Package: proftpd-basic
Version: 1.3.6-4
Severity: normal

Dear Maintainer,

The proftpd-basic package has been updated to 1.3.5e on jessie-security.
It breaks the <Anonymous> directive in some cases.

In my case, User is not affected in <Anonymous> if AuthAliasOnly is on.

This problem is caused on 1.3.5e-0+deb8u1 (jessie-security) and 1.3.6-4 (sid).
1.3.5b-4 (stretch) and 1.3.5-1.1+deb8u2 (jessie) work well.

I think this is related to the following upstream bug:

* http://bugs.proftpd.org/show_bug.cgi?id=4314
* https://github.com/proftpd/proftpd/pull/567
* https://github.com/proftpd/proftpd/pull/309

[How to reproduce]

Put the following settings in /etc/proftpd/conf.d/anon-test:

--------
DebugLevel 10
<Anonymous /var/tmp>
  User www-data
  Group fax
  UserAlias anonymous www-data
  #AuthAliasOnly on
  RequireValidShell off
  <Limit LOGIN>
    AllowAll
  </Limit>
  <Directory *>
    <Limit ALL>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
--------

Then upload any file, like:

--------
$ curl -T /etc/debian_version ftp://localhost/
--------

When AuthAliasOnly is commented out, the uploaded file is owned by www-data:fax.
However, the file owner is proftpd:fax if AuthAliasOnly is on with
proftpd-basic (>= 1.3.5e).

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.utf-8, LC_CTYPE=ja_JP.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages proftpd-basic depends on:
ii  adduser            3.118
ii  debianutils        4.8.6.1
ii  libacl1            2.2.53-4
ii  libattr1           1:2.4.48-4
ii  libc6              2.28-8
ii  libcap2            1:2.25-2
ii  libhiredis0.14     0.14.0-3
ii  libmemcached11     1.0.18-4.2
ii  libmemcachedutil2  1.0.18-4.2
ii  libncursesw6       6.1+20181013-2
ii  libpam-runtime     1.3.1-5
ii  libpam0g           1.3.1-5
ii  libpcre3           2:8.39-12
ii  libssl1.1          1.1.1b-1
ii  libtinfo6          6.1+20181013-2
ii  libwrap0           7.6.q-28
ii  lsb-base           10.2019031300
ii  netbase            5.6
ii  sed                4.7-1
ii  ucf                3.0038+nmu1
ii  zlib1g             1:1.2.11.dfsg-1

Versions of packages proftpd-basic recommends:
ii  proftpd-doc  1.3.6-4

Versions of packages proftpd-basic suggests:
ii  openbsd-inetd [inet-superserver]  0.20160825-4
ii  openssl                           1.1.1b-1
pn  proftpd-mod-geoip                 <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-snmp                  <none>
pn  proftpd-mod-sqlite                <none>

-- debconf information excluded
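
Added example (not part of the original report, and not ProFTPD or Debian code): a small scanner that lists <Anonymous> blocks combining User with AuthAliasOnly on, the configuration the report describes, so an administrator can check upload ownership for those roots after upgrading. The function name, the accepted boolean spellings and the second /srv/ftp block are assumptions made for illustration.

```python
import re

# Constructed sample input: the report's <Anonymous> block with AuthAliasOnly
# enabled, plus a second (hypothetical) block where it stays commented out.
SAMPLE = """\
DebugLevel 10
<Anonymous /var/tmp>
  User www-data
  Group fax
  UserAlias anonymous www-data
  AuthAliasOnly on
  RequireValidShell off
  <Limit LOGIN>
    AllowAll
  </Limit>
</Anonymous>
<Anonymous /srv/ftp>
  User ftp
  Group nogroup
  #AuthAliasOnly on
</Anonymous>
"""

TRUE_VALUES = {"on", "yes", "true", "1"}  # assumed spellings of an enabled flag

def find_affected_anonymous(config_text):
    """Return (root, user, group) for each <Anonymous> block that sets both
    User and AuthAliasOnly on, the combination described in the report."""
    affected, block, depth = [], None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out directive
        opening = re.match(r"<Anonymous\s+(.+?)\s*>$", line, re.IGNORECASE)
        if opening:
            block, depth = {"root": opening.group(1)}, 0
        elif block is None:
            continue                      # directive outside any <Anonymous>
        elif re.match(r"</Anonymous\s*>$", line, re.IGNORECASE):
            if block.get("authaliasonly", "").lower() in TRUE_VALUES and "user" in block:
                affected.append((block["root"], block["user"], block.get("group")))
            block = None
        elif line.startswith("</"):
            depth -= 1                    # leaving a nested <Limit>/<Directory>
        elif line.startswith("<"):
            depth += 1                    # entering a nested section
        elif depth == 0:
            parts = line.split(None, 1)   # directive name, then its arguments
            block[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return affected
```

For each tuple returned, the ownership check is the one from the report: upload a file to that root and confirm it is owned by the listed user and group.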