Accepting request 162591 from network

- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1)
  * this enabled a sendto on /dev/log socket when syslog is enabled
- provide more verbose explanation about isolate_network and seccomp_sanbox in
  config file template
- don't install init file on openSUSE 13.1+
- drop a build support for SL 10 and older

- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38)
  * drop CLONE_NEWPID from clone to enable audit system
- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406)
  * unconditionally enable F_SETFL patch - might be safe to do (forwarded request 162590 from mvyskocil)

OBS-URL: https://build.opensuse.org/request/show/162591
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=39

vsftpd-2.3.5-conf.patch

@@ -174,7 +174,7 @@ Index: vsftpd.conf
  # Enable this and the server will recognise asynchronous ABOR requests. Not
  # recommended for security (the code is non-trivial). Not enabling it,
  # however, may confuse older FTP clients.
-@@ -77,41 +164,34 @@ connect_from_port_20=YES
+@@ -77,41 +164,46 @@ connect_from_port_20=YES
  # predicted this attack and has always been safe, reporting the size of the
  # raw file.
  # ASCII mangling is a horrible feature of the protocol.
@@ -232,7 +232,19 @@ Index: vsftpd.conf
 +pasv_min_port=30000
 +pasv_max_port=30100
 +
-+# security features that are incompatible with some other settings. Try to
++### security features that are incompatible with some other settings. ###
-+# uncomment if vsftpd dies with weird errors.
++
++# isolate_network ensures the vsftpd subprocess is started in own network
++# namespace (see CLONE_NEWNET in clone(2)). It however disables the
++# authentication methods needs the network access (LDAP, NIS, ...).
 +#isolate_network=NO
++
++# seccomp_sanbox add an aditional security layer limiting the number of a
++# syscalls can be performed via vsftpd. However it might happen that a
++# whitelist don't allow a legitimate call (usually indirectly triggered by
++# third-party library like pam, or openssl) and the process is being killed by kernel.
++#
++# Therefor if your server dies on common situations (file download, upload),
++# uncomment following line and don't forget to open  bug at
++# https://bugzilla.novell.com
 +#seccomp_sandbox=NO

vsftpd-drop-newpid-from-clone.patch

@@ -0,0 +1,35 @@
+From: Michal Vyskocil <mvyskocil@suse.cz>
+Subject: Drop CLONE_NEWPID from clone call
+
+Kernel autid system prohibits the processes created with CLONE_NEWPID, so an
+attempt to log into ftp server ends with
+
+audit_log_acct_message() failed: Operation not permitted
+
+https://bugzilla.novell.com/show_bug.cgi?id=786024#c38
+
+identified-by: Tony Jones <tonyj@suse.com>
+fixes: bnc#786024
+
+Index: vsftpd-3.0.2/sysdeputil.c
+===================================================================
+--- vsftpd-3.0.2.orig/sysdeputil.c
++++ vsftpd-3.0.2/sysdeputil.c
+@@ -1272,7 +1272,7 @@ vsf_sysutil_fork_isolate_all_failok()
+   if (cloneflags_work)
+   {
+     int ret = syscall(__NR_clone,
+-                      CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD,
++                      CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD,
+                       NULL);
+     if (ret != -1 || (errno != EINVAL && errno != EPERM))
+     {
+@@ -1295,7 +1295,7 @@ vsf_sysutil_fork_isolate_failok()
+   static int cloneflags_work = 1;
+   if (cloneflags_work)
+   {
+-    int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
++    int ret = syscall(__NR_clone, CLONE_NEWIPC | SIGCHLD, NULL);
+     if (ret != -1 || (errno != EINVAL && errno != EPERM))
+     {
+       if (ret == 0)

vsftpd-enable-dev-log-sendto.patch

@@ -0,0 +1,33 @@
+From: mvyskocil@suse.com
+Subject: enable sendto to /dev/log
+
+vsftpd is killed once a file is downloaded and it try to log the success to
+/dev/log. This patch enables a sendto on fd 4, in a case the syslog logging is
+enabled.
+
+Fixes: https://bugzilla.novell.com/show_bug.cgi?id=812406
+
+---
+ seccompsandbox.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -503,6 +501,15 @@ seccomp_sandbox_setup_postlogin(const st
+       allow_nr(__NR_chmod);
+     }
+   }
++
++  /*
++   * MV: this enables logging to the syslog - the vsf_log_do_log are in postlogin.c and privops.c, but hopefully this is enough
++   */
++  if (tunable_syslog_enable)
++  {
++    allow_nr_1_arg_mask(__NR_sendto, 1, 4);
++  }
++
+ }
+ 
+ void

vsftpd-enable-fcntl-f_setfl.patch

@@ -0,0 +1,44 @@
+From: Michal Vyskocil <mvyskocil@suse.cz>
+Subject: Enable fcntl F_SETFL
+
+The fcntl with F_SETFL is called from various parts of a vsftpd code, thus add
+it unconditionally to seccomp sandbox. I've failed to limit it more, however
+most arguments of F_SETFL are ignored on Linux and the remaining set seems to be
+safe.
+
+fixes: bnc#786024
+
+---
+ seccompsandbox.c |   22 ++++++++++++++++++++++
+ 5 files changed, 45 insertions(+), 6 deletions(-)
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -306,6 +306,25 @@ seccomp_sandbox_setup_base()
+ 
+   /* Always need to be able to exit ! */
+   allow_nr(__NR_exit_group);
++
++  /* 
++   * MV: this is needed for
++   * vsf_sysutil_activate_noblock
++   * vsf_sysutil_deactivate_noblock
++   * 
++   * both called from various places (like all those die, bug in utilities),
++   * so lets enable it by default
++   */
++  allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
++  allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL);
++
++  /*
++   * MV: this form have newer worked, neither with O_RDWR, O_RDWR|O_NONBLOCK
++   * however fcntl(2) says that most of arguments to fcntl are ignored on Linux
++   * thus this might be safe to do
++   */
++  //allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);
++
+ }
+ 
+ void

vsftpd.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Thu Apr  4 08:35:40 UTC 2013 - mvyskocil@suse.com
+
+- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1)
+  * this enabled a sendto on /dev/log socket when syslog is enabled
+- provide more verbose explanation about isolate_network and seccomp_sanbox in
+  config file template
+- don't install init file on openSUSE 13.1+
+- drop a build support for SL 10 and older
+
+-------------------------------------------------------------------
+Fri Mar 29 13:15:46 UTC 2013 - mvyskocil@suse.com
+
+- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38)
+  * drop CLONE_NEWPID from clone to enable audit system
+- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406)
+  * unconditionally enable F_SETFL patch - might be safe to do
+
 -------------------------------------------------------------------
 Thu Feb 28 16:02:17 UTC 2013 - lnussel@suse.de
 

vsftpd.spec

@@ -16,15 +16,16 @@
 #
 
 
+%global with_sysvinit 0
+%if 0%{?suse_version} < 1310
+%global with_sysvinit 1
+%endif
+
 Name:           vsftpd
 BuildRequires:  gpg-offline
+BuildRequires:  libcap-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pam-devel
-%if 0%{?suse_version} < 1001
-BuildRequires:  libcap
-%else
-BuildRequires:  libcap-devel
-%endif
 %if 0%{?suse_version} > 1140
 BuildRequires:  systemd
 %endif
@@ -54,7 +55,14 @@ Patch8:         vsftpd-2.0.5-utf8-log-names.patch
 Patch9:         vsftpd-2.3.5-conf.patch
 Patch10:        vsftpd-3.0.0_gnu_source_defines.patch
 Patch11:        vsftpd-3.0.0-optional-seccomp.patch
+#PATCH-FIX-OPENSUSE: bnc#786024
 Patch12:        vsftpd-allow-dev-log-socket.patch
+#PATCH-FIX-OPENSUSE: bnc#786024, second issue with pam_login_acct
+Patch13:        vsftpd-drop-newpid-from-clone.patch
+#PATCH-FIX-OPENSUSE: bnc#812406
+Patch14:        vsftpd-enable-fcntl-f_setfl.patch
+#PATCH-FIX-OPENSUSE: bnc#812406
+Patch15:        vsftpd-enable-dev-log-sendto.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Provides:       ftp-server
 PreReq:         %insserv_prereq /usr/sbin/useradd
@@ -86,6 +94,9 @@ tests.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
 
 %build
 %define seccomp_opts %{nil}
@@ -106,8 +117,12 @@ install -D -m 644 $RPM_SOURCE_DIR/%name.pam $RPM_BUILD_ROOT/etc/pam.d/%name
 install -D -m 644 $RPM_SOURCE_DIR/%name.logrotate $RPM_BUILD_ROOT/etc/logrotate.d/%name
 install -D -m 644 %name.conf.5 $RPM_BUILD_ROOT/%_mandir/man5/%name.conf.5
 install -D -m 644 %name.8 $RPM_BUILD_ROOT/%_mandir/man8/%name.8
+%if %{with_sysvinit}
 install -D -m 755 %SOURCE3 $RPM_BUILD_ROOT/etc/init.d/%name
 ln -sf ../../etc/init.d/%name $RPM_BUILD_ROOT/%_prefix/sbin/rc%name
+%else
+ln -sf ../../sbin/service $RPM_BUILD_ROOT/%{_prefix}/sbin/rc%{name}
+%endif
 install -d $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/
 install -D -m 644 %SOURCE5 $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/
 install -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/
@@ -123,20 +138,29 @@ install -D -m 0644 %SOURCE7 %{buildroot}/%{_unitdir}/%{name}.service
 %endif
 
 %preun
+if [ -e /etc/init.d/%{name} ]; then
 %stop_on_removal %name
+fi
+
 %if 0%{?suse_version} > 1140
 %service_del_preun %{name}.service
 %endif
 
 %post
+%if %{with_sysvinit}
 %{fillup_and_insserv -f %{name}}
+%endif
+
 %if 0%{?suse_version} > 1140
 %service_add_post %{name}.service
 %endif
 
 %postun
+%if %{with_sysvinit}
 %insserv_cleanup
 %restart_on_update %name
+%endif
+
 %if 0%{?suse_version} > 1140
 %service_del_postun %{name}.service
 %endif
@@ -151,7 +175,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 /usr/sbin/%name
 /usr/sbin/rc%name
+%if %{with_sysvinit}
 %config /etc/init.d/%name
+%endif
 %_datadir/omc/svcinfo.d/vsftpd.xml
 %dir /usr/share/empty
 %config(noreplace) /etc/xinetd.d/%name