Debian Bug report logs -
#819546
vsftpd no longer starts with systemd because of listen_ipv6=NO from Bug: #803999
Reported by: Louis Bouchard <louis.bouchard@ubuntu.com>
Date: Wed, 30 Mar 2016 10:36:02 UTC
Severity: grave
Found in version vsftpd/3.0.3-3
Fixed in version vsftpd/3.0.3-5
Done: Gianfranco Costamagna <locutusofborg@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, louis.bouchard@ubuntu.com, Jörg Frings-Fürst <debian@jff-webhosting.net>:
Bug#819546; Package vsftpd.
(Wed, 30 Mar 2016 10:36:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Louis Bouchard <louis.bouchard@ubuntu.com>:
New Bug report received and forwarded. Copy sent to louis.bouchard@ubuntu.com, Jörg Frings-Fürst <debian@jff-webhosting.net>.
(Wed, 30 Mar 2016 10:36:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: vsftpd
Version: 3.0.3-3
Severity: grave
Justification: renders package unusable
Dear Maintainer,
Bug #803999 sets listen_ipv6=NO as stated in the manpage. In doing so, it
breaks the systemd unit vsftpd which tries to do the following :
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
Running the command manually leads to :
# /usr/sbin/vsftpd /etc/vsftpd.conf
500 OOPS: vsftpd: not configured for standalone, must be started from inetd
Switching back listen_ipv6=YES allows the vsftpd daemon to start correctly.
Right now, installing vsftpd in a fresh debian/sid will lead to a failure to
start unless the parameter is set to listen_ipv6=YES.
This can be easily shown by running the DEP8 test :
Setting up adt-satdep (0) ...
Processing triggers for systemd (229-3ubuntu1) ...
(Reading database ... 87432 files and directories currently installed.)
Removing adt-satdep (0) ...
adt-run [10:50:30]: test smoke: [-----------------------
+ sed -i s/^#\(write_enable=YES\)$/\1/ /etc/vsftpd.conf
+ service vsftpd reload
vsftpd.service is not active, cannot reload.
adt-run [10:50:31]: test smoke: -----------------------]
adt-run [10:50:32]: test smoke: - - - - - - - - - - results - - - - - - - - - -
smoke FAIL non-zero exit status 1
The systemd service will clearly not work with such a configuration. So either the
default in the manpage needs to be changed, or the unit needs to force the option
with :
/usr/sbin/vsftpd /etc/vsftpd.conf -olisten_ipv6=YES
In such a case, it should be outlined somewhere in the manpage.
-- Package-specific info:
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13.0-83-generic (SMP w/12 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages vsftpd depends on:
ii adduser 3.114
ii debconf [debconf-2.0] 1.5.59
ii init-system-helpers 1.29
ii libc6 2.22-4
ii libcap2 1:2.24-12
ii libpam-modules 1.1.8-3.2
ii libpam0g 1.1.8-3.2
ii libssl1.0.2 1.0.2g-1
ii libwrap0 7.6.q-25
ii netbase 5.3
Versions of packages vsftpd recommends:
ii logrotate 3.8.7-2
ii ssl-cert 1.0.37
vsftpd suggests no packages.
-- debconf information:
vsftpd/username: ftp
vsftpd/directory: /srv/ftp
[vsftpd.conf (text/plain, attachment)]
Severity set to 'normal' from 'grave'
Request was from Jörg Frings-Fürst <debian@jff-webhosting.net>
to control@bugs.debian.org.
(Thu, 31 Mar 2016 04:09:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>:
Bug#819546; Package vsftpd.
(Thu, 31 Mar 2016 04:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to debian@jff-webhosting.net:
Extra info received and forwarded to list. Copy sent to Jörg Frings-Fürst <debian@jff-webhosting.net>.
(Thu, 31 Mar 2016 04:15:04 GMT) (full text, mbox, link).
Message #12 received at 819546@bugs.debian.org (full text, mbox, reply):
severity 819546 normal
thanks
Hello Louis,
thank you for spending your time helping to make Debian better with
this bug report.
I think that no configuration of vsftpd should be activated without
verification.
FTP is also not a service that is absolutely necessary immediately
after a new installation for the system functionality.
And there are many example configurations in the documentation.
I do not close this bug because when installing no notice will be
posted.
CU
Jörg
--
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB 30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key : 8CA1D25D
CAcert Key S/N : 0E:D4:56
Old pgp Key: BE581B6E (revoked since 2014-12-31).
Jörg Frings-Fürst
D-54538 Bausendorf
Threema: SYR8SJXB
IRC: j_f-f@freenode.net
j_f-f@oftc.net
My wish list:
- Please send me a picture from the nature at your home.
Information forwarded
to debian-bugs-dist@lists.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>:
Bug#819546; Package vsftpd.
(Thu, 31 Mar 2016 12:57:18 GMT) (full text, mbox, link).
Acknowledgement sent
to Louis Bouchard <louis.bouchard@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Jörg Frings-Fürst <debian@jff-webhosting.net>.
(Thu, 31 Mar 2016 12:57:18 GMT) (full text, mbox, link).
Message #17 received at 819546@bugs.debian.org (full text, mbox, reply):
Hello,
On 31/03/2016 06:04, Jörg Frings-Fürst wrote:
> severity 819546 normal
> thanks
>
> Hello Louis,
>
> thank you for spending your time helping to make Debian better with
> this bug report.
>
> I think that no configuration of vsftpd should be activated without
> verification.
>
> FTP is also not a service that is absolutely necessary immediately
> after a new installation for the system functionality.
>
> And there are many example configurations in the documentation.
>
> I do not close this bug because when installing no notice will be
> posted.
>
> CU
> Jörg
>
>
>
I must disagree. First of all, it is an accepted policy that daemons on Debian
do start upon installation of the package. This was the case with vsftpd up
until vsftpd_3.0.2 and only got changed with Bug: #803999.
This bug introduces a regression, including on debian/stable which also sets
listen_ipv6=YES.
As a side note, it is not uncommon to set configuration options that diverge
from the default as we can see in man ssh_config :
" Note that the Debian openssh-client package sets several options as
standard in /etc/ssh/ssh_config which are not the
default in ssh(1):
· SendEnv LANG LC_*
· HashKnownHosts yes
· GSSAPIAuthentication yes"
I do believe that listen_ipv6 should be brought back to YES to avoid the
regression and that the manpage should be updated to indicate such a modification.
vsftpd's anonymous access is disabled by default so the systematic enablement of
vsftpd is what should be expected.
Kind regards,
...Louis
--
Louis Bouchard
Software engineer,
Ubuntu Developer / Debian Maintainer
GPG : 429D 7A3B DD05 B6F8 AF63 B9C4 8B3D 867C 823E 7A61
Information forwarded
to debian-bugs-dist@lists.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>:
Bug#819546; Package vsftpd.
(Sat, 07 May 2016 15:09:07 GMT) (full text, mbox, link).
Acknowledgement sent
to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Jörg Frings-Fürst <debian@jff-webhosting.net>.
(Sat, 07 May 2016 15:09:07 GMT) (full text, mbox, link).
Message #22 received at 819546@bugs.debian.org (full text, mbox, reply):
Hi!
> I must disagree. First of all, it is an accepted policy that daemons
> on Debian do start upon installation of the package.
Indeed. It's the case for Apache, too, for example.
However, upstream can't seem to agree on the default values either.
From the manpage from the upstream tarball:
listen
If enabled, vsftpd will run in standalone mode. This means that vsftpd
must not be run from an inetd of some kind. Instead, the vsftpd executable
is run once directly. vsftpd itself will then take care of
listening for and handling incoming connections.
Default: NO
listen_ipv6
Like the listen parameter, except vsftpd will listen on an IPv6
socket instead of an IPv4 one. This parameter and the listen parameter
are mutually exclusive.
Default: NO
and from the sample vsftpd.conf:
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
So, while I would like to see this bug fixed and vsftpd behave
consistently with the remaining daemon packages in Debian, I
want the end result not to deviate too much from upstream.
Might be a good idea to report this issue upstream and ask them
to fix either the manpage or the configuration file so that in
the end, both files are consistent.
I don't really want to upload the package as it is currently
found on mentors.debian.net.
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
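Added example (not part of the original thread, and not Debian's or upstream's code): a POSIX shell check that classifies a vsftpd configuration by the two options discussed above, so the "not configured for standalone" case is caught before the unit is started. The function name vsftpd_listen_mode and the sample file are assumptions; the defaults are those of the quoted manpage, and -o overrides are assumed to follow the config file, as in the command proposed in the report.

```shell
#!/bin/sh
# Added example, not Debian's or upstream's code.
# Defaults follow the manpage quoted in this thread: listen=NO, listen_ipv6=NO.

# vsftpd_listen_mode CONF [-oNAME=VALUE ...]   (hypothetical helper name)
# Prints ipv4, ipv6, none, conflict or unreadable; returns 0 only when exactly
# one listen option is enabled, i.e. the daemon can start standalone.
vsftpd_listen_mode() {
    conf=$1; shift
    listen=NO; listen_ipv6=NO
    [ -r "$conf" ] || { echo unreadable; return 2; }
    # Assignments from the file first, then -o overrides in command-line order.
    settings=$(grep -E '^(listen|listen_ipv6)=' "$conf" || true)
    for arg in "$@"; do
        case $arg in
            -olisten=*|-olisten_ipv6=*) settings="$settings
${arg#-o}" ;;
        esac
    done
    # The last assignment of each option wins. Simplification: only YES
    # (in any letter case) counts as enabled.
    while IFS='=' read -r name value; do
        value=$(printf '%s' "$value" | tr -d '\r' | tr '[:lower:]' '[:upper:]')
        case $name in
            listen) listen=$value ;;
            listen_ipv6) listen_ipv6=$value ;;
        esac
    done <<EOF
$settings
EOF
    if [ "$listen" = YES ] && [ "$listen_ipv6" = YES ]; then
        echo conflict; return 1   # the two options are mutually exclusive
    elif [ "$listen" = YES ]; then
        echo ipv4
    elif [ "$listen_ipv6" = YES ]; then
        echo ipv6
    else
        echo none; return 1       # the "not configured for standalone" case
    fi
}

# Constructed sample mirroring the configuration described in the report.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' '# constructed sample' 'listen=NO' '#listen=YES' \
    'listen_ipv6=NO' 'anonymous_enable=NO' > "$sample"

vsftpd_listen_mode "$sample" || true                     # none
vsftpd_listen_mode "$sample" -olisten_ipv6=YES || true   # ipv6
```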
Information forwarded
to debian-bugs-dist@lists.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>:
Bug#819546; Package vsftpd.
(Mon, 16 May 2016 10:06:11 GMT) (full text, mbox, link).
Acknowledgement sent
to debian@jff-webhosting.net:
Extra info received and forwarded to list. Copy sent to Jörg Frings-Fürst <debian@jff-webhosting.net>.
(Mon, 16 May 2016 10:06:11 GMT) (full text, mbox, link).
Message #27 received at 819546@bugs.debian.org (full text, mbox, reply):
Hi,
my hints about that:
the comparison between Apache and vsftpd isn't possible. Vsftpd gives
access to the local user and so can be used for attacks to get local
access. Especially if there is an open IPv6 port, which on most
systems is not well configured.
And at a time when git: must be replaced with https:, the dogma for more
security must be "daemons starting only if needed and not starting
after install".
CU
Jörg
Information forwarded
to debian-bugs-dist@lists.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>:
Bug#819546; Package vsftpd.
(Wed, 18 May 2016 14:51:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Louis Bouchard <louis.bouchard@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Jörg Frings-Fürst <debian@jff-webhosting.net>.
(Wed, 18 May 2016 14:51:08 GMT) (full text, mbox, link).
Message #32 received at 819546@bugs.debian.org (full text, mbox, reply):
Hello,
To summarize :
1) This reverts an expected and accepted behavior in the Debian community where
daemons should start when installed with an adequate and secure configuration.
Other ftpd packages like pure-ftpd, twoftpd, tftpd-hpa and muddleftpd among
others all do start upon install.
2) This breaks the DEP8 test debian/tests/smoke that expects the vsftpd service
to be running. You might want to fix this or disable the test. This is how the
change in behavior got detected.
3) The installed vsftpd configuration is not considered secure enough to be
enabled by default.
Thank you for looking into this.
Kind regards,
...Louis
--
Louis Bouchard
Software engineer,
Ubuntu developer / Debian Maintainer
GPG : 429D 7A3B DD05 B6F8 AF63 B9C4 8B3D 867C 823E 7A61
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#819546; Package vsftpd.
(Tue, 05 Jul 2016 05:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Jeremy Bicha <jbicha@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.
(Tue, 05 Jul 2016 05:09:04 GMT) (full text, mbox, link).
Message #37 received at 819546@bugs.debian.org (full text, mbox, reply):
Control: severity -1 grave
Since the maintainer has orphaned this package [1] and therefore this
package is maintained by Debian in general, I'm resetting the bug
severity since I agree with the reporter that this is an RC issue.
Thanks,
Jeremy Bicha
Severity set to 'grave' from 'normal'
Request was from Jeremy Bicha <jbicha@ubuntu.com>
to 819546-submit@bugs.debian.org.
(Tue, 05 Jul 2016 05:09:04 GMT) (full text, mbox, link).
Reply sent
to Gianfranco Costamagna <locutusofborg@debian.org>:
You have taken responsibility.
(Tue, 05 Jul 2016 07:09:04 GMT) (full text, mbox, link).
Notification sent
to Louis Bouchard <louis.bouchard@ubuntu.com>:
Bug acknowledged by developer.
(Tue, 05 Jul 2016 07:09:04 GMT) (full text, mbox, link).
Message #44 received at 819546-close@bugs.debian.org (full text, mbox, reply):
Source: vsftpd
Source-Version: 3.0.3-5
We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 819546@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofborg@debian.org> (supplier of updated vsftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 05 Jul 2016 08:55:01 +0200
Source: vsftpd
Binary: vsftpd vsftpd-dbg
Architecture: source
Version: 3.0.3-5
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg@debian.org>
Description:
vsftpd - lightweight, efficient FTP server written for security
vsftpd-dbg - lightweight, efficient FTP server written for security (debug)
Closes: 819546
Changes:
vsftpd (3.0.3-5) unstable; urgency=medium
.
* QA upload.
* Cherry-pick the Ubuntu fix for ipv6 (Closes: #819546)
- thanks Louis Bouchard and Jeremy Bicha
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 09 Aug 2016 07:33:40 GMT) (full text, mbox, link).
Last modified:
Sun Jan 7 00:26:44 2018;