Bugzilla – Bug 789833
Pure-ftpd login fails on pam_loginuid(pure-ftpd:session): set_loginuid
Last modified: 2017-08-11 15:30:12 UTC
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0

When pure-ftpd is started as a service, this happens when trying to connect:

:~> ftp localhost
Trying ::1...
Connected to localhost.
220-Welcome to Pure-FTPd.
220-You are user number 1 of 10 allowed.
220-Local time is now 17:08. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:evdvelde):
331 User evdvelde OK. Password required
Password:
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp> quit

No errors recorded in the log files. When running on the command line, it works fine.

Configuration done normally through Yast; this is the command that is recorded in /var/log/messages (same command I use on the command line):

/usr/sbin/pure-ftpd --daemonize -A -c10 -B -C3 -d -z -D -E -fftp -H -I15 -lpam -L10000:8 -m4 -s -u40 -x -r -i -k99 -G -Z -Y0

Reproducible: Always

Steps to Reproduce:
1. Install pure-ftpd
2. Configure through Yast (I disabled anonymous login)
3. Try connecting when pure-ftpd runs as a service

Actual Results:
Error: 421 Service not available, remote server has closed connection.

Expected Results:
Successful connection

pure-ftpd 1.0.36-3.1.3
(In reply to comment #0)
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101
> Firefox/16.0
>
> When pure-ftpd is started as a service

What does it mean, "started as a service"? You mean started through systemd? Anyway, do you have something special in your /etc/pure-ftpd/pure-ftpd.conf?
Created attachment 513411 [details] pure-ftpd.conf
Yes, started through systemd (on boot or with /etc/init.d/pure-ftpd restart). Nothing special, I attach my config file for reference.
I've the same - the /var/log/messages contains:

Dec 18 16:06:42 zelva pure-ftpd: (?@10.100.13.12) [INFO] New connection from 10.100.13.12
Dec 18 16:06:42 zelva pure-ftpd: (?@10.100.13.12) [DEBUG] Command [user] [mvyskocil]
Dec 18 16:06:44 zelva pure-ftpd: (?@10.100.13.12) [DEBUG] Command [pass] [<*>]
Dec 18 16:06:45 zelva pure-ftpd: pam_sss(pure-ftpd:auth): authentication success; logname= uid=0 euid=0 tty=pure-ftpd ruser=mvyskocil rhost= user=mvyskocil
Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid failed

BTW: This seems to be a dup of bnc#780724

@mc: why does pam_loginuid fail on systemd-powered systems? I found such an issue, but it was on a system with ro /proc, which does not apply to my own. I use the standard openSUSE kernel with

zgrep AUDIT /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
# CONFIG_AUDIT_LOGINUID_IMMUTABLE is not set
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_KVM_MMU_AUDIT=y

but the audit daemon is not installed on my system.
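The log excerpt above is the signature a defender would look for when diagnosing this kind of failure: an "authentication success" line from the auth module immediately followed by a pam_loginuid session failure for the same PAM service. As an added example (not part of the bug report and not pure-ftpd code), the script below correlates those two lines per service over syslog-format text. The sample lines are constructed to match the format quoted in the comment, with two extra lines (a failed login and an unrelated sshd session) to show what is ignored.

```python
import re

# Constructed sample lines in the syslog format quoted in this bug report.
# The two trailing lines (a failed login, an sshd session) are added noise.
SAMPLE_LOG = """\
Dec 18 16:06:42 zelva pure-ftpd: (?@10.100.13.12) [INFO] New connection from 10.100.13.12
Dec 18 16:06:42 zelva pure-ftpd: (?@10.100.13.12) [DEBUG] Command [user] [mvyskocil]
Dec 18 16:06:44 zelva pure-ftpd: (?@10.100.13.12) [DEBUG] Command [pass] [<*>]
Dec 18 16:06:45 zelva pure-ftpd: pam_sss(pure-ftpd:auth): authentication success; logname= uid=0 euid=0 tty=pure-ftpd ruser=mvyskocil rhost= user=mvyskocil
Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid failed
Dec 18 16:09:10 zelva pure-ftpd: (?@10.100.13.12) [INFO] New connection from 10.100.13.12
Dec 18 16:09:12 zelva pure-ftpd: pam_sss(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=guest rhost= user=guest
Dec 18 16:11:00 zelva sshd[2211]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# "<Mon DD HH:MM:SS> <host> <prog>[pid]: <module>(<service>:<type>): <message>"
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
# \b keeps "ruser=" from matching; we want the trailing "user=" field.
USER_FIELD = re.compile(r"\buser=(\S*)")


def find_loginuid_failures(log_text):
    """Return one record per PAM session that authenticated successfully
    but then failed in pam_loginuid. Lines are correlated by PAM service
    name, which is what both the auth and session lines carry."""
    last_auth = {}   # service -> (timestamp, auth module, user) of latest success
    findings = []
    for line in log_text.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue   # pure-ftpd's own [INFO]/[DEBUG] lines are not PAM lines
        f = m.groupdict()
        if f["type"] == "auth" and f["msg"].startswith("authentication success"):
            u = USER_FIELD.search(f["msg"])
            last_auth[f["service"]] = (f["ts"], f["module"], u.group(1) if u else "")
        elif f["module"] == "pam_loginuid" and "set_loginuid failed" in f["msg"]:
            _ts, auth_module, user = last_auth.pop(f["service"], ("", "", ""))
            findings.append({
                "service": f["service"],
                "time": f["ts"],
                "user": user,
                "auth_module": auth_module,
                "problem": "session rejected: pam_loginuid could not write /proc/self/loginuid",
            })
    return findings


if __name__ == "__main__":
    for hit in find_loginuid_failures(SAMPLE_LOG):
        print(hit)
```

Feed it the relevant part of /var/log/messages (or `journalctl -o short` output, which uses the same line shape) and each record names the user whose credentials were accepted but whose session was then torn down, which separates this bug from ordinary bad-password failures.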
ping
What info is expected further? I do not see what more can be given at this time.
The NEEDINFO was not on you, but on our pam maintainer.
(In reply to comment #4)
> Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid
> failed

This says everything. pam_loginuid is not allowed to write into /proc/self/loginuid.

Either the system/kernel is wrongly configured or pure-ftpd drops the privileges in the wrong place, don't know. But this has nothing to do with PAM at all.
*** Bug 780724 has been marked as a duplicate of this bug. ***
(In reply to comment #8)
> (In reply to comment #4)
> > Dec 18 16:06:45 zelva pure-ftpd: pam_loginuid(pure-ftpd:session): set_loginuid
> > failed
>
> This says everything. pam_loginuid is not allowed to write into
> /proc/self/loginuid

At least /proc is mounted as rw according to /proc/pid/mount

> Either the system/kernel is wrongly configured or pure-ftpd drops the privileges
> in the wrong place, don't know. But this has nothing to do with PAM at all.

and the capabilities seem to have CAP_AUDIT_WRITE, so I'm not sure why pam_loginuid fails ... Needs some investigation.
OK, reality is obviously a bit more complicated than the documentation. CAP_AUDIT_WRITE is/was not enough for setting loginuid [1], and CAP_AUDIT_CONTROL will be needed for it as well. But there is a new kernel option CAP_AUDIT_IMMUTABLE [2] for systemd-powered systems, which should make CAP_AUDIT_CONTROL useless - needs checking on some 12.2 system.

[1] http://osdir.com/ml/linux.redhat.security.audit/2007-02/msg00022.html
[2] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=633b45454503489209b0d9a45f9e3cd1b852c614
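The comment above pins the failure on the capability set: CAP_AUDIT_WRITE (capability bit 29) is present, but setting loginuid needs CAP_AUDIT_CONTROL (bit 30). The script below is an added example, not code from this thread or from pure-ftpd: it decodes the CapEff field of /proc/<pid>/status into capability names and reports whether the daemon's effective set would let pam_loginuid succeed under the rule found here. The two CapEff values are constructed samples (a reduced set keeping CAP_SETUID, CAP_SETGID, CAP_NET_BIND_SERVICE and CAP_AUDIT_WRITE, and the same set plus CAP_AUDIT_CONTROL); the bit numbers come from <linux/capability.h>. One caveat: newer kernels permit the first write while loginuid is still unset, so on those a "fail" verdict from this check is a warning rather than a certainty.

```python
import re

# Linux capability bit numbers, index == bit (from <linux/capability.h>).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
CAP_AUDIT_WRITE = CAP_NAMES.index("CAP_AUDIT_WRITE")      # bit 29
CAP_AUDIT_CONTROL = CAP_NAMES.index("CAP_AUDIT_CONTROL")  # bit 30


def decode_caps(hex_mask):
    """Turn a CapEff-style hex mask into the set of capability names it holds."""
    mask = int(hex_mask, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    # Bits beyond this table (newer kernels) are reported by number.
    names |= {"CAP_%d" % bit for bit in range(len(CAP_NAMES), mask.bit_length())
              if mask >> bit & 1}
    return names


def loginuid_readiness(hex_mask):
    """Judge whether a process with this effective mask can expect
    pam_loginuid's write to /proc/self/loginuid to succeed, using the
    rule from this thread: CAP_AUDIT_WRITE alone is not enough."""
    mask = int(hex_mask, 16)
    has_write = bool(mask >> CAP_AUDIT_WRITE & 1)
    has_control = bool(mask >> CAP_AUDIT_CONTROL & 1)
    if has_control:
        verdict = "ok: CAP_AUDIT_CONTROL present, loginuid can be set"
    elif has_write:
        verdict = "fail: only CAP_AUDIT_WRITE, set_loginuid will be refused"
    else:
        verdict = "fail: no audit capabilities at all"
    return {"CAP_AUDIT_WRITE": has_write, "CAP_AUDIT_CONTROL": has_control,
            "verdict": verdict}


def capeff_from_status(status_text):
    """Extract the CapEff hex field from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return m.group(1)


# Constructed sample: daemon reduced to CAP_SETGID(6), CAP_SETUID(7),
# CAP_NET_BIND_SERVICE(10) and CAP_AUDIT_WRITE(29) -> 0x200004c0.
SAMPLE_STATUS_REDUCED = "Name:\tpure-ftpd\nCapEff:\t00000000200004c0\n"
# Constructed sample: the same set with CAP_AUDIT_CONTROL(30) kept -> 0x600004c0.
SAMPLE_STATUS_FIXED = "Name:\tpure-ftpd\nCapEff:\t00000000600004c0\n"

if __name__ == "__main__":
    # Live check of the current process when running on Linux; the samples
    # show the two outcomes regardless of platform.
    try:
        with open("/proc/self/status") as fh:
            own = capeff_from_status(fh.read())
    except OSError:
        own = None
    for label, mask in [("reduced sample", capeff_from_status(SAMPLE_STATUS_REDUCED)),
                        ("fixed sample", capeff_from_status(SAMPLE_STATUS_FIXED)),
                        ("this process", own)]:
        if mask is not None:
            print(label, mask, sorted(decode_caps(mask)), loginuid_readiness(mask)["verdict"])
```

To check a running daemon rather than the script's own process, read /proc/<pid>/status of the pure-ftpd child that handles the session (the one that has already dropped privileges) and pass its text to capeff_from_status; comparing the masks before and after the privilege drop shows exactly which audit bit was lost.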
Do you need any help? I have 12.2 and using pure-ftpd installed.
So it seems CAP_AUDIT_WRITE is not enough for pam_loginuid and, as neither the 12.2 nor the 12.3 kernel has CAP_AUDIT_IMMUTABLE, I'll need to change pure-ftpd as well.

@maintenance: can I ask for 12.1 and 12.2 updates for pure-ftpd? 12.3 is not yet branched, so a Factory submission is enough, am I right?
sent fixed packages
factory: 149628
12.2: 149629
12.1: 149630
This is an autogenerated message for OBS integration:
This bug (789833) was mentioned in
https://build.opensuse.org/request/show/149628 Factory / pure-ftpd
https://build.opensuse.org/request/show/149629 Maintenance /
https://build.opensuse.org/request/show/149630 Maintenance /
openSUSE-RU-2013:0221-1: An update that has one recommended fix can now be installed.

Category: recommended (low)
Bug References: 789833
CVE References:
Sources used:
openSUSE 12.2 (src): pure-ftpd-1.0.36-3.4.1
openSUSE 12.1 (src): pure-ftpd-1.0.32-5.4.1
I still have an issue on openSUSE 12.2 when using PAMAuthentication yes. When I use UnixAuthentication it works fine. Am I missing something?
To give it another try, I used pure-ftpd-1.0.36-8.1.1.src.rpm from openSUSE 12.3 to build pure-ftpd-1.0.36-8.1.1.x86_64.rpm on openSUSE 12.2. Also with this, I run into the same issue with PAMAuthentication:

ftp:/etc/pure-ftpd # ftp localhost
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220-Welcome to Pure-FTPd.
220-You are user number 1 of 50 allowed.
220-Local time is now 14:45. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:root): dion
331 User dion OK. Password required
Password:
230-This server supports FXP transfers
230 OK. Current restricted directory is /
421 Service not available, remote server has closed connection.
ftp: No control connection for command.
ftp: No control connection for command.
ftp>

It is ok with UnixAuthentication:

ftp:/etc/pure-ftpd # ftp localhost
Trying ::1...
ftp: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
220-Welcome to Pure-FTPd.
220-You are user number 2 of 50 allowed.
220-Local time is now 14:47. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:root): dion
331 User dion OK. Password required
Password:
230-This server supports FXP transfers
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
12.2 is out of support. Please try with updated release on Leap/Tumbleweed and open a new issue if it is still happening.