From 0ea5c7fdb4be3d2f5cc45253dcafd29856fd9e33 Mon Sep 17 00:00:00 2001
From: Jan Chaloupka <jchaloup@redhat.com>
Date: Mon, 29 Sep 2014 21:35:56 +0200
Subject: [PATCH] vsftpd.5 isolate_* options
|
---
vsftpd/man5/vsftpd.conf.5 | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
|
diff --git a/vsftpd/man5/vsftpd.conf.5 b/vsftpd/man5/vsftpd.conf.5
index 08aaf81..3aed7fc 100644
--- a/vsftpd/man5/vsftpd.conf.5
+++ b/vsftpd/man5/vsftpd.conf.5
@@ -644,6 +644,21 @@ change it with the setting
.BR xferlog_file .
|
Default: NO
+.TP
+.B isolate_network
+If enabled, use CLONE_NEWNET to isolate the untrusted processes so that
+they can't do arbitrary connect() and instead have to ask the privileged
+process for sockets (
+.BR port_promiscuous
+have to be disabled).
+
+Default: YES
+.TP
+.B isolate
+If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes to their
+ipc and pid namespaces. So separated processes can not interact with each other.
+
+Default: YES
|
.SH NUMERIC OPTIONS
Below is a list of numeric options. A numeric option must be set to a non
@@ -741,8 +756,9 @@ Default: 077
.B max_clients
If vsftpd is in standalone mode, this is the maximum number of clients which
may be connected. Any additional clients connecting will get an error message.
+The value 0 switches off the limit.
|
-Default: 0 (unlimited)
+Default: 2000
.TP
.B max_login_fails
After this many login failures, the session is killed.
@@ -752,9 +768,9 @@ Default: 3
.B max_per_ip
If vsftpd is in standalone mode, this is the maximum number of clients which
may be connected from the same source internet address. A client will get an
-error message if they go over this limit.
+error message if they go over this limit. The value 0 switches off the limit.
|
-Default: 0 (unlimited)
+Default: 50
.TP
.B pasv_max_port
The maximum port to allocate for PASV style data connections. Can be used to
--
1.9.3
|