Detailed analysis of compiling and installing vsFTP 3.0.3

Vulnerability Details

VSFTP is a set of FTP server software used on Unix-like systems released based on GPL. The software supports virtual users, two authentication methods (PAP or xinetd/tcp_wrappers), bandwidth limitation, etc.

A security vulnerability exists in VSFTP because the program does not properly handle the 'deny_file' option. A remote attacker could exploit this vulnerability to bypass access restrictions.

The following products and versions are affected: VSFTP 3.0.2 and earlier versions, OpenSUSE 13.1 and 13.2 versions.

Affected Products

Vsftpd Vsftpd 3.0.2

There are generally three ways to log in to FTP:
Anonymous user mode: In the default installation, the system only provides anonymous user access. You only need to enter the user anonymous/ftp and use your email as the password to log in.
Local user mode: The user name in /etc/passwd is used as the authentication method.
Virtual user mode: supports saving user names and passwords in files or databases, and mapping logged-in users to specified system accounts (/sbin/nologin) to access resources. These virtual users are FTP users.
Experimental environment: CentOS 7.5 192.168.2.3
Firewalld, iptables and SElinux are all disabled
The following experiment uses a virtual user based on PAM. You need to use yum to install the PAM components first:
Need to use epel source
yum -y install epel-release && yum -y install pam pam-devel db4-utils
In the default configuration, vsftpd needs to use the nobody user.
Download from the official website https://www.linuxfromscratch.org/blfs/view/svn/server/vsftpd.html
wget https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
tar xf vsftpd-3.0.3.tar.gz
cd vsftpd-3.0.3/

There is no configure file in the source package of vsftpd, so compile and install it directly
make clean && make -j 4 && make install
If an error occurs during compilation
/usr/bin/ld: cannot find -lcap
Find the .so file
find / -name "*libcap.so*"
/usr/lib64/libcap.so.2.22
/usr/lib64/libcap.so.2
ln -sv /usr/lib64/libcap.so.2 /usr/lib64/libcap.so

Default configuration:
Default configuration:
Main program file: /usr/local/sbin/vsftpd
Main configuration file: /etc/vsfptd.conf
PAM authentication file: /etc/pam.d/vsftpd
Anonymous user home directory: /var/ftp
Download directory for anonymous users: /var/ftp/pub
There are two main security principles of vsftpd:
Only virtual users are allowed to log in, and local users and anonymous users are disabled.
Running with root privileges is not allowed.
Create a directory to store configuration files
mkdir /etc/vsftpd
Copy the new configuration file to the /etc/vsftpd directory

Create users and shared directories and directory permissions

Create a plain text file for the virtual user password and use the db4-utils component installed earlier to generate a password authentication file:
vim /etc/vsftpd/access.txt

zhangsan #Username
123456 #password
lisi
123456 usage

The db4-utils component installed earlier generates the password authentication file:
db_load -T -t hash -f /etc/vsftpd/access.txt /etc/vsftpd/access.db

Edit the PAM authentication file for vsftpd:
vim /etc/pam.d/vsftpd

auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/access
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/access

Edit the main configuration file /etc/vsftpd/vsftpd.conf
cp /etc/vsftpd/vsftpd.conf{,.bak}
vim /etc/vsftpd/vsftpd.conf
#Disallow anonymous users

anonymous_enable=NO
local_enable=YES
write_enable=YES

#Do not start the lock user list. All users will be locked and not allowed to access the parent directory. They are only allowed to access their home directory. chroot_local_user=YES
chroot_list_enable=NO

#Start log
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/etc/vsftpd/vsftpd.log

# Enable virtual user guest_enable=YES
#FTP virtual user corresponding to the system user guest_username = vsftpd
#PAM authentication file /etc/pam.d/vsftpd
pam_service_name=vsftpd

virtual_use_local_privs=YES

Write the vsftpd startup script: /etc/init.d/vsftpd

#!/bin/bash
#
# vsftpd This shell script takes care of starting and stopping
# standalone vsftpd.
#
# chkconfig: -60 50
# description: Vsftpd is a ftp daemon, which is the program
# that answers incoming ftp service requests.
# processname: vsftpd
# config: /etc/vsftpd/vsftpd.conf
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
[ -x /usr/local/sbin/vsftpd ] || exit 0
RETVAL=0
prog="vsftpd"
start() {
        # Start daemons.
        if [ -d /etc/vsftpd ] ; then
                for i in `ls /etc/vsftpd/*.conf`; do
                        site=`basename $i .conf`
                        echo -n $"Starting $prog for $site: "
                        /usr/local/sbin/vsftpd $i &
                        RETVAL=$?
                        [ $RETVAL -eq 0 ] && {
                           touch /var/lock/subsys/$prog
                           success $"$prog $site"
                        }
                        echo
                done
        else
                RETVAL=1
        fi
        return $RETVAL
}
stop() {
        # Stop daemons.
        echo -n $"Shutting down $prog: "
        killproc $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        return $RETVAL
}
# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f /var/lock/subsys/$prog ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
  status)
        status $prog
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac
exit $RETVAL

Add execution permissions

Modify the file /etc/xinetd.d/vsftpd to start vsftpd without using the xinetd daemon
sed -in 's/disable.*=.*/disable = yes/g' /etc/xinetd.d/vsftpd
sed -in 's/disable.*=.*/disable = yes/g' /etc/xinetd.d/vsftpdn

Start vsftpd
servicevsftpd start

Start the machine and restart the test
chkconfig vsftpd on

The above is the detailed content of compiling and installing vsFTP 3.0.3. For more information about compiling and installing vsFTP 3.0.3, please pay attention to other related articles on 123WORDPRESS.COM!

You may also be interested in: