Hello community,

here is the log from the commit of package vsftpd for openSUSE:Factory checked 
in at 2014-04-11 13:42:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/vsftpd (Old)
 and      /work/SRC/openSUSE:Factory/.vsftpd.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "vsftpd"

Changes:
--------
--- /work/SRC/openSUSE:Factory/vsftpd/vsftpd.changes    2013-07-22 
14:56:50.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.vsftpd.new/vsftpd.changes       2014-04-11 
13:42:44.000000000 +0200
@@ -1,0 +2,47 @@
+Thu Apr 10 12:56:03 UTC 2014 - [email protected]
+
+- Move the enabling of timeofday and alarm one level deeper to
+  be sure it is whitelisted everytime.
+  Also should possibly fix bnc#872215.
+
+- Updated patch:
+  * vsftpd-enable-gettimeofday-sec.patch
+
+-------------------------------------------------------------------
+Thu Apr 10 12:06:25 UTC 2014 - [email protected]
+
+- Remove forking from service type as it hangs in endless loop.
+
+-------------------------------------------------------------------
+Wed Apr  2 07:47:05 UTC 2014 - [email protected]
+
+- Fix warning about dangling symlink on rcvsftpd from rpmlint and
+  remove also clean section while at it.
+
+-------------------------------------------------------------------
+Wed Apr  2 07:35:27 UTC 2014 - [email protected]
+
+- Add patch to allow gettimeofday and alarm calls with seccomp
+  enabled. bnc#870122
+- Added patch:
+  * vsftpd-enable-gettimeofday-sec.patch
+
+-------------------------------------------------------------------
+Tue Apr  1 07:17:50 UTC 2014 - [email protected]
+
+- Specify that the service type is forking
+
+-------------------------------------------------------------------
+Mon Jan 27 13:04:19 UTC 2014 - [email protected]
+
+- changed license to SUSE-GPL-2.0-with-openssl-exception
+  * suggested by legal team
+
+-------------------------------------------------------------------
+Tue Jan 21 11:00:13 UTC 2014 - [email protected]
+
+- add allow_root_squashed_chroot option to enable chroot on nsf
+  mounted with squash_root option (fate#311051)
+  * vsftpd-root-squashed-chroot.patch
+
+-------------------------------------------------------------------

New:
----
  vsftpd-enable-gettimeofday-sec.patch
  vsftpd-root-squashed-chroot.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ vsftpd.spec ++++++
--- /var/tmp/diff_new_pack.BRp2nn/_old  2014-04-11 13:42:45.000000000 +0200
+++ /var/tmp/diff_new_pack.BRp2nn/_new  2014-04-11 13:42:45.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package vsftpd
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,7 +32,7 @@
 Version:        3.0.2
 Release:        0
 Summary:        Very Secure FTP Daemon - Written from Scratch
-License:        GPL-2.0+
+License:        SUSE-GPL-2.0-with-openssl-exception
 Group:          Productivity/Networking/Ftp/Servers
 Url:            https://security.appspot.com/vsftpd.html
 Source0:        
https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
@@ -63,9 +63,13 @@
 Patch14:        vsftpd-enable-fcntl-f_setfl.patch
 #PATCH-FIX-OPENSUSE: bnc#812406
 Patch15:        vsftpd-enable-dev-log-sendto.patch
+#PATCH-FEATURE-SUSE: FATE#311051, call chroot with user credentials to enable 
nsf with squash_root option
+Patch16:        vsftpd-root-squashed-chroot.patch
+#PATCH-FIX-UPSTREAM: bnc#870122
+Patch17:        vsftpd-enable-gettimeofday-sec.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Provides:       ftp-server
-PreReq:         %insserv_prereq /usr/sbin/useradd
+Requires(pre):  %insserv_prereq /usr/sbin/useradd
 %{?systemd_requires}
 Requires:       logrotate
 
@@ -97,6 +101,8 @@
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
+%patch17 -p1
 
 %build
 %define seccomp_opts %{nil}
@@ -121,7 +127,7 @@
 install -D -m 755 %SOURCE3 $RPM_BUILD_ROOT/etc/init.d/%name
 ln -sf ../../etc/init.d/%name $RPM_BUILD_ROOT/%_prefix/sbin/rc%name
 %else
-ln -sf ../../sbin/service $RPM_BUILD_ROOT/%{_prefix}/sbin/rc%{name}
+ln -sf service $RPM_BUILD_ROOT/%{_prefix}/sbin/rc%{name}
 %endif
 install -d $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/
 install -D -m 644 %SOURCE5 $RPM_BUILD_ROOT/%_datadir/omc/svcinfo.d/
@@ -165,9 +171,6 @@
 %service_del_postun %{name}.service
 %endif
 
-%clean
-rm -rf $RPM_BUILD_ROOT
-
 %files
 %defattr(-,root,root)
 %if 0%{?suse_version} > 1140


++++++ vsftpd-enable-gettimeofday-sec.patch ++++++
diff -urN vsftpd-3.0.2/seccompsandbox.c vsftpd-3.0.2.new/seccompsandbox.c
--- vsftpd-3.0.2/seccompsandbox.c       2012-09-18 08:52:30.000000000 +0200
+++ vsftpd-3.0.2.new/seccompsandbox.c   2014-04-10 14:55:30.855607231 +0200
@@ -303,6 +303,14 @@
   allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
   allow_nr(__NR_restart_syscall);
   allow_nr(__NR_close);
+  
+ /*
+  * Calls to alarm and date
+  * Seems to be some part of the logging
+  * wrt bnc#870122
+  */
+   allow_nr(__NR_alarm);
+   allow_nr(__NR_gettimeofday);
 
   /* Always need to be able to exit ! */
   allow_nr(__NR_exit_group);
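Review bot: The comment above the two new `allow_nr` calls records a guess ("Seems to be some part of the logging") rather than the caller, which makes these seccomp allow-list entries hard to audit or prune later. Neither `alarm` nor `gettimeofday` takes a file descriptor or a path, so the added surface is small, but the comment should still name the code path that needs them, e.g. `/* alarm(2), gettimeofday(2): required by <caller, to be confirmed>; see bnc#870122. */`. The added lines are also indented three spaces and preceded by a whitespace-only line, where the neighbouring calls use two spaces. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here that every sandboxed process type passes through this point.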
++++++ vsftpd-root-squashed-chroot.patch ++++++
---
 parseconf.c   |    1 +
 secutil.c     |    6 ++++--
 secutil.h     |    2 ++
 tunables.c    |    2 ++
 tunables.h    |    1 +
 twoprocess.c  |    6 ++++++
 vsftpd.conf   |    4 ++++
 vsftpd.conf.5 |    7 +++++++
 8 files changed, 27 insertions(+), 2 deletions(-)

Index: vsftpd-3.0.2/tunables.c
===================================================================
--- vsftpd-3.0.2.orig/tunables.c
+++ vsftpd-3.0.2/tunables.c
@@ -88,6 +88,7 @@ int tunable_ftp_enable;
 int tunable_http_enable;
 int tunable_seccomp_sandbox;
 int tunable_allow_writeable_chroot;
+int tunable_allow_root_squashed_chroot;
 
 unsigned int tunable_accept_timeout;
 unsigned int tunable_connect_timeout;
@@ -228,6 +229,7 @@ tunables_load_defaults()
   tunable_http_enable = 0;
   tunable_seccomp_sandbox = 1;
   tunable_allow_writeable_chroot = 0;
+  tunable_allow_root_squashed_chroot = 0;
 
   tunable_accept_timeout = 60;
   tunable_connect_timeout = 60;
Index: vsftpd-3.0.2/tunables.h
===================================================================
--- vsftpd-3.0.2.orig/tunables.h
+++ vsftpd-3.0.2/tunables.h
@@ -89,6 +89,7 @@ extern int tunable_ftp_enable;
 extern int tunable_http_enable;               /* Allow HTTP protocol */
 extern int tunable_seccomp_sandbox;           /* seccomp filter sandbox */
 extern int tunable_allow_writeable_chroot;    /* Allow misconfiguration */
+extern int tunable_allow_root_squashed_chroot;/* Allow chroot on squashed root 
nfs */
 
 /* Integer/numeric defines */
 extern unsigned int tunable_accept_timeout;
Index: vsftpd-3.0.2/parseconf.c
===================================================================
--- vsftpd-3.0.2.orig/parseconf.c
+++ vsftpd-3.0.2/parseconf.c
@@ -107,6 +107,7 @@ parseconf_bool_array[] =
   { "http_enable", &tunable_http_enable },
   { "seccomp_sandbox", &tunable_seccomp_sandbox },
   { "allow_writeable_chroot", &tunable_allow_writeable_chroot },
+  { "allow_root_squashed_chroot", &tunable_allow_root_squashed_chroot },
   { 0, 0 }
 };
 
Index: vsftpd-3.0.2/twoprocess.c
===================================================================
--- vsftpd-3.0.2.orig/twoprocess.c
+++ vsftpd-3.0.2/twoprocess.c
@@ -164,6 +164,9 @@ drop_all_privs(void)
   {
     str_alloc_text(&dir_str, tunable_secure_chroot_dir);
   }
+  if (tunable_allow_root_squashed_chroot) {
+    option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
+  }
   /* Be kind: give good error message if the secure dir is missing */
   {
     struct vsf_sysutil_statbuf* p_statbuf = 0;
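Review bot: Setting `VSF_SECUTIL_OPTION_CHANGE_EUID` inside `drop_all_privs` alters how the privilege-dropping chroot is performed, yet nothing at the new `if` says which credentials are in effect at chroot time or why that is acceptable. The `secutil.c` and `secutil.h` changes that the diffstat lists, and that presumably implement the flag, are not shown on this page, so the handling of a failed euid switch cannot be checked from here. A comment such as `/* allow_root_squashed_chroot: chroot is called with non-root credentials (NFS root squashing); see vsf_secutil_change_credentials() */` would tie the flag to its documented purpose. The same flag is set in the `common_do_login` hunk, where it is additionally gated on `do_chroot`; it would help to say why no such gate is needed here. The body of `drop_all_privs` starts and ends outside the hunk.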
@@ -453,6 +456,9 @@ common_do_login(struct vsf_session* p_se
     {
       secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;
     }
+    if (do_chroot && tunable_allow_root_squashed_chroot) {
+        secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
+    }
     calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
                         p_user_str, p_orig_user_str);
     vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
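Review bot: The added `if` puts its opening brace on the same line and indents the body by four spaces, while the context lines directly above it place braces on their own lines with two-space steps; the first twoprocess.c hunk has the same brace placement. Matching the file's layout keeps this credential-handling code easy to scan: `if (do_chroot && tunable_allow_root_squashed_chroot)`, then `{` on its own line, then `secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;` indented two spaces further. The body of `common_do_login` continues outside the hunk.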
Index: vsftpd-3.0.2/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf.5
+++ vsftpd-3.0.2/vsftpd.conf.5
@@ -42,6 +42,13 @@ connections.
 
 Default: NO
 .TP
+.B allow_root_squashed_chroot
+If set to YES, chroot is called with non-root credentials. This enabled chroot
+on squashed nfs. This option is applied only if chroot is performed, otherwise
+ignored.
+
+Default: NO
+.TP
 .B anon_mkdir_write_enable
 If set to YES, anonymous users will be permitted to create new directories
 under certain conditions. For this to work, the option
Index: vsftpd-3.0.2/vsftpd.conf
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf
+++ vsftpd-3.0.2/vsftpd.conf
@@ -64,6 +64,10 @@ local_enable=YES
 # (default follows)
 #chroot_list_file=/etc/vsftpd.chroot_list
 #
+# Performs chroot with original (non-root) credentials. This is usefull on nfs 
with squash_root,
+# where root becomes nobody and would need -x access.
+#allow_root_squashed_chroot=YES
+#
 # The maximum data transfer rate permitted, in bytes per second, for
 # local authenticated users. The default is 0 (unlimited).
 #local_max_rate=7200
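Review bot: The sample comment calls the NFS export option `squash_root`; the option documented in exports(5) is `root_squash`, so an administrator searching for the term as written will not find it. The comment also omits that the setting is only applied when a chroot is performed, which the vsftpd.conf.5 hunk does state. Suggested wording: `# Perform chroot with the original (non-root) credentials. Useful on NFS exported with root_squash,` followed by `# where root becomes nobody and would need x access. Only applied when chroot is performed.`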
