Bugzilla – Full Text Bug Listing

| Summary: | Pure-ftpd login fails on pam_loginuid(pure-ftpd:session): set_loginuid | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 12.2 | Reporter: | Erwin Van de Velde <erwin.vandevelde> |
| Component: | Other | Assignee: | Cristian Rodríguez <crrodriguez> |
| Status: | RESOLVED WONTFIX | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | denixx.baykin, g.w.kant, mc, vcizek |
| Version: | Final | | |
| Target Milestone: | --- | | |
| Hardware: | x86-64 | | |
| OS: | openSUSE 12.2 | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | pure-ftpd.conf | | |
Description
Erwin Van de Velde
2012-11-15 16:16:13 UTC
(In reply to comment #0)
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101
> Firefox/16.0
>
> When pure-ftpd is started as a service

What does it mean, "started as a service"? You mean started through systemd? Anyway, do you have something special in your /etc/pure-ftpd/pure-ftpd.conf?

Created attachment 513411 [details]
pure-ftpd.conf

Yes, started through systemd (on boot or with /etc/init.d/pure-ftpd restart). Nothing special, I attach my config file for reference.

I've the same - the /var/log/messages contains

```
Dec 18 16:06:42 zelva pure-ftpd: (?@10.100.13.12) [INFO] New connection from 10.100.13.12
Dec 18 16:06:42 zelva pure-ftpd: (?@10.100.13.12) [DEBUG] Command [user] [mvyskocil]
Dec 18 16:06:44 zelva pure-ftpd: (?@10.100.13.12) [DEBUG] Command [pass] [<*>]
Dec 18 16:06:45 zelva pure-ftpd: pam_sss(pure-ftpd:auth): authentication success; logname= uid=0 euid=0 tty=pure-ftpd ruser=mvyskocil rhost= user=mvyskocil
Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid failed
```

BTW: This seems to be a dup of bnc#780724

@mc: why does pam_loginuid fail on systemd-powered systems? I found such an issue, but it was on a system with ro /proc, which does not apply to my own. I use the standard openSUSE kernel with

```
zgrep AUDIT /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
# CONFIG_AUDIT_LOGINUID_IMMUTABLE is not set
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_KVM_MMU_AUDIT=y
```

but the audit daemon is not installed on my system.

ping

What info is expected further? I do not see what more can be given at this time.

The NEEDINFO was not on you, but on our pam maintainer.

(In reply to comment #4)
> Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid
> failed

This says everything. pam_loginuid is not allowed to write into /proc/self/loginuid. Either the system/kernel is wrongly configured or pure-ftpd drops the privileges in the wrong place, don't know. But this has nothing to do with PAM at all.

*** Bug 780724 has been marked as a duplicate of this bug. ***

(In reply to comment #8)
> (In reply to comment #4)
> > Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid
> > failed
>
> This says everything. pam_loginuid is not allowed to write into
> /proc/self/loginuid

At least /proc is mounted as rw according to /proc/pid/mount

> Either the system/kernel is wrongly configured or pure-ftpd drops the privileges
> in the wrong place, don't know. But this has nothing to do with PAM at all.

and capabilities seem to have CAP_AUDIT_WRITE, so I'm not sure why pam_loginuid fails ... Needs some investigation.

OK, reality is obviously a bit more complicated than the documentation. CAP_AUDIT_WRITE is/was not enough to set loginuid [1] and CAP_AUDIT_CONTROL will be needed for it as well. But there is a new kernel option CAP_AUDIT_IMMUTABLE [2] for systemd-powered systems, which should make CAP_AUDIT_CONTROL useless - needs to be checked on some 12.2 system.

[1] http://osdir.com/ml/linux.redhat.security.audit/2007-02/msg00022.html
[2] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=633b45454503489209b0d9a45f9e3cd1b852c614

Do you need any help? I have 12.2 and am using pure-ftpd installed.

So it seems CAP_AUDIT_WRITE is not enough for pam_loginuid, and as neither the 12.2 nor the 12.3 kernel has CAP_AUDIT_IMMUTABLE, I'll need to change pure-ftpd as well.

@maintenance: can I ask for 12.1 and 12.2 updates for pure-ftpd? 12.3 is not yet branched, so a Factory submission is enough, am I right?

sent fixed packages
factory: 149628
12.2: 149629
12.1: 149630

This is an autogenerated message for OBS integration:
This bug (789833) was mentioned in
https://build.opensuse.org/request/show/149628 Factory / pure-ftpd
https://build.opensuse.org/request/show/149629 Maintenance /
https://build.opensuse.org/request/show/149630 Maintenance /

openSUSE-RU-2013:0221-1: An update that has one recommended fix can now be installed.

Category: recommended (low)
Bug References: 789833
CVE References:
Sources used:
openSUSE 12.2 (src): pure-ftpd-1.0.36-3.4.1
openSUSE 12.1 (src): pure-ftpd-1.0.32-5.4.1

I still have an issue on openSUSE 12.2 when using PAMAuthentication yes. When I use UnixAuthentication it works fine. Am I missing something?

To give it another try, I used pure-ftpd-1.0.36-8.1.1.src.rpm from openSUSE 12.3 to build pure-ftpd-1.0.36-8.1.1.x86_64.rpm on openSUSE 12.2. Also with this, I run into the same issue with PAMAuthentication:

```
ftp:/etc/pure-ftpd # ftp localhost
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220-Welcome to Pure-FTPd.
220-You are user number 1 of 50 allowed.
220-Local time is now 14:45. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:root): dion
331 User dion OK. Password required
Password:
230-This server supports FXP transfers
230 OK. Current restricted directory is /
421 Service not available, remote server has closed connection.
ftp: No control connection for command.
ftp: No control connection for command.
ftp>
```

It is ok with UnixAuthentication:

```
ftp:/etc/pure-ftpd # ftp localhost
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220-Welcome to Pure-FTPd.
220-You are user number 2 of 50 allowed.
220-Local time is now 14:47. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:root): dion
331 User dion OK. Password required
Password:
230-This server supports FXP transfers
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```

12.2 is out of support. Please try with an updated release on Leap/Tumbleweed and open a new issue if it is still happening.
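The thread turns on two facts: pam_loginuid writes /proc/self/loginuid in the session phase, and the kernel requires CAP_AUDIT_CONTROL (not just CAP_AUDIT_WRITE) for that write, so a daemon that has already dropped to an unprivileged capability set before opening the PAM session gets "set_loginuid failed". The following diagnostic is an added example written for this page; it is not pure-ftpd, openSUSE or Linux-PAM code. It reads CapEff from /proc/self/status and the current /proc/self/loginuid and reports whether the process, at the point where it is run, still holds what pam_loginuid would need. The capability bit numbers are the kernel's (linux/capability.h); every function name and the sample masks in the comments are this example's own. It does not cover CONFIG_AUDIT_LOGINUID_IMMUTABLE kernels, where a loginuid that is already set cannot be rewritten regardless of capabilities.

```c
/* Added diagnostic example (not pure-ftpd or openSUSE code): report whether the
 * current process still holds the capabilities pam_loginuid needs to write
 * /proc/self/loginuid, and whether loginuid has already been set.
 * Capability numbers are from linux/capability.h; everything else is an
 * assumption of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#define CAP_AUDIT_WRITE   29   /* linux/capability.h */
#define CAP_AUDIT_CONTROL 30   /* linux/capability.h */

/* Return 1 if capability bit `cap` is set in a hexadecimal mask such as the
 * "CapEff:" value from /proc/self/status, 0 otherwise (or on parse error). */
int cap_mask_has(const char *hexmask, int cap)
{
    char *end;
    errno = 0;
    uint64_t mask = strtoull(hexmask, &end, 16);
    if (errno != 0 || end == hexmask || cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1u);
}

/* Copy the value of a "Key:\t<value>" line from /proc/<pid>/status text
 * into out (size outsz). Returns 1 on success, 0 if the key is absent. */
int status_field(const char *status_text, const char *key, char *out, size_t outsz)
{
    const char *p = status_text;
    size_t klen = strlen(key);
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            p += klen + 1;
            while (*p == ' ' || *p == '\t') p++;
            size_t n = strcspn(p, "\n");
            if (n >= outsz) n = outsz - 1;
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/* /proc/self/loginuid reads "4294967295" ((uid_t)-1) until pam_loginuid or the
 * init system has set it. Return 1 if it holds a real uid, 0 otherwise. */
int loginuid_is_set(const char *loginuid_text)
{
    char *end;
    errno = 0;
    unsigned long long v = strtoull(loginuid_text, &end, 10);
    if (errno != 0 || end == loginuid_text)
        return 0;
    return v != 4294967295ULL;
}

/* Classify a CapEff mask for the pam_loginuid session call:
 * 0 = no audit capabilities, 1 = CAP_AUDIT_WRITE only (the state the thread
 * found insufficient), 2 = both CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL. */
int audit_cap_level(const char *capeff_hex)
{
    int w = cap_mask_has(capeff_hex, CAP_AUDIT_WRITE);
    int c = cap_mask_has(capeff_hex, CAP_AUDIT_CONTROL);
    return (w && c) ? 2 : (w ? 1 : 0);
}

/* Read a small procfs file into buf; returns 1 on success, 0 if unreadable. */
static int read_file(const char *path, char *buf, size_t sz)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sz - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 1;
}

int main(void)
{
    char status[8192], loginuid[64], capeff[32];
    if (!read_file("/proc/self/status", status, sizeof status) ||
        !status_field(status, "CapEff", capeff, sizeof capeff)) {
        fprintf(stderr, "cannot read CapEff (not Linux, or /proc unavailable)\n");
        return 1;
    }
    printf("CapEff=%s  CAP_AUDIT_WRITE=%d  CAP_AUDIT_CONTROL=%d  level=%d\n",
           capeff, cap_mask_has(capeff, CAP_AUDIT_WRITE),
           cap_mask_has(capeff, CAP_AUDIT_CONTROL), audit_cap_level(capeff));
    if (read_file("/proc/self/loginuid", loginuid, sizeof loginuid))
        printf("loginuid=%s (%s)\n", loginuid,
               loginuid_is_set(loginuid) ? "already set" : "unset");
    return 0;
}
```

Run it in the same context the FTP session process has at the moment it calls pam_open_session (for instance as the unprivileged service user, or with the unit's capability bounding set applied): a level of 1 reproduces the situation the comment above observed, where CAP_AUDIT_WRITE is present but set_loginuid still fails, and a level of 2 is what the pure-ftpd fix has to preserve until the session phase is done.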