
add proftpd security update

Hanno Böck authored on 13/11/2011 21:09:01
Showing 5 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,10 @@
1
+AUX proftpd.conf.sample 1275 RMD160 199b8cced06d347ef8a2033b68850fd9dd922ccd SHA1 e58e5e7856bc77e159a628717ad1c73e20c5b883 SHA256 a214b3937f319c70976d29cfcd47c2cd937d1d70b7274c2b241b1e97606e89c0
2
+AUX proftpd.initd 1565 RMD160 efa4d3a98202666ba55e91c711fa03832ad5e320 SHA1 18ff1ec4d34d7442d06ab2201deea40548116d51 SHA256 52ee854ddd402b251b483450a26001a4d8d72706870040d0a866347440e0c395
3
+AUX proftpd.xinetd 295 RMD160 c5c829319e901f478fe58b920347cc1b8706a366 SHA1 3f1bd8d6cbb1488301b9aa0346e02b571fd0783a SHA256 150a5701f5c2788ecdf2c6ec228ce674963c9dc7bc1c511ad1eba8dfe05e2d5d
4
+DIST mod_clamav-0.11rc.tar.gz 5115 RMD160 1b7f0bf94ed4664f873848e0fedee493f18726b8 SHA1 26fa4a8106fbb3266e7c94f50f12ed74fb2f3fec SHA256 87630eb1866066d6320ee711897d8998b8f4915c0498b2e78cc0464abd34855a
5
+DIST mod_gss-1.3.3.tar.gz 115098 RMD160 6a772ea215db7af94223fbb3bbb84614d1f7cf30 SHA1 b17015a49e41ee643f1891940f9f3f8a7d77e522 SHA256 24702cf0333720730cc269eb30529061365b1384fdce274bc3d46ccfc300934e
6
+DIST proftpd-1.3.3g.tar.bz2 4204504 RMD160 29bdade06f63ace05811e809b0a3600ea6ed61fe SHA1 70489c2b32c87b3637fd0cf2520773c5229f4ae3 SHA256 b1104a91e5e4dfafb0aa876492c073cf24b7d00b3e8528fa4443c108d963ae15
7
+DIST proftpd-mod-case-0.4.tar.gz 4849 RMD160 fdf579587461c0ad2136f6cc1e3064efe31f2eb6 SHA1 01631d4545d9a4995d452278caa2ef94b84e6a1f SHA256 5c724a2a57a00048529bfab6c5672e16c7c0ecb2eb4e2bedd05bb3a1a5bf97fa
8
+DIST proftpd-mod-deflate-0.5.4.tar.gz 55219678 RMD160 0d9ac70d076de3be521492d0c79089291a1b6dfd SHA1 292ba9dd301a010c46906ec09b5d455ff2b8ee4f SHA256 6ae753608ad126067bd48da8d4ea6ac3ef8eaf339ae924ffdbe30d1819a5e5db
9
+DIST proftpd-mod-vroot-0.9.2.tar.gz 22438 RMD160 8d8620a346b422e57cd775fdde0241a3c0ca144d SHA1 13ec52c688bbb91eaae76a8e4814bfd49e0bc597 SHA256 b0ea7af760ab7a54a62ac294656b5a34a5339665c0227ade0d2f206cc54a10bf
10
+EBUILD proftpd-1.3.3g.ebuild 7187 RMD160 10d00838dc9840d6632674c2cd7ee9db0636a678 SHA1 1c554d29d90275d5fa307e5a6a8282296f98e259 SHA256 f71b0593ff70248b834bf006e062dd7b62090f32b847d53dfadd6d63a9943db3
0 11
new file mode 100644
... ...
@@ -0,0 +1,53 @@
1
+# This is a sample ProFTPD configuration file for Gentoo Linux (rename
2
+# it to 'proftpd.conf' for actual use). It establishes a single server
3
+# and a single anonymous login.
4
+
5
+ServerName "ProFTPD Default Server"
6
+ServerType standalone
7
+DefaultServer on
8
+RequireValidShell off
9
+AuthPAM off
10
+AuthPAMConfig ftp
11
+
12
+# Listen on the standard FTP port 21.
13
+Port 21
14
+
15
+# New directories and files should not be group or world writable.
16
+Umask 022
17
+
18
+# To prevent DoS attacks set the maximum number of child processes
19
+# to 30. If you need to allow more than 30 concurrent connections
20
+# at once simply increase this value.
21
+MaxInstances 30
22
+
23
+# The server will run under ftp/ftp.
24
+User ftp
25
+Group ftp
26
+
27
+# Every FTP sessions is "jailed" into the user's home directory.
28
+DefaultRoot ~
29
+
30
+# Generally files are overwritable.
31
+AllowOverwrite on
32
+
33
+# Disallow the use of the SITE CHMOD command.
34
+<Limit SITE_CHMOD>
35
+  DenyAll
36
+</Limit>
37
+
38
+# A basic anonymous FTP account without an upload directory.
39
+<Anonymous ~ftp>
40
+  User ftp
41
+  Group ftp
42
+
43
+  # Clients can login with the username "anonymous" and "ftp".
44
+  UserAlias anonymous ftp
45
+
46
+  # Limit the maximum number of parallel anonymous logins to 10.
47
+  MaxClients 10
48
+
49
+  # Prohibit the WRITE command for the anonymous users.
50
+  <Limit WRITE>
51
+    DenyAll
52
+  </Limit>
53
+</Anonymous>
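Review bot: The `<Anonymous ~ftp>` block at the end of this sample is active as shipped, so an admin who follows the header comment and renames the file to `proftpd.conf` gets a read-only anonymous login without having chosen it. Consider shipping that block commented out, preceded by a line such as `# Uncomment the following block to enable a read-only anonymous account.`, so that anonymous access is opt-in. The comment `# Every FTP sessions is "jailed"` should also read `# Every FTP session is "jailed"`.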
0 54
new file mode 100644
... ...
@@ -0,0 +1,52 @@
1
+#!/sbin/runscript
2
+# Copyright 1999-2011 Gentoo Foundation
3
+# Distributed under the terms of the GNU General Public License v2
4
+# $Header: /var/cvsroot/gentoo-x86/net-ftp/proftpd/files/proftpd.initd,v 1.4 2011/09/28 09:47:22 voyageur Exp $
5
+
6
+extra_started_commands="reload"
7
+
8
+depend() {
9
+	need net
10
+	use logger dns mysql postgresql antivirus
11
+}
12
+
13
+check_configuration() {
14
+	if [ ! -e /etc/proftpd/proftpd.conf ] ; then
15
+		eerror "To execute the ProFTPD server you need a /etc/proftpd/proftpd.conf configuration"
16
+		eerror "file. In /etc/proftpd you can find a sample configuration."
17
+		return 1
18
+	fi
19
+	/usr/sbin/proftpd -t &>/dev/null
20
+	if [ $? -ne 0 ] ; then
21
+		eerror "The ProFTPD configuration file /etc/proftpd/proftpd.conf is invalid! You have to"
22
+		eerror "fix your configuration in order to run the ProFTPD server. For more information"
23
+		eerror "you may execute the ProFTPD configuration check '/usr/sbin/proftpd -t'."
24
+		return 2
25
+	fi
26
+}
27
+
28
+start() {
29
+	[ -d /var/run/proftpd ] || mkdir /var/run/proftpd
30
+	[ "${RC_CMD}" = "restart" ] || check_configuration || return 1
31
+	ebegin "Starting ProFTPD"
32
+	start-stop-daemon --start --quiet \
33
+		--exec /usr/sbin/proftpd \
34
+		--pidfile /var/run/proftpd/proftpd.pid
35
+	eend $?
36
+}
37
+
38
+stop() {
39
+	[ "${RC_CMD}" != "restart" ] || check_configuration || return 1
40
+	ebegin "Stopping ProFTPD"
41
+	start-stop-daemon --stop --quiet --retry 20 \
42
+		--pidfile /var/run/proftpd/proftpd.pid
43
+	eend $?
44
+}
45
+
46
+reload() {
47
+	check_configuration || return 1
48
+	ebegin "Reloading ProFTPD"
49
+	start-stop-daemon --quiet --signal HUP \
50
+		--pidfile /var/run/proftpd/proftpd.pid
51
+	eend $?
52
+}
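Review bot: In `check_configuration`, the line `/usr/sbin/proftpd -t &>/dev/null` uses the bash-only `&>` redirection, while the script runs under `#!/sbin/runscript`, which normally executes it with /bin/sh. Under a POSIX shell such as dash that line parses as a background job followed by an empty redirection, so `$?` is 0 and an invalid configuration would not be rejected before start, restart or reload. Write it as `/usr/sbin/proftpd -t >/dev/null 2>&1`. In `start()`, `mkdir /var/run/proftpd` sets no explicit mode and its failure is not checked, so a comment stating the intended owner and mode of the pid directory would help.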
0 53
new file mode 100644
... ...
@@ -0,0 +1,15 @@
1
+#
2
+# ProFTPd FTP daemon - http://www.proftpd.org
3
+#
4
+service ftp
5
+{
6
+       flags		= REUSE
7
+       socket_type	= stream
8
+       instances	= 30
9
+       wait		= no
10
+       user		= root
11
+       server		= /usr/sbin/proftpd
12
+       log_on_success	= HOST PID
13
+       log_on_failure	= HOST
14
+       disable		= yes
15
+}
0 16
new file mode 100644
... ...
@@ -0,0 +1,220 @@
1
+# Copyright 1999-2011 Gentoo Foundation
2
+# Distributed under the terms of the GNU General Public License v2
3
+# $Header: /var/cvsroot/gentoo-x86/net-ftp/proftpd/proftpd-1.3.3f.ebuild,v 1.4 2011/11/07 12:23:58 voyageur Exp $
4
+
5
+EAPI="2"
6
+inherit eutils autotools
7
+
8
+CASE_VER="0.4"
9
+CLAMAV_VER="0.11rc"
10
+DEFLATE_VER="0.5.4"
11
+GSS_VER="1.3.3"
12
+VROOT_VER="0.9.2"
13
+
14
+DESCRIPTION="An advanced and very configurable FTP server."
15
+HOMEPAGE="http://www.proftpd.org/
16
+	http://www.castaglia.org/proftpd/
17
+	http://www.thrallingpenguin.com/resources/mod_clamav.htm
18
+	http://gssmod.sourceforge.net/"
19
+SRC_URI="ftp://ftp.proftpd.org/distrib/source/${P/_/}.tar.bz2
20
+	case? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-case-${CASE_VER}.tar.gz )
21
+	clamav? ( https://secure.thrallingpenguin.com/redmine/attachments/download/1/mod_clamav-${CLAMAV_VER}.tar.gz )
22
+	deflate? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-deflate-${DEFLATE_VER}.tar.gz )
23
+	kerberos? ( mirror://sourceforge/gssmod/mod_gss-${GSS_VER}.tar.gz )
24
+	vroot? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-vroot-${VROOT_VER}.tar.gz )"
25
+LICENSE="GPL-2"
26
+
27
+SLOT="0"
28
+KEYWORDS="~alpha amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
29
+IUSE="acl authfile ban +caps case clamav +ctrls deflate doc exec ifsession ident ipv6 kerberos ldap mysql ncurses nls pam postgres radius ratio readme rewrite selinux sftp shaper sitemisc softquota ssl tcpd trace vroot xinetd"
30
+
31
+DEPEND="acl? ( sys-apps/acl sys-apps/attr )
32
+	caps? ( sys-libs/libcap )
33
+	clamav? ( app-antivirus/clamav )
34
+	kerberos? ( virtual/krb5 )
35
+	ldap? ( net-nds/openldap )
36
+	mysql? ( virtual/mysql )
37
+	ncurses? ( sys-libs/ncurses )
38
+	pam? ( virtual/pam )
39
+	postgres? ( dev-db/postgresql-base )
40
+	sftp? ( dev-libs/openssl )
41
+	ssl? ( dev-libs/openssl )
42
+	tcpd? ( sys-apps/tcp-wrappers )
43
+	xinetd? ( virtual/inetd )"
44
+RDEPEND="${DEPEND}
45
+	net-ftp/ftpbase
46
+	selinux? ( sec-policy/selinux-ftpd )"
47
+
48
+S="${WORKDIR}/${P/_/}"
49
+
50
+__prepare_module() {
51
+	mv "${WORKDIR}"/$1/$1.c contrib
52
+	mv "${WORKDIR}"/$1/$1.html doc/contrib
53
+	rm -rf "${WORKDIR}"/$1
54
+}
55
+
56
+pkg_setup() {
57
+	if [ -f "${ROOT}"/var/run/proftpd.pid ] ; then
58
+		eerror "Your ProFTPD server is running. In order to install this update"
59
+		eerror "you have to stop the running server. If you are using ProFTPD in"
60
+		eerror "the standalone mode you can stop the server by executing:"
61
+		eerror "  /etc/init.d/proftpd stop"
62
+		eerror "If you are sure that ProFTPD is not running anymore you have to"
63
+		eerror "delete the /var/run/proftpd.pid file."
64
+		die "This update requires to stop the ProFTPD server!"
65
+	fi
66
+}
67
+
68
+src_prepare() {
69
+	use case && __prepare_module mod_case
70
+	if use clamav ; then
71
+		mv "${WORKDIR}"/mod_clamav-${CLAMAV_VER}/mod_clamav.{c,h} contrib
72
+		epatch "${WORKDIR}"/mod_clamav-${CLAMAV_VER}/${PN}.patch
73
+		rm -rf "${WORKDIR}"/mod_clamav-${CLAMAV_VER}
74
+	fi
75
+	use deflate && __prepare_module mod_deflate
76
+	use vroot && __prepare_module mod_vroot
77
+
78
+	# Fix MySQL includes
79
+	sed -i -e "s/<mysql.h>/<mysql\/mysql.h>/g" contrib/mod_sql_mysql.c
80
+
81
+	# Manipulate build system
82
+	sed -i -e "s/utils install-conf install/utils install/g" Makefile.in
83
+	sed -i -e "s/ @INSTALL_STRIP@//g" Make.rules.in
84
+
85
+	# Support new versions of mit-krb5 (Gentoo Bugs #284853, #324903)
86
+	if use kerberos ; then
87
+		cd "${WORKDIR}"/mod_gss-${GSS_VER}
88
+		sed -i -e "s/krb5_principal2principalname/_\0/" mod_auth_gss.c.in
89
+		sed -i -e "/ac_gss_libs/s/\-ldes425\ //" configure.in
90
+		eautoreconf
91
+	fi
92
+}
93
+
94
+src_configure() {
95
+	local myc myl mym
96
+
97
+	use acl && mym="${mym}:mod_facl"
98
+	use ban && mym="${mym}:mod_ban"
99
+	use case && mym="${mym}:mod_case"
100
+	use clamav && mym="${mym}:mod_clamav"
101
+	if use ctrls || use ban || use shaper ; then
102
+		myc="${myc} --enable-ctrls"
103
+		mym="${mym}:mod_ctrls_admin"
104
+	fi
105
+	use deflate && mym="${mym}:mod_deflate"
106
+	use exec && mym="${mym}:mod_exec"
107
+	if use kerberos ; then
108
+		cd "${WORKDIR}"/mod_gss-${GSS_VER}
109
+		if has_version app-crypt/mit-krb5 ; then
110
+			econf --enable-mit
111
+		else
112
+			econf --enable-heimdal
113
+		fi
114
+		mv mod_{auth_gss,gss}.c "${S}"/contrib
115
+		mv mod_gss.h "${S}"/include
116
+		mv README.mod_{auth_gss,gss} "${S}"
117
+		mv mod_gss.html "${S}"/doc/contrib
118
+		mv rfc{1509,2228}.txt "${S}"/doc/rfc
119
+		cd "${S}"
120
+		rm -rf "${WORKDIR}"/mod_gss-${GSS_VER}
121
+		mym="${mym}:mod_gss:mod_auth_gss"
122
+	fi
123
+	if use ldap ; then
124
+		myl="${myl} -lresolv"
125
+		mym="${mym}:mod_ldap"
126
+	fi
127
+	if use mysql || use postgres ; then
128
+		mym="${mym}:mod_sql:mod_sql_passwd"
129
+		if use mysql ; then
130
+			myc="${myc} --with-includes=/usr/include/mysql"
131
+			mym="${mym}:mod_sql_mysql"
132
+		fi
133
+		if use postgres ; then
134
+			myc="${myc} --with-includes=/usr/include/postgresql"
135
+			mym="${mym}:mod_sql_postgres"
136
+		fi
137
+	fi
138
+	if use sftp || use ssl ; then
139
+		CFLAGS="${CFLAGS} -DHAVE_OPENSSL"
140
+		myc="${myc} --enable-openssl --with-includes=/usr/include/openssl"
141
+		myl="${myl} -lcrypto"
142
+	fi
143
+	use radius && mym="${mym}:mod_radius"
144
+	use ratio && mym="${mym}:mod_ratio"
145
+	use readme && mym="${mym}:mod_readme"
146
+	use rewrite && mym="${mym}:mod_rewrite"
147
+	if use sftp ; then
148
+		mym="${mym}:mod_sftp"
149
+		use pam && mym="${mym}:mod_sftp_pam"
150
+		if use mysql || use postgres ; then
151
+			mym="${mym}:mod_sftp_sql"
152
+		fi
153
+	fi
154
+	use shaper && mym="${mym}:mod_shaper"
155
+	use sitemisc && mym="${mym}:mod_site_misc"
156
+	if use softquota ; then
157
+		mym="${mym}:mod_quotatab:mod_quotatab_file"
158
+		use ldap && mym="${mym}:mod_quotatab_ldap"
159
+		use radius && mym="${mym}:mod_quotatab_radius"
160
+		if use mysql || use postgres ; then
161
+			mym="${mym}:mod_quotatab_sql"
162
+		fi
163
+	fi
164
+	use ssl && mym="${mym}:mod_tls:mod_tls_shmcache"
165
+	use tcpd && mym="${mym}:mod_wrap"
166
+	use vroot && mym="${mym}:mod_vroot"
167
+	# mod_ifsession needs to be the last module in the mym list.
168
+	use ifsession && mym="${mym}:mod_ifsession"
169
+
170
+	[ -z ${mym} ] || myc="${myc} --with-modules=${mym:1}"
171
+	LIBS="${myl:1}" econf --sbindir=/usr/sbin --localstatedir=/var/run/proftpd \
172
+		--sysconfdir=/etc/proftpd --enable-shadow --enable-autoshadow ${myc:1} \
173
+		$(use_enable acl facl) \
174
+		$(use_enable authfile auth-file) \
175
+		$(use_enable caps cap) \
176
+		$(use_enable ident) \
177
+		$(use_enable ipv6) \
178
+		$(use_enable ncurses) \
179
+		$(use_enable nls) \
180
+		$(use_enable trace) \
181
+		$(use_enable pam auth-pam)
182
+}
183
+
184
+src_install() {
185
+	emake DESTDIR="${D}" install || die "install failed"
186
+
187
+	insinto /etc/proftpd
188
+	doins "${FILESDIR}"/proftpd.conf.sample
189
+	newinitd "${FILESDIR}"/proftpd.initd proftpd
190
+	if use xinetd ; then
191
+		insinto /etc/xinetd.d
192
+		newins "${FILESDIR}"/proftpd.xinetd proftpd
193
+	fi
194
+
195
+	dodoc ChangeLog CREDITS INSTALL NEWS README* RELEASE_NOTES
196
+	if use doc ; then
197
+		dohtml doc/*.html doc/contrib/*.html doc/howto/*.html doc/modules/*.html
198
+		docinto rfc
199
+		dodoc doc/rfc/*.txt
200
+	fi
201
+}
202
+
203
+pkg_postinst() {
204
+	if use mysql && use postgres ; then
205
+		elog
206
+		elog "ProFTPD has been built with the MySQL and PostgreSQL modules."
207
+		elog "You can use the 'SQLBackend' directive to specify the used SQL"
208
+		elog "backend. Without this directive the default backend is MySQL."
209
+		elog
210
+	fi
211
+	if use exec ; then
212
+		ewarn
213
+		ewarn "ProFTPD has been built with the mod_exec module. This module"
214
+		ewarn "can be a security risk for your server as it executes external"
215
+		ewarn "programs. Vulnerables in these external programs may disclose"
216
+		ewarn "information or even compromise your server."
217
+		ewarn "You have been warned! Use this module at your own risk!"
218
+		ewarn
219
+	fi
220
+}
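Review bot: `pkg_setup` tests for `"${ROOT}"/var/run/proftpd.pid`, but `src_configure` passes `--localstatedir=/var/run/proftpd` and the init script added in this commit uses `/var/run/proftpd/proftpd.pid`, so the running-server guard looks like it cannot fire for a server installed with this layout. If the check is meant only to catch servers left over from an older pid-file location, a comment such as `# Old installs wrote the pid file directly to /var/run.` would make that clear. Otherwise test both paths, e.g. `if [ -f "${ROOT}"/var/run/proftpd.pid ] || [ -f "${ROOT}"/var/run/proftpd/proftpd.pid ] ; then`, and mention both in the `eerror` text. In `src_configure`, `[ -z ${mym} ]` should quote the expansion as `[ -z "${mym}" ]`.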