Age | Commit message | Author |
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
* Allow sysinfo() in the seccomp sandbox; otherwise the
OOPS: priv_sock_get_cmd below occurs, as the syscall
sysinfo() is not allowed
tnftp 192.168.1.1
Connected to 192.168.1.1.
220 (vsFTPd 3.0.3)
Name (192.168.1.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> prompt
Interactive mode off.
ftp> mget small*
OOPS: priv_sock_get_cmd
* Use "strace -ff /usr/sbin/vsftpd" to track in both the
seccomp sandbox on and seccomp sandbox off (add
seccomp_sandbox=NO in /etc/vsftpd.conf) scenarios when
typing the commands at the ftp client as above. The ftp
connection at the server side ends up each time with SIGSYS when
calling the sysinfo() syscall in the seccomp sandbox on case,
so we need to add sysinfo() to the seccomp sandbox if we
still use the seccomp sandbox for vsftpd
* The issue still exists in other distributions. Please
check https://bugzilla.redhat.com/show_bug.cgi?id=845980 for details,
and check ftp://195.220.108.108/linux/fedora/linux/updates/\
24/SRPMS/p/proftpd-1.3.5b-2.fc24.src.rpm for Fedora; there
is even a patch, vsftpd-3.0.2-seccomp.patch, as below, to turn off
the seccomp sandbox for vsftpd by default, which also means Fedora
doesn't limit the syscalls any more by default.
From dd86a1c28f11fa67b1263d5dc79fa9953629d30d Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Fri, 8 Apr 2016 15:03:16 +0200
Subject: [PATCH 1/7] vsftpd-3.0.2-seccomp
---
tunables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tunables.c b/tunables.c
index 93f85b1..b024be4 100644
--- a/tunables.c
+++ b/tunables.c
@@ -232,7 +232,7 @@ tunables_load_defaults()
tunable_isolate_network = 1;
tunable_ftp_enable = 1;
tunable_http_enable = 0;
- tunable_seccomp_sandbox = 1;
+ tunable_seccomp_sandbox = 0;
tunable_allow_writeable_chroot = 0;
tunable_accept_timeout = 60;
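Review bot: Setting tunable_seccomp_sandbox = 0 in tunables_load_defaults() turns the seccomp filter off for every installation that does not set the option explicitly, while the surrounding commit message attributes the failure to a single syscall, sysinfo(). Consider keeping the default at 1 and permitting that syscall in the filter instead. If the default does have to change, the diffstat shows only tunables.c touched, so the documented default for seccomp_sandbox should be updated in the same patch.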
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
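The strace comparison described in the commit message above can be scripted. This added example (not part of the commit or of vsftpd) scans "strace -ff" output for processes killed by SIGSYS and names the syscall the seccomp filter rejected. The trace excerpts and function names are constructed for illustration.

```python
import re

# Constructed `strace -ff` excerpts: PIDs, addresses and arguments are made up.
TRACE_SANDBOX_ON = """\
[pid  4101] openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = 5
[pid  4101] getdents64(5, /* 6 entries */, 32768) = 176
[pid  4101] sysinfo( <unfinished ...>
[pid  4101] --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x7f3a5c1d2e47, si_syscall=__NR_sysinfo, si_arch=AUDIT_ARCH_X86_64} ---
[pid  4101] +++ killed by SIGSYS +++
[pid  4099] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=4101, si_uid=0, si_status=SIGSYS, si_utime=0, si_stime=0} ---
"""
TRACE_SANDBOX_OFF = """\
[pid  4210] getdents64(5, /* 6 entries */, 32768) = 176
[pid  4210] sysinfo({uptime=5123, loads=[0, 0, 0], totalram=1031028736, ...}) = 0
[pid  4210] close(5) = 0
"""

LINE = re.compile(r"^\[pid\s+(\d+)\]\s+(.*)$")
CALL = re.compile(r"^([a-z_][a-z0-9_]*)\(")
SIGSYS = re.compile(r"^--- SIGSYS \{.*?si_syscall=__NR_(\w+)")

def seccomp_kills(trace):
    """Return [(pid, syscall)] for every process that strace shows killed by SIGSYS."""
    last_call, blocked, kills = {}, {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, rest = int(m.group(1)), m.group(2)
        call, sig = CALL.match(rest), SIGSYS.match(rest)
        if call:
            last_call[pid] = call.group(1)      # most recent syscall entered by this pid
        elif sig:
            blocked[pid] = sig.group(1)         # syscall named in the seccomp siginfo
        elif rest.startswith("+++ killed by SIGSYS"):
            # Prefer the siginfo field; fall back to the last syscall seen for the pid.
            kills.append((pid, blocked.get(pid) or last_call.get(pid, "unknown")))
    return kills

def missing_from_allowlist(trace):
    """Syscalls the filter would need to permit for the traced session to survive."""
    return sorted({name for _, name in seccomp_kills(trace)})

if __name__ == "__main__":
    print(seccomp_kills(TRACE_SANDBOX_ON))
    print(missing_from_allowlist(TRACE_SANDBOX_OFF))
```

Running it over traces captured with the sandbox on and off shows which syscall to review for the filter, rather than disabling the sandbox as a whole.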
|
|
* remove tabs which sneaked in since last cleanup
* meta-oe layers are using consistent indentation with 4 spaces, see
http://www.openembedded.org/wiki/Styleguide
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
base_contains() is a compatibility wrapper and may warn in the future, so
replace all instances with bb.utils.contains().
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
This recipe currently relies on EXTRA_OEMAKE having been set to
"-e MAKEFLAGS=" in bitbake.conf to operate. It is necessary to make
this explicit so that the default in bitbake.conf can be changed.
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
SECTION has been used inconsistently throughout the recipes in this layer.
Convert them to all use the same convention.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Patch taken from Fedora to fix CVE-2015-1419, making deny_file parsing do
more of what is expected.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Keep compatibility with chkconfig tool.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Add systemd service for vsftpd.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Fix pkg_postinst to not exit if "$D" is not empty.
Otherwise, postinsts from update-rc.d.bbclass would not run and the
symlinks under /etc/rc?.d/ would not be created.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
No changes other than source checksum.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
WARNING: QA Issue: vsftpd: Files/directories were installed but not shipped
/run
/run/vsftpd
/run/vsftpd/empty
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
When ntpd starts, it will create a daemon to connect to this invalid server
and fail; then ntpd will create another daemon to connect to the local-only
(127.127.1.0) server.
Users should be aware that they need to configure the correct ntp
servers; an invalid server will lead to a redundant daemon, so it is better
to comment out this example server and wait for the user to configure it.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
"test -z ${PAMLIB}" in do_install() may report an error if ${PAMLIB}
has space chars. This commit added double quotes to wrap it in
case of errors.
Signed-off-by: Qiang Chen <qiang.chen@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Change the default value of secure_chroot_dir to /var/run/vsftpd/empty and add
a volatiles entry for it, to ensure it won't fail to start with the error:
"500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/var/share/empty"
This shows up both in standalone mode and when started by xinetd.
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
|
|
Upgrade vsftpd to 3.0.0 with the modifications below:
1. more strict access limitation, like: do not allow anonymous access
2. use vsftpd.ftpusers and vsftpd.user_list to confine user access
3. enable pam if DISTRO_FEATURE includes pam
4. enable tcp-wrapper
5. install vsftpd.conf with 0600 permission, not 0755
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
|
|
* Fails without openssl in sysroot:
| i586-webos-linux-gcc -m32 -march=i586 --sysroot=/OE/sysroots/qemux86 -o vsftpd main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o tunables.o ftpdataio.o secbuf.o ls.o postprivparent.o logging.o str.o netstr.o sysstr.o strlist.o banner.o filestr.o parseconf.o secutil.o ascii.o oneprocess.o twoprocess.o privops.o standalone.o hash.o tcpwrap.o ipaddrparse.o access.o features.o readwrite.o opts.o ssl.o sslslave.o ptracesandbox.o ftppolicy.o sysutil.o sysdeputil.o -lssl -lcrypto -lnsl -lresolv -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -lcrypt -lcap
| /OE/sysroots/x86_64-linux/usr/libexec/i586-webos-linux/gcc/i586-webos-linux/4.7.2/ld: cannot find -lssl
| /OE/sysroots/x86_64-linux/usr/libexec/i586-webos-linux/gcc/i586-webos-linux/4.7.2/ld: cannot find -lcrypto
| collect2: error: ld returned 1 exit status
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
|
|
* Fix stripped file QA warning
* Add proper headers to patches (and split makefile.patch into two
parts, one of which may be upstreamable)
* Use PV in SRC_URI instead of hardcoded version
* Move SRC_URI checksums up next to SRC_URI
* Set SUMMARY instead of DESCRIPTION
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|