Description of problem:

A correctly logged in user can't delete his own files.
Directory permissions are 755, the process runs as user.
proftpd does not produce any log information in default log mode.
In debug = 10 mode, it logs this:

2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching PRE_CMD command 'DELE viewstate.product.class.php' to mod_sql
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching PRE_CMD command 'DELE viewstate.product.class.php' to mod_log
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching CMD command 'DELE viewstate.product.class.php' to mod_core
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): in dir_check_full(): path = '/lib/view/page/viewstate.product.class.php', fullpath = '/opt/root/home/THEMAINUSERNAME/public_html/lib/view/page/viewstate.product.class.php'.
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): in dir_check_full(): setting umask to 0022 (was 0022)
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): WARNING: attempt to use sensitive path '/lib/view/page/viewstate.product.class.php' within chroot '/opt/root/home/THEMAINUSERNAME/public_html', rejecting
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): error deleting '/lib/view/page/viewstate.product.class.php': Keine Berechtigung
2016-03-08 19:22:11,661 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching POST_CMD_ERR command 'DELE viewstate.product.class.php' to mod_sql
2016-03-08 19:22:11,661 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching LOG_CMD_ERR command 'DELE viewstate.product.class.php' to mod_sql
2016-03-08 19:22:11,661 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching LOG_CMD_ERR command 'DELE viewstate.product.class.php' to mod_log

Version-Release number of selected component (if applicable):

proftpd-1.3.5-6.fc22
verified with proftpd-1.3.5a-5.fc22

How reproducible:

100%

Actual results:

> dele viewstate.product.class.php
Cmd: DELE viewstate.product.class.php
550: viewstate.product.class.php: Keine Berechtigung
delete viewstate.product.class.php: server said: viewstate.product.class.php: Keine Berechtigung
delete viewstate.product.class.php: server said: viewstate.product.class.php: Keine Berechtigung
ncftp /lib/view/page > ll
> ll
Cmd: TYPE A
200: Type set to A
Cmd: EPSV
229: Entering Extended Passive Mode (|||22861|)
Cmd: MLSD
150: Opening ASCII mode data connection for MLSD
226: Transfer complete
Remote listing contents {
    modify=20121006173925;perm=adfrw;size=664;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.registersuccess.class.php
    modify=20121006173921;perm=adfrw;size=662;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.contactsuccess.class.php
    modify=20130627075440;perm=adfrw;size=5128;type=file;UNIX.group=578;UNIX.mode=0664;UNIX.owner=577; viewstate.techspecs.class.php
    modify=20121006173923;perm=adfrw;size=687;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.imprint.class.php
    modify=20121006173923;perm=adfrw;size=687;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.privacy.class.php
    modify=20121006173925;perm=adfrw;size=1379;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.sendpassword.class.php
    modify=20121006173922;perm=adfrw;size=675;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.faq.class.php
    modify=20121006173923;perm=adfrw;size=1416;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.gettingstarted.class.php
    modify=20130627074009;perm=flcdmpe;type=cdir;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; .
    modify=20121006173925;perm=adfrw;size=5126;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.references.class.php
    modify=20121006173921;perm=adfrw;size=1702;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; view.page.class.php
    modify=20121006173925;perm=adfrw;size=7604;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.register.class.php
    modify=20121006173921;perm=adfrw;size=815;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; view.terms.class.php
    modify=20121006173926;perm=adfrw;size=659;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.sendpwsuccess.class.php
    modify=20121006173924;perm=adfrw;size=5823;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.purchase.class.php
    modify=20121006173922;perm=adfrw;size=886;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.downloads.class.php
    modify=20121006173924;perm=adfrw;size=3762;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.purchasecontact.class.php
    modify=20121006173922;perm=adfrw;size=696;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.disclaimer.class.php
    modify=20121006173921;perm=adfrw;size=2474;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.contact.class.php
    modify=20150810093042;perm=adfrw;size=2082;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.product.class.php
    modify=20121006173942;perm=flcdmpe;type=pdir;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; ..
    modify=20121006173926;perm=adfrw;size=4404;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.techspecs.class.php.old
}
-rw-r--r-- 577 578 1702 Okt 6 2012 view.page.class.php
-rw-r--r-- 577 578 1702 Okt 6 2012 view.page.class.php
-rw-r--r-- 577 578 2474 Okt 6 2012 viewstate.contact.class.php
-rw-r--r-- 577 578 2474 Okt 6 2012 viewstate.contact.class.php
-rw-r--r-- 577 578 662 Okt 6 2012 viewstate.contactsuccess.class.php
-rw-r--r-- 577 578 662 Okt 6 2012 viewstate.contactsuccess.class.php
-rw-r--r-- 577 578 696 Okt 6 2012 viewstate.disclaimer.class.php
-rw-r--r-- 577 578 696 Okt 6 2012 viewstate.disclaimer.class.php
-rw-r--r-- 577 578 886 Okt 6 2012 viewstate.downloads.class.php
-rw-r--r-- 577 578 886 Okt 6 2012 viewstate.downloads.class.php
-rw-r--r-- 577 578 675 Okt 6 2012 viewstate.faq.class.php
-rw-r--r-- 577 578 675 Okt 6 2012 viewstate.faq.class.php
-rwxr-xr-x 577 578 1416 Okt 6 2012 viewstate.gettingstarted.class.php
-rwxr-xr-x 577 578 1416 Okt 6 2012 viewstate.gettingstarted.class.php
-rw-r--r-- 577 578 687 Okt 6 2012 viewstate.imprint.class.php
-rw-r--r-- 577 578 687 Okt 6 2012 viewstate.imprint.class.php
-rw-r--r-- 577 578 687 Okt 6 2012 viewstate.privacy.class.php
-rw-r--r-- 577 578 687 Okt 6 2012 viewstate.privacy.class.php
-rw-r--r-- 577 578 2082 Aug 10 2015 viewstate.product.class.php
-rw-r--r-- 577 578 2082 Aug 10 2015 viewstate.product.class.php
-rwxr-xr-x 577 578 5823 Okt 6 2012 viewstate.purchase.class.php
-rwxr-xr-x 577 578 5823 Okt 6 2012 viewstate.purchase.class.php
-rwxr-xr-x 577 578 3762 Okt 6 2012 viewstate.purchasecontact.class.php
-rwxr-xr-x 577 578 3762 Okt 6 2012 viewstate.purchasecontact.class.php
-rwxr-xr-x 577 578 5126 Okt 6 2012 viewstate.references.class.php
-rwxr-xr-x 577 578 5126 Okt 6 2012 viewstate.references.class.php
-rw-r--r-- 577 578 7604 Okt 6 2012 viewstate.register.class.php
-rw-r--r-- 577 578 7604 Okt 6 2012 viewstate.register.class.php
-rw-r--r-- 577 578 664 Okt 6 2012 viewstate.registersuccess.class.php
-rw-r--r-- 577 578 664 Okt 6 2012 viewstate.registersuccess.class.php
-rw-r--r-- 577 578 1379 Okt 6 2012 viewstate.sendpassword.class.php
-rw-r--r-- 577 578 1379 Okt 6 2012 viewstate.sendpassword.class.php
-rw-r--r-- 577 578 659 Okt 6 2012 viewstate.sendpwsuccess.class.php
-rw-r--r-- 577 578 659 Okt 6 2012 viewstate.sendpwsuccess.class.php
-rw-rw-r-- 577 578 5128 Jun 27 2013 viewstate.techspecs.class.php
-rw-rw-r-- 577 578 5128 Jun 27 2013 viewstate.techspecs.class.php
-rwxr-xr-x 577 578 4404 Okt 6 2012 viewstate.techspecs.class.php.old
-rwxr-xr-x 577 578 4404 Okt 6 2012 viewstate.techspecs.class.php.old
-rw-r--r-- 577 578 815 Okt 6 2012 view.terms.class.php
-rw-r--r-- 577 578 815 Okt 6 2012 view.terms.class.php

O== THE WEBPAGE of PROFTPD says this :

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The checks in question will specifically prevent any attempts to upload files into the /etc and /lib directories, or attempts to delete, create, rename, link, or otherwise try to change anything in these directories. All attempts to make modifications will be rejected with "Permission denied" errors.

In addition, the following message will be logged (at debug level 2):

WARNING: attempt to use sensitive path '/etc/file' within chroot '/home/user', rejecting
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

O== The path the file is in starts with /lib/ BUT it's not the /lib/ of the chroot proftpd puts the user into. It's *A* path named lib in the user's home directory structure.

Proftpd shows the correct full path as:

/opt/root/home/THEMAINUSERNAME/public_html/lib/view/page/viewstate.product.class.php

The chroot directory in this config states public_html as base directory.

public_html/lib/ becomes /lib/ of the chroot in this case => sensitive directory per definition of the proftpd devs.

In the real world, it's just a simple directory with no potential harm of any sort.

Please fix this.

Solution: an option to disable the above behavior WITHOUT disabling the chroot at all, and enforce this ruleset:

check if the documentroot is a symlink (of any kind to anywhere), proceed only if it is not one,
proceed only if documentroot is equal to or a subdirectory of the user's home.

*solved*
Solution: "rlimitchroot off"
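
To confirm from a debug log that a "Permission denied" came from this sensitive-path guard and not from file permissions, the following added example (not part of the report or of ProFTPD) pairs each rejection with the real path logged by dir_check_full(). The log sample is constructed after the lines quoted above, and is_sensitive() is a simplified model of the documented /etc and /lib rule, not ProFTPD's code.

```python
import re

# Constructed sample, modelled on the debug output quoted in the report.
SAMPLE_LOG = """\
2016-03-08 19:22:11,660 host proftpd[3056] a.b.c.d: in dir_check_full(): path = '/lib/view/page/x.php', fullpath = '/opt/root/home/USER/public_html/lib/view/page/x.php'.
2016-03-08 19:22:11,660 host proftpd[3056] a.b.c.d: WARNING: attempt to use sensitive path '/lib/view/page/x.php' within chroot '/opt/root/home/USER/public_html', rejecting
2016-03-08 19:22:12,101 host proftpd[3056] a.b.c.d: in dir_check_full(): path = '/img/logo.png', fullpath = '/opt/root/home/USER/public_html/img/logo.png'.
"""

FULLPATH_RE = re.compile(
    r"proftpd\[(\d+)\].*in dir_check_full\(\): path = '([^']*)', fullpath = '([^']*)'")
REJECT_RE = re.compile(
    r"proftpd\[(\d+)\].*attempt to use sensitive path '([^']*)' within chroot '([^']*)', rejecting")

# Assumption: the guard covers /etc and /lib at the top of the chroot,
# as stated in the documentation excerpt quoted in the report.
SENSITIVE = ("/etc", "/lib")


def is_sensitive(chroot_path):
    """True if a chroot-relative path is /etc, /lib, or lies beneath one of them."""
    return any(chroot_path == d or chroot_path.startswith(d + "/") for d in SENSITIVE)


def find_rejections(log_text):
    """Return one record per sensitive-path rejection, with the real path if logged."""
    last_full = {}  # (pid, chroot-relative path) -> real filesystem path
    hits = []
    for line in log_text.splitlines():
        m = FULLPATH_RE.search(line)
        if m:
            last_full[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = REJECT_RE.search(line)
        if m:
            pid, path, chroot = m.groups()
            hits.append({
                "pid": pid,
                "path": path,              # what the guard evaluated
                "chroot": chroot,
                "fullpath": last_full.get((pid, path)),  # where the file really is
                "matches_model": is_sensitive(path),
            })
    return hits


if __name__ == "__main__":
    for hit in find_rejections(SAMPLE_LOG):
        print(hit)
```

A rejection whose fullpath lies under the user's own document root is the case this report describes; disabling the guard with the directive given in the solution removes it for every path, not only for such directories.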