[Bug 1219857] Re: vsftpd connections fail on amd64: "500 OOPS: child died"
Robie Basak
1219857 at bugs.launchpad.net
Tue Apr 29 16:09:29 UTC 2014
** Description changed:
+ [Impact]
+
+ vsftpd is broken by default. seccomp sandboxing is turned on by default,
+ and it doesn't work because it blocks itself from gettimeofday() calls
+ for logging. The workaround is to disable seccomp sandboxing, which
+ removes one layer of protection. vsftpd is security sensitive, so this
+ is far from ideal.
+
+ [Development Fix]
+
+ Patched the seccomp sandbox to permit gettimeofday() calls. Patch sent
+ upstream; no response received yet (24 hours, so a little early to
+ expect a response).
+
+ dep8 test added to detect this in the future.
+
+ [Stable Fix]
+
+ Same as development fix.
+
+ [Test Case]
+
+ The included dep8 test automatically verifies the fix for this bug.
+ Manual steps:
+
+ apt-get install vsftpd
+ ftp localhost
+ Press enter (to accept the default user)
+
+ Expected result: password prompt
+ Actual result: 500 oops
+
+ [Regression Potential]
+
+ seccomp sandboxing does not appear to work at all (in the default
+ configuration, at least), and the patch only alters seccomp sandboxing.
+ Thus those not using seccomp sandboxing should not be affected. This is
+ a security sensitive patch, but the gettimeofday() call that is now
+ permitted can only receive the time and cannot do anything to the
+ system.
+
+ It is possible that adding an extra call to the whitelist could overflow
+ something and break seccomp sandboxing in some drastic and insecure way,
+ but the code involved is relatively small and appears to have
+ appropriate bounds checking.
+
+ [Workaround]
+
Adding seccomp_sandbox=NO to /etc/vsftpd.conf works around this issue
but turns off the nice sandboxing feature.
ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: vsftpd 3.0.2-1ubuntu2
ProcVersionSignature: User Name 3.10.0-6.17-generic 3.10.3
Uname: Linux 3.10.0-6-generic x86_64
ApportVersion: 2.12.1-0ubuntu3
Architecture: amd64
Date: Mon Sep 2 14:20:38 2013
Ec2AMI: ami-0000008b
Ec2AMIManifest: FIXME
Ec2AvailabilityZone: nova
Ec2InstanceType: m1.small
Ec2Kernel: aki-00000002
Ec2Ramdisk: ari-00000002
MarkForUpload: True
ProcEnviron:
TERM=screen
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: vsftpd
UpgradeStatus: No upgrade log present (probably fresh install)
vsftpd.log: Error: [Errno 13] Permission denied: '/var/log/vsftpd.log'
** Changed in: vsftpd (Ubuntu Trusty)
Status: New => Triaged
** Changed in: vsftpd (Ubuntu Trusty)
Importance: Undecided => High
** Changed in: vsftpd (Ubuntu Trusty)
Assignee: (unassigned) => Robie Basak (racb)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in Ubuntu.
https://bugs.launchpad.net/bugs/1219857