Bug 599263 - Vsftpd anonymous login fails while ypbind is active on server
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: vsftpd
Version: 12
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Jiri Skala
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-06-02 20:52 EDT by Need Real Name
Modified: 2014-11-09 17:33 EST

Doc Type: Bug Fix
Last Closed: 2010-06-04 21:36:29 EDT


Attachments:
- vsftpd.conf on server (4.39 KB, application/octet-stream), 2010-06-03 13:22 EDT, Need Real Name
- rpcinfo output on server (1.35 KB, text/plain), 2010-06-03 13:22 EDT, Need Real Name
- netstat output on server (346 bytes, text/plain), 2010-06-03 13:23 EDT, Need Real Name
- lftp debug output with hang (809 bytes, text/plain), 2010-06-03 13:23 EDT, Need Real Name

Description Need Real Name 2010-06-02 20:52:54 EDT
Description of problem:

Anonymous login to vsftpd server fails when ypbind is active, and works when ypbind is temporarily stopped.

Version-Release number of selected component (if applicable):

vsftpd-2.2.2-3.fc12.x86_64, otherwise up to date Fedora 12 as of June 1, 2010.

How reproducible:

Always

Steps to Reproduce:
1. enable ypbind to an NIS server
2. enable vsftpd with anonymous access
3. try to login anonymously with an ftp client
  
Actual results:

% ftp my.host.fqdn
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to my.host.fqdn (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (my.host.fqdn:me): anonymous
331 Please specify the password.
Password:
do_ypcall: clnt_call: RPC: Unable to send; errno = Network is unreachable
Login failed.
ftp> 230 Login successful.
% 

Expected results:

crater::karlcz[~] ftp my.host.fqdn
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to my.host.fqdn (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (my.host.fqdn:me): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Additional info:

This does not seem to be affected by putting selinux into permissive or enforcing mode, and I do not see selinux audit events related to the failures. I have to turn off ypbind to get the success results.  Other activities using NIS seem to work, e.g. finger or finding a user's home directory all retrieve NIS results properly while ypbind is active.

This seems to be a recent regression, as the same host configuration, NIS environment, and vsftpd setup worked in the past with this host already running Fedora 12. However, I am not sure of the exact timeline of the regression... it may have been months ago, as the vsftpd service is seldom used on this host.
Comment 1 Jiri Skala 2010-06-03 05:11:09 EDT
Hi,
I'm not able to reproduce it. Watching your debug info I have additional questions/demands:

- could you provide me with netstat output (e.g. netstat -a | grep -e ftp -e bind)
- may I have your vsftpd.conf
- please try another ftp client - e.g. lftp -d

Thank you

Jiri
Comment 2 Jiri Skala 2010-06-03 07:34:26 EDT
Please, try to get output of 'rpcinfo' too.
Comment 3 Need Real Name 2010-06-03 13:22:30 EDT
Created attachment 419453
vsftpd.conf on server
Comment 4 Need Real Name 2010-06-03 13:22:58 EDT
Created attachment 419454
rpcinfo output on server
Comment 5 Need Real Name 2010-06-03 13:23:21 EDT
Created attachment 419455
netstat output on server
Comment 6 Need Real Name 2010-06-03 13:23:57 EDT
Created attachment 419456
lftp debug output with hang
Comment 7 Need Real Name 2010-06-03 13:25:59 EDT
I get the failure with lftp, though it is delayed until I try to issue the first command, and the client actually authenticates.  In the attached output, it is hanging indefinitely after I issued the "ls" command.  If I give an interrupt it returns to the lftp prompt, but further commands also hang the same way.
Comment 8 Jiri Skala 2010-06-04 03:15:42 EDT
Hi,
thank you for the data. I'm still not able to reproduce it. Netstat output seems to be ok and rpcinfo as well.
So I have an additional wish. I'd like to see the network traffic. Could you get network data with wireshark or tcpdump?

Thanks, Jiri
Comment 9 Need Real Name 2010-06-04 14:09:14 EDT
Can you be more specific about what traffic you want to see?  This host is in a busy production LAN with a steady flood of multicast and broadcast traffic... I can't very well provide a raw dump.

I forgot to mention, my nsswitch.conf uses these settings:

passwd:     compat
shadow:     files nis
group:      compat
hosts:      files dns

everything else is 'files' only.

My /etc/passwd ends with: +:*:::::/bin/false
My /etc/group ends with: +:::

Perhaps that will help reproducing it?

What I don't understand is why it is doing any yp request at all, when the ftp client is authenticating as anonymous (which doesn't have anything to do with NIS accounts).
Comment 10 Need Real Name 2010-06-04 21:36:29 EDT
I found that the problem was on my machine.  I had forgotten that I encountered a problem with FTP previously, and had followed a procedure documented on a Fedora discussion forum which created a new SELinux module called "brokenftp"... I just did semodule -d brokenftp and now my problem with anonymous login seems to have gone away!

Sorry about the confusion.
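
The nsswitch.conf settings quoted in comment 9, worked through as an added example that is not part of the bug report or of vsftpd: it shows when a lookup under "passwd: compat" with a trailing "+" entry is answered from the local file and when it can reach NIS. The function names and the sample "root" and "ftp" passwd lines are constructed for illustration, and any line starting with "+" is treated as a NIS include.

```shell
# Added example: decide from nsswitch.conf and a flat file whether an NSS
# lookup for one account is answered locally or can reach NIS.

# nss_sources NSSWITCH DB: print DB's source list; [actions] are ignored.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") { $1 = ""; gsub(/\[[^]]*\]/, ""); print; exit }
    ' "$1"
}

# entry_line FILE REGEX: line number of the first match, 0 if none.
entry_line() {
    awk -v re="$2" '$0 ~ re { print NR; hit = 1; exit } END { if (!hit) print 0 }' "$1"
}

# lookup_path NSSWITCH DB FILE NAME: print local, nis or unresolved.
lookup_path() {
    acct=$(entry_line "$3" "^$4:")
    plus=$(entry_line "$3" '^[+]')
    for src in $(nss_sources "$1" "$2"); do
        case $src in
            files)  if [ "$acct" -gt 0 ]; then echo local; return; fi ;;
            compat) # compat reads the file top to bottom and asks NIS at "+"
                    if [ "$acct" -gt 0 ] && { [ "$plus" -eq 0 ] || [ "$acct" -lt "$plus" ]; }; then
                        echo local; return
                    fi
                    if [ "$plus" -gt 0 ]; then echo nis; return; fi ;;
            nis)    echo nis; return ;;
        esac
    done
    echo unresolved
}

# Constructed sample files using the settings quoted in comment 9.
make_sample() {
    printf '%s\n' 'passwd:     compat' 'shadow:     files nis' \
        'group:      compat' 'hosts:      files dns' > "$1/nsswitch.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin' \
        '+:*:::::/bin/false' > "$1/passwd"
}

demo=$(mktemp -d) && make_sample "$demo"
for user in ftp alice; do
    echo "$user: $(lookup_path "$demo/nsswitch.conf" passwd "$demo/passwd" "$user")"
done
rm -rf "$demo"
```

On a live host the same functions can be pointed at /etc/nsswitch.conf and /etc/passwd, and "getent passwd ftp" performs the real lookup for comparison.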
