| Summary: | Backport fix for handling/propagation of SUID/SGID bits from parent directory | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Roger Williams <srlnrow> |
| Component: | proftpd | Assignee: | Paul Howarth <paul> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | el6 | CC: | itamar, matthias, paul |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | proftpd-1.3.3g-8.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-15 18:56:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Roger Williams
2016-01-11 03:00:01 UTC
I'm struggling to reproduce this; the SGID bit is working for me in my tests, both with and without use of UserOwner/GroupOwner. If I create a directory in an anonymous area with the SGID bit set, I always get the SGID bit in the resulting directory.

Can you tell me what configuration you're using for proftpd, and the directory structure/permissions?

It looks like the fix for CVE-2012-6095 introduced whatever issue you're having. The update looks easy enough to backport once I can actually reproduce the issue to test it.

Here is a scratch build you can try: http://koji.fedoraproject.org/koji/taskinfo?taskID=12515129

Here is part of the server configuration:
ServerType standalone
Umask 022
...
<Anonymous /data/ftp>
User ftpanon
Group ftpanon
UserAlias ftp ftpanon
UserAlias anonymous ftpanon
...
<Directory pub/incoming>
<Limit WRITE>
AllowAll
</Limit>
</Directory>
Here are the actual permissions of the pub/incoming directory:
drwxrwsrwx 13 root ftpanon 12288 Jan 13 08:26 incoming/
Now use an ftp client to make a directory in pub/incoming:
230 Anonymous login ok, restrictions apply.
ftp> cd pub/incoming
250 CWD command successful
ftp> mkdir foo
257 "/pub/incoming/foo" - Directory successfully created
ftp> quit
221 Goodbye.
And here are the permissions of the newly-created directory:
drwxr-xr-x 2 ftpanon ftpanon 4096 Jan 13 08:26 foo/
[missing the sgid bit on the directory. This used to be propagated]
Contact me directly if you need more detail of the configuration.
--
Roger W

OK, I've reproduced the problem (I got rid of mod_vroot in my configuration) and the scratch build from Comment #2 fixes it for me. Can you give it a try?

Looks good.
[ Standard CentOS 6.x with proftpd-1.3.3g-7]
230 Anonymous login ok, restrictions apply.
ftp> cd pub/incoming
250 CWD command successful
ftp> mkdir made-with-1.3.3g-7
257 "/pub/incoming/made-with-1.3.3g-7" - Directory successfully created
ftp> quit
221 Goodbye.
[ Installed your proftpd-1.3.3g-8.el6.x86_64.rpm ]
230 Anonymous login ok, restrictions apply.
ftp> cd pub/incoming
250 CWD command successful
ftp> mkdir made-with-1.3.3g-8
257 "/pub/incoming/made-with-1.3.3g-8" - Directory successfully created
ftp> quit
221 Goodbye.
These are the created directory permissions for comparison:
drwxrwsrwx 4 root ftpanon 4096 Jan 14 13:51 ./
drwxr-xr-x 3 root root 4096 Jan 14 13:39 ../
drwxr-xr-x 2 ftpanon ftpanon 4096 Jan 14 13:49 made-with-1.3.3g-7/
drwxr-sr-x 2 ftpanon ftpanon 4096 Jan 14 13:51 made-with-1.3.3g-8/
So, the SGID bit is being propagated as expected now.
Thanks,
Roger W.

proftpd-1.3.3g-8.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-690aa89065

proftpd-1.3.3g-8.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-690aa89065

proftpd-1.3.3g-8.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.3g-5.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

proftpd-1.3.3g-5.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

proftpd-1.3.3g-6.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846

proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
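
An audit for directories left without the SGID bit, as an added example that is not part of the bug report or of proftpd: it walks a tree and lists every subdirectory that lacks SGID although its parent has it, which is the state shown for made-with-1.3.3g-7 above. The function names and the temporary tree, modelled on that listing, are constructed for illustration.

```python
import os
import stat
import tempfile


def missing_sgid_children(root):
    """List directories lacking SGID although their parent directory has it.

    Returns (path, permission-bits) tuples, sorted by path. Symlinks are not
    followed, so a link planted in an upload area cannot redirect the walk.
    """
    findings = []
    for parent, dirnames, _files in os.walk(root, followlinks=False):
        if not os.lstat(parent).st_mode & stat.S_ISGID:
            continue  # parent does not ask for group inheritance
        for name in dirnames:
            path = os.path.join(parent, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode) and not mode & stat.S_ISGID:
                findings.append((path, stat.S_IMODE(mode)))
    return sorted(findings)


def build_constructed_tree(base):
    """Recreate the report's listing under `base` (constructed sample data)."""
    incoming = os.path.join(base, "incoming")
    layout = [
        (incoming, 0o2777),                                      # drwxrwsrwx
        (os.path.join(incoming, "made-with-1.3.3g-7"), 0o0755),  # drwxr-xr-x
        (os.path.join(incoming, "made-with-1.3.3g-8"), 0o2755),  # drwxr-sr-x
    ]
    for path, mode in layout:
        os.mkdir(path)
        # Own the group so the kernel keeps S_ISGID on chmod, then set the
        # mode explicitly: a plain mkdir(2) would inherit SGID on its own.
        os.chown(path, -1, os.getegid())
        os.chmod(path, mode)
    return incoming


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, mode in missing_sgid_children(build_constructed_tree(tmp)):
            print(f"{oct(mode)} {path}")
```

Directories reported by such a walk over the real upload area keep their mode after the package update, so each one still needs a manual chmod g+s.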