https://bugzilla.novell.com/show_bug.cgi?id=789833
https://bugzilla.novell.com/show_bug.cgi?id=789833#c0
Summary: Pure-ftpd does not allow login when started as service
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: Other
OS/Version: openSUSE 12.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: erwin.vandevelde@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
When pure-ftpd is started as a service, this happens when trying to connect:
:~> ftp localhost
Trying ::1...
Connected to localhost.
220-Welcome to Pure-FTPd.
220-You are user number 1 of 10 allowed.
220-Local time is now 17:08. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:evdvelde):
331 User evdvelde OK. Password required
Password:
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp> quit
No errors recorded in the log files.
When running on command line, it works fine.
Configuration done normally through Yast, this is the command that is recorded in /var/log/messages (same command I use on the command line):
/usr/sbin/pure-ftpd --daemonize -A -c10 -B -C3 -d -z -D -E -fftp -H -I15 -lpam -L10000:8 -m4 -s -u40 -x -r -i -k99 -G -Z -Y0
Reproducible: Always
Steps to Reproduce:
1. Install pure-ftpd
2. Configure through Yast (I disabled anonymous login)
3. Try connecting when pure-ftpd runs as a service
Actual Results: Error: 421 Service not available, remote server has closed connection.
Expected Results: Successful connection
pure-ftpd 1.0.36-3.1.3
https://bugzilla.novell.com/show_bug.cgi?id=789833#c
Erwin Van de Velde erwin.vandevelde@gmail.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
Platform|Other   |x86-64
Severity|Normal  |Major
Jiaying ren jren@suse.com changed:
What      |Removed                                  |Added
----------------------------------------------------------------------------
CC        |                                         |jren@suse.com
AssignedTo|bnc-team-screening@forge.provo.novell.com|mvyskocil@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=789833#c1
Michal Vyskocil mvyskocil@suse.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |NEEDINFO
InfoProvider|        |erwin.vandevelde@gmail.com
--- Comment #1 from Michal Vyskocil mvyskocil@suse.com 2012-11-16 08:52:58 UTC ---
(In reply to comment #0)
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
> When pure-ftpd is started as a service
What does it mean "started as a service"? You mean started through systemd? Anyway do you have something special in your /etc/pure-ftpd/pure-ftpd.conf?
https://bugzilla.novell.com/show_bug.cgi?id=789833#c2
--- Comment #2 from Erwin Van de Velde erwin.vandevelde@gmail.com 2012-11-16 08:59:51 UTC ---
Created an attachment (id=513411) --> (http://bugzilla.novell.com/attachment.cgi?id=513411)
pure-ftpd.conf
https://bugzilla.novell.com/show_bug.cgi?id=789833#c3
Erwin Van de Velde erwin.vandevelde@gmail.com changed:
What        |Removed                    |Added
----------------------------------------------------------------------------
Status      |NEEDINFO                   |NEW
InfoProvider|erwin.vandevelde@gmail.com |
--- Comment #3 from Erwin Van de Velde erwin.vandevelde@gmail.com 2012-11-16 09:00:03 UTC ---
Yes, started through systemd (on boot or with /etc/init.d/pure-ftpd restart). Nothing special, I attach my config file for reference.
https://bugzilla.novell.com/show_bug.cgi?id=789833#c4
Michal Vyskocil mvyskocil@suse.com changed:
What        |Removed                                                |Added
----------------------------------------------------------------------------
Priority    |P5 - None                                              |P3 - Medium
Status      |NEW                                                    |NEEDINFO
CC          |                                                       |mc@suse.com
InfoProvider|                                                       |mc@suse.com
Summary     |Pure-ftpd does not allow login when started as service |Pure-ftpd login gails on pam_loginuid(pure-ftpd:session): set_loginuid
--- Comment #4 from Michal Vyskocil mvyskocil@suse.com 2012-12-18 15:16:55 UTC ---
I've the same - the /var/log/messages contains
Dec 18 16:06:42 zelva pure-ftpd: (?@10.100.13.12) [INFO] New connection from 10.100.13.12
Dec 18 16:06:42 zelva pure-ftpd: (?@10.100.13.12) [DEBUG] Command [user] [mvyskocil]
Dec 18 16:06:44 zelva pure-ftpd: (?@10.100.13.12) [DEBUG] Command [pass] [<*>]
Dec 18 16:06:45 zelva pure-ftpd: pam_sss(pure-ftpd:auth): authentication success; logname= uid=0 euid=0 tty=pure-ftpd ruser=mvyskocil rhost= user=mvyskocil
Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid failed
BTW: This seems as a dup of bnc#780724
@mc: why the pam_loginuid fails on systemd-powered systems? I found such issue, but it was on a system with ro /proc, which does not apply to my own. I use standard openSUSE kernel with
zgrep AUDIT /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
# CONFIG_AUDIT_LOGINUID_IMMUTABLE is not set
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_KVM_MMU_AUDIT=y
but audit daemon is not installed on my system.
https://bugzilla.novell.com/show_bug.cgi?id=789833#c5
--- Comment #5 from Michal Vyskocil mvyskocil@suse.com 2013-01-08 15:25:26 UTC ---
ping
https://bugzilla.novell.com/show_bug.cgi?id=789833#c6
Erwin Van de Velde erwin.vandevelde@gmail.com changed:
What        |Removed     |Added
----------------------------------------------------------------------------
Status      |NEEDINFO    |NEW
InfoProvider|mc@suse.com |
--- Comment #6 from Erwin Van de Velde erwin.vandevelde@gmail.com 2013-01-08 15:29:21 UTC ---
What info is expected further? I do not see what more can be given at this time.
https://bugzilla.novell.com/show_bug.cgi?id=789833#c7
Michal Vyskocil mvyskocil@suse.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |NEEDINFO
CC          |        |vcizek@suse.com
InfoProvider|        |mc@suse.com
--- Comment #7 from Michal Vyskocil mvyskocil@suse.com 2013-01-08 15:53:01 UTC ---
The NEEDINFO was not on you, but on our pam maintainer.
https://bugzilla.novell.com/show_bug.cgi?id=789833#c8
Thorsten Kukuk kukuk@suse.com changed:
What        |Removed     |Added
----------------------------------------------------------------------------
Status      |NEEDINFO    |NEW
InfoProvider|mc@suse.com |
--- Comment #8 from Thorsten Kukuk kukuk@suse.com 2013-01-11 14:14:03 UTC ---
(In reply to comment #4)
> Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid failed
This says everything. pam_loginuid is not allowed to write into /proc/self/loginuid
Either the system/kernel is wrongly configured or pure-ftpd drops the privileges in the wrong place, don't know. But this has nothing to do with PAM at all.
https://bugzilla.novell.com/show_bug.cgi?id=789833#c9
Lukas Ocilka locilka@suse.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |denixx.baykin@gmail.com
--- Comment #9 from Lukas Ocilka locilka@suse.com 2013-01-11 14:30:31 UTC ---
*** Bug 780724 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=780724
https://bugzilla.novell.com/show_bug.cgi?id=789833#c10
Michal Vyskocil mvyskocil@suse.com changed:
What  |Removed |Added
----------------------------------------------------------------------------
Status|NEW     |ASSIGNED
--- Comment #10 from Michal Vyskocil mvyskocil@suse.com 2013-01-21 15:27:10 UTC ---
(In reply to comment #8)
> (In reply to comment #4)
> > Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid failed
> This says everything. pam_loginuid is not allowed to write into /proc/self/loginuid
At least /proc is mounted as rw according to /proc/pid/mount
> Either the system/kernel is wrongly configured or pure-ftpd drops the privileges in the wrong place, don't know. But this has nothing to do with PAM at all.
and capabilities seems to have CAP_AUDIT_WRITE, so I'm not sure why pam_loginuid fails ... Needs some investigation.
https://bugzilla.novell.com/show_bug.cgi?id=789833#c11
--- Comment #11 from Michal Vyskocil mvyskocil@suse.com 2013-01-22 09:49:51 UTC ---
OK, reality is obviously a bit more complicated than documentation. The CAP_AUDIT_WRITE is/was not enough for set loginuid [1] and CAP_AUDIT_CONTROL will be needed for it as well. But there is new kernel option CAP_AUDIT_IMMUTABLE [2] for systemd powered systems, which should make CAP_AUDIT_CONTROL useless - needs to check it on some 12.2 system.
[1] http://osdir.com/ml/linux.redhat.security.audit/2007-02/msg00022.html
[2] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=...
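Added example (not part of the original thread, and not pure-ftpd or PAM code): a shell diagnostic for the point made in comment #11, that CAP_AUDIT_WRITE alone is not enough to set the loginuid and CAP_AUDIT_CONTROL is needed as well. It decodes a CapEff mask as found in /proc/PID/status; the function names and sample masks are constructed for illustration, and 29 and 30 are the bit numbers of CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL in linux/capability.h.

```shell
#!/bin/sh
# Added example: classify a process's effective capability mask with
# respect to the two audit capabilities discussed in this bug.
CAP_AUDIT_WRITE=29     # bit number from linux/capability.h
CAP_AUDIT_CONTROL=30   # bit number from linux/capability.h

# has_cap HEXMASK BIT -> exit status 0 when that capability bit is set
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capeff_of PID -> print the CapEff hex mask of a running process
capeff_of() {
    awk '$1 == "CapEff:" { print $2 }' "/proc/$1/status"
}

# loginuid_verdict HEXMASK -> one word describing the audit capabilities
loginuid_verdict() {
    if has_cap "$1" "$CAP_AUDIT_CONTROL"; then
        echo audit_control_present
    elif has_cap "$1" "$CAP_AUDIT_WRITE"; then
        # The situation from comment #10: CAP_AUDIT_WRITE is there,
        # yet pam_loginuid still reports "set_loginuid failed".
        echo audit_write_only
    else
        echo no_audit_caps
    fi
}

# Constructed sample masks (not taken from a real pure-ftpd process):
#   0000000020040400 = bits 10, 18, 29     (CAP_AUDIT_WRITE only)
#   0000000060040400 = bits 10, 18, 29, 30 (adds CAP_AUDIT_CONTROL)
#   0000000000000000 = no capabilities at all
for mask in 0000000020040400 0000000060040400 0000000000000000; do
    printf '%s -> %s\n' "$mask" "$(loginuid_verdict "$mask")"
done

# Live check: pass the PID of the daemon as the first argument.
if [ -n "${1:-}" ]; then
    mask=$(capeff_of "$1")
    printf 'pid %s CapEff=%s -> %s\n' "$1" "$mask" "$(loginuid_verdict "$mask")"
fi
```

Run it with the PID of the process that is handling the FTP session, since the mask of interest is the one in effect when the PAM session stack runs.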
https://bugzilla.novell.com/show_bug.cgi?id=789833#c12
--- Comment #12 from denixx baykin denixx.baykin@gmail.com 2013-01-22 09:55:42 UTC ---
Do you need any help? I have 12.2 and using pure-ftpd installed.
https://bugzilla.novell.com/show_bug.cgi?id=789833#c13
Michal Vyskocil mvyskocil@suse.com changed:
What        |Removed  |Added
----------------------------------------------------------------------------
Status      |ASSIGNED |NEEDINFO
InfoProvider|         |maintenance@opensuse.org
--- Comment #13 from Michal Vyskocil mvyskocil@suse.com 2013-01-22 14:15:28 UTC ---
So it seems the CAP_AUDIT_WRITE is not enough for pam_loginuid and as 12.2, neither 12.3 kernel have CAP_AUDIT_IMMUTABLE, I'll need to change pure-ftpd as well.
@maintenance: can I ask for 12.1 and 12.2 update for pure-ftpd? 12.3 is not yet branched, so Factory submission is enough, I'm right?
https://bugzilla.novell.com/show_bug.cgi?id=789833#c14
Michal Vyskocil mvyskocil@suse.com changed:
What        |Removed                  |Added
----------------------------------------------------------------------------
Status      |NEEDINFO                 |RESOLVED
InfoProvider|maintenance@opensuse.org |
Resolution  |                         |FIXED
--- Comment #14 from Michal Vyskocil mvyskocil@suse.com 2013-01-23 08:55:19 UTC ---
sent fixed packages
factory: 149628
12.2: 149629
12.1: 149630
https://bugzilla.novell.com/show_bug.cgi?id=789833#c15
--- Comment #15 from Bernhard Wiedemann bwiedemann@suse.com 2013-01-23 10:00:08 CET ---
This is an autogenerated message for OBS integration:
This bug (789833) was mentioned in
https://build.opensuse.org/request/show/149628 Factory / pure-ftpd
https://build.opensuse.org/request/show/149629 Maintenance /
https://build.opensuse.org/request/show/149630 Maintenance /
https://bugzilla.novell.com/show_bug.cgi?id=789833#c16
--- Comment #16 from Swamp Workflow Management swamp@suse.de 2013-01-31 16:07:04 UTC ---
openSUSE-RU-2013:0221-1: An update that has one recommended fix can now be installed.
Category: recommended (low)
Bug References: 789833
CVE References:
Sources used:
openSUSE 12.2 (src): pure-ftpd-1.0.36-3.4.1
openSUSE 12.1 (src): pure-ftpd-1.0.32-5.4.1
https://bugzilla.novell.com/show_bug.cgi?id=789833#c17
Dion Kant g.w.kant@hunenet.nl changed:
What      |Removed  |Added
----------------------------------------------------------------------------
Status    |RESOLVED |REOPENED
CC        |         |g.w.kant@hunenet.nl
Resolution|FIXED    |
--- Comment #17 from Dion Kant g.w.kant@hunenet.nl 2014-01-19 13:39:33 UTC ---
I still have an issue on openSUSE 12.2 when using PAMAuthentication yes. When I use UnixAuthentication it works fine.
Am I missing something?
https://bugzilla.novell.com/show_bug.cgi?id=789833#c18
--- Comment #18 from Dion Kant g.w.kant@hunenet.nl 2014-01-19 13:49:49 UTC ---
To give it another try, I used pure-ftpd-1.0.36-8.1.1.src.rpm from openSUSE 12.3 to build pure-ftpd-1.0.36-8.1.1.x86_64.rpm on openSUSE 12.2.
Also with this, I run into the same issue with PAMAuthentication:
ftp:/etc/pure-ftpd # ftp localhost
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220-Welcome to Pure-FTPd.
220-You are user number 1 of 50 allowed.
220-Local time is now 14:45. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:root): dion
331 User dion OK. Password required
Password:
230-This server supports FXP transfers
230 OK. Current restricted directory is /
421 Service not available, remote server has closed connection.
ftp: No control connection for command.
ftp: No control connection for command.
ftp>
It is ok with UnixAuthentication:
ftp:/etc/pure-ftpd # ftp localhost
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220-Welcome to Pure-FTPd.
220-You are user number 2 of 50 allowed.
220-Local time is now 14:47. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:root): dion
331 User dion OK. Password required
Password:
230-This server supports FXP transfers
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
SMASH SMASH smash_bz@suse.de changed:
What      |Removed |Added
----------------------------------------------------------------------------
Whiteboard|        |maint:planned:update