables.c.new
>> +    |sed s:\"/etc:\"${sysconfdir}:g > tunables.c.new
>>       mv tunables.c.new tunables.c
>>   }
>>   
>> @@ -57,6 +59,8 @@ do_install() {
>>       install -m 600 ${WORKDIR}/vsftpd.conf ${D}${sysconfdir}/vsftpd.conf
>>       install -d ${D}${sysconfdir}/init.d/
>>       install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/vsftpd
>> +    install -d ${D}/${sysconfdir}/default/volatiles
>> +    install -m 644 ${WORKDIR}/volatiles.99_vsftpd ${D}/${sysconfdir}/default/volatiles/99_vsftpd
>>   
>>       install -m 600 ${WORKDIR}/vsftpd.ftpusers ${D}${sysconfdir}/
>>       install -m 600 ${WORKDIR}/vsftpd.user_list ${D}${sysconfdir}/
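Review bot: The two added install lines write `${D}/${sysconfdir}` while every other line in do_install uses `${D}${sysconfdir}`; sysconfdir is presumably already absolute, so the extra slash only produces a doubled separator. It is harmless, but the lines should match their neighbours: `install -d ${D}${sysconfdir}/default/volatiles` and `install -m 644 ${WORKDIR}/volatiles.99_vsftpd ${D}${sysconfdir}/default/volatiles/99_vsftpd`. do_install starts above the hunk and its end is not visible here.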
>> -- 
>> 1.8.3.3
>>
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core


