Comments (5)
oh, btw, @maverickwoo you might be interested in this, since you originally brought it to my attention.
from fluffi.
now that the documentation is updated, do we still need this?
from fluffi.
probably not for our use case, but it vexes me that v(ery)s(tupid)ftpd does not seem to mind allow_writeable_chroot=YES
at all.
also, if someone wants to extend FLUFFI and needs new directories, it's just inconvenient not to have a writable root.
from fluffi.
Given that there is no easy fix, and the need for this feature is minimal, I would close this issue as won't fix for now. Is that fine with you?
from fluffi.
So, we are running vsftpd version 3.0.3
from the ubuntu repositories for 18.04 as per Dockerfile to which the sources are located here
My initial gut feeling was that the packaging people at ubuntu/debian might have disabled the option for security, but the only patch that touches the subject is debian/patches/0060-seccomp_sandbox.patch
which sets the default value at compile time to tunable_allow_writeable_chroot = 0;
because in several search results on google there are inconsistencies concerning what the config option is supposed to be called, looking into the vsftpd source, we find the correct spelling of the option in parseconf.c
109 { "allow_writeable_chroot", &tunable_allow_writeable_chroot },
so it is actually set when present in the config file. Next, we find the error message in secutil.c:
132 /* Misconfiguration check: don't ever chroot() to a directory writable by
133 * the current user.
134 */
135 if ((options & VSF_SECUTIL_OPTION_CHROOT) &&
136 !(options & VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT))
137 {
138 if (vsf_sysutil_write_access("/"))
139 {
140 die("vsftpd: refusing to run with writable root inside chroot()");
141 }
142 }
which leads us back to twoprocess.c:
452 if (!was_anon && tunable_allow_writeable_chroot)
453 {
454 secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;
455 }
So we learn a seemingly common misunderstanding (looking at the dozens of search results on the topic and no working answer), namely that vsftpd does not allow writable chroot at all when using anonymous login and the chrooting security mechanism, no matter if the config option is set or not. The only conceivable way to reach our goal here might be to disable the chrooting behavior, but that might entail more investigation into consequences.
With these results I'm closing this as wontfix, though I do so begrudgingly.
from fluffi.
Related Issues (20)
- Add support for binaries without static user32 linking HOT 13
- Implement noCov runner
- Preselet Architecture in Managed Instances view
- Fuzzcmp: Identify and patch inlined compare function HOT 1
- Remove option "Add target files to Fuzzjob" (make it what always happens) HOT 1
- Show IP address of system in system overview HOT 1
- Fuzzcmp: Add ability to patch statically linked compare functions
- Fuzzcmp: Add support for common compare functions HOT 1
- FUN setup: Some required external binaries are no longer available HOT 2
- openssl dependency build runs out of memory
- Switch to newer powershell update package
- Web: Cannot configure number of LocalManagers HOT 1
- Web: improve pagination for lm logs
- Race condition when generating agent nice names
- Rsync to ramdisk seems too eager when Linux worker node restarts
- DashSync Issues HOT 1
- Address django CVE alert HOT 2
- Running no. of Local Managers are not consistent HOT 1
- Compilation fails after dynamorio update
- Default Siemens security policy
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fluffi.