Accepting request 229628 from network

- Move the enabling of timeofday and alarm one level deeper to
  be sure it is whitelisted everytime.
  Also should possibly fix bnc#872215.
- Updated patch:
  * vsftpd-enable-gettimeofday-sec.patch

- Remove forking from service type as it hangs in endless loop.

- Fix warning about dangling symlink on rcvsftpd from rpmlint and
  remove also clean section while at it.

- Add patch to allow gettimeofday and alarm calls with seccomp
  enabled. bnc#870122
- Added patch:
  * vsftpd-enable-gettimeofday-sec.patch

- Specify that the service type is forking

- changed license to SUSE-GPL-2.0-with-openssl-exception
  * suggested by legal team

- add allow_root_squashed_chroot option to enable chroot on nsf
  mounted with squash_root option (fate#311051)
  * vsftpd-root-squashed-chroot.patch (forwarded request 229627 from scarabeus_iv)

OBS-URL: https://build.opensuse.org/request/show/229628
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=42

vsftpd-enable-gettimeofday-sec.patch

@@ -0,0 +1,18 @@
+diff -urN vsftpd-3.0.2/seccompsandbox.c vsftpd-3.0.2.new/seccompsandbox.c
+--- vsftpd-3.0.2/seccompsandbox.c	2012-09-18 08:52:30.000000000 +0200
++++ vsftpd-3.0.2.new/seccompsandbox.c	2014-04-10 14:55:30.855607231 +0200
+@@ -303,6 +303,14 @@
+   allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
+   allow_nr(__NR_restart_syscall);
+   allow_nr(__NR_close);
++  
++ /*
++  * Calls to alarm and date
++  * Seems to be some part of the logging
++  * wrt bnc#870122
++  */
++   allow_nr(__NR_alarm);
++   allow_nr(__NR_gettimeofday);
+ 
+   /* Always need to be able to exit ! */
+   allow_nr(__NR_exit_group);

vsftpd-root-squashed-chroot.patch

@@ -0,0 +1,112 @@
+---
+ parseconf.c   |    1 +
+ secutil.c     |    6 ++++--
+ secutil.h     |    2 ++
+ tunables.c    |    2 ++
+ tunables.h    |    1 +
+ twoprocess.c  |    6 ++++++
+ vsftpd.conf   |    4 ++++
+ vsftpd.conf.5 |    7 +++++++
+ 8 files changed, 27 insertions(+), 2 deletions(-)
+
+Index: vsftpd-3.0.2/tunables.c
+===================================================================
+--- vsftpd-3.0.2.orig/tunables.c
++++ vsftpd-3.0.2/tunables.c
+@@ -88,6 +88,7 @@ int tunable_ftp_enable;
+ int tunable_http_enable;
+ int tunable_seccomp_sandbox;
+ int tunable_allow_writeable_chroot;
++int tunable_allow_root_squashed_chroot;
+ 
+ unsigned int tunable_accept_timeout;
+ unsigned int tunable_connect_timeout;
+@@ -228,6 +229,7 @@ tunables_load_defaults()
+   tunable_http_enable = 0;
+   tunable_seccomp_sandbox = 1;
+   tunable_allow_writeable_chroot = 0;
++  tunable_allow_root_squashed_chroot = 0;
+ 
+   tunable_accept_timeout = 60;
+   tunable_connect_timeout = 60;
+Index: vsftpd-3.0.2/tunables.h
+===================================================================
+--- vsftpd-3.0.2.orig/tunables.h
++++ vsftpd-3.0.2/tunables.h
+@@ -89,6 +89,7 @@ extern int tunable_ftp_enable;
+ extern int tunable_http_enable;               /* Allow HTTP protocol */
+ extern int tunable_seccomp_sandbox;           /* seccomp filter sandbox */
+ extern int tunable_allow_writeable_chroot;    /* Allow misconfiguration */
++extern int tunable_allow_root_squashed_chroot;/* Allow chroot on squashed root nfs */
+ 
+ /* Integer/numeric defines */
+ extern unsigned int tunable_accept_timeout;
+Index: vsftpd-3.0.2/parseconf.c
+===================================================================
+--- vsftpd-3.0.2.orig/parseconf.c
++++ vsftpd-3.0.2/parseconf.c
+@@ -107,6 +107,7 @@ parseconf_bool_array[] =
+   { "http_enable", &tunable_http_enable },
+   { "seccomp_sandbox", &tunable_seccomp_sandbox },
+   { "allow_writeable_chroot", &tunable_allow_writeable_chroot },
++  { "allow_root_squashed_chroot", &tunable_allow_root_squashed_chroot },
+   { 0, 0 }
+ };
+ 
+Index: vsftpd-3.0.2/twoprocess.c
+===================================================================
+--- vsftpd-3.0.2.orig/twoprocess.c
++++ vsftpd-3.0.2/twoprocess.c
+@@ -164,6 +164,9 @@ drop_all_privs(void)
+   {
+     str_alloc_text(&dir_str, tunable_secure_chroot_dir);
+   }
++  if (tunable_allow_root_squashed_chroot) {
++    option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
++  }
+   /* Be kind: give good error message if the secure dir is missing */
+   {
+     struct vsf_sysutil_statbuf* p_statbuf = 0;
+@@ -453,6 +456,9 @@ common_do_login(struct vsf_session* p_se
+     {
+       secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;
+     }
++    if (do_chroot && tunable_allow_root_squashed_chroot) {
++        secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
++    }
+     calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
+                         p_user_str, p_orig_user_str);
+     vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
+Index: vsftpd-3.0.2/vsftpd.conf.5
+===================================================================
+--- vsftpd-3.0.2.orig/vsftpd.conf.5
++++ vsftpd-3.0.2/vsftpd.conf.5
+@@ -42,6 +42,13 @@ connections.
+ 
+ Default: NO
+ .TP
++.B allow_root_squashed_chroot
++If set to YES, chroot is called with non-root credentials. This enabled chroot
++on squashed nfs. This option is applied only if chroot is performed, otherwise
++ignored.
++
++Default: NO
++.TP
+ .B anon_mkdir_write_enable
+ If set to YES, anonymous users will be permitted to create new directories
+ under certain conditions. For this to work, the option
+Index: vsftpd-3.0.2/vsftpd.conf
+===================================================================
+--- vsftpd-3.0.2.orig/vsftpd.conf
++++ vsftpd-3.0.2/vsftpd.conf
+@@ -64,6 +64,10 @@ local_enable=YES
+ # (default follows)
+ #chroot_list_file=/etc/vsftpd.chroot_list
+ #
++# Performs chroot with original (non-root) credentials. This is usefull on nfs with squash_root,
++# where root becomes nobody and would need -x access.
++#allow_root_squashed_chroot=YES
++#
+ # The maximum data transfer rate permitted, in bytes per second, for
+ # local authenticated users. The default is 0 (unlimited).
+ #local_max_rate=7200

vsftpd.changes

@@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Thu Apr 10 12:56:03 UTC 2014 - tchvatal@suse.com
+
+- Move the enabling of timeofday and alarm one level deeper to
+  be sure it is whitelisted everytime.
+  Also should possibly fix bnc#872215.
+
+- Updated patch:
+  * vsftpd-enable-gettimeofday-sec.patch
+
+-------------------------------------------------------------------
+Thu Apr 10 12:06:25 UTC 2014 - tchvatal@suse.com
+
+- Remove forking from service type as it hangs in endless loop.
+
+-------------------------------------------------------------------
+Wed Apr  2 07:47:05 UTC 2014 - tchvatal@suse.com
+
+- Fix warning about dangling symlink on rcvsftpd from rpmlint and
+  remove also clean section while at it.
+
+-------------------------------------------------------------------
+Wed Apr  2 07:35:27 UTC 2014 - tchvatal@suse.com
+
+- Add patch to allow gettimeofday and alarm calls with seccomp
+  enabled. bnc#870122
+- Added patch:
+  * vsftpd-enable-gettimeofday-sec.patch
+
+-------------------------------------------------------------------
+Tue Apr  1 07:17:50 UTC 2014 - tchvatal@suse.com
+
+- Specify that the service type is forking
+
+-------------------------------------------------------------------
+Mon Jan 27 13:04:19 UTC 2014 - mvyskocil@suse.com
+
+- changed license to SUSE-GPL-2.0-with-openssl-exception
+  * suggested by legal team
+
+-------------------------------------------------------------------
+Tue Jan 21 11:00:13 UTC 2014 - mvyskocil@suse.com
+
+- add allow_root_squashed_chroot option to enable chroot on nsf
+  mounted with squash_root option (fate#311051)
+  * vsftpd-root-squashed-chroot.patch
+
 -------------------------------------------------------------------
 Sat Jul 20 21:23:31 UTC 2013 - crrodriguez@opensuse.org
 

vsftpd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package vsftpd
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,7 +32,7 @@ BuildRequires:  systemd
 Version:        3.0.2
 Release:        0
 Summary:        Very Secure FTP Daemon - Written from Scratch
-License:        GPL-2.0+
+License:        SUSE-GPL-2.0-with-openssl-exception
 Group:          Productivity/Networking/Ftp/Servers
 Url:            https://security.appspot.com/vsftpd.html
 Source0:        https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
@@ -63,9 +63,13 @@ Patch13:        vsftpd-drop-newpid-from-clone.patch
 Patch14:        vsftpd-enable-fcntl-f_setfl.patch
 #PATCH-FIX-OPENSUSE: bnc#812406
 Patch15:        vsftpd-enable-dev-log-sendto.patch
+#PATCH-FEATURE-SUSE: FATE#311051, call chroot with user credentials to enable nsf with squash_root option
+Patch16:        vsftpd-root-squashed-chroot.patch
+#PATCH-FIX-UPSTREAM: bnc#870122
+Patch17:        vsftpd-enable-gettimeofday-sec.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Provides:       ftp-server
-PreReq:         %insserv_prereq /usr/sbin/useradd
+Requires(pre):  %insserv_prereq /usr/sbin/useradd
 %{?systemd_requires}
 Requires:       logrotate
 
@@ -97,6 +101,8 @@ tests.
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
+%patch17 -p1
 
 %build
 %define seccomp_opts %{nil}
@@ -121,7 +127,7 @@ install -D -m 644 %name.8 $RPM_BUILD_ROOT/%_mandir/man8/%name.8
 install -D -m 755 %SOURCE3 $RPM_BUILD_ROOT/etc/init.d/%name
 ln -sf ../../etc/init.d/%name $RPM_BUILD_ROOT/%_prefix/sbin/rc%name
 %else
-ln -sf ../../sbin/service $RPM_BUILD_ROOT/%{_prefix}/sbin/rc%{name}
+ln -sf service $RPM_BUILD_ROOT/%{_prefix}/sbin/rc%{name}
 %endif
 install -d $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/
 install -D -m 644 %SOURCE5 $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/
@@ -165,9 +171,6 @@ fi
 %service_del_postun %{name}.service
 %endif
 
-%clean
-rm -rf $RPM_BUILD_ROOT
-
 %files
 %defattr(-,root,root)
 %if 0%{?suse_version} > 1140