Description of problem:
An update of the proftpd EPEL package for el6 a few years ago introduced a bug related to not respecting SUID/SGID bits on a parent directory. The proftpd upstream identified this issue and fixed it back to v1.3.4. See the final comments (26-30) in their tracker: http://bugs.proftpd.org/show_bug.cgi?id=3841

But the problem is still present in the EPEL package. Can the bugfix be backported to that?

Version-Release number of selected component (if applicable):
proftpd-1.3.3g-7.el6

How reproducible:
Every time.

Steps to Reproduce:
1. Make a parent directory in an anonymous area. Define a group and SGID for that directory.
2. Connect anonymously using proftpd. Make a subdirectory of that parent.

Actual results:
The newly created subdirectory will be missing the SGID bit.

Expected results:
The newly created subdirectory should have SGID set to match the parent. (This was the case in early proftpd.*.el6 versions before the bug was introduced)
I'm struggling to reproduce this; the SGID bit is working for me in my tests, both with and without use of UserOwner/GroupOwner. If I create a directory in an anonymous area with the SGID bit set, I always get the SGID bit in the resulting directory. Can you tell me what configuration you're using for proftpd, and the directory structure/permissions? It looks like the fix for CVE-2012-6095 introduced whatever issue you're having. The update looks easy enough to backport once I can actually reproduce the issue to test it.
Here is a scratch build you can try: http://koji.fedoraproject.org/koji/taskinfo?taskID=12515129
Here is part of the server configuration:

ServerType standalone
Umask 022
...
<Anonymous /data/ftp>
  User ftpanon
  Group ftpanon
  UserAlias ftp ftpanon
  UserAlias anonymous ftpanon
  ...
  <Directory pub/incoming>
    <Limit WRITE>
      AllowAll
    </Limit>
  </Directory>

Here are the actual permissions of the pub/incoming directory:

drwxrwsrwx 13 root ftpanon 12288 Jan 13 08:26 incoming/

Now use an ftp client to make a directory in pub/incoming:

230 Anonymous login ok, restrictions apply.
ftp> cd pub/incoming
250 CWD command successful
ftp> mkdir foo
257 "/pub/incoming/foo" - Directory successfully created
ftp> quit
221 Goodbye.

And here are the permissions of the newly-created directory:

drwxr-xr-x 2 ftpanon ftpanon 4096 Jan 13 08:26 foo/

[missing the sgid bit on the directory. This used to be propagated]

Contact me directly if you need more detail of the configuration.

-- Roger W
OK, I've reproduced the problem (I got rid of mod_vroot in my configuration) and the scratch build from Comment #2 fixes it for me. Can you give it a try?
Looks good.

[ Standard CentOS 6.x with proftpd-1.3.3g-7 ]

230 Anonymous login ok, restrictions apply.
ftp> cd pub/incoming
250 CWD command successful
ftp> mkdir made-with-1.3.3g-7
257 "/pub/incoming/made-with-1.3.3g-7" - Directory successfully created
ftp> quit
221 Goodbye.

[ Installed your proftpd-1.3.3g-8.el6.x86_64.rpm ]

230 Anonymous login ok, restrictions apply.
ftp> cd pub/incoming
250 CWD command successful
ftp> mkdir made-with-1.3.3g-8
257 "/pub/incoming/made-with-1.3.3g-8" - Directory successfully created
ftp> quit
221 Goodbye.

These are the created directory permissions for comparison:

drwxrwsrwx 4 root    ftpanon 4096 Jan 14 13:51 ./
drwxr-xr-x 3 root    root    4096 Jan 14 13:39 ../
drwxr-xr-x 2 ftpanon ftpanon 4096 Jan 14 13:49 made-with-1.3.3g-7/
drwxr-sr-x 2 ftpanon ftpanon 4096 Jan 14 13:51 made-with-1.3.3g-8/

So, the SGID bit is being propagated as expected now.

Thanks,
Roger W.
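
An audit for the symptom reported in this bug, as an added example that is not part of the original report or of proftpd: it lists subdirectories that lack the SGID bit although their parent directory has it, such as directories created while the affected package was installed. The function name find_missing_sgid is made up for this example, and -mindepth/-maxdepth assume GNU or BSD find.

```shell
#!/bin/sh
# Added example (not from the bug report or from proftpd).
# find_missing_sgid is a hypothetical helper name.

# Print every directory below $1 that does not carry the SGID bit
# although its immediate parent does (the "made-with-1.3.3g-7" case
# in the listing above).
find_missing_sgid() {
    # Outer find: every directory that has SGID (mode bit 2000) set.
    # Inner find: its immediate subdirectories that do not have it.
    find "$1" -type d -perm -2000 -exec sh -c '
        for parent in "$@"; do
            find "$parent" -mindepth 1 -maxdepth 1 -type d ! -perm -2000 -print
        done
    ' sh {} +
}

# When called with a path argument, run the audit on that tree.
if [ "$#" -gt 0 ]; then
    find_missing_sgid "$1"
fi
```

Run it against the anonymous root (/data/ftp in the configuration quoted above); each directory it reports can be corrected with chmod g+s.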
proftpd-1.3.3g-8.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-690aa89065
proftpd-1.3.3g-8.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-690aa89065
proftpd-1.3.3g-8.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
proftpd-1.3.3g-5.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
proftpd-1.3.3g-5.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
proftpd-1.3.3g-6.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-bafacd5846
proftpd-1.3.3g-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.