diff --git a/use-system-wide-tls-cipher-policy.patch b/use-system-wide-tls-cipher-policy.patch
new file mode 100644
index 0000000..d395908
--- /dev/null
+++ b/use-system-wide-tls-cipher-policy.patch
@@ -0,0 +1,26 @@
+Index: vsftpd-3.0.5/tunables.c
+===================================================================
+--- vsftpd-3.0.5.orig/tunables.c 2022-02-02 10:58:56.589962539 +0100
++++ vsftpd-3.0.5/tunables.c 2022-02-02 11:00:17.600782133 +0100
+@@ -295,7 +295,7 @@ tunables_load_defaults()
+ install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
+ &tunable_rsa_cert_file);
+ install_str_setting(0, &tunable_dsa_cert_file);
+- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
++ install_str_setting("DEFAULT_SUSE", &tunable_ssl_ciphers);
+ install_str_setting(0, &tunable_rsa_private_key_file);
+ install_str_setting(0, &tunable_dsa_private_key_file);
+ install_str_setting(0, &tunable_ca_certs_file);
+Index: vsftpd-3.0.5/vsftpd.conf.5
+===================================================================
+--- vsftpd-3.0.5.orig/vsftpd.conf.5 2022-02-02 10:58:56.589962539 +0100
++++ vsftpd-3.0.5/vsftpd.conf.5 2022-02-02 11:01:58.855306755 +0100
+@@ -1025,7 +1025,7 @@ man page for further details. Note that
+ security precaution as it prevents malicious remote parties forcing a cipher
+ which they have found problems with.
+
+-Default: DES-CBC3-SHA
++Default: DEFAULT_SUSE
+ .TP
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
diff --git a/vsftpd-allow-dev-log-socket.patch b/vsftpd-allow-dev-log-socket.patch
new file mode 100644
index 0000000..0a75b08
--- /dev/null
+++ b/vsftpd-allow-dev-log-socket.patch
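Review bot: The man-page hunk replaces `Default: DES-CBC3-SHA` with `Default: DEFAULT_SUSE` but does not say that this is not a cipher name: it is an alias that only an OpenSSL carrying the system crypto-policy patches expands, so on a build linked against an OpenSSL without that alias the cipher-list setter that vsftpd (outside this hunk) feeds `tunable_ssl_ciphers` into presumably rejects the string and TLS does not come up. A cipher-list string also governs only TLS 1.2 and earlier; OpenSSL selects TLS 1.3 ciphersuites through a separate setting that this default does not touch, which the entry should make clear. I would add to the `ssl_ciphers` entry: `DEFAULT_SUSE is a system crypto-policy alias rather than a cipher; run "openssl ciphers -v DEFAULT_SUSE" to see what it currently expands to.` tunables_load_defaults() continues outside the hunk.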
@@ -0,0 +1,30 @@
+From: mvyskocil@suse.com
+Subject: enable /dev/log related socket call
+
+Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
+sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
+with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
+pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
+
+Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
+
+Index: vsftpd-3.0.5/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.5.orig/seccompsandbox.c 2022-02-02 11:03:38.133860169 +0100
++++ vsftpd-3.0.5/seccompsandbox.c 2022-02-02 11:03:38.177859528 +0100
+@@ -366,6 +366,15 @@ seccomp_sandbox_init()
+ {
+ bug("bad state in seccomp_sandbox_init");
+ }
++
++ //this is very probably an attempt to open /dev/log
++ //it fails because process cannot open any file, so it might be safe
++ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
++ allow_nr_3_arg_match(__NR_socket,
++ 1, PF_FILE,
++ 2, SOCK_DGRAM | SOCK_CLOEXEC,
++ 3, 0);
++
+ }
+
+ void
diff --git a/vsftpd-enable-sendto-for-prelogin-syslog.patch b/vsftpd-enable-sendto-for-prelogin-syslog.patch
new file mode 100644
index 0000000..ae01b4f
--- /dev/null
+++ b/vsftpd-enable-sendto-for-prelogin-syslog.patch
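Review bot: The comment above the new `allow_nr_3_arg_match(__NR_socket, ...)` rule justifies it with `//it fails because process cannot open any file, so it might be safe`, but nothing in the rule enforces that: the filter admits socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) whether or not RLIMIT_NOFILE makes the call fail, and since it is added to `seccomp_sandbox_init()` it presumably lands in the base filter of every sandboxed process, not only where Linux-PAM runs. The actual bound is the exact argument match plus the absence of any rule that could use the resulting socket, so the comment should state that rather than a guess, e.g. `/* Linux-PAM's syslog() creates an AF_UNIX datagram socket for /dev/log; allow exactly that shape so the process is not killed with SIGSYS (bnc#786024). The socket is only usable where a matching sendto() rule exists. */`. The vsftpd.changes entry in this same commit describes this patch as allowing the sendto() syscall, whereas this hunk allows socket() and sendto() comes from vsftpd-enable-sendto-for-prelogin-syslog.patch, so the changelog wording does not match the code.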
@@ -0,0 +1,21 @@
+Enable sendto for syslog logging to /dev/log in prelogin
+
+We write to log from check_limits() and therefore we have to allow
+sendto() for syslog otherwise sandbox will kill the child.
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -388,6 +388,11 @@ seccomp_sandbox_setup_prelogin(const str
+ 1, PF_FILE,
+ 2, SOCK_DGRAM | SOCK_CLOEXEC,
+ 3, 0);
++ // allow syslog logs from check_limits()
++ if (tunable_syslog_enable)
++ {
++ allow_nr_1_arg_match(__NR_sendto, 6, 0);
++ }
+
+ }
+
diff --git a/vsftpd.changes b/vsftpd.changes
index c9acfa4..b658344 100644
--- a/vsftpd.changes
+++ b/vsftpd.changes
@@ -32,6 +32,14 @@ Tue Feb 1 18:42:41 UTC 2022 - Peter Simons
 configurations and it was never documented anywhere -- not in the package's changelog and not in the packages's own man page.
+- Apply "use-system-wide-tls-cipher-policy.patch" so that vsftpd
+ follows the system-wide TLS cipher policy "DEFAULT_SUSE" by
+ default. Run the command "openssl ciphers -v DEFAULT_SUSE" to see
+ which ciphers this includes.
+
+- Apply "add vsftpd-allow-dev-log-socket.patch" to allow sendto()
+ syscall when /dev/log support is enabled. [bnc#786024]
+
+-------------------------------------------------------------------
+Wed Jan 5 10:21:02 UTC 2022 - Johannes Segitz
@@ -67,6 +75,8 @@ Tue Jun 15 07:49:13 AM UTC 2021 - Peter Simons
 - "0001-Introduce-TLSv1.3-option.patch" is now obsolete.
+- "vsftpd-seccomp-syslog.patch" is now obsolete.
+
 -------------------------------------------------------------------
 Mon Jun 14 14:26:05 UTC 2021 - Peter Simons
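Review bot: This hunk is generated against vsftpd-3.0.2 and anchors on `seccomp_sandbox_setup_prelogin` at line 388, yet its six context lines are the PF_FILE socket() rule that vsftpd-allow-dev-log-socket.patch (applied just before it) inserts into `seccomp_sandbox_init()` around line 366 of 3.0.5, so where the new `allow_nr_1_arg_match(__NR_sendto, 6, 0)` ends up is left to patch offset/fuzz matching; if it matches in `seccomp_sandbox_init()`, the rule is presumably in the base filter of every sandboxed process rather than the prelogin one the patch title promises. The patch should be refreshed against 3.0.5 so the target function is explicit in the hunk. The rule itself constrains only argument 6 (addrlen == 0), which admits a plain send() on any already-connected descriptor; that is what syslog()'s connected /dev/log socket needs, and the comment should say so: `// sendto() with addrlen == 0 only: send() on the connected /dev/log socket used by syslog()`. The enclosing function starts before the hunk.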
@@ -260,6 +270,12 @@ Wed Mar 23 10:07:55 UTC 2016 - tchvatal@suse.com
 - Require shadow and do not output the error out of useradd
+-------------------------------------------------------------------
+Tue Mar 22 14:56:05 UTC 2016 - tchvatal@suse.com
+
+- Fix hang when using seccomp and syslog bnc#971784:
+ * vsftpd-seccomp-syslog.patch
+
 -------------------------------------------------------------------
 Tue Mar 22 14:27:27 UTC 2016 - tchvatal@suse.com
diff --git a/vsftpd.spec b/vsftpd.spec
index de38179..55e4464 100644
--- a/vsftpd.spec
+++ b/vsftpd.spec
@@ -93,6 +93,9 @@ Patch38: vsftpd-seccomp-getrandom.patch
 Patch39: vsftpd-seccomp-ssl.patch
 Patch40: vsftpd-seccomp-wait4.patch
 Patch41: revert-undocumented-config-file-format-changes.patch
+Patch42: use-system-wide-tls-cipher-policy.patch
+Patch43: vsftpd-allow-dev-log-socket.patch
+Patch44: vsftpd-enable-sendto-for-prelogin-syslog.patch
 BuildRequires: libcap-devel
 BuildRequires: libopenssl-devel
 BuildRequires: pam-devel
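Review bot: Patch44 only applies on top of lines that Patch43 inserts — its context is the PF_FILE socket() rule that vsftpd-allow-dev-log-socket.patch adds — so the relative order of these two `Patch` declarations is load-bearing and deserves a comment: `# Patch44 patches the hunk Patch43 adds; keep them in this order`. Patch44 is also generated against vsftpd-3.0.2 while Patch42 and Patch43 are against 3.0.5, so refreshing it against the current tree would make the dependency visible in the patch itself. The `%patch` or `%autosetup` lines that actually apply the series are outside this hunk.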