Bug 1297264 - Backport fix for handling/propagation of SUID/SGID bits from parent directory
Status: ON_QA
Product: Fedora EPEL
Classification: Fedora
Component: proftpd
Version: el6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Assigned To: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2016-01-10 22:00 EST by Roger Williams
Modified: 2016-07-02 11:18 EDT
Fixed In Version: proftpd-1.3.3g-8.el6
Doc Type: Bug Fix
Last Closed: 2016-01-31 20:53:40 EST
Type: Bug


Description Roger Williams 2016-01-10 22:00:01 EST
Description of problem:

An update of the proftpd EPEL package for el6 a few years ago introduced a bug related to not respecting SUID/SGID bits on a parent directory. The proftpd upstream identified this issue and fixed it back to v1.3.4. See the final comments (26-30) in their tracker:

http://bugs.proftpd.org/show_bug.cgi?id=3841

But the problem is still present in the EPEL package. Can the bugfix be backported to that?

Version-Release number of selected component (if applicable):

proftpd-1.3.3g-7.el6

How reproducible:

Every time.

Steps to Reproduce:
1. Make a parent directory in an anonymous area. Define a group and SGID for that directory.
2. Connect anonymously using proftpd. Make a subdirectory of that parent.


Actual results:
The newly created subdirectory will be missing the SGID bit.

Expected results:
The newly created subdirectory should have SGID set to match the parent. (This was the case in early proftpd.*.el6 versions before the bug was introduced)
Comment 1 Paul Howarth 2016-01-12 06:55:09 EST
I'm struggling to reproduce this; the SGID bit is working for me in my tests, both with and without use of UserOwner/GroupOwner. If I create a directory in an anonymous area with the SGID bit set, I always get the SGID bit in the resulting directory.

Can you tell me what configuration you're using for proftpd, and the directory structure/permissions?

It looks like the fix for CVE-2012-6095 introduced whatever issue you're having. The update looks easy enough to backport once I can actually reproduce the issue to test it.
Comment 2 Paul Howarth 2016-01-12 07:14:35 EST
Here is a scratch build you can try:

http://koji.fedoraproject.org/koji/taskinfo?taskID=12515129
Comment 3 Roger Williams 2016-01-12 14:44:00 EST
Here is part of the server configuration:
ServerType                      standalone
Umask                           022
...
<Anonymous /data/ftp>
  User                          ftpanon
  Group                         ftpanon
  UserAlias                     ftp ftpanon
  UserAlias                     anonymous ftpanon
...
  <Directory pub/incoming>
    <Limit WRITE>
      AllowAll
    </Limit>
  </Directory>


Here are the actual permissions of the pub/incoming directory:

drwxrwsrwx 13 root    ftpanon 12288 Jan 13 08:26 incoming/


Now use an ftp client to make a directory in pub/incoming:

230 Anonymous login ok, restrictions apply.
ftp> cd pub/incoming
250 CWD command successful
ftp> mkdir foo
257 "/pub/incoming/foo" - Directory successfully created
ftp> quit
221 Goodbye.


And here are the permissions of the newly-created directory:

drwxr-xr-x  2 ftpanon ftpanon  4096 Jan 13 08:26 foo/

[missing the sgid bit on the directory. This used to be propagated]


Contact me directly if you need more detail of the configuration.

--
Roger W
Comment 4 Paul Howarth 2016-01-13 09:22:32 EST
OK, I've reproduced the problem (I got rid of mod_vroot in my configuration) and the scratch build from Comment #2 fixes it for me. Can you give it a try?
Comment 5 Roger Williams 2016-01-13 19:57:36 EST
Looks good.

[ Standard CentOS 6.x with proftpd-1.3.3g-7]

230 Anonymous login ok, restrictions apply.
ftp> cd pub/incoming
250 CWD command successful
ftp> mkdir made-with-1.3.3g-7    
257 "/pub/incoming/made-with-1.3.3g-7" - Directory successfully created
ftp> quit
221 Goodbye.

[ Installed your proftpd-1.3.3g-8.el6.x86_64.rpm ]

230 Anonymous login ok, restrictions apply.
ftp> cd pub/incoming
250 CWD command successful
ftp> mkdir made-with-1.3.3g-8
257 "/pub/incoming/made-with-1.3.3g-8" - Directory successfully created
ftp> quit
221 Goodbye.

These are the created directory permissions for comparison:

drwxrwsrwx 4 root    ftpanon 4096 Jan 14 13:51 ./
drwxr-xr-x 3 root    root    4096 Jan 14 13:39 ../
drwxr-xr-x 2 ftpanon ftpanon 4096 Jan 14 13:49 made-with-1.3.3g-7/
drwxr-sr-x 2 ftpanon ftpanon 4096 Jan 14 13:51 made-with-1.3.3g-8/


So, the SGID bit is being propagated as expected now.

Thanks,
Roger W.
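
Added example (not part of the bug report and not proftpd code): the listing in Comment 5 shows that a directory created while proftpd-1.3.3g-7 was installed keeps its mode after the update, so the following shell function lists directories that lack the SGID bit although their parent has it. The function names and the sample tree built by build_demo_tree are constructed for this illustration.

```shell
#!/bin/sh
# find_missing_sgid ROOT
# Print every directory below ROOT that lacks the SGID bit although its
# parent directory has it set, i.e. directories where the bit was not
# propagated at creation time.
find_missing_sgid() {
    # -perm -2000 matches "SGID set"; the leading ! selects the opposite.
    # The inner sh receives the candidate paths as arguments, so names
    # containing spaces or newlines are handled correctly.
    find "$1" -mindepth 1 -type d ! -perm -2000 -exec sh -c '
        for dir do
            # test -g is true when the set-group-ID bit is set
            if [ -g "$(dirname "$dir")" ]; then
                printf "%s\n" "$dir"
            fi
        done' sh {} +
}

# build_demo_tree BASE
# Constructed sample data mirroring the listing in Comment 5: an SGID
# "incoming" directory with one child missing the bit and one carrying it.
build_demo_tree() {
    mkdir -p "$1/incoming"
    chmod g+s "$1/incoming"
    mkdir "$1/incoming/made-with-1.3.3g-7" "$1/incoming/made-with-1.3.3g-8"
    # A plain mkdir under an SGID parent inherits the bit on Linux, and GNU
    # chmod keeps it on directories for numeric modes such as 755, so clear
    # it symbolically to model the affected build.
    chmod g-s "$1/incoming/made-with-1.3.3g-7"
    chmod g+s "$1/incoming/made-with-1.3.3g-8"
}

# Demonstration on the constructed tree.
demo=$(mktemp -d)
build_demo_tree "$demo"
find_missing_sgid "$demo/incoming"
rm -rf "$demo"
```

A reported directory can be corrected with chmod g+s. Run the check again afterwards, because subdirectories of a reported directory only show up once their parent carries the bit.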
Comment 6 Fedora Update System 2016-01-14 03:37:39 EST
proftpd-1.3.3g-8.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-690aa89065
Comment 7 Fedora Update System 2016-01-15 03:55:03 EST
proftpd-1.3.3g-8.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-690aa89065
Comment 8 Fedora Update System 2016-01-31 20:53:36 EST
proftpd-1.3.3g-8.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2016-03-15 07:08:30 EDT
proftpd-1.3.3g-5.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
Comment 10 Fedora Update System 2016-03-15 22:16:47 EDT
proftpd-1.3.3g-5.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
Comment 11 Fedora Update System 2016-06-11 06:34:12 EDT
proftpd-1.3.3g-6.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
Comment 12 Fedora Update System 2016-06-12 19:17:06 EDT
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
Comment 13 Fedora Update System 2016-07-02 11:18:27 EDT
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
