Bug 443898 - >=net-ftp/vsftpd-3.0.0: 500 OOPS: priv_sock_get_cmd with seccomp_sandbox=YES (default)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Duplicates: 486092 644916
Blocks: seccomp
Reported: 2012-11-19 07:47 UTC by cyberbat
Modified: 2021-06-08 09:15 UTC
Description cyberbat 2012-11-19 07:47:23 UTC
vsftpd 3.0.2

ftp localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
500 OOPS: priv_sock_get_cmd
ftp> ls
Not connected.
ftp> quit

No log entries.

Workaround is setting
seccomp_sandbox=NO
in config.

emerge --info
Portage 2.1.11.31 (default/linux/amd64/10.0/desktop/kde, gcc-4.5.4, glibc-2.15-r3, 3.5.7-gentoo x86_64)
=================================================================
System uname: Linux-3.5.7-gentoo-x86_64-Intel-R-_Core-TM-_i7-3930K_CPU_@_3.20GHz-with-gentoo-2.1
Timestamp of tree: Mon, 19 Nov 2012 07:15:01 +0000
ld GNU ld (GNU Binutils) 2.22
ccache version 3.1.8 [enabled]
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.3-r2
dev-util/ccache:          3.1.8
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo x-gsom
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3 Q3AEULA PUEL LOKI-EULA Intel-SDP"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/home/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://gentoo.bloodhost.ru/ ftp://xeon.gentoo.ru/mirrors/Gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="ru en"
MAKEOPTS="-j13"
PKGDIR="/var/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/gsom"
SYNC="rsync://gentoo.bloodhost.ru/gentoo-portage"
USE="7zip X a52 aac acl acpi alsa amd64 amr audiofile bash-completion bluetooth branding bzip2 cairo cdda cddb cdio cdparanoia cdr cli consolekit cracklib crypt css cups cxx dbus declarative djvu dri dts dv dvd dvdr emboss encode exif ffmpeg firefox flac fontconfig fortran gd geoip gif gimp gmp gnutls gphoto2 gpm graphviz gsm gstreamer gtk iconv icu id3tag idn ieee1394 imagemagick imap imlib inotify iphone ipod ipv6 jabber jbig jingle jpeg jpeg2k kde kipi kvm ladspa lame lcms libnotify libsamplerate lm_sensors lzma lzo mac mad matroska midi mikmod mjpeg mmx mmxext mng modplug modules mp3 mp4 mpeg mplayer mudflap multilib musepack musicbrainz ncurses nls nptl nuv ogg openal openexr opengl openmp pam pango pcre pdf phonon plasma png policykit ppds pppd pulseaudio qt3support qt4 quicktime rar raw readline rss rtmp sasl scanner sdl semantic-desktop session smp sndfile socks5 speex spell sqlite sse sse2 sse3 sse4_1 ssl ssse3 startup-notification svg symlink syslog taglib theora threads thumbnail tiff timidity truetype tta udev udisks unicode upower usb v4l video vim-syntax vnc vorbis wavpack webkit webp wma wmf wxwidgets x264 xcb xcomposite xface xml xmp xmpp xpm xscreensaver xv xvid zip zlib" ALSA_CARDS="hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon authn_dbd authn_default authn_file authz_default authz_groupfile authz_host authz_owner authz_user autoindex cgid cern_meta dbd deflate dir dumpio env expires ext_filter filter headers imagemap include info log_config log_forensic logio mime mime_magic negotiation proxy rewrite setenvif speling status substitute unique_id userdir version vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="braindump flow karbon kexi krita sheets stage words" CAMERAS="ptp2 canon" COLLECTD_PLUGINS="df 
interface irq load memory rrdtool swap syslog" DRACUT_MODULES="caps lvm gensplash" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer pdfimport wiki-publisher" LINGUAS="ru en" PHP_TARGETS="php5-3" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="arm i386 x86_64" QEMU_USER_TARGETS="arm i386 x86_64" RUBY_TARGETS="ruby18 ruby19" SANE_BACKENDS="epson epson2" USERLAND="GNU" VIDEO_CARDS="fglrx radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2012-11-19 10:55:09 UTC
IIRC this will be fixed in the next upstream version
Comment 2 Jarry 2013-05-09 19:39:30 UTC
I'm not sure if this is the same problem, but I get this message in ftp-client (500 OOPS: priv_sock_get_cmd) when I include "syslog_enable=YES" in vsftpd.conf. If I remove that option from vsftpd.conf, all works as expected...

And one more thing: I noticed there is no message recorded to any log-file when I restart vsftpd (/etc/init.d/vsftpd restart). vsftpd is restarted and messages are printed on the console-screen, but not recorded to /var/log/messages or anywhere else...
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2013-10-03 07:26:37 UTC
*** Bug 486092 has been marked as a duplicate of this bug. ***
Comment 4 cyberbat 2014-02-04 18:01:59 UTC
(In reply to Jarry from comment #2)
> I'm not sure if this is the same problem, but I get this message in
> ftp-client (500 OOPS: priv_sock_get_cmd) when I include "syslog_enable=YES"
> in vsftpd.conf. If I remove that option from vsftpd.conf, all works as
> expected...
> 
> And one more thing: I noticed there is no message recorded to any log-file
> when I restart vsftpd (/etc/init.d/vsftpd restart). vsftpd is restarted and
> messages are printed on the console-screen, but not recorded to
> /var/log/messages or anywhere else...

Thank you! I confirm this. Instead of turning sandbox off we can just make it log to its own file, not to syslog, while waiting for fixed version.
Comment 5 Jan Psota 2016-06-09 10:10:14 UTC
To next/fast readers:
        seccomp_sandbox=NO
in vsftpd resolves the problem.

I found it here first: https://bugzilla.redhat.com/show_bug.cgi?id=845980
and think setting seccomp_sandbox=NO should be default (added to example config by emerge) until this bug is fixed (it rather won't be), because it took me about an hour to find "what I'm doing wrong with vsftpd configuration?" before I started to search for a bug.
Comment 6 Pacho Ramos gentoo-dev 2018-06-27 09:46:01 UTC
*** Bug 644916 has been marked as a duplicate of this bug. ***
Comment 7 Richard Gray 2020-02-07 08:16:53 UTC
I have had the *exact* same problem as cyberbat.

The UNDOCUMENTED feature of seccomp_sandbox=NO has fixed the problem, after hours of hacking away at this problem. Happily, the server now behaves just as I want it to for internet facing connections.
Comment 8 Larry the Git Cow gentoo-dev 2020-02-07 18:00:37 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08b7452ea7abf8bfc814520d9b93b39e3b8cdc39

commit 08b7452ea7abf8bfc814520d9b93b39e3b8cdc39
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-02-07 17:59:06 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-02-07 17:59:06 +0000

    net-ftp/vsftpd: disable seccomp_sandbox by default
    
    Closes: https://bugs.gentoo.org/443898
    Package-Manager: Portage-2.3.86_p1, Repoman-2.3.20_p43
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../files/vsftpd-disable-seccomp-sandbox.patch     | 15 ++++++++
 ...ftpd-3.0.3-r2.ebuild => vsftpd-3.0.3-r3.ebuild} | 45 ++++++++++++----------
 2 files changed, 40 insertions(+), 20 deletions(-)
Comment 9 Mike Gilbert gentoo-dev 2020-03-20 23:49:52 UTC
I'm keeping this bug open because the seccomp code in vsftpd is still broken. Disabling seccomp is a workaround that should be removed if the upstream developer ever fixes it.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 00:07:03 UTC
(In reply to Mike Gilbert from comment #9)
> I'm keeping this bug open because the seccomp code in vsftpd is still
> broken. Disabling seccomp is a workaround that should be removed if the
> upstream developer ever fixes it.

Thanks.

Possible patch: https://github.com/opencomputeproject/Rack-Manager/blob/master/Contrib-Inspur/openbmc/meta-openembedded/meta-networking/recipes-daemons/vsftpd/vsftpd-3.0.3/0001-vsftpd-allow-syscalls-in-the-seccomp-sandbox.patch

When I get a chance, I'll strace this and dig into it properly.
Comment 11 Larry the Git Cow gentoo-dev 2021-06-08 09:15:52 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd084561a392cdbfe60d4240abf7069b9c8d78bd

commit fd084561a392cdbfe60d4240abf7069b9c8d78bd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-08 09:15:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-08 09:15:46 +0000

    net-ftp/vsftpd: add 3.0.4
    
    Restores seccomp filtering as changes were made upstream.
    
    Closes: https://bugs.gentoo.org/443898
    Signed-off-by: Sam James <sam@gentoo.org>

 net-ftp/vsftpd/Manifest            |   1 +
 net-ftp/vsftpd/vsftpd-3.0.4.ebuild | 147 +++++++++++++++++++++++++++++++++++++
 2 files changed, 148 insertions(+)
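
As an added example (not part of the bug report or of the Gentoo ebuild), a shell check that reads a vsftpd.conf and reports which of the situations discussed in this bug it is in. The function names, result labels and sample configs are constructed here; it assumes the last assignment of an option wins and that syslog_enable defaults to NO.

```shell
# Added example (not from the bug report): audit vsftpd.conf for seccomp_sandbox and syslog_enable.

# Print the effective value of option $2 in file $1, or default $3.
# Assumption: option=value lines, "#" comment lines, last assignment wins.
effective_option() {
    awk -v opt="$2" -v def="$3" '
        /^#/ { next }
        index($0, opt "=") == 1 {
            val = substr($0, length(opt) + 2)
            sub(/[ \t\r]+$/, "", val)
            found = 1
        }
        END { print (found ? val : def) }
    ' "$1"
}

# Normalise a vsftpd boolean (YES/TRUE/1, NO/FALSE/0, any case) to YES or NO.
to_bool() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *) echo INVALID ;;
    esac
}

# audit_vsftpd_conf FILE [SECCOMP_DEFAULT]
# SECCOMP_DEFAULT is the build's default: YES per the bug title, NO where the disabling patch is applied.
audit_vsftpd_conf() {
    seccomp=$(to_bool "$(effective_option "$1" seccomp_sandbox "${2:-YES}")")
    syslog=$(to_bool "$(effective_option "$1" syslog_enable NO)")
    if [ "$seccomp" = INVALID ] || [ "$syslog" = INVALID ]; then
        echo "invalid: unparseable boolean"
    elif [ "$seccomp" = NO ]; then
        echo "sandbox-off: workaround active, revisit after upgrading to 3.0.4"
    elif [ "$syslog" = YES ]; then
        echo "at-risk: seccomp_sandbox with syslog_enable=YES (comments 2 and 4)"
    else
        echo "sandboxed: seccomp filter on, syslog_enable off"
    fi
}

# Constructed sample configs.
SAMPLES=$(mktemp -d)
printf 'listen=YES\nsyslog_enable=YES\n' > "$SAMPLES/syslog.conf"
printf '#seccomp_sandbox=YES\nseccomp_sandbox=NO\nsyslog_enable=YES\n' > "$SAMPLES/workaround.conf"
printf 'listen=YES\nxferlog_enable=YES\n' > "$SAMPLES/plain.conf"
for f in syslog workaround plain; do
    printf '%s: %s\n' "$f" "$(audit_vsftpd_conf "$SAMPLES/$f.conf")"
done
```

Pass NO as the second argument when auditing a host whose vsftpd build has the sandbox disabled by default, so an unset seccomp_sandbox is reported as off rather than on.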