Bug 22574 - Updated package: pure-ftpd
Summary: Updated package: pure-ftpd
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 22566
 
Reported: 2018-02-11 01:05 CET by Stig-Ørjan Smelror
Modified: 2018-02-17 13:20 CET

See Also:
Source RPM:
CVE:
Status comment:


Description Stig-Ørjan Smelror 2018-02-11 01:05:00 CET
Advisory
========

Fixed an issue where pure-ftpd didn't read the configuration file. Also fixed the startup scripts.

References
==========
https://bugs.mageia.org/show_bug.cgi?id=22566

Files
=====
These files have been pushed to core/updates_testing

pure-ftpd-1.0.47-1.2.mga6
pure-ftpd-anon-upload-1.0.47-1.2.mga6
pure-ftpd-anonymous-1.0.47-1.2.mga6

from pure-ftpd-1.0.47-1.2.mga6.src.rpm
Stig-Ørjan Smelror 2018-02-11 01:05:13 CET

Blocks: (none) => 22566

Comment 1 Thomas Backlund 2018-02-11 09:12:01 CET
Have you done the same fix in Cauldron ?

CC: (none) => tmb

Comment 2 Stig-Ørjan Smelror 2018-02-11 09:13:29 CET
Thomas.

It was late last night, so I am planning on fixing Cauldron today.

Cheers,
Stig
Comment 3 Len Lawrence 2018-02-11 10:55:02 CET
Mageia 6 :: x86_64

Installed the server packages before the update and found that the system needed to be rebooted before pure-ftpd would start.

After the update it appeared that things had regressed.  
# systemctl restart pure-ftpd
failed after a long wait.
# systemctl status pure-ftpd
● pure-ftpd.service - LSB: Pure FTPd FTP server
   Loaded: loaded (/etc/rc.d/init.d/pure-ftpd; generated; vendor preset: enabled
   Active: failed (Result: timeout) since Sun 2018-02-11 09:36:23 GMT; 3min 26s 
     Docs: man:systemd-sysv-generator(8)
  Process: 18334 ExecStart=/etc/rc.d/init.d/pure-ftpd start (code=exited, status
 Main PID: 4512 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/pure-ftpd.service
           └─10127 /usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf

Feb 11 09:31:23 difda systemd[1]: Starting LSB: Pure FTPd FTP server...
Feb 11 09:31:23 difda pure-ftpd[18334]: Starting Pure-ftpd: [  OK  ]
Feb 11 09:31:23 difda systemd[1]: pure-ftpd.service: PID file /var/run/pure-ftpd
Feb 11 09:36:23 difda systemd[1]: pure-ftpd.service: Start operation timed out. 
Feb 11 09:36:23 difda systemd[1]: Failed to start LSB: Pure FTPd FTP server.
Feb 11 09:36:23 difda systemd[1]: pure-ftpd.service: Unit entered failed state.
Feb 11 09:36:23 difda systemd[1]: pure-ftpd.service: Failed with result 'timeout

After a reboot pure-ftpd had still not started.
$ systemctl status pure-ftpd
● pure-ftpd.service - LSB: Pure FTPd FTP server
   Loaded: loaded (/etc/rc.d/init.d/pure-ftpd; generated; vendor preset: enabled
   Active: activating (start) since Sun 2018-02-11 09:46:46 GMT; 1min 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4470 ExecStart=/etc/rc.d/init.d/pure-ftpd start (code=exited, status=
   CGroup: /system.slice/pure-ftpd.service
           └─4510 /usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf

Warning: Journal has been rotated since unit was started. Log output is incomple
$ systemctl status pure-ftpd
● pure-ftpd.service - LSB: Pure FTPd FTP server
   Loaded: loaded (/etc/rc.d/init.d/pure-ftpd; generated; vendor preset: enabled
   Active: activating (start) since Sun 2018-02-11 09:46:46 GMT; 2min 13s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4470 ExecStart=/etc/rc.d/init.d/pure-ftpd start (code=exited, status=
   CGroup: /system.slice/pure-ftpd.service
           └─4510 /usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf

Warning: Journal has been rotated since unit was started. Log output is incomple

CC: (none) => tarazed25

Comment 4 Len Lawrence 2018-02-11 11:08:01 CET
Re comment 3.  Note that there was a long wait during the installation of the update package.  Trying to downgrade now and have hit the same problem.
Comment 5 Len Lawrence 2018-02-11 11:12:51 CET
# urpmi --downgrade pure-ftpd
The following package has to be removed for others to be upgraded:
pure-ftpd-1.0.47-1.2.mga6.x86_64
 (in order to install pure-ftpd-1.0.47-1.1.mga6.x86_64) (y/N) y


    $MIRRORLIST: media/core/updates/pure-ftpd-1.0.47-1.1.mga6.x86_64.rpm
installing pure-ftpd-1.0.47-1.1.mga6.x86_64.rpm from /var/cache/urpmi/rpms     
Preparing...                     #############################################
      1/1: pure-ftpd             #############################################
warning: %post(pure-ftpd-1.0.47-1.1.mga6.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for pure-ftpd-1.0.47-1.1.mga6.x86_64
      1/1: removing pure-ftpd-1.0.47-1.2.mga6.x86_64
                                 #############################################
Comment 6 Len Lawrence 2018-02-11 11:31:22 CET
Back to square one - the old version starts on boot OK.
Comment 7 Stig-Ørjan Smelror 2018-02-11 11:50:30 CET
Hi.

Thanks for the report.

At first I didn't experience the issues you mention, but then found out that I had the /var/run/pure-ftpd directory.

This is now added in the new update just pushed to updates_testing.

Cheers,
Stig
Comment 8 Stig-Ørjan Smelror 2018-02-11 11:52:11 CET
Advisory
========

Fixed an issue where pure-ftpd didn't read the configuration file.

References
==========
https://bugs.mageia.org/show_bug.cgi?id=22566

Files
=====
These files have been pushed to core/updates_testing

pure-ftpd-1.0.47-1.3.mga6
pure-ftpd-anon-upload-1.0.47-1.3.mga6
pure-ftpd-anonymous-1.0.47-1.3.mga6

from pure-ftpd-1.0.47-1.3.mga6.src.rpm
Comment 9 Len Lawrence 2018-02-11 12:19:40 CET
Thanks Stig.  Waiting for it to hit the mirrors.
Comment 10 Thomas Backlund 2018-02-11 12:25:18 CET
(In reply to Stig-Ørjan Smelror from comment #2)
> Thomas.
> 
> It was late last night, so I am planning on fixing Cauldron today.
> 

Your mentor should have told you that we always do "Cauldron first" for all fixes or something _will_ get forgotten...

(In reply to Stig-Ørjan Smelror from comment #7)
> Hi.
> 
> Thanks for the report.
> 
> At first I didn't experience the issues you mention, but then found out that
> I had the /var/run/pure-ftpd directory.
> 
> This is now added in the new update just pushed to updates_testing.
> 

Nope, wrong fix... which your mentor should have taught you...

_NOTHING_ should be packaged directly for /run /var/run...

rundir is a tmpfs, so you need to use tmpfiles

basically you need a conf file in /usr/lib/tmpfiles.d/

for example look at /usr/lib/tmpfiles.d/pam.conf to get an idea...
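
A minimal tmpfiles.d entry of the kind comment 10 describes, as an added example rather than the file shipped in the Mageia package; the file name, mode and ownership are assumptions.

```conf
# /usr/lib/tmpfiles.d/pure-ftpd.conf  (hypothetical file name)
# /run is a tmpfs and is empty after every boot, so a directory that a package
# ships under /run or /var/run is gone after the first reboot.
# systemd-tmpfiles recreates it from this entry at boot.
#
# Type  Path            Mode  User  Group  Age  Argument
d       /run/pure-ftpd  0755  root  root   -    -
#
# To create the directory right after installation, without a reboot:
#   systemd-tmpfiles --create /usr/lib/tmpfiles.d/pure-ftpd.conf
```
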
Comment 11 Stig-Ørjan Smelror 2018-02-11 12:48:00 CET
Thank you Thomas, for the lessons.

I will, from now on, do Cauldron first.

Cheers,
Stig
Comment 12 Stig-Ørjan Smelror 2018-02-11 13:00:41 CET
Advisory
========

Fixed an issue where pure-ftpd didn't read the configuration file and fixed the long startup time and failure.

References
==========
https://bugs.mageia.org/show_bug.cgi?id=22566

Files
=====
These files have been pushed to core/updates_testing

pure-ftpd-1.0.47-1.4.mga6
pure-ftpd-anon-upload-1.0.47-1.4.mga6
pure-ftpd-anonymous-1.0.47-1.4.mga6

from pure-ftpd-1.0.47-1.4.mga6.src.rpm
Comment 13 Len Lawrence 2018-02-11 19:17:09 CET
Mageia 6 :: x86_64

Installed pure-ftpd again and noted that the config file was placed in /usr/lib/tempfile.d.
Not possible to start it from the command line at that stage.
Rebooted and pure-ftpd was running at login.
The config file had been moved to /etc/pure-ftpd/ and a command-line restart succeeded immediately.

Installed ncftp.
$ ncftp -u lcl -p <password> vega
ncftp /home/lcl > get manifest.drm
manifest.drm:                                          114.00 B  257.11 kB/s  
ncftp /home/lcl > put Rakefile
Rakefile:                                              194.00 B   90.82 kB/s  
ncftp /home/lcl > ls Rake*
Rakefile

$ ncftp ftp://128.10.252.10/pub/
$ ncftp ftp://128.10.252.10/pub/
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 128.10.252.10...                                                  
::ffff:128.10.252.10 FTP server ready
Logging in...                                                                   
Anonymous access granted, restrictions apply
Logged in to 128.10.252.10.                                                     
Current remote directory is /pub.
ncftp /pub > ls
advisories/  doc/         ls-lR        tools/
dict/        lists/       os/
ncftp /pub > cd dict/dictionaries
ncftp /pub/dict/dictionaries > ls
DanKlein/          English/           Hindi/             Swedish/
DEC-collection/    Finnish/           Italian/
Dutch/             German/            Norwegian/
ncftp /pub/dict/dictionaries > ls Swedish
Fandboken.gz       words.swedish.Z
ncftp /pub/dict/dictionaries > get Swedish/Fandboken.gz
Fandboken.gz:                         174349 bytes  254.08 kB/s               
ncftp /pub/dict/dictionaries > exit

Assuming this is all OK.  Let me know if not so.

Whiteboard: (none) => MGA6-64-OK

Comment 14 Stig-Ørjan Smelror 2018-02-11 19:39:50 CET
Hi Len.

Please check if changes to /etc/pure-ftpd/pure-ftpd.conf are reflected after a restart.

For example, change the Bind port or enable TLS (with this, pure-ftpd should fail to start if you don't have a valid certificate).

Another easy test is to set ChrootEveryone to no, restart pure-ftpd and log in with your user and see if you're chrooted or not.

Regarding the config file you mention, it is a file that creates the pid file directory, re comment 10 by Thomas.

Cheers,
Stig
Len Lawrence 2018-02-11 20:53:56 CET

Whiteboard: MGA6-64-OK => (none)

Comment 15 Len Lawrence 2018-02-11 21:06:05 CET
Withdrawing 64-bit OK.

Tried the "easy" test - set ChrootEveryone to 'no' and restarted.

$ ncftp -u lcl -p <password> difda
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.1.103...                                                  
--------- Welcome to Pure-FTPd [privsep] [TLS] ----------
You are user number 1 of 50 allowed.
Local time is now 19:59. Server port: 21.
IPv6 connections are also welcome on this server.
You will be disconnected after 15 minutes of inactivity.
Logging in...                                                                   
OK. Current directory is /home/lcl
Logged in to difda. 

I don't actually know anything about chrooting.  Never done it, never had to do it.  So how does one check if you are chrooted?  I was hoping that there might be a message of some kind.
Comment 16 Stig-Ørjan Smelror 2018-02-11 21:09:28 CET
Hi.

The difference is that when you're chrooted, your ftp-root is your home directory. You can't "cd .." to get to /home.

When you set ChrootEveryone no, you see the whole path to your home directory:
Logging in...                                                                   
OK. Current directory is /home/lcl
Logged in to difda.

When chrooted:
Logging in...                                                                   
OK. Current directory is /
Logged in to difda.

So, it looks like pure-ftpd is now reading the config file as it should.

Cheers,
Stig
Comment 17 Len Lawrence 2018-02-11 21:21:06 CET
Thanks for the clarification, meanwhile Part two:
Uncommented Bind and set the localhost port to 2121.
Restarted pure-ftpd.

$ ncftp -u lcl -p <password> vega
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.1.3...                                                    
--------- Welcome to Pure-FTPd [privsep] [TLS] ----------
You are user number 1 of 50 allowed.
Local time is now 20:16. Server port: 21.
IPv6 connections are also welcome on this server.
You will be disconnected after 15 minutes of inactivity.
Logging in...                                                                   
OK. Current directory is /home/lcl
Logged in to vega. 

Still using port 21.
Comment 18 Stig-Ørjan Smelror 2018-02-11 21:30:41 CET
/etc/pure-ftpd/pure-ftpd.conf
# IP address/port to listen to (default=all IP addresses, port 21).
Bind                         127.0.0.1,2121

If you plan on connecting from another host, you can set the IP address to the actual IP address of that machine, i.e. 192.168.1.100 or just the port.
I was unable to connect from another machine when Bind was using 127.0.0.1,2121.

/etc/pure-ftpd/pure-ftpd.conf
# IP address/port to listen to (default=all IP addresses, port 21).
Bind                         192.168.1.100,2121
# Or
Bind                         2121

$ sudo systemctl restart pure-ftpd

─$ ncftp -u stig localhost
NcFTP 3.2.6 (Dec 04, 2016) by Mike Gleason (http://www.NcFTP.com/contact/).
Could not connect to 127.0.0.1: Connection refused.
^Ceeping 20 seconds...

$ ncftp -P2121 -u stig localhost
NcFTP 3.2.6 (Dec 04, 2016) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 127.0.0.1...
--------- Welcome to Pure-FTPd [privsep] [TLS] ----------
You are user number 1 of 50 allowed.
Local time is now 21:22. Server port: 2121.
You will be disconnected after 15 minutes of inactivity.
Logging in...
Password requested by 127.0.0.1 for user "stig".

    User stig OK. Password required

Password: ********

OK. Current restricted directory is /
Logged in to localhost.
Comment 19 Len Lawrence 2018-02-11 21:34:23 CET
OK:  ChrootEveryone is 'no'

Local login via ncftp.
Logging in...                                                                   
OK. Current directory is /home/lcl
Logged in to difda.                                                             

At this point the user is free to move about the file system.

Changed the 'no' to 'yes' and 

Logging in...                                                                   
OK. Current restricted directory is /
Logged in to difda.                                                             
ncftp / > cd /home
Could not chdir to /home: server said: Can't change directory to home: No such file or directory

So that works anyway.
Comment 20 Len Lawrence 2018-02-11 21:36:56 CET
Re comment 18.  Looking into this.  Thanks for your patience Stig.
Comment 21 Len Lawrence 2018-02-11 21:51:40 CET
Non default Bind port enabled.

$ ncftp -u lcl difda
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Could not connect to 192.168.1.103: Connection refused.
$ ncftp -P2121 -u lcl difda
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Could not connect to 192.168.1.103: Connection refused. 

But, using your alternative method, not being specific about localhost, it works.
i.e.  Bind    2121

$ ncftp -P2121 -u lcl difda
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.1.103...                                                  
--------- Welcome to Pure-FTPd [privsep] [TLS] ----------
You are user number 1 of 50 allowed.
Local time is now 20:47. Server port: 2121.
IPv6 connections are also welcome on this server.
You will be disconnected after 15 minutes of inactivity.
Logging in...                                                                   
Password requested by 192.168.1.103 for user "lcl".

    User lcl OK. Password required

Password: **********

OK. Current directory is /home/lcl
Logged in to difda.                                                              

Once again, thanks for your help Stig.  Reinstating the 64-bit OK.
Len Lawrence 2018-02-11 21:51:55 CET

Whiteboard: (none) => MGA6-64-OK
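
The manual checks in comments 14 to 21 (change Bind, restart, see which address and port answer) can be scripted. The following is an added example, not part of the bug report or the Mageia package; the function names, the `any` token and the sample data are assumptions, and the Bind forms are the ones shown in comment 18.

```shell
#!/bin/sh
# Value of the last active (uncommented) Bind line in a pure-ftpd.conf file.
bind_value() {
    awk '$1 == "Bind" { v = $2 } END { print v }' "$1"
}

# Convert a Bind value to "address port". Forms used in this thread:
# "127.0.0.1,2121" (address,port), "2121" (port only), none (all addresses, 21).
# The token "any" (an assumption of this sketch) stands for all addresses.
bind_to_endpoint() {
    case "$1" in
        "")  echo "any 21" ;;
        *,*) addr=${1%%,*}; port=${1#*,}
             echo "${addr:-any} ${port:-21}" ;;
        *)   echo "any $1" ;;
    esac
}

# Succeed if the `ss -ltn` listing in file $3 has a LISTEN socket on $1 port $2.
# "any" matches only wildcard listeners; a specific address must match exactly,
# so a daemon listening more widely than configured is flagged.
listener_matches() {
    awk -v want_addr="$1" -v want_port="$2" '
        $1 == "LISTEN" {
            n = split($4, p, ":"); port = p[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            wild = (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
            if (port == want_port && ((want_addr == "any" && wild) || addr == want_addr))
                found = 1
        }
        END { exit !found }' "$3"
}

# One-line verdict for a config file ($1) and a captured listing ($2).
check_bind() {
    ep=$(bind_to_endpoint "$(bind_value "$1")")
    addr=${ep% *}; port=${ep#* }
    if listener_matches "$addr" "$port" "$2"; then echo "OK $addr:$port"
    else echo "MISMATCH expected $addr:$port"; fi
}

# Constructed sample: Bind is set to port 2121 but the daemon still listens
# on the default port, i.e. the configuration file was not read.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# Bind  127.0.0.1,21' 'Bind  127.0.0.1,2121' > "$d/conf"
    printf '%s\n' 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0 9 0.0.0.0:21 0.0.0.0:*' 'LISTEN 0 9 [::]:21 [::]:*' > "$d/ss"
    check_bind "$d/conf" "$d/ss"
    rm -rf "$d"
}
demo
```

On a live system the second argument would be a file holding the output of `ss -ltn` taken after the restart.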

Comment 22 Dieter Schütze 2018-02-13 11:03:34 CET
I'm wondering about the comment from Thomas Backlund in comment 10.
Do you think such things should be published in the bug list ?
This is the wrong place to measure others.

Additionally I'm a little bit upset about the fact that you want Cauldron (development) first about failure on stable production packages.
What should people think, who are left hanging with their production servers ?

I think this is not the right way to handle failures on stable packages.

Regards
Dieter 

and thank you Stig-Ørjan Smelror for the fast response very late in the evening.

CC: (none) => dieter

Comment 23 claire robinson 2018-02-13 12:00:16 CET
Nobody is left hanging. Everybody is free to contribute their time and assist.
Comment 24 Stig-Ørjan Smelror 2018-02-13 12:32:55 CET
Dieter.

You can think of Cauldron as a testing ground for bugfixes and features that, if they work out as expected, WILL get backported to MGA6.

Imagine pushing several iterations of an update to production systems before the final fix that really works. Which do you prefer?

Cheers,
Stig
Comment 25 Thomas Backlund 2018-02-13 15:34:53 CET
(In reply to Dieter Schütze from comment #22)
> I'm wondering about the comment from Thomas Backlund in comment 10.
> Do you think such things should be published in the bug list ?
> This is the wrong place to measure others.
> 

It's not about measuring... it's about a learning process and preventing broken fixes from landing in stable releases...

> Additionally I'm a little bit upset about the fact that you want Cauldron
> (development) first about failure on stable production packages. 
> What should people think, who are left hanging with their production servers
> ?
> 
> I think this is not the right way to handle failures on stable packages.
> 

It is, and it's based on years of distro development process...

If fixes are not in Cauldron first, it means some of them will be forgotten, and that will create regressions or breakages during distro upgrades...

And by landing in cauldron first, it also takes the "hit" in case of a broken fix, preventing the damage in stable releases...
Comment 26 claire robinson 2018-02-15 20:21:44 CET
Is this now good to go?
Comment 27 Stig-Ørjan Smelror 2018-02-15 20:25:07 CET
(In reply to claire robinson from comment #26)
> Is this now good to go?

Based on what I've tested myself and the tests done here, I say it's ready to go.

Cheers,
Stig

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 28 claire robinson 2018-02-15 20:39:38 CET
Advisory uploaded

Keywords: (none) => advisory

Comment 29 Mageia Robot 2018-02-17 13:20:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2018-0032.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

