diff --git a/meta-oe/recipes-core/busybox/busybox-1.23.1/inetd.conf b/meta-oe/recipes-core/busybox/busybox-1.23.1/inetd.conf
index def8d3cbac1..d0e891296a8 100644
--- a/meta-oe/recipes-core/busybox/busybox-1.23.1/inetd.conf
+++ b/meta-oe/recipes-core/busybox/busybox-1.23.1/inetd.conf
@@ -18,4 +18,3 @@
 #daytime dgram udp6 wait root internal
 #time stream tcp6 nowait root internal
 #time dgram udp6 wait root internal
-ftp stream tcp6 nowait root /usr/sbin/vsftpd vsftpd
diff --git a/meta-oe/recipes-core/busybox/busybox_1.23.1.bbappend b/meta-oe/recipes-core/busybox/busybox_1.23.1.bbappend
index c1895a3e3e0..9315dc00723 100644
--- a/meta-oe/recipes-core/busybox/busybox_1.23.1.bbappend
+++ b/meta-oe/recipes-core/busybox/busybox_1.23.1.bbappend
@@ -1,4 +1,4 @@ -PR .= ".18" +PR .= ".19" PACKAGE_ARCH = "${MACHINE_ARCH}" SRC_URI += " \
diff --git a/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/ftp.service b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/ftp.service
new file mode 100644
index 00000000000..d2cf37c0f66
--- /dev/null
+++ b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/ftp.service
@@ -0,0 +1,9 @@ + + + + FTP file server on %h + + _ftp._tcp + 21 + +
diff --git a/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/init.vsftpd b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/init.vsftpd
new file mode 100644
index 00000000000..c0589418c94
--- /dev/null
+++ b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/init.vsftpd
@@ -0,0 +1,47 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: vsftpd
+# Default-Start: 2345
+# Default-Stop: 016
+# Short-Description: Very Secure Ftp Daemon
+# Description: vsftpd is a Very Secure FTP daemon. It was written completely from
+# scratch
+### END INIT INFO
+
+DAEMON=/usr/sbin/vsftpd
+NAME=vsftpd
+DESC="FTP Server"
+ARGS=""
+AVAHI="/etc/avahi/services/ftp"
+
+test -f $DAEMON || exit 0
+
+set -e
+
+case "$1" in
+ start)
+ echo -n "* starting $DESC: $NAME... "
+ start-stop-daemon -S -b -x $DAEMON -- $ARGS
+ [ -e ${AVAHI}.disabled ] && mv ${AVAHI}.disabled ${AVAHI}.service
+ echo "done."
+ ;;
+ stop)
+ echo -n "* stopping $DESC: $NAME... "
+ start-stop-daemon -K -x $DAEMON
+ [ -e ${AVAHI}.service ] && mv ${AVAHI}.service ${AVAHI}.disabled
+ echo "done."
+ ;;
+ restart)
+ echo "* restarting $DESC: $NAME... "
+ $0 stop || true
+ $0 start
+ [ -e ${AVAHI}.disabled ] && mv ${AVAHI}.disabled ${AVAHI}.service
+ echo "done."
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd.chroot_list b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd.chroot_list
new file mode 100644
index 00000000000..d8649da39dd
--- /dev/null
+++ b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd.chroot_list
@@ -0,0 +1 @@
+root
diff --git a/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd.conf b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd.conf
index 963364ffc3f..d79f52e4ded 100644
--- a/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd.conf
+++ b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd.conf
@@ -10,6 +10,7 @@ # run standalone listen=NO +listen_ipv6=YES # No PAM sessions to save resources session_support=NO
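Review bot: In the `stop` branch of init.vsftpd the Avahi rename is skipped whenever no vsftpd process is found, because `set -e` aborts the script as soon as `start-stop-daemon -K` returns non-zero (as BusyBox's does when nothing matches); the `_ftp._tcp` record then stays published for a server that is not running. Tolerating the miss the way `restart` already does keeps the daemon state and the advertisement in step: `start-stop-daemon -K -x $DAEMON || true`. The rename in `restart` only repeats what `$0 start` has just done and can be dropped, and `$DAEMON` and the `${AVAHI}` paths would be safer quoted.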
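Review bot: The single entry `root` in vsftpd.chroot_list ends up exempting root from the jail rather than confining it: the later vsftpd.conf hunks set `chroot_local_user=YES` together with `chroot_list_enable=YES`, and the config's own comment says the list then names the users NOT to chroot(). If root can authenticate at all (that depends on PAM and userlist settings not shown in this diff), it gets the whole filesystem over FTP, which is unencrypted unless `ssl_enable` is set elsewhere in the config. If that access is intended, say so next to `chroot_list_file`, e.g. `# root is listed in vsftpd.chroot_list on purpose: full-filesystem access for <reason>`; otherwise ship the list empty.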
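Review bot: `listen_ipv6=YES` puts vsftpd in standalone mode, which does not fit the `vsftpd@.service` unit added later in this commit: that unit passes each instance a socket on stdin (`StandardInput=socket`), and vsftpd's documentation says a standalone daemon must not be started from an inetd-style launcher. The `-` prefix on `ExecStart=` would hide the resulting failure. Neither a matching socket unit nor an install step for the unit is visible in this diff, so it may simply be unused; if so, drop it, otherwise give it a config with listening turned off. The comment above the setting could also name the expected launcher, e.g. `# standalone on the IPv6 socket; started by /etc/init.d/vsftpd, not inetd`.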
@@ -99,9 +100,9 @@ xferlog_std_format=YES
 # You may specify an explicit list of local users to chroot() to their home
 # directory. If chroot_local_user is YES, then this list becomes a list of
 # users to NOT chroot().
-#chroot_list_enable=YES
+chroot_list_enable=YES
 # (default follows)
-#chroot_list_file=/etc/vsftpd.chroot_list
+chroot_list_file=/etc/vsftpd.chroot_list
 #
 # You may activate the "-R" option to the builtin ls. This is disabled by
 # default to avoid remote users being able to cause excessive I/O on large
@@ -135,14 +136,15 @@ use_localtime=YES # Only enable if you know what you are doing. Note that these security implications # are not vsftpd specific. They apply to all FTP daemons which offer to put # local users in chroot() jails. -chroot_local_user=NO +chroot_local_user=YES # allow_writeable_chroot=YES # tcp_wrappers=NO -local_root=/ - # Enable FXP pasv_promiscuous=YES port_promiscuous=YES + +# Allow users w/o shell access +check_shell=NO
diff --git a/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd@.service b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd@.service
new file mode 100644
index 00000000000..68e89d18cf4
--- /dev/null
+++ b/meta-oe/recipes-daemons/vsftpd/vsftpd-3.0.2/vsftpd@.service
@@ -0,0 +1,5 @@
+[Unit]
+
+[Service]
+ExecStart=-/usr/sbin/vsftpd
+StandardInput=socket
diff --git a/meta-oe/recipes-daemons/vsftpd/vsftpd_3.0.2.bb b/meta-oe/recipes-daemons/vsftpd/vsftpd_3.0.2.bb
index 2591771965e..66c53effda6 100644
--- a/meta-oe/recipes-daemons/vsftpd/vsftpd_3.0.2.bb
+++ b/meta-oe/recipes-daemons/vsftpd/vsftpd_3.0.2.bb
@@ -3,11 +3,9 @@ HOMEPAGE = "https://security.appspot.com/vsftpd.html" SECTION = "network" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=a6067ad950b28336613aed9dd47b1271" -PR = "r4" +PR = "r5" DEPENDS = "libcap openssl" -DEPENDS += "virtual/inetd" -RDEPENDS_${PN} += "virtual/inetd" SRC_URI = "https://security.appspot.com/downloads/vsftpd-${PV}.tar.gz \ file://makefile-destdir.patch \
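Review bot: `check_shell=NO` at the end of the third vsftpd.conf hunk is commented only as "Allow users w/o shell access", but its effect is wider: together with the `pam_shells.so` line that vsftpd_3.0.2.bbappend strips for PAM builds (vsftpd documents `check_shell` as affecting non-PAM builds only), every local account with a password can authenticate, including service accounts whose shell was set to /bin/false to keep them from logging in. If the intent is just the `kids` account created in the postinst, an allowlist states that directly: `userlist_enable=YES`, `userlist_deny=NO`, `userlist_file=/etc/vsftpd.user_list`. No userlist setting is visible in these hunks, so check the rest of vsftpd.conf before adding one; the list file would also need to be added to SRC_URI and CONFFILES.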
diff --git a/meta-oe/recipes-daemons/vsftpd/vsftpd_3.0.2.bbappend b/meta-oe/recipes-daemons/vsftpd/vsftpd_3.0.2.bbappend
new file mode 100755
index 00000000000..70835ba2de4
--- /dev/null
+++ b/meta-oe/recipes-daemons/vsftpd/vsftpd_3.0.2.bbappend
@@ -0,0 +1,66 @@
+SRC_URI += "file://vsftpd.chroot_list \
+ file://init.vsftpd \
+ file://ftp.service \
+ "
+PR .= ".1"
+
+inherit update-rc.d
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME_${PN} = "${PN}"
+INITSCRIPT_PARAMS = "defaults"
+
+CONFFILES_${PN} += "${sysconfdir}/vsftpd.chroot_list"
+
+do_install_append() {
+ install -m 600 ${WORKDIR}/vsftpd.chroot_list ${D}${sysconfdir}/vsftpd.chroot_list
+ mkdir -p ${D}${sysconfdir}/init.d
+ install -m 755 ${WORKDIR}/init.vsftpd ${D}${sysconfdir}/init.d/vsftpd
+ mkdir -p ${D}${sysconfdir}/avahi/services
+ install -m 644 ${WORKDIR}/ftp.service ${D}${sysconfdir}/avahi/services
+ if ! test -z ${PAMLIB} ; then
+ grep -v 'pam_shells.so' ${D}${sysconfdir}/pam.d/vsftpd > $D/tmp/vsftpd
+ mv $D/tmp/vsftpd ${D}${sysconfdir}/pam.d/vsftpd
+ fi
+}
+
+pkg_preinst_${PN}_prepend() {
+#!/bin/sh
+
+# Remove ftp inetd.conf entries
+if [ -z "$D" -a -f "/etc/inetd.conf" ]; then
+ grep -vE '^[#\s]*(21|ftp)' $D/etc/inetd.conf > $D/tmp/inetd.tmp
+ mv $D/tmp/inetd.tmp $D/etc/inetd.conf
+fi
+
+if [ -z "$D" -a -f "/etc/init.d/inetd.busybox" ]; then
+ # Restart the internet superserver
+ /etc/init.d/inetd.busybox restart
+fi
+
+if [ -z "$D" -a -f "/etc/vsftpd.conf" ]; then
+ echo "Existing user modified configs might make vsftpd fail to start!"
+ echo "Renaming config file /etc/vsftpd.conf to /etc/vsftpd.conf-user ..."
+ mv /etc/vsftpd.conf /etc/vsftpd.conf-user
+fi
+}
+
+pkg_postinst_${PN}_prepend() {
+#!/bin/sh
+
+if [ -n "$D" ]; then
+ grep -qE '^kids:' $D/etc/passwd
+ if [[ $? -ne 0 ]] ; then
+ echo 'kids:x:500:500:Linux User,,,:/media:/bin/false' >> $D/etc/passwd
+ echo 'kids:!:16560:0:99999:7:::' >> $D/etc/shadow
+ fi
+fi
+
+if [ -z "$D" ]; then
+ grep -qE '^kids:' /etc/passwd
+ if [[ $? -ne 0 ]] ; then
+ adduser -h /media -s /bin/false -H -D -u 500 kids 2>/dev/null || adduser -h /media -s /bin/false -H -D kids
+ fi
+
+fi
+}
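Review bot: The pkg_preinst block rewrites /etc/inetd.conf through a fixed name in a world-writable directory: the branch only runs when `$D` is empty, so `$D/tmp/inetd.tmp` is `/tmp/inetd.tmp`, written as root and then moved over the config whether or not `grep` succeeded. Keeping the scratch file next to the target and chaining the two steps avoids both problems: `grep -vE '^[#[:space:]]*(21|ftp)[[:space:]]' /etc/inetd.conf > /etc/inetd.conf.new && mv /etc/inetd.conf.new /etc/inetd.conf`. The bracket expression needs `[:space:]` because `\s` inside `[...]` is a literal backslash and `s` in POSIX ERE, and without a trailing delimiter the pattern also drops any service whose name merely begins with `ftp` or `21`. The same `$D/tmp/...` pattern appears in do_install_append, where the unbraced `$D` is a shell variable rather than BitBake's `${D}` and, unless it happens to be exported to the task, resolves to the build host's /tmp.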