ports/opt (2.4): vsftpd: update to 2.0.7
commit 33d9fe4702b77f76a60f2bcec047bcd4b31d4d3b
Author: Juergen Daubert <jue@jue.li>
Date:   Wed Jul 30 22:24:24 2008 +0200

    vsftpd: update to 2.0.7

diff --git a/vsftpd/.md5sum b/vsftpd/.md5sum
index c08257d..b995179 100644
--- a/vsftpd/.md5sum
+++ b/vsftpd/.md5sum
@@ -1,4 +1,4 @@
 7a0ece0af8aefad4313270a8786e041e vsftpd
-f7a742690d7f86e356fb66d3840079c7 vsftpd-2.0.6.tar.gz
-42228defa4d54bdc280c1e885944942c vsftpd-config.patch
+3e39cb7b0bee306ad7df8e3552e15297 vsftpd-2.0.7.tar.gz
+d69ea2c7fe28d63a586f47deb5ea7726 vsftpd-config.patch
 50909902ac4ee17700ae9f3cc712485b vsftpd-syscall.patch
diff --git a/vsftpd/Pkgfile b/vsftpd/Pkgfile
index 91356b4..5b57c8b 100644
--- a/vsftpd/Pkgfile
+++ b/vsftpd/Pkgfile
@@ -4,7 +4,7 @@
 # Depends on: openssl
 
 name=vsftpd
-version=2.0.6
+version=2.0.7
 release=1
 source=(ftp://vsftpd.beasts.org/users/cevans/$name-$version.tar.gz \
 	$name-config.patch $name-syscall.patch vsftpd)
diff --git a/vsftpd/vsftpd-config.patch b/vsftpd/vsftpd-config.patch
index 52c2002..b5bbc8c 100644
--- a/vsftpd/vsftpd-config.patch
+++ b/vsftpd/vsftpd-config.patch
@@ -1,6 +1,6 @@
-diff -Nru vsftpd-2.0.6.orig/Makefile vsftpd-2.0.6/Makefile
---- vsftpd-2.0.6.orig/Makefile 2008-02-14 11:06:23.000000000 +0100
-+++ vsftpd-2.0.6/Makefile 2008-02-14 11:06:37.000000000 +0100
+diff -Nru vsftpd-2.0.7.orig/Makefile vsftpd-2.0.7/Makefile
+--- vsftpd-2.0.7.orig/Makefile 2008-07-30 22:19:12.000000000 +0200
++++ vsftpd-2.0.7/Makefile 2008-07-30 22:19:26.000000000 +0200
  @@ -3,7 +3,7 @@
  INSTALL = install
  IFLAGS = -idirafter dummyinc
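Review bot: The new `3e39cb7b…` line in `.md5sum` is the only integrity check on the 2.0.7 tarball, and the Pkgfile it pairs with still fetches `$name-$version.tar.gz` over plain `ftp://vsftpd.beasts.org`, so the pinned MD5 was necessarily computed from an unauthenticated download: it catches later corruption or a changed mirror copy, but not a tarball that was already substituted when the maintainer fetched it, and MD5 collision attacks were public well before 2008. Nothing in the commit records that the release was cross-checked against an upstream signature or an independently obtained checksum before the value was pinned. If upstream publishes a detached signature for this release, verifying it once and noting that fact next to the version line, e.g. `# 2.0.7 tarball verified against upstream signature before md5 was recorded`, would make the pinned value something a later reviewer can trust rather than just a hash of whatever the FTP server served that day.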
@@ -36,9 +36,9 @@ diff -Nru vsftpd-2.0.6.orig/Makefile vsftpd-2.0.6/Makefile clean: rm -f *.o *.swp vsftpd -diff -Nru vsftpd-2.0.6.orig/builddefs.h vsftpd-2.0.6/builddefs.h ---- vsftpd-2.0.6.orig/builddefs.h 2008-02-14 11:06:23.000000000 +0100 -+++ vsftpd-2.0.6/builddefs.h 2008-02-14 11:06:37.000000000 +0100 +diff -Nru vsftpd-2.0.7.orig/builddefs.h vsftpd-2.0.7/builddefs.h +--- vsftpd-2.0.7.orig/builddefs.h 2008-07-30 22:19:12.000000000 +0200 ++++ vsftpd-2.0.7/builddefs.h 2008-07-30 22:19:26.000000000 +0200 @@ -1,9 +1,9 @@ #ifndef VSF_BUILDDEFS_H #define VSF_BUILDDEFS_H @@ -52,10 +52,10 @@ diff -Nru vsftpd-2.0.6.orig/builddefs.h vsftpd-2.0.6/builddefs.h #endif /* VSF_BUILDDEFS_H */ -diff -Nru vsftpd-2.0.6.orig/tunables.c vsftpd-2.0.6/tunables.c ---- vsftpd-2.0.6.orig/tunables.c 2008-02-14 11:06:23.000000000 +0100 -+++ vsftpd-2.0.6/tunables.c 2008-02-14 11:06:37.000000000 +0100 -@@ -100,7 +100,7 @@ +diff -Nru vsftpd-2.0.7.orig/tunables.c vsftpd-2.0.7/tunables.c +--- vsftpd-2.0.7.orig/tunables.c 2008-07-30 22:19:12.000000000 +0200 ++++ vsftpd-2.0.7/tunables.c 2008-07-30 22:19:26.000000000 +0200 +@@ -104,7 +104,7 @@ /* -rw------- */ unsigned int tunable_chown_upload_mode = 0600; @@ -64,7 +64,7 @@ diff -Nru vsftpd-2.0.6.orig/tunables.c vsftpd-2.0.6/tunables.c const char* tunable_ftp_username = "ftp"; const char* tunable_chown_username = "root"; const char* tunable_xferlog_file = "/var/log/xferlog"; -@@ -125,10 +125,10 @@ +@@ -129,10 +129,10 @@ const char* tunable_deny_file = 0; const char* tunable_user_sub_token = 0; const char* tunable_email_password_file = "/etc/vsftpd.email_passwords"; 
@@ -77,9 +77,9 @@ diff -Nru vsftpd-2.0.6.orig/tunables.c vsftpd-2.0.6/tunables.c const char* tunable_dsa_private_key_file = 0; const char* tunable_ca_certs_file = 0; -diff -Nru vsftpd-2.0.6.orig/vsftpd.conf vsftpd-2.0.6/vsftpd.conf ---- vsftpd-2.0.6.orig/vsftpd.conf 2008-02-14 11:06:23.000000000 +0100 -+++ vsftpd-2.0.6/vsftpd.conf 2008-02-14 11:06:37.000000000 +0100 +diff -Nru vsftpd-2.0.7.orig/vsftpd.conf vsftpd-2.0.7/vsftpd.conf +--- vsftpd-2.0.7.orig/vsftpd.conf 2008-07-30 22:19:12.000000000 +0200 ++++ vsftpd-2.0.7/vsftpd.conf 2008-07-30 22:19:26.000000000 +0200 @@ -8,11 +8,25 @@ # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. @@ -106,10 +106,10 @@ diff -Nru vsftpd-2.0.6.orig/vsftpd.conf vsftpd-2.0.6/vsftpd.conf # # Uncomment this to enable any form of FTP write command. #write_enable=YES -diff -Nru vsftpd-2.0.6.orig/vsftpd.conf.5 vsftpd-2.0.6/vsftpd.conf.5 ---- vsftpd-2.0.6.orig/vsftpd.conf.5 2008-02-14 11:06:23.000000000 +0100 -+++ vsftpd-2.0.6/vsftpd.conf.5 2008-02-14 11:06:37.000000000 +0100 -@@ -897,21 +897,21 @@ +diff -Nru vsftpd-2.0.7.orig/vsftpd.conf.5 vsftpd-2.0.7/vsftpd.conf.5 +--- vsftpd-2.0.7.orig/vsftpd.conf.5 2008-07-30 22:19:12.000000000 +0200 ++++ vsftpd-2.0.7/vsftpd.conf.5 2008-07-30 22:19:26.000000000 +0200 +@@ -927,21 +927,21 @@ This option specifies the location of the RSA certificate to use for SSL encrypted connections. 
@@ -134,1007 +134,3 @@ diff -Nru vsftpd-2.0.6.orig/vsftpd.conf.5 vsftpd-2.0.6/vsftpd.conf.5 .TP .B ssl_ciphers This option can be used to select which SSL ciphers vsftpd will allow for -diff -Nru vsftpd-2.0.6.orig/vsftpd.conf.5~ vsftpd-2.0.6/vsftpd.conf.5~ ---- vsftpd-2.0.6.orig/vsftpd.conf.5~ 1970-01-01 01:00:00.000000000 +0100 -+++ vsftpd-2.0.6/vsftpd.conf.5~ 2008-02-12 05:56:32.000000000 +0100 -@@ -0,0 +1,1000 @@ -+.TH VSFTPD.CONF 5 -+.SH NAME -+vsftpd.conf \- config file for vsftpd -+.SH DESCRIPTION -+vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By -+default, vsftpd looks for this file at the location -+.BR /etc/vsftpd.conf . -+However, you may override this by specifying a command line argument to -+vsftpd. The command line argument is the pathname of the configuration file -+for vsftpd. This behaviour is useful because you may wish to use an advanced -+inetd such as -+.BR xinetd -+to launch vsftpd with different configuration files on a per virtual host -+basis. -+ -+.SH FORMAT -+The format of vsftpd.conf is very simple. Each line is either a comment or -+a directive. Comment lines start with a # and are ignored. A directive line -+has the format: -+ -+option=value -+ -+It is important to note that it is an error to put any space between the -+option, = and value. -+ -+Each setting has a compiled in default which may be modified in the -+configuration file. -+ -+.SH BOOLEAN OPTIONS -+Below is a list of boolean options. The value for a boolean option may be set -+to -+.BR YES -+or -+.BR NO . -+ -+.TP -+.B allow_anon_ssl -+Only applies if -+.BR ssl_enable -+is active. If set to YES, anonymous users will be allowed to use secured SSL -+connections. -+ -+Default: NO -+.TP -+.B anon_mkdir_write_enable -+If set to YES, anonymous users will be permitted to create new directories -+under certain conditions. 
For this to work, the option -+.BR write_enable -+must be activated, and the anonymous ftp user must have write permission on -+the parent directory. -+ -+Default: NO -+.TP -+.B anon_other_write_enable -+If set to YES, anonymous users will be permitted to perform write operations -+other than upload and create directory, such as deletion and renaming. This -+is generally not recommended but included for completeness. -+ -+Default: NO -+.TP -+.B anon_upload_enable -+If set to YES, anonymous users will be permitted to upload files under certain -+conditions. For this to work, the option -+.BR write_enable -+must be activated, and the anonymous ftp user must have write permission on -+desired upload locations. This setting is also required for virtual users to -+upload; by default, virtual users are treated with anonymous (i.e. maximally -+restricted) privilege. -+ -+Default: NO -+.TP -+.B anon_world_readable_only -+When enabled, anonymous users will only be allowed to download files which -+are world readable. This is recognising that the ftp user may own files, -+especially in the presence of uploads. -+ -+Default: YES -+.TP -+.B anonymous_enable -+Controls whether anonymous logins are permitted or not. If enabled, -+both the usernames -+.BR ftp -+and -+.BR anonymous -+are recognised as anonymous logins. -+ -+Default: YES -+.TP -+.B ascii_download_enable -+When enabled, ASCII mode data transfers will be honoured on downloads. -+ -+Default: NO -+.TP -+.B ascii_upload_enable -+When enabled, ASCII mode data transfers will be honoured on uploads. -+ -+Default: NO -+.TP -+.B async_abor_enable -+When enabled, a special FTP command known as "async ABOR" will be enabled. -+Only ill advised FTP clients will use this feature. Additionally, this feature -+is awkward to handle, so it is disabled by default. Unfortunately, some FTP -+clients will hang when cancelling a transfer unless this feature is available, -+so you may wish to enable it. 
-+ -+Default: NO -+.TP -+.B background -+When enabled, and vsftpd is started in "listen" mode, vsftpd will background -+the listener process. i.e. control will immediately be returned to the shell -+which launched vsftpd. -+ -+Default: NO -+.TP -+.B check_shell -+Note! This option only has an effect for non-PAM builds of vsftpd. If disabled, -+vsftpd will not check /etc/shells for a valid user shell for local logins. -+ -+Default: YES -+.TP -+.B chmod_enable -+When enables, allows use of the SITE CHMOD command. NOTE! This only applies -+to local users. Anonymous users never get to use SITE CHMOD. -+ -+Default: YES -+.TP -+.B chown_uploads -+If enabled, all anonymously uploaded files will have the ownership changed -+to the user specified in the setting -+.BR chown_username . -+This is useful from an administrative, and perhaps security, standpoint. -+ -+Default: NO -+.TP -+.B chroot_list_enable -+If activated, you may provide a list of local users who are placed in a -+chroot() jail in their home directory upon login. The meaning is slightly -+different if chroot_local_user is set to YES. In this case, the list becomes -+a list of users which are NOT to be placed in a chroot() jail. -+By default, the file containing this list is -+/etc/vsftpd.chroot_list, but you may override this with the -+.BR chroot_list_file -+setting. -+ -+Default: NO -+.TP -+.B chroot_local_user -+If set to YES, local users will be (by default) placed in a chroot() jail in -+their home directory after login. -+.BR Warning: -+This option has security implications, especially if the users have upload -+permission, or shell access. Only enable if you know what you are doing. -+Note that these security implications are not vsftpd specific. They apply to -+all FTP daemons which offer to put local users in chroot() jails. -+ -+Default: NO -+.TP -+.B connect_from_port_20 -+This controls whether PORT style data connections use port 20 (ftp-data) on -+the server machine. 
For security reasons, some clients may insist that this -+is the case. Conversely, disabling this option enables vsftpd to run with -+slightly less privilege. -+ -+Default: NO (but the sample config file enables it) -+.TP -+.B debug_ssl -+If true, OpenSSL connection diagnostics are dumped to the vsftpd log file. -+(Added in v2.0.6). -+ -+Default: NO -+.TP -+.B deny_email_enable -+If activated, you may provide a list of anonymous password e-mail responses -+which cause login to be denied. By default, the file containing this list is -+/etc/vsftpd.banned_emails, but you may override this with the -+.BR banned_email_file -+setting. -+ -+Default: NO -+.TP -+.B dirlist_enable -+If set to NO, all directory list commands will give permission denied. -+ -+Default: YES -+.TP -+.B dirmessage_enable -+If enabled, users of the FTP server can be shown messages when they first -+enter a new directory. By default, a directory is scanned for the -+file .message, but that may be overridden with the configuration setting -+.BR message_file . -+ -+Default: NO (but the sample config file enables it) -+.TP -+.B download_enable -+If set to NO, all download requests will give permission denied. -+ -+Default: YES -+.TP -+.B dual_log_enable -+If enabled, two log files are generated in parallel, going by default to -+.BR /var/log/xferlog -+and -+.BR /var/log/vsftpd.log . -+The former is a wu-ftpd style transfer log, parseable by standard tools. The -+latter is vsftpd's own style log. -+ -+Default: NO -+.TP -+.B force_dot_files -+If activated, files and directories starting with . will be shown in directory -+listings even if the "a" flag was not used by the client. This override -+excludes the "." and ".." entries. -+ -+Default: NO -+.TP -+.B force_anon_data_ssl -+Only applies if -+.BR ssl_enable -+is activated. If activated, all anonymous logins are forced to use a secure -+SSL connection in order to send and receive data on data connections. 
-+ -+Default: NO -+.TP -+.B force_anon_logins_ssl -+Only applies if -+.BR ssl_enable -+is activated. If activated, all anonymous logins are forced to use a secure -+SSL connection in order to send the password. -+ -+Default: NO -+.TP -+.B force_local_data_ssl -+Only applies if -+.BR ssl_enable -+is activated. If activated, all non-anonymous logins are forced to use a secure -+SSL connection in order to send and receive data on data connections. -+ -+Default: YES -+.TP -+.B force_local_logins_ssl -+Only applies if -+.BR ssl_enable -+is activated. If activated, all non-anonymous logins are forced to use a secure -+SSL connection in order to send the password. -+ -+Default: YES -+.TP -+.B guest_enable -+If enabled, all non-anonymous logins are classed as "guest" logins. A guest -+login is remapped to the user specified in the -+.BR guest_username -+setting. -+ -+Default: NO -+.TP -+.B hide_ids -+If enabled, all user and group information in directory listings will be -+displayed as "ftp". -+ -+Default: NO -+.TP -+.B listen -+If enabled, vsftpd will run in standalone mode. This means that vsftpd must -+not be run from an inetd of some kind. Instead, the vsftpd executable is -+run once directly. vsftpd itself will then take care of listening for and -+handling incoming connections. -+ -+Default: NO -+.TP -+.B listen_ipv6 -+Like the listen parameter, except vsftpd will listen on an IPv6 socket instead -+of an IPv4 one. This parameter and the listen parameter are mutually -+exclusive. -+ -+Default: NO -+.TP -+.B local_enable -+Controls whether local logins are permitted or not. If enabled, normal -+user accounts in /etc/passwd (or wherever your PAM config references) may be -+used to log in. This must be enable for any non-anonymous login to work, -+including virtual users. -+ -+Default: NO -+.TP -+.B lock_upload_files -+When enabled, all uploads proceed with a write lock on the upload file. All -+downloads proceed with a shared read lock on the download file. WARNING! 
-+Before enabling this, be aware that malicious readers could starve a writer -+wanting to e.g. append a file. -+ -+Default: YES -+.TP -+.B log_ftp_protocol -+When enabled, all FTP requests and responses are logged, providing the option -+xferlog_std_format is not enabled. Useful for debugging. -+ -+Default: NO -+.TP -+.B ls_recurse_enable -+When enabled, this setting will allow the use of "ls -R". This is a minor -+security risk, because a ls -R at the top level of a large site may consume -+a lot of resources. -+ -+Default: NO -+.TP -+.B mdtm_write -+When enabled, this setting will allow MDTM to set file modification times -+(subject to the usual access checks). -+ -+Default: YES -+.TP -+.B no_anon_password -+When enabled, this prevents vsftpd from asking for an anonymous password - -+the anonymous user will log straight in. -+ -+Default: NO -+.TP -+.B no_log_lock -+When enabled, this prevents vsftpd from taking a file lock when writing to log -+files. This option should generally not be enabled. It exists to workaround -+operating system bugs such as the Solaris / Veritas filesystem combination -+which has been observed to sometimes exhibit hangs trying to lock log files. -+ -+Default: NO -+.TP -+.B one_process_model -+If you have a Linux 2.4 kernel, it is possible to use a different security -+model which only uses one process per connection. It is a less pure security -+model, but gains you performance. You really don't want to enable this unless -+you know what you are doing, and your site supports huge numbers of -+simultaneously connected users. -+ -+Default: NO -+.TP -+.B passwd_chroot_enable -+If enabled, along with -+.BR chroot_local_user -+, then a chroot() jail location may be specified on a per-user basis. Each -+user's jail is derived from their home directory string in /etc/passwd. The -+occurrence of /./ in the home directory string denotes that the jail is at that -+particular location in the path. 
-+ -+Default: NO -+.TP -+.B pasv_addr_resolve -+Set to YES if you want to use a hostname (as opposed to IP address) in the -+.BR pasv_address -+option. -+ -+Default: NO -+.TP -+.B pasv_enable -+Set to NO if you want to disallow the PASV method of obtaining a data -+connection. -+ -+Default: YES -+.TP -+.B pasv_promiscuous -+Set to YES if you want to disable the PASV security check that ensures the -+data connection originates from the same IP address as the control connection. -+Only enable if you know what you are doing! The only legitimate use for this -+is in some form of secure tunnelling scheme, or perhaps to facilitate FXP -+support. -+ -+Default: NO -+.TP -+.B port_enable -+Set to NO if you want to disallow the PORT method of obtaining a data -+connection. -+ -+Default: YES -+.TP -+.B port_promiscuous -+Set to YES if you want to disable the PORT security check that ensures that -+outgoing data connections can only connect to the client. Only enable if -+you know what you are doing! -+ -+Default: NO -+.TP -+.B require_cert -+If set to yes, all SSL client connections are required to present a client -+certificate. The degree of validation applied to this certificate is -+controlled by -+.BR validate_cert -+(Added in v2.0.6). -+ -+Default: NO -+.TP -+.B run_as_launching_user -+Set to YES if you want vsftpd to run as the user which launched vsftpd. This is -+useful where root access is not available. MASSIVE WARNING! Do NOT enable this -+option unless you totally know what you are doing, as naive use of this option -+can create massive security problems. Specifically, vsftpd does not / cannot -+use chroot technology to restrict file access when this option is set (even if -+launched by root). A poor substitute could be to use a -+.BR deny_file -+setting such as {/*,*..*}, but the reliability of this cannot compare to -+chroot, and should not be relied on. -+If using this option, many restrictions on other options -+apply. 
For example, options requiring privilege such as non-anonymous logins, -+upload ownership changing, connecting from port 20 and listen ports less than -+1024 are not expected to work. Other options may be impacted. -+ -+Default: NO -+.TP -+.B secure_email_list_enable -+Set to YES if you want only a specified list of e-mail passwords for anonymous -+logins to be accepted. This is useful as a low-hassle way of restricting -+access to low-security content without needing virtual users. When enabled, -+anonymous logins are prevented unless the password provided is listed in the -+file specified by the -+.BR email_password_file -+setting. The file format is one password per line, no extra whitespace. The -+default filename is /etc/vsftpd.email_passwords. -+ -+Default: NO -+.TP -+.B session_support -+This controls whether vsftpd attempts to maintain sessions for logins. If -+vsftpd is maintaining sessions, it will try and update utmp and wtmp. It -+will also open a pam_session if using PAM to authenticate, and only close -+this upon logout. You may wish to disable this if you do not need session -+logging, and you wish to give vsftpd more opportunity to run with less -+processes and / or less privilege. NOTE - utmp and wtmp support is only -+provided with PAM enabled builds. -+ -+Default: NO -+.TP -+.B setproctitle_enable -+If enabled, vsftpd will try and show session status information in the system -+process listing. In other words, the reported name of the process will change -+to reflect what a vsftpd session is doing (idle, downloading etc). You -+probably want to leave this off for security purposes. -+ -+Default: NO -+.TP -+.B ssl_enable -+If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support secure -+connections via SSL. This applies to the control connection (including login) -+and also data connections. You'll need a client with SSL support too. NOTE!! -+Beware enabling this option. Only enable it if you need it. 
vsftpd can make no -+guarantees about the security of the OpenSSL libraries. By enabling this -+option, you are declaring that you trust the security of your installed -+OpenSSL library. -+ -+Default: NO -+.TP -+.B ssl_sslv2 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit SSL v2 protocol connections. -+TLS v1 connections are preferred. -+ -+Default: NO -+.TP -+.B ssl_sslv3 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit SSL v3 protocol connections. -+TLS v1 connections are preferred. -+ -+Default: NO -+.TP -+.B ssl_tlsv1 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1 protocol connections. -+TLS v1 connections are preferred. -+ -+Default: YES -+.TP -+.B syslog_enable -+If enabled, then any log output which would have gone to /var/log/vsftpd.log -+goes to the system log instead. Logging is done under the FTPD facility. -+ -+Default: NO -+.TP -+.B tcp_wrappers -+If enabled, and vsftpd was compiled with tcp_wrappers support, incoming -+connections will be fed through tcp_wrappers access control. Furthermore, -+there is a mechanism for per-IP based configuration. If tcp_wrappers sets -+the VSFTPD_LOAD_CONF environment variable, then the vsftpd session will try -+and load the vsftpd configuration file specified in this variable. -+ -+Default: NO -+.TP -+.B text_userdb_names -+By default, numeric IDs are shown in the user and group fields of directory -+listings. You can get textual names by enabling this parameter. It is off -+by default for performance reasons. -+ -+Default: NO -+.TP -+.B tilde_user_enable -+If enabled, vsftpd will try and resolve pathnames such as ~chris/pics, i.e. a -+tilde followed by a username. Note that vsftpd will always resolve the -+pathnames ~ and ~/something (in this case the ~ resolves to the initial -+login directory). 
Note that ~user paths will only resolve if the file -+.BR /etc/passwd -+may be found within the _current_ chroot() jail. -+ -+Default: NO -+.TP -+.B use_localtime -+If enabled, vsftpd will display directory listings with the time in your -+local time zone. The default is to display GMT. The times returned by the -+MDTM FTP command are also affected by this option. -+ -+Default: NO -+.TP -+.B use_sendfile -+An internal setting used for testing the relative benefit of using the -+sendfile() system call on your platform. -+ -+Default: YES -+.TP -+.B userlist_deny -+This option is examined if -+.B userlist_enable -+is activated. If you set this setting to NO, then users will be denied login -+unless they are explicitly listed in the file specified by -+.BR userlist_file . -+When login is denied, the denial is issued before the user is asked for a -+password. -+ -+Default: YES -+.TP -+.B userlist_enable -+If enabled, vsftpd will load a list of usernames, from the filename given by -+.BR userlist_file . -+If a user tries to log in using a name in this file, they will be denied -+before they are asked for a password. This may be useful in preventing -+cleartext passwords being transmitted. See also -+.BR userlist_deny . -+ -+Default: NO -+.TP -+.B validate_cert -+If set to yes, all SSL client certificates received must validate OK. -+Self-signed certs do not constitute OK validation. (New in v2.0.6). -+ -+Default: NO -+.TP -+.B virtual_use_local_privs -+If enabled, virtual users will use the same privileges as local users. By -+default, virtual users will use the same privileges as anonymous users, which -+tends to be more restrictive (especially in terms of write access). -+ -+Default: NO -+.TP -+.B write_enable -+This controls whether any FTP commands which change the filesystem are allowed -+or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE. 
-+ -+Default: NO -+.TP -+.B xferlog_enable -+If enabled, a log file will be maintained detailling uploads and downloads. -+By default, this file will be placed at /var/log/vsftpd.log, but this location -+may be overridden using the configuration setting -+.BR vsftpd_log_file . -+ -+Default: NO (but the sample config file enables it) -+.TP -+.B xferlog_std_format -+If enabled, the transfer log file will be written in standard xferlog format, -+as used by wu-ftpd. This is useful because you can reuse existing transfer -+statistics generators. The default format is more readable, however. The -+default location for this style of log file is /var/log/xferlog, but you may -+change it with the setting -+.BR xferlog_file . -+ -+Default: NO -+ -+.SH NUMERIC OPTIONS -+Below is a list of numeric options. A numeric option must be set to a non -+negative integer. Octal numbers are supported, for convenience of the umask -+options. To specify an octal number, use 0 as the first digit of the number. -+ -+.TP -+.B accept_timeout -+The timeout, in seconds, for a remote client to establish connection with -+a PASV style data connection. -+ -+Default: 60 -+.TP -+.B anon_max_rate -+The maximum data transfer rate permitted, in bytes per second, for anonymous -+clients. -+ -+Default: 0 (unlimited) -+.TP -+.B anon_umask -+The value that the umask for file creation is set to for anonymous users. NOTE! If you want to specify octal values, remember the "0" prefix otherwise the -+value will be treated as a base 10 integer! -+ -+Default: 077 -+.TP -+.B chown_upload_mode -+The file mode to force for chown()ed anonymous uploads. (Added in v2.0.6). -+ -+Default: 0600 -+.TP -+.B connect_timeout -+The timeout, in seconds, for a remote client to respond to our PORT style -+data connection. -+ -+Default: 60 -+.TP -+.B data_connection_timeout -+The timeout, in seconds, which is roughly the maximum time we permit data -+transfers to stall for with no progress. 
If the timeout triggers, the remote -+client is kicked off. -+ -+Default: 300 -+.TP -+.B delay_failed_login -+The number of seconds to pause prior to reporting a failed login. -+ -+Default: 1 -+.TP -+.B delay_successful_login -+The number of seconds to pause prior to allowing a successful login. -+ -+Default: 0 -+.TP -+.B file_open_mode -+The permissions with which uploaded files are created. Umasks are applied -+on top of this value. You may wish to change to 0777 if you want uploaded -+files to be executable. -+ -+Default: 0666 -+.TP -+.B ftp_data_port -+The port from which PORT style connections originate (as long as the poorly -+named -+.BR connect_from_port_20 -+is enabled). -+ -+Default: 20 -+.TP -+.B idle_session_timeout -+The timeout, in seconds, which is the maximum time a remote client may spend -+between FTP commands. If the timeout triggers, the remote client is kicked -+off. -+ -+Default: 300 -+.TP -+.B listen_port -+If vsftpd is in standalone mode, this is the port it will listen on for -+incoming FTP connections. -+ -+Default: 21 -+.TP -+.B local_max_rate -+The maximum data transfer rate permitted, in bytes per second, for local -+authenticated users. -+ -+Default: 0 (unlimited) -+.TP -+.B local_umask -+The value that the umask for file creation is set to for local users. NOTE! If -+you want to specify octal values, remember the "0" prefix otherwise the value -+will be treated as a base 10 integer! -+ -+Default: 077 -+.TP -+.B max_clients -+If vsftpd is in standalone mode, this is the maximum number of clients which -+may be connected. Any additional clients connecting will get an error message. -+ -+Default: 0 (unlimited) -+.TP -+.B max_login_fails -+After this many login failures, the session is killed. -+ -+Default: 3 -+.TP -+.B max_per_ip -+If vsftpd is in standalone mode, this is the maximum number of clients which -+may be connected from the same source internet address. A client will get an -+error message if they go over this limit. 
-+ -+Default: 0 (unlimited) -+.TP -+.B pasv_max_port -+The maximum port to allocate for PASV style data connections. Can be used to -+specify a narrow port range to assist firewalling. -+ -+Default: 0 (use any port) -+.TP -+.B pasv_min_port -+The minimum port to allocate for PASV style data connections. Can be used to -+specify a narrow port range to assist firewalling. -+ -+Default: 0 (use any port) -+.TP -+.B trans_chunk_size -+You probably don't want to change this, but try setting it to something like -+8192 for a much smoother bandwidth limiter. -+ -+Default: 0 (let vsftpd pick a sensible setting) -+ -+.SH STRING OPTIONS -+Below is a list of string options. -+ -+.TP -+.B anon_root -+This option represents a directory which vsftpd will try to change into -+after an anonymous login. Failure is silently ignored. -+ -+Default: (none) -+.TP -+.B banned_email_file -+This option is the name of a file containing a list of anonymous e-mail -+passwords which are not permitted. This file is consulted if the option -+.BR deny_email_enable -+is enabled. -+ -+Default: /etc/vsftpd.banned_emails -+.TP -+.B banner_file -+This option is the name of a file containing text to display when someone -+connects to the server. If set, it overrides the banner string provided by -+the -+.BR ftpd_banner -+option. -+ -+Default: (none) -+.TP -+.B ca_certs_file -+This option is the name of a file to load Certificate Authority certs from, for -+the purpose of validating client certs. Regrettably, the default SSL CA cert -+paths are not used, because of vsftpd's use of restricted filesystem spaces -+(chroot). (Added in v2.0.6). -+ -+Default: (none) -+.TP -+.B chown_username -+This is the name of the user who is given ownership of anonymously uploaded -+files. This option is only relevant if another option, -+.BR chown_uploads , -+is set. 
-+
-+Default: root
-+.TP
-+.B chroot_list_file
-+The option is the name of a file containing a list of local users which
-+will be placed in a chroot() jail in their home directory. This option is
-+only relevant if the option
-+.BR chroot_list_enable
-+is enabled. If the option
-+.BR chroot_local_user
-+is enabled, then the list file becomes a list of users to NOT place in a
-+chroot() jail.
-+
-+Default: /etc/vsftpd.chroot_list
-+.TP
-+.B cmds_allowed
-+This options specifies a comma separated list of allowed FTP commands (post
-+login. USER, PASS and QUIT are always allowed pre-login). Other
-+commands are rejected. This is a powerful method of really locking down an
-+FTP server. Example: cmds_allowed=PASV,RETR,QUIT
-+
-+Default: (none)
-+.TP
-+.B deny_file
-+This option can be used to set a pattern for filenames (and directory names
-+etc.) which should not be accessible in any way. The affected items are not
-+hidden, but any attempt to do anything to them (download, change into
-+directory, affect something within directory etc.) will be denied. This option
-+is very simple, and should not be used for serious access control - the
-+filesystem's permissions should be used in preference. However, this option
-+may be useful in certain virtual user setups. In particular aware that if
-+a filename is accessible by a variety of names (perhaps due to symbolic
-+links or hard links), then care must be taken to deny access to all the names.
-+Access will be denied to items if their name contains the string given by
-+hide_file, or if they match the regular expression specified by hide_file.
-+Note that vsftpd's regular expression matching code is a simple implementation
-+which is a subset of full regular expression functionality. Because of this,
-+you will need to carefully and exhaustively test any application of this
-+option. And you are recommended to use filesystem permissions for any
-+important security policies due to their greater reliability. Supported
-+regex syntax is any number of *, ? and unnested {,} operators. Regex
-+matching is only supported on the last component of a path, e.g. a/b/? is
-+supported but a/?/c is not.
-+Example: deny_file={*.mp3,*.mov,.private}
-+
-+Default: (none)
-+.TP
-+.B dsa_cert_file
-+This option specifies the location of the DSA certificate to use for SSL
-+encrypted connections.
-+
-+Default: (none - an RSA certificate suffices)
-+.TP
-+.B dsa_private_key_file
-+This option specifies the location of the DSA private key to use for SSL
-+encrypted connections. If this option is not set, the private key is expected
-+to be in the same file as the certificate.
-+
-+Default: (none)
-+.TP
-+.B email_password_file
-+This option can be used to provide an alternate file for usage by the
-+.BR secure_email_list_enable
-+setting.
-+
-+Default: /etc/vsftpd.email_passwords
-+.TP
-+.B ftp_username
-+This is the name of the user we use for handling anonymous FTP. The home
-+directory of this user is the root of the anonymous FTP area.
-+
-+Default: ftp
-+.TP
-+.B ftpd_banner
-+This string option allows you to override the greeting banner displayed
-+by vsftpd when a connection first comes in.
-+
-+Default: (none - default vsftpd banner is displayed)
-+.TP
-+.B guest_username
-+See the boolean setting
-+.BR guest_enable
-+for a description of what constitutes a guest login. This setting is the
-+real username which guest users are mapped to.
-+
-+Default: ftp
-+.TP
-+.B hide_file
-+This option can be used to set a pattern for filenames (and directory names
-+etc.) which should be hidden from directory listings. Despite being hidden,
-+the files / directories etc. are fully accessible to clients who know what
-+names to actually use. Items will be hidden if their names contain the string
-+given by hide_file, or if they match the regular expression specified by
-+hide_file. Note that vsftpd's regular expression matching code is a simple
-+implementation which is a subset of full regular expression functionality.
-+See
-+.BR deny_file
-+for details of exactly what regex syntax is supported.
-+Example: hide_file={*.mp3,.hidden,hide*,h?}
-+
-+Default: (none)
-+.TP
-+.B listen_address
-+If vsftpd is in standalone mode, the default listen address (of all local
-+interfaces) may be overridden by this setting. Provide a numeric IP address.
-+
-+Default: (none)
-+.TP
-+.B listen_address6
-+Like listen_address, but specifies a default listen address for the IPv6
-+listener (which is used if listen_ipv6 is set). Format is standard IPv6
-+address format.
-+
-+Default: (none)
-+.TP
-+.B local_root
-+This option represents a directory which vsftpd will try to change into
-+after a local (i.e. non-anonymous) login. Failure is silently ignored.
-+
-+Default: (none)
-+.TP
-+.B message_file
-+This option is the name of the file we look for when a new directory is
-+entered. The contents are displayed to the remote user. This option is
-+only relevant if the option
-+.BR dirmessage_enable
-+is enabled.
-+
-+Default: .message
-+.TP
-+.B nopriv_user
-+This is the name of the user that is used by vsftpd when it wants to be
-+totally unprivileged. Note that this should be a dedicated user, rather
-+than nobody. The user nobody tends to be used for rather a lot of important
-+things on most machines.
-+
-+Default: nobody
-+.TP
-+.B pam_service_name
-+This string is the name of the PAM service vsftpd will use.
-+
-+Default: ftp
-+.TP
-+.B pasv_address
-+Use this option to override the IP address that vsftpd will advertise in
-+response to the PASV command. Provide a numeric IP address, unless
-+.BR pasv_addr_resolve
-+is enabled, in which case you can provide a hostname which will be DNS
-+resolved for you at startup.
-+
-+Default: (none - the address is taken from the incoming connected socket)
-+.TP
-+.B rsa_cert_file
-+This option specifies the location of the RSA certificate to use for SSL
-+encrypted connections.
-+
-+Default: /usr/share/ssl/certs/vsftpd.pem
-+.TP
-+.B rsa_private_key_file
-+This option specifies the location of the RSA private key to use for SSL
-+encrypted connections. If this option is not set, the private key is expected
-+to be in the same file as the certificate.
-+
-+Default: (none)
-+.TP
-+.B secure_chroot_dir
-+This option should be the name of a directory which is empty. Also, the
-+directory should not be writable by the ftp user. This directory is used
-+as a secure chroot() jail at times vsftpd does not require filesystem access.
-+
-+Default: /usr/share/empty
-+.TP
-+.B ssl_ciphers
-+This option can be used to select which SSL ciphers vsftpd will allow for
-+encrpyted SSL connections. See the
-+.BR ciphers
-+man page for further details. Note that restricting ciphers can be a useful
-+security precaution as it prevents malicious remote parties forcing a cipher
-+which they have found problems with.
-+
-+Default: DES-CBC3-SHA
-+.TP
-+.B user_config_dir
-+This powerful option allows the override of any config option specified in
-+the manual page, on a per-user basis. Usage is simple, and is best illustrated
-+with an example. If you set
-+.BR user_config_dir
-+to be
-+.BR /etc/vsftpd_user_conf
-+and then log on as the user "chris", then vsftpd will apply the settings in
-+the file
-+.BR /etc/vsftpd_user_conf/chris
-+for the duration of the session. The format of this file is as detailed in
-+this manual page! PLEASE NOTE that not all settings are effective on a
-+per-user basis. For example, many settings only prior to the user's session
-+being started. Examples of settings which will not affect any behviour on
-+a per-user basis include listen_address, banner_file, max_per_ip, max_clients,
-+xferlog_file, etc.
-+
-+Default: (none)
-+.TP
-+.B user_sub_token
-+This option is useful is conjunction with virtual users. It is used to
-+automatically generate a home directory for each virtual user, based on a
-+template. For example, if the home directory of the real user specified via
-+.BR guest_username
-+is
-+.BR /home/virtual/$USER ,
-+and
-+.BR user_sub_token
-+is set to
-+.BR $USER ,
-+then when virtual user fred logs in, he will end up (usually chroot()'ed) in
-+the directory
-+.BR /home/virtual/fred .
-+This option also takes affect if
-+.BR local_root
-+contains
-+.BR user_sub_token .
-+
-+Default: (none)
-+.TP
-+.B userlist_file
-+This option is the name of the file loaded when the
-+.BR userlist_enable
-+option is active.
-+
-+Default: /etc/vsftpd.user_list
-+.TP
-+.B vsftpd_log_file
-+This option is the name of the file to which we write the vsftpd style
-+log file. This log is only written if the option
-+.BR xferlog_enable
-+is set, and
-+.BR xferlog_std_format
-+is NOT set. Alternatively, it is written if you have set the option
-+.BR dual_log_enable .
-+One further complication - if you have set
-+.BR syslog_enable ,
-+then this file is not written and output is sent to the system log instead.
-+
-+Default: /var/log/vsftpd.log
-+.TP
-+.B xferlog_file
-+This option is the name of the file to which we write the wu-ftpd style
-+transfer log. The transfer log is only written if the option
-+.BR xferlog_enable
-+is set, along with
-+.BR xferlog_std_format .
-+Alternatively, it is written if you have set the option
-+.BR dual_log_enable .
-+
-+Default: /var/log/xferlog
-+
-+.SH AUTHOR
-+scarybeasts@gmail.com
-+