vsftpd/vsftpd-root-squashed-chroot.patch

---
 parseconf.c   |    1 +
 secutil.c     |    6 ++++--
 secutil.h     |    2 ++
 tunables.c    |    2 ++
 tunables.h    |    1 +
 twoprocess.c  |    6 ++++++
 vsftpd.conf   |    4 ++++
 vsftpd.conf.5 |    7 +++++++
 8 files changed, 27 insertions(+), 2 deletions(-)

Index: vsftpd-3.0.2/tunables.c
===================================================================
--- vsftpd-3.0.2.orig/tunables.c
+++ vsftpd-3.0.2/tunables.c
@@ -88,6 +88,7 @@ int tunable_ftp_enable;
 int tunable_http_enable;
 int tunable_seccomp_sandbox;
 int tunable_allow_writeable_chroot;
+int tunable_allow_root_squashed_chroot;
 
 unsigned int tunable_accept_timeout;
 unsigned int tunable_connect_timeout;
@@ -228,6 +229,7 @@ tunables_load_defaults()
   tunable_http_enable = 0;
   tunable_seccomp_sandbox = 1;
   tunable_allow_writeable_chroot = 0;
+  tunable_allow_root_squashed_chroot = 0;
 
   tunable_accept_timeout = 60;
   tunable_connect_timeout = 60;
Index: vsftpd-3.0.2/tunables.h
===================================================================
--- vsftpd-3.0.2.orig/tunables.h
+++ vsftpd-3.0.2/tunables.h
@@ -89,6 +89,7 @@ extern int tunable_ftp_enable;
 extern int tunable_http_enable;               /* Allow HTTP protocol */
 extern int tunable_seccomp_sandbox;           /* seccomp filter sandbox */
 extern int tunable_allow_writeable_chroot;    /* Allow misconfiguration */
+extern int tunable_allow_root_squashed_chroot;/* Allow chroot on squashed root nfs */
 
 /* Integer/numeric defines */
 extern unsigned int tunable_accept_timeout;
Index: vsftpd-3.0.2/parseconf.c
===================================================================
--- vsftpd-3.0.2.orig/parseconf.c
+++ vsftpd-3.0.2/parseconf.c
@@ -107,6 +107,7 @@ parseconf_bool_array[] =
   { "http_enable", &tunable_http_enable },
   { "seccomp_sandbox", &tunable_seccomp_sandbox },
   { "allow_writeable_chroot", &tunable_allow_writeable_chroot },
+  { "allow_root_squashed_chroot", &tunable_allow_root_squashed_chroot },
   { 0, 0 }
 };
 
Index: vsftpd-3.0.2/twoprocess.c
===================================================================
--- vsftpd-3.0.2.orig/twoprocess.c
+++ vsftpd-3.0.2/twoprocess.c
@@ -164,6 +164,9 @@ drop_all_privs(void)
   {
     str_alloc_text(&dir_str, tunable_secure_chroot_dir);
   }
+  if (tunable_allow_root_squashed_chroot) {
+    option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
+  }
   /* Be kind: give good error message if the secure dir is missing */
   {
     struct vsf_sysutil_statbuf* p_statbuf = 0;
@@ -453,6 +456,9 @@ common_do_login(struct vsf_session* p_se
     {
       secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;
     }
+    if (do_chroot && tunable_allow_root_squashed_chroot) {
+        secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
+    }
     calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
                         p_user_str, p_orig_user_str);
     vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
Index: vsftpd-3.0.2/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf.5
+++ vsftpd-3.0.2/vsftpd.conf.5
@@ -42,6 +42,13 @@ connections.
 
 Default: NO
 .TP
+.B allow_root_squashed_chroot
+If set to YES, chroot is called with non-root credentials. This enabled chroot
+on squashed nfs. This option is applied only if chroot is performed, otherwise
+ignored.
+
+Default: NO
+.TP
 .B anon_mkdir_write_enable
 If set to YES, anonymous users will be permitted to create new directories
 under certain conditions. For this to work, the option
Index: vsftpd-3.0.2/vsftpd.conf
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf
+++ vsftpd-3.0.2/vsftpd.conf
@@ -64,6 +64,10 @@ local_enable=YES
 # (default follows)
 #chroot_list_file=/etc/vsftpd.chroot_list
 #
+# Performs chroot with original (non-root) credentials. This is usefull on nfs with squash_root,
+# where root becomes nobody and would need -x access.
+#allow_root_squashed_chroot=YES
+#
 # The maximum data transfer rate permitted, in bytes per second, for
 # local authenticated users. The default is 0 (unlimited).
 #local_max_rate=7200
Accepting request 229627 from home:scarabeus_iv - Move the enabling of timeofday and alarm one level deeper to be sure it is whitelisted everytime. Also should possibly fix bnc#872215. - Updated patch: * vsftpd-enable-gettimeofday-sec.patch - Remove forking from service type as it hangs in endless loop. - Fix warning about dangling symlink on rcvsftpd from rpmlint and remove also clean section while at it. - Add patch to allow gettimeofday and alarm calls with seccomp enabled. bnc#870122 - Added patch: * vsftpd-enable-gettimeofday-sec.patch - Specify that the service type is forking - changed license to SUSE-GPL-2.0-with-openssl-exception * suggested by legal team - add allow_root_squashed_chroot option to enable chroot on nsf mounted with squash_root option (fate#311051) * vsftpd-root-squashed-chroot.patch OBS-URL: https://build.opensuse.org/request/show/229627 OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=59 2014-04-10 15:24:27 +02:00			`---`
			`parseconf.c \| 1 +`
			`secutil.c \| 6 ++++--`
			`secutil.h \| 2 ++`
			`tunables.c \| 2 ++`
			`tunables.h \| 1 +`
			`twoprocess.c \| 6 ++++++`
			`vsftpd.conf \| 4 ++++`
			`vsftpd.conf.5 \| 7 +++++++`
			`8 files changed, 27 insertions(+), 2 deletions(-)`

			`Index: vsftpd-3.0.2/tunables.c`
			`===================================================================`
			`--- vsftpd-3.0.2.orig/tunables.c`
			`+++ vsftpd-3.0.2/tunables.c`
			`@@ -88,6 +88,7 @@ int tunable_ftp_enable;`
			`int tunable_http_enable;`
			`int tunable_seccomp_sandbox;`
			`int tunable_allow_writeable_chroot;`
			`+int tunable_allow_root_squashed_chroot;`

			`unsigned int tunable_accept_timeout;`
			`unsigned int tunable_connect_timeout;`
			`@@ -228,6 +229,7 @@ tunables_load_defaults()`
			`tunable_http_enable = 0;`
			`tunable_seccomp_sandbox = 1;`
			`tunable_allow_writeable_chroot = 0;`
			`+ tunable_allow_root_squashed_chroot = 0;`

			`tunable_accept_timeout = 60;`
			`tunable_connect_timeout = 60;`
			`Index: vsftpd-3.0.2/tunables.h`
			`===================================================================`
			`--- vsftpd-3.0.2.orig/tunables.h`
			`+++ vsftpd-3.0.2/tunables.h`
			`@@ -89,6 +89,7 @@ extern int tunable_ftp_enable;`
			`extern int tunable_http_enable; /* Allow HTTP protocol */`
			`extern int tunable_seccomp_sandbox; /* seccomp filter sandbox */`
			`extern int tunable_allow_writeable_chroot; /* Allow misconfiguration */`
			`+extern int tunable_allow_root_squashed_chroot;/* Allow chroot on squashed root nfs */`

			`/* Integer/numeric defines */`
			`extern unsigned int tunable_accept_timeout;`
			`Index: vsftpd-3.0.2/parseconf.c`
			`===================================================================`
			`--- vsftpd-3.0.2.orig/parseconf.c`
			`+++ vsftpd-3.0.2/parseconf.c`
			`@@ -107,6 +107,7 @@ parseconf_bool_array[] =`
			`{ "http_enable", &tunable_http_enable },`
			`{ "seccomp_sandbox", &tunable_seccomp_sandbox },`
			`{ "allow_writeable_chroot", &tunable_allow_writeable_chroot },`
			`+ { "allow_root_squashed_chroot", &tunable_allow_root_squashed_chroot },`
			`{ 0, 0 }`
			`};`

			`Index: vsftpd-3.0.2/twoprocess.c`
			`===================================================================`
			`--- vsftpd-3.0.2.orig/twoprocess.c`
			`+++ vsftpd-3.0.2/twoprocess.c`
			`@@ -164,6 +164,9 @@ drop_all_privs(void)`
			`{`
			`str_alloc_text(&dir_str, tunable_secure_chroot_dir);`
			`}`
			`+ if (tunable_allow_root_squashed_chroot) {`
			`+ option \|= VSF_SECUTIL_OPTION_CHANGE_EUID;`
			`+ }`
			`/* Be kind: give good error message if the secure dir is missing */`
			`{`
			`struct vsf_sysutil_statbuf* p_statbuf = 0;`
			`@@ -453,6 +456,9 @@ common_do_login(struct vsf_session* p_se`
			`{`
			`secutil_option \|= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;`
			`}`
			`+ if (do_chroot && tunable_allow_root_squashed_chroot) {`
			`+ secutil_option \|= VSF_SECUTIL_OPTION_CHANGE_EUID;`
			`+ }`
			`calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,`
			`p_user_str, p_orig_user_str);`
			`vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,`
			`Index: vsftpd-3.0.2/vsftpd.conf.5`
			`===================================================================`
			`--- vsftpd-3.0.2.orig/vsftpd.conf.5`
			`+++ vsftpd-3.0.2/vsftpd.conf.5`
			`@@ -42,6 +42,13 @@ connections.`

			`Default: NO`
			`.TP`
			`+.B allow_root_squashed_chroot`
			`+If set to YES, chroot is called with non-root credentials. This enabled chroot`
			`+on squashed nfs. This option is applied only if chroot is performed, otherwise`
			`+ignored.`
			`+`
			`+Default: NO`
			`+.TP`
			`.B anon_mkdir_write_enable`
			`If set to YES, anonymous users will be permitted to create new directories`
			`under certain conditions. For this to work, the option`
			`Index: vsftpd-3.0.2/vsftpd.conf`
			`===================================================================`
			`--- vsftpd-3.0.2.orig/vsftpd.conf`
			`+++ vsftpd-3.0.2/vsftpd.conf`
			`@@ -64,6 +64,10 @@ local_enable=YES`
			`# (default follows)`
			`#chroot_list_file=/etc/vsftpd.chroot_list`
			`#`
			`+# Performs chroot with original (non-root) credentials. This is usefull on nfs with squash_root,`
			`+# where root becomes nobody and would need -x access.`
			`+#allow_root_squashed_chroot=YES`
			`+#`
			`# The maximum data transfer rate permitted, in bytes per second, for`
			`# local authenticated users. The default is 0 (unlimited).`
			`#local_max_rate=7200`