rpm/vsftpd
SHA256
1
0
Fork 0
forked from pool/vsftpd
Code Pull Requests Activity

Accepting request 156829 from network

Browse Source 
PLEASE COPY TO 12.3!
- add vsftpd-allow-dev-log-socket.patch (bnc#786024)
  * whitelist /dev/log related socket syscall

OBS-URL: https://build.opensuse.org/request/show/156829
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=37
This commit is contained in:
Stephan Kulow 2013-03-01 08:06:02 +00:00 committed by Git OBS Bridge
commit 1265a2b4ae
3 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
vsftpd-allow-dev-log-socket.patch Normal file
View File

@ -0,0 +1,30 @@
From: mvyskocil@suse.com
Subject: enable /dev/log related socket call
Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -353,6 +353,15 @@ seccomp_sandbox_setup_prelogin(const str
{
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
}
+
+ //this is very probably an attempt to open /dev/log
+ //it fails because process cannot open any file, so it might be safe
+ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
+ allow_nr_3_arg_match(__NR_socket,
+ 1, PF_FILE,
+ 2, SOCK_DGRAM | SOCK_CLOEXEC,
+ 3, 0);
+
}
void

6
vsftpd.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Feb 28 13:30:07 UTC 2013 - mvyskocil@suse.com
- add vsftpd-allow-dev-log-socket.patch (bnc#786024)
* whitelist /dev/log related socket syscall
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 20 17:19:03 CET 2012 - sbrabec@suse.cz Tue Nov 20 17:19:03 CET 2012 - sbrabec@suse.cz

4
vsftpd.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package vsftpd # spec file for package vsftpd
# #
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -54,6 +54,7 @@ Patch8: vsftpd-2.0.5-utf8-log-names.patch
Patch9: vsftpd-2.3.5-conf.patch Patch9: vsftpd-2.3.5-conf.patch
Patch10: vsftpd-3.0.0_gnu_source_defines.patch Patch10: vsftpd-3.0.0_gnu_source_defines.patch
Patch11: vsftpd-3.0.0-optional-seccomp.patch Patch11: vsftpd-3.0.0-optional-seccomp.patch
Patch12: vsftpd-allow-dev-log-socket.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
Provides: ftp-server Provides: ftp-server
PreReq: %insserv_prereq /usr/sbin/useradd PreReq: %insserv_prereq /usr/sbin/useradd
@ -84,6 +85,7 @@ tests.
%patch9 %patch9
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1
%build %build
%define seccomp_opts %{nil} %define seccomp_opts %{nil}