** Description changed:

+ [Impact]
+ 
+ vsftpd is broken by default. seccomp sandboxing is turned on by default,
+ and it doesn't work because it blocks itself from gettimeofday() calls
+ for logging. The workaround is to disable seccomp sandboxing, which
+ removes one layer of protection. vsftpd is security sensitive, so this
+ is far from ideal.
+ 
+ [Development Fix]
+ 
+ Patched the seccomp sandbox to permit gettimeofday() calls. Patch sent
+ upstream; no response received yet (24 hours, so a little early to
+ expect a response).
+ 
+ dep8 test added to detect this in the future.
+ 
+ [Stable Fix]
+ 
+ Same as development fix.
+ 
+ [Test Case]
+ 
+ The included dep8 test automatically verifies the fix for this bug.
+ Manual steps:
+ 
+ apt-get install vsftpd
+ ftp localhost
+ Press enter (to accept the default user)
+ 
+ Expected result: password prompt
+ Actual result: 500 oops
+ 
+ [Regression Potential]
+ 
+ seccomp sandboxing does not appear to work at all (in the default
+ configuration, at least), and the patch only alters seccomp sandboxing.
+ Thus those not using seccomp sandboxing should not be affected. This is
+ a security sensitive patch, but the gettimeofday() call that is now
+ permitted can only receive the time and cannot do anything to the
+ system.
+ 
+ It is possible that adding an extra call to the whitelist could overflow
+ something and break seccomp sandboxing in some drastic and insecure way,
+ but the code involved is relatively small and appears to have
+ appropriate bounds checking.
+ 
+ [Workaround]
+ 
  Adding seccomp_sandbox=NO to /etc/vsftpd.conf works around this issue
  but turns off the nice sandboxing feature.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 13.10
  Package: vsftpd 3.0.2-1ubuntu2
  ProcVersionSignature: User Name 3.10.0-6.17-generic 3.10.3
  Uname: Linux 3.10.0-6-generic x86_64
  ApportVersion: 2.12.1-0ubuntu3
  Architecture: amd64
  Date: Mon Sep  2 14:20:38 2013
  Ec2AMI: ami-0000008b
  Ec2AMIManifest: FIXME
  Ec2AvailabilityZone: nova
  Ec2InstanceType: m1.small
  Ec2Kernel: aki-00000002
  Ec2Ramdisk: ari-00000002
  MarkForUpload: True
  ProcEnviron:
   TERM=screen
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: vsftpd
  UpgradeStatus: No upgrade log present (probably fresh install)
  vsftpd.log: Error: [Errno 13] Permission denied: '/var/log/vsftpd.log'

** Changed in: vsftpd (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: vsftpd (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: vsftpd (Ubuntu Trusty)
     Assignee: (unassigned) => Robie Basak (racb)

https://bugs.launchpad.net/bugs/1219857

Title:
  vsftpd connections fail on amd64: "500 OOPS: child died"

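
An automated form of the manual test case in the description above, added here as an illustration; it is not the dep8 test shipped with the package and not part of the bug report. The function names are hypothetical, the live probe assumes `nc` (netcat) is installed, and the reply lines quoted in the comments are constructed samples.

```shell
#!/bin/sh
# classify_ftp_dialogue: read the server side of an FTP control dialogue on
# stdin (greeting, then the reply to USER) and report how far login got.
#   0 = "331" password prompt reached (the expected result)
#   1 = "500 OOPS" seen (the failure described in this bug)
#   2 = anything else (no greeting, unexpected reply, connection closed)
classify_ftp_dialogue() {
    banner_seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')    # FTP replies end in CRLF
        case "$line" in
            "500 OOPS"*)
                return 1 ;;
            220-*)
                ;;                                   # multi-line greeting continues
            "220 "*)
                banner_seen=1 ;;
            "331 "*)
                if [ "$banner_seen" -eq 1 ]; then return 0; fi
                return 2 ;;
            *)
                if [ "$banner_seen" -eq 1 ]; then return 2; fi ;;
        esac
    done
    return 2
}

# probe_ftp [HOST] [PORT] [USER]: live check against a running server.
# Mirrors the manual steps: connect, offer the default (current) user name,
# and see whether a password prompt comes back.
probe_ftp() {
    {
        sleep 1                                      # let the greeting arrive first
        printf 'USER %s\r\n' "${3:-$(id -un)}"
        sleep 2
        printf 'QUIT\r\n'
    } | nc -w 5 "${1:-localhost}" "${2:-21}" | classify_ftp_dialogue
}
```

Run `probe_ftp localhost` once with the default configuration and once with `seccomp_sandbox=NO` to tell a sandbox-related failure (exit status 1 only in the first run) from an unrelated one.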