vsftpd + AppArmor enforce : `ls' at 0 [500 OOPS: setrlimit]

Hi everyone,

In a virtual machine (VM) with SLES 12, after enforcing (“enforce mode”) the AppArmor profile for “vsftpd” to confine it (via the “aa-enforce vsftpd” command), I’m doing an “lftp” session to “localhost”, authenticating with the “ftp” user and some password. By doing that, I get the ftp shell prompt (as expected). However, when I run the “ls” command in that ftp shell, I get the following error message:

`ls' at 0 [500 OOPS: setrlimit]

This error does NOT happen when I run vsftpd in “complain mode” / “learning mode” (via “aa-complain vsftpd”): in that case, I do get the expected file and directory listing when I run the “ls” command in the “ftp” shell.

A Google search for “500 OOPS: setrlimit” apparently does not return relevant results.

Could you help me troubleshoot this, please?

In case it’s useful, here is the content of my “/etc/apparmor.d/usr.sbin.vsftpd” file:

[CODE]server1:/etc/apparmor.d # cat usr.sbin.vsftpd
# Last Modified: Sun Oct 29 19:55:42 2017
#include <tunables/global>

/usr/sbin/vsftpd {
  #include <abstractions/apache2-common>
  #include <abstractions/base>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,

  /etc/vsftpd.conf r,
  /run/nscd/group r,
  /run/nscd/passwd r,
  /srv/ftp/ r,
  /srv/ftp/* rw,
  /srv/ftp/test/ w,
  /srv/ftp/upload/* wk,
  /usr/sbin/vsftpd mr,

}[/CODE]

Thanks in advance.

ricmarq,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort and volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team
http://forums.suse.com

Hi ricmarq,

have you tried adding “capability sys_resource” (see “man 7 capabilities”) to the list of allowed capabilities?

Regards,
Angelika

Hi Angelika,

[QUOTE=amozdzen;40170]Hi ricmarq,

have you tried adding “capability sys_resource” (see “man 7 capabilities”) to the list of allowed capabilities?

Regards,
Angelika[/QUOTE]

Thanks for having replied. Based on your tip, I tried adding the line “capability sys_resource,” to the “/etc/apparmor.d/usr.sbin.vsftpd” file and restarting AppArmor (by running “systemctl restart apparmor”). That didn’t solve the issue, however (I still had the [COLOR="#FF0000"]`ls’ at 0 [500 OOPS: setrlimit][/COLOR] error message when running the “ls” command in the lftp shell).

Then, I tried removing that “capability sys_resource,” line again and restarting AppArmor … and that worked: I stopped having the error! BUT then, I tried adding the line “capability sys_resource,” back to the “usr.sbin.vsftpd” file and restarting AppArmor … and it also (still) worked (!)

So, I’m quite a bit confused, but at least it’s working now.

Thanks again for your tip!
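Rather than toggling a rule and reloading until the symptom goes away, the check a practitioner wants here is the audit trail. When a confined vsftpd is refused a capability, the kernel logs an `apparmor="DENIED" operation="capable" ... capname="..."` event (to the kernel log, visible with `journalctl -k`, or to /var/log/audit/audit.log when auditd is running), and the profile rule that clears it can be read straight off that line. In complain mode the same events are logged as `apparmor="ALLOWED"` but not blocked, which is why “ls” works there. The script below is an added example written for this thread, not code from the original posts or from the AppArmor project; it is a non-interactive, cut-down stand-in for `aa-logprof`. The log lines embedded in it are constructed to look like such events (pids, timestamps and the /srv/ftp paths are made up); the CAP_SYS_RESOURCE denial is included because raising a resource limit with setrlimit is what that capability gates, while the thread itself only shows that adding the capability coincided with the fix.

```shell
#!/bin/sh
# Added example, not from the thread: mine AppArmor "DENIED" audit lines for
# one profile and print the profile rules that would allow what was denied.
# SAMPLE_LOG is constructed to look like the kernel/audit messages SLES
# writes; pids, timestamps and paths are invented.
SAMPLE_LOG='audit: type=1400 audit(1509305742.123:456): apparmor="DENIED" operation="capable" profile="/usr/sbin/vsftpd" pid=4242 comm="vsftpd" capability=24  capname="sys_resource"
audit: type=1400 audit(1509305742.130:457): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/srv/ftp/test/notes.txt" pid=4242 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=40 ouid=0
audit: type=1400 audit(1509305742.131:458): apparmor="DENIED" operation="mknod" profile="/usr/sbin/vsftpd" name="/srv/ftp/upload/new.bin" pid=4242 comm="vsftpd" requested_mask="c" denied_mask="c" fsuid=40 ouid=40
audit: type=1400 audit(1509305742.132:459): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd.conf" pid=4242 comm="vsftpd" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1509305742.140:460): apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=99 comm="sshd" capability=21 capname="sys_admin"'

# field LINE KEY: print the value of KEY="..." from one audit line (empty if absent).
# The leading [[:space:]] keeps "name" from matching inside "capname".
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# perm MASK: map an audit denied_mask to profile permission letters.
# "c" (create) and "d" (delete) are only ever granted by "w" in a profile.
perm() {
    out=""
    case $1 in *r*)     out="${out}r" ;; esac
    case $1 in *[wcd]*) out="${out}w" ;; esac
    case $1 in *m*)     out="${out}m" ;; esac
    case $1 in *k*)     out="${out}k" ;; esac
    case $1 in *x*)     out="${out}x" ;; esac
    printf '%s' "$out"
}

# suggest PROFILE: read audit lines on stdin and print de-duplicated rules
# that would satisfy each DENIED event recorded against PROFILE.
suggest() {
    profile=$1
    while IFS= read -r line; do
        # ALLOWED lines (complain mode) and other profiles are skipped.
        case $line in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        [ "$(field "$line" profile)" = "$profile" ] || continue
        op=$(field "$line" operation)
        name=$(field "$line" name)
        if [ "$op" = capable ]; then
            printf 'capability %s,\n' "$(field "$line" capname)"
        elif [ -n "$name" ]; then
            printf '%s %s,\n' "$name" "$(perm "$(field "$line" denied_mask)")"
        else
            printf '# unhandled: %s\n' "$line"
        fi
    done | sort -u
}

# Stand-alone run over the constructed sample; on a real host replace
# SAMPLE_LOG with: journalctl -k | grep 'apparmor="DENIED"'
printf '%s\n' "$SAMPLE_LOG" | suggest /usr/sbin/vsftpd
```

On the box in the thread you would feed it the real kernel or audit log instead of SAMPLE_LOG, paste the emitted lines into /etc/apparmor.d/usr.sbin.vsftpd, and reload only that profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.vsftpd` rather than restarting the whole AppArmor service; `aa-status` then confirms the profile is still in enforce mode. Treat every suggested rule as a question, not an answer: a blanket `capability sys_resource,` is the widest fix, and if the audit line points at a single file path, a narrower path rule is usually the right trade.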