* [PATCH meta-networking v2] proftpd: use /bin/false as the login shell and add home-dir
From: rongqing.li @ 2013-12-02 4:44 UTC
To: openembedded-devel
From: Roy Li <rongqing.li@windriver.com>
Use /bin/false as the login shell, just like what Ubuntu does,
otherwise there might be a security issue; add /var/lib/ftp as user
ftp home-dir.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
index 6537b77..0006a2a 100644
--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
@@ -62,6 +62,7 @@ INITSCRIPT_PARAM = "defaults 85 15"
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "--system ${FTPGROUP}"
-USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} ${FTPUSER}"
+USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} --home-dir /var/lib/${FTPUSER} --no-create-home \
+ --shell /bin/false ${FTPUSER}"
FILES_${PN} += "/home/${FTPUSER}"
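Review bot: the new --home-dir /var/lib/${FTPUSER} on the USERADD_PARAM_${PN} line disagrees with the unchanged context line FILES_${PN} += "/home/${FTPUSER}", so the package still ships /home/${FTPUSER} while the account's home now points somewhere else. Either update FILES_${PN} to package /var/lib/${FTPUSER} or keep the home directory under /home/${FTPUSER}; the commit message should say which directory ftp logins are expected to land in.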
--
1.7.10.4
* Re: [PATCH meta-networking v2] proftpd: use /bin/false as the login shell and add home-dir
From: Rongqing Li @ 2013-12-02 9:20 UTC
To: openembedded-devel
Drop it, testing shows it does not work since /bin/false is not a valid
shell, even if RequireValidShell is set to off
On 12/02/2013 12:44 PM, rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> Use /bin/false as the login shell, just like what Ubuntu does,
> otherwise there might be a security issue; add /var/lib/ftp as user
> ftp home-dir.
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
> meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> index 6537b77..0006a2a 100644
> --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> @@ -62,6 +62,7 @@ INITSCRIPT_PARAM = "defaults 85 15"
>
> USERADD_PACKAGES = "${PN}"
> GROUPADD_PARAM_${PN} = "--system ${FTPGROUP}"
> -USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} ${FTPUSER}"
> +USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} --home-dir /var/lib/${FTPUSER} --no-create-home \
> + --shell /bin/false ${FTPUSER}"
>
> FILES_${PN} += "/home/${FTPUSER}"
>
--
Best Regards,
Roy | RongQing Li
* Re: [PATCH meta-networking v2] proftpd: use /bin/false as the login shell and add home-dir
From: Joe MacDonald @ 2013-12-04 13:56 UTC
To: Rongqing Li, Robert Yang; +Cc: openembedded-devel
[Re: [oe] [PATCH meta-networking v2] proftpd: use /bin/false as the login shell and add home-dir] On 13.12.02 (Mon 17:20) Rongqing Li wrote:
> Drop it, testing shows it does not work since /bin/false is not a valid
> shell, even if RequireValidShell is set to off
Hmm, so, there's something else at play here, given:
------------------------------------------------------------------------
commit b613318e14a0038b4fc6d5a7378b1affb64fd471
Author: Robert Yang <liezhi.yang@windriver.com>
Date: Wed Nov 13 05:24:24 2013 +0800
quagga: use /bin/false as the login shell
Use /bin/false as the login shell, just like what Ubuntu does,
otherwise there might be a security issue.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc
index 2106c9b..677b1c5 100644
--- a/meta-networking/recipes-protocols/quagga/quagga.inc
+++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -148,7 +148,7 @@ INITSCRIPT_PARAMS_${PN}-watchquagga = "defaults 90 10"
# Add quagga's user and group
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "--system quagga ; --system quaggavty"
-USERADD_PARAM_${PN} = "--system --home ${localstatedir}/run/quagga/ -M -g quagga quagga"
+USERADD_PARAM_${PN} = "--system --home ${localstatedir}/run/quagga/ -M -g quagga --shell /bin/false quagga"
pkg_postinst_${PN} () {
if [ -z "$D" ] && [ -e /etc/init.d/populate-volatile.sh ] ; then
------------------------------------------------------------------------
Is it that proftpd actually needs to spawn a shell somewhere or that
/bin/false simply isn't listed as a valid shell? (If the latter,
something should've shown up with the quagga commit, shouldn't it?)
Can you guys sync and get back to me on this?
Thanks,
-J.
>
> On 12/02/2013 12:44 PM, rongqing.li@windriver.com wrote:
> >From: Roy Li <rongqing.li@windriver.com>
> >
> >Use /bin/false as the login shell, just like what Ubuntu does,
> >otherwise there might be a security issue; add /var/lib/ftp as user
> >ftp home-dir.
> >
> >Signed-off-by: Roy Li <rongqing.li@windriver.com>
> >---
> > meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> >diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> >index 6537b77..0006a2a 100644
> >--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> >+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> >@@ -62,6 +62,7 @@ INITSCRIPT_PARAM = "defaults 85 15"
> >
> > USERADD_PACKAGES = "${PN}"
> > GROUPADD_PARAM_${PN} = "--system ${FTPGROUP}"
> >-USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} ${FTPUSER}"
> >+USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} --home-dir /var/lib/${FTPUSER} --no-create-home \
> >+ --shell /bin/false ${FTPUSER}"
> >
> > FILES_${PN} += "/home/${FTPUSER}"
> >
>
--
-Joe MacDonald.
:wq
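
One way to check the question raised in the message above, whether /bin/false is simply not listed as a valid shell: list the accounts whose shell is missing from the shells file, which is the lookup ProFTPD's RequireValidShell performs against /etc/shells. This is an added example, not code from the thread or from ProFTPD; the function names and the sample passwd and shells contents are constructed, and it assumes the check is a plain exact-match lookup.

```sh
#!/bin/sh
# Added example: which accounts would a RequireValidShell-style check reject?

# shell_is_listed SHELL SHELLS_FILE -> exit status 0 if SHELL is listed.
shell_is_listed() {
    # A missing shells file means every shell is accepted
    # (ProFTPD's documented fallback).
    [ -f "$2" ] || return 0
    # Ignore comment lines; match the whole line exactly, no patterns.
    grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$1"
}

# accounts_failing_shell_check PASSWD_FILE SHELLS_FILE
# Prints "user:shell" for every account whose shell is not listed.
accounts_failing_shell_check() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        # passwd(5): an empty shell field defaults to /bin/sh
        # (assumed here to apply to the check as well).
        [ -n "$shell" ] || shell=/bin/sh
        shell_is_listed "$shell" "$2" || printf '%s:%s\n' "$user" "$shell"
    done < "$1"
}

# Constructed sample data resembling the accounts discussed in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ftp:x:998:998::/var/lib/ftp:/bin/false
quagga:x:997:997::/var/run/quagga/:/bin/false
EOF
    cat > "$tmp/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
EOF
    accounts_failing_shell_check "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

demo
```

Both service accounts are reported, but only a daemon that authenticates logins against the shells list is affected by that; on a target image the same function can be pointed at /etc/passwd and /etc/shells.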
* [PATCH meta-networking v2] proftpd: use /bin/false as the login shell and add home-dir
From: rongqing.li @ 2013-12-06 8:34 UTC
To: openembedded-devel
From: Roy Li <rongqing.li@windriver.com>
Use /bin/false as the login shell, just like what Ubuntu does,
otherwise there might be a security issue; add /var/lib/ftp as user
ftp home-dir.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../files/close-RequireValidShell-check.patch | 27 ++++++++++++++++++++
.../recipes-daemons/proftpd/proftpd_1.3.4b.bb | 4 ++-
2 files changed, 30 insertions(+), 1 deletion(-)
create mode 100644 meta-networking/recipes-daemons/proftpd/files/close-RequireValidShell-check.patch
diff --git a/meta-networking/recipes-daemons/proftpd/files/close-RequireValidShell-check.patch b/meta-networking/recipes-daemons/proftpd/files/close-RequireValidShell-check.patch
new file mode 100644
index 0000000..cb73c2d
--- /dev/null
+++ b/meta-networking/recipes-daemons/proftpd/files/close-RequireValidShell-check.patch
@@ -0,0 +1,27 @@
+close RequireValidShell check
+
+Upstream-Status: Inappropriate [configuration]
+
+close RequireValidShell check since we like to make /bin/false as shell
+for ftp user
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ sample-configurations/basic.conf | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sample-configurations/basic.conf b/sample-configurations/basic.conf
+index 314eb79..abcb284 100644
+--- a/sample-configurations/basic.conf
++++ b/sample-configurations/basic.conf
+@@ -53,6 +53,7 @@ AllowOverwrite on
+ # We want clients to be able to login with "anonymous" as well as "ftp"
+ UserAlias anonymous ftp
+
++ RequireValidShell off
+ # Limit the maximum number of anonymous logins
+ MaxClients 10
+
+--
+1.7.10.4
+
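Review bot: "RequireValidShell off" is added between "UserAlias anonymous ftp" and the "# Limit the maximum number of anonymous logins" comment with no comment of its own and no blank line after it, so a reader of basic.conf cannot tell why the shell check is disabled or that it is tied to the ftp account's /bin/false shell. Add a one-line comment above the directive and a blank line below it. Judging by the surrounding comments the directive sits in the anonymous-login section, so the patch description should say whether only anonymous logins are meant to skip the check; "disable" would also read more clearly than "close", and since an earlier reply in this thread reported that logins still failed with RequireValidShell set to off, the description should state what was tested this time.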
diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
index 6537b77..eb502d6 100644
--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
@@ -13,6 +13,7 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \
file://proftpd-basic.init \
file://default \
file://move-pidfile-to-var-run.patch \
+ file://close-RequireValidShell-check.patch \
"
SRC_URI[md5sum] = "0871e0b93c9c3c88ca950b6d9a04aed2"
@@ -62,6 +63,7 @@ INITSCRIPT_PARAM = "defaults 85 15"
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "--system ${FTPGROUP}"
-USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} ${FTPUSER}"
+USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} --home-dir /var/lib/${FTPUSER} --no-create-home \
+ --shell /bin/false ${FTPUSER}"
FILES_${PN} += "/home/${FTPUSER}"
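Review bot: with --no-create-home on the new USERADD_PARAM_${PN} line, useradd will not create /var/lib/${FTPUSER}, and neither hunk of this recipe diff adds an install step for it, so the account's home may not exist on the target. Create the directory in the recipe with the ownership the ftp account needs, or drop --no-create-home. Separately, the subject still reads v2 although this posting adds close-RequireValidShell-check.patch; a bumped version and a short changelog under the --- line would make the history easier to follow.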
--
1.7.10.4
* Re: [PATCH meta-networking v2] proftpd: use /bin/false as the login shell and add home-dir
From: Joe MacDonald @ 2013-12-09 21:18 UTC
To: openembedded-devel
Merged, thanks.
-J.
[[oe] [PATCH meta-networking v2] proftpd: use /bin/false as the login shell and add home-dir] On 13.12.06 (Fri 16:34) rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> Use /bin/false as the login shell, just like what Ubuntu does,
> otherwise there might be a security issue; add /var/lib/ftp as user
> ftp home-dir.
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
> .../files/close-RequireValidShell-check.patch | 27 ++++++++++++++++++++
> .../recipes-daemons/proftpd/proftpd_1.3.4b.bb | 4 ++-
> 2 files changed, 30 insertions(+), 1 deletion(-)
> create mode 100644 meta-networking/recipes-daemons/proftpd/files/close-RequireValidShell-check.patch
>
> diff --git a/meta-networking/recipes-daemons/proftpd/files/close-RequireValidShell-check.patch b/meta-networking/recipes-daemons/proftpd/files/close-RequireValidShell-check.patch
> new file mode 100644
> index 0000000..cb73c2d
> --- /dev/null
> +++ b/meta-networking/recipes-daemons/proftpd/files/close-RequireValidShell-check.patch
> @@ -0,0 +1,27 @@
> +close RequireValidShell check
> +
> +Upstream-Status: Inappropriate [configuration]
> +
> +close RequireValidShell check since we like to make /bin/false as shell
> +for ftp user
> +
> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
> +---
> + sample-configurations/basic.conf | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/sample-configurations/basic.conf b/sample-configurations/basic.conf
> +index 314eb79..abcb284 100644
> +--- a/sample-configurations/basic.conf
> ++++ b/sample-configurations/basic.conf
> +@@ -53,6 +53,7 @@ AllowOverwrite on
> + # We want clients to be able to login with "anonymous" as well as "ftp"
> + UserAlias anonymous ftp
> +
> ++ RequireValidShell off
> + # Limit the maximum number of anonymous logins
> + MaxClients 10
> +
> +--
> +1.7.10.4
> +
> diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> index 6537b77..eb502d6 100644
> --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
> @@ -13,6 +13,7 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \
> file://proftpd-basic.init \
> file://default \
> file://move-pidfile-to-var-run.patch \
> + file://close-RequireValidShell-check.patch \
> "
>
> SRC_URI[md5sum] = "0871e0b93c9c3c88ca950b6d9a04aed2"
> @@ -62,6 +63,7 @@ INITSCRIPT_PARAM = "defaults 85 15"
>
> USERADD_PACKAGES = "${PN}"
> GROUPADD_PARAM_${PN} = "--system ${FTPGROUP}"
> -USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} ${FTPUSER}"
> +USERADD_PARAM_${PN} = "--system -g ${FTPGROUP} --home-dir /var/lib/${FTPUSER} --no-create-home \
> + --shell /bin/false ${FTPUSER}"
>
> FILES_${PN} += "/home/${FTPUSER}"
--
-Joe MacDonald.
:wq