pkgsrc/net/vsftpd/patches/patch-af

98 lines
3.8 KiB

Update to 2.0.4, based on 2.0.1 update from Ove Soerensen in PR 26811.
Add ssl (default off) and tcpwrappers (default on) options.

Changes:
- Improve logging (log deletes, renames, chmods, etc. as requested by users).
- Add no_log_lock to work around Solaris / Veritas locking hangs.
- Add EPRT, EPSV, PASV and TVFS to FEAT response.
- Implement use of MDTM to set timestamps.
- Recognize FEAT prior to login.
- Add OpenSSL (AUTH TLS / SSL) support for encrypted control and data connections! Hurrah.
- Increase max size of .message files to 4000 characters, thanks to Eric Pancer for the report.
- Add easy builddefs.h ability to disable PAM builds even when PAM is installed.
- Report vsftpd version in STAT output.
- Add REFS file.
- Change parent<->child socket comms from DGRAM to STREAM for increased reliability. The main benefit is should the parent be killed (or crash out) then the child won't block on a read() that will never return.
- Make str_reserve reserve space for the trailing zero as well, so we don't cause a reallocation if we exactly fill the buffer.
- Optimize the sending of strings over the parent<->child comms links.
- Improve the build system so tcp_wrappers, PAM and OpenSSL can be forcibly compiled out.
- Fix vsftpd.conf.5 typos, thanks to Dmitry V. Levin
- If trans_chunk_size is between 1 and 4096, use 4096 rather than ignoring totally. Thanks to Brad
- Lose Makefile.sun and README.solaris special cases.
- Add SSL / TLS info to SECURITY texts.
- Add README.ssl
- Add documentation for new SSL options to vsftpd.conf.5.
- Add support for CWD ~ (and in general support ~ at start of any filename). Also support stuff like ~chris/pics, if tilde_user_enable=YES is set. Note that all of this is for very very broken clients :-(
- Fix compile warnings.
- Update INSTALL with (recent) OS X as a working platform.

At this point: v2.0.0 released!
===============================
- Add -lcrypto for the SSL build; needed for some systems! Thanks to Nelson Chang
- Oops; fix session bale out if an empty length password is given.
- Fix build on Fedora Core 2 (-lcap cannot seem to find /lib/libcap.so).
- Fix vsftpd.conf.5 man page error in "ssl_sslv3", thanks to Etienne Chevillard
- Clarify licensing: I allow linking of my GPL software with the OpenSSL libraries. Thanks to Jonas Bofjall
- Add COPYRIGHT.
- Fix build on OpenBSD, FreeBSD, probably NetBSD too (they aren't SuSv2 compliant; timezone should be a variable not a function).
- Fix build where PAM build is enabled but PAM headers are missing.
- Fix build on RHEL3 (remove errant include from twoprocess.c).

At this point: v2.0.1 released!
===============================
- Fix FAQ typo, thanks to Jose Santiago Oyervides Gonzalez
- Emit data transfer status messages (success / failure) after flushing and waiting for the full data transfer to reach the client. This should help work around buggy FTP clients such as FlashFXP, which is known to truncate files incorrectly.
(v2.0.2pre1)
- Make str_empty actually allocate an empty string.
- Change the ASCII receive code to ONLY rip out \r if it is just before a \n; someone finally complained about this.
(v2.0.2pre2)
- Enable AIX Large File Support #define from Tomas gren
- Add a couple of FAQ entries.
- Fix time delta code areas to cope with negative deltas, which will occur if the clock is adjusted backwards. Thanks to Andrew Anderson for a great report.
- Fix "errno" checks to be robust in multiple places; previously, calls to failing library calls could be made in between the original library call and the "errno" reads. Thanks to Andrew Anderson for a great report.
- Make bandwidth limiter work with SSL data connections.
(v2.0.2pre3)
- Note that the SSL / bandwidth limiter bug fixed a much more serious bug: SSL data connection dropouts after data_connection_timeout seconds.
- Typo fixes.

At this point: v2.0.2 released! (need to get the SSL dropout fix out)
=====================================================================
- Document what regex expressions are supported in the man page.
- New settings rsa_private_key_file and dsa_private_key_file to allow separate files for the certificates and private keys.
- Initial, simple fix for timed out processes not exiting when SSL is in use. Better fix (which reports timeout to client properly) to follow.
- Add which setsockopt option failed to die("setsockopt") calls.
- Fix when running on recent OpenBSDs - OpenBSD change broke vsftpd. Lower linger timeout from INT_MAX to 32767 (SHORT_MAX). Reported by Ewoud van der Vliet and Ed Vazquez
(v2.0.3pre1)
- Fix error with IPv4 connections to IPv6 listeners and PORT type data connections when connect_from_port_20 is set. RedHat bugzilla 134541. Reported by Joe Orton, Radek Vokal and Andreas Kupfer
- Remove vsf_sysutil_sockaddr_same_family (unused).
- Support protocol 1 (IPv4) in EPRT.
- Add ssl.c to AUDIT.
- Allow config file to use "ssl_ciphers=" to use default OpenSSL cipher list.
- Allow "EPSV 1" to mean IPv4 EPSV.
- Report dummy IP but correct port with IPv6 / PASV.
- Handle SSL_WANT_READ and SSL_WANT_WRITE retries in SSL_read and SSL_write; fixes SSL upload failures when data timeouts are in use with some clients. Specifically, I used the test case FileZilla 2.2.12a on Windows XP. Reported by Lee Lawrence (using CuteFTP and BackupEdge) and Christian DELAIR (using lftp, FileZilla and SmartFTP). Thanks to these two people for valuable help.
(v2.0.3pre2)
- Implicitly disable connect_from_port_20 and chown_uploads when a non-root user is using run_as_launching_user.
- Add force_anon_logins_ssl and force_anon_data_ssl for a fully SSL secure anonymous-only solution (useful when you don't have root access and a range of acceptable anonymous passwords as credentials).
- Use SSL BIO callbacks to fix data connection timeout checks; the checks weren't all occurring promptly.

At this point: v2.0.3 released! (need to get about three important fixes out)
============================================================================
- Add explicit "This FTP server does not allow anonymous logins" message.
- Add paranoid checks to sysutil.c for large values / lengths.
- Fix incorrect comment about ASCII and SIZE in the vsftpd.conf example.
- Load per-IP config files earlier; allows more settings to be tuned on a per-IP level. Suggested by Reber Tobias
- Fix MDTM on non-existent files. Reported by Ken A
- {} regex fix so that {*} correctly matches everything. Reported by Tom Van de Wiele
- Add "mdtm_write" option to disable MDTM being able to set file timestamps.
- Fix HPUX build, thanks to Kevin Vajk
- Add optional file locking support via lock_upload_files (default on).
- Apply LDFLAGS patch from Mads Martin Joergensen
- Add pasv_addr_resolve option to allow pasv_address to get DNS resolved once at startup.
- Apply patch to fix timezone issues (caused by chroot() interacting badly with newer glibc versions). Thanks to Dmitry V. Levin and Mads Martin Joergensen

At this point: v2.0.4 released!
===============================
2006-01-13 19:12:46 +01:00
$NetBSD: patch-af,v 1.4 2006/01/13 18:12:46 wiz Exp $
--- vsftpd.conf.5.orig 2006-01-07 20:35:50.000000000 +0100
+++ vsftpd.conf.5
@@ -4,7 +4,7 @@ vsftpd.conf \- config file for vsftpd
Updated to version 1.1.3. Addresses PR pkg/21410 by Jens Liebau.
- honour PKG_SYSCONFDIR
- rcd script, standalone mode support
- tcp wrappers support
- install vsftpd:vsftpd user
- new HOMEPAGE and MASTER_SITES

1.1.3:
======
- Support for tcp_wrappers.
- First stab at Solaris sendfilev() support.
- Don't bomb out the listener on SIGHUP if the config became invalid.
- End vsf_findlibs.sh with "exit 0;" - thanks Lars Hecking <lhecking@nmrc.ie>!
- Integrate with tcp_wrappers - load config based on VSFTPD_LOAD_CONF environment variables. Allows per-IP configurability in standalone mode.
- Fix build without tcp_wrappers.
- Fix Solaris sendfilev() support - interruption via a signal returns EINTR rather than a partial byte count!
- Add to EXAMPLE/ - PER_IP_CONFIG and INTERNET_SITE_NOINETD

1.1.2:
======
- Add per-IP connection limits in standalone mode.
- Add logging of refused connect due to global or IP connection limits.
- (Many thanks for testing and suggestions from Rob van Nieuwkerk <robn@verdi.et.tudelft.nl> and Adrian Reber <adrian@lisas.de>.
- Make connection limit exceeded messages nonblocking.
- Don't exit the listener if fork fails.

1.1.1:
======
- Fix port_promiscuous, oops! Thanks to Bjørn-Ove Heimsund <bjornoh@mi.uib.no>.
- Fix to support umasks which create executable files. Reported by "Martin, Andreas" <AMartin@hegau-klinikum.de>.
- Make the messages more.. professional :( Thanks to Steven G. Taylor <staylor@redhat.com>.
- Allow anon users to append to files if they can delete files! Suggestion from Michael Leuchtenburg <michael@slashhome.org>.
- Hopefully fix Solaris build (-lresolv)
- Replace atoll() with a homebrew - modern FreeBSD, OpenBSD lack it.
- Different solution for a umask which creates executable files: file_open_mode.
- First attempt at Tru64 build, working with <Sulla17@aol.com>.
- A few minor FAQ additions.
- Change date format in the log from Sep 09 -> Sep 9. Avoids breaking some broken log parsers.
- Make "INSTALL" better and clearer.
- Fix passwd_chroot_enable, reported by James Jones <james@richland.edu>.
- Finish Tru64 building :-)
- Add tunable_no_anon_password as asked for by Stephen Quinney <stephen.quinney@computing-services.oxford.ac.uk>.

1.1.0:
======
- large file (>2Gb) support).
- Fix .spec files to use /usr/local/sbin not /usr/sbin, noted by Bill Unruh <unruh@physics.ubc.ca>.
- Small doc tweaks and improvements(?)
- Add COPYING, the GNU GPL version 2.
- Add use_localtime config option to override the use of GMT times.
- Add tunable_check_shell (default YES) so people can disable this if they are not using PAM.
- AIX 5.1 build support, thanks to Jan-Frode Myklebust <janfrode@parallab.uib.no>.
- Add "hide_ids" option to show user/group in directory listings as "ftp". Request from Solar.
- Use the seemingly more portable setreuid() and setregid(), poxy HP.
- Use status 550 instead of 500 for known but disabled commands.
- Rename "dirchange.[ch]" to "banner.[ch]".
- Multiline connect banner support via "banner_file" config option.
- Minor error message changes.
- Add more FAQ entries.
- Add patch to specify PASV address - thanks to Mike McLean <mikem@redhat.com>.
- Drop the 2.4.0 kernel warning file
- Rudimentary standalone listener support - to be expanded in a later release.
- If sendfile() returns EINVAL just fall back to normal routines - handles non-pagecache backed files.
- Add "port_promiscuous" setting - should help enabling FXP.
- Modify anon_root and local_root to change directory _before_ applying the chroot().
- Open all files O_NONBLOCK to avoid pipes blocking on open.
- Support wu-ftpd style per-user chroot() via /./ in /etc/passwd HOMEDIR.
- Add SIGHUP support to new built in listener.
- Per-user config overrides, via "user_config_dir" - woohoo!
- Warning fixes, i.e. change "index" to "indexx" thanks to Olaf Kirch <okir@suse.de>.
- Make sure the standalone daemon doesn't leak zombies!
- Supposedly fix kernel messages about MSG_PEEK race - thanks to advice from Alexey <kuznet@ms2.inr.ac.ru>.
- Add global client limit for standalone mode.
- Add username that failed when we die with str_getpwnam.
- Add a bunch of documentation under EXAMPLES.
2003-05-10 01:31:38 +02:00
.SH DESCRIPTION
vsftpd.conf may be used to control various aspects of vsftpd's behaviour. By
default, vsftpd looks for this file at the location
-.BR /etc/vsftpd.conf .
+.BR @PKG_SYSCONFDIR@/vsftpd.conf .
However, you may override this by specifying a command line argument to
vsftpd. The command line argument is the pathname of the configuration file
for vsftpd. This behaviour is useful because you may wish to use an advanced
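Review bot: The added line `.BR @PKG_SYSCONFDIR@/vsftpd.conf .` leaves a literal placeholder in the installed man page unless the package build substitutes it, and nothing in this patch shows where that happens. Confirm that vsftpd.conf.5 is covered by the package's substitution step and that the substituted path is the same default the daemon is built to read; if the two differ, an administrator following the man page edits a file vsftpd does not load by default. A one-line comment after the $NetBSD$ tag saying that the patch points documented paths at PKG_SYSCONFDIR would also help later reviewers.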
@@ -136,7 +136,7 @@ chroot() jail in their home directory up
different if chroot_local_user is set to YES. In this case, the list becomes
a list of users which are NOT to be placed in a chroot() jail.
By default, the file containing this list is
-/etc/vsftpd.chroot_list, but you may override this with the
+@PKG_SYSCONFDIR@/vsftpd.chroot_list, but you may override this with the
.BR chroot_list_file
setting.
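Review bot: The new default `@PKG_SYSCONFDIR@/vsftpd.chroot_list` in this hunk needs a matching change to the built-in default for chroot_list_file, which this documentation-only patch does not show. The context lines state that with chroot_local_user set to YES the file lists users who are NOT placed in a chroot() jail, so a mismatch between the documented and actual path means the list an administrator maintains is not the one vsftpd reads. Please check the companion source patch uses the same directory, or mention here which patch carries it.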
@@ -164,7 +164,7 @@ Default: NO (but the sample config file
Updated to version 1.1.3. Addresses PR pkg/21410 by Jens Liebau.
- honour PKG_SYSCONFDIR
- rcd script, standalone mode support
- tcp wrappers support
- install vsftpd:vsftpd user
- new HOMEPAGE and MASTER_SITES

1.1.3:
======
- Support for tcp_wrappers.
- First stab at Solaris sendfilev() support.
- Don't bomb out the listener on SIGHUP if the config became invalid.
- End vsf_findlibs.sh with "exit 0;" - thanks Lars Hecking <lhecking@nmrc.ie>!
- Integrate with tcp_wrappers - load config based on VSFTPD_LOAD_CONF environment variables. Allows per-IP configurability in standalone mode.
- Fix build without tcp_wrappers.
- Fix Solaris sendfilev() support - interruption via a signal returns EINTR rather than a partial byte count!
- Add to EXAMPLE/ - PER_IP_CONFIG and INTERNET_SITE_NOINETD

1.1.2:
======
- Add per-IP connection limits in standalone mode.
- Add logging of refused connect due to global or IP connection limits.
- (Many thanks for testing and suggestions from Rob van Nieuwkerk <robn@verdi.et.tudelft.nl> and Adrian Reber <adrian@lisas.de>.
- Make connection limit exceeded messages nonblocking.
- Don't exit the listener if fork fails.

1.1.1:
======
- Fix port_promiscuous, oops! Thanks to Bjørn-Ove Heimsund <bjornoh@mi.uib.no>.
- Fix to support umasks which create executable files. Reported by "Martin, Andreas" <AMartin@hegau-klinikum.de>.
- Make the messages more.. professional :( Thanks to Steven G. Taylor <staylor@redhat.com>.
- Allow anon users to append to files if they can delete files! Suggestion from Michael Leuchtenburg <michael@slashhome.org>.
- Hopefully fix Solaris build (-lresolv)
- Replace atoll() with a homebrew - modern FreeBSD, OpenBSD lack it.
- Different solution for a umask which creates executable files: file_open_mode.
- First attempt at Tru64 build, working with <Sulla17@aol.com>.
- A few minor FAQ additions.
- Change date format in the log from Sep 09 -> Sep 9. Avoids breaking some broken log parsers.
- Make "INSTALL" better and clearer.
- Fix passwd_chroot_enable, reported by James Jones <james@richland.edu>.
- Finish Tru64 building :-)
- Add tunable_no_anon_password as asked for by Stephen Quinney <stephen.quinney@computing-services.oxford.ac.uk>.

1.1.0:
======
- large file (>2Gb) support).
- Fix .spec files to use /usr/local/sbin not /usr/sbin, noted by Bill Unruh <unruh@physics.ubc.ca>.
- Small doc tweaks and improvements(?)
- Add COPYING, the GNU GPL version 2.
- Add use_localtime config option to override the use of GMT times.
- Add tunable_check_shell (default YES) so people can disable this if they are not using PAM.
- AIX 5.1 build support, thanks to Jan-Frode Myklebust <janfrode@parallab.uib.no>.
- Add "hide_ids" option to show user/group in directory listings as "ftp". Request from Solar.
- Use the seemingly more portable setreuid() and setregid(), poxy HP.
- Use status 550 instead of 500 for known but disabled commands.
- Rename "dirchange.[ch]" to "banner.[ch]".
- Multiline connect banner support via "banner_file" config option.
- Minor error message changes.
- Add more FAQ entries.
- Add patch to specify PASV address - thanks to Mike McLean <mikem@redhat.com>.
- Drop the 2.4.0 kernel warning file
- Rudimentary standalone listener support - to be expanded in a later release.
- If sendfile() returns EINVAL just fall back to normal routines - handles non-pagecache backed files.
- Add "port_promiscuous" setting - should help enabling FXP.
- Modify anon_root and local_root to change directory _before_ applying the chroot().
- Open all files O_NONBLOCK to avoid pipes blocking on open.
- Support wu-ftpd style per-user chroot() via /./ in /etc/passwd HOMEDIR.
- Add SIGHUP support to new built in listener.
- Per-user config overrides, via "user_config_dir" - woohoo!
- Warning fixes, i.e. change "index" to "indexx" thanks to Olaf Kirch <okir@suse.de>.
- Make sure the standalone daemon doesn't leak zombies!
- Supposedly fix kernel messages about MSG_PEEK race - thanks to advice from Alexey <kuznet@ms2.inr.ac.ru>.
- Add global client limit for standalone mode.
- Add username that failed when we die with str_getpwnam.
- Add a bunch of documentation under EXAMPLES.
2003-05-10 01:31:38 +02:00
.B deny_email_enable
If activated, you may provide a list of anonymous password e-mail responses
which cause login to be denied. By default, the file containing this list is
-/etc/vsftpd.banned_emails, but you may override this with the
+@PKG_SYSCONFDIR@/vsftpd.banned_emails, but you may override this with the
.BR banned_email_file
setting.
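Review bot: the added line in the deny_email_enable paragraph puts the raw token @PKG_SYSCONFDIR@ into roff source, and man will print it literally unless the package substitutes it before vsftpd.conf.5 is installed. Nothing in this hunk shows that step, so please confirm the build's substitution pass covers this file, and consider a post-install check that no @PKG_SYSCONFDIR@ string remains in the installed page.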
Update to 2.0.4, based on 2.0.1 update from Ove Soerensen in PR 26811.
Add ssl (default off) and tcpwrappers (default on) options.

Changes:
- Improve logging (log deletes, renames, chmods, etc. as requested by users).
- Add no_log_lock to work around Solaris / Veritas locking hangs.
- Add EPRT, EPSV, PASV and TVFS to FEAT response.
- Implement use of MDTM to set timestamps.
- Recognize FEAT prior to login.
- Add OpenSSL (AUTH TLS / SSL) support for encrypted control and data connections! Hurrah.
- Increase max size of .message files to 4000 characters, thanks to Eric Pancer for the report.
- Add easy builddefs.h ability to disable PAM builds even when PAM is installed.
- Report vsftpd version in STAT output.
- Add REFS file.
- Change parent<->child socket comms from DGRAM to STREAM for increased reliability. The main benefit is should the parent be killed (or crash out) then the child won't block on a read() that will never return.
- Make str_reserve reserve space for the trailing zero as well, so we don't cause a reallocation if we exactly fill the buffer.
- Optimize the sending of strings over the parent<->child comms links.
- Improve the build system so tcp_wrappers, PAM and OpenSSL can be forcibly compiled out.
- Fix vsftpd.conf.5 typos, thanks to Dmitry V. Levin
- If trans_chunk_size is between 1 and 4096, use 4096 rather than ignoring totally. Thanks to Brad
- Lose Makefile.sun and README.solaris special cases.
- Add SSL / TLS info to SECURITY texts.
- Add README.ssl
- Add documentation for new SSL options to vsftpd.conf.5.
- Add support for CWD ~ (and in general support ~ at start of any filename). Also support stuff like ~chris/pics, if tilde_user_enable=YES is set. Note that all of this is for very very broken clients :-(
- Fix compile warnings.
- Update INSTALL with (recent) OS X as a working platform.

At this point: v2.0.0 released!
===============================
- Add -lcrypto for the SSL build; needed for some systems! Thanks to Nelson Chang
- Oops; fix session bale out if an empty length password is given.
- Fix build on Fedora Core 2 (-lcap cannot seem to find /lib/libcap.so).
- Fix vsftpd.conf.5 man page error in "ssl_sslv3", thanks to Etienne Chevillard
- Clarify licensing: I allow linking of my GPL software with the OpenSSL libraries. Thanks to Jonas Bofjall
- Add COPYRIGHT.
- Fix build on OpenBSD, FreeBSD, probably NetBSD too (they aren't SuSv2 compliant; timezone should be a variable not a function).
- Fix build where PAM build is enabled but PAM headers are missing.
- Fix build on RHEL3 (remove errant include from twoprocess.c).

At this point: v2.0.1 released!
===============================
- Fix FAQ typo, thanks to Jose Santiago Oyervides Gonzalez
- Emit data transfer status messages (success / failure) after flushing and waiting for the full data transfer to reach the client. This should help work around buggy FTP clients such as FlashFXP, which is known to truncate files incorrectly.
(v2.0.2pre1)
- Make str_empty actually allocate an empty string.
- Change the ASCII receive code to ONLY rip out \r if it is just before a \n; someone finally complained about this.
(v2.0.2pre2)
- Enable AIX Large File Support #define from Tomas Ogren
- Add a couple of FAQ entries.
- Fix time delta code areas to cope with negative deltas, which will occur if the clock is adjusted backwards. Thanks to Andrew Anderson for a great report.
- Fix "errno" checks to be robust in multiple places; previously, calls to failing library calls could be made in between the original library call and the "errno" reads. Thanks to Andrew Anderson for a great report.
- Make bandwidth limiter work with SSL data connections.
(v2.0.2pre3)
- Note that the SSL / bandwidth limiter bug fixed a much more serious bug: SSL data connection dropouts after data_connection_timeout seconds.
- Typo fixes.

At this point: v2.0.2 released! (need to get the SSL dropout fix out)
=====================================================================
- Document what regex expressions are supported in the man page.
- New settings rsa_private_key_file and dsa_private_key_file to allow separate files for the certificates and private keys.
- Initial, simple fix for timed out processes not exiting when SSL is in use. Better fix (which reports timeout to client properly) to follow.
- Add which setsockopt option failed to die("setsockopt") calls.
- Fix when running on recent OpenBSDs - OpenBSD change broke vsftpd. Lower linger timeout from INT_MAX to 32767 (SHORT_MAX). Reported by Ewoud van der Vliet and Ed Vazquez
(v2.0.3pre1)
- Fix error with IPv4 connections to IPv6 listeners and PORT type data connections when connect_from_port_20 is set. RedHat bugzilla 134541. Reported by Joe Orton, Radek Vokal and Andreas Kupfer
- Remove vsf_sysutil_sockaddr_same_family (unused).
- Support protocol 1 (IPv4) in EPRT.
- Add ssl.c to AUDIT.
- Allow config file to use "ssl_ciphers=" to use default OpenSSL cipher list.
- Allow "EPSV 1" to mean IPv4 EPSV.
- Report dummy IP but correct port with IPv6 / PASV.
- Handle SSL_WANT_READ and SSL_WANT_WRITE retries in SSL_read and SSL_write; fixes SSL upload failures when data timeouts are in use with some clients. Specifically, I used the test case FileZilla 2.2.12a on Windows XP. Reported by Lee Lawrence (using CuteFTP and BackupEdge) and Christian DELAIR (using lftp, FileZilla and SmartFTP). Thanks to these two people for valuable help.
(v2.0.3pre2)
- Implicitly disable connect_from_port_20 and chown_uploads when a non-root user is using run_as_launching_user.
- Add force_anon_logins_ssl and force_anon_data_ssl for a fully SSL secure anonymous-only solution (useful when you don't have root access and a range of acceptable anonymous passwords as credentials).
- Use SSL BIO callbacks to fix data connection timeout checks; the checks weren't all occurring promptly.

At this point: v2.0.3 released! (need to get about three important fixes out)
============================================================================
- Add explicit "This FTP server does not allow anonymous logins" message.
- Add paranoid checks to sysutil.c for large values / lengths.
- Fix incorrect comment about ASCII and SIZE in the vsftpd.conf example.
- Load per-IP config files earlier; allows more settings to be tuned on a per-IP level. Suggested by Reber Tobias
- Fix MDTM on non-existent files. Reported by Ken A
- {} regex fix so that {*} correctly matches everything. Reported by Tom Van de Wiele
- Add "mdtm_write" option to disable MDTM being able to set file timestamps.
- Fix HPUX build, thanks to Kevin Vajk
- Add optional file locking support via lock_upload_files (default on).
- Apply LDFLAGS patch from Mads Martin Joergensen
- Add pasv_addr_resolve option to allow pasv_address to get DNS resolved once at startup.
- Apply patch to fix timezone issues (caused by chroot() interacting badly with newer glibc versions). Thanks to Dmitry V. Levin and Mads Martin Joergensen

At this point: v2.0.4 released!
===============================
2006-01-13 19:12:46 +01:00
@@ -392,7 +392,7 @@ anonymous logins are prevented unless th
Update to version 1.2.1.

Changes:
- Apply NetBSD patch to sysdeputil.c to activate a few features. Thanks to Lubomir Sedlacik <salo@netbsd.org>.
- Apply fix for broken clients that terminate commands with \r\r\n. Thanks to Andrey Chernomyrdin <andrey@excom.spb.su>.
- AIX send_file support, thanks to Tomas Ogren <stric@ing.umu.se>.
- Fix typos in vsftpd.conf.5, thanks to SEKINE Tatsuo <tsekine@sdri.co.jp>.
- Simple -F flag support to LIST and NLST. Needed for some broken clients.
- Add simple ? wildcard in pattern matching.
- Make pasv_min_port and pasv_max_port work if they are the same value. Thanks to Marvin Solomon <solomon@cs.wisc.edu>.
- Paranoia: ignore user_config_dir if username has a / in it.
- Implement stub ALLO command to keep busybox/ftpput happy.
- Implement REIN, ACCT and SMNT stubs.
- Implement FEAT along with an OPTS stub.
- Implement STAT (no-args version).
- Implement STAT (file/dir).
- Add very simple access control via hide_file and deny_file. These should NOT be used for securing content as they are very dumb! Filesystem permissions are still the recommended way for securing important content.
- Allow unsetting of string values with option= (i.e. blank).
- Default virtual users to being chroot()'ed to the guest_user's home directory, if virtual_use_local_privs is not set.
- Add support for "user_sub_token", where you can set the home directory of guest_user to "/home/virtual/$USER", and "user_sub_token" to "$USER" to have a root directory auto generated based on username logging in, e.g. fred logs in and gets chroot()'ed in /home/virtual/fred.
- Fix bug in str_replace_text if replace token matches at end of string.
- Recognize P@SW as PASV; works around an SMC router bug.
- Accept an async ABOR sequence if it arrives via non-urgent data. Fixes issue with Cisco routers. Thanks to Eddie Corns <E.Corns@ed.ac.uk>.
- Implement simple {,} support in pattern matcher (nested not handled). Handy to use with hide_file and deny_file options.
- Fix port range with pasv_min_port and pasv_max_port to use the full range (the upper limit wasn't being used very often!).
- Activate SO_REUSEADDR on passive listen sockets - makes servers with restricted port ranges much more useable!
- Add secure_email_list_enable, to provide simple anonymous password control. For some cases, it's better than the hassle of virtual users. Idea thanks to Malcolm O'Callaghan, <mjo@stamps.com>.
- Add some FAQ entries.
- Fix issue with failure to call openlog() before using tcp_wrappers. Part of RH bugzilla #89765. (The more serious part was fixed with v1.2.0).
2004-01-01 05:39:22 +01:00
file specified by the
.BR email_password_file
setting. The file format is one password per line, no extra whitespace. The
-default filename is /etc/vsftpd.email_passwords.
+default filename is @PKG_SYSCONFDIR@/vsftpd.email_passwords.
Default: NO
.TP
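Review bot: missing documentation on the changed email_password_file line: the text says the file holds one password per line but gives no expected ownership or permissions for it in its new location. Since these passwords are what gate anonymous login, suggest adding a sentence stating who should own the file and that it should not be world-readable.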
@@ -672,7 +672,7 @@ passwords which are not permitted. This
.BR deny_email_enable
is enabled.
-Default: /etc/vsftpd.banned_emails
+Default: @PKG_SYSCONFDIR@/vsftpd.banned_emails
.TP
.B banner_file
This option is the name of a file containing text to display when someone
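Review bot: the changed Default: line for banned_email_file only updates what the man page claims; the hunk cannot show whether the daemon's compiled-in default was moved to the same directory. If the two disagree, an administrator who fills the documented file gets a deny list that is never read, so deny_email_enable rejects nothing. Please confirm the matching source default is patched alongside this, or point to the patch that does it.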
@@ -701,7 +701,7 @@ is enabled. If the option
is enabled, then the list file becomes a list of users to NOT place in a
chroot() jail.
Updated to version 1.1.3. Addresses PR pkg/21410 by Jens Liebau. - honour PKG_SYSCONFDIR - rcd script, standalone mode support - tcp wrappers support - install vsftpd:vsftpd user - new HOMEPAGE and MASTER_SITES 1.1.3: ====== - Support for tcp_wrappers. - First stab at Solaris sendfilev() support. - Don't bomb out the listener on SIGHUP if the config became invalid. - End vsf_findlibs.sh with "exit 0;" - thanks Lars Hecking <lhecking@nmrc.ie>! - Integrate with tcp_wrappers - load config based on VSFTPD_LOAD_CONF environment variables. Allows per-IP configurability in standalone mode. - Fix build without tcp_wrappers. - Fix Solaris sendfilev() support - interruption via a signal returns EINTR rather than a partial byte count! - Add to EXAMPLE/ - PER_IP_CONFIG and INTERNET_SITE_NOINETD 1.1.2: ====== - Add per-IP connection limits in standalone mode. - Add logging of refused connect due to global or IP connection limits. - (Many thanks for testing and suggestions from Rob van Nieuwkerk <robn@verdi.et.tudelft.nl> and Adrian Reber <adrian@lisas.de>. - Make connection limit exceeded messages nonblocking. - Don't exit the listener if fork fails. 1.1.1: ====== - Fix port_promiscuous, oops! Thanks to Bjørn-Ove Heimsund <bjornoh@mi.uib.no>. - Fix to support umasks which create executable files. Reported by "Martin, Andreas" <AMartin@hegau-klinikum.de>. - Make the messages more.. professional :( Thanks to Steven G. Taylor <staylor@redhat.com>. - Allow anon users to append to files if they can delete files! Suggestion from Michael Leuchtenburg <michael@slashhome.org>. - Hopefully fix Solaris build (-lresolv) - Replace atoll() with a homebrew - modern FreeBSD, OpenBSD lack it. - Different solution for a umask which creates executable files: file_open_mode. - First attempt at Tru64 build, working with <Sulla17@aol.com>. - A few minor FAQ additions. - Change date format in the log from Sep 09 -> Sep 9. Avoids breaking some broken log parsers. - Make "INSTALL" better and clearer. 
- Fix passwd_chroot_enable, reported by James Jones <james@richland.edu>. - Finish Tru64 building :-) - Add tunable_no_anon_password as asked for by Stephen Quinney <stephen.quinney@computing-services.oxford.ac.uk>. 1.1.0: ====== - large file (>2Gb) support). - Fix .spec files to use /usr/local/sbin not /usr/sbin, noted by Bill Unruh <unruh@physics.ubc.ca>. - Small doc tweaks and improvements(?) - Add COPYING, the GNU GPL version 2. - Add use_localtime config option to override the use of GMT times. - Add tunable_check_shell (default YES) so people can disable this if they are not using PAM. - AIX 5.1 build support, thanks to Jan-Frode Myklebust <janfrode@parallab.uib.no>. - Add "hide_ids" option to show user/group in directory listings as "ftp". Request from Solar. - Use the seemingly more portable setreuid() and setregid(), poxy HP. - Use status 550 instead of 500 for known but disabled commands. - Rename "dirchange.[ch]" to "banner.[ch]". - Multiline connect banner support via "banner_file" config option. - Minor error message changes. - Add more FAQ entries. - Add patch to specify PASV address - thanks to Mike McLean <mikem@redhat.com>. - Drop the 2.4.0 kernel warning file - Rudimentary standalone listener support - to be expanded in a later release. - If sendfile() returns EINVAL just fall back to normal routines - handles non-pagecache backed files. - Add "port_promiscuous" setting - should help enabling FXP. - Modify anon_root and local_root to change directory _before_ applying the chroot(). - Open all files O_NONBLOCK to avoid pipes blocking on open. - Support wu-ftpd style per-user chroot() via /./ in /etc/passwd HOMEDIR. - Add SIGHUP support to new built in listener. - Per-user config overrides, via "user_config_dir" - woohoo! - Warning fixes, i.e. change "index" to "indexx" thanks to Olaf Kirch <okir@suse.de>. - Make sure the standalone daemon doesn't leak zombies! 
- Supposedly fix kernel messages about MSG_PEEK race - thanks to advice from Alexey <kuznet@ms2.inr.ac.ru>. - Add global client limit for standalone mode. - Add username that failed when we die with str_getpwnam. - Add a bunch of documentation under EXAMPLES.
2003-05-10 01:31:38 +02:00
-Default: /etc/vsftpd.chroot_list
+Default: @PKG_SYSCONFDIR@/vsftpd.chroot_list
.TP
Updated to 1.2.0. - take over maintainership, MAINTAINER is not reachable on his mail anymore (non-existent domain). Changes: Logging has been enhanced, including syslog support. IPv6 support has been added. STRU, MODE, STOU, HELP, and SITE HELP have been implemented. Better control of which commands to allow has been added. pam_session support has been added. Error messages have been improved. There are lots of bugfixes and new configuration options. - Eliminate crypt() not defined warning. - "grep -q" is not standard to redirect to /dev/null instead. - Make banned_email_file work second time around. - Add force_dot_files to work around broken clients. The behaviour when enabled is very wu-ftpd like. - Implement SITE HELP - should work around IE bug? - Update README, vsftpd.conf with references to read the manual page! - Log revamp: add dual_log_enable to log to xferlog AND vsftpd.log. - Log revamp: add syslog_enable to log vsftpd.log to syslog(). - Add "background" option to background the listener process. - Fix warning is vsftpd.8 man page, Bill Nottingham <notting@redhat.com>. - Fix tcp wrappers support to NOT emit loads of Bad file descriptor messages to the system log. - Add ability to make bandwidth limiter smoother by using e.g. trans_chunk_size=8192. - Add ability for virtual users to use local privs non anon privs, via virtual_use_local_privs=YES. - Fix sendfile() fallback on FreeBSD, thanks to Adam Stroud <adstro@stny.rr.com>. - Add pam_session support, as well as utmp and wtmp logging for local logins (when using a PAM build). Tested pam_limits maxlogins works. - Ensure the source IP address for PORT connects is always the same as the control connection local IP address. Previously it was not when NOT using connect_from_port_20 in the presence of multiple local IP addresses. - Oops - make max_per_ip and max_clients work with the two process model when both connect_from_port_20 and chown_uploads are false. - Initial IPv6 support (EPSV only). 
- Add EPRT support to IPv6. - Fix "ls .file" to list .file even if the ls -a flag is not present. Noted by and thanks to Sean Millichamp <sean@enertronllc.com>. - Better error messages for config file parse fail: include setting name. - Fix bug in str_split_text where text is greater than 1 character long! - Make it build on Solaris8 - switch from utmp to utmpx and handle missing LOG_FTP. - Always check for VSFTPD_LOAD_CONF environment variable. - Implement HELP properly (should help broken clients). - Fix FreeBSD build (no utmpx.h, so disable feature). - Fix chown_uploads. - "Guess fix" for FreeBSD reported bug. I reckon FreeBSD is returning -EINTR from a blocking close but still closing the fd, despite the error return. So cater for this. Reported by Drew Vogel <dvogel@intercarve.net>. - Add download_enable and dirlist_enable. Useful in conjunction with the per-user config stuff. - Add chmod_enable. - Implement STRU and MODE for _old_, broken clients! - Log connects. - Fix 500 OOPS with chown_uploads and an APPE command. - Improve some error messages: die -> die2 for more information. - Repair max_per_ip (problem comparing IPv4 addresses). - Make chown_uploads work with virtual users. - Chmod files to 0600 before chown_uploads kicks in. - Add STOU support. - Add cmds_allowed config parameter. - Add some FAQ entries.
2003-05-29 22:08:41 +02:00
.B cmds_allowed
This options specifies a comma separated list of allowed FTP commands (post
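Review bot: The `+Default: @PKG_SYSCONFDIR@/vsftpd.chroot_list` line changes only the documented default for the chroot list; nothing in this hunk shows the path the daemon itself opens being moved to the same place. Because this list decides which users are or are not placed in a chroot() jail, confirm that a companion patch changes the built-in default to match. Otherwise an administrator who follows the man page edits a file vsftpd never reads.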
Update to 2.0.4, based on 2.0.1 update from Ove Soerensen in PR 26811. Add ssl (default off) and tcpwrappers (default on) options. Changes: - Improve logging (log deletes, renames, chmods, etc. as requested by users). - Add no_log_lock to work around Solaris / Veritas locking hangs. - Add EPRT, EPSV, PASV and TVFS to FEAT response. - Implement use of MDTM to set timestamps. - Recognize FEAT prior to login. - Add OpenSSL (AUTH TLS / SSL) support for encrypted control and data connections! Hurrah. - Increase max size of .message files to 4000 characters, thanks to Eric Pancer for the report. - Add easy builddefs.h ability to disable PAM builds even when PAM is installed. - Report vsftpd version in STAT output. - Add REFS file. - Change parent<->child socket comms from DGRAM to STREAM for increased reliability. The main benefit is should the parent be killed (or crash out) then the child won't block on a read() that will never return. - Make str_reserve reserve space for the trailing zero as well, so we don't cause a reallocation if we exactly fill the buffer. - Optimize the sending of strings over the parent<->child comms links. - Improve the build system so tcp_wrappers, PAM and OpenSSL can be forcibly compiled out. - Fix vsftpd.conf.5 typos, thanks to Dmitry V. Levin - If trans_chunk_size is between 1 and 4096, use 4096 rather than ignoring totally. Thanks to Brad - Lose Makefile.sun and README.solaris special cases. - Add SSL / TLS info to SECURITY texts. - Add README.ssl - Add documentation for new SSL options to vsftpd.conf.5. - Add support for CWD ~ (and in general support ~ at start of any filename). Also support stuff like ~chris/pics, if tilde_user_enable=YES is set. Note that all of this is for very very broken clients :-( - Fix compile warnings. - Update INSTALL with (recent) OS X as a working platform. At this point: v2.0.0 released! =============================== - Add -lcrypto for the SSL build; needed for some systems! 
Thanks to Nelson Chang - Oops; fix session bale out if an empty length password is given. - Fix build on Fedora Core 2 (-lcap cannot seem to find /lib/libcap.so). - Fix vsftpd.conf.5 man page error in "ssl_sslv3", thanks to Etienne Chevillard - Clarify licensing: I allow linking of my GPL software with the OpenSSL libraries. Thanks to Jonas Bofjall - Add COPYRIGHT. - Fix build on OpenBSD, FreeBSD, probably NetBSD too (they aren't SuSv2 compliant; timezone should be a variable not a function). - Fix build where PAM build is enabled but PAM headers are missing. - Fix build on RHEL3 (remove errant include from twoprocess.c). At this point: v2.0.1 released! =============================== - Fix FAQ typo, thanks to Jose Santiago Oyervides Gonzalez - Emit data transfer status messages (success / failure) after flushing and waiting for the full data transfer to reach the client. This should help work around buggy FTP clients such as FlashFXP, which is known to truncate files incorrectly. (v2.0.2pre1) - Make str_empty actually allocate an empty string. - Change the ASCII receive code to ONLY rip out \r if it is just before a \n; someone finally complained about this. (v2.0.2pre2) - Enable AIX Large File Support #define from Tomas Ogren - Add a couple of FAQ entries. - Fix time delta code areas to cope with negative deltas, which will occur if the clock is adjusted backwards. Thanks to Andrew Anderson for a great report. - Fix "errno" checks to be robust in multiple places; previously, calls to failing library calls could be made in between the original library call and the "errno" reads. Thanks to Andrew Anderson for a great report. - Make bandwidth limiter work with SSL data connections. (v2.0.2pre3) - Note that the SSL / bandwidth limiter bug fixed a much more serious bug: SSL data connection dropouts after data_connection_timeout seconds. - Typo fixes. At this point: v2.0.2 released! 
(need to get the SSL dropout fix out) ===================================================================== - Document what regex expressions are supported in the man page. - New settings rsa_private_key_file and dsa_private_key_file to allow separate files for the certificates and private keys. - Initial, simple fix for timed out processes not exiting when SSL is in use. Better fix (which reports timeout to client properly) to follow. - Add which setsockopt option failed to die("setsockopt") calls. - Fix when running on recent OpenBSDs - OpenBSD change broke vsftpd. Lower linger timeout from INT_MAX to 32767 (SHORT_MAX). Reported by Ewoud van der Vliet and Ed Vazquez (v2.0.3pre1) - Fix error with IPv4 connections to IPv6 listeners and PORT type data connections when connect_from_port_20 is set. RedHat bugzilla 134541. Reported by Joe Orton, Radek Vokal and Andreas Kupfer - Remove vsf_sysutil_sockaddr_same_family (unused). - Support protocol 1 (IPv4) in EPRT. - Add ssl.c to AUDIT. - Allow config file to use "ssl_ciphers=" to use default OpenSSL cipher list. - Allow "EPSV 1" to mean IPv4 EPSV. - Report dummy IP but correct port with IPv6 / PASV. - Handle SSL_WANT_READ and SSL_WANT_WRITE retries in SSL_read and SSL_write; fixes SSL upload failures when data timeouts are in use with some clients. Specifically, I used the test case FileZilla 2.2.12a on Windows XP. Reported by Lee Lawrence (using CuteFTP and BackupEdge) and Christian DELAIR (using lftp, FileZilla and SmartFTP). Thanks to these two people for valuable help. (v2.0.3pre2) - Implicitly disable connect_from_port_20 and chown_uploads when a non-root user is using run_as_launching_user. - Add force_anon_logins_ssl and force_anon_data_ssl for a fully SSL secure anonymous-only solution (useful when you don't have root access and a range of acceptable anonymous passwords as credentials). - Use SSL BIO callbacks to fix data connection timeout checks; the checks weren't all occurring promptly. 
At this point: v2.0.3 released! (need to get about three important fixes out) ============================================================================ - Add explicit "This FTP server does not allow anonymous logins" message. - Add paranoid checks to sysutil.c for large values / lengths. - Fix incorrect comment about ASCII and SIZE in the vsftpd.conf example. - Load per-IP config files earlier; allows more settings to be tuned on a per-IP level. Suggested by Reber Tobias - Fix MDTM on non-existent files. Reported by Ken A - {} regex fix so that {*} correctly matches everything. Reported by Tom Van de Wiele - Add "mdtm_write" option to disable MDTM being able to set file timestamps. - Fix HPUX build, thanks to Kevin Vajk - Add optional file locking support via lock_upload_files (default on). - Apply LDFLAGS patch from Mads Martin Joergensen - Add pasv_addr_resolve option to allow pasv_address to get DNS resolved once at startup. - Apply patch to fix timezone issues (caused by chroot() interacting badly with newer glibc versions). Thanks to Dmitry V. Levin and Mads Martin Joergensen At this point: v2.0.4 released! ===============================
2006-01-13 19:12:46 +01:00
@@ -753,7 +753,7 @@ This option can be used to provide an al
.BR secure_email_list_enable
setting.
-Default: /etc/vsftpd.email_passwords
+Default: @PKG_SYSCONFDIR@/vsftpd.email_passwords
.TP
.B ftp_username
This is the name of the user we use for handling anonymous FTP. The home
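Review bot: The replacement line `+Default: @PKG_SYSCONFDIR@/vsftpd.email_passwords` leaves a literal @PKG_SYSCONFDIR@ token in the installed man page unless the package build substitutes it first, and this patch does not show that step. Please check that the substitution covers this file. Since the file named here is the one consulted for the secure_email_list_enable setting, it is also worth stating next to the default that it should not be readable by the anonymous FTP user.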
@@ -858,7 +858,7 @@ This option should be the name of a dire
directory should not be writable by the ftp user. This directory is used
as a secure chroot() jail at times vsftpd does not require filesystem access.
-Default: /usr/share/empty
+Default: /var/chroot/vsftpd
.TP
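Review bot: The new `+Default: /var/chroot/vsftpd` is a hard-coded path, while the other two defaults changed in this patch use the @PKG_SYSCONFDIR@ placeholder, so this one will not follow a site's configured directory layout. The surrounding text says this directory should not be writable by the ftp user because it serves as the secure chroot() jail, so the package needs to create it at install time with matching ownership and mode. The documented path should also be checked against the default the daemon is built with, or be substituted at build time like the other two.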
2006-01-13 19:12:46 +01:00
.B ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for
@@ -876,10 +876,10 @@ the manual page, on a per-user basis. Us
Updated to version 1.1.3. Addresses PR pkg/21410 by Jens Liebau. - honour PKG_SYSCONFDIR - rcd script, standalone mode support - tcp wrappers support - install vsftpd:vsftpd user - new HOMEPAGE and MASTER_SITES 1.1.3: ====== - Support for tcp_wrappers. - First stab at Solaris sendfilev() support. - Don't bomb out the listener on SIGHUP if the config became invalid. - End vsf_findlibs.sh with "exit 0;" - thanks Lars Hecking <lhecking@nmrc.ie>! - Integrate with tcp_wrappers - load config based on VSFTPD_LOAD_CONF environment variables. Allows per-IP configurability in standalone mode. - Fix build without tcp_wrappers. - Fix Solaris sendfilev() support - interruption via a signal returns EINTR rather than a partial byte count! - Add to EXAMPLE/ - PER_IP_CONFIG and INTERNET_SITE_NOINETD 1.1.2: ====== - Add per-IP connection limits in standalone mode. - Add logging of refused connect due to global or IP connection limits. - (Many thanks for testing and suggestions from Rob van Nieuwkerk <robn@verdi.et.tudelft.nl> and Adrian Reber <adrian@lisas.de>. - Make connection limit exceeded messages nonblocking. - Don't exit the listener if fork fails. 1.1.1: ====== - Fix port_promiscuous, oops! Thanks to Bjørn-Ove Heimsund <bjornoh@mi.uib.no>. - Fix to support umasks which create executable files. Reported by "Martin, Andreas" <AMartin@hegau-klinikum.de>. - Make the messages more.. professional :( Thanks to Steven G. Taylor <staylor@redhat.com>. - Allow anon users to append to files if they can delete files! Suggestion from Michael Leuchtenburg <michael@slashhome.org>. - Hopefully fix Solaris build (-lresolv) - Replace atoll() with a homebrew - modern FreeBSD, OpenBSD lack it. - Different solution for a umask which creates executable files: file_open_mode. - First attempt at Tru64 build, working with <Sulla17@aol.com>. - A few minor FAQ additions. - Change date format in the log from Sep 09 -> Sep 9. Avoids breaking some broken log parsers. - Make "INSTALL" better and clearer. 
- Fix passwd_chroot_enable, reported by James Jones <james@richland.edu>. - Finish Tru64 building :-) - Add tunable_no_anon_password as asked for by Stephen Quinney <stephen.quinney@computing-services.oxford.ac.uk>. 1.1.0: ====== - large file (>2Gb) support). - Fix .spec files to use /usr/local/sbin not /usr/sbin, noted by Bill Unruh <unruh@physics.ubc.ca>. - Small doc tweaks and improvements(?) - Add COPYING, the GNU GPL version 2. - Add use_localtime config option to override the use of GMT times. - Add tunable_check_shell (default YES) so people can disable this if they are not using PAM. - AIX 5.1 build support, thanks to Jan-Frode Myklebust <janfrode@parallab.uib.no>. - Add "hide_ids" option to show user/group in directory listings as "ftp". Request from Solar. - Use the seemingly more portable setreuid() and setregid(), poxy HP. - Use status 550 instead of 500 for known but disabled commands. - Rename "dirchange.[ch]" to "banner.[ch]". - Multiline connect banner support via "banner_file" config option. - Minor error message changes. - Add more FAQ entries. - Add patch to specify PASV address - thanks to Mike McLean <mikem@redhat.com>. - Drop the 2.4.0 kernel warning file - Rudimentary standalone listener support - to be expanded in a later release. - If sendfile() returns EINVAL just fall back to normal routines - handles non-pagecache backed files. - Add "port_promiscuous" setting - should help enabling FXP. - Modify anon_root and local_root to change directory _before_ applying the chroot(). - Open all files O_NONBLOCK to avoid pipes blocking on open. - Support wu-ftpd style per-user chroot() via /./ in /etc/passwd HOMEDIR. - Add SIGHUP support to new built in listener. - Per-user config overrides, via "user_config_dir" - woohoo! - Warning fixes, i.e. change "index" to "indexx" thanks to Olaf Kirch <okir@suse.de>. - Make sure the standalone daemon doesn't leak zombies! 
- Supposedly fix kernel messages about MSG_PEEK race - thanks to advice from Alexey <kuznet@ms2.inr.ac.ru>. - Add global client limit for standalone mode. - Add username that failed when we die with str_getpwnam. - Add a bunch of documentation under EXAMPLES.
2003-05-10 01:31:38 +02:00
with an example. If you set
.BR user_config_dir
to be
-.BR /etc/vsftpd_user_conf
+.BR @PKG_SYSCONFDIR@/vsftpd_user_conf
and then log on as the user "chris", then vsftpd will apply the settings in
the file
-.BR /etc/vsftpd_user_conf/chris
+.BR @PKG_SYSCONFDIR@/vsftpd_user_conf/chris
for the duration of the session. The format of this file is as detailed in
Update to version 1.2.1. Changes: - Apply NetBSD patch to sysdeputil.c to activate a few features. Thanks to Lubomir Sedlacik <salo@netbsd.org>. - Apply fix for broken clients that terminate commands with \r\r\n. Thanks to Andrey Chernomyrdin <andrey@excom.spb.su>. - AIX send_file support, thanks to Tomas Ogren <stric@ing.umu.se>. - Fix typos in vsftpd.conf.5, thanks to SEKINE Tatsuo <tsekine@sdri.co.jp>. - Simple -F flag support to LIST and NLST. Needed for some broken clients. - Add simple ? wildcard in pattern matching. - Make pasv_min_port and pasv_max_port work if they are the same value. Thanks to Marvin Solomon <solomon@cs.wisc.edu>. - Paranoia: ignore user_config_dir if username has a / in it. - Implement stub ALLO command to keep busybox/ftpput happy. - Implement REIN, ACCT and SMNT stubs. - Implement FEAT along with an OPTS stub. - Implement STAT (no-args version). - Implement STAT (file/dir). - Add very simple access control via hide_file and deny_file. These should NOT be used for securing content as they are very dumb! Filesystem permissions are still the recommended way for securing important content. - Allow unsetting of string values with option= (i.e. blank). - Default virtual users to being chroot()'ed to the guest_user's home directory, if virtual_use_local_privs is not set. - Add support for "user_sub_token", where you can set the home directory of guest_user to "/home/virtual/$USER", and "user_sub_token" to "$USER" to have a root directory auto generated based on username logging in, e.g. fred logs in and gets chroot()'ed in /home/virtual/fred. - Fix bug in str_replace_text if replace token matches at end of string. - Recognize P@SW as PASV; works around an SMC router bug. - Accept an async ABOR sequence if it arrives via non-urgent data. Fixes issue with Cisco routers. Thanks to Eddie Corns <E.Corns@ed.ac.uk>. - Implement simple {,} support in pattern matcher (nested not handled). Handy to use with hide_file and deny_file options. 
- Fix port range with pasv_min_port and pasv_max_port to use the full range (the upper limit wasn't being used very often!). - Activate SO_REUSEADDR on passive listen sockets - makes servers with restricted port ranges much more useable! - Add secure_email_list_enable, to provide simple anonymous password control. For some cases, it's better than the hassle of virtual users. Idea thanks to Malcolm O'Callaghan, <mjo@stamps.com>. - Add some FAQ entries. - Fix issue with failure to call openlog() before using tcp_wrappers. Part of RH bugzilla #89765. (The more serious part was fixed with v1.2.0).
2004-01-01 05:39:22 +01:00
this manual page! PLEASE NOTE that not all settings are effective on a
per-user basis. For example, many settings only prior to the user's session
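Review bot: The two `+` lines put the token `@PKG_SYSCONFDIR@` into the example paths for `user_config_dir`, and nothing in this hunk shows where that token gets expanded. If the package's substitution step does not process this man page, the installed text will print the literal `@PKG_SYSCONFDIR@/vsftpd_user_conf` and `@PKG_SYSCONFDIR@/vsftpd_user_conf/chris`. Please confirm the file is covered by the substitution. Because this passage is an example ("If you set ... to be") and not a default, the change is documentation-only, and the patch should say so to avoid implying that the daemon's lookup path moved.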
@@ -915,7 +915,7 @@ This option is the name of the file load
.BR userlist_enable
option is active.
-Default: /etc/vsftpd.user_list
+Default: @PKG_SYSCONFDIR@/vsftpd.user_list
.TP
Updated to 1.2.0. - take over maintainership, MAINTAINER is not reachable on his mail anymore (non-existent domain). Changes: Logging has been enhanced, including syslog support. IPv6 support has been added. STRU, MODE, STOU, HELP, and SITE HELP have been implemented. Better control of which commands to allow has been added. pam_session support has been added. Error messages have been improved. There are lots of bugfixes and new configuration options. - Eliminate crypt() not defined warning. - "grep -q" is not standard to redirect to /dev/null instead. - Make banned_email_file work second time around. - Add force_dot_files to work around broken clients. The behaviour when enabled is very wu-ftpd like. - Implement SITE HELP - should work around IE bug? - Update README, vsftpd.conf with references to read the manual page! - Log revamp: add dual_log_enable to log to xferlog AND vsftpd.log. - Log revamp: add syslog_enable to log vsftpd.log to syslog(). - Add "background" option to background the listener process. - Fix warning is vsftpd.8 man page, Bill Nottingham <notting@redhat.com>. - Fix tcp wrappers support to NOT emit loads of Bad file descriptor messages to the system log. - Add ability to make bandwidth limiter smoother by using e.g. trans_chunk_size=8192. - Add ability for virtual users to use local privs non anon privs, via virtual_use_local_privs=YES. - Fix sendfile() fallback on FreeBSD, thanks to Adam Stroud <adstro@stny.rr.com>. - Add pam_session support, as well as utmp and wtmp logging for local logins (when using a PAM build). Tested pam_limits maxlogins works. - Ensure the source IP address for PORT connects is always the same as the control connection local IP address. Previously it was not when NOT using connect_from_port_20 in the presence of multiple local IP addresses. - Oops - make max_per_ip and max_clients work with the two process model when both connect_from_port_20 and chown_uploads are false. - Initial IPv6 support (EPSV only). 
- Add EPRT support to IPv6. - Fix "ls .file" to list .file even if the ls -a flag is not present. Noted by and thanks to Sean Millichamp <sean@enertronllc.com>. - Better error messages for config file parse fail: include setting name. - Fix bug in str_split_text where text is greater than 1 character long! - Make it build on Solaris8 - switch from utmp to utmpx and handle missing LOG_FTP. - Always check for VSFTPD_LOAD_CONF environment variable. - Implement HELP properly (should help broken clients). - Fix FreeBSD build (no utmpx.h, so disable feature). - Fix chown_uploads. - "Guess fix" for FreeBSD reported bug. I reckon FreeBSD is returning -EINTR from a blocking close but still closing the fd, despite the error return. So cater for this. Reported by Drew Vogel <dvogel@intercarve.net>. - Add download_enable and dirlist_enable. Useful in conjunction with the per-user config stuff. - Add chmod_enable. - Implement STRU and MODE for _old_, broken clients! - Log connects. - Fix 500 OOPS with chown_uploads and an APPE command. - Improve some error messages: die -> die2 for more information. - Repair max_per_ip (problem comparing IPv4 addresses). - Make chown_uploads work with virtual users. - Chmod files to 0600 before chown_uploads kicks in. - Add STOU support. - Add cmds_allowed config parameter. - Add some FAQ entries.
2003-05-29 22:08:41 +02:00
.B vsftpd_log_file
This option is the name of the file to which we write the vsftpd style
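Review bot: The `+Default: @PKG_SYSCONFDIR@/vsftpd.user_list` line changes a documented default, so it is only correct if the compiled-in default for this option is patched to the same path. Otherwise the man page points administrators at a file the daemon never loads when `userlist_enable` is active, and edits to the user list silently have no effect. Please check that a companion patch changes the built-in default, and that `@PKG_SYSCONFDIR@` is expanded in this file at build time so the raw token does not ship.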