From d0822112a785f4849c134ec303204ea1e1586cbe Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: May 03 2017 14:44:00 +0000
Subject: Check for symlinks in home directory path as logging-in user

AllowChrootSymlinks off could cause login failures depending on filesystem permissions: use the IDs of the logging-in user to perform the directory walk, looking for symlinks, to be more consistent with similar checks done during login (#1443507, upstream bug 4306)

Also, require perl(Crypt::CrackLib) unconditionally now (for ftpasswd)
---
diff --git a/459693c7.patch b/459693c7.patch
new file mode 100644
index 0000000..2dbb55f
--- /dev/null
+++ b/459693c7.patch
@@ -0,0 +1,31 @@
+From 459693c70c83b7d173ec10bb8089d4ce4e59d301 Mon Sep 17 00:00:00 2001
+From: TJ Saunders
+Date: Tue, 2 May 2017 19:56:39 -0700
+Subject: [PATCH] Bug#4306: AllowChrootSymlinks off could cause login failures
+ depending on filesystem permissions.
+
+Use the IDs of the logging-in user to perform the directory walk, looking
+for symlinks, to be more consistent with similar checks done during login.
+---
+ modules/mod_auth.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/modules/mod_auth.c b/modules/mod_auth.c
+index d93c630..2b76070 100644
+--- a/modules/mod_auth.c
++++ b/modules/mod_auth.c
+@@ -936,9 +936,13 @@ static int get_default_root(pool *p, int allow_symlinks, const char **root) {
+ path[pathlen-1] = '\0';
+ }
+
++ PRIVS_USER
+ res = is_symlink_path(p, path, pathlen);
++ xerrno = errno;
++ PRIVS_RELINQUISH
++
+ if (res < 0) {
+- if (errno == EPERM) {
++ if (xerrno == EPERM) {
+ pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
+ "(denied by AllowChrootSymlinks config)", path);
+ }
diff --git a/proftpd.spec b/proftpd.spec
index 4178380..edac854 100644
--- a/proftpd.spec
+++ b/proftpd.spec
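Review bot: In the `if (res < 0)` handling of the embedded mod_auth.c hunk, only `xerrno == EPERM` produces a log line, so a walk that fails for any other reason (for example a permission error on a path component while `is_symlink_path()` runs between `PRIVS_USER` and `PRIVS_RELINQUISH`) leaves no trace in the visible lines. Because this check gates the chroot, I would log that case as well: `} else { pr_log_pri(PR_LOG_WARNING, "error: unable to check DefaultRoot %s for symlinks: %s", path, strerror(xerrno)); }`. Saving `errno` into `xerrno` before `PRIVS_RELINQUISH` is the right order, and a one-line comment such as `/* save errno before the privilege switch can overwrite it */` would keep a later edit from reordering it. The declaration of `xerrno` and the rest of `get_default_root()`, including what is returned when `res < 0`, lie outside the hunk, so it is worth confirming that every non-EPERM failure still refuses the login rather than falling through.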
@@ -36,7 +36,7 @@ %global _hardened_build 1 #global prever rc3 -%global rpmrel 1 +%global rpmrel 2 Summary: Flexible, stable and highly-configurable FTP server Name: proftpd @@ -58,6 +58,7 @@ Source13: http://search.cpan.org/CPAN/authors/id/C/CL/CLEMBURG/Test-Unit-0.14.t Patch0: https://github.com/proftpd/proftpd/commit/d800ece1.patch Patch1: proftpd-1.3.5e-shellbang.patch Patch2: proftpd.conf-no-memcached.patch +Patch3: https://github.com/proftpd/proftpd/commit/459693c7.patch Patch4: proftpd-1.3.4rc1-mod_vroot-test.patch Patch27: proftpd-mod-vroot-0.9.2-bug3841.patch Requires(preun): coreutils, findutils @@ -162,6 +163,10 @@ Module to add PostgreSQL support to the ProFTPD FTP server. %package utils Summary: ProFTPD - Additional utilities Requires: %{name} = %{version}-%{release} +Requires: perl +# ftpasswd --use-cracklib requires Crypt::Cracklib +BuildRequires: perl(Crypt::Cracklib) +Requires: perl(Crypt::Cracklib) %description utils This package contains additional utilities for monitoring and configuring the @@ -195,6 +200,12 @@ cp -p %{SOURCE1} proftpd.conf # Change shellbangs /usr/bin/env perl ⇒ /usr/bin/perl %patch1 +# Check for symlinks in home directory path as logged-in user +# http://bugs.proftpd.org/show_bug.cgi?id=4306 +# https://bugzilla.redhat.com/show_bug.cgi?id=1443507 +# https://github.com/proftpd/proftpd/pull/496 +%patch3 -p1 + # If we're running the full test suite, include the mod_vroot test %patch4 -p1 -b .test_vroot 
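Review bot: The `Patch3:` URL names the upstream commit by an eight-character prefix, while the patch's own `From` line carries the full hash 459693c70c83b7d173ec10bb8089d4ce4e59d301; a full-hash reference stays unambiguous as the upstream repository grows. What gets built is the committed 459693c7.patch file, so this affects traceability only, and since rpmbuild takes the patch file name from the URL basename, changing the URL would also mean renaming that file. A lighter option is to record the full hash in the comment block above `%patch3 -p1`, e.g. `# upstream commit 459693c70c83b7d173ec10bb8089d4ce4e59d301`.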
@@ -473,6 +484,13 @@ fi %{_mandir}/man1/ftpwho.1* %changelog +* Wed May 3 2017 Paul Howarth - 1.3.5e-2 +- AllowChrootSymlinks off could cause login failures depending on filesystem + permissions: use the IDs of the logging-in user to perform the directory + walk, looking for symlinks, to be more consistent with similar checks done + during login (#1443507, upstream bug 4306) +- Crypt::CrackLib always available now + * Mon Apr 10 2017 Paul Howarth - 1.3.5e-1 - Update to 1.3.5e - SFTP clients using umac-64@openssh.com digest failed to connect