vsftpd: enable seccomp (#158974)

* vsftpd: enable seccomp * nixos/tests/vsftpd: add basic test * vsftpd: add test to passthru
2024-09-29 07:32:58 +00:00 · 2022-03-01 04:03:47 +01:00 · 2022-03-01 04:03:47 +01:00 · 8289e6478b
commit 8289e6478b
parent e78a5bc15a
3 changed files with 50 additions and 3 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -554,6 +554,7 @@ in
  vikunja = handleTest ./vikunja.nix {};
  virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
  vscodium = discoverTests (import ./vscodium.nix);
+  vsftpd = handleTest ./vsftpd.nix {};
  wasabibackend = handleTest ./wasabibackend.nix {};
  wiki-js = handleTest ./wiki-js.nix {};
  wine = handleTest ./wine.nix {};
--- a/nixos/tests/vsftpd.nix
+++ b/nixos/tests/vsftpd.nix
@ -0,0 +1,42 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "vsftpd";
+
+  nodes = {
+    server = {
+      services.vsftpd = {
+        enable = true;
+        userlistDeny = false;
+        localUsers = true;
+        userlist = [ "ftp-test-user" ];
+        writeEnable = true;
+        localRoot = "/tmp";
+      };
+      networking.firewall.enable = false;
+
+      users = {
+        users.ftp-test-user = {
+          isSystemUser = true;
+          password = "ftp-test-password";
+          group = "ftp-test-group";
+        };
+        groups.ftp-test-group = {};
+      };
+    };
+
+    client = {};
+  };
+
+  testScript = ''
+    client.start()
+    server.wait_for_unit("vsftpd")
+    server.wait_for_open_port("21")
+
+    client.succeed("curl -u ftp-test-user:ftp-test-password ftp://server")
+    client.succeed('echo "this is a test" > /tmp/test.file.up')
+    client.succeed("curl -v -T /tmp/test.file.up -u ftp-test-user:ftp-test-password ftp://server")
+    client.succeed("curl -u ftp-test-user:ftp-test-password ftp://server/test.file.up > /tmp/test.file.down")
+    client.succeed("diff /tmp/test.file.up /tmp/test.file.down")
+    assert client.succeed("cat /tmp/test.file.up") == server.succeed("cat /tmp/test.file.up")
+    assert client.succeed("cat /tmp/test.file.down") == server.succeed("cat /tmp/test.file.up")
+  '';
+})
--- a/pkgs/servers/ftp/vsftpd/default.nix
+++ b/pkgs/servers/ftp/vsftpd/default.nix
@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, libcap, openssl, pam }:
+{ lib, stdenv, fetchurl, libcap, libseccomp, openssl, pam, nixosTests }:

 stdenv.mkDerivation rec {
  pname = "vsftpd";
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "sha256-JrYCrkVLC6bZnvRKCba54N+n9nIoEGc23x8njHC8kdM=";
  };

-  buildInputs = [ libcap openssl pam ];
+  buildInputs = [ libcap openssl libseccomp pam ];

  patches = [ ./CVE-2015-1419.patch ];

@ -30,10 +30,14 @@ stdenv.mkDerivation rec {
    "CC=${stdenv.cc.targetPrefix}cc"
  ];

-  NIX_LDFLAGS = "-lcrypt -lssl -lcrypto -lpam -lcap";
+  NIX_LDFLAGS = "-lcrypt -lssl -lcrypto -lpam -lcap -lseccomp";

  enableParallelBuilding = true;

+  passthru = {
+    tests = { inherit (nixosTests) vsftpd; };
+  };
+
  meta = with lib; {
    description = "A very secure FTP daemon";
    license = licenses.gpl2;