author abs <abs@pkgsrc.org> 2010-11-08 17:10:55 +0000
committer abs <abs@pkgsrc.org> 2010-11-08 17:10:55 +0000
commit 1bd7bbd3dca5b3e5ec046cbf40fa10feae471e76
tree 63a4fcea45c96f5e1d18ae1a8052c11324a60be6
parent 70829230ce4ffdf9bea6ebb2131d31bce3ae5fc6
Updated net/vsftpd to 2.3.2
Changes since 2.0.7
- Remove .postlogin.c.swp (thanks Kaibin Li <kbli@fortinet.com>)!
- findlibs repairs for libcap; builds on my Ubuntu 6.06 again.
- Apply patch to fix "error: assignment of read-only member '__in'" build error on broken systems where the WIFEXITED() etc. macros write to their argument. Thanks Ingo Terpelle <it@exanto.de>.
- Replace spaces in xferlog with underscores, report from Michael Wittauer <michael.wittauer@sonydadc.com>.
- Reload default config values before re-parsing config file on SIGHUP. This makes the values correct in the case a setting was removed from the file.
- Do not issue an FTP response for a blank line on the control channel. Fixes issues with some broken NAT devices. ProFTPd does the same, so hopefully nothing will break. Report from Frank Bulk <fbulk@mypremieronline.com>.
- Replace usage of broken _syscall() with syscall(). Fixes build errors for those without libcap-devel installed.
- Add implicit SSL support with implicit_ssl option.
- Remove arbitrary restriction on one process model + SSL.
- Set a session ID on the SSL context.
- Add the skeleton of a built-in ptrace sandbox. Not yet useful for anything other than catching compile errors. Yes, I'm crazy :P
- Use PR_SET_PDEATHSIG all over the place so that when the listener is killed, existing sessions are booted too.
- Use SSL_peek; makes SSL pipelining work. Note that I never found any SSL client that needs it, but still a nice code clean-up.
- Change ASCII download behaviour so \r\n does not become \r\r\n. This mirrors proftpd behaviour instead of wu-ftpd. Thanks Paul Abel <pabel@fexcodcc.com>.
- Switch all sighandlers to the synchronous ones. Prevents us having to block and unblock signals all the time.
- Add a "use alarm" option to synchronous signal handlers, to ensure the race condition against a blocking call does not result in a permanent non-delivery.
- Use SIGTERM for privileged parent process shutdown, so they can still update u/wtmp properly.
- Do RAND_load_file from /dev/urandom in the child context because I don't trust the OpenSSL API vs. fork(). Different children do have different RNG state; this is defense in depth.
- More thoroughly close the remote ends of the priv_sock, ensuring that child death results in no blocking in the parent. This is a matter of tidiness; the SIGCHLD handler will reliably tear down the parent.
- Do the same for the SSL slave / consumer channels.
- Fix OpenBSD build.
- Move SSL data handling into the SSL slave process. Incurs some extra overhead in terms of context switches and copies, but it enables this next item:
- By default, require SSL data connections to exhibit SSL session re-use of the control channel. Unlike the cert thing, this _is_ something we can turn on by default as most clients seem to do reuse. Yay.
- Change 522 response for SSL connection fail to note when session reuse is required.
(v2.1.0pre1 here)
- More work on the inbuilt ptrace()-sandbox support.
- Clear the idle alarm when starting data transfer if there is no data alarm.
- Fix syslog format; don't embed 2nd copy of date, pid. Thanks to Ren
- Lock file before truncating it for upload. Fixes various simultaneous upload corruption issues.
- Make sure to give 426 error code on uploads if ABOR was received.
- Add cmds_denied option to complement cmds_allowed.
- Ignore lines in config file containing only white space.
- Require write_enable / anon_upload_enable / etc. to process STOU.
- FC10 patch (vsftpd-1.0.1-missingok.patch): tweak to logrotate file.
- FC10 patch (vsftpd-1.2.1-nonrootconf.patch): bail if the config file is not owned by the currently running user.
- FC10 patch (vsftpd-2.0.1-tcp_wrappers.patch): explicitly call openlog() to avoid syslog() bug where some settings are not initialized.
- FC10 patch (vsftpd-2.0.3-daemonize_fds.patch): when backgrounding, replace fd 0,1,2 with /dev/null fd.
- FC10 patch (vsftpd-2.0.5-correct_comments.patch): comment tweaks in the sample config file.
- FC10 patch (vsftpd-2.0.5-fix_unique.patch): use the default filename given by STOU if it is available.
- FC10 patch (vsftpd-2.0.5-pam_end.patch): call pam_end() properly so modules can act on errors if they want.
- FC10 patch (vsftpd-2.0.5-pasv_dot.patch): Strict RFC compliance for PASV command; add a trailing period.
- FC10 patch (vsftpd-2.0.5-uname_size.patch): allow longer usernames. It's not 1990 any more, so trust PAM etc. to not stack-buffer-overflow.
- FC10 patch (vsftpd-2.0.5-underscore_uname.patch): permit username to start with underscore or period.
- FC10 patch (vsftpd-2.0.6-listen.patch): default listen to YES.
- Fix crash on SIGHUP introduced in 2.1.0pre1. Oops.
- FC10 patch (vsftpd-2.0.5-bind_denied.patch): retry PASV bind() on EACCES too, which can happen on SELinux systems.
- Default resource limit for child processes: 100MB address space.
- Finishing touches to the initial sandbox policy; only permit connect() to the host on the control channel being the nicest touch.
(v2.1.0pre2 here)
- Fix 64-bit build (oops)! Thanks Martin Nagy <mnagy@redhat.com>.
- Fix config of SSL built in; not enabled; two process model. Report from Martin.
- Shutdown the command connection in the priv parent's SIGTERM handler; kills of children where the PR_SET_PDEATHSIG cannot due to different user ids.
(v2.1.0pre3 here)
- Fix build on FC10.
- Some FAQ tweaks.
- Permit fcntl(F_GETFD) in sandbox policy. Needed for FC10. Not sure where it comes from but it is harmless. (My guess would be glibc-2.9's new support for using O_CLOEXEC more).
- Fix build warning on 64-bit.
- Fix build on OpenBSD again.
(v2.1.0pre4 here)
- Bring userlist_deny handling inside the max_login_fail accounting.
At this point: v2.1.0 released!
===============================
- Apply Tavis' RLIMIT_NOFILE trick in the twoprocess model's initial unprivileged child.
- Fix build error due to __NR_utimes.
- Ugh. Can't use RLIMIT_NOFILE in the SSL case because the process later receives data transfer fd's via recvmsg(). It's a total shame because doing the SSL handshake under even lower privs would be a real boost.
(v2.1.1pre1 here)
- Fix some declarations occurring in the middle of a block; broke older more strict compilers.
- Handle the case where libcap is now libcap.so.2; fixes build on my new Ubuntu 9.04.
- Enhance 522 error message to point to require_ssl_reuse option.
- Fix NASTY regression whereby data transfer timeouts would fire incorrectly under SSL transfers. In addition, the transfer rate caps were not working under SSL transfers. Reported by several people.
- Use the login delay machinery for userlist-based denials too. Thanks to Tomas Hoger <thoger@redhat.com> for the patch.
- Fix another tedious regression whereby absent per-user config files were causing a session fail rather than being gracefully ignored.
- Use the somewhat new CLONE_NEWPID / CLONE_NEWIPC to provide more isolation in the vsftpd low-priv processes (CLONE_NEWNET pending).
- Use RLIMIT_NPROC to disallow fork()ing etc. in processes that do not need to create new ones.
- Add "isolate" config flag to disable the new weird clone() flags if necessary.
At this point: v2.1.1 released!
===============================
- Fix compile error in sysdeputil.c on some Linux systems.
At this point: v2.1.2 released!
===============================
- Fix compile on systems with no RLIMIT_NPROC, oops.
- Change some unsigned int to socklen_t's to avoid warnings on various platforms, e.g. AIX.
- Add some syscall constants to ptracesandbox.c to fix the build on systems with 2.4 kernel headers.
- Look for libs in /lib64 and /usr/lib64 too (Fixes Fedora 11 x86_64 compile).
- Fix EACCES mapping, thanks Solar Designer <solar@openwall.com>.
- Don't emit a bogus "OOPS: " message upon a QUIT, report from Solar Designer <solar@openwall.com>.
- Tweak example vsftpd.conf to add commented out chroot_local_user=YES, from Ivan I. Grushin <mcgru@intrice.ru>.
- Where available, use CLONE_NEWNET to isolate the untrusted processes so that they can't do arbitrary connect() and instead have to ask the privileged process for sockets. Moderate code disturbance - hope for no breakage :-/
- Disable implicit activation of one_process_model so that an anonymous setup can benefit from the no-network isolation of the unprivileged process (where available).
(vsftpd-2.2.0pre1)
- Call pam_get_item(PAM_USER) after authentication in case a PAM module remapped the username. Based on a patch from John McNair <john.mcnair@ihg.com>.
- Apply a couple of IPv6 fixes from Corinna Schultz <corinna.schultz@gmail.com>, particularly when MS operating systems are talking on link local addresses.
- Handle the error case for accepting a PASV connection in the two process model properly.
- Pull in a couple of minor tidyup patches from Openwall.
- Add "-o" command line option to specify option, e.g. vsftpd -olisten=NO. Also respect ordering with respect to config files, e.g. vsftpd -olisten=NO /etc/vsftpd.conf -olocal_enable=NO Inspiration from Solar / Openwall.
(vsftpd-2.2.0pre2)
- Revert listen to be "NO" by default and also set max_per_ip / max_clients to 2000 / 50 as a default. Thanks to Solar.
- Sanity check for admin: check config files are regular files.
- Error out if opening the per-user config file gives an error other than ENOENT. Thanks Solar (who is on fire today ;-)
(vsftpd-2.2.0pre3)
- Apply some typo fixes from Solar.
- Error out on read() errors when reading config files.
(vsftpd-2.2.0pre4)
- Add tunable_isolate_network to parseconf.c, thanks Stefan Pfetzing <dreamind@dreamind.de>.
- Don't try and use CLONE_NEWPID etc. if we get EPERM -- may happen even to root if using linux-vserver. Also thanks to Stefan Pfetzing <dreamind@dreamind.de>.
- Couple of typo tweaks from Cristi Terpea <cristi.terpea@fortech.ro>.
- Change // style comments to /* style.
- Fix pointer aliasing issue in new PAM_USER item support, thanks to Solar.
At this point: v2.2.0 released!
===============================
- Apply patch to set SSL context timeout to maximum, from Tim Kosse <tim.kosse@filezilla-project.org>. Should prevent data connection failures after a long transfer or idle period.
- Apply async-safety signal tweaks from Solar.
- Fix crash regression with the pasv_address option enabled.
- Typo fix and look for libnsl in /lib64, from Robby Workman <rworkman@slackware.com>.
- When asking the client to send us a cert, make sure we broadcast some suitable certificates. Fixes compatibility with the z/OS FTP client when tunable_ssl_request_cert=YES.
- Rip out the silly "cached time" concept. Simplifies things and fixes incorrect transfer time bug reported by Rajeev V. Pillai. Explicitly pass around the cached current time in seconds in the one place that needs to avoid repeated gettimeofday() calls (directory listing).
- Do the login fail delay in the parent process for cases where we checked a username / password.
At this point: v2.2.1 released!
===============================
- Change "File receive OK." to "Transfer complete." to placate some broken clients. Thanks Holger Kiehl <Holger.Kiehl@dwd.de>.
- Fix erroneous "child died" upon FTP client connect, when under load. Awesome thanks to Holger Kiehl <Holger.Kiehl@dwd.de> for running diagnostic tests on his live server.
- Boot the session if an overly long line is encountered.
(vsftpd-2.2.2pre1)
At this point: v2.2.2 released!
===============================
- Add extremely simple HTTP support. It's very experimental, ignorant of HTTP protocol and headers, and likely has all sorts of other issues. The use case it might satisfy is if you need to serve simple static unauthenticated content with large levels of paranoia.
- Fix port_promiscuous breakage. Report from Soeren <soeren84@fastmail.net>.
(v2.3.0pre1)
- Minor FAQ update.
- Use a larger address space limit if using text_userdb_names=YES
- Always use CLONE_NEWNET if possible when in HTTP mode.
- Change REST + STOR so that it's possible to overwrite part of file without truncating it.
(v2.3.0pre2)
- Boot the session if we see a USER where encryption was required. May prevent the transmission of plaintext passwords by buggy clients. Idea from Marcin Hlybin <marcin@rootnode.net>.
- Fix failure to transmit a large ASCII file over SSL, if it contains \n -> \r\n fixups.
At this point: v2.3.0 released!
===============================
- Fix silly regression re: log files being overwritten from the start.
- Rename a few file-open functions to make it clearer what they do.
At this point: v2.3.1 released!
===============================
- Argh! Fix version number.
At this point: v2.3.2 released!
===============================
-rw-r--r-- net/vsftpd/Makefile 23
-rw-r--r-- net/vsftpd/distinfo 20
-rw-r--r-- net/vsftpd/patches/patch-aa 6
-rw-r--r-- net/vsftpd/patches/patch-ab 8
-rw-r--r-- net/vsftpd/patches/patch-ac 23
-rw-r--r-- net/vsftpd/patches/patch-ad 77
-rw-r--r-- net/vsftpd/patches/patch-ae 37
-rw-r--r-- net/vsftpd/patches/patch-af 21
8 files changed, 120 insertions, 95 deletions
diff --git a/net/vsftpd/Makefile b/net/vsftpd/Makefile
index 8770f07f2ad..02d3cb2d24d 100644
--- a/net/vsftpd/Makefile
+++ b/net/vsftpd/Makefile
@@ -1,13 +1,14 @@
-# $NetBSD: Makefile,v 1.31 2009/11/15 08:03:19 snj Exp $
+# $NetBSD: Makefile,v 1.32 2010/11/08 17:10:55 abs Exp $
#
-DISTNAME= vsftpd-2.0.7
+DISTNAME= vsftpd-2.3.2
CATEGORIES= net
MASTER_SITES= ftp://vsftpd.beasts.org/users/cevans/
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://vsftpd.beasts.org/
COMMENT= FTP server that aims to be very secure
+LICENSE= gnu-gpl-v2
PKG_DESTDIR_SUPPORT= user-destdir
@@ -16,13 +17,7 @@ PKG_SYSCONFSUBDIR= vsftpd
BUILD_TARGET= vsftpd
RCD_SCRIPTS= vsftpd
-PKG_GROUPS_VARS+= VSFTPD_GROUP
-PKG_USERS_VARS+= VSFTPD_USER
-
-VSFTPD_USER?= vsftpd
-VSFTPD_GROUP?= vsftpd
-PKG_GROUPS= ${VSFTPD_GROUP}
-PKG_USERS= ${VSFTPD_USER}:${VSFTPD_GROUP}
+BUILD_DEFS+= VARBASE
DOCDIR= ${PREFIX}/share/doc/vsftpd
EGDIR= ${PREFIX}/share/examples/vsftpd
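Review bot: BUILD_DEFS+= VARBASE is declared here, but none of the lines shown in this commit reference ${VARBASE}. The one /var path the commit touches, the secure_chroot_dir default in patch-ad, is the literal "/var/chroot/vsftpd". Either substitute VARBASE into that default the same way PKG_SYSCONFDIR is passed through CFLAGS, or note where VARBASE is actually consumed so the build definition is not misleading on systems with a non-default VARBASE.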
@@ -39,10 +34,18 @@ SUBST_FILES.paths= vsftpd.8 vsftpd.conf.5 vsftpd.conf
SUBST_SED.paths+= -e 's,@PKG_SYSCONFDIR@,${PKG_SYSCONFDIR},g'
SUBST_STAGE.paths= post-patch
-MAKE_ENV+= LIBS=${LIBS:M*:Q}
+MAKE_ENV+= LIBS=${LIBS:Q}
.include "../../mk/bsd.prefs.mk"
+VSFTPD_USER?= vsftpd
+VSFTPD_GROUP?= vsftpd
+PKG_GROUPS= ${VSFTPD_GROUP}
+PKG_USERS= ${VSFTPD_USER}:${VSFTPD_GROUP}
+
+PKG_GROUPS_VARS+= VSFTPD_GROUP
+PKG_USERS_VARS+= VSFTPD_USER
+
CFLAGS+= -DPKG_SYSCONFDIR="\"${PKG_SYSCONFDIR}\""
LIBS.SunOS= -lsocket -lnsl -lrt -lsendfile -lresolv
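Review bot: On the MAKE_ENV line, changing ${LIBS:M*:Q} to ${LIBS:Q} drops the word-normalising step, so any leading or trailing whitespace in LIBS is now quoted and passed into the build environment instead of being trimmed first. LIBS.SunOS just below is a multi-word value, so please confirm the SunOS link line is unchanged or keep the :M*:Q form, and say in the commit message why the modifier was removed. Moving the VSFTPD_USER and VSFTPD_GROUP defaults below the bsd.prefs.mk include looks intentional and would also deserve a line in the message.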
diff --git a/net/vsftpd/distinfo b/net/vsftpd/distinfo
index 4a7c0dcb95e..421d2ce03a2 100644
--- a/net/vsftpd/distinfo
+++ b/net/vsftpd/distinfo
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.11 2008/11/03 05:29:29 obache Exp $
+$NetBSD: distinfo,v 1.12 2010/11/08 17:10:55 abs Exp $
-SHA1 (vsftpd-2.0.7.tar.gz) = 760afe849d1ebe10592ef29032b6e00e7f1bbf79
-RMD160 (vsftpd-2.0.7.tar.gz) = 8947c7ae00214fb30c9d7d2cfba5116643e1d8c7
-Size (vsftpd-2.0.7.tar.gz) = 162801 bytes
-SHA1 (patch-aa) = 323f694874777747ce525aa9ebb5d740684ec553
-SHA1 (patch-ab) = 18431ae27f53270ad4c19b0530e55348397fe143
-SHA1 (patch-ac) = 49269d863fd232d1e78cda039ae1a67368acfe1e
-SHA1 (patch-ad) = a6b0f1cd2e2d5168769e85b151125b7f381b7908
-SHA1 (patch-ae) = 373edb952206871b0b5c3e06fd5b90e25000f284
-SHA1 (patch-af) = 95ef9625fed7fd596a9dcd8e12c28a2de989ff4a
+SHA1 (vsftpd-2.3.2.tar.gz) = d525974514ecf61cbbf9cb51066aa68d5a52033b
+RMD160 (vsftpd-2.3.2.tar.gz) = 27bdc9d3065390a9dc85b3ef5926ad16d3544d2d
+Size (vsftpd-2.3.2.tar.gz) = 187229 bytes
+SHA1 (patch-aa) = ed5c8834137c28c63cf12505969e0500985d5909
+SHA1 (patch-ab) = df9252f99d06a4742713c36ce6bff8908da171f7
+SHA1 (patch-ac) = 2dcfae2eb16b2053f07eb3ee8f6d4af4b30d9799
+SHA1 (patch-ad) = 8b09a8fbc84f51c7334d6ab08e0a98b2e31c4fa0
+SHA1 (patch-ae) = ba770387570d202b440593d6c7cbd8d53d411a41
+SHA1 (patch-af) = 3ac549f091e6285298f9508a5fec40bd97b7d9d1
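Review bot: The new vsftpd-2.3.2.tar.gz digests are the only integrity check visible for a distfile that MASTER_SITES in the Makefile fetches over plain ftp://, and the commit message does not say how the tarball was verified before these SHA1 and RMD160 values were recorded. For a jump across this many upstream releases of a network daemon, state in the commit message what the tarball was checked against (for example an upstream signature, if one is published) so the recorded digests are not just a hash of whatever the FTP fetch returned.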
diff --git a/net/vsftpd/patches/patch-aa b/net/vsftpd/patches/patch-aa
index 740e01eb715..22e1e54314a 100644
--- a/net/vsftpd/patches/patch-aa
+++ b/net/vsftpd/patches/patch-aa
@@ -1,6 +1,8 @@
-$NetBSD: patch-aa,v 1.4 2006/05/16 21:08:50 joerg Exp $
+$NetBSD: patch-aa,v 1.5 2010/11/08 17:10:55 abs Exp $
---- Makefile.orig 2005-06-29 00:24:03.000000000 +0200
+Remove unconditional Makefile variable definitions
+
+--- Makefile.orig 2009-05-22 19:44:52.000000000 +0000
+++ Makefile
@@ -1,12 +1,6 @@
# Makefile for systems with GNU tools
diff --git a/net/vsftpd/patches/patch-ab b/net/vsftpd/patches/patch-ab
index 84794351449..a5ed8e982e5 100644
--- a/net/vsftpd/patches/patch-ab
+++ b/net/vsftpd/patches/patch-ab
@@ -1,7 +1,9 @@
-$NetBSD: patch-ab,v 1.1 2003/05/09 23:31:40 salo Exp $
+$NetBSD: patch-ab,v 1.2 2010/11/08 17:10:55 abs Exp $
---- defs.h.orig 2002-07-10 00:51:57.000000000 +0200
-+++ defs.h 2003-05-09 23:54:18.000000000 +0200
+Use PKG_SYSCONFDIR instead of hardcoding /etc
+
+--- defs.h.orig 2010-08-06 00:43:50.000000000 +0000
++++ defs.h
@@ -1,7 +1,7 @@
#ifndef VSF_DEFS_H
#define VSF_DEFS_H
diff --git a/net/vsftpd/patches/patch-ac b/net/vsftpd/patches/patch-ac
index 8be96b06f0b..f624ba5b668 100644
--- a/net/vsftpd/patches/patch-ac
+++ b/net/vsftpd/patches/patch-ac
@@ -1,6 +1,8 @@
-$NetBSD: patch-ac,v 1.3 2006/01/13 18:12:46 wiz Exp $
+$NetBSD: patch-ac,v 1.4 2010/11/08 17:10:55 abs Exp $
---- vsftpd.conf.orig 2005-05-21 00:52:54.000000000 +0200
+Use PKG_SYSCONFDIR instead of hardcoding /etc
+
+--- vsftpd.conf.orig 2009-10-19 02:04:23.000000000 +0000
+++ vsftpd.conf
@@ -1,4 +1,4 @@
-# Example config file /etc/vsftpd.conf
@@ -8,7 +10,7 @@ $NetBSD: patch-ac,v 1.3 2006/01/13 18:12:46 wiz Exp $
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
-@@ -86,14 +86,14 @@ connect_from_port_20=YES
+@@ -87,7 +87,7 @@ connect_from_port_20=YES
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
@@ -17,7 +19,8 @@ $NetBSD: patch-ac,v 1.3 2006/01/13 18:12:46 wiz Exp $
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
- # users to NOT chroot().
+@@ -95,7 +95,7 @@ connect_from_port_20=YES
+ #chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
-#chroot_list_file=/etc/vsftpd.chroot_list
@@ -25,15 +28,3 @@ $NetBSD: patch-ac,v 1.3 2006/01/13 18:12:46 wiz Exp $
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
-@@ -101,3 +101,11 @@ connect_from_port_20=YES
- # the presence of the "-R" option, so there is a strong case for enabling it.
- #ls_recurse_enable=YES
-
-+# By default the server will run standalone. Comment out the option below if
-+# running from inetd.
-+listen=YES
-+
-+# Like the listen parameter, except vsftpd will listen on an IPv6 socket
-+# instead of an IPv4 one. This parameter and the listen parameter are mutually
-+# exlusive.
-+#listen_ipv6=YES
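Review bot: Dropping the listen=YES block from the sample vsftpd.conf (the removed "@@ -101,3 +101,11 @@" section) needs checking against the changelog entry in this commit's message that reverts the built-in listen default to "NO". The Makefile still installs an rc.d script via RCD_SCRIPTS= vsftpd, so if the 2.3.2 sample file does not already set listen=YES, a daemon started from that script with the example config would no longer run standalone. Please confirm the upstream sample carries the setting, or keep this part of the patch, and mention the behaviour change in the commit message either way.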
diff --git a/net/vsftpd/patches/patch-ad b/net/vsftpd/patches/patch-ad
index f1d61f450f6..ff56ae205c1 100644
--- a/net/vsftpd/patches/patch-ad
+++ b/net/vsftpd/patches/patch-ad
@@ -1,40 +1,43 @@
-$NetBSD: patch-ad,v 1.4 2008/09/22 11:02:21 abs Exp $
+$NetBSD: patch-ad,v 1.5 2010/11/08 17:10:55 abs Exp $
---- tunables.c.orig 2008-07-30 02:52:23.000000000 +0100
+Use PKG_SYSCONFDIR instead of hardcoding /etc
+
+--- tunables.c.orig 2010-03-17 02:44:31.000000000 +0000
+++ tunables.c
-@@ -104,19 +104,19 @@ unsigned int tunable_max_login_fails = 3
- /* -rw------- */
- unsigned int tunable_chown_upload_mode = 0600;
+@@ -250,19 +250,19 @@ tunables_load_defaults()
+ /* -rw------- */
+ tunable_chown_upload_mode = 0600;
--const char* tunable_secure_chroot_dir = "/usr/share/empty";
-+const char* tunable_secure_chroot_dir = "/var/chroot/vsftpd";
- const char* tunable_ftp_username = "ftp";
- const char* tunable_chown_username = "root";
- const char* tunable_xferlog_file = "/var/log/xferlog";
- const char* tunable_vsftpd_log_file = "/var/log/vsftpd.log";
- const char* tunable_message_file = ".message";
--const char* tunable_nopriv_user = "nobody";
-+const char* tunable_nopriv_user = "vsftpd";
- const char* tunable_ftpd_banner = 0;
--const char* tunable_banned_email_file = "/etc/vsftpd.banned_emails";
--const char* tunable_chroot_list_file = "/etc/vsftpd.chroot_list";
-+const char* tunable_banned_email_file = PKG_SYSCONFDIR"/vsftpd.banned_emails";
-+const char* tunable_chroot_list_file = PKG_SYSCONFDIR"/vsftpd.chroot_list";
- const char* tunable_pam_service_name = "ftp";
- const char* tunable_guest_username = "ftp";
--const char* tunable_userlist_file = "/etc/vsftpd.user_list";
-+const char* tunable_userlist_file = PKG_SYSCONFDIR"/vsftpd.user_list";
- const char* tunable_anon_root = 0;
- const char* tunable_local_root = 0;
- const char* tunable_banner_file = 0;
-@@ -128,8 +128,8 @@ const char* tunable_cmds_allowed = 0;
- const char* tunable_hide_file = 0;
- const char* tunable_deny_file = 0;
- const char* tunable_user_sub_token = 0;
--const char* tunable_email_password_file = "/etc/vsftpd.email_passwords";
--const char* tunable_rsa_cert_file = "/usr/share/ssl/certs/vsftpd.pem";
-+const char* tunable_email_password_file = PKG_SYSCONFDIR"/vsftpd.email_passwords";
-+const char* tunable_rsa_cert_file = PKG_SYSCONFDIR"/vsftpd.pem";
- const char* tunable_dsa_cert_file = 0;
- const char* tunable_ssl_ciphers = "DES-CBC3-SHA";
- const char* tunable_rsa_private_key_file = 0;
+- install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir);
++ install_str_setting("/var/chroot/vsftpd", &tunable_secure_chroot_dir);
+ install_str_setting("ftp", &tunable_ftp_username);
+ install_str_setting("root", &tunable_chown_username);
+ install_str_setting("/var/log/xferlog", &tunable_xferlog_file);
+ install_str_setting("/var/log/vsftpd.log", &tunable_vsftpd_log_file);
+ install_str_setting(".message", &tunable_message_file);
+- install_str_setting("nobody", &tunable_nopriv_user);
++ install_str_setting("vsftpd", &tunable_nopriv_user);
+ install_str_setting(0, &tunable_ftpd_banner);
+- install_str_setting("/etc/vsftpd.banned_emails", &tunable_banned_email_file);
+- install_str_setting("/etc/vsftpd.chroot_list", &tunable_chroot_list_file);
++ install_str_setting(PKG_SYSCONFDIR"/vsftpd.banned_emails", &tunable_banned_email_file);
++ install_str_setting(PKG_SYSCONFDIR"/vsftpd.chroot_list", &tunable_chroot_list_file);
+ install_str_setting("ftp", &tunable_pam_service_name);
+ install_str_setting("ftp", &tunable_guest_username);
+- install_str_setting("/etc/vsftpd.user_list", &tunable_userlist_file);
++ install_str_setting(PKG_SYSCONFDIR"/vsftpd.user_list", &tunable_userlist_file);
+ install_str_setting(0, &tunable_anon_root);
+ install_str_setting(0, &tunable_local_root);
+ install_str_setting(0, &tunable_banner_file);
+@@ -275,9 +275,9 @@ tunables_load_defaults()
+ install_str_setting(0, &tunable_hide_file);
+ install_str_setting(0, &tunable_deny_file);
+ install_str_setting(0, &tunable_user_sub_token);
+- install_str_setting("/etc/vsftpd.email_passwords",
++ install_str_setting(PKG_SYSCONFDIR"/vsftpd.email_passwords",
+ &tunable_email_password_file);
+- install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
++ install_str_setting(PKG_SYSCONFDIR"/vsftpd.pem",
+ &tunable_rsa_cert_file);
+ install_str_setting(0, &tunable_dsa_cert_file);
+ install_str_setting("DES-CBC3-SHA", &tunable_ssl_ciphers);
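Review bot: The new description line, "Use PKG_SYSCONFDIR instead of hardcoding /etc", covers only part of what this patch changes in tunables_load_defaults(). It also switches secure_chroot_dir from "/usr/share/empty" to "/var/chroot/vsftpd", nopriv_user from "nobody" to "vsftpd", and moves rsa_cert_file out of /usr/share/ssl/certs into PKG_SYSCONFDIR. The unprivileged account and the empty chroot jail are the security-relevant defaults here, so the comment should list them and say where the package creates that user and directory; the Makefile hunks shown set PKG_USERS but do not show the chroot directory being created.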
diff --git a/net/vsftpd/patches/patch-ae b/net/vsftpd/patches/patch-ae
index a85d8941173..48da54cbe19 100644
--- a/net/vsftpd/patches/patch-ae
+++ b/net/vsftpd/patches/patch-ae
@@ -1,6 +1,8 @@
-$NetBSD: patch-ae,v 1.4 2006/01/13 18:12:46 wiz Exp $
+$NetBSD: patch-ae,v 1.5 2010/11/08 17:10:55 abs Exp $
---- vsftpd.8.orig 2003-08-29 00:34:54.000000000 +0200
+Use PKG_SYSCONFDIR instead of hardcoding /etc
+
+--- vsftpd.8.orig 2009-07-17 20:56:23.000000000 +0000
+++ vsftpd.8
@@ -21,7 +21,7 @@ itself will listen on the network. This
recommended. It is activated by setting
@@ -11,11 +13,30 @@ $NetBSD: patch-ae,v 1.4 2006/01/13 18:12:46 wiz Exp $
Direct execution of the
.Nm vsftpd
binary will then launch the FTP service ready for immediate client connections.
-@@ -29,6 +29,6 @@ binary will then launch the FTP service
- An optional
- .Op configuration file
- may be given on the command line. The default configuration file is
--.Pa /etc/vsftpd.conf .
-+.Pa @PKG_SYSCONFDIR@/vsftpd.conf .
+@@ -33,7 +33,7 @@ as root. Any command line option not sta
+ as a config file that will be loaded. Note that config files are loaded in the
+ strict order that they are encountered on the command line.
+ If no config files are specified, the default configuration file of
+-.Pa /etc/vsftpd.conf
++.Pa @PKG_SYSCONFDIR@/vsftpd.conf
+ will be loaded, after all other command line options are processed.
+ .Pp
+ Supported options are:
+@@ -47,14 +47,14 @@ their appearance on the command line, in
+ config files.
+ .El
+ .Sh EXAMPLES
+-vsftpd -olisten=NO /etc/vsftpd.conf -oftpd_banner=blah
++vsftpd -olisten=NO @PKG_SYSCONFDIR@/vsftpd.conf -oftpd_banner=blah
+ .Pp
+ That example overrides vsftpd's built-in default for the "listen" option to be
+-NO, but then loads /etc/vsftpd.conf which may override that setting. Finally,
++NO, but then loads @PKG_SYSCONFDIR@/vsftpd.conf which may override that setting. Finally,
+ the "ftpd_banner" setting is set to "blah", which overrides any default vsftpd
+ setting and any identical setting that was in the config file.
+ .Sh FILES
+-.Pa /etc/vsftpd.conf
++.Pa @PKG_SYSCONFDIR@/vsftpd.conf
.Sh SEE ALSO
.Xr vsftpd.conf 5
+ .end
diff --git a/net/vsftpd/patches/patch-af b/net/vsftpd/patches/patch-af
index 11927434461..0c74bb4ce2d 100644
--- a/net/vsftpd/patches/patch-af
+++ b/net/vsftpd/patches/patch-af
@@ -1,5 +1,8 @@
-$NetBSD: patch-af,v 1.5 2008/09/22 11:02:21 abs Exp $
---- vsftpd.conf.5.orig 2008-07-30 02:56:30.000000000 +0100
+$NetBSD: patch-af,v 1.6 2010/11/08 17:10:55 abs Exp $
+
+Use PKG_SYSCONFDIR instead of hardcoding /etc
+
+--- vsftpd.conf.5.orig 2009-10-19 02:46:30.000000000 +0000
+++ vsftpd.conf.5
@@ -4,7 +4,7 @@ vsftpd.conf \- config file for vsftpd
.SH DESCRIPTION
@@ -28,7 +31,7 @@ $NetBSD: patch-af,v 1.5 2008/09/22 11:02:21 abs Exp $
.BR banned_email_file
setting.
-@@ -416,7 +416,7 @@ anonymous logins are prevented unless th
+@@ -433,7 +433,7 @@ anonymous logins are prevented unless th
file specified by the
.BR email_password_file
setting. The file format is one password per line, no extra whitespace. The
@@ -37,7 +40,7 @@ $NetBSD: patch-af,v 1.5 2008/09/22 11:02:21 abs Exp $
Default: NO
.TP
-@@ -747,7 +747,7 @@ passwords which are not permitted. This
+@@ -764,7 +764,7 @@ passwords which are not permitted. This
.BR deny_email_enable
is enabled.
@@ -46,7 +49,7 @@ $NetBSD: patch-af,v 1.5 2008/09/22 11:02:21 abs Exp $
.TP
.B banner_file
This option is the name of a file containing text to display when someone
-@@ -784,7 +784,7 @@ is enabled. If the option
+@@ -803,7 +803,7 @@ is enabled. If the option
is enabled, then the list file becomes a list of users to NOT place in a
chroot() jail.
@@ -55,7 +58,7 @@ $NetBSD: patch-af,v 1.5 2008/09/22 11:02:21 abs Exp $
.TP
.B cmds_allowed
This options specifies a comma separated list of allowed FTP commands (post
-@@ -836,7 +836,7 @@ This option can be used to provide an al
+@@ -864,7 +864,7 @@ This option can be used to provide an al
.BR secure_email_list_enable
setting.
@@ -64,7 +67,7 @@ $NetBSD: patch-af,v 1.5 2008/09/22 11:02:21 abs Exp $
.TP
.B ftp_username
This is the name of the user we use for handling anonymous FTP. The home
-@@ -941,7 +941,7 @@ This option should be the name of a dire
+@@ -969,7 +969,7 @@ This option should be the name of a dire
directory should not be writable by the ftp user. This directory is used
as a secure chroot() jail at times vsftpd does not require filesystem access.
@@ -73,7 +76,7 @@ $NetBSD: patch-af,v 1.5 2008/09/22 11:02:21 abs Exp $
.TP
.B ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for
-@@ -959,10 +959,10 @@ the manual page, on a per-user basis. Us
+@@ -987,10 +987,10 @@ the manual page, on a per-user basis. Us
with an example. If you set
.BR user_config_dir
to be
@@ -86,7 +89,7 @@ $NetBSD: patch-af,v 1.5 2008/09/22 11:02:21 abs Exp $
for the duration of the session. The format of this file is as detailed in
this manual page! PLEASE NOTE that not all settings are effective on a
per-user basis. For example, many settings only prior to the user's session
-@@ -998,7 +998,7 @@ This option is the name of the file load
+@@ -1026,7 +1026,7 @@ This option is the name of the file load
.BR userlist_enable
option is active.