Bug 599263 - Vsftpd anonymous login fails while ypbind is active on server
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: vsftpd
Version: 12
Hardware: All
OS: Linux
low
medium
Assignee: Jiri Skala
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-06-03 00:52 UTC by Need Real Name
Modified: 2014-11-09 22:33 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-06-05 01:36:29 UTC

Attachments
vsftpd.conf on server (4.39 KB, application/octet-stream)
2010-06-03 17:22 UTC, Need Real Name
rpcinfo output on server (1.35 KB, text/plain)
2010-06-03 17:22 UTC, Need Real Name
netstat output on server (346 bytes, text/plain)
2010-06-03 17:23 UTC, Need Real Name
lftp debug output with hang (809 bytes, text/plain)
2010-06-03 17:23 UTC, Need Real Name

Description Need Real Name 2010-06-03 00:52:54 UTC
Description of problem:

Anonymous login to vsftpd server fails when ypbind is active, and works when ypbind is temporarily stopped.

Version-Release number of selected component (if applicable):

vsftpd-2.2.2-3.fc12.x86_64, otherwise up to date Fedora 12 as of June 1, 2010.

How reproducible:

Always

Steps to Reproduce:
1. enable ypbind to an NIS server
2. enable vsftpd with anonymous access
3. try to login anonymously with an ftp client
  
Actual results:

% ftp my.host.fqdn
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to my.host.fqdn (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (my.host.fqdn:me): anonymous
331 Please specify the password.
Password:
do_ypcall: clnt_call: RPC: Unable to send; errno = Network is unreachable
Login failed.
ftp> 230 Login successful.
% 

Expected results:

crater::karlcz[~] ftp my.host.fqdn
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to my.host.fqdn (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (my.host.fqdn:me): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Additional info:

This does not seem to be affected by putting selinux into permissive or enforcing mode, and I do not see selinux audit events related to the failures. I have to turn off ypbind to get the success results.  Other activities using NIS seem to work, e.g. finger or finding a user's home directory all retrieve NIS results properly while ypbind is active.

This seems to be a recent regression, as the same host configuration, NIS environment, and vsftpd setup worked in the past with this host already running Fedora 12. However, I am not sure of the exact timeline of the regression... it may have been months ago, as the vsftpd service is seldom used on this host.

Comment 1 Jiri Skala 2010-06-03 09:11:09 UTC
Hi,
I'm not able to reproduce it. Watching your debug info I have additional questions/demands:

- could you provide me with netstat output (e.g. netstat -a | grep -e ftp -e bind)
- may I have your vsftpd.conf
- please try another ftp client - e.g. lftp -d

Thank you

Jiri

Comment 2 Jiri Skala 2010-06-03 11:34:26 UTC
Please try to get the output of 'rpcinfo' too.

Comment 3 Need Real Name 2010-06-03 17:22:30 UTC
Created attachment 419453
vsftpd.conf on server

Comment 4 Need Real Name 2010-06-03 17:22:58 UTC
Created attachment 419454
rpcinfo output on server

Comment 5 Need Real Name 2010-06-03 17:23:21 UTC
Created attachment 419455
netstat output on server

Comment 6 Need Real Name 2010-06-03 17:23:57 UTC
Created attachment 419456
lftp debug output with hang

Comment 7 Need Real Name 2010-06-03 17:25:59 UTC
I get the failure with lftp, though it is delayed until I try to issue the first command, and the client actually authenticates. In the attached output, it is hanging indefinitely after I issued the "ls" command. If I give an interrupt, it returns to the lftp prompt, but further commands also hang the same way.

Comment 8 Jiri Skala 2010-06-04 07:15:42 UTC
Hi,
thank you for the data. I'm still not able to reproduce it. Netstat output seems to be ok and rpcinfo as well.
So I have an additional wish. I'd like to see network traffic. Could you get network data with wireshark or tcpdump?

Thanks, Jiri

Comment 9 Need Real Name 2010-06-04 18:09:14 UTC
Can you be more specific about what traffic you want to see?  This host is in a busy production LAN with a steady flood of multicast and broadcast traffic... I can't very well provide a raw dump.

I forgot to mention, my nsswitch.conf uses these settings:

passwd:     compat
shadow:     files nis
group:      compat
hosts:      files dns

everything else is 'files' only.

My /etc/passwd ends with: +:*:::::/bin/false
My /etc/group ends with: +:::

Perhaps that will help in reproducing it?

What I don't understand is why it is doing any yp request at all, when the ftp client is authenticating as anonymous (which doesn't have anything to do with NIS accounts).
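
Added example, not part of the original report: a small model of glibc NSS source ordering applied to the nsswitch.conf settings quoted in Comment 9, showing which lookups reach NIS even for an account that exists locally. The local file contents other than the two "+" lines, the account name alice, and the function names are constructed for illustration; the example does not establish which lookup vsftpd itself performed.

```python
# Added example. Models glibc NSS source order for the nsswitch.conf in Comment 9.
NSSWITCH = """\
passwd:     compat
shadow:     files nis
group:      compat
hosts:      files dns
"""
# Constructed local files; only the trailing "+" lines are quoted from the report.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n"
          "+:*:::::/bin/false\n")
GROUP = "root:x:0:\nftp:x:50:\n+:::\n"

def parse_nsswitch(text):
    """Map database -> ordered sources; [STATUS=action] items are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            conf[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return conf

def sources_for_name(sources, file_text, name):
    """Sources consulted, in order, for a lookup of one name (getpwnam-style)."""
    consulted = []
    for src in sources:
        consulted.append(src)
        if src not in ("files", "compat"):
            continue
        for line in file_text.splitlines():
            key = line.split(":", 1)[0]
            if key == name:
                return consulted           # local entry found first: stop
            if src == "compat" and key == "+":
                consulted.append("nis")    # bare "+" entry pulls in the NIS map
                break
    return consulted

def sources_for_membership(sources, group_text):
    """Sources consulted to list a user's groups (initgroups-style): the whole
    file is read, so a bare "+" line always brings in NIS."""
    keys = [line.split(":", 1)[0] for line in group_text.splitlines()]
    consulted = []
    for src in sources:
        consulted.append(src)
        if src == "compat" and "+" in keys:
            consulted.append("nis")
    return consulted

def report(user):
    conf = parse_nsswitch(NSSWITCH)
    return {"passwd": sources_for_name(conf["passwd"], PASSWD, user),
            "group_membership": sources_for_membership(conf["group"], GROUP)}

if __name__ == "__main__":
    for user in ("ftp", "alice"):   # "alice" is a constructed NIS-only account
        print(user, report(user))
```

For the local ftp account the passwd lookup stops at the local entry, while listing its groups still reaches NIS through the "+:::" line in /etc/group.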

Comment 10 Need Real Name 2010-06-05 01:36:29 UTC
I found that the problem was on my machine.  I had forgotten that I encountered a problem with FTP previously, and had followed a procedure documented on a Fedora discussion forum which created a new SELinux module called "brokenftp"... I just did semodule -d brokenftp and now my problem with anonymous login seems to have gone away!

Sorry about the confusion.

