1 /*
2  * Part of Very Secure FTPd
3  * Licence: GPL v2
4  * Author: Chris Evans
5  * tunables.c
6  */
7 
8 #include "tunables.h"
9 #include "sysutil.h"
10 #include "builddefs.h"
11 
/*
 * Integer-valued tunables.  Each one is given a 0 or 1 default by
 * tunables_load_defaults() below; nothing else in this file writes them,
 * so any other value must come from whatever parses the configuration
 * (not visible here).
 */
int tunable_anonymous_enable;
int tunable_local_enable;
int tunable_pasv_enable;
int tunable_port_enable;
int tunable_chroot_local_user;
int tunable_write_enable;
int tunable_anon_upload_enable;
int tunable_anon_mkdir_write_enable;
int tunable_anon_other_write_enable;
int tunable_chown_uploads;
int tunable_connect_from_port_20;
int tunable_xferlog_enable;
int tunable_dirmessage_enable;
int tunable_anon_world_readable_only;
int tunable_async_abor_enable;
int tunable_ascii_upload_enable;
int tunable_ascii_download_enable;
int tunable_one_process_model;
int tunable_xferlog_std_format;
int tunable_pasv_promiscuous;
int tunable_deny_email_enable;
int tunable_chroot_list_enable;
int tunable_setproctitle_enable;
int tunable_text_userdb_names;
int tunable_ls_recurse_enable;
int tunable_log_ftp_protocol;
int tunable_guest_enable;
int tunable_userlist_enable;
int tunable_ssl_userlist_enable;
int tunable_userlist_deny;
int tunable_use_localtime;
int tunable_check_shell;
int tunable_hide_ids;
int tunable_listen;
int tunable_port_promiscuous;
int tunable_passwd_chroot_enable;
int tunable_no_anon_password;
int tunable_tcp_wrappers;
int tunable_use_sendfile;
int tunable_force_dot_files;
int tunable_listen_ipv6;
int tunable_dual_log_enable;
int tunable_syslog_enable;
int tunable_background;
int tunable_virtual_use_local_privs;
int tunable_session_support;
int tunable_download_enable;
int tunable_dirlist_enable;
int tunable_chmod_enable;
int tunable_secure_email_list_enable;
int tunable_run_as_launching_user;
int tunable_no_log_lock;
int tunable_ssl_enable;
int tunable_allow_anon_ssl;
int tunable_force_local_logins_ssl;
int tunable_force_local_data_ssl;
int tunable_sslv2;
int tunable_sslv3;
int tunable_tlsv1;
int tunable_tilde_user_enable;
int tunable_force_anon_logins_ssl;
int tunable_force_anon_data_ssl;
int tunable_mdtm_write;
int tunable_lock_upload_files;
int tunable_pasv_addr_resolve;
int tunable_userlist_log;
int tunable_debug_ssl;
int tunable_require_cert;
int tunable_validate_cert;
int tunable_strict_ssl_read_eof;
int tunable_strict_ssl_write_shutdown;
int tunable_ssl_request_cert;
int tunable_delete_failed_uploads;
int tunable_implicit_ssl;
int tunable_ptrace_sandbox;
int tunable_require_ssl_reuse;
int tunable_isolate;
int tunable_isolate_network;
int tunable_ftp_enable;
int tunable_http_enable;
int tunable_http_browse;
int tunable_convert_charset_enable;
int tunable_local_codepage;
int tunable_remote_codepage;
int tunable_anon_delete_enable;
int tunable_add_default_rule;
int tunable_chown_by_ip;
int tunable_tpm_allow_anon_root_access;
int tunable_double_377;
int tunable_anon_rxtx_rate;
int tunable_local_rxtx_rate;
int tunable_chown_group;
int tunable_anti_bruteforce;
int tunable_users_access_ip_deny;
int tunable_seccomp_sandbox;
int tunable_allow_writeable_chroot;
108 
/*
 * Unsigned numeric tunables.  Defaults are assigned in
 * tunables_load_defaults() below; note that the umask and mode entries are
 * written there as octal literals (077, 0666), so read them as such.
 */
unsigned int tunable_accept_timeout;
unsigned int tunable_connect_timeout;
unsigned int tunable_local_umask;
unsigned int tunable_anon_umask;
unsigned int tunable_ftp_data_port;
unsigned int tunable_idle_session_timeout;
unsigned int tunable_data_connection_timeout;
unsigned int tunable_pasv_min_port;
unsigned int tunable_pasv_max_port;
unsigned int tunable_anon_max_rate;
unsigned int tunable_anon_max_rate_rx;
unsigned int tunable_anon_max_rate_tx;
unsigned int tunable_local_max_rate;
unsigned int tunable_local_max_rate_rx;
unsigned int tunable_local_max_rate_tx;
unsigned int tunable_listen_port;
unsigned int tunable_max_clients;
unsigned int tunable_file_open_mode;
unsigned int tunable_max_per_ip;
unsigned int tunable_trans_chunk_size;
unsigned int tunable_delay_failed_login;
unsigned int tunable_delay_successful_login;
unsigned int tunable_max_login_fails;
unsigned int tunable_chown_upload_mode;
133 
/*
 * String-valued tunables.  Each slot holds either 0 or a heap copy made by
 * install_str_setting() via vsf_sysutil_strdup(); the slot owns that copy
 * and install_str_setting() releases it with vsf_sysutil_free() before
 * installing a replacement.  Do not store a string literal or a stack
 * buffer in one of these directly -- the next install would try to free it.
 */
const char* tunable_secure_chroot_dir;
const char* tunable_ftp_username;
const char* tunable_chown_username;
const char* tunable_xferlog_file;
const char* tunable_vsftpd_log_file;
const char* tunable_message_file;
const char* tunable_nopriv_user;
const char* tunable_ftpd_banner;
const char* tunable_banned_email_file;
const char* tunable_chroot_list_file;
const char* tunable_pam_service_name;
const char* tunable_guest_username;
const char* tunable_userlist_file;
const char* tunable_ssl_userlist_file;
const char* tunable_anon_root;
const char* tunable_local_root;
const char* tunable_banner_file;
const char* tunable_pasv_address;
const char* tunable_listen_address;
const char* tunable_user_config_dir;
const char* tunable_listen_address6;
const char* tunable_cmds_allowed;
const char* tunable_cmds_denied;
const char* tunable_hide_file;
const char* tunable_deny_file;
const char* tunable_user_sub_token;
const char* tunable_email_password_file;
const char* tunable_rsa_cert_file;
const char* tunable_dsa_cert_file;
const char* tunable_ssl_ciphers;
const char* tunable_rsa_private_key_file;
const char* tunable_dsa_private_key_file;
const char* tunable_ca_certs_file;
const char* tunable_local_charset;
const char* tunable_remote_charset;
const char* tunable_pasv_addr_rules;
const char* tunable_users_access_ip;
const char* tunable_anti_bruteforce_banner;
const char* tunable_http_error_403_server_tpl;
const char* tunable_http_error_403_tpl;
const char* tunable_http_error_404_tpl;
const char* tunable_http_browse_tpl;
const char* tunable_http_browse_line_tpl;
const char* tunable_http_default_index;
178 
/*
 * Forward declaration.  The "static" here gives the helper internal linkage;
 * the definition at the bottom of this file inherits it.
 */
static void install_str_setting(const char* p_value, const char** p_storage);
180 
/*
 * tunables_load_defaults - reset every tunable to its built-in default.
 *
 * Each table below pairs a storage slot with the value it receives and is
 * walked top to bottom, so the assignments happen in the order the entries
 * are listed.  String defaults go through install_str_setting(), which
 * releases whatever copy a slot already holds before installing the new one;
 * this function is therefore safe to call more than once.
 */
void
tunables_load_defaults()
{
  static const struct
  {
    int* p_slot;
    int value;
  } s_int_defaults[] = {
    { &tunable_anonymous_enable, 1 },
    { &tunable_local_enable, 0 },
    { &tunable_pasv_enable, 1 },
    { &tunable_port_enable, 1 },
    { &tunable_chroot_local_user, 0 },
    { &tunable_write_enable, 0 },
    { &tunable_anon_upload_enable, 0 },
    { &tunable_anon_mkdir_write_enable, 0 },
    { &tunable_anon_other_write_enable, 0 },
    { &tunable_chown_uploads, 0 },
    { &tunable_connect_from_port_20, 0 },
    { &tunable_xferlog_enable, 0 },
    { &tunable_dirmessage_enable, 0 },
    { &tunable_anon_world_readable_only, 1 },
    { &tunable_async_abor_enable, 0 },
    { &tunable_ascii_upload_enable, 0 },
    { &tunable_ascii_download_enable, 0 },
    { &tunable_one_process_model, 0 },
    { &tunable_xferlog_std_format, 0 },
    { &tunable_pasv_promiscuous, 0 },
    { &tunable_deny_email_enable, 0 },
    { &tunable_chroot_list_enable, 0 },
    { &tunable_setproctitle_enable, 0 },
    { &tunable_text_userdb_names, 0 },
    { &tunable_ls_recurse_enable, 0 },
    { &tunable_log_ftp_protocol, 0 },
    { &tunable_guest_enable, 0 },
    { &tunable_userlist_enable, 0 },
    { &tunable_ssl_userlist_enable, 0 },
    { &tunable_userlist_deny, 1 },
    { &tunable_use_localtime, 0 },
    { &tunable_check_shell, 1 },
    { &tunable_hide_ids, 0 },
    { &tunable_listen, 1 },
    { &tunable_port_promiscuous, 0 },
    { &tunable_passwd_chroot_enable, 0 },
    { &tunable_no_anon_password, 0 },
    { &tunable_tcp_wrappers, 0 },
    { &tunable_use_sendfile, 1 },
    { &tunable_force_dot_files, 0 },
    { &tunable_listen_ipv6, 0 },
    { &tunable_dual_log_enable, 0 },
    { &tunable_syslog_enable, 0 },
    { &tunable_background, 1 },
    { &tunable_virtual_use_local_privs, 0 },
    { &tunable_session_support, 0 },
    { &tunable_download_enable, 1 },
    { &tunable_dirlist_enable, 1 },
    { &tunable_chmod_enable, 1 },
    { &tunable_secure_email_list_enable, 0 },
    { &tunable_run_as_launching_user, 0 },
    { &tunable_no_log_lock, 0 },
    { &tunable_ssl_enable, 0 },
    { &tunable_allow_anon_ssl, 0 },
    { &tunable_force_local_logins_ssl, 1 },
    { &tunable_force_local_data_ssl, 1 },
    { &tunable_sslv2, 0 },
    { &tunable_sslv3, 0 },
    { &tunable_tlsv1, 1 },
    { &tunable_tilde_user_enable, 0 },
    { &tunable_force_anon_logins_ssl, 0 },
    { &tunable_force_anon_data_ssl, 0 },
    { &tunable_mdtm_write, 1 },
    { &tunable_lock_upload_files, 1 },
    { &tunable_pasv_addr_resolve, 0 },
    { &tunable_userlist_log, 0 },
    { &tunable_debug_ssl, 0 },
    { &tunable_require_cert, 0 },
    { &tunable_validate_cert, 0 },
    { &tunable_strict_ssl_read_eof, 1 },
    { &tunable_strict_ssl_write_shutdown, 0 },
    { &tunable_ssl_request_cert, 1 },
    { &tunable_delete_failed_uploads, 0 },
    { &tunable_implicit_ssl, 0 },
    { &tunable_ptrace_sandbox, 0 },
    { &tunable_require_ssl_reuse, 1 },
    { &tunable_isolate, 1 },
    { &tunable_isolate_network, 1 },
    { &tunable_ftp_enable, 1 },
    { &tunable_http_enable, 0 },
    { &tunable_http_browse, 0 },
    { &tunable_convert_charset_enable, 0 },
    { &tunable_local_codepage, 0 },
    { &tunable_remote_codepage, 0 },
    { &tunable_anon_delete_enable, 1 },
    { &tunable_add_default_rule, 0 },
    { &tunable_chown_by_ip, 0 },
    { &tunable_tpm_allow_anon_root_access, 0 },
    { &tunable_double_377, 1 },
    { &tunable_anon_rxtx_rate, 0 },
    { &tunable_local_rxtx_rate, 0 },
    { &tunable_chown_group, 0 },
    { &tunable_anti_bruteforce, 0 },
    { &tunable_users_access_ip_deny, 0 },
    { &tunable_seccomp_sandbox, 1 },
    { &tunable_allow_writeable_chroot, 0 },
  };
  static const struct
  {
    unsigned int* p_slot;
    unsigned int value;
  } s_uint_defaults[] = {
    { &tunable_accept_timeout, 60 },
    { &tunable_connect_timeout, 60 },
    { &tunable_local_umask, 077 },
    { &tunable_anon_umask, 077 },
    { &tunable_ftp_data_port, 20 },
    { &tunable_idle_session_timeout, 300 },
    { &tunable_data_connection_timeout, 300 },
    /* IPPORT_USERRESERVED + 1 */
    { &tunable_pasv_min_port, 5001 },
    { &tunable_pasv_max_port, 0 },
    { &tunable_anon_max_rate, 0 },
    { &tunable_anon_max_rate_rx, 0 },
    { &tunable_anon_max_rate_tx, 0 },
    { &tunable_local_max_rate, 0 },
    { &tunable_local_max_rate_rx, 0 },
    { &tunable_local_max_rate_tx, 0 },
    /* IPPORT_FTP */
    { &tunable_listen_port, 21 },
    { &tunable_max_clients, 2000 },
    /* -rw-rw-rw- */
    { &tunable_file_open_mode, 0666 },
    { &tunable_max_per_ip, 50 },
    { &tunable_trans_chunk_size, 0 },
    { &tunable_delay_failed_login, 1 },
    { &tunable_delay_successful_login, 0 },
    { &tunable_max_login_fails, 3 },
    /*
     * 0666 is -rw-rw-rw-, i.e. world-writable.  NOTE(review): the comment
     * previously attached to this entry said -rw------- (0600); the value
     * and the stated intent disagree -- confirm which one is meant.
     */
    { &tunable_chown_upload_mode, 0666 },
  };
  static const struct
  {
    const char* p_value;
    const char** p_slot;
  } s_str_defaults[] = {
    { "/usr/share/empty", &tunable_secure_chroot_dir },
    { "ftp", &tunable_ftp_username },
    { "root", &tunable_chown_username },
    { "/var/log/xferlog", &tunable_xferlog_file },
    { "/var/log/vsftpd.log", &tunable_vsftpd_log_file },
    { ".message", &tunable_message_file },
    { "nobody", &tunable_nopriv_user },
    { 0, &tunable_ftpd_banner },
    { VSF_CONFIG_PATH VSF_CONFIG_PREFIX "banned_emails", &tunable_banned_email_file },
    { VSF_CONFIG_PATH VSF_CONFIG_PREFIX "chroot_list", &tunable_chroot_list_file },
    { "vsftpd", &tunable_pam_service_name },
    { "ftp", &tunable_guest_username },
    { VSF_CONFIG_PATH VSF_CONFIG_PREFIX "user_list", &tunable_userlist_file },
    { VSF_CONFIG_PATH VSF_CONFIG_PREFIX "ssl_user_list", &tunable_ssl_userlist_file },
    { 0, &tunable_anon_root },
    { 0, &tunable_local_root },
    { 0, &tunable_banner_file },
    { 0, &tunable_pasv_address },
    { 0, &tunable_listen_address },
    { 0, &tunable_user_config_dir },
    { 0, &tunable_listen_address6 },
    { 0, &tunable_cmds_allowed },
    { 0, &tunable_cmds_denied },
    { 0, &tunable_hide_file },
    { 0, &tunable_deny_file },
    { 0, &tunable_user_sub_token },
    { VSF_CONFIG_PATH VSF_CONFIG_PREFIX "email_passwords", &tunable_email_password_file },
    { "/usr/share/ssl/certs/vsftpd.pem", &tunable_rsa_cert_file },
    { 0, &tunable_dsa_cert_file },
    { "ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers },
    { 0, &tunable_rsa_private_key_file },
    { 0, &tunable_dsa_private_key_file },
    { 0, &tunable_ca_certs_file },
    { "NONE", &tunable_local_charset },
    { "NONE", &tunable_remote_charset },
    { VSF_CONFIG_PATH VSF_CONFIG_PREFIX "pasv_rules", &tunable_pasv_addr_rules },
    { VSF_CONFIG_PATH VSF_CONFIG_PREFIX "users_ip", &tunable_users_access_ip },
    { 0, &tunable_anti_bruteforce_banner },
    { 0, &tunable_http_error_403_server_tpl },
    { 0, &tunable_http_error_403_tpl },
    { 0, &tunable_http_error_404_tpl },
    { 0, &tunable_http_browse_tpl },
    { 0, &tunable_http_browse_line_tpl },
    { 0, &tunable_http_default_index },
  };
  unsigned int i;

  /* Plain stores for the numeric tunables, in table order. */
  for (i = 0; i < sizeof(s_int_defaults) / sizeof(s_int_defaults[0]); ++i)
  {
    *s_int_defaults[i].p_slot = s_int_defaults[i].value;
  }
  for (i = 0; i < sizeof(s_uint_defaults) / sizeof(s_uint_defaults[0]); ++i)
  {
    *s_uint_defaults[i].p_slot = s_uint_defaults[i].value;
  }
  /* Strings are copied (or cleared, for a 0 value) via the owning helper. */
  for (i = 0; i < sizeof(s_str_defaults) / sizeof(s_str_defaults[0]); ++i)
  {
    install_str_setting(s_str_defaults[i].p_value, s_str_defaults[i].p_slot);
  }
}
357 
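/*
 * Replace the string held in *p_storage with a private heap copy of p_value.
 *
 * p_value   - new value, or 0 to clear the slot.  It is not retained; a copy
 *             is made with vsf_sysutil_strdup().
 * p_storage - slot to update.  Whatever string is already installed there is
 *             released with vsf_sysutil_free(), so the slot must hold either
 *             0 or a pointer previously installed by this function.
 *
 * The copy is taken before the old value is freed, so a caller that passes
 * the slot's current contents as p_value (p_value == *p_storage) gets a fresh
 * copy instead of a use-after-free.
 */
static void
install_str_setting(const char* p_value, const char** p_storage)
{
  const char* p_old_val = *p_storage;
  const char* p_new_val = 0;
  if (p_value != 0)
  {
    p_new_val = vsf_sysutil_strdup(p_value);
  }
  *p_storage = p_new_val;
  /* Only now is it safe to drop the previous value. */
  if (p_old_val != 0)
  {
    vsf_sysutil_free((char*) p_old_val);
  }
}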
372