pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/net/vsftpd Updated net/vsftpd to 2.0.7 - needed for re...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/43c20279c7be
branches:  trunk
changeset: 547602:43c20279c7be
user:      abs <abs%pkgsrc.org@localhost>
date:      Mon Sep 22 11:02:21 2008 +0000

description:
Updated net/vsftpd to 2.0.7 - needed for recent FileZilla to work with SSL

v2.0.5

- Apply fix for O_NONBLOCK vs. XFS DMAPI filesystem. Thanks to Sudha Srinivasan
<sudhas%sgi.com@localhost>.
- Fix build warnings exposed by my upgrade to Fedora Core 5 / GCC4.1.1.
- Be more honest in FEAT response if PORT or PASV are disabled! Reported by
Charles Honton <chas%honton.org@localhost>. Allows MS Explorer to get the transfer mode
correct.
- pam_pwdb.so -> pam_unix.so in example PAM file. Thanks to
Rhodes, Colin <colin.rhodes%airways.co.nz@localhost>.
- Add FAQ issue regarding "chroot fails with SSL" - in fact, sshd is being hit
here instead ;-)
- Minor man page doc tweaks.
- Tiny bit of paranoia in privops.c.
- Revert change to reject anonymous logins before asking for password. This
fixes complaints about IE not showing the FTP login dialog.
- Change SSL certificate load to cater for chaining too.
- Added delay_failed_login and delay_successful_login to help limit resources
taken by brute force attacks.
- Kick session after a few login fails. Allows IP blocking solutions to be more
immediately effective.
- Replace setenv() with more portable putenv(). First part of Solaris fix.
- Replace tm_gmtoff usage with timezone and daylight. Second part of Solaris
fix.
- Set PAM items TTY and RUSER if possible.
- OpenBSD build warning fixes.
- So, timezone and daylight are not available on BSD, so redo the whole TZ
thing again. Should use only very portable constructs now.

v2.0.6

- Fix delay_failed_login typo. Oops.
- Patch the getcwd and readlink sysutil helpers to reflect that they wouldn't
like a 0-sized buf. No caller is affected. Thanks Ilja van Sprundel
<ilja%suresec.org@localhost>.
- Allow a (fake) reauth as the same user as the logged in user. Should resolve
.NET related report from Sabo Jim <Jim.Sabo%thomson.net@localhost>.
- Tweak from Lucian Adrian Grijincu <lucian.grijincu%gmail.com@localhost> to take
unnecessary port calculations out of a loop.
- Fix byte I/O accounting in the error path of do_file_send_rwloop, thanks to
<echen%siac.com@localhost>.
- Don't log FireFox's attempts to RETR directories! Reported by
Nixdorf, Tim <tnixdorf%dnps.com@localhost>.
- Fix STOU sending the same 150 status line twice - oops! Reported by
<yamazaki%iij.ad.jp@localhost>.
- Fix xferlog format for virtual (guest) users, reported by Andy Fletcher
<andy%withnail.org@localhost>.
- Fix bug with empty user list file and userlist_deny=NO. Reported by
Marcin Zawadzki/GlobalVanet.com <marcin.zawadzki%globalvanet.com@localhost>.
- Pretend we have proper UTF8 support and respond positively to OPTS UTF8 ON.
Thanks Stanislav Maslovski <stanislav.maslovski%gmail.com@localhost>.
- Add control over the file permissions used in the chown()ing of anonymous
uploads: chown_upload_mode (default 0600 as before). Suggestion from
An Pham <apham%medforcetech.com@localhost>.
- Do a retry getting the active ftp socket in vsf_privop_get_ftp_port_sock();
should help buggy Solaris systems. Reported by Michael Masterson
<mjmasterson%xo.com@localhost>.
- Add debug_ssl option to dump out some SSL connection details.
- Use code 522, not 521, to indicate that the server requires an encrypted
data connection. Still does not seem to coax lftp to retry :(
- Recognize OPTS pre-login.
- A whole ton of SSL improvements, including ability to force requirement of
a client cert; data and control channel client cert cross checking. Ability
to require fully valid / authentic client certs. No cert-based auth yet.
- Change my e-mail to my GMail account.

v2.0.7

- Fix finding libcap for the link on Slackware systems, thanks to Roman
Kravchenko <roman%atech.lv@localhost>.
- Fix build on Solaris 2.8 due to non-standard C, thanks to IIDA Yosiaki
<y-iida%secom.co.jp@localhost>.
- Fix man page typo, thanks Matt Selsky <selsky%columbia.edu@localhost>.
- Bring the PASV listen() into the bind() retry loop to resolve a race under
extreme load. Thanks to Curtis Taylor <cjt%us.ibm.com@localhost>.
- Enhance logging for debug_ssl.
- Shutdown the SSL data connections properly. This prevents clients such as
recent FileZilla from complaining. Reported by various people.
- Add option to enforce proper SSL shutdown on uploads. Left it off after much
agonizing because clients are so broken in this area.
- Add option to delete failed uploads.

diffstat:

 net/vsftpd/Makefile         |   5 ++---
 net/vsftpd/distinfo         |  14 ++++++--------
 net/vsftpd/options.mk       |   5 +++--
 net/vsftpd/patches/patch-ad |  21 ++++++++++++++++-----
 net/vsftpd/patches/patch-af |  22 +++++++++++-----------
 net/vsftpd/patches/patch-ag |  19 -------------------
 6 files changed, 38 insertions(+), 48 deletions(-)

diffs (208 lines):

diff -r ebe462a4b333 -r 43c20279c7be net/vsftpd/Makefile
--- a/net/vsftpd/Makefile       Mon Sep 22 08:53:29 2008 +0000
+++ b/net/vsftpd/Makefile       Mon Sep 22 11:02:21 2008 +0000
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.28 2008/06/20 01:09:32 joerg Exp $
+# $NetBSD: Makefile,v 1.29 2008/09/22 11:02:21 abs Exp $
 #
 
-DISTNAME=      vsftpd-2.0.4
-PKGREVISION=   1
+DISTNAME=      vsftpd-2.0.7
 CATEGORIES=    net
 MASTER_SITES=  ftp://vsftpd.beasts.org/users/cevans/
 
diff -r ebe462a4b333 -r 43c20279c7be net/vsftpd/distinfo
--- a/net/vsftpd/distinfo       Mon Sep 22 08:53:29 2008 +0000
+++ b/net/vsftpd/distinfo       Mon Sep 22 11:02:21 2008 +0000
@@ -1,12 +1,10 @@
-$NetBSD: distinfo,v 1.9 2006/05/16 21:08:50 joerg Exp $
+$NetBSD: distinfo,v 1.10 2008/09/22 11:02:21 abs Exp $
 
-SHA1 (vsftpd-2.0.4.tar.gz) = 6ffbcc08a91300664d527b3ac7c515421d5cd764
-RMD160 (vsftpd-2.0.4.tar.gz) = e8f07c125c0c3a8f0d457b47fd0062d6431c480b
-Size (vsftpd-2.0.4.tar.gz) = 154857 bytes
+SHA1 (vsftpd-2.0.7.tar.gz) = 760afe849d1ebe10592ef29032b6e00e7f1bbf79
+RMD160 (vsftpd-2.0.7.tar.gz) = 8947c7ae00214fb30c9d7d2cfba5116643e1d8c7
+Size (vsftpd-2.0.7.tar.gz) = 162801 bytes
 SHA1 (patch-aa) = 323f694874777747ce525aa9ebb5d740684ec553
 SHA1 (patch-ab) = 18431ae27f53270ad4c19b0530e55348397fe143
 SHA1 (patch-ac) = 49269d863fd232d1e78cda039ae1a67368acfe1e
-SHA1 (patch-ad) = dd22f355216685fe0089addc5b1acf3b11490b06
-SHA1 (patch-ae) = 373edb952206871b0b5c3e06fd5b90e25000f284
-SHA1 (patch-af) = 895496296cfa867653f05c6f475fd5d69f21811b
-SHA1 (patch-ag) = 58bae3e8f9d70031d04642dcc9d9fa2e42743d5e
+SHA1 (patch-ad) = a6b0f1cd2e2d5168769e85b151125b7f381b7908
+SHA1 (patch-af) = 95ef9625fed7fd596a9dcd8e12c28a2de989ff4a
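
Review bot: The checksum entry for patch-ae is dropped here together with the one for patch-ag, but the diffstat of this changeset only lists patches/patch-ag as deleted and the log message does not mention patch-ae at all. Confirm that net/vsftpd/patches/patch-ae is really gone from the tree (or was removed in an earlier revision); a patch file left in patches/ would no longer be covered by any recorded checksum. The log should also say why both patches are unnecessary for 2.0.7.
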
diff -r ebe462a4b333 -r 43c20279c7be net/vsftpd/options.mk
--- a/net/vsftpd/options.mk     Mon Sep 22 08:53:29 2008 +0000
+++ b/net/vsftpd/options.mk     Mon Sep 22 11:02:21 2008 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.5 2007/12/22 23:07:37 minskim Exp $
+# $NetBSD: options.mk,v 1.6 2008/09/22 11:02:21 abs Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.vsftpd
 PKG_SUPPORTED_OPTIONS= pam ssl tcpwrappers
@@ -20,11 +20,12 @@
 LIBS+=         ${COMPILER_RPATH_FLAG}${PAMBASE}
 LIBS+=         -lpam
 .else
+LIBS.Linux=            -lcrypt
+#
 SUBST_CLASSES+=                pam
 SUBST_FILES.pam=       builddefs.h
 SUBST_SED.pam+=                -e 's,define VSF_BUILD_PAM,undef VSF_BUILD_PAM,g'
 SUBST_STAGE.pam=       pre-configure
-LIBS.Linux=            -lcrypt
 .endif
 
 .if !empty(PKG_OPTIONS:Mssl)
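
Review bot: The bare "#" line added after "LIBS.Linux= -lcrypt" in the non-PAM branch carries no text, and moving the assignment above the SUBST block does not change behaviour, since both positions sit inside the same .else branch. Either drop the empty comment line or turn it into a comment saying why -lcrypt is needed on Linux when PAM is disabled; as it stands this part of the hunk is churn with no stated reason.
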
diff -r ebe462a4b333 -r 43c20279c7be net/vsftpd/patches/patch-ad
--- a/net/vsftpd/patches/patch-ad       Mon Sep 22 08:53:29 2008 +0000
+++ b/net/vsftpd/patches/patch-ad       Mon Sep 22 11:02:21 2008 +0000
@@ -1,10 +1,10 @@
-$NetBSD: patch-ad,v 1.3 2006/01/13 18:12:46 wiz Exp $
+$NetBSD: patch-ad,v 1.4 2008/09/22 11:02:21 abs Exp $
 
---- tunables.c.orig    2006-01-07 20:32:44.000000000 +0100
+--- tunables.c.orig    2008-07-30 02:52:23.000000000 +0100
 +++ tunables.c
-@@ -92,19 +92,19 @@ unsigned int tunable_file_open_mode = 06
- unsigned int tunable_max_per_ip = 0;
- unsigned int tunable_trans_chunk_size = 0;
+@@ -104,19 +104,19 @@ unsigned int tunable_max_login_fails = 3
+ /* -rw------- */
+ unsigned int tunable_chown_upload_mode = 0600;
  
 -const char* tunable_secure_chroot_dir = "/usr/share/empty";
 +const char* tunable_secure_chroot_dir = "/var/chroot/vsftpd";
@@ -27,3 +27,14 @@
  const char* tunable_anon_root = 0;
  const char* tunable_local_root = 0;
  const char* tunable_banner_file = 0;
+@@ -128,8 +128,8 @@ const char* tunable_cmds_allowed = 0;
+ const char* tunable_hide_file = 0;
+ const char* tunable_deny_file = 0;
+ const char* tunable_user_sub_token = 0;
+-const char* tunable_email_password_file = "/etc/vsftpd.email_passwords";
+-const char* tunable_rsa_cert_file = "/usr/share/ssl/certs/vsftpd.pem";
++const char* tunable_email_password_file = PKG_SYSCONFDIR"/vsftpd.email_passwords";
++const char* tunable_rsa_cert_file = PKG_SYSCONFDIR"/vsftpd.pem";
+ const char* tunable_dsa_cert_file = 0;
+ const char* tunable_ssl_ciphers = "DES-CBC3-SHA";
+ const char* tunable_rsa_private_key_file = 0;
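
Review bot: The new defaults in the second tunables.c hunk, PKG_SYSCONFDIR"/vsftpd.email_passwords" and PKG_SYSCONFDIR"/vsftpd.pem", only compile if PKG_SYSCONFDIR is defined as a quoted string literal when tunables.c is built, and none of the visible hunks shows where that define comes from. Point to the place it is set (or add it) so the dependency is explicit. Separately, tunable_rsa_private_key_file stays at 0 in the context lines, so the private key is expected in the same vsftpd.pem; the package notes should tell the admin to keep that file readable by root only.
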
diff -r ebe462a4b333 -r 43c20279c7be net/vsftpd/patches/patch-af
--- a/net/vsftpd/patches/patch-af       Mon Sep 22 08:53:29 2008 +0000
+++ b/net/vsftpd/patches/patch-af       Mon Sep 22 11:02:21 2008 +0000
@@ -1,5 +1,5 @@
-$NetBSD: patch-af,v 1.4 2006/01/13 18:12:46 wiz Exp $
---- vsftpd.conf.5.orig 2006-01-07 20:35:50.000000000 +0100
+$NetBSD: patch-af,v 1.5 2008/09/22 11:02:21 abs Exp $
+--- vsftpd.conf.5.orig 2008-07-30 02:56:30.000000000 +0100
 +++ vsftpd.conf.5
 @@ -4,7 +4,7 @@ vsftpd.conf \- config file for vsftpd
  .SH DESCRIPTION
@@ -10,7 +10,7 @@
  However, you may override this by specifying a command line argument to
  vsftpd. The command line argument is the pathname of the configuration file
  for vsftpd. This behaviour is useful because you may wish to use an advanced
-@@ -136,7 +136,7 @@ chroot() jail in their home directory up
+@@ -138,7 +138,7 @@ chroot() jail in their home directory up
  different if chroot_local_user is set to YES. In this case, the list becomes
  a list of users which are NOT to be placed in a chroot() jail.
  By default, the file containing this list is
@@ -19,7 +19,7 @@
  .BR chroot_list_file
  setting.
  
-@@ -164,7 +164,7 @@ Default: NO (but the sample config file 
+@@ -177,7 +177,7 @@ Default: NO
  .B deny_email_enable
  If activated, you may provide a list of anonymous password e-mail responses
  which cause login to be denied. By default, the file containing this list is
@@ -28,7 +28,7 @@
  .BR banned_email_file
  setting.
  
-@@ -392,7 +392,7 @@ anonymous logins are prevented unless th
+@@ -416,7 +416,7 @@ anonymous logins are prevented unless th
  file specified by the
  .BR email_password_file
  setting. The file format is one password per line, no extra whitespace. The
@@ -37,7 +37,7 @@
  
  Default: NO
  .TP
-@@ -672,7 +672,7 @@ passwords which are not permitted. This 
+@@ -747,7 +747,7 @@ passwords which are not permitted. This 
  .BR deny_email_enable
  is enabled.
  
@@ -46,7 +46,7 @@
  .TP
  .B banner_file
  This option is the name of a file containing text to display when someone
-@@ -701,7 +701,7 @@ is enabled. If the option
+@@ -784,7 +784,7 @@ is enabled. If the option
  is enabled, then the list file becomes a list of users to NOT place in a
  chroot() jail.
  
@@ -55,7 +55,7 @@
  .TP
  .B cmds_allowed
  This options specifies a comma separated list of allowed FTP commands (post
-@@ -753,7 +753,7 @@ This option can be used to provide an al
+@@ -836,7 +836,7 @@ This option can be used to provide an al
  .BR secure_email_list_enable
  setting.
  
@@ -64,7 +64,7 @@
  .TP
  .B ftp_username
  This is the name of the user we use for handling anonymous FTP. The home
-@@ -858,7 +858,7 @@ This option should be the name of a dire
+@@ -941,7 +941,7 @@ This option should be the name of a dire
  directory should not be writable by the ftp user. This directory is used
  as a secure chroot() jail at times vsftpd does not require filesystem access.
  
@@ -73,7 +73,7 @@
  .TP
  .B ssl_ciphers
  This option can be used to select which SSL ciphers vsftpd will allow for
-@@ -876,10 +876,10 @@ the manual page, on a per-user basis. Us
+@@ -959,10 +959,10 @@ the manual page, on a per-user basis. Us
  with an example. If you set
  .BR user_config_dir
  to be
@@ -86,7 +86,7 @@
  for the duration of the session. The format of this file is as detailed in
  this manual page! PLEASE NOTE that not all settings are effective on a
  per-user basis. For example, many settings only prior to the user's session
-@@ -915,7 +915,7 @@ This option is the name of the file load
+@@ -998,7 +998,7 @@ This option is the name of the file load
  .BR userlist_enable
  option is active.
  
diff -r ebe462a4b333 -r 43c20279c7be net/vsftpd/patches/patch-ag
--- a/net/vsftpd/patches/patch-ag       Mon Sep 22 08:53:29 2008 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-$NetBSD: patch-ag,v 1.3 2006/05/16 21:08:51 joerg Exp $
-
---- sysutil.c.orig     2006-01-09 18:05:18.000000000 +0100
-+++ sysutil.c
-@@ -2478,7 +2478,14 @@ vsf_sysutil_tzset(void)
-   tzset();
-   the_time = time(NULL);
-   p_tm = localtime(&the_time);
-+#if defined (__SVR4) && defined (__sun) 
-+  if (daylight != 0)
-+    s_timezone = altzone;
-+  else
-+    s_timezone = timezone;
-+#else
-   s_timezone = -p_tm->tm_gmtoff;
-+#endif
- }
- 
- const char*
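
Review bot: The log message does not say why this Solaris workaround for p_tm->tm_gmtoff in vsf_sysutil_tzset() can be deleted. The upstream 2.0.5 notes quoted in the description ("Replace tm_gmtoff usage with timezone and daylight", followed by a rework to "only very portable constructs") suggest the fix is now upstream; state that in the commit message and confirm that the 2.0.7 sysutil.c still builds on Solaris without the patch.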


