Topic: Request for inclusion of vsftpd

Hi, I would like to request the latest version of vsftpd to be included in your repository if possible.
Version 2.2.2 is included by default in RHEL v6 but in v2.3.5 an important security fix was implemented.

Now I doubt that Red Hat will backport it, since it breaks the default conf and requires some actual work by the sysadmin.
Something we all know Red Hat is very afraid of.

Below is a nice video showing the reason to prefer security over backwards compatibility...
Following that a full disclosure link showing the problem in detail.
(I had to post them in code tags due to the URL limit of 1 link...)

youtube.com/watch?v=10uedlgNEJA

seclists.org/fulldisclosure/2010/Oct/257

Re: Request for inclusion of vsftpd

I think Red Hat will fix this issue (they must).

I don't want to maintain too many new things, especially stuff I don't use (and I really hate ftp..., such an awful protocol, so I prefer an SSH solution).

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: Request for inclusion of vsftpd

AFAIK, this vulnerability has been fixed by Red Hat for a very long time.
See https://access.redhat.com/security/cve/CVE-2010-3847


Re: Request for inclusion of vsftpd

Thank you for your quick reply Remi!
Yes it seems you are indeed correct, Red Hat did fix the vulnerability in glibc.
I still think it's better to fix it in vsftpd though, but I fully understand your decision to not want to maintain vsftpd as well!

Also, I fully agree with you on the hating FTP part.
May I ask how you set up SSH instead?
My reason for originally using FTP is that I have a few users who should be able to upload files to a specific directory.

I solved this using vsftpd and chrooted ftp accounts.
In those I then "bind mount" the directory I want them to be able to upload files to, like /var/www/html/somedir > /home/someuser/http

This way they only see that specific directory, and can't log in via SSH.
Have you solved this using SCP somehow? I know that it should be possible, but I've never been able to get it to work.
We are switching from RHEL5 to RHEL6 now, so maybe you could give us some pointers on how you set up your system, if it is anything similar to what I described?

Thank you in advance.

Re: Request for inclusion of vsftpd

Try http://www.howtoforge.com/chrooted-ssh- … bian-lenny


6 (edited by Per Hansson 2012-02-20 18:34:19)

Re: Request for inclusion of vsftpd

Thank you for the link Remi.
It did not work but I found this one which did: http://www.thisisnotsupported.com/sftp- … n-centos6/

I had to disable SELinux in /etc/selinux/config, otherwise I would just get permission denied after successfully logging in...
I used this config in my /etc/ssh/sshd_config:

# override default of no subsystems
Subsystem       sftp    internal-sftp

Match User SomeUserName,AnotherUserName
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

It works great, the users "SomeUserName" & "AnotherUserName" are able to log in via SFTP, but not SCP, and they also can't get a shell via SSH.
I set their user shells to /sbin/nologin.
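As an added example (not part of this thread and not any poster's setup), a POSIX shell script that audits a Match block like the one above and the ownership and mode of the ChrootDirectory: sshd refuses a chroot whose path is not root-owned or is group/world writable, which is a common cause of a login that succeeds and is then immediately disconnected. The sshd_config sample is constructed inline, and `stat -c` (GNU coreutils) is assumed for the live-directory check.

```shell
#!/bin/sh
# Constructed sample of the sshd_config fragment discussed in the thread (not a system file).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Subsystem       sftp    internal-sftp

Match User SomeUserName,AnotherUserName
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
EOF

# check_match_block FILE USER: extract the "Match User ..." block that applies to USER
# and verify it pins the account to SFTP only (chroot, no shell, no forwarding).
# sshd keywords are case-insensitive, so the grep is too. Returns 0 when all are present.
check_match_block() {
    file=$1; user=$2
    block=$(awk -v u="$user" '
        tolower($1) == "match" { inblock = ($2 == "User" && index("," $3 ",", "," u ",") > 0); next }
        inblock { print }' "$file")
    [ -n "$block" ] || { echo "no Match block for $user"; return 1; }
    for want in 'chrootdirectory[[:space:]][[:space:]]*/' \
                'forcecommand[[:space:]][[:space:]]*internal-sftp' \
                'allowtcpforwarding[[:space:]][[:space:]]*no' \
                'x11forwarding[[:space:]][[:space:]]*no'; do
        printf '%s\n' "$block" | grep -iq "^[[:space:]]*$want" \
            || { echo "$user: missing $want"; return 1; }
    done
    return 0
}

# chroot_perms_ok UID MODE: pure check on an owner uid and an "ls -l" style mode string.
# sshd requires the chroot (and every parent component) to be root-owned and not writable
# by group or others; char 6 is group-write, char 9 is other-write.
chroot_perms_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || { echo "chroot dir must be owned by root (uid $uid)"; return 1; }
    case $mode in
        ?????w*|????????w*) echo "chroot dir must not be group/world writable ($mode)"; return 1 ;;
    esac
    return 0
}

# check_chroot_dir DIR: live check of one directory via GNU stat (assumption).
check_chroot_dir() {
    uid=$(stat -c '%u' "$1") && mode=$(stat -c '%A' "$1") && chroot_perms_ok "$uid" "$mode"
}

check_match_block "$SAMPLE_CFG" SomeUserName && echo "Match block for SomeUserName OK"
if [ -d /home ]; then check_chroot_dir /home && echo "/home is usable as ChrootDirectory"; fi
```

Run it on a real host as `check_match_block /etc/ssh/sshd_config "$user"` and `check_chroot_dir` over each component of the chroot path; `sshd -t` then confirms the file still parses.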