Login is not possible
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openSUSE | Fix Released | High | |
vsftpd (Ubuntu) | Fix Released | High | Unassigned |
Raring | Fix Released | High | Unassigned |
Bug Description
* Impact:
connecting to raring vsftpd servers doesn't work
* Test Case:
- install vsftpd on raring, configure the server, try to connect to it
* Regression potential:
the server was failing to accept connections before so should only be better
---
I'm using Ubuntu 13.04 dev with vsftpd 3.0.2-1ubuntu1. local_enable and write_enable are set to YES but I'm not able to login:
sworddragon@
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
/var/log/vsftpd.log contains:
Thu Mar 21 09:00:33 2013 [pid 2] CONNECT: Client "127.0.0.1"
Thu Mar 21 09:00:48 2013 [pid 1] [sworddragon] FAIL LOGIN: Client "127.0.0.1"
/var/log/auth.log has created a line for vsftpd too:
Mar 21 12:18:29 localhost vsftpd: PAM audit_log_
Related branches
- Sebastien Bacher: Approve
- Ubuntu branches: Pending requested
Diff: 64 lines (+44/-0), 3 files modified
debian/changelog (+8/-0)
debian/patches/13-disable-clone-newpid.patch (+35/-0)
debian/patches/series (+1/-0)
In Novell/SUSE Bugzilla #786024, Suse-beta (suse-beta) wrote : | #51 |
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #52 |
Sounds reasonable, so maintenance team, I'd like to do maintenance update to vsftpd 3.0.2 in 12.2.
Changelog says it's a bugfix release, so I think it's safe to do
In Novell/SUSE Bugzilla #786024, Bbrunner-u (bbrunner-u) wrote : | #53 |
Michal could you do a maintenancerequest with the fixed package for 12.2 and submit it to factory too, please?
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #54 |
ok
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #55 |
12.2: 138997
factory: 138998
In Novell/SUSE Bugzilla #786024, Bwiedemann (bwiedemann) wrote : | #56 |
This is an autogenerated message for OBS integration:
This bug (786024) was mentioned in
https:/
In Novell/SUSE Bugzilla #786024, Swamp-a (swamp-a) wrote : | #57 |
openSUSE-
Category: recommended (low)
Bug References: 786024
CVE References:
Sources used:
openSUSE 12.2 (src): vsftpd-3.0.2-3.4.1
In Novell/SUSE Bugzilla #786024, Suse-beta (suse-beta) wrote : | #58 |
I have good and bad news.
- good news: it works on 12.2
- bad news: I still get the same error on current factory (unmodified vsftpd.conf as shipped in the rpm)
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #59 |
*** Bug 801871 has been marked as a duplicate of this bug. ***
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #60 |
Changed the product to appear on a list of 12.3 bugs ...
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #61 |
It seems there is some race - when I've added vfs_cmdio_write into the code to find the location, where it happens, the priv_sock_get_cmd disappeared. So still under investigation.
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #62 |
Well, I suspect the pam subsystem tries to open /dev/log. When I add the socket(PF_FILE) into the whitelist, vsftpd seems to work. However I've got another issue with pam (this is valid even if seccomp_sandbox is disabled).
2013-02-
2013-02-
2013-02-
2013-02-
@thorsen: I would say both CAP_AUDIT_* are needed for vsftpd. I'm right?
In Novell/SUSE Bugzilla #786024, Kukuk-g (kukuk-g) wrote : | #63 |
(In reply to comment #11)
> Well, I suspect the pam subsystem try to open a /dev/log.
PAM calls syslog(), which I assume opens /dev/log.
> 2013-02-
> authentication failure; logname= uid=0 euid=0 tty=ftp ruser=mvyskocil rhost=::1
> user=mvyskocil
> 2013-02-
> authentication success; logname= uid=0 euid=0 tty=ftp ruser=mvyskocil rhost=::1
> user=mvyskocil
> 2013-02-
> audit_log_
> 2013-02-
> Client "::1"
>
> @thorsen: I would say both CAP_AUDIT_* are needed for vsftpd. I'm right?
I have no idea about CAP_AUDIT_*, but PAM is using the audit subsystem for logging.
In Novell/SUSE Bugzilla #786024, Suse-beta (suse-beta) wrote : | #64 |
(In reply to comment #11)
> @thorsen: I would say both CAP_AUDIT_* are needed for vsftpd. I'm right?
Just ask AppArmor, your friendly permission inventory software (and, side effect, it secures your server ;-)
This is what I have in my AppArmor profile for vsftpd:
capability audit_write,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
Note: sys_admin might be a leftover from older versions and might no longer be needed - IIRC in the past audit_write was a part of sys_admin.
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #65 |
@cboltz: thanks, I'll patch vsftpd to keep CAP_AUDIT_WRITE then.
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #66 |
It still prints the same error - I've patched vsftpd to set CAP_AUDIT_WRITE (and CAP_AUDIT_CONTROL) before pam auth session, but the fail remains the same.
11256 16:38:08.161851 capget(
11256 16:38:08.161911 capset(
11256 16:38:08.161964 getppid() = 0
and later on ...
11256 16:38:08.188437 sendto(5, "<82>Feb 27 16:38:08 vsftpd[1]: PAM audit_log_
I've verified this behaves same for local users as well, so not connected with pam_sss.
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #67 |
Created an attachment (id=527476)
strace output of vsftpd
This is the full strace output, but I was not able to realize which syscall triggered the audit error. Note that process calls capset for CAP_AUDIT_WRITE (+ _CONTROL, which shall not be needed). I would not say there are no more capabilities to try.
This is a part relevant starting with what audit_init do
7462 14:01:23.677346 socket(PF_NETLINK, SOCK_RAW, 9) = 4
7462 14:01:23.677412 fcntl(4, F_SETFD, FD_CLOEXEC) = 0
7462 14:01:23.677463 socket(PF_NETLINK, SOCK_RAW, 0) = 5
7462 14:01:23.677499 bind(5, {sa_family=
7462 14:01:23.677541 getsockname(5, {sa_family=
7462 14:01:23.677583 sendto(5, "\24\0\
7462 14:01:23.677634 recvmsg(5, {msg_name(
7462 14:01:23.677687 recvmsg(5, {msg_name(
7462 14:01:23.677730 recvmsg(5, {msg_name(
7462 14:01:23.677769 socket(PF_FILE, SOCK_STREAM|
7462 14:01:23.677804 connect(6, {sa_family=AF_FILE, sun_path=
7462 14:01:23.677847 sendto(6, "\2\0\0\
7462 14:01:23.677882 poll([{fd=6, events=
7462 14:01:23.677936 recvmsg(6, {msg_name(0)=NULL, msg_iov(
7462 14:01:23.678022 mmap(NULL, 217032, PROT_READ, MAP_SHARED, 7, 0) = 0x7fc3b1cf7000
7462 14:01:23.678113 close(7) = 0
7462 14:01:23.678169 close(6) = 0
7462 14:01:23.678252 close(5) = 0
7462 14:01:23.678388 readlink(
7462 14:01:23.678541 sendto(4, "\204\0\
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #68 |
@tonyj: can you check the strace output and find why the pam returns such error? The Linux-PAM-
rc = audit_log_
(retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
-1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
/* libaudit sets errno to his own negative error code. This can be
an official errno number, but must not. It can also be a audit
internal error code. Which makes errno useless :-((. Try the
best to fix it. */
errno = -rc;
pamh->audit_state |= PAMAUDIT_LOGGED;
if (rc < 0) {
if (rc == -EPERM && getuid() != 0)
return 0;
if (errno != old_errno) {
old_errno = errno;
}
}
return rc;
so audit_log_
In Novell/SUSE Bugzilla #786024, Bwiedemann (bwiedemann) wrote : | #69 |
This is an autogenerated message for OBS integration:
This bug (786024) was mentioned in
https:/
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #70 |
*** Bug 806758 has been marked as a duplicate of this bug. ***
In Novell/SUSE Bugzilla #786024, Tonyj-2 (tonyj-2) wrote : | #71 |
I need to get this string data in a format that's easier to understand. The \230 part is a netlink header but "strace -xx" format would be much easier for me to decipher.
7462 14:01:23.678654 recvfrom(4,
"\230\0\
acct=\"test\" exe=\"/
terminal=ftp res=success\0", 8988, MSG_PEEK|
{sa_family=
7462 14:01:23.678709 recvfrom(4,
"\230\0\
acct=\"test\" exe=\"/
terminal=ftp res=success\0", 8988, MSG_DONTWAIT, {sa_family=
groups=00000000}, [12]) = 152
In Novell/SUSE Bugzilla #786024, Tonyj-2 (tonyj-2) wrote : | #72 |
\230\0\0\0 is the nlmsghdr.nlmsg_len
\2\0 is nlmsghdr.nlmsg_type == NLMSG_ERROR
it would be easier to decipher the rest in hex.
In Novell/SUSE Bugzilla #786024, Tonyj-2 (tonyj-2) wrote : | #73 |
(In reply to comment #17)
> @tonyj: can you check the strace output and find why the pam returns such
> error? The Linux-PAM-
>
> rc = audit_log_
> (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
> -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
>
> /* libaudit sets errno to his own negative error code. This can be
> an official errno number, but must not. It can also be a audit
> internal error code. Which makes errno useless :-((. Try the
> best to fix it. */
> errno = -rc;
>
> pamh->audit_state |= PAMAUDIT_LOGGED;
>
> if (rc < 0) {
> if (rc == -EPERM && getuid() != 0)
> return 0;
> if (errno != old_errno) {
> old_errno = errno;
> pam_syslog (pamh, LOG_CRIT, "audit_
> }
> }
> return rc;
>
> so audit_log_
The code in audit (lib/netlink.
/* NLMSG_ERROR can indicate success, only report nonzero */
if (rep.error->error) {
Based on the strace log, rep.error->error is -1 which should be what is returned back to PAM.
Is there anything informative in the kernel or audit logs? Otherwise can you give me a quick tutorial on how to setup to reproduce as I'll have to debug the library.
Thanks!
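The decoding steps from the comments above (the nlmsg_len and NLMSG_ERROR header fields, then rep.error->error, then the PAM branch on -EPERM and getuid()), as an added example that is not code from the thread, libaudit or Linux-PAM. The two sample strings are constructed because the thread's captures are cut off, little-endian byte order is assumed, and pam_audit_result is a hypothetical restatement of the quoted PAM snippet.

```python
import errno
import re
import struct

# One token of a strace-quoted string: \xHH (strace -xx), \ooo (default octal
# form, 1-3 digits), a single-character escape, or a literal character.
_TOKEN = re.compile(r'\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})|\\(.)|(.)', re.S)
_SIMPLE = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, '"': 34, "\\": 92}

NLMSG_ERROR = 2                       # nlmsg_type value named in the thread
NLMSGHDR = struct.Struct("<IHHII")    # len, type, flags, seq, pid (little-endian)
NLMSGERR_CODE = struct.Struct("<i")   # nlmsgerr.error: a negative errno, or 0


def unescape_strace(text):
    """Turn the text between strace's double quotes back into bytes."""
    out = bytearray()
    for hexd, octd, simple, literal in _TOKEN.findall(text):
        if hexd:
            out.append(int(hexd, 16))
        elif octd:
            value = int(octd, 8)
            if value > 0xFF:
                raise ValueError("octal escape out of range: \\" + octd)
            out.append(value)
        elif simple:
            if simple not in _SIMPLE:
                raise ValueError("unknown escape: \\" + simple)
            out.append(_SIMPLE[simple])
        elif literal == "\\":
            break                     # dangling backslash: capture cut mid-escape
        else:
            out += literal.encode("latin-1")
    return bytes(out)


def decode_netlink_reply(text):
    """Decode the leading nlmsghdr (and nlmsgerr, if present) of a capture."""
    raw = unescape_strace(text)
    if len(raw) < NLMSGHDR.size:
        raise ValueError("capture is shorter than one nlmsghdr (16 bytes)")
    length, mtype, flags, seq, pid = NLMSGHDR.unpack_from(raw, 0)
    info = {"len": length, "type": mtype, "flags": flags, "seq": seq,
            "pid": pid, "captured": len(raw), "truncated": len(raw) < length}
    off = NLMSGHDR.size
    if mtype == NLMSG_ERROR and len(raw) >= off + NLMSGERR_CODE.size:
        (code,) = NLMSGERR_CODE.unpack_from(raw, off)
        info["error"] = code
        # NLMSG_ERROR with error == 0 is an ACK (see the libaudit comment
        # quoted in the thread); only a nonzero value is a failure.
        info["errno_name"] = errno.errorcode.get(-code, "?") if code else None
        off += NLMSGERR_CODE.size
        if len(raw) >= off + NLMSGHDR.size:
            # The kernel echoes the header of the request it is answering.
            info["request_len"], info["request_type"] = struct.unpack_from(
                "<IH", raw, off)
    return info


def pam_audit_result(rc, uid):
    """The branch from the PAM snippet quoted in the thread, restated."""
    if rc < 0 and rc == -errno.EPERM and uid != 0:
        return 0        # EPERM from audit is ignored for non-root callers
    return rc           # a root caller (getuid() = 0 in the traces) sees rc


# Constructed samples, not the thread's captures. Only the lengths and the
# error value follow the thread: reply/request of 152/132 bytes in the octal
# trace and 140/120 in the -xx trace, with error == -1.
OCTAL_SAMPLE = (r'\230\0\0\0\2\0\0\0\3\0\0\0&\35\0\0\377\377\377\377'
                r'\204\0\0\0L\4\5\0\3\0\0\0\0\0\0\0')
HEX_SAMPLE = (r'\x8c\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\xfe\x19\x00\x00'
              r'\xff\xff\xff\xff\x78\x00\x00\x00\x4c\x04\x05\x00'
              r'\x03\x00\x00\x00\x00\x00\x00\x00')

if __name__ == "__main__":
    for name, sample in (("octal", OCTAL_SAMPLE), ("hex", HEX_SAMPLE)):
        reply = decode_netlink_reply(sample)
        print(name, reply)
        print("  PAM result as uid 0:", pam_audit_result(reply["error"], 0))
```

Both samples carry fewer bytes than nlmsg_len announces, which is what a default strace capture looks like; the decoder reports that as truncated instead of failing.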
In Novell/SUSE Bugzilla #786024, O-nicolas (o-nicolas) wrote : | #74 |
(In reply to comment #20)
> I need to get this string data in a format that's easier to understand. The
> \230 part is a netlink header but "strace -xx" format would be much easier for
> me to decipher.
strace -xx output
[pid 6654] close(6) = 0
[pid 6654] close(5) = 0
[pid 6654] readlink(
[pid 6654] sendto(4, "\x78\x00\
[pid 6654] poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}])
[pid 6654] recvfrom(4, "\x8c\x00\
[pid 6654] recvfrom(4, "\x8c\x00\
[pid 6654] getuid() = 0
[pid 6654] getuid() = 0
[pid 6654] socket(PF_FILE, SOCK_DGRAM|
[pid 6654] connect(5, {sa_family=AF_FILE, sun_path=
[pid 6654] sendto(5, "\x3c\x38\
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #75 |
> Is there anything informative in the kernel or audit logs? Otherwise can you
> give me a quick tutorial on how to setup to reproduce as I'll have to debug the
> library.
Hi, I don't see anything useful in system log
2013-03-
2013-03-
2013-03-
2013-03-
2013-03-
2013-03-
and dmesg seems to be full of wlan0 related things only.
Steps to reproduce
1.) install 12.3 RC2
2.) zypper install vsftpd
3.) useradd test
4.) echo "test" | passwd test
5.) systemctl start vsftpd.service
6.) ftp ftp://test:
BTW: you might get a OOPS: priv_sock_get_cmd, in this case please add
Workaround: add seccomp_sandbox=NO to vsftpd.conf
It has been fixed, just I am not sure if it appear in RC2
In Novell/SUSE Bugzilla #786024, Bwiedemann (bwiedemann) wrote : | #76 |
This is an autogenerated message for OBS integration:
This bug (786024) was mentioned in
https:/
In Novell/SUSE Bugzilla #786024, Tonyj-2 (tonyj-2) wrote : | #77 |
(In reply to comment #24)
> Steps to reproduce
> 1.) install 12.3 RC2
> 2.) zypper install vsftpd
> 3.) useradd test
> 4.) echo "test" | passwd test
> 5.) systemctl start vsftpd.service
> 6.) ftp ftp://test:
>
> BTW: you might get a OOPS: priv_sock_get_cmd, in this case please add
>
> Workaround: add seccomp_sandbox=NO to vsftpd.conf
>
> It has been fixed, just I am not sure if it appear in RC2
Thanks, I can reproduce, but I don't have an answer yet.
It's odd as
- 'auditctl -m' is working fine, this calls audit_send_
- su succeeds, here PAM is calling audit_log_
su:
in audit_log_
return is 6
vsftp:
in audit_log_
return is -1
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #78 |
*** Bug 809858 has been marked as a duplicate of this bug. ***
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #79 |
@tonyj: would you say the audit=0 on a commandline can work-around it?
In Novell/SUSE Bugzilla #786024, Cristian Rodríguez (crrodriguez) wrote : | #80 |
*** Bug 811324 has been marked as a duplicate of this bug. ***
Serge Hallyn (serge-hallyn) wrote : | #1 |
Thanks for reporting this bug. I can't reproduce this on a new raring system. Could you please paste your entire /etc/vsftpd.conf and your /etc/pam.d/vsftpd file and any files it @includes?
Changed in vsftpd (Ubuntu): | |
status: | New → Incomplete |
importance: | Undecided → High |
Removed by request (removed3425744) wrote : | #2 |
Removed by request (removed3425744) wrote : | #3 |
Removed by request (removed3425744) wrote : | #4 |
Removed by request (removed3425744) wrote : | #5 |
Removed by request (removed3425744) wrote : | #6 |
Changed in vsftpd (Ubuntu): | |
status: | Incomplete → New |
In Novell/SUSE Bugzilla #786024, Cjgunzel (cjgunzel) wrote : | #81 |
When attempting to start vsftpd in system services of YaST a message is returned that network-remotefs service is required. It appears vsftpd is started because port 21 is open from a remote machine but it is not possible to connect to the server.
A Linux server with no working FTP server is a real black eye!
In Novell/SUSE Bugzilla #786024, Cjgunzel (cjgunzel) wrote : | #82 |
P.S. I'm using 12.3 released version, 64 bit. This is no longer a development version issue.
In Novell/SUSE Bugzilla #786024, Johanp (johanp) wrote : | #83 |
(In reply to comment #30)
> A Linux server with no working FTP server is a real black eye!
Until this is fixed an easy workaround for this "black-eye" is to use pure-ftpd instead which works just fine and is functional equivalent in (almost) all practical sense to vsftpd
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #84 |
changed summary to match the current problem
In Novell/SUSE Bugzilla #786024, Itheodoridis (itheodoridis) wrote : | #85 |
I am facing the same problem with OpenSuSE 12.3 64bit, network install.
Pure-ftpd is reported (OpenSuSE forums) to work only if pam authentication is disabled (and local authentication enabled) in the pure-ftpd configuration.
In Novell/SUSE Bugzilla #786024, Johanp (johanp) wrote : | #86 |
(In reply to comment #35)
> Pure-ftpd is reported (OpenSuSE forums) to work only if pam authentication is
> disabled (and local authentication enabled) in the pure-ftpd configuration.
Strange, I'm using pure-ftpd (SuSE 12.3) with configuration
PAMAuthentication yes
and this works just fine (but vsftpd does not).
In Novell/SUSE Bugzilla #786024, Itheodoridis (itheodoridis) wrote : | #87 |
When I tried it personally, it refused to start. I will check one more time and repost.
Launchpad Janitor (janitor) wrote : | #7 |
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in vsftpd (Ubuntu): | |
status: | New → Confirmed |
Lenar (lenar) wrote : | #8 |
After upgrade from quantal to current raring I have the same problem too.
In Novell/SUSE Bugzilla #786024, Tonyj-2 (tonyj-2) wrote : | #88 |
Ubuntu bug on this also: https:/
The issue is occurring because it seems vsftp has changed its pid namespace.
Probably from sysdeputil.
"syscall(
There is a specific prohibition in the kernel on this:
-------
commit 34e36d8ecbd958b
Author: Eric W. Biederman <email address hidden>
Date: Mon Sep 10 23:20:20 2012 -0700
audit: Limit audit requests to processes in the initial pid and user namespaces.
This allows the code to safely make the assumption that all of the
uids gids and pids that need to be send in audit messages are in the
initial namespaces.
If someone cares we may lift this restriction someday but start with
limiting access so at least the code is always correct.
-------
Regarding audit=0. I imagine it would solve the issue, rather extreme. Also if I boot with audit=0 then client side ftp fails with "500 OOPS: priv_sock_get_cmd" (seccomp_sandbox=NO in /etc/vsftpd.conf).
Can you verify if the above vsftp codepath is indeed being executed and see what happens if VSF_SYSDEP_
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #89 |
vsftpd calls CLONE_NEWPID on SUSE - it is visible in #comment11 (see vsftpd[1]).
> Also if I boot with audit=0 then client side ftp fails with "500 OOPS:
> priv_sock_get_cmd" (seccomp_sandbox=NO in /etc/vsftpd.conf).
This does not make any sense to me. This bug is related to enabled seccomp sandbox, but it was fixed before 12.3 release. I'll test that.
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #90 |
> Can you verify if the above vsftp codepath is indeed being executed and see
> what happens if VSF_SYSDEP_
With a traditional fork pam session can be opened, however next test - an attempt to download the file dies on a seccomp sandbox. The same applies for a clone w/o NEW_PID, where an audit error is different. I will track this in another bug to not pollute this one with third issue.
lowering a priority of this issue, patch is in home:mvyskocil:
https:/
In Novell/SUSE Bugzilla #786024, Edu-rm-85 (edu-rm-85) wrote : | #91 |
Well, I have a question now.
Will the system be updated to run VSFTPD correctly or I have to apply the patch manually?
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #92 |
(In reply to comment #41)
> Well, I have a question now.
>
> Will the system be updated to run VSFTPD correctly or I have to apply the patch
> manually?
There will be a maintenance update, once all issues will be resolved.
Seth Arnold (seth-arnold) wrote : | #9 |
A pal spotted this bug report and suggests "[this] is caused by vsftp switching pid namespaces (audit kernel code prohibits)". Hope this helps.
In Novell/SUSE Bugzilla #786024, Bwiedemann (bwiedemann) wrote : | #93 |
This is an autogenerated message for OBS integration:
This bug (786024) was mentioned in
https:/
In Novell/SUSE Bugzilla #786024, Bwiedemann (bwiedemann) wrote : | #94 |
This is an autogenerated message for OBS integration:
This bug (786024) was mentioned in
https:/
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #95 |
Sent an update to 12.3 via 162608
@maintenance, please open a new maintenance incident
In Novell/SUSE Bugzilla #786024, Meissner-i (meissner-i) wrote : | #96 |
accepted
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #97 |
Hi all,
I see that the update is accepted but not yet released.
Is there an ETA on the update?
Perhaps a testing repo for the update to see if it works?
Cheers,
Angelos
In Novell/SUSE Bugzilla #786024, Meissner-i (meissner-i) wrote : | #98 |
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #99 |
Thanks Markus,
I installed the test-update repository and vsftp from there.
I get the following error:
ftp ftp://test:
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 Welcome message
331 Please specify the password.
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
ftp: Login failed.
ftp: Can't connect or login to host `localhost'
500 OOPS: priv_sock_get_cmd
Any ideas?
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #100 |
Update:
I flushed everything from my server, even the yast-ftp module.
Then I installed vsftp from test-update and it works.
Now I am having issue with Extended Passive Mode that seems to be enabled by default.
I reinstalled yast-ftp module and I get the 500 error as above.
Jingwei Zhang (iceboal) wrote : | #10 |
I have the same problem too. Both anonymous user and local user are unable to login.
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #101 |
Update2:
I flushed again everything but did not manage to get it working again.
The log message when I run "service vsftpd status" shows login success, but the client reports error 500 and closes connection.
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #102 |
(In reply to comment #37)
> When I tried it personally, it refused to start. I will check one more time and
> repost.
Hi Ioannis,
Any updates on that? Did you manage to make it work with pure-ftp?
I am having the same problem: pure-ftp refuses to start. I upgraded from 12.2. Did you upgrade too or was it a clean install?
In Novell/SUSE Bugzilla #786024, Itheodoridis (itheodoridis) wrote : | #103 |
(In reply to comment #52)
> (In reply to comment #37)
> > When I tried it personally, it refused to start. I will check one more time and
> > repost.
>
> Hi Ioannis,
>
> Any updates on that? Did you manage to make it work with pure-ftp?
> I am having the same problem: pure-ftp refuses to start. I upgraded from 12.2.
> Did you upgrade too or was it a clean install?
Hello Angelos :)
Yes I tried again, it needs to start through xinetd or it will not start on its own (standalone). I can't say I like it, but I will live until we get the official update for vsftpd through official repos, which I am waiting for very patiently...
Let's hope it doesn't take forever..
Guys the limitations of open source are showing in this case.. I know it's unfair, but the reaction I am getting in my enterprise is surprise and disappointment. We are definitely not winning over any business people like that.
Personally, I am keeping a low profile till this is resolved.
In Novell/SUSE Bugzilla #786024, Swamp-a (swamp-a) wrote : | #104 |
openSUSE-
Category: recommended (moderate)
Bug References: 786024,812406
CVE References:
Sources used:
openSUSE 12.3 (src): vsftpd-3.0.2-4.5.1
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #105 |
Unfortunately the update did not work for me.
I still get the "500 OOPS: priv_sock_get_cmd" error.
Disabling seccomp sandbox is not working for me either...
MoiZie (moizie) wrote : | #11 |
Same problem. Anonymous works though! Reinstalled entire system twice (quantal) and upgraded (do-release-upgrade -d) to raring. Bug occurred both times.
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #106 |
(In reply to comment #55)
> Unfortunately the update did not work for me.
> I still get the "500 OOPS: priv_sock_get_cmd" error.
> Disabling seccomp sandbox is not working for me either...
Well, without providing any more information I cannot help you much. Would you be so kind to open a new bug?
I would need to explain
what you are trying to do - do you see that with (non)-anonymous download? What does your vsftpd.conf look like? Does grep 'vsftpd' /var/log/messages say anything useful?
BTW: the output of strace -tt -s 512 of vsftpd daemon.
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #107 |
Created an attachment (id=535776)
configuration file that fails
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #108 |
Hi Michal,
Thanks for the reply. I have switched to sftp to bypass this issue.
Here is the info you asked:
# ftp ftp://ueser:
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220 Welcome message
331 Please specify the password.
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
ftp: Login failed.
ftp: Can't connect or login to host `localhost'
500 OOPS: priv_sock_get_cmd
# grep 'vsftpd' /var/log/messages
Apr 18 12:38:49 aiolos xinetd[23286]: Reading included configuration file: /etc/xinetd.
Apr 18 12:39:03 aiolos xinetd[23660]: Reading included configuration file: /etc/xinetd.
Thanks,
Angelos
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #109 |
And the strace:
# strace -p 23677 -tt -s 512
Process 23677 attached
12:51:03.048164 accept(3, {sa_family=AF_INET, sin_port=
12:51:12.678545 clone(child_
12:51:12.678783 close(4) = 0
12:51:12.678855 accept(3, 0x7fffba89a3a0, [28]) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
12:51:16.044845 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=23929, si_status=2, si_utime=0, si_stime=0} ---
12:51:16.044914 alarm(1) = 0
12:51:16.044968 rt_sigreturn() = -1 EINTR (Interrupted system call)
12:51:16.045047 alarm(0) = 1
12:51:16.045095 wait4(-1, NULL, WNOHANG, NULL) = 23929
12:51:16.045173 wait4(-1, NULL, WNOHANG, NULL) = -1 ECHILD (No child processes)
12:51:16.045224 accept(3, {sa_family=AF_INET, sin_port=
12:51:16.083371 clone(child_
12:51:16.083620 close(4) = 0
12:51:16.083690 accept(3, 0x7fffba89a3a0, [28]) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
12:51:25.264770 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=23936, si_status=2, si_utime=0, si_stime=0} ---
12:51:25.264834 alarm(1) = 0
12:51:25.264882 rt_sigreturn() = -1 EINTR (Interrupted system call)
12:51:25.264936 alarm(0) = 1
12:51:25.264977 wait4(-1, NULL, WNOHANG, NULL) = 23936
12:51:25.265053 wait4(-1, NULL, WNOHANG, NULL) = -1 ECHILD (No child processes)
12:51:25.265099 accept(3, {sa_family=AF_INET, sin_port=
12:51:25.302455 clone(child_
12:51:25.302684 close(4) = 0
12:51:25.302754 accept(3, ^CProcess 23677 detached
<detached ...>
In Novell/SUSE Bugzilla #786024, Suse+build (suse+build) wrote : | #110 |
(In reply to comment #58)
> Hi Michal,
>
> Thanks for the reply. I have switched to sftp to bypass this issue.
> Here is the info you asked:
>
> # ftp ftp://ueser:
> Trying ::1...
> ftp: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> 220 Welcome message
> 331 Please specify the password.
> 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
> ftp: Login failed.
> ftp: Can't connect or login to host `localhost'
> 500 OOPS: priv_sock_get_cmd
Add
allow_
to the bottom of your /etc/vsftpd.conf file.
In Novell/SUSE Bugzilla #786024, Tzotsos (tzotsos) wrote : | #111 |
Thanks, it is working locally now.
I still cannot access from remote location (error while changing to /home/user)
Looking into it.
Thanks,
Angelos
In Novell/SUSE Bugzilla #786024, Cjgunzel (cjgunzel) wrote : | #112 |
My story:
I've done several installs of 12.3. My latest, I tried when installed to start vsftpd from YaST. It would not start, as usual, with the message that for run levels 3, 5, network-remotefs had to be installed (we all know by now there is no run level 3 or 5 with systemd ??) I tried again a couple of days ago...same thing. I keep installing all the updates so decided last night to attempt to start vsftpd again from YaST only to discover it was running! I was able to connect from another machine! I don't know which fix did it but it seems to have healed itself in some of the updates that have been released.
Many thanks to the team working on this (and other) issues. If we get these basic things working 12.3 has potential to be the best since 11.4. KDE4.10.2 is VERY nice! Awesome!
Oyvind Eriksen (i-oyvind) wrote : | #12 |
Same here. Please fix!
Samir L. Boulema (sboulema-t) wrote : | #13 |
I am also affected by this bug after upgrading to 13.04 :(
Jabawok (spammermattic2000) wrote : | #14 |
Me too, 13.04 upgrade has caused vsftp to stop working with precisely the same symptoms:
auth.log:
Apr 26 10:36:29 ftpserv vsftpd: PAM audit_log_
Tofan Sergiu (tofansergiu) wrote : | #15 |
Same here :(
TommieL (tool-n) wrote : | #16 |
I have serious problem because of this bug!
PAM unable to dlopen(
PAM adding faulty module: pam_ecryptfs.so
pam_unix(
pam_unix(
pam_winbind(
pam_winbind(
PAM audit_log_
dyna (ubuntu-dyna) wrote : | #17 |
Same here, seems to be a kernel issue. It still works with 3.5.x kernel.
Jürgen Kreileder (jk) wrote : | #18 |
SuSE's fix is here https:/
I just rebuilt 3.0.2-1ubuntu1 with their patch, vsftpd works fine now.
Allen Crider (software-eng) wrote : | #19 |
I began experiencing this problem after upgrading to Kubuntu 13.04 (from 12.10) yesterday. For now, I have removed vsftpd and installed pure-ftpd. That is working fine for my needs at the moment.
Dobz (dobz) wrote : | #20 |
Exact same issue after upgrading from 12.10 to 13.04, vsftpd is now unusable.
Oyvind Eriksen (i-oyvind) wrote : | #21 |
Can confirm what Jürgen Kreileder (jk) said in comment #18.
Building vsftpd 3.0.2-1ubuntu1 with the changes in vsftpd-
I basically used this guide if anyone else want to try: http://
Oyvind Eriksen (i-oyvind) wrote : | #22 |
And I tried with a fresh install so it isn't just upgrades that are affected (ref comment #1).
Zane Zakraisek (doublezane) wrote : | #23 |
Same issue. Made school very difficult today when my paper was due and I could log in. hahaha. Please fix!!
description: | updated |
Morlok8k (aoa-supercool) wrote : | #24 |
the open suse link referred to above:
https:/
links to these:
https:/
https:/
Vincent DAVY (vincentdavy) wrote : | #25 |
- vsftpd_3.0.2-1ubuntu1_amd64_patched.deb (119.5 KiB, application/x-debian-package)
Hi all,
I compiled the vsftpd package
Vincent DAVY (vincentdavy) wrote : | #26 |
- vsftpd_3.0.2-1ubuntu1_i386_patched.deb (122.8 KiB, application/x-debian-package)
Here is the patched vsftpd version in 32bits arch.
Vincent DAVY (vincentdavy) wrote : | #27 |
Hi all,
Previous messages were sent too fast and I didn't find a way to remove them.
I posted the patched version of vsftpd in both 34 and 32 bits arch : please feel free to download.
Don't forget to remove the previous installed version on your system or dpkg will tell you that the package is already installed :
sudo apt-get remove vsftpd
sudo dpkg -i vsftpd_patched.deb
That's all, and it doesn't remove config files.
If you prefer to compile your own version, here is the procedure :
mkdir vsftpd-patched
cd vsftpd-patched
sudo apt-get build-dep vsftpd
sudo apt-get install fakeroot
apt-get source vsftpd
--> Go on https:/
patch -p0 < vsftpd-
cd vsftpd-3.0.2/
dpkg-buildpackage -us -uc -nc
cd ../
You'll get the compiled .deb in the directory.
Remove previous installed version of vsftpd on your system and install the brand new patched one.
sudo apt-get remove vsftpd
sudo dpkg -i vsftpd_patched.deb
You can remove the directory where you built the package after installation.
Vincent DAVY (vincentdavy) wrote : | #28 |
Note : you need to build on a 64 bits arch to get a 64bits version of the package and a 32 bits arch for 32bits one.
I used VM for this.
Morlok8k (aoa-supercool) wrote : | #29 |
I've tested Vincents 64bit patch. Confirmed fixed.
Guidouil (guidouil) wrote : | #30 |
Same here on a 64bits server install. Thanks Vincent
Robert Navarro (crshman) wrote : | #31 |
Thanks that patch worked for me too!
Alan Tello Oyola (alan-tello) wrote : | #32 |
Thank you very much Vincent, worked for me, saved my life :D
Test 64 patch.
Jefferson (jgmdev) wrote : | #33 |
Also confirming that Vincent DAVY patched vsftpd package fixes the issue.
We need a newer vsftpd on the repository as soon as possible, who knows how many people are having the same problem but haven't found this bug report, I struggled until I found this.
Phil Mundy (p-p-mundy) wrote : | #34 |
I just lost hair over non responsive vsftpd on freshly updated 1304 server till I came here too.
I was having trouble with my ssh setup so I thought I'd do a quick install of ftp to transfer some keys .. LOL how wrong I was...
affects: | vsftpd (openSUSE) → opensuse |
Changed in opensuse: | |
importance: | Undecided → Unknown |
status: | New → Unknown |
GrayBear (bearcode2) wrote : | #35 |
Probably everyone who had the unfortunate idea to upgrade to ubuntu 13.04 in the recent days can't use vsftpd anymore.
First I get the error "ubuntu vsftpd: PAM unable to dlopen(
and then "ubuntu vsftpd: PAM audit_log_
details here: http://
Frealgagu2 (frealgagu-0) wrote : | #36 |
Excuse me, how can I use the patch (#18)?
How can I compile it?
Thanks for response.
Malcolm_C (malcolm-c) wrote : | #37 |
Confirm that the version in #25 is working for me too, many thanks!
Zach Collier (zachmcollier) wrote : | #38 |
Confirmed that version in #26 is working in Lubuntu 13.04.
Thanks Vincent!
Changed in vsftpd (Ubuntu): | |
status: | Confirmed → In Progress |
Sebastien Bacher (seb128) wrote : | #39 |
Ok, I've sponsored the proposed fix to saucy and raring and updated the bug a bit to be SRU compliant (https:/
Changed in vsftpd (Ubuntu Raring): | |
importance: | Undecided → High |
status: | New → In Progress |
Changed in vsftpd (Ubuntu): | |
status: | In Progress → Fix Committed |
description: | updated |
Launchpad Janitor (janitor) wrote : | #40 |
This bug was fixed in the package vsftpd - 3.0.2-1ubuntu2
---------------
vsftpd (3.0.2-1ubuntu2) saucy; urgency=low
* debian/
- patch to remove CLONE_NEWPID syscall
see: https:/
Fixes LP: #1160372
-- Daniel Llewellyn (Bang Communications) <email address hidden> Wed, 08 May 2013 14:08:53 +0100
Changed in vsftpd (Ubuntu): | |
status: | Fix Committed → Fix Released |
Brian Murray (brian-murray) wrote : Please test proposed package | #41 |
Hello Sworddragon, or anyone else affected,
Accepted vsftpd into raring-proposed. The package will build now and be available at http://
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in vsftpd (Ubuntu Raring): | |
status: | In Progress → Fix Committed |
tags: | added: verification-needed |
Morlok8k (aoa-supercool) wrote : | #42 |
vsftpd (3.0.2-1ubuntu1.1) has fixed the issue. tested on 64bit ubuntu 13.04
tags: |
added: verification-done removed: verification-needed |
Pascal Fares (pfares) wrote : | #43 |
Hello, when it will be available? Still not working for me
Pascal Fares (pfares) wrote : | #44 |
Must we install the zip or the package will be available?
Changed in vsftpd (Ubuntu Raring): | |
status: | Fix Committed → Fix Released |
maxp (maxp) wrote : | #45 |
Please let me know how to install fixed binary on Ubuntu 13.04 x64?
Or where to download patched binary?
Robie Basak (racb) wrote : | #46 |
@Pascal
This update is in -proposed, and is not yet released. I expect that the SRU team will release it soon after the minimum aging period of 7 days.
For early access to the proposed fix, please see https:/
Changed in vsftpd (Ubuntu Raring): | |
status: | Fix Released → Fix Committed |
Dwain Blazej (dwain-blazej) wrote : | #47 |
Upgrading from 32bit 3.0.2-1ubuntu1 to 3.0.2-1ubuntu1.1 fixes this bug for me. I'm using 32bit Ubuntu 13.04.
maxp (maxp) wrote : | #48 |
Confirm working vsftpd_
Adam Conrad (adconrad) wrote : Update Released | #49 |
The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote : | #50 |
This bug was fixed in the package vsftpd - 3.0.2-1ubuntu1.1
---------------
vsftpd (3.0.2-1ubuntu1.1) raring; urgency=low
* debian/
- patch to remove CLONE_NEWPID syscall
see: https:/
Fixes LP: #1160372
-- Daniel Llewellyn (Bang Communications) <email address hidden> Wed, 08 May 2013 14:08:53 +0100
Changed in vsftpd (Ubuntu Raring): | |
status: | Fix Committed → Fix Released |
In Novell/SUSE Bugzilla #786024, moenchmeyer (rm-anracon) wrote : | #113 |
Hi, I am using Opensuse 12.3 64 Bit. Freshly installed and updated to the latest packages from the update repository.
In my opinion the problems regarding the present version 3.0.2-4.5.1 of vsftp are far from resolved. As other related bugs as
https:/
were marked as duplicates of this one I post my findings here.
Bug 1
******
I still need
seccomp_sandbox=NO
to connect, when TLS is enabled. With this option set to NO everything works as expected.
However, if seccomp_sandbox=YES I get the following messages in Filezilla when trying to connect from a remote system which also runs under OS 12.3:
Status: TLS/SSL-Verbindung hergestellt.
Antwort: 331 Please specify the password.
Befehl: PASS *******
Antwort: 230 Login successful.
Befehl: SYST
Antwort: 215 UNIX Type: L8
Befehl: FEAT
Antwort: 211-Features:
Antwort: AUTH TLS
Antwort: EPRT
Antwort: EPSV
Antwort: MDTM
Antwort: PASV
Antwort: PBSZ
Antwort: PROT
Antwort: REST STREAM
Antwort: SIZE
Antwort: TVFS
Antwort: UTF8
Antwort: 211 End
Befehl: OPTS UTF8 ON
Antwort: 200 Always in UTF8 mode.
Befehl: PBSZ 0
Antwort: 200 PBSZ set to 0.
Befehl: PROT P
Antwort: 200 PROT now Private.
Status: Verbunden
Status: Empfange Verzeichnisinha
Befehl: CWD /
Antwort: 250 Directory successfully changed.
Befehl: PWD
Antwort: 257 "/"
Befehl: TYPE I
Antwort: 200 Switching to Binary mode.
Befehl: PASV
Fehler: GnuTLS error -15: Ein unerwartetes TLS-Paket wurde empfangen.
Fehler: Verbindung zum Server getrennt: ECONNABORTED - Connection aborted
Fehler: Verzeichnisinhalt konnte nicht empfangen werden
Bug 2 (maybe related)
******
2) Even with "seccomp_
syslog_enable=YES
I get the following message in filezilla:
Status: Connecting to 192.168.0.37:21...
Status: Connection established, waiting for welcome message...
Response: 500 OOPS: priv_sock_get_cmd
Error: Critical error
Error: Could not connect to server
Bug 3:
******
From some OS 12.3 remote systems I cannot connect in case the following option is not set to NO:
require_
So all in all vsftp still shows major deficiencies on Opensuse 12.3 which were not present in OS 12.2.
Any ideas what I could do ?
In Novell/SUSE Bugzilla #786024, moenchmeyer (rm-anracon) wrote : | #114 |
(In reply to comment #63)
> From some OS 12.3 remote systems I cannot connect in case the following option
> is not set to NO:
>
> require_
>
I have seen that the OS 12.3-systems for which the setting "require_
is required all had the original Filezilla version 3.5.3 from the OS 12.3 OSS repository installed.
After installing Filezilla version 3.7.0.1 from the network repository
http://
this problem, which is obviously client related, disappears and the setting
require_
works.
The other problems described in comment #63, however, remain.
In Novell/SUSE Bugzilla #786024, Abonilla (abonilla) wrote : | #115 |
guys, a fresh install of the vsftp will still show this problem, we had to use the workaround provided. If a configuration setting has changed, ie "require_
Changed in opensuse: | |
importance: | Unknown → High |
status: | Unknown → Fix Released |
In Novell/SUSE Bugzilla #786024, Mvyskocil-l (mvyskocil-l) wrote : | #116 |
@abonilla, @rm: hi, please open a **new** report. It's quite hard to follow the discussion in this one. And please attach the vsftpd.conf and an output of strace -f -tt
You might copy the vsftpd.service to /etc/systemd/
change the ExecStart line to
ExecStart=
and issue systemctl daemon-reload && systemctl restart vsftpd.service
james richardson (fantasy-phreak77) wrote : | #117 |
Changed in vsftpd (Ubuntu): | |
assignee: | nobody → ToshinoriTakada (to6540ta) |
assignee: | ToshinoriTakada (to6540ta) → nobody |
Jeff Van Epps (lordbah) wrote : | #118 |
I've just stumbled into this bug on 14.04.1. Worked around by commenting out "auth required pam_shells.so" in /etc/pam.d/vsftpd and restarting vsftpd as mentioned in 869684.
Linggar Dedi Kurniawan (14linggar) wrote : | #119 |
My server environment has vsftpd version 2.3.xx installed and I want to configure my vsftpd to jail the user directory.
but when insert parameter file vsftpd and uncomment 'allow_
one again when insert 'seccomp_
Maybe this can help for this case :)
Thanks in advance.
In Novell/SUSE Bugzilla #786024, Swamp-a (swamp-a) wrote : | #120 |
SUSE-RU-
Category: recommended (moderate)
Bug References: 786024,
CVE References:
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): vsftpd-3.0.2-31.1
SUSE Linux Enterprise Server 12 (src): vsftpd-3.0.2-31.1
In Novell/SUSE Bugzilla #786024, Swamp-a (swamp-a) wrote : | #121 |
openSUSE-
Category: recommended (moderate)
Bug References: 786024,
CVE References:
Sources used:
openSUSE Leap 42.1 (src): vsftpd-3.0.2-17.1
vsftpd is running, but...
# ncftp -u demo localhost
NcFTP 3.2.4 (May 16, 2010) by Mike Gleason (http://www.NcFTP.com/contact/).
Server hungup immediately after connect.
OOPS: priv_sock_get_cmd
Workaround: add seccomp_sandbox=NO to vsftpd.conf
See also https://bbs.archlinux.org/viewtopic.php?id=147074 - the page says this is fixed in vsftpd 3.0.2, so updating vsftpd to this version should be enough.
I did not test if this bug is only in Factory (I'm using factory-tested from 2012-10-03) or also in 12.2.
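The seccomp_sandbox=NO workaround above switches off vsftpd's seccomp filter, so it is worth finding hosts that still carry it once the fixed package is installed. The following is an added example, not part of the bug report or of vsftpd: a Python check of a vsftpd.conf text for that setting. The function names and the sample config are constructed, and it assumes vsftpd's rule of no spaces around "=" and that a later line overrides an earlier one.

```python
import re

# vsftpd.conf syntax: one "option=value" per line, no spaces around "=",
# lines starting with "#" are comments.
OPTION_RE = re.compile(r"^([a-z0-9_]+)=(.*)$")

def parse_vsftpd_conf(text):
    """Return (settings, malformed): settings maps option -> (value, line_no)
    for the last occurrence of each option; malformed is [(line_no, raw)]."""
    settings, malformed = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        m = OPTION_RE.match(raw)
        # Whitespace next to "=" or after the value is treated as an error.
        if m is None or m.group(2) != m.group(2).strip():
            malformed.append((line_no, raw))
            continue
        settings[m.group(1)] = (m.group(2), line_no)
    return settings, malformed

def audit_sandbox(text, option="seccomp_sandbox"):
    """Return (state, findings); state is enabled, disabled, default or invalid."""
    settings, malformed = parse_vsftpd_conf(text)
    findings = [f"line {n}: not in option=value form: {raw!r}" for n, raw in malformed]
    if option not in settings:
        return "default", findings  # vsftpd's built-in default applies
    value, line_no = settings[option]
    if value.upper() == "YES":
        return "enabled", findings
    if value.upper() == "NO":
        findings.append(f"line {line_no}: {option}=NO, workaround still in place")
        return "disabled", findings
    findings.append(f"line {line_no}: unrecognised value {value!r} for {option}")
    return "invalid", findings

# Constructed sample config, not taken from the bug report.
SAMPLE_CONF = """\
listen=YES
local_enable=YES
write_enable=YES
seccomp_sandbox=YES
syslog_enable = YES
# workaround added while logins were failing
seccomp_sandbox=NO
"""

if __name__ == "__main__":
    state, findings = audit_sandbox(SAMPLE_CONF)
    print(state, *findings, sep="\n  ")
```

To audit a real host, pass the contents of its vsftpd.conf to audit_sandbox() instead of SAMPLE_CONF.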