From e2edfce7a8ce61b769136b766b0611cd85d35483 Mon Sep 17 00:00:00 2001 From: coolsnowwolf Date: Mon, 8 Oct 2018 17:24:51 +0800 Subject: [PATCH] re-add vsftpd and luci --- package/lean/luci-app-vsftpd/Makefile | 17 ++ .../luasrc/controller/vsftpd.lua | 47 ++++ .../luasrc/model/cbi/vsftpd/anonymous.lua | 44 +++ .../luasrc/model/cbi/vsftpd/general.lua | 114 ++++++++ .../luasrc/model/cbi/vsftpd/item.lua | 70 +++++ .../luasrc/model/cbi/vsftpd/log.lua | 29 ++ .../luasrc/model/cbi/vsftpd/users.lua | 54 ++++ .../lean/luci-app-vsftpd/po/zh-cn/vsftpd.po | 229 ++++++++++++++++ .../root/etc/uci-defaults/luci-vsftpd | 11 + package/lean/vsftpd-alt/Makefile | 113 ++++++++ package/lean/vsftpd-alt/files/vsftpd-uci.init | 14 + package/lean/vsftpd-alt/files/vsftpd.conf | 30 +++ package/lean/vsftpd-alt/files/vsftpd.init | 13 + package/lean/vsftpd-alt/files/vsftpd.uci | 50 ++++ package/lean/vsftpd-alt/files/vsftpd_prepare | 253 ++++++++++++++++++ package/lean/vsftpd-alt/files/vsftpd_wrapper | 49 ++++ .../lean/vsftpd-alt/patches/001-destdir.patch | 47 ++++ .../vsftpd-alt/patches/002-find_libs.patch | 13 + .../lean/vsftpd-alt/patches/003-chroot.patch | 11 + .../patches/004-disable-capabilities.patch | 12 + .../vsftpd-alt/patches/005-disable-pam.patch | 11 + .../patches/006-musl-compatibility.patch | 13 + .../patches/007-CVE-2015-1419.patch | 98 +++++++ .../patches/100-add-uci-auth-support.patch | 127 +++++++++ .../101-enable-chroot-on-writable-dir.patch | 14 + .../patches/102-keep-local-user-rights.patch | 11 + 26 files changed, 1494 insertions(+) create mode 100644 package/lean/luci-app-vsftpd/Makefile create mode 100644 package/lean/luci-app-vsftpd/luasrc/controller/vsftpd.lua create mode 100644 package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/anonymous.lua create mode 100644 package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/general.lua create mode 100644 package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/item.lua create mode 100644 package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/log.lua create mode 100644 package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/users.lua create mode 100644 package/lean/luci-app-vsftpd/po/zh-cn/vsftpd.po create mode 100755 package/lean/luci-app-vsftpd/root/etc/uci-defaults/luci-vsftpd create mode 100644 package/lean/vsftpd-alt/Makefile create mode 100644 package/lean/vsftpd-alt/files/vsftpd-uci.init create mode 100644 package/lean/vsftpd-alt/files/vsftpd.conf create mode 100644 package/lean/vsftpd-alt/files/vsftpd.init create mode 100644 package/lean/vsftpd-alt/files/vsftpd.uci create mode 100755 package/lean/vsftpd-alt/files/vsftpd_prepare create mode 100755 package/lean/vsftpd-alt/files/vsftpd_wrapper create mode 100644 package/lean/vsftpd-alt/patches/001-destdir.patch create mode 100644 package/lean/vsftpd-alt/patches/002-find_libs.patch create mode 100644 package/lean/vsftpd-alt/patches/003-chroot.patch create mode 100644 package/lean/vsftpd-alt/patches/004-disable-capabilities.patch create mode 100644 package/lean/vsftpd-alt/patches/005-disable-pam.patch create mode 100644 package/lean/vsftpd-alt/patches/006-musl-compatibility.patch create mode 100644 package/lean/vsftpd-alt/patches/007-CVE-2015-1419.patch create mode 100644 package/lean/vsftpd-alt/patches/100-add-uci-auth-support.patch create mode 100644 package/lean/vsftpd-alt/patches/101-enable-chroot-on-writable-dir.patch create mode 100644 package/lean/vsftpd-alt/patches/102-keep-local-user-rights.patch diff --git a/package/lean/luci-app-vsftpd/Makefile b/package/lean/luci-app-vsftpd/Makefile new file mode 100644 index 000000000..97d181f01 --- /dev/null +++ b/package/lean/luci-app-vsftpd/Makefile @@ -0,0 +1,17 @@ +# Copyright (C) 2016 Openwrt.org +# +# This is free software, licensed under the Apache License, Version 2.0 . +# + +include $(TOPDIR)/rules.mk + +LUCI_TITLE:=LuCI support for VSFTPD +LUCI_DEPENDS:=+vsftpd-alt +LUCI_PKGARCH:=all +PKG_VERSION:=1.0 +PKG_RELEASE:=2 + +include $(TOPDIR)/feeds/luci/luci.mk + +# call BuildPackage - OpenWrt buildroot signature + diff --git a/package/lean/luci-app-vsftpd/luasrc/controller/vsftpd.lua b/package/lean/luci-app-vsftpd/luasrc/controller/vsftpd.lua new file mode 100644 index 000000000..de44711dc --- /dev/null +++ b/package/lean/luci-app-vsftpd/luasrc/controller/vsftpd.lua @@ -0,0 +1,47 @@ +--[[ +LuCI - Lua Configuration Interface + +Copyright 2016 Weijie Gao + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +$Id$ +]]-- + +require("luci.sys") + +module("luci.controller.vsftpd", package.seeall) + +function index() + if not nixio.fs.access("/etc/config/vsftpd") then + return + end + + entry({"admin", "nas"}, firstchild(), "NAS", 44).dependent = false + entry({"admin", "nas", "vsftpd"}, + alias("admin", "nas", "vsftpd", "general"), + _("FTP Server")) + + entry({"admin", "nas", "vsftpd", "general"}, + cbi("vsftpd/general"), + _("General Settings"), 10).leaf = true + + entry({"admin", "nas", "vsftpd", "users"}, + cbi("vsftpd/users"), + _("Virtual Users"), 20).leaf = true + + entry({"admin", "nas", "vsftpd", "anonymous"}, + cbi("vsftpd/anonymous"), + _("Anonymous User"), 30).leaf = true + + entry({"admin", "nas", "vsftpd", "log"}, + cbi("vsftpd/log"), + _("Log Settings"), 40).leaf = true + + entry({"admin", "nas", "vsftpd", "item"}, + cbi("vsftpd/item"), nil).leaf = true +end diff --git a/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/anonymous.lua b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/anonymous.lua new file mode 100644 index 000000000..3ebbb4ba9 --- /dev/null +++ b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/anonymous.lua @@ -0,0 +1,44 @@ +--[[ +LuCI - Lua Configuration Interface + +Copyright 2016 Weijie Gao + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +$Id$ +]]-- + +m = Map("vsftpd", translate("FTP Server - Anonymous Settings")) + +sa = m:section(NamedSection, "anonymous", "anonymous", translate("Anonymous Settings")) + +o = sa:option(Flag, "enabled", translate("Enabled")) +o.default = false + +o = sa:option(Value, "username", translate("Username"), translate("An actual local user to handle anonymous user")) +o.default = "ftp" + +o = sa:option(Value, "root", translate("Root directory")) +o.default = "/home/ftp" + +o = sa:option(Value, "umask", translate("File mode umask")) +o.default = "022" + +o = sa:option(Value, "maxrate", translate("Max transmit rate"), translate("0 means no limitation")) +o.default = "0" + +o = sa:option(Flag, "writemkdir", translate("Enable write/mkdir")) +o.default = false + +o = sa:option(Flag, "upload", translate("Enable upload")) +o.default = false + +o = sa:option(Flag, "others", translate("Enable other rights"), translate("Include rename, deletion ...")) +o.default = false + + +return m diff --git a/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/general.lua b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/general.lua new file mode 100644 index 000000000..74dbcad6e --- /dev/null +++ b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/general.lua @@ -0,0 +1,114 @@ +--[[ +LuCI - Lua Configuration Interface + +Copyright 2016 Weijie Gao + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +$Id$ +]]-- + +m = Map("vsftpd", translate("FTP Server - General Settings")) + +sl = m:section(NamedSection, "listen", "listen", translate("Listening Settings")) + +o = sl:option(Flag, "enable4", translate("Enable IPv4")) +o.rmempty = false +o.default = true + +o = sl:option(Value, "ipv4", translate("IPv4 Address")) +o.datatype = "ip4addr" +o.default = "0.0.0.0" + +o = sl:option(Flag, "enable6", translate("Enable IPv6")) +o.rmempty = false + +o = sl:option(Value, "ipv6", translate("IPv6 Address")) +o.datatype = "ip6addr" +o.default = "::" + +o = sl:option(Value, "port", translate("Listen Port")) +o.datatype = "uinteger" +o.default = "21" + +o = sl:option(Value, "dataport", translate("Data Port")) +o.datatype = "uinteger" +o.default = "20" + + +sg = m:section(NamedSection, "global", "global", translate("Global Settings")) + +o = sg:option(Flag, "write", translate("Enable write"), translate("When disabled, all write request will give permission denied.")); +o.default = true + +o = sg:option(Flag, "download", translate("Enable download"), translate("When disabled, all download request will give permission denied.")); +o.default = true + +o = sg:option(Flag, "dirlist", translate("Enable directory list"), translate("When disabled, list commands will give permission denied.")) +o.default = true + +o = sg:option(Flag, "lsrecurse", translate("Allow directory recursely list")) + +o = sg:option(Flag, "dotfile", translate("Show dot files"), translate(". and .. are excluded.")); +o.default = true + +o = sg:option(Value, "umask", translate("File mode umask"), translate("Uploaded file mode will be 666 - <umask>; directory mode will be 777 - <umask>.")) +o.default = "022" + +o = sg:option(Value, "banner", translate("FTP Banner")) + +o = sg:option(Flag, "dirmessage", translate("Enable directory message"), translate("A message will be displayed when entering a directory.")) + +o = sg:option(Value, "dirmsgfile", translate("Directory message filename")) +o.default = ".message" + + +sl = m:section(NamedSection, "local", "local", translate("Local Users")) + +o = sl:option(Flag, "enabled", translate("Enable local user")) +o.rmempty = false + +o = sl:option(Value, "root", translate("Root directory"), translate("Leave empty will use user's home directory")) +o.default = "" + + +sc = m:section(NamedSection, "connection", "connection", translate("Connection Settings")) + +o = sc:option(Flag, "portmode", translate("Enable PORT mode")) +o = sc:option(Flag, "pasvmode", translate("Enable PASV mode")) + +o = sc:option(ListValue, "ascii", translate("ASCII mode")) +o:value("disabled", translate("Disabled")) +o:value("download", translate("Download only")) +o:value("upload", translate("Upload only")) +o:value("both", translate("Both download and upload")) +o.default = "both" + +o = sc:option(Value, "idletimeout", translate("Idle session timeout"), translate("in seconds")) +o.datatype = "uinteger" +o.default = "1800" +o = sc:option(Value, "conntimeout", translate("Connection timeout"), translate("in seconds")) +o.datatype = "uinteger" +o.default = "120" +o = sc:option(Value, "dataconntimeout", translate("Data connection timeout"), translate("in seconds")) +o.datatype = "uinteger" +o.default = "120" +o = sc:option(Value, "maxclient", translate("Max clients"), translate("0 means no limitation")) +o.datatype = "uinteger" +o.default = "0" +o = sc:option(Value, "maxperip", translate("Max clients per IP"), translate("0 means no limitation")) +o.datatype = "uinteger" +o.default = "0" +o = sc:option(Value, "maxrate", translate("Max transmit rate"), translate("in KB/s, 0 means no limitation")) +o.datatype = "uinteger" +o.default = "0" +o = sc:option(Value, "maxretry", translate("Max login fail count"), translate("Can not be zero, default is 3")) +o.datatype = "uinteger" +o.default = "3" + + +return m diff --git a/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/item.lua b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/item.lua new file mode 100644 index 000000000..2a0003c8b --- /dev/null +++ b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/item.lua @@ -0,0 +1,70 @@ +--[[ +LuCI - Lua Configuration Interface + +Copyright 2016 Weijie Gao + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +$Id$ +]]-- + +local sid = arg[1] +local utl = require "luci.util" + +m = Map("vsftpd", translate("FTP Server - Virtual User <new>")) + +m.redirect = luci.dispatcher.build_url("admin/nas/vsftpd/users") + +if m.uci:get("vsftpd", sid) ~= "user" then + luci.http.redirect(m.redirect) + return +end + +m.uci:foreach("vsftpd", "user", + function(s) + if s['.name'] == sid and s.username then + m.title = translatef("FTP Server - Virtual User %q", s.username) + return false + end + end) + +s = m:section(NamedSection, sid, "settings", translate("User Settings")) +s.addremove = false + +o = s:option(Value, "username", translate("Username")) +o.rmempty = false + +function o.validate(self, value) + if value == "" then + return nil, translate("Username cannot be empty") + end + return value +end + +o = s:option(Value, "password", translate("Password")) +o.password = true + +o = s:option(Value, "home", translate("Home directory")) +o.default = "/home/ftp" + +o = s:option(Value, "umask", translate("File mode umask")) +o.default = "022" + +o = s:option(Value, "maxrate", translate("Max transmit rate"), translate("0 means no limitation")) +o.default = "0" + +o = s:option(Flag, "writemkdir", translate("Enable write/mkdir")) +o.default = false + +o = s:option(Flag, "upload", translate("Enable upload")) +o.default = false + +o = s:option(Flag, "others", translate("Enable other rights"), translate("Include rename, deletion ...")) +o.default = false + + +return m diff --git a/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/log.lua b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/log.lua new file mode 100644 index 000000000..969ce817c --- /dev/null +++ b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/log.lua @@ -0,0 +1,29 @@ +--[[ +LuCI - Lua Configuration Interface + +Copyright 2016 Weijie Gao + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +$Id$ +]]-- + +m = Map("vsftpd", translate("FTP Server - Log Settings")) + +sl = m:section(NamedSection, "log", "log", translate("Log Settings")) + +o = sl:option(Flag, "syslog", translate("Enable syslog")) +o.default = false + +o = sl:option(Flag, "xreflog", translate("Enable file log")) +o.default = true + +o = sl:option(Value, "file", translate("Log file")) +o.default = "/var/log/vsftpd.log" + + +return m diff --git a/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/users.lua b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/users.lua new file mode 100644 index 000000000..2ffaf759d --- /dev/null +++ b/package/lean/luci-app-vsftpd/luasrc/model/cbi/vsftpd/users.lua @@ -0,0 +1,54 @@ +--[[ +LuCI - Lua Configuration Interface + +Copyright 2016 Weijie Gao + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +$Id$ +]]-- + +m = Map("vsftpd", translate("FTP Server - Virtual User Settings")) + +sv = m:section(NamedSection, "vuser", "vuser", translate("Settings")) + +o = sv:option(Flag, "enabled", translate("Enabled")) +o.default = false + +o = sv:option(Value, "username", translate("Username"), translate("An actual local user to handle virtual users")) +o.default = "ftp" + +s = m:section(TypedSection, "user", translate("User lists")) +s.template = "cbi/tblsection" +s.extedit = luci.dispatcher.build_url("admin/nas/vsftpd/item/%s") +s.addremove = true +s.anonymous = true + +function s.create(...) + local id = TypedSection.create(...) + luci.http.redirect(s.extedit % id) +end + +function s.remove(self, section) + return TypedSection.remove(self, section) +end + +o = s:option(DummyValue, "username", translate("Username")) +function o.cfgvalue(...) + local v = Value.cfgvalue(...) or ("<%s>" % translate("Unknown")) + return v +end +o.rmempty = false + +o = s:option(DummyValue, "home", translate("Home directory")) +function o.cfgvalue(...) + local v = Value.cfgvalue(...) or ("/home/ftp") + return v +end +o.rmempty = false + +return m diff --git a/package/lean/luci-app-vsftpd/po/zh-cn/vsftpd.po b/package/lean/luci-app-vsftpd/po/zh-cn/vsftpd.po new file mode 100644 index 000000000..f8e3ba64a --- /dev/null +++ b/package/lean/luci-app-vsftpd/po/zh-cn/vsftpd.po @@ -0,0 +1,229 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2016-02-17 18:00+0800\n"\ +"Last-Translator: Weijie Gao \n" +"Language-Team: \n" +"Language: zh_CN\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" +"X-Generator: Pootle 2.0.6\n" + +msgid "NAS" +msgstr "网络存储" + +msgid ". and .. are excluded." +msgstr ". 和 .. 将被忽略。" + +msgid "0 means no limitation" +msgstr "0 表明不限制" + +msgid "A message will be displayed when entering a directory." +msgstr "在进入一个新目录时将显示的消息" + +msgid "ASCII mode" +msgstr "ASCII 模式" + +msgid "Allow directory recursely list" +msgstr "允许递归列目录" + +msgid "An actual local user to handle anonymous user" +msgstr "承载匿名用户的本地用户" + +msgid "An actual local user to handle virtual users" +msgstr "承载虚拟用户的本地用户" + +msgid "Anonymous Settings" +msgstr "匿名用户设置" + +msgid "Anonymous User" +msgstr "匿名用户" + +msgid "Both download and upload" +msgstr "下载和上传" + +msgid "Can not be zero, default is 3" +msgstr "不能为 0,默认为 3" + +msgid "Connection Settings" +msgstr "连接设置" + +msgid "Connection timeout" +msgstr "连接超时" + +msgid "Data Port" +msgstr "数据端口" + +msgid "Data connection timeout" +msgstr "数据连接超时" + +msgid "Directory message filename" +msgstr "目录消息文件名" + +msgid "Download only" +msgstr "仅下载" + +msgid "Enable IPv4" +msgstr "启用 IPv4" + +msgid "Enable IPv6" +msgstr "启用 IPv6" + +msgid "Enable PASV mode" +msgstr "启用 PASV 模式" + +msgid "Enable PORT mode" +msgstr "启用 PORT 模式" + +msgid "Enable directory list" +msgstr "允许列目录" + +msgid "Enable directory message" +msgstr "启用目录消息" + +msgid "Enable download" +msgstr "允许下载" + +msgid "Enable file log" +msgstr "启用文件日志" + +msgid "Enable local user" +msgstr "启用本地用户" + +msgid "Enable other rights" +msgstr "允许其它权限" + +msgid "Enable syslog" +msgstr "启用系统日志" + +msgid "Enable upload" +msgstr "允许上传" + +msgid "Enable write" +msgstr "允许写" + +msgid "Enable write/mkdir" +msgstr "允许写/创建目录" + +msgid "FTP Banner" +msgstr "FTP 欢迎提示" + +msgid "FTP Server" +msgstr "FTP 服务器" + +msgid "FTP Server - Anonymous Settings" +msgstr "FTP 服务器 - 匿名用户设置" + +msgid "FTP Server - General Settings" +msgstr "FTP 服务器 - 常规设置" + +msgid "FTP Server - Log Settings" +msgstr "FTP 服务器 - 日志设置" + +msgid "FTP Server - Virtual User %q" +msgstr "FTP 服务器 - 虚拟用户 %q" + +msgid "FTP Server - Virtual User <new>" +msgstr "FTP 服务器 - 虚拟用户 <新用户>" + +msgid "FTP Server - Virtual User Settings" +msgstr "FTP 服务器 - 虚拟用户设置" + +msgid "File mode umask" +msgstr "文件权限掩码" + +msgid "General Settings" +msgstr "常规设置" + +msgid "Global Settings" +msgstr "全局设置" + +msgid "Home directory" +msgstr "主目录" + +msgid "IPv4 Address" +msgstr "IPv4 地址" + +msgid "IPv6 Address" +msgstr "IPv6 地址" + +msgid "Idle session timeout" +msgstr "空闲回话超时" + +msgid "Include rename, deletion ..." +msgstr "包括重命名、删除 ..." + +msgid "Leave empty will use user's home directory" +msgstr "留空将使用用户主目录" + +msgid "Listen Port" +msgstr "监听端口" + +msgid "Listening Settings" +msgstr "监听设置" + +msgid "Local Users" +msgstr "本地用户" + +msgid "Log Settings" +msgstr "日志设置" + +msgid "Log file" +msgstr "日志文件" + +msgid "Max clients" +msgstr "最大连接数" + +msgid "Max clients per IP" +msgstr "同一 IP 的最大连接数" + +msgid "Max login fail count" +msgstr "最大登录尝试数" + +msgid "Max transmit rate" +msgstr "最大传输速率" + +msgid "Root directory" +msgstr "根目录" + +msgid "Settings" +msgstr "设置" + +msgid "Show dot files" +msgstr "显示以点开头的文件 (隐藏文件)" + +msgid "Upload only" +msgstr "仅上传" + +msgid "Uploaded file mode will be 666 - <umask>; directory mode will be 777 - <umask>." +msgstr "上传的文件权限将被设置为 666 - <掩码>;目录权限将被设置为 777 - <掩码>。" + +msgid "User Settings" +msgstr "用户设置" + +msgid "User lists" +msgstr "用户列表" + +msgid "Username cannot be empty" +msgstr "用户名不能为空" + +msgid "When disabled, all download request will give permission denied." +msgstr "如果禁止,所有的下载请求都将被拒绝。" + +msgid "When disabled, all write request will give permission denied." +msgstr "如果禁止,所有的写类型请求都将被拒绝。" + +msgid "When disabled, list commands will give permission denied." +msgstr "如果禁止,列目录命令将被拒绝。" + +msgid "Virtual Users" +msgstr "虚拟用户" + +msgid "in seconds" +msgstr "单位为秒" + +msgid "in KB/s, 0 means no limitation" +msgstr "单位为 KB/s,0 表明不限制" diff --git a/package/lean/luci-app-vsftpd/root/etc/uci-defaults/luci-vsftpd b/package/lean/luci-app-vsftpd/root/etc/uci-defaults/luci-vsftpd new file mode 100755 index 000000000..aa2f71a36 --- /dev/null +++ b/package/lean/luci-app-vsftpd/root/etc/uci-defaults/luci-vsftpd @@ -0,0 +1,11 @@ +#!/bin/sh + +uci -q batch <<-EOF >/dev/null + delete ucitrack.@vsftpd[-1] + add ucitrack vsftpd + set ucitrack.@vsftpd[-1].init=vsftpd + commit ucitrack +EOF + +rm -f /tmp/luci-vsftpd +exit 0 diff --git a/package/lean/vsftpd-alt/Makefile b/package/lean/vsftpd-alt/Makefile new file mode 100644 index 000000000..d94026d85 --- /dev/null +++ b/package/lean/vsftpd-alt/Makefile @@ -0,0 +1,113 @@ +# +# Copyright (C) 2006-2014 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=vsftpd-alt +PKG_VERSION:=3.0.3 +PKG_RELEASE:=5 + +PKG_SOURCE:=vsftpd-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://security.appspot.com/downloads/ +PKG_MD5SUM:=da119d084bd3f98664636ea05b5bb398 +PKG_LICENSE:=GPLv2 + +BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) +PKG_BUILD_DIR:=$(BUILD_DIR)/vsftpd-$(PKG_VERSION) + +include $(INCLUDE_DIR)/package.mk + +define Package/vsftpd-alt/Default + SUBMENU:=File Transfer + SECTION:=net + CATEGORY:=Network + TITLE:=A fast and secure FTP server (with aio support) + URL:=http://vsftpd.beasts.org/ + MAINTAINER:=Cezary Jackiewicz + DEPENDS=+libuci + #+PACKAGE_libpam:libpam +endef + +define Package/vsftpd-alt/conffiles +/etc/vsftpd.conf +endef + +#EXTRA_LDFLAGS:= -lcrypt -lcrypto -lssl + +define Package/vsftpd-alt/config +config VSFTPD_USE_UCI_SCRIPTS + bool "Uses UCI scripts" + depends on PACKAGE_vsftpd-alt + default y +#config VSFTPD_ENABLE_AIO +# bool "Enable async I/O (Currently Buggy)" +# depends on PACKAGE_vsftpd-alt +# default n +endef + +ifneq ($(CONFIG_USE_MUSL),) + NLSSTRING:=-lcrypt +else + NLSSTRING:=-lcrypt -lnsl +endif + +TARGET_CFLAGS += -D_GNU_SOURCE -include fcntl.h + +#ifdef CONFIG_PACKAGE_libpam +# EXTRA_LDFLAGS += -lpam +#endif + +#ifeq ($(CONFIG_VSFTPD_ENABLE_AIO),y) +#define Package/vsftpd-alt +#$(call Package/vsftpd-alt/Default) +# DEPENDS=+PACKAGE_libpam:libpam +libopenssl +libuci +libaio +#endef +# EXTRA_LDFLAGS += -laio +# EXTRA_CFLAGS += -DVSFTPD_ASYNC_IO +#else +define Package/vsftpd-alt +$(call Package/vsftpd-alt/Default) +endef +#endif + + +define Build/Compile + $(SED) 's/-lcrypt -lnsl/$(NLSSTRING)/' $(PKG_BUILD_DIR)/Makefile + $(MAKE) -C $(PKG_BUILD_DIR) \ + CC="$(TARGET_CC)" \ + CFLAGS="$(TARGET_CFLAGS)" \ + LDFLAGS="$(TARGET_LDFLAGS)" \ + vsftpd +endef + +ifeq ($(CONFIG_VSFTPD_USE_UCI_SCRIPTS),y) +define Package/vsftpd-alt/install +$(call Package/vsftpd-alt/install/default, $(1)) + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_DIR) $(1)/etc/config +ifdef CONFIG_PACKAGE_libpam + $(INSTALL_DIR) $(1)/etc/pam.d +endif + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/vsftpd $(1)/usr/sbin + $(INSTALL_BIN) ./files/vsftpd-uci.init $(1)/etc/init.d/vsftpd + $(INSTALL_BIN) ./files/vsftpd.uci $(1)/etc/config/vsftpd + $(INSTALL_BIN) ./files/vsftpd_wrapper $(1)/usr/sbin + $(INSTALL_BIN) ./files/vsftpd_prepare $(1)/usr/sbin +endef +else +define Package/vsftpd-alt/install +$(call Package/vsftpd-alt/install/default, $(1)) + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_CONF) ./files/vsftpd.conf $(1)/etc/vsftpd.conf + $(INSTALL_BIN) ./files/vsftpd.init $(1)/etc/init.d/vsftpd + $(INSTALL_BIN) $(PKG_BUILD_DIR)/vsftpd $(1)/usr/sbin +endef +endif + +$(eval $(call BuildPackage,vsftpd-alt)) diff --git a/package/lean/vsftpd-alt/files/vsftpd-uci.init b/package/lean/vsftpd-alt/files/vsftpd-uci.init new file mode 100644 index 000000000..a5af8b79b --- /dev/null +++ b/package/lean/vsftpd-alt/files/vsftpd-uci.init @@ -0,0 +1,14 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2006-2011 OpenWrt.org + +START=50 + +start() { + /usr/sbin/vsftpd_prepare + service_start /usr/sbin/vsftpd_wrapper ipv4 + service_start /usr/sbin/vsftpd_wrapper ipv6 +} + +stop() { + service_stop /usr/sbin/vsftpd +} diff --git a/package/lean/vsftpd-alt/files/vsftpd.conf b/package/lean/vsftpd-alt/files/vsftpd.conf new file mode 100644 index 000000000..7d46506e9 --- /dev/null +++ b/package/lean/vsftpd-alt/files/vsftpd.conf @@ -0,0 +1,30 @@ +background=YES +listen=YES +anonymous_enable=NO +local_enable=YES +write_enable=YES +local_umask=022 +check_shell=NO +#dirmessage_enable=YES +#ftpd_banner=Welcome to blah FTP service. +session_support=NO +#syslog_enable=YES +#userlist_enable=YES +#userlist_deny=NO +#userlist_file=/etc/vsftpd.users +#xferlog_enable=YES +#xferlog_file=/var/log/vsftpd.log +#xferlog_std_format=YES +### +### TLS/SSL options +### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/config/vsftpd_privkey.pem -out /etc/config/vsftpd_cert.pem -subj /C="DE"/ST="Saxony"/L="Leipzig"/CN="OpenWrt" +#ssl_enable=YES +#allow_anon_ssl=NO +#force_local_data_ssl=NO +#force_local_logins_ssl=NO +#ssl_tlsv1=YES +#ssl_sslv2=NO +#ssl_sslv3=NO +#rsa_cert_file=/etc/config/vsftpd_cert.pem +#rsa_private_key_file=/etc/config/vsftpd_privkey.pem + diff --git a/package/lean/vsftpd-alt/files/vsftpd.init b/package/lean/vsftpd-alt/files/vsftpd.init new file mode 100644 index 000000000..ad3e23da5 --- /dev/null +++ b/package/lean/vsftpd-alt/files/vsftpd.init @@ -0,0 +1,13 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2006-2011 OpenWrt.org + +START=50 + +start() { + mkdir -m 0755 -p /var/run/vsftpd + service_start /usr/sbin/vsftpd +} + +stop() { + service_stop /usr/sbin/vsftpd +} diff --git a/package/lean/vsftpd-alt/files/vsftpd.uci b/package/lean/vsftpd-alt/files/vsftpd.uci new file mode 100644 index 000000000..e856c16dc --- /dev/null +++ b/package/lean/vsftpd-alt/files/vsftpd.uci @@ -0,0 +1,50 @@ + +config listen 'listen' + option enable4 '1' + option ipv4 '0.0.0.0' + option enable6 '0' + option ipv6 '::1' + option port '21' + option dataport '20' + +config local 'local' + option enabled '1' + +config global 'global' + option write '1' + option download '1' + option dotfile '0' + option umask '022' + option dirlist '1' + option dirmsgfile '.message' + +config connection 'connection' + option portmode '1' + option pasvmode '1' + option ascii 'both' + option idletimeout '1800' + option conntimeout '120' + option dataconntimeout '120' + option maxclient '0' + option maxperip '0' + option maxrate '0' + option maxretry '3' + +config anonymous 'anonymous' + option enabled '0' + option username 'ftp' + option root '/home/ftp' + option umask '022' + option writemkdir '0' + option upload '0' + option others '0' + option maxrate '0' + +config log 'log' + option syslog '0' + option xreflog '1' + option file '/var/log/vsftpd.log' + +config vuser 'vuser' + option enabled '0' + option username 'ftp' diff --git a/package/lean/vsftpd-alt/files/vsftpd_prepare b/package/lean/vsftpd-alt/files/vsftpd_prepare new file mode 100755 index 000000000..622671966 --- /dev/null +++ b/package/lean/vsftpd-alt/files/vsftpd_prepare @@ -0,0 +1,253 @@ +#!/bin/sh +# Copyright (C) 2005-2016 Weijie Gao + +. $IPKG_INSTROOT/lib/functions.sh + +output_field() +{ + local UCI_SECTION=$1 + local KEY=$2 + local INIFIELD=$3 + local DEFVALUE=$4 + local value + + if [ -z "$INIFIELD" ]; then INIFIELD=$KEY; fi + + config_get value "$UCI_SECTION" "$KEY" + if [ -z "$value" ]; then value=$DEFVALUE; fi + + echo "$INIFIELD=$value" >> $CONF +} + +output_bool() +{ + local UCI_SECTION=$1 + local KEY=$2 + local INIFIELD=$3 + local DEFVALUE=$4 + local value + + if [ -z "$INIFIELD" ]; then INIFIELD=$KEY; fi + + config_get value "$UCI_SECTION" "$KEY" + if [ -z "$value" ]; then value=$DEFVALUE; fi + if [ x"$value" != x0 ] && [ x"$value" != x1 ]; then value=0; fi + + if [ "$value" == 0 ]; then + value=NO + else + value=YES + fi + + echo "$INIFIELD=$value" >> $CONF +} + +output_const() +{ + local INIFIELD=$1 + local value=$2 + + echo "$INIFIELD=$value" >> $CONF +} + +get_value() +{ + local UCI_SECTION=$1 + local KEY=$2 + local value + + config_get value "$UCI_SECTION" "$KEY" + + echo $value +} + +vusers_iterate() +{ + local config=$1 + local name + local password + local owner + local home + local _umask + local maxrate + local write_enable + local upload_enable + local mkdir_enable + local others_enable + + config_get name "$config" username + config_get password "$config" password + config_get home "$config" home + config_get _umask "$config" "umask" + config_get maxrate "$config" maxrate + config_get write_enable "$config" writemkdir + config_get upload_enable "$config" upload + config_get others_enable "$config" others + + config_get owner "vuser" username + + rm -f $VUSER_CONF_DIR/$name + touch $VUSER_CONF_DIR/$name + + if [ -z $home ]; then home=$CHROOT_DIR; fi + + echo "local_root=$home" >> $VUSER_CONF_DIR/$name + + if [ x$write_enable = x1 ]; then write_enable=YES; else write_enable=NO; fi + if [ x$upload_enable = x1 ]; then upload_enable=YES; else upload_enable=NO; fi + if [ x$others_enable = x1 ]; then others_enable=YES; else others_enable=NO; fi + if [ -z $_umask ]; then _umask=022; fi + if [ -z $maxrate ]; then maxrate=0; fi + + echo "anon_world_readable_only=NO" >> $VUSER_CONF_DIR/$name + echo "anon_mkdir_write_enable=$write_enable" >> $VUSER_CONF_DIR/$name + echo "write_enable=$write_enable" >> $VUSER_CONF_DIR/$name + echo "anon_upload_enable=$upload_enable" >> $VUSER_CONF_DIR/$name + echo "anon_other_write_enable=$others_enable" >> $VUSER_CONF_DIR/$name + echo "anon_umask=$_umask" >> $VUSER_CONF_DIR/$name + echo "anon_max_rate=$maxrate" >> $VUSER_CONF_DIR/$name + + if ! [ -d "$home" ]; then + mkdir -p $home + chown $owner:$owner $home + chmod -R a+w $home + fi +} + +VAR=/var/run/vsftpd +CONF=$VAR/vsftpd.conf +VUSER_DB=$VAR/vusers +VUSER_CONF_DIR=$VAR/users +CHROOT_DIR=$VAR/empty + +rm -f $CONF +rm -rf $VUSER_CONF_DIR $CHROOT_DIR + +mkdir -m 0755 -p $VAR +mkdir -p $VUSER_CONF_DIR +mkdir -p $CHROOT_DIR + +config_load vsftpd + +# listen +output_const "background" YES +output_field listen port "listen_port" 21 +output_field listen dataport "ftp_data_port" 20 + +# global +output_bool global 'write' "write_enable" 1 +output_bool global download "download_enable" 1 +output_bool global dirlist "dirlist_enable" 1 +output_bool global lsrecurse "ls_recurse_enable" +output_bool global dotfile "force_dot_files" +output_field global 'umask' "local_umask" 022 + +ftpd_banner=`get_value global ftpd_banner` +if ! [ -z $ftpd_banner ]; then + output_const "ftpd_banner" $ftpd_banner +fi + +output_bool global dirmessage "dirmessage_enable" +output_field global dirmsgfile "message_file" ".message" + +# connection +output_bool connection portmode "port_enable" 1 +output_bool connection pasvmode "pasv_enable" 1 + +ascii_download_enable=NO +ascii_upload_enable=NO +case `get_value connection ascii` in +download) + ascii_download_enable=YES +;; +upload) + ascii_upload_enable=YES +;; +both) + ascii_download_enable=YES + ascii_upload_enable=YES +esac +output_const "ascii_download_enable" $ascii_download_enable +output_const "ascii_upload_enable" $ascii_upload_enable + +output_field connection idletimeout "idle_session_timeout" 1800 +output_field connection conntimeout "connect_timeout" 120 +output_field connection dataconntimeout "data_connection_timeout" 120 +output_field connection maxclient "max_clients" 0 +output_field connection maxperip "max_per_ip" 0 +output_field connection maxrate "local_max_rate" 0 + +max_login_fails=`get_value connection maxretry` +if [ -z $max_login_fails ] || [ $max_login_fails -lt 1 ]; then max_login_fails=3; fi +output_const "max_login_fails" $max_login_fails + +# anonymous +ftp_username=`get_value anonymous ftp_username` +if [ -z $ftp_username ]; then ftp_username="ftp"; fi +output_const "ftp_username" $ftp_username + +mkdir -m 0755 -p /home/$ftp_username +chown $ftp_username:$ftp_username /home/$ftp_username + +output_const "anon_world_readable_only" NO + +anon_enable=`get_value anonymous enabled` +if [ x$anon_enable = x1 ]; then + anon_root=`get_value anonymous root` + if [ -z $anon_root ]; then anon_root="/home/ftp"; fi + + output_const "anonymous_enable" YES + output_const "no_anon_password" YES + output_const "anon_root" $anon_root + output_field anonymous 'umask' "anon_umask" 022 + output_field anonymous maxrate "anon_max_rate" 0 + output_bool anonymous writemkdir "anon_mkdir_write_enable" 0 + output_bool anonymous upload "anon_upload_enable" 0 + output_bool anonymous others "anon_other_write_enable" 0 + + mkdir -p $anon_root + chown -R $ftp_username:$ftp_username $anon_root +else + output_const "anonymous_enable" NO +fi + +# log +output_bool log syslog "syslog_enable" 0 +output_bool log xreflog "xferlog_enable" 0 +output_field log 'file' "vsftpd_log_file" 0 + +# users +vuser_enabled=0 +if [ x`get_value vuser enabled` = x1 ]; then + vuser_enabled=1 + + output_const "guest_enable" YES + output_field vuser username "guest_username" ftp + + output_const "uci_config_name" vsftpd + output_const "user_config_dir" "/var/run/vsftpd/users" + + config_foreach vusers_iterate user +fi + +# local user +output_const "allow_writeable_chroot" YES +output_const "secure_chroot_dir" $CHROOT_DIR + +local_root=$(get_value 'local' root) +if ! [ -z $local_root ]; then + output_const "local_root" $local_root +fi + +local_enable=`get_value 'local' enabled` +if [ x$local_enable = x1 ]; then + output_const "local_enable" YES +else + if [ $vuser_enabled = 1 ]; then + output_const "local_enable" YES + else + output_const "local_enable" NO + fi +fi + +exit 0 diff --git a/package/lean/vsftpd-alt/files/vsftpd_wrapper b/package/lean/vsftpd-alt/files/vsftpd_wrapper new file mode 100755 index 000000000..73a2ef4ea --- /dev/null +++ b/package/lean/vsftpd-alt/files/vsftpd_wrapper @@ -0,0 +1,49 @@ +#!/bin/sh +# Copyright (C) 2005-2016 Weijie Gao + +. $IPKG_INSTROOT/lib/functions.sh + +VAR=/var/run/vsftpd +CONF=$VAR/vsftpd.conf +listen_addr= +enabled= +param="" +listen4= +listen6= +protocol=$1 + +config_load vsftpd + +if ! [ -f $CONF ]; then + echo "/usr/bin/vsftpd_prepare must be executed before this script" + exit 1 +fi + +case $protocol in +ipv6) + config_get enabled listen enable6 + + if [ x$enabled != x1 ]; then exit 0; fi + + config_get listen_addr listen ipv6 + param="6" + listen4="-olisten=NO" + listen6="-olisten_ipv6=YES" + + if [ -z $listen_addr ]; then listen_addr="::"; fi +;; +*) + config_get enabled listen enable4 + + if [ x$enabled != x1 ]; then exit 0; fi + + config_get listen_addr listen ipv4 + listen4="-olisten=YES" + listen6="-olisten_ipv6=NO" + + if [ -z $listen_addr ]; then listen_addr="0.0.0.0"; fi +esac + +exec /usr/sbin/vsftpd "-olisten_address${param}=${listen_addr}" ${listen4} ${listen6} $CONF + +exit 1 diff --git a/package/lean/vsftpd-alt/patches/001-destdir.patch b/package/lean/vsftpd-alt/patches/001-destdir.patch new file mode 100644 index 000000000..b0274ac86 --- /dev/null +++ b/package/lean/vsftpd-alt/patches/001-destdir.patch @@ -0,0 +1,47 @@ +--- a/Makefile ++++ b/Makefile +@@ -22,6 +22,8 @@ OBJS = main.o utility.o prelogin.o ftpcm + seccompsandbox.o + + ++DESTDIR = ++ + .c.o: + $(CC) -c $*.c $(CFLAGS) $(IFLAGS) + +@@ -29,21 +31,20 @@ vsftpd: $(OBJS) + $(CC) -o vsftpd $(OBJS) $(LINK) $(LDFLAGS) $(LIBS) + + install: +- if [ -x /usr/local/sbin ]; then \ +- $(INSTALL) -m 755 vsftpd /usr/local/sbin/vsftpd; \ +- else \ +- $(INSTALL) -m 755 vsftpd /usr/sbin/vsftpd; fi +- if [ -x /usr/local/man ]; then \ +- $(INSTALL) -m 644 vsftpd.8 /usr/local/man/man8/vsftpd.8; \ +- $(INSTALL) -m 644 vsftpd.conf.5 /usr/local/man/man5/vsftpd.conf.5; \ +- elif [ -x /usr/share/man ]; then \ +- $(INSTALL) -m 644 vsftpd.8 /usr/share/man/man8/vsftpd.8; \ +- $(INSTALL) -m 644 vsftpd.conf.5 /usr/share/man/man5/vsftpd.conf.5; \ +- else \ +- $(INSTALL) -m 644 vsftpd.8 /usr/man/man8/vsftpd.8; \ +- $(INSTALL) -m 644 vsftpd.conf.5 /usr/man/man5/vsftpd.conf.5; fi +- if [ -x /etc/xinetd.d ]; then \ +- $(INSTALL) -m 644 xinetd.d/vsftpd /etc/xinetd.d/vsftpd; fi ++ mkdir -p $(DESTDIR)/usr/sbin ++ $(INSTALL) -m 755 vsftpd $(DESTDIR)/usr/sbin/ ++ mkdir -p $(DESTDIR)/usr/share/man/man8 ++ $(INSTALL) -m 644 vsftpd.8 $(DESTDIR)/usr/share/man/man8/ ++ mkdir -p $(DESTDIR)/usr/share/man/man5 ++ $(INSTALL) -m 644 vsftpd.conf.5 $(DESTDIR)/usr/share/man/man5/ ++ mkdir -p $(DESTDIR)/etc/xinetd.d ++ $(INSTALL) -m 644 xinetd.d/vsftpd $(DESTDIR)/etc/xinetd.d/ ++ ++uninstall: ++ rm -f $(DESTDIR)/usr/sbin/vsftpd ++ rm -f $(DESTDIR)/usr/share/man/man8/vsftpd.8 ++ rm -f $(DESTDIR)/usr/share/man/man5/vsftpd.conf.5 ++ rm -f $(DESTDIR)/etc/xinetd.d/vsftpd + + clean: + rm -f *.o *.swp vsftpd diff --git a/package/lean/vsftpd-alt/patches/002-find_libs.patch b/package/lean/vsftpd-alt/patches/002-find_libs.patch new file mode 100644 index 000000000..4e95248ce --- /dev/null +++ b/package/lean/vsftpd-alt/patches/002-find_libs.patch @@ -0,0 +1,13 @@ +--- a/Makefile ++++ b/Makefile +@@ -8,8 +8,8 @@ CFLAGS = -O2 -fPIE -fstack-protector --p + -D_FORTIFY_SOURCE=2 \ + #-pedantic -Wconversion + +-LIBS = `./vsf_findlibs.sh` +-LINK = -Wl,-s ++LIBS = -lcrypt -lnsl -luci ++LINK = + LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now + + OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \ diff --git a/package/lean/vsftpd-alt/patches/003-chroot.patch b/package/lean/vsftpd-alt/patches/003-chroot.patch new file mode 100644 index 000000000..8965da417 --- /dev/null +++ b/package/lean/vsftpd-alt/patches/003-chroot.patch @@ -0,0 +1,11 @@ +--- a/tunables.c ++++ b/tunables.c +@@ -254,7 +254,7 @@ tunables_load_defaults() + /* -rw------- */ + tunable_chown_upload_mode = 0600; + +- install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir); ++ install_str_setting("/var/run/vsftpd", &tunable_secure_chroot_dir); + install_str_setting("ftp", &tunable_ftp_username); + install_str_setting("root", &tunable_chown_username); + install_str_setting("/var/log/xferlog", &tunable_xferlog_file); diff --git a/package/lean/vsftpd-alt/patches/004-disable-capabilities.patch b/package/lean/vsftpd-alt/patches/004-disable-capabilities.patch new file mode 100644 index 000000000..7aa6330b8 --- /dev/null +++ b/package/lean/vsftpd-alt/patches/004-disable-capabilities.patch @@ -0,0 +1,12 @@ +--- a/sysdeputil.c ++++ b/sysdeputil.c +@@ -165,6 +165,9 @@ + #endif + /* END config */ + ++#undef VSF_SYSDEP_HAVE_CAPABILITIES ++#undef VSF_SYSDEP_HAVE_LIBCAP ++ + /* PAM support - we include our own dummy version if the system lacks this */ + #include + diff --git a/package/lean/vsftpd-alt/patches/005-disable-pam.patch b/package/lean/vsftpd-alt/patches/005-disable-pam.patch new file mode 100644 index 000000000..ebb72447f --- /dev/null +++ b/package/lean/vsftpd-alt/patches/005-disable-pam.patch @@ -0,0 +1,11 @@ +--- a/builddefs.h ++++ b/builddefs.h +@@ -2,7 +2,7 @@ + #define VSF_BUILDDEFS_H + + #undef VSF_BUILD_TCPWRAPPERS +-#define VSF_BUILD_PAM ++#undef VSF_BUILD_PAM + #undef VSF_BUILD_SSL + + #endif /* VSF_BUILDDEFS_H */ diff --git a/package/lean/vsftpd-alt/patches/006-musl-compatibility.patch b/package/lean/vsftpd-alt/patches/006-musl-compatibility.patch new file mode 100644 index 000000000..9eefec79d --- /dev/null +++ b/package/lean/vsftpd-alt/patches/006-musl-compatibility.patch @@ -0,0 +1,13 @@ +--- a/sysdeputil.c ++++ b/sysdeputil.c +@@ -58,7 +58,9 @@ + #define VSF_SYSDEP_HAVE_SHADOW + #define VSF_SYSDEP_HAVE_USERSHELL + #define VSF_SYSDEP_HAVE_LIBCAP +-#define VSF_SYSDEP_HAVE_UTMPX ++#if defined(__GLIBC__) || defined(__UCLIBC__) ++ #define VSF_SYSDEP_HAVE_UTMPX ++#endif + + #define __USE_GNU + #include diff --git a/package/lean/vsftpd-alt/patches/007-CVE-2015-1419.patch b/package/lean/vsftpd-alt/patches/007-CVE-2015-1419.patch new file mode 100644 index 000000000..173027a1d --- /dev/null +++ b/package/lean/vsftpd-alt/patches/007-CVE-2015-1419.patch @@ -0,0 +1,98 @@ +Description: CVE-2015-1419: config option deny_file is not handled correctly +Author: Marcus Meissner +Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922 +Last-Update: 2015-02-24 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/ls.c ++++ b/ls.c +@@ -7,6 +7,7 @@ + * Would you believe, code to handle directory listing. + */ + ++#include + #include "ls.h" + #include "access.h" + #include "defs.h" +@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct + struct mystr temp_str = INIT_MYSTR; + struct mystr brace_list_str = INIT_MYSTR; + struct mystr new_filter_str = INIT_MYSTR; ++ struct mystr normalize_filename_str = INIT_MYSTR; ++ const char *normname; ++ const char *path; + int ret = 0; + char last_token = 0; + int must_match_at_current_pos = 1; ++ + str_copy(&filter_remain_str, p_filter_str); +- str_copy(&name_remain_str, p_filename_str); ++ ++ /* normalize filepath */ ++ path = str_strdup(p_filename_str); ++ normname = realpath(path, NULL); ++ if (normname == NULL) ++ goto out; ++ str_alloc_text(&normalize_filename_str, normname); ++ ++ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) { ++ if (str_get_char_at(p_filter_str, 0) == '/') { ++ if (str_get_char_at(&normalize_filename_str, 0) != '/') { ++ str_getcwd (&name_remain_str); ++ ++ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */ ++ str_append_char (&name_remain_str, '/'); ++ ++ str_append_str (&name_remain_str, &normalize_filename_str); ++ } ++ else ++ str_copy (&name_remain_str, &normalize_filename_str); ++ } else { ++ if (str_get_char_at(p_filter_str, 0) != '{') ++ str_basename (&name_remain_str, &normalize_filename_str); ++ else ++ str_copy (&name_remain_str, &normalize_filename_str); ++ } ++ } else ++ str_copy(&name_remain_str, &normalize_filename_str); + + while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX) + { +@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct + ret = 0; + } + out: ++ free(normname); ++ free(path); ++ str_free(&normalize_filename_str); + str_free(&filter_remain_str); + str_free(&name_remain_str); + str_free(&temp_str); +--- a/str.c ++++ b/str.c +@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_ + } + } + ++void ++str_basename (struct mystr* d_str, const struct mystr* path) ++{ ++ static struct mystr tmp; ++ ++ str_copy (&tmp, path); ++ str_split_char_reverse(&tmp, d_str, '/'); ++ ++ if (str_isempty(d_str)) ++ str_copy (d_str, path); ++} +--- a/str.h ++++ b/str.h +@@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst + int str_atoi(const struct mystr* p_str); + filesize_t str_a_to_filesize_t(const struct mystr* p_str); + unsigned int str_octal_to_uint(const struct mystr* p_str); ++void str_basename (struct mystr* d_str, const struct mystr* path); + + /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string + * buffer, starting at character position 'p_pos'. The extracted line will diff --git a/package/lean/vsftpd-alt/patches/100-add-uci-auth-support.patch b/package/lean/vsftpd-alt/patches/100-add-uci-auth-support.patch new file mode 100644 index 000000000..3b805645d --- /dev/null +++ b/package/lean/vsftpd-alt/patches/100-add-uci-auth-support.patch @@ -0,0 +1,127 @@ +--- a/parseconf.c ++++ b/parseconf.c +@@ -178,6 +178,7 @@ + { "rsa_private_key_file", &tunable_rsa_private_key_file }, + { "dsa_private_key_file", &tunable_dsa_private_key_file }, + { "ca_certs_file", &tunable_ca_certs_file }, ++ { "uci_config_name", &tunable_uci_config_name }, + { "cmds_denied", &tunable_cmds_denied }, + { 0, 0 } + }; +--- a/sysdeputil.c ++++ b/sysdeputil.c +@@ -175,6 +175,8 @@ + #include + #include + #include ++/* Include uci headers */ ++#include + #endif + + /* Prefer libcap based capabilities over raw syscall capabilities */ +@@ -237,14 +239,24 @@ + void vsf_remove_uwtmp(void); + + #ifndef VSF_SYSDEP_HAVE_PAM ++static int ++vsf_sysdep_check_auth_uci(struct mystr* p_user_str, ++ const struct mystr* p_pass_str); ++ + int + vsf_sysdep_check_auth(struct mystr* p_user_str, + const struct mystr* p_pass_str, + const struct mystr* p_remote_host) + { + const char* p_crypted; +- const struct passwd* p_pwd = getpwnam(str_getbuf(p_user_str)); ++ const struct passwd* p_pwd; + (void) p_remote_host; ++ ++ /* Try UCI first */ ++ if (vsf_sysdep_check_auth_uci(p_user_str, p_pass_str)) ++ return 1; ++ ++ p_pwd = getpwnam(str_getbuf(p_user_str)); + if (p_pwd == NULL) + { + return 0; +@@ -300,6 +312,51 @@ + return 0; + } + ++static int ++vsf_sysdep_check_auth_uci(struct mystr* p_user_str, ++ const struct mystr* p_pass_str) ++{ ++ struct uci_context *uctx; ++ struct uci_package *pkg = NULL; ++ struct uci_element *e = NULL; ++ struct uci_section *s; ++ const char *user, *passwd; ++ int ret = 0; ++ ++ if (!tunable_uci_config_name) ++ return 0; ++ ++ uctx = uci_alloc_context(); ++ if (!uctx) ++ return 0; ++ ++ if (uci_load(uctx, tunable_uci_config_name, &pkg) != UCI_OK) ++ goto cleanup; ++ ++ uci_foreach_element(&pkg->sections, e) ++ { ++ s = uci_to_section(e); ++ if (!(user = uci_lookup_option_string(uctx, s, "username"))) ++ continue; ++ if (vsf_sysutil_strcmp(user, str_getbuf(p_user_str))) ++ continue; ++ if (!(passwd = uci_lookup_option_string(uctx, s, "password"))) ++ continue; ++ if (!vsf_sysutil_strcmp(passwd, str_getbuf(p_pass_str))) ++ { ++ ret = 1; ++ break; ++ } ++ } ++ ++cleanup: ++ if (pkg) ++ uci_unload(uctx, pkg); ++ uci_free_context(uctx); ++ ++ return ret; ++} ++ + #else /* VSF_SYSDEP_HAVE_PAM */ + + #if (defined(__sun) || defined(__hpux)) && \ +--- a/tunables.c ++++ b/tunables.c +@@ -142,6 +142,7 @@ + const char* tunable_rsa_private_key_file; + const char* tunable_dsa_private_key_file; + const char* tunable_ca_certs_file; ++const char* tunable_uci_config_name; + + static void install_str_setting(const char* p_value, const char** p_storage); + +@@ -288,6 +289,7 @@ + install_str_setting(0, &tunable_rsa_private_key_file); + install_str_setting(0, &tunable_dsa_private_key_file); + install_str_setting(0, &tunable_ca_certs_file); ++ install_str_setting(0, &tunable_uci_config_name); + } + + void +--- a/tunables.h ++++ b/tunables.h +@@ -144,6 +144,7 @@ + extern const char* tunable_rsa_private_key_file; + extern const char* tunable_dsa_private_key_file; + extern const char* tunable_ca_certs_file; ++extern const char* tunable_uci_config_name; + extern const char* tunable_cmds_denied; + + #endif /* VSF_TUNABLES_H */ diff --git a/package/lean/vsftpd-alt/patches/101-enable-chroot-on-writable-dir.patch b/package/lean/vsftpd-alt/patches/101-enable-chroot-on-writable-dir.patch new file mode 100644 index 000000000..c7a6b05fd --- /dev/null +++ b/package/lean/vsftpd-alt/patches/101-enable-chroot-on-writable-dir.patch @@ -0,0 +1,14 @@ +--- a/secutil.c ++++ b/secutil.c +@@ -135,10 +135,12 @@ + if ((options & VSF_SECUTIL_OPTION_CHROOT) && + !(options & VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT)) + { ++ /* + if (vsf_sysutil_write_access("/")) + { + die("vsftpd: refusing to run with writable root inside chroot()"); + } ++ */ + } + } diff --git a/package/lean/vsftpd-alt/patches/102-keep-local-user-rights.patch b/package/lean/vsftpd-alt/patches/102-keep-local-user-rights.patch new file mode 100644 index 000000000..f5ee25d76 --- /dev/null +++ b/package/lean/vsftpd-alt/patches/102-keep-local-user-rights.patch @@ -0,0 +1,11 @@ +--- a/twoprocess.c ++++ b/twoprocess.c +@@ -426,7 +426,7 @@ + */ + vsf_set_die_if_parent_dies(); + priv_sock_set_child_context(p_sess); +- if (tunable_guest_enable && !anon) ++ if (tunable_guest_enable && !anon && !str_getpwnam(p_user_str)) + { + p_sess->is_guest = 1; + /* Remap to the guest user */