27752 2012-09-19 11:35:44 +0400 vsftpd does not work if seccomp sandbox is enabled 2021-01-15 14:47:41 +0300 1 1 4 Development Sisyphus vsftpd unstable all Linux CLOSED FIXED P3 normal --- 1 petervf shaba aspsk boyarsh kopilo4ka lav rider shaba vic_1980 qa-sisyphus oldest_to_newest 133381 0 petervf 2012-09-19 11:35:44 +0400 Система sisyphus, systemd $ uname -r 3.5.4-std-def-alt1 $ lftp localhost lftp localhost:~> ls 123test/ -rw-r--r-- 1 ftp ftp 92699 Aug 27 13:30 whatis.jpeg lftp localhost:/> get whatis.jpeg get: Ошибка доступа: 550 Failed to open file. (whatis.jpeg) lftp localhost:/> exit $ sudo tail /var/log/vsftpd.log [sudo] password for admin: Wed Sep 19 11:19:31 2012 [pid 5034] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "mozilla@example.com" Wed Sep 19 11:19:34 2012 [pid 5040] CONNECT: Client "127.0.0.1" Wed Sep 19 11:19:34 2012 [pid 5039] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "mozilla@example.com" Wed Sep 19 11:27:11 2012 [pid 5058] CONNECT: Client "127.0.0.1" Wed Sep 19 11:27:11 2012 [pid 5057] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "lftp@" Wed Sep 19 11:28:30 2012 [pid 5083] CONNECT: Client "127.0.0.1" Wed Sep 19 11:28:30 2012 [pid 5082] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "lftp@" Wed Sep 19 11:29:47 2012 [pid 5093] CONNECT: Client "127.0.0.1" Wed Sep 19 11:29:47 2012 [pid 5092] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "lftp@" Wed Sep 19 11:29:56 2012 [pid 5096] [vsftpd] FAIL DOWNLOAD: Client "127.0.0.1", "/whatis.jpeg", 0.00Kbyte/sec Тоже самое было с ядром 3.5.3-std-def С ядром 3.4.8-std-def и более ранними - все работает Возможно, это поправили в новой версии? (http://www.opennet.ru/opennews/art.shtml?num=34859) 133407 1 repository-robot 2012-09-20 20:44:09 +0400 vsftpd-3.0.2-alt1 -> sisyphus: * Thu Sep 20 2012 Dmitry V. Levin <ldv@altlinux> 3.0.2-alt1 - Updated to 3.0.2 (closes: #27752). 133491 2 petervf 2012-09-24 15:24:15 +0400 к сожалению, проблема осталась vsftpd.conf: log_ftp_protocol=YES $ sudo tail /var/log/vsftpd.log Mon Sep 24 14:28:23 2012 [pid 1] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "mozilla@example.com" Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "230 Login successful." Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "SYST" Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "215 UNIX Type: L8" Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "PWD" Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "257 "/"" Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "TYPE I" Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "200 Switching to Binary mode." Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "PASV" Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,252,10)." Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "CWD /123test/whatis.jpeg" Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "550 Failed to change directory." 133492 3 ldv 2012-09-24 15:34:12 +0400 Если seccomp после обновления vsftpd так и не заработал, то вопрос к ядерщикам, все ли в порядке с поддержкой seccomp в ядрах? 141429 4 rider 2013-07-10 14:32:42 +0400 на vsftpd-3.0.2-alt2 и ядре 3.9.8-std-def-alt1 воспроизводится. 141499 5 ldv 2013-07-14 13:38:40 +0400 У меня на vsftpd-3.0.2-alt2 и 3.9.9-std-def-alt1 x86_64 не воспроизводится. Какая у вас конфигурация vsftpd, на которой не работает seccomp? 141500 6 rider 2013-07-14 18:12:41 +0400 дефолтная, из пакета. 141505 7 ldv 2013-07-14 20:57:55 +0400 (In reply to comment #6) > дефолтная, из пакета. Дефолтную я проверил: vsftpd-3.0.2-alt2 на 3.9.9-std-def-alt1 x86_64 работает. 141506 8 rider 2013-07-14 22:05:12 +0400 да, на 3.9.9 заработало. На 3.9.8 не работало. 141507 9 rider 2013-07-14 22:05:33 +0400 работает на ядре 3.9.9 141520 10 rider 2013-07-15 17:31:48 +0400 И всё-таки оно не работает. Зависит от клиента. Воспроизводится, когда клиент - apt # apt-get update Get:1 ftp://hpc1 x86_64 release [931B] Err ftp://hpc1 x86_64 release Unable to fetch file, server said 'OOPS: priv_sock_get_cmd ' Err ftp://hpc1 noarch release Server closed the connection Get:1 ftp://hpc1 x86_64/classic pkglist Err ftp://hpc1 x86_64/classic pkglist Unable to fetch file, server said 'Failed to open file. ' Hit ftp://hpc1 x86_64/classic release Get:2 ftp://hpc1 noarch/classic pkglist Err ftp://hpc1 noarch/classic pkglist Unable to fetch file, server said 'Failed to open file. ' Hit ftp://hpc1 noarch/classic release Failed to fetch ftp://hpc1/Sisyphus/x86_64/base/release Unable to fetch file, server said 'OOPS: priv_sock_get_cmd ' Failed to fetch ftp://hpc1/Sisyphus/noarch/base/release Server closed the connection Failed to fetch ftp://hpc1/Sisyphus/x86_64/base/pkglist.classic Unable to fetch file, server said 'Failed to open file. ' Failed to fetch ftp://hpc1/Sisyphus/noarch/base/pkglist.classic Unable to fetch file, server said 'Failed to open file. ' Reading Package Lists... Done Building Dependency Tree... Done W: Release files for some repositories could not be retrieved or authenticated. Such repositories are being ignored. W: You may want to run apt-get update to correct these problems E: Some index files failed to download, they have been ignored, or old ones used instead. 141532 11 ldv 2013-07-15 21:48:46 +0400 *** Bug 29137 has been marked as a duplicate of this bug. *** 141533 12 repository-robot 2013-07-15 21:52:06 +0400 vsftpd-3.0.2-alt3 -> sisyphus: * Mon Jul 15 2013 Dmitry V. Levin <ldv@altlinux> 3.0.2-alt3 - Enabled fcntl F_SETFL O_RDONLY|O_LARGEFILE in seccomp sandbox (closes: #27752). 156870 13 shaba 2016-05-20 00:13:42 +0300 по-прежнему не работает: lftp mirror lftp mirror:~> ls drwxr-sr-x 6 ftp ftp 4096 May 19 05:45 ALTLinux lftp mirror:/ALTLinux> cd Sisyphus/noarch/RPMS.classic/ lftp mirror:/ALTLinux/Sisyphus/noarch/RPMS.classic> ls ls: Фатальная ошибка: 500 OOPS: priv_sock_get_cmd 156871 14 shaba 2016-05-20 00:17:21 +0300 Если добавить в конфиг seccomp_sandbox=NO, то всё начинает работать. uname -a Linux 4.4.10-std-def-alt1 #1 SMP Thu May 12 10:46:51 UTC 2016 x86_64 GNU/Linux 156872 15 ldv 2016-05-20 00:48:16 +0300 (In reply to comment #13) > по-прежнему не работает: > lftp mirror > lftp mirror:~> ls > drwxr-sr-x 6 ftp ftp 4096 May 19 05:45 ALTLinux > lftp mirror:/ALTLinux> cd Sisyphus/noarch/RPMS.classic/ > lftp mirror:/ALTLinux/Sisyphus/noarch/RPMS.classic> ls > ls: Фатальная ошибка: 500 OOPS: priv_sock_get_cmd Пока что не получается это воспроизвести. (In reply to comment #14) > Если добавить в конфиг seccomp_sandbox=NO, то всё начинает работать. > uname -a > Linux 4.4.10-std-def-alt1 #1 SMP Thu May 12 10:46:51 UTC 2016 x86_64 GNU/Linux Может, дело в новом ядре. Надо бы это проверить... 169814 16 kopilo4ka 2018-03-22 10:24:57 +0300 Воспроизводится на p8, наверно и в сизифе тоже, при: kernel 4.9.71-std-def-alt0.M80P.1 vsftpd-3.0.3-alt1 С опцией seccomp_sandbox=NO заработало. 195071 17 repository-robot 2020-12-19 22:13:02 +0300 vsftpd-3.0.3-alt2 -> sisyphus: Sat Dec 19 2020 Dmitry V. Levin <ldv@altlinux> 3.0.3-alt2 - Updated seccomp filter (closes: #27752, #35901). - Fixed build with gcc-10.