Bug 148748 - net-ftp/vsftpd - home permissions need reconfiguration
Summary: net-ftp/vsftpd - home permissions need reconfiguration
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Roy Marples (RETIRED)
Reported: 2006-09-23 02:16 UTC by Sergiy Borodych
Modified: 2006-09-27 03:18 UTC (History)
Description Sergiy Borodych 2006-09-23 02:16:07 UTC
ftpbase creates a new ftp user with homedir /home/ftp:

# ll -d /home/ftp/
drwxr-xr-x 2 ftp root 48 Sep 23 12:05 /home/ftp/

By default vsftpd cannot successfully use this dir. The problem that appears is described at http://www.vsftpdrocks.org/faq/

Q) Help! I'm getting the error message "refusing to run with writable anonymous
root".
A) vsftpd is protecting against dangerous configurations. The cause of this
message is usually dodgy ownership of the ftp home directory. The home
directory should NOT be owned by the ftp user itself. Neither should it
be writable by the ftp user. A way to fix this is:
chown root ~ftp; chmod -w ~ftp

I suggest:
change ftpbase for current access to the ftp dir
or
add info to the vsftpd ebuild about this incident
Comment 1 Roy Marples (RETIRED) gentoo-dev 2006-09-26 07:03:43 UTC
Odd, by default ftpbase creates the homedir as owned by root:root

Attach the output of `emerge --info` please
Comment 2 Sergiy Borodych 2006-09-27 02:45:11 UTC
# mv /home/ftp /home/ftp.bkp
# emerge -C net-ftp/ftpbase
## remove ftp user and group
# vipw
# vigr
# emerge net-ftp/ftpbase
# ls -ld /home/ftp
drwxr-xr-x 2 ftp root 48 Sep 27 12:35 /home/ftp

Also, in /usr/portage/eclass/eutils.eclass we see:
enewuser() {
...
    if [[ ! -e ${ROOT}/${ehome} ]] ; then
        einfo " - Creating ${ehome} in ${ROOT}"
        mkdir -p "${ROOT}/${ehome}"
        chown ${euser} "${ROOT}/${ehome}"
        chmod 755 "${ROOT}/${ehome}"
    fi
...
}

After mkdir it sets chown to ftp?!

I did this on two different machines: ~x86 and ~amd86

# emerge --info
Portage 2.1.2_pre1-r3 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-suspend2-r5 i686)
=================================================================
System uname: 2.6.17-suspend2-r5 i686 Intel(R) Pentium(R) M processor 1.70GHz
Gentoo Base System version 1.12.5
Last Sync: Wed, 27 Sep 2006 06:00:08 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=pentium-m -fomit-frame-pointer -mfpmath=sse"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=pentium-m -fomit-frame-pointer -mfpmath=sse"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache collision-protect distlocks metadata-transfer sandbox sfperms strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="ru_RU.UTF-8"
LINGUAS="ru uk"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa amr apache2 asf berkdb bitmap-fonts bzip2 cairo cdr chardet chroot cli crypt dbus dlloader dri dvd dvdr elibc_glibc emboss encode fam fat ffmpeg firefox flac fluidsynth freetype gd gdbm gif glitz glut gnome gpm gstreamer gtk gtk2 hal iconv input_devices_keyboard input_devices_mouse input_devices_synaptics irda isdnlog ithreads jpeg kernel_linux libg++ linguas_ru linguas_uk logrotate mikmod mmap mmx mozdevelop mozilla moznocompose moznoirc mp3 ncurses nls nptl nptlonly nsplugin ogg opengl pam pam_chroot pcre perl pic png pnp ppds pppd pthreads readline reflection reiser4 reiserfs samba sdl seamonkey session slang spl sse sse2 ssl svg symlink syslog tcpd threads timidity truetype truetype-fonts type1-fonts udev unicode usb userland_GNU userlocales utf8 video_cards_ati video_cards_fglrx video_cards_radeon video_cards_vesa video_cards_vga vim-with-x vlm vorbis win32codecs wma wxwindows x264 xinerama xml xml2 xmms xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS


Comment 3 Roy Marples (RETIRED) gentoo-dev 2006-09-27 03:18:49 UTC
Heh, someone changed enewuser to do that after I wrote ftpbase then.

I've fixed ftpbase to change owner to root:ftp if the home dir was created by enewuser. Thanks for finding where the fault was :)
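
Added example, not part of the bug thread and not code from ftpbase, eutils.eclass or vsftpd: a shell audit of the rule quoted from the vsftpd FAQ (the ftp home must not be owned by the ftp user or writable by it). The function names and the uid 21 are assumptions made for illustration, `stat -c` assumes GNU coreutils, and the group/other write test is a conservative approximation rather than vsftpd's own check.

```shell
#!/bin/sh
# anon_root_verdict OWNER_UID MODE_OCTAL FTP_UID
# Prints "ok" or the reason the directory is unsuitable as an anonymous
# FTP root; returns 0 only when it is acceptable. (Hypothetical helper.)
anon_root_verdict() {
    owner_uid=$1 mode=$2 ftp_uid=$3
    # FAQ rule 1: the home directory must not be owned by the ftp user.
    if [ "$owner_uid" = "$ftp_uid" ]; then
        echo "owned by the ftp user"
        return 1
    fi
    # FAQ rule 2: it must not be writable by the ftp user. Conservative
    # approximation: reject any group or other write bit (octal 022).
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group or other writable"
        return 1
    fi
    echo "ok"
}

# audit_ftp_home DIR FTP_UID
# Reads owner uid and permission bits from DIR and applies the verdict.
audit_ftp_home() {
    dir=$1 uid_arg=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory"
        return 2
    fi
    anon_root_verdict "$(stat -c %u "$dir")" "$(stat -c %a "$dir")" "$uid_arg"
}

# Constructed values (ftp uid 21 is an assumption, root is uid 0):
# the state enewuser left behind in this report, ftp-owned and mode 755 ...
anon_root_verdict 21 755 21 || true
# ... and the state after re-owning the directory to root with mode 755.
anon_root_verdict 0 755 21

# On a real system: audit_ftp_home /home/ftp "$(id -u ftp)"
```
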