diff --git a/vsftpd-2.3.5-conf.patch b/vsftpd-2.3.5-conf.patch
index 5bff5e6..31ec526 100644
--- a/vsftpd-2.3.5-conf.patch
+++ b/vsftpd-2.3.5-conf.patch
@@ -174,7 +174,7 @@ Index: vsftpd.conf
 # Enable this and the server will recognise asynchronous ABOR requests. Not
 # recommended for security (the code is non-trivial). Not enabling it,
 # however, may confuse older FTP clients.
-@@ -77,41 +164,34 @@ connect_from_port_20=YES
+@@ -77,41 +164,46 @@ connect_from_port_20=YES
 # predicted this attack and has always been safe, reporting the size of the
 # raw file.
 # ASCII mangling is a horrible feature of the protocol.
@@ -232,7 +232,19 @@ Index: vsftpd.conf
 +pasv_min_port=30000
 +pasv_max_port=30100
 +
-+# security features that are incompatible with some other settings. Try to
-+# uncomment if vsftpd dies with weird errors.
++### security features that are incompatible with some other settings. ###
++
++# isolate_network ensures the vsftpd subprocess is started in own network
++# namespace (see CLONE_NEWNET in clone(2)). It however disables the
++# authentication methods needs the network access (LDAP, NIS, ...).
 +#isolate_network=NO
++
++# seccomp_sanbox add an aditional security layer limiting the number of a
++# syscalls can be performed via vsftpd. However it might happen that a
++# whitelist don't allow a legitimate call (usually indirectly triggered by
++# third-party library like pam, or openssl) and the process is being killed by kernel.
++#
++# Therefor if your server dies on common situations (file download, upload),
++# uncomment following line and don't forget to open bug at
++# https://bugzilla.novell.com
 +#seccomp_sandbox=NO
diff --git a/vsftpd-drop-newpid-from-clone.patch b/vsftpd-drop-newpid-from-clone.patch
new file mode 100644
index 0000000..181dd75
--- /dev/null
+++ b/vsftpd-drop-newpid-from-clone.patch
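Review bot: The new seccomp_sandbox commentary in the second hunk carries several spelling and grammar slips into the shipped vsftpd.conf template (`seccomp_sanbox`, `aditional`, `Therefor`, `a whitelist don't allow`, and `the authentication methods needs the network access` in the isolate_network paragraph); an administrator searching the template for the real option name will not find `seccomp_sanbox`. Suggested wording: `# seccomp_sandbox adds an additional security layer limiting the set of`, `# syscalls vsftpd may perform. It may happen that the whitelist does not allow a`, and `# authentication methods that need network access (LDAP, NIS, ...).` for the isolate_network sentence. Since uncommenting `seccomp_sandbox=NO` turns the sandbox off permanently, the advice reads better as a diagnostic step, e.g. `# uncomment the following line only as a temporary workaround and report the bug at`. The hunk header correction in the first hunk (34 to 46 lines) matches the 14 added and 2 removed lines here.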
@@ -0,0 +1,35 @@
+From: Michal Vyskocil
+Subject: Drop CLONE_NEWPID from clone call
+
+Kernel autid system prohibits the processes created with CLONE_NEWPID, so an
+attempt to log into ftp server ends with
+
+audit_log_acct_message() failed: Operation not permitted
+
+https://bugzilla.novell.com/show_bug.cgi?id=786024#c38
+
+identified-by: Tony Jones
+fixes: bnc#786024
+
+Index: vsftpd-3.0.2/sysdeputil.c
+===================================================================
+--- vsftpd-3.0.2.orig/sysdeputil.c
++++ vsftpd-3.0.2/sysdeputil.c
+@@ -1272,7 +1272,7 @@ vsf_sysutil_fork_isolate_all_failok()
+ if (cloneflags_work)
+ {
+ int ret = syscall(__NR_clone,
+- CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD,
++ CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD,
+ NULL);
+ if (ret != -1 || (errno != EINVAL && errno != EPERM))
+ {
+@@ -1295,7 +1295,7 @@ vsf_sysutil_fork_isolate_failok()
+ static int cloneflags_work = 1;
+ if (cloneflags_work)
+ {
+- int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL);
++ int ret = syscall(__NR_clone, CLONE_NEWIPC | SIGCHLD, NULL);
+ if (ret != -1 || (errno != EINVAL && errno != EPERM))
+ {
+ if (ret == 0)
diff --git a/vsftpd-enable-dev-log-sendto.patch b/vsftpd-enable-dev-log-sendto.patch
new file mode 100644
index 0000000..444750a
--- /dev/null
+++ b/vsftpd-enable-dev-log-sendto.patch
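Review bot: Dropping CLONE_NEWPID from both clone calls removes PID-namespace isolation for every deployment, not only those where the kernel audit subsystem rejects namespaced processes, and nothing in the patched code records why, so a later reader of sysdeputil.c only sees a weaker flag set. At minimum the reason belongs next to the call, e.g. `/* CLONE_NEWPID omitted: audit_log_acct_message() fails with EPERM for processes in a new PID namespace (bnc#786024) */` above the syscall in vsf_sysutil_fork_isolate_all_failok, and the same in vsf_sysutil_fork_isolate_failok. The existing `cloneflags_work` check on the following line only reacts when clone itself fails with EINVAL or EPERM, so it cannot recover from the later audit failure the description cites; if PID isolation is still wanted where audit is not in use, that needs a tunable or build option rather than this silent downgrade. Both functions start before and continue past their hunks.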
@@ -0,0 +1,33 @@
+From: mvyskocil@suse.com
+Subject: enable sendto to /dev/log
+
+vsftpd is killed once a file is downloaded and it try to log the success to
+/dev/log. This patch enables a sendto on fd 4, in a case the syslog logging is
+enabled.
+
+Fixes: https://bugzilla.novell.com/show_bug.cgi?id=812406
+
+---
+ seccompsandbox.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -503,6 +501,15 @@ seccomp_sandbox_setup_postlogin(const st
+ allow_nr(__NR_chmod);
+ }
+ }
++
++ /*
++ * MV: this enables logging to the syslog - the vsf_log_do_log are in postlogin.c and privops.c, but hopefully this is enough
++ */
++ if (tunable_syslog_enable)
++ {
++ allow_nr_1_arg_mask(__NR_sendto, 1, 4);
++ }
++
+ }
+
+ void
diff --git a/vsftpd-enable-fcntl-f_setfl.patch b/vsftpd-enable-fcntl-f_setfl.patch
new file mode 100644
index 0000000..ea99050
--- /dev/null
+++ b/vsftpd-enable-fcntl-f_setfl.patch
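Review bot: `allow_nr_1_arg_mask(__NR_sendto, 1, 4)` hard-codes descriptor 4 as the syslog socket, and if the `_mask` helper is a bit test on the argument (as its name suggests, in contrast to the `allow_nr_1_arg_match` helper the companion fcntl patch uses) it admits sendto on any descriptor whose number has bit 2 set (4, 5, 6, 7, 12, ...), which is wider than the "sendto on fd 4" the description claims. Prefer the exact comparison, `allow_nr_1_arg_match(__NR_sendto, 1, 4);`, and ideally take the number from the descriptor actually opened for syslog rather than assuming the startup fd order, since any extra descriptor inherited at exec shifts it. The block comment should state what is allowed and why instead of `hopefully this is enough`, e.g. `/* syslog(3) writes to the /dev/log socket with sendto(); allow it only when syslog logging is enabled. */`. seccomp_sandbox_setup_postlogin starts before this hunk.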
@@ -0,0 +1,44 @@
+From: Michal Vyskocil
+Subject: Enable fcntl F_SETFL
+
+The fcntl with F_SETFL is called from various parts of a vsftpd code, thus add
+it unconditionally to seccomp sandbox. I've failed to limit it more, however
+most arguments of F_SETFL are ignored on Linux and the remaining set seems to be
+safe.
+
+fixes: bnc#786024
+
+---
+ seccompsandbox.c | 22 ++++++++++++++++++++++
+ 5 files changed, 45 insertions(+), 6 deletions(-)
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -306,6 +306,25 @@ seccomp_sandbox_setup_base()
+
+ /* Always need to be able to exit ! */
+ allow_nr(__NR_exit_group);
++
++ /*
++ * MV: this is needed for
++ * vsf_sysutil_activate_noblock
++ * vsf_sysutil_deactivate_noblock
++ *
++ * both called from various places (like all those die, bug in utilities),
++ * so lets enable it by default
++ */
++ allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
++ allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL);
++
++ /*
++ * MV: this form have newer worked, neither with O_RDWR, O_RDWR|O_NONBLOCK
++ * however fcntl(2) says that most of arguments to fcntl are ignored on Linux
++ * thus this might be safe to do
++ */
++ //allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);
++
+ }
+
+ void
diff --git a/vsftpd.changes b/vsftpd.changes
index 5f48de3..5248c6d 100644
--- a/vsftpd.changes
+++ b/vsftpd.changes
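Review bot: The unconditional `allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL)` admits every fcntl(F_SETFL) in the base (pre-login) sandbox with no constraint on the flag word, and the commented-out `//allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);` records a failed attempt rather than a rule; commented-out code should be deleted and the rationale kept in the comment. The exact match presumably failed because the callers named in the comment read the current flags with F_GETFL and then set the whole word with O_NONBLOCK toggled, so argument 3 is never a bare O_RDWR; worth confirming against vsf_sysutil_activate_noblock, and if so the comment should say that instead of `this form have newer worked`. Suggested text: `/* F_SETFL is issued by vsf_sysutil_{activate,deactivate}_noblock from many error paths; the value set is the F_GETFL result with O_NONBLOCK toggled, so an exact match on arg 3 is not possible. */`. The patch trailer `fixes: bnc#786024` disagrees with the spec and changes entries, which attribute this patch to bnc#812406. seccomp_sandbox_setup_base starts before this hunk.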
@@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Thu Apr 4 08:35:40 UTC 2013 - mvyskocil@suse.com + +- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1) + * this enabled a sendto on /dev/log socket when syslog is enabled +- provide more verbose explanation about isolate_network and seccomp_sanbox in + config file template +- don't install init file on openSUSE 13.1+ +- drop a build support for SL 10 and older + +------------------------------------------------------------------- +Fri Mar 29 13:15:46 UTC 2013 - mvyskocil@suse.com + +- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38) + * drop CLONE_NEWPID from clone to enable audit system +- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406) + * unconditionally enable F_SETFL patch - might be safe to do + ------------------------------------------------------------------- Thu Feb 28 16:02:17 UTC 2013 - lnussel@suse.de diff --git a/vsftpd.spec b/vsftpd.spec index a718419..2ea6e27 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -16,15 +16,16 @@ # +%global with_sysvinit 0 +%if 0%{?suse_version} < 1310 +%global with_sysvinit 1 +%endif + Name: vsftpd BuildRequires: gpg-offline +BuildRequires: libcap-devel BuildRequires: openssl-devel BuildRequires: pam-devel -%if 0%{?suse_version} < 1001 -BuildRequires: libcap -%else -BuildRequires: libcap-devel -%endif %if 0%{?suse_version} > 1140 BuildRequires: systemd %endif 
@@ -54,7 +55,14 @@ Patch8: vsftpd-2.0.5-utf8-log-names.patch Patch9: vsftpd-2.3.5-conf.patch Patch10: vsftpd-3.0.0_gnu_source_defines.patch Patch11: vsftpd-3.0.0-optional-seccomp.patch +#PATCH-FIX-OPENSUSE: bnc#786024 Patch12: vsftpd-allow-dev-log-socket.patch +#PATCH-FIX-OPENSUSE: bnc#786024, second issue with pam_login_acct +Patch13: vsftpd-drop-newpid-from-clone.patch +#PATCH-FIX-OPENSUSE: bnc#812406 +Patch14: vsftpd-enable-fcntl-f_setfl.patch +#PATCH-FIX-OPENSUSE: bnc#812406 +Patch15: vsftpd-enable-dev-log-sendto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Provides: ftp-server PreReq: %insserv_prereq /usr/sbin/useradd @@ -86,6 +94,9 @@ tests. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 %build %define seccomp_opts %{nil} @@ -106,8 +117,12 @@ install -D -m 644 $RPM_SOURCE_DIR/%name.pam $RPM_BUILD_ROOT/etc/pam.d/%name install -D -m 644 $RPM_SOURCE_DIR/%name.logrotate $RPM_BUILD_ROOT/etc/logrotate.d/%name install -D -m 644 %name.conf.5 $RPM_BUILD_ROOT/%_mandir/man5/%name.conf.5 install -D -m 644 %name.8 $RPM_BUILD_ROOT/%_mandir/man8/%name.8 +%if %{with_sysvinit} install -D -m 755 %SOURCE3 $RPM_BUILD_ROOT/etc/init.d/%name ln -sf ../../etc/init.d/%name $RPM_BUILD_ROOT/%_prefix/sbin/rc%name +%else +ln -sf ../../sbin/service $RPM_BUILD_ROOT/%{_prefix}/sbin/rc%{name} +%endif install -d $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/ install -D -m 644 %SOURCE5 $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/ install -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/ 
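Review bot: With the new `%if %{with_sysvinit}` guard around the init-script install in the third hunk, the unguarded `PreReq: %insserv_prereq /usr/sbin/useradd` visible as context in the first hunk still pulls the insserv dependency into systemd-only builds that no longer ship /etc/init.d/%name. Splitting it, `PreReq: /usr/sbin/useradd` followed by `%if %{with_sysvinit}` / `PreReq: %insserv_prereq` / `%endif`, keeps the dependency in step with the files actually installed. The `#PATCH-FIX-OPENSUSE` tags for Patch14 and Patch15 both cite bnc#812406, while the fcntl patch file itself says `fixes: bnc#786024`; one of the two references looks wrong and should be reconciled before the tags are relied on.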
@@ -123,20 +138,29 @@ install -D -m 0644 %SOURCE7 %{buildroot}/%{_unitdir}/%{name}.service %endif %preun +if [ -e /etc/init.d/%{name} ]; then %stop_on_removal %name +fi + %if 0%{?suse_version} > 1140 %service_del_preun %{name}.service %endif %post +%if %{with_sysvinit} %{fillup_and_insserv -f %{name}} +%endif + %if 0%{?suse_version} > 1140 %service_add_post %{name}.service %endif %postun +%if %{with_sysvinit} %insserv_cleanup %restart_on_update %name +%endif + %if 0%{?suse_version} > 1140 %service_del_postun %{name}.service %endif @@ -151,7 +175,9 @@ rm -rf $RPM_BUILD_ROOT %endif /usr/sbin/%name /usr/sbin/rc%name +%if %{with_sysvinit} %config /etc/init.d/%name +%endif %_datadir/omc/svcinfo.d/vsftpd.xml %dir /usr/share/empty %config(noreplace) /etc/xinetd.d/%name
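Review bot: `%preun` guards `%stop_on_removal %name` with a runtime test, `if [ -e /etc/init.d/%{name} ]; then`, while `%post` and `%postun` use the build-time `%if %{with_sysvinit}` for the equivalent sysvinit macros; the two mechanisms can disagree, since on a systemd-only build the init file is never packaged but a stray one left on the system would still satisfy the runtime test. Unless the runtime check is deliberately there for the upgrade-from-sysvinit case, use the same `%if %{with_sysvinit}` guard here; if it is deliberate, say so with a comment such as `# runtime check: an init script from a pre-13.1 package may still be present`. The `%files` hunk at -151 is consistent with the guarded install section.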