Bug 27752

Summary: vsftpd does not work if seccomp sandbox is enabled
Product: Sisyphus Reporter: PeterVF <petervf>
Component: vsftpd Assignee: Alexey Shabalin <shaba>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: normal    
Priority: P3 CC: aspsk, boyarsh, kopilo4ka, lav, rider, shaba, vic_1980
Version: unstable   
Hardware: all   
OS: Linux   

Description PeterVF 2012-09-19 11:35:44 MSK
System: sisyphus, systemd
$ uname -r
3.5.4-std-def-alt1

$ lftp localhost
lftp localhost:~> ls 123test/
-rw-r--r--    1 ftp      ftp         92699 Aug 27 13:30 whatis.jpeg   
lftp localhost:/> get whatis.jpeg 
get: Ошибка доступа: 550 Failed to open file. (whatis.jpeg)
lftp localhost:/> exit

$ sudo tail /var/log/vsftpd.log
[sudo] password for admin:
Wed Sep 19 11:19:31 2012 [pid 5034] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "mozilla@example.com"
Wed Sep 19 11:19:34 2012 [pid 5040] CONNECT: Client "127.0.0.1"
Wed Sep 19 11:19:34 2012 [pid 5039] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "mozilla@example.com"
Wed Sep 19 11:27:11 2012 [pid 5058] CONNECT: Client "127.0.0.1"
Wed Sep 19 11:27:11 2012 [pid 5057] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "lftp@"
Wed Sep 19 11:28:30 2012 [pid 5083] CONNECT: Client "127.0.0.1"
Wed Sep 19 11:28:30 2012 [pid 5082] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "lftp@"
Wed Sep 19 11:29:47 2012 [pid 5093] CONNECT: Client "127.0.0.1"
Wed Sep 19 11:29:47 2012 [pid 5092] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "lftp@"
Wed Sep 19 11:29:56 2012 [pid 5096] [vsftpd] FAIL DOWNLOAD: Client "127.0.0.1", "/whatis.jpeg", 0.00Kbyte/sec

The same happened with kernel 3.5.3-std-def.
With kernel 3.4.8-std-def and earlier, everything works.

Perhaps this has been fixed in the new version? (http://www.opennet.ru/opennews/art.shtml?num=34859)
Comment 1 Repository Robot 2012-09-20 20:44:09 MSK
vsftpd-3.0.2-alt1 -> sisyphus:

* Thu Sep 20 2012 Dmitry V. Levin <ldv@altlinux> 3.0.2-alt1
- Updated to 3.0.2 (closes: #27752).
Comment 2 PeterVF 2012-09-24 15:24:15 MSK
Unfortunately, the problem remains.
vsftpd.conf:
log_ftp_protocol=YES

$ sudo tail /var/log/vsftpd.log
Mon Sep 24 14:28:23 2012 [pid 1] [vsftpd] OK LOGIN: Client "127.0.0.1", anon password "mozilla@example.com"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "230 Login successful."
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "SYST"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "215 UNIX Type: L8"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "PWD"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "257 "/""
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "TYPE I"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "200 Switching to Binary mode."
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "PASV"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,252,10)."
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "CWD /123test/whatis.jpeg"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1", "550 Failed to change directory."
Comment 3 Dmitry V. Levin 2012-09-24 15:34:12 MSK
If seccomp still does not work after the vsftpd update, then the question is for the kernel people:
is everything all right with seccomp support in the kernels?
Comment 4 Anton Farygin 2013-07-10 14:32:42 MSK
Reproducible on vsftpd-3.0.2-alt2 and kernel 3.9.8-std-def-alt1.
Comment 5 Dmitry V. Levin 2013-07-14 13:38:40 MSK
For me it is not reproducible on vsftpd-3.0.2-alt2 and 3.9.9-std-def-alt1 x86_64.
What is your vsftpd configuration on which seccomp does not work?
Comment 6 Anton Farygin 2013-07-14 18:12:41 MSK
The default one, from the package.
Comment 7 Dmitry V. Levin 2013-07-14 20:57:55 MSK
(In reply to comment #6)
> The default one, from the package.

I checked the default one: vsftpd-3.0.2-alt2 on 3.9.9-std-def-alt1 x86_64 works.
Comment 8 Anton Farygin 2013-07-14 22:05:12 MSK
Yes, it started working on 3.9.9. It did not work on 3.9.8.
Comment 9 Anton Farygin 2013-07-14 22:05:33 MSK
Works on kernel 3.9.9.
Comment 10 Anton Farygin 2013-07-15 17:31:48 MSK
And yet it does not work after all. It depends on the client.
Reproducible when the client is apt:
# apt-get update
Get:1 ftp://hpc1 x86_64 release [931B]
Err ftp://hpc1 x86_64 release
  Unable to fetch file, server said 'OOPS: priv_sock_get_cmd  '
Err ftp://hpc1 noarch release
  Server closed the connection
Get:1 ftp://hpc1 x86_64/classic pkglist
Err ftp://hpc1 x86_64/classic pkglist
  Unable to fetch file, server said 'Failed to open file.  '
Hit ftp://hpc1 x86_64/classic release
Get:2 ftp://hpc1 noarch/classic pkglist
Err ftp://hpc1 noarch/classic pkglist
  Unable to fetch file, server said 'Failed to open file.  '
Hit ftp://hpc1 noarch/classic release
Failed to fetch ftp://hpc1/Sisyphus/x86_64/base/release  Unable to fetch file, server said 'OOPS: priv_sock_get_cmd  '
Failed to fetch ftp://hpc1/Sisyphus/noarch/base/release  Server closed the connection
Failed to fetch ftp://hpc1/Sisyphus/x86_64/base/pkglist.classic  Unable to fetch file, server said 'Failed to open file.  '
Failed to fetch ftp://hpc1/Sisyphus/noarch/base/pkglist.classic  Unable to fetch file, server said 'Failed to open file.  '
Reading Package Lists... Done
Building Dependency Tree... Done
W: Release files for some repositories could not be retrieved or authenticated. Such repositories are being ignored.
W: You may want to run apt-get update to correct these problems
E: Some index files failed to download, they have been ignored, or old ones used instead.
Comment 11 Dmitry V. Levin 2013-07-15 21:48:46 MSK
*** Bug 29137 has been marked as a duplicate of this bug. ***
Comment 12 Repository Robot 2013-07-15 21:52:06 MSK
vsftpd-3.0.2-alt3 -> sisyphus:

* Mon Jul 15 2013 Dmitry V. Levin <ldv@altlinux> 3.0.2-alt3
- Enabled fcntl F_SETFL O_RDONLY|O_LARGEFILE in seccomp sandbox
  (closes: #27752).
Comment 13 Alexey Shabalin 2016-05-20 00:13:42 MSK
Still does not work:
lftp mirror
lftp mirror:~> ls
drwxr-sr-x    6 ftp      ftp          4096 May 19 05:45 ALTLinux
lftp mirror:/ALTLinux> cd Sisyphus/noarch/RPMS.classic/
lftp mirror:/ALTLinux/Sisyphus/noarch/RPMS.classic> ls
ls: Фатальная ошибка: 500 OOPS: priv_sock_get_cmd
Comment 14 Alexey Shabalin 2016-05-20 00:17:21 MSK
If seccomp_sandbox=NO is added to the config, everything starts working.
uname -a
Linux 4.4.10-std-def-alt1 #1 SMP Thu May 12 10:46:51 UTC 2016 x86_64 GNU/Linux
Comment 15 Dmitry V. Levin 2016-05-20 00:48:16 MSK
(In reply to comment #13)
> Still does not work:
> lftp mirror
> lftp mirror:~> ls
> drwxr-sr-x    6 ftp      ftp          4096 May 19 05:45 ALTLinux
> lftp mirror:/ALTLinux> cd Sisyphus/noarch/RPMS.classic/
> lftp mirror:/ALTLinux/Sisyphus/noarch/RPMS.classic> ls
> ls: Фатальная ошибка: 500 OOPS: priv_sock_get_cmd

So far I have not been able to reproduce this.

(In reply to comment #14)
> If seccomp_sandbox=NO is added to the config, everything starts working.
> uname -a
> Linux 4.4.10-std-def-alt1 #1 SMP Thu May 12 10:46:51 UTC 2016 x86_64 GNU/Linux

Maybe it is the new kernel. This should be checked...
Comment 16 Vadim Gusev 2018-03-22 10:24:57 MSK
Reproducible on p8, probably on Sisyphus too, with:
kernel 4.9.71-std-def-alt0.M80P.1
vsftpd-3.0.3-alt1
With the option seccomp_sandbox=NO it started working.
Comment 17 Repository Robot 2020-12-19 22:13:02 MSK
vsftpd-3.0.3-alt2 -> sisyphus:

* Sat Dec 19 2020 Dmitry V. Levin <ldv@altlinux> 3.0.3-alt2
- Updated seccomp filter (closes: #27752, #35901).
- Fixed build with gcc-10.