
vsftpd has no PAM configuration and needs "seccomp_sandbox=NO"
Closed, Resolved (Public)

Description

vsftpd defaults to trying to use the PAM config file ftp, but this doesn't exist, and causes any login attempts to fail, along with outputting a PAM warning to journalctl.

As a random solution, I set pam_service_name=login (since /etc/pam.d/login exists) in vsftpd.conf which seems to work, but I'm not certain as to how good of an idea this is. I believe other distros have a vsftpd-specific (just named vsftpd) PAM config file, and Ubuntu uses a ftp config file.

Another problem is that I needed to set seccomp_sandbox=NO in vsftpd.conf. Without that, I can't browse certain directories with FileZilla. I'm not certain what the setting does but I also needed it in Arch Linux and Fedora if I recall correctly.

Event Timeline

DataDrake moved this task from Backlog to Package Fixes on the Software board. Oct 28 2016, 8:42 PM
JoshStrobl triaged this task as Normal priority.
JoshStrobl changed the task status from Open to In Progress. Oct 28 2016, 11:08 PM
Espionage724 added a comment. Edited Nov 10 2016, 12:50 PM

I did a clean install of Solus and vsftpd a bit ago and pam_service_name="login" doesn't seem to work. However, pam_service_name=login does (no quotes around login), so it seems vsftpd is a little strict on that.

On another note, is it a good idea to use the login PAM configuration? I'm not sure if it would be worthwhile or not, but copying the login PAM config and naming it to ftp would allow vsftpd to work without needing to specify the pam_service_name.

I only chose login because it sounded the best and happens to work; I'm not entirely aware of any security implications or anything of it or if it even benefits to have all the config stuff in that file.

Espionage724 reopened this task as Open. Nov 10 2016, 12:55 PM
JoshStrobl closed this task as Resolved. Nov 11 2016, 7:31 PM
JoshStrobl added a subscriber: ikey.

Landed in unstable as of https://git.solus-project.com/packages/vsftpd/commit/?id=569d484bb4c6a88dab75f0777c82578f93160a71

Whether or not it is a good idea, quite frankly I don't know. Probably a better question for @ikey.

Regardless, resolved. In the future, please file a separate issue rather than reopening this one. Thanks.
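
An added example, not part of the task or the Solus package: a small Python check for the three conditions raised in this thread (a quoted pam_service_name, a PAM service file that does not exist, and seccomp_sandbox=NO). The function names, finding codes and sample config are constructed for illustration, and the PAM directory is assumed to be /etc/pam.d unless another path is passed in.

```python
import os
import tempfile

DEFAULT_PAM_SERVICE = "ftp"  # service name vsftpd uses when none is configured

def parse_vsftpd_conf(text):
    """Parse vsftpd.conf text (option=value lines, '#' comments) into a dict."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value  # value kept literally, quotes included
    return opts

def audit(text, pam_dir="/etc/pam.d"):
    """Return (code, message) findings; codes are hypothetical labels."""
    opts = parse_vsftpd_conf(text)
    service = opts.get("pam_service_name", DEFAULT_PAM_SERVICE)
    findings = []
    if service.strip("\"'") != service:
        findings.append(("QUOTED_VALUE", f"pam_service_name={service} is quoted; "
                         "the thread reports only the unquoted form works"))
    if not os.path.isfile(os.path.join(pam_dir, service)):
        findings.append(("PAM_FILE_MISSING", f"no {pam_dir}/{service}; "
                         "logins will fail with a PAM warning in the journal"))
    elif service not in ("ftp", "vsftpd"):
        findings.append(("SHARED_PAM_STACK", f"FTP logins use the '{service}' "
                         "stack; review its modules for suitability"))
    if opts.get("seccomp_sandbox", "").upper() == "NO":
        findings.append(("SECCOMP_DISABLED", "seccomp_sandbox=NO turns off "
                         "vsftpd's seccomp syscall filter"))
    return findings

if __name__ == "__main__":
    # Constructed sample: the workaround config described in the task.
    sample = "listen=YES\npam_service_name=login\nseccomp_sandbox=NO\n"
    with tempfile.TemporaryDirectory() as pam_dir:  # stand-in for /etc/pam.d
        open(os.path.join(pam_dir, "login"), "w").close()
        for code, message in audit(sample, pam_dir):
            print(f"{code}: {message}")
```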