Bug 27752 - vsftpd does not work if seccomp sandbox is enabled
Status: REOPENED
Product: Sisyphus
Component: vsftpd
Version: unstable
Platform: all Linux
Priority/Severity: P3 normal
Reported: 2012-09-19 11:35
Modified: 2016-05-20 00:48
Description From 2012-09-19 11:35:44
System: sisyphus, systemd
$ uname -r
3.5.4-std-def-alt1

$ lftp localhost
lftp localhost:~> ls 123test/
-rw-r--r--    1 ftp      ftp         92699 Aug 27 13:30 whatis.jpeg   
lftp localhost:/> get whatis.jpeg 
get: Ошибка доступа: 550 Failed to open file. (whatis.jpeg)
lftp localhost:/> exit

$ sudo tail /var/log/vsftpd.log
[sudo] password for admin:
Wed Sep 19 11:19:31 2012 [pid 5034] [vsftpd] OK LOGIN: Client "127.0.0.1", anon
password "mozilla@example.com"
Wed Sep 19 11:19:34 2012 [pid 5040] CONNECT: Client "127.0.0.1"
Wed Sep 19 11:19:34 2012 [pid 5039] [vsftpd] OK LOGIN: Client "127.0.0.1", anon
password "mozilla@example.com"
Wed Sep 19 11:27:11 2012 [pid 5058] CONNECT: Client "127.0.0.1"
Wed Sep 19 11:27:11 2012 [pid 5057] [vsftpd] OK LOGIN: Client "127.0.0.1", anon
password "lftp@"
Wed Sep 19 11:28:30 2012 [pid 5083] CONNECT: Client "127.0.0.1"
Wed Sep 19 11:28:30 2012 [pid 5082] [vsftpd] OK LOGIN: Client "127.0.0.1", anon
password "lftp@"
Wed Sep 19 11:29:47 2012 [pid 5093] CONNECT: Client "127.0.0.1"
Wed Sep 19 11:29:47 2012 [pid 5092] [vsftpd] OK LOGIN: Client "127.0.0.1", anon
password "lftp@"
Wed Sep 19 11:29:56 2012 [pid 5096] [vsftpd] FAIL DOWNLOAD: Client "127.0.0.1",
"/whatis.jpeg", 0.00Kbyte/sec

The same happened with kernel 3.5.3-std-def.
With kernel 3.4.8-std-def and earlier everything works.

Perhaps this has been fixed in the new version?
(http://www.opennet.ru/opennews/art.shtml?num=34859)
------- Comment #1 From 2012-09-20 20:44:09 -------
vsftpd-3.0.2-alt1 -> sisyphus:

* Thu Sep 20 2012 Dmitry V. Levin <ldv@altlinux> 3.0.2-alt1
- Updated to 3.0.2 (closes: #27752).
------- Comment #2 From 2012-09-24 15:24:15 -------
Unfortunately, the problem remains.
vsftpd.conf:
log_ftp_protocol=YES

$ sudo tail /var/log/vsftpd.log
Mon Sep 24 14:28:23 2012 [pid 1] [vsftpd] OK LOGIN: Client "127.0.0.1", anon
password "mozilla@example.com"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1",
"230 Login successful."
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1",
"SYST"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1",
"215 UNIX Type: L8"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1",
"PWD"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1",
"257 "/""
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1",
"TYPE I"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1",
"200 Switching to Binary mode."
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1",
"PASV"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1",
"227 Entering Passive Mode (127,0,0,1,252,10)."
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP command: Client "127.0.0.1", "CWD
/123test/whatis.jpeg"
Mon Sep 24 14:28:23 2012 [pid 3] [vsftpd] FTP response: Client "127.0.0.1",
"550 Failed to change directory."
------- Comment #3 From 2012-09-24 15:34:12 -------
If seccomp still does not work after the vsftpd update, then the question goes to the kernel people:
is everything all right with seccomp support in the kernels?
------- Comment #4 From 2013-07-10 14:32:42 -------
Reproduces on vsftpd-3.0.2-alt2 and kernel 3.9.8-std-def-alt1.
------- Comment #5 From 2013-07-14 13:38:40 -------
For me it does not reproduce on vsftpd-3.0.2-alt2 and 3.9.9-std-def-alt1 x86_64.
Which vsftpd configuration do you have where seccomp does not work?
------- Comment #6 From 2013-07-14 18:12:41 -------
The default one, from the package.
------- Comment #7 From 2013-07-14 20:57:55 -------
(In reply to comment #6)
> The default one, from the package.

I checked the default one: vsftpd-3.0.2-alt2 on 3.9.9-std-def-alt1 x86_64 works.
------- Comment #8 From 2013-07-14 22:05:12 -------
Yes, on 3.9.9 it started working. On 3.9.8 it did not work.
------- Comment #9 From 2013-07-14 22:05:33 -------
Works on kernel 3.9.9.
------- Comment #10 From 2013-07-15 17:31:48 -------
And yet it does not work. It depends on the client.
Reproduces when the client is apt:
# apt-get update
Get:1 ftp://hpc1 x86_64 release [931B]
Err ftp://hpc1 x86_64 release
  Unable to fetch file, server said 'OOPS: priv_sock_get_cmd  '
Err ftp://hpc1 noarch release
  Server closed the connection
Get:1 ftp://hpc1 x86_64/classic pkglist
Err ftp://hpc1 x86_64/classic pkglist
  Unable to fetch file, server said 'Failed to open file.  '
Hit ftp://hpc1 x86_64/classic release
Get:2 ftp://hpc1 noarch/classic pkglist
Err ftp://hpc1 noarch/classic pkglist
  Unable to fetch file, server said 'Failed to open file.  '
Hit ftp://hpc1 noarch/classic release
Failed to fetch ftp://hpc1/Sisyphus/x86_64/base/release  Unable to fetch file,
server said 'OOPS: priv_sock_get_cmd  '
Failed to fetch ftp://hpc1/Sisyphus/noarch/base/release  Server closed the
connection
Failed to fetch ftp://hpc1/Sisyphus/x86_64/base/pkglist.classic  Unable to
fetch file, server said 'Failed to open file.  '
Failed to fetch ftp://hpc1/Sisyphus/noarch/base/pkglist.classic  Unable to
fetch file, server said 'Failed to open file.  '
Reading Package Lists... Done
Building Dependency Tree... Done
W: Release files for some repositories could not be retrieved or authenticated.
Such repositories are being ignored.
W: You may want to run apt-get update to correct these problems
E: Some index files failed to download, they have been ignored, or old ones
used instead.
------- Comment #11 From 2013-07-15 21:48:46 -------
*** Bug 29137 has been marked as a duplicate of this bug. ***
------- Comment #12 From 2013-07-15 21:52:06 -------
vsftpd-3.0.2-alt3 -> sisyphus:

* Mon Jul 15 2013 Dmitry V. Levin <ldv@altlinux> 3.0.2-alt3
- Enabled fcntl F_SETFL O_RDONLY|O_LARGEFILE in seccomp sandbox
  (closes: #27752).
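The following is an added example, not vsftpd's own sandbox code and not taken from this bug: a seccomp-bpf filter in C with the same shape as the fix in comment #12, allowing fcntl only as fcntl(fd, F_SETFL, O_RDONLY|O_LARGEFILE) and refusing every other fcntl. Two deliberate differences from a production sandbox make it useful for diagnosis: refused calls are answered with EPERM instead of SECCOMP_RET_KILL, so the caller sees an errno it can log (when a sandboxed child is killed mid-request, the privileged side's read of the next command fails, which is how a kill surfaces as "OOPS: priv_sock_get_cmd" in comments #10 and #13 rather than as a clear error), and the filter is installed in a forked child so the parent stays unsandboxed. The enum, the function names and the /dev/null probe are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
# define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
# error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Refuse a syscall with an errno instead of killing the process. */
#define RET_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Outcome codes of run_sandboxed_probe() (names assumed for this example). */
enum probe_result {
    PROBE_FILTER_BEHAVES = 0,      /* whitelisted fcntl passed, others got EPERM */
    PROBE_SECCOMP_UNAVAILABLE = 1, /* kernel rejected the filter (no seccomp-bpf) */
    PROBE_UNEXPECTED = 2,          /* filter installed but misbehaved */
    PROBE_CHILD_KILLED = 3         /* sandboxed child died from a signal */
};

/* Allow every syscall except fcntl; allow fcntl only as
 * fcntl(fd, F_SETFL, O_RDONLY|O_LARGEFILE), the pattern from comment #12. */
static int install_fcntl_filter(void)
{
    struct sock_filter filter[] = {
        /* Kill on a foreign ABI (e.g. 32-bit syscalls on a 64-bit kernel). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Anything that is not fcntl passes through. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fcntl, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* cmd (args[1], low 32 bits on little-endian) must be F_SETFL. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, F_SETFL, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, RET_EPERM),
        /* flags (args[2]) must be exactly O_RDONLY|O_LARGEFILE. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, O_RDONLY | O_LARGEFILE, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, RET_EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* An unprivileged process must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Runs inside the forked child: install the filter, then exercise fcntl. */
static int probe_in_child(void)
{
    int fd = open("/dev/null", O_RDONLY); /* constructed probe target */
    if (fd < 0)
        return PROBE_UNEXPECTED;
    if (install_fcntl_filter() != 0)
        return PROBE_SECCOMP_UNAVAILABLE;

    /* The whitelisted call must go through. */
    if (fcntl(fd, F_SETFL, O_RDONLY | O_LARGEFILE) != 0)
        return PROBE_UNEXPECTED;
    /* Same command, a flag outside the whitelist: must get EPERM. */
    errno = 0;
    if (fcntl(fd, F_SETFL, O_RDONLY | O_NONBLOCK) != -1 || errno != EPERM)
        return PROBE_UNEXPECTED;
    /* A different fcntl command: must get EPERM as well. */
    errno = 0;
    if (fcntl(fd, F_GETFL) != -1 || errno != EPERM)
        return PROBE_UNEXPECTED;
    return PROBE_FILTER_BEHAVES;
}

/* Fork so the filter applies only to a throwaway child; the parent learns
 * the outcome from the exit status and stays unsandboxed. */
int run_sandboxed_probe(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNEXPECTED;
    if (pid == 0)
        _exit(probe_in_child());
    if (waitpid(pid, &status, 0) != pid)
        return PROBE_UNEXPECTED;
    if (WIFSIGNALED(status))
        return PROBE_CHILD_KILLED;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *const text[] = {
        "fcntl whitelist behaves as designed",
        "seccomp-bpf is not available on this kernel",
        "filter installed but behaved unexpectedly",
        "sandboxed child was killed",
    };
    int r = run_sandboxed_probe();
    printf("%s\n", text[r]);
    return r == PROBE_FILTER_BEHAVES ? 0 : 1;
}
```

On a kernel without seccomp filter mode (it arrived in Linux 3.5) the PR_SET_SECCOMP call fails and the probe reports PROBE_SECCOMP_UNAVAILABLE instead of crashing. The filter compares only the low 32 bits of each argument, which is what offsetof(args[n]) addresses on little-endian x86_64 and aarch64; a production filter should also check the high word so that a flag value with high bits set cannot slip past the comparison.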
------- Comment #13 From 2016-05-20 00:13:42 -------
Still does not work:
lftp mirror
lftp mirror:~> ls
drwxr-sr-x    6 ftp      ftp          4096 May 19 05:45 ALTLinux
lftp mirror:/ALTLinux> cd Sisyphus/noarch/RPMS.classic/
lftp mirror:/ALTLinux/Sisyphus/noarch/RPMS.classic> ls
ls: Фатальная ошибка: 500 OOPS: priv_sock_get_cmd
------- Comment #14 From 2016-05-20 00:17:21 -------
If seccomp_sandbox=NO is added to the config, everything starts working.
uname -a
Linux 4.4.10-std-def-alt1 #1 SMP Thu May 12 10:46:51 UTC 2016 x86_64 GNU/Linux
------- Comment #15 From 2016-05-20 00:48:16 -------
(In reply to comment #13)
> Still does not work:
> lftp mirror
> lftp mirror:~> ls
> drwxr-sr-x    6 ftp      ftp          4096 May 19 05:45 ALTLinux
> lftp mirror:/ALTLinux> cd Sisyphus/noarch/RPMS.classic/
> lftp mirror:/ALTLinux/Sisyphus/noarch/RPMS.classic> ls
> ls: Фатальная ошибка: 500 OOPS: priv_sock_get_cmd

So far I have not been able to reproduce this.

(In reply to comment #14)
> If seccomp_sandbox=NO is added to the config, everything starts working.
> uname -a
> Linux 4.4.10-std-def-alt1 #1 SMP Thu May 12 10:46:51 UTC 2016 x86_64 GNU/Linux

Maybe the new kernel is the cause. That needs to be checked...