Hello community, here is the log from the commit of package vsftpd for openSUSE:Factory checked in at 2013-04-05 07:43:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vsftpd (Old) and /work/SRC/openSUSE:Factory/.vsftpd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vsftpd", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/vsftpd/vsftpd.changes 2013-03-07 07:35:31.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.vsftpd.new/vsftpd.changes 2013-04-05 07:43:40.000000000 +0200 @@ -1,0 +2,18 @@ +Thu Apr 4 08:35:40 UTC 2013 - [email protected] + +- add vsftpd-enable-dev-log-sendto.patch (bnc#812406#c1) + * this enabled a sendto on /dev/log socket when syslog is enabled +- provide more verbose explanation about isolate_network and seccomp_sanbox in + config file template +- don't install init file on openSUSE 13.1+ +- drop a build support for SL 10 and older + +------------------------------------------------------------------- +Fri Mar 29 13:15:46 UTC 2013 - [email protected] + +- add vsftpd-drop-newpid-from-clone.patch (bnc#786024#c38) + * drop CLONE_NEWPID from clone to enable audit system +- add vsftpd-enable-fcntl-f_setfl.patch (bnc#812406) + * unconditionally enable F_SETFL patch - might be safe to do + +------------------------------------------------------------------- New: ---- vsftpd-drop-newpid-from-clone.patch vsftpd-enable-dev-log-sendto.patch vsftpd-enable-fcntl-f_setfl.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vsftpd.spec ++++++ --- /var/tmp/diff_new_pack.9sFmFQ/_old 2013-04-05 07:43:55.000000000 +0200 +++ /var/tmp/diff_new_pack.9sFmFQ/_new 2013-04-05 07:43:55.000000000 +0200 @@ -16,15 +16,16 @@ # +%global with_sysvinit 0 +%if 0%{?suse_version} < 1310 +%global with_sysvinit 1 +%endif + Name: vsftpd BuildRequires: gpg-offline +BuildRequires: libcap-devel BuildRequires: openssl-devel BuildRequires: pam-devel -%if 0%{?suse_version} < 1001 -BuildRequires: libcap -%else -BuildRequires: libcap-devel -%endif %if 0%{?suse_version} > 1140 BuildRequires: systemd %endif 
@@ -54,7 +55,14 @@ Patch9: vsftpd-2.3.5-conf.patch Patch10: vsftpd-3.0.0_gnu_source_defines.patch Patch11: vsftpd-3.0.0-optional-seccomp.patch +#PATCH-FIX-OPENSUSE: bnc#786024 Patch12: vsftpd-allow-dev-log-socket.patch +#PATCH-FIX-OPENSUSE: bnc#786024, second issue with pam_login_acct +Patch13: vsftpd-drop-newpid-from-clone.patch +#PATCH-FIX-OPENSUSE: bnc#812406 +Patch14: vsftpd-enable-fcntl-f_setfl.patch +#PATCH-FIX-OPENSUSE: bnc#812406 +Patch15: vsftpd-enable-dev-log-sendto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Provides: ftp-server PreReq: %insserv_prereq /usr/sbin/useradd @@ -86,6 +94,9 @@ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 %build %define seccomp_opts %{nil} @@ -106,8 +117,12 @@ install -D -m 644 $RPM_SOURCE_DIR/%name.logrotate $RPM_BUILD_ROOT/etc/logrotate.d/%name install -D -m 644 %name.conf.5 $RPM_BUILD_ROOT/%_mandir/man5/%name.conf.5 install -D -m 644 %name.8 $RPM_BUILD_ROOT/%_mandir/man8/%name.8 +%if %{with_sysvinit} install -D -m 755 %SOURCE3 $RPM_BUILD_ROOT/etc/init.d/%name ln -sf ../../etc/init.d/%name $RPM_BUILD_ROOT/%_prefix/sbin/rc%name +%else +ln -sf ../../sbin/service $RPM_BUILD_ROOT/%{_prefix}/sbin/rc%{name} +%endif install -d $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/ install -D -m 644 %SOURCE5 $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/ install -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/ @@ -123,20 +138,29 @@ %endif %preun +if [ -e /etc/init.d/%{name} ]; then %stop_on_removal %name +fi + %if 0%{?suse_version} > 1140 %service_del_preun %{name}.service %endif %post +%if %{with_sysvinit} %{fillup_and_insserv -f %{name}} +%endif + %if 0%{?suse_version} > 1140 %service_add_post %{name}.service %endif %postun +%if %{with_sysvinit} %insserv_cleanup %restart_on_update %name +%endif + %if 0%{?suse_version} > 1140 %service_del_postun %{name}.service %endif 
@@ -151,7 +175,9 @@ %endif /usr/sbin/%name /usr/sbin/rc%name +%if %{with_sysvinit} %config /etc/init.d/%name +%endif %_datadir/omc/svcinfo.d/vsftpd.xml %dir /usr/share/empty %config(noreplace) /etc/xinetd.d/%name ++++++ vsftpd-2.3.5-conf.patch ++++++ --- /var/tmp/diff_new_pack.9sFmFQ/_old 2013-04-05 07:43:55.000000000 +0200 +++ /var/tmp/diff_new_pack.9sFmFQ/_new 2013-04-05 07:43:55.000000000 +0200 @@ -174,7 +174,7 @@ # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. -@@ -77,41 +164,34 @@ connect_from_port_20=YES +@@ -77,41 +164,46 @@ connect_from_port_20=YES # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. @@ -232,7 +232,19 @@ +pasv_min_port=30000 +pasv_max_port=30100 + -+# security features that are incompatible with some other settings. Try to -+# uncomment if vsftpd dies with weird errors. ++### security features that are incompatible with some other settings. ### ++ ++# isolate_network ensures the vsftpd subprocess is started in own network ++# namespace (see CLONE_NEWNET in clone(2)). It however disables the ++# authentication methods needs the network access (LDAP, NIS, ...). +#isolate_network=NO ++ ++# seccomp_sanbox add an aditional security layer limiting the number of a ++# syscalls can be performed via vsftpd. However it might happen that a ++# whitelist don't allow a legitimate call (usually indirectly triggered by ++# third-party library like pam, or openssl) and the process is being killed by kernel. ++# ++# Therefor if your server dies on common situations (file download, upload), ++# uncomment following line and don't forget to open bug at ++# https://bugzilla.novell.com +#seccomp_sandbox=NO ++++++ vsftpd-drop-newpid-from-clone.patch ++++++ 
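Review bot: The new comment block in the @@ -232 hunk names the option `seccomp_sanbox`, but the directive it explains two lines below is `#seccomp_sandbox=NO`, so an administrator searching the template for the real option name never reaches the explanation (the changes entry carries the same misspelling). The line `# seccomp_sanbox add an aditional security layer limiting the number of a` should read `# seccomp_sandbox adds an additional security layer limiting the set of` followed by `# syscalls that vsftpd may perform.`, and `Therefor` should be `Therefore`. The isolate_network paragraph has a similar slip: `# authentication methods needs the network access (LDAP, NIS, ...).` should be `# authentication methods that need network access (LDAP, NIS, ...).` Both options ship commented out, so these lines are the only in-file statement of what enabling them costs, which makes the wording worth getting right.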
From: Michal Vyskocil <[email protected]> Subject: Drop CLONE_NEWPID from clone call Kernel autid system prohibits the processes created with CLONE_NEWPID, so an attempt to log into ftp server ends with audit_log_acct_message() failed: Operation not permitted https://bugzilla.novell.com/show_bug.cgi?id=786024#c38 identified-by: Tony Jones <[email protected]> fixes: bnc#786024 Index: vsftpd-3.0.2/sysdeputil.c =================================================================== --- vsftpd-3.0.2.orig/sysdeputil.c +++ vsftpd-3.0.2/sysdeputil.c @@ -1272,7 +1272,7 @@ vsf_sysutil_fork_isolate_all_failok() if (cloneflags_work) { int ret = syscall(__NR_clone, - CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD, + CLONE_NEWIPC | CLONE_NEWNET | SIGCHLD, NULL); if (ret != -1 || (errno != EINVAL && errno != EPERM)) { @@ -1295,7 +1295,7 @@ vsf_sysutil_fork_isolate_failok() static int cloneflags_work = 1; if (cloneflags_work) { - int ret = syscall(__NR_clone, CLONE_NEWPID | CLONE_NEWIPC | SIGCHLD, NULL); + int ret = syscall(__NR_clone, CLONE_NEWIPC | SIGCHLD, NULL); if (ret != -1 || (errno != EINVAL && errno != EPERM)) { if (ret == 0) ++++++ vsftpd-enable-dev-log-sendto.patch ++++++ From: [email protected] Subject: enable sendto to /dev/log vsftpd is killed once a file is downloaded and it try to log the success to /dev/log. This patch enables a sendto on fd 4, in a case the syslog logging is enabled. Fixes: https://bugzilla.novell.com/show_bug.cgi?id=812406 --- seccompsandbox.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) Index: vsftpd-3.0.2/seccompsandbox.c =================================================================== --- vsftpd-3.0.2.orig/seccompsandbox.c +++ vsftpd-3.0.2/seccompsandbox.c 
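Review bot: Dropping CLONE_NEWPID from both clone() calls (the hunks at -1272 in vsf_sysutil_fork_isolate_all_failok and at -1295 in vsf_sysutil_fork_isolate_failok) narrows what these "isolate" helpers actually isolate — the child now shares the parent's PID namespace and can see, and subject to normal credentials signal, other processes — yet neither the code nor the vsftpd.conf template records the change. A comment at the first call, `/* CLONE_NEWPID intentionally omitted: the kernel audit subsystem rejects processes in a new PID namespace (bnc#786024); IPC and network namespaces still apply. */`, would keep the trade-off visible to the next person touching the flags, and the conf template's isolate description should say that PID isolation is no longer provided. The patch does not show whether the audit restriction is kernel-version dependent, so a note on the condition under which the flag could be restored would also help. Both functions begin before and end after their hunks.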
@@ -503,6 +501,15 @@ seccomp_sandbox_setup_postlogin(const st allow_nr(__NR_chmod); } } + + /* + * MV: this enables logging to the syslog - the vsf_log_do_log are in postlogin.c and privops.c, but hopefully this is enough + */ + if (tunable_syslog_enable) + { + allow_nr_1_arg_mask(__NR_sendto, 1, 4); + } + } void ++++++ vsftpd-enable-fcntl-f_setfl.patch ++++++ From: Michal Vyskocil <[email protected]> Subject: Enable fcntl F_SETFL The fcntl with F_SETFL is called from various parts of a vsftpd code, thus add it unconditionally to seccomp sandbox. I've failed to limit it more, however most arguments of F_SETFL are ignored on Linux and the remaining set seems to be safe. fixes: bnc#786024 --- seccompsandbox.c | 22 ++++++++++++++++++++++ 5 files changed, 45 insertions(+), 6 deletions(-) Index: vsftpd-3.0.2/seccompsandbox.c =================================================================== --- vsftpd-3.0.2.orig/seccompsandbox.c +++ vsftpd-3.0.2/seccompsandbox.c @@ -306,6 +306,25 @@ seccomp_sandbox_setup_base() /* Always need to be able to exit ! */ allow_nr(__NR_exit_group); + + /* + * MV: this is needed for + * vsf_sysutil_activate_noblock + * vsf_sysutil_deactivate_noblock + * + * both called from various places (like all those die, bug in utilities), + * so lets enable it by default + */ + allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL); + allow_nr_1_arg_match(__NR_fcntl, 2, F_SETFL); + + /* + * MV: this form have newer worked, neither with O_RDWR, O_RDWR|O_NONBLOCK + * however fcntl(2) says that most of arguments to fcntl are ignored on Linux + * thus this might be safe to do + */ + //allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR); + } void -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
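Review bot: `allow_nr_1_arg_mask(__NR_sendto, 1, 4)` hard-codes the assumption that the syslog socket is file descriptor 4, and the patch header only says this "hopefully" suffices; nothing in the hunk documents why fd 4 is stable at the point seccomp_sandbox_setup_postlogin runs. If allow_nr_1_arg_mask applies a bit-mask test rather than equality (its definition is outside the hunk), the rule also admits any descriptor with bit 2 set (5, 6, 7, 12, …), wider than intended, whereas the `allow_nr_1_arg_match` helper used elsewhere in this file expresses equality. At minimum the comment should state the contract, e.g. `/* syslog(3) socket: assumed to be fd 4 when the sandbox is installed — confirm the descriptor is opened before sandbox setup. */`. The header's diffstat claims 15 insertions and 2 deletions, and the hunk's +501 offset implies an earlier deletion, but only this 9-line hunk is present, so the patch as reproduced here looks incomplete. The enclosing function starts before the hunk.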
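Review bot: The `//allow_nr_2_arg_match(__NR_fcntl, 2, F_SETFL, 3, O_RDWR);` line in the @@ -306 hunk is commented-out code left in seccomp_sandbox_setup_base; the comment above it already records that the form never worked, so the line should be removed rather than carried. The F_SETFL rule leaves the third argument unconstrained, so any flag combination (O_NONBLOCK, O_APPEND, O_ASYNC, …) passes the filter; the patch header argues this is acceptable, and that reasoning belongs next to the rule, e.g. `/* Third argument unrestricted: the callers are believed to toggle only O_NONBLOCK, and fcntl(2) ignores most other F_SETFL bits on Linux — confirm before widening further. */`. The header also says `fixes: bnc#786024` while the spec comment and changes entry attribute this patch to bnc#812406, and its diffstat lists 5 files / 45 insertions for a single 19-line hunk, so both should be corrected before the patch is sent upstream. Whether F_GETFL/F_SETFL are in scope in seccompsandbox.c (`<fcntl.h>`) cannot be seen from the hunk.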
