Bug 1315851 - proftpd user can't delete or upload files
Summary: proftpd user can't delete or upload files
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: proftpd
Version: 22
Hardware: i686
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Itamar Reis Peixoto
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-03-08 18:57 UTC by customercare
Modified: 2016-03-08 19:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-08 19:30:45 UTC
Type: Bug
Embargoed:



Description customercare 2016-03-08 18:57:52 UTC
Description of problem:

A correctly logged in user can't delete his own files.

Directory permissions are 755,
the process runs as the user,
proftpd does not produce any log information in default log mode.

in debug = 10 mode, it logs this:

2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching PRE_CMD command 'DELE viewstate.product.class.php' to mod_sql
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching PRE_CMD command 'DELE viewstate.product.class.php' to mod_log
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching CMD command 'DELE viewstate.product.class.php' to mod_core
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): in dir_check_full(): path = '/lib/view/page/viewstate.product.class.php', fullpath = '/opt/root/home/THEMAINUSERNAME/public_html/lib/view/page/viewstate.product.class.php'.
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): in dir_check_full(): setting umask to 0022 (was 0022)
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): WARNING: attempt to use sensitive path '/lib/view/page/viewstate.product.class.php' within chroot '/opt/root/home/THEMAINUSERNAME/public_html', rejecting
2016-03-08 19:22:11,660 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): error deleting '/lib/view/page/viewstate.product.class.php': Keine Berechtigung
2016-03-08 19:22:11,661 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching POST_CMD_ERR command 'DELE viewstate.product.class.php' to mod_sql
2016-03-08 19:22:11,661 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching LOG_CMD_ERR command 'DELE viewstate.product.class.php' to mod_sql
2016-03-08 19:22:11,661 s120.resellerdesktop.de proftpd[3056] a.b.c.d (93.223.208.15[93.223.208.15]): dispatching LOG_CMD_ERR command 'DELE viewstate.product.class.php' to mod_log




Version-Release number of selected component (if applicable):

proftpd-1.3.5-6.fc22

verified with

proftpd-1.3.5a-5.fc22

How reproducible:

100%

Actual results:

> dele viewstate.product.class.php

Cmd: DELE viewstate.product.class.php
550: viewstate.product.class.php: Keine Berechtigung
delete viewstate.product.class.php: server said: viewstate.product.class.php: Keine Berechtigung
delete viewstate.product.class.php: server said: viewstate.product.class.php: Keine Berechtigung
ncftp /lib/view/page > ll
> ll

Cmd: TYPE A
200: Type set to A
Cmd: EPSV
229: Entering Extended Passive Mode (|||22861|)
Cmd: MLSD
150: Opening ASCII mode data connection for MLSD
226: Transfer complete
Remote listing contents {
    modify=20121006173925;perm=adfrw;size=664;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.registersuccess.class.php
    modify=20121006173921;perm=adfrw;size=662;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.contactsuccess.class.php
    modify=20130627075440;perm=adfrw;size=5128;type=file;UNIX.group=578;UNIX.mode=0664;UNIX.owner=577; viewstate.techspecs.class.php
    modify=20121006173923;perm=adfrw;size=687;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.imprint.class.php
    modify=20121006173923;perm=adfrw;size=687;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.privacy.class.php
    modify=20121006173925;perm=adfrw;size=1379;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.sendpassword.class.php
    modify=20121006173922;perm=adfrw;size=675;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.faq.class.php
    modify=20121006173923;perm=adfrw;size=1416;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.gettingstarted.class.php
    modify=20130627074009;perm=flcdmpe;type=cdir;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; .
    modify=20121006173925;perm=adfrw;size=5126;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.references.class.php
    modify=20121006173921;perm=adfrw;size=1702;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; view.page.class.php
    modify=20121006173925;perm=adfrw;size=7604;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.register.class.php
    modify=20121006173921;perm=adfrw;size=815;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; view.terms.class.php
    modify=20121006173926;perm=adfrw;size=659;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.sendpwsuccess.class.php
    modify=20121006173924;perm=adfrw;size=5823;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.purchase.class.php
    modify=20121006173922;perm=adfrw;size=886;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.downloads.class.php
    modify=20121006173924;perm=adfrw;size=3762;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.purchasecontact.class.php
    modify=20121006173922;perm=adfrw;size=696;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.disclaimer.class.php
    modify=20121006173921;perm=adfrw;size=2474;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.contact.class.php
    modify=20150810093042;perm=adfrw;size=2082;type=file;UNIX.group=578;UNIX.mode=0644;UNIX.owner=577; viewstate.product.class.php
    modify=20121006173942;perm=flcdmpe;type=pdir;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; ..
    modify=20121006173926;perm=adfrw;size=4404;type=file;UNIX.group=578;UNIX.mode=0755;UNIX.owner=577; viewstate.techspecs.class.php.old
}
-rw-r--r--   577      578         1702   Okt  6  2012   view.page.class.php
-rw-r--r--   577      578         2474   Okt  6  2012   viewstate.contact.class.php
-rw-r--r--   577      578          662   Okt  6  2012   viewstate.contactsuccess.class.php
-rw-r--r--   577      578          696   Okt  6  2012   viewstate.disclaimer.class.php
-rw-r--r--   577      578          886   Okt  6  2012   viewstate.downloads.class.php
-rw-r--r--   577      578          675   Okt  6  2012   viewstate.faq.class.php
-rwxr-xr-x   577      578         1416   Okt  6  2012   viewstate.gettingstarted.class.php
-rw-r--r--   577      578          687   Okt  6  2012   viewstate.imprint.class.php
-rw-r--r--   577      578          687   Okt  6  2012   viewstate.privacy.class.php
-rw-r--r--   577      578         2082   Aug 10  2015   viewstate.product.class.php
-rwxr-xr-x   577      578         5823   Okt  6  2012   viewstate.purchase.class.php
-rwxr-xr-x   577      578         3762   Okt  6  2012   viewstate.purchasecontact.class.php
-rwxr-xr-x   577      578         5126   Okt  6  2012   viewstate.references.class.php
-rw-r--r--   577      578         7604   Okt  6  2012   viewstate.register.class.php
-rw-r--r--   577      578          664   Okt  6  2012   viewstate.registersuccess.class.php
-rw-r--r--   577      578         1379   Okt  6  2012   viewstate.sendpassword.class.php
-rw-r--r--   577      578          659   Okt  6  2012   viewstate.sendpwsuccess.class.php
-rw-rw-r--   577      578         5128   Jun 27  2013   viewstate.techspecs.class.php
-rwxr-xr-x   577      578         4404   Okt  6  2012   viewstate.techspecs.class.php.old
-rw-r--r--   577      578          815   Okt  6  2012   view.terms.class.php

O== THE WEBPAGE of PROFTPD says this:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 The checks in question will specifically prevent any attempts to upload files into the /etc and /lib directories, or attempts to delete, create, rename, link, or otherwise try to change anything in these directories. All attempts to make modifications will be rejected with "Permission denied" errors. In addition, the following message will be logged (at debug level 2):

  WARNING: attempt to use sensitive path '/etc/file' within chroot '/home/user', rejecting
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

O== 

The path the file is in starts with /lib/, BUT it's not the /lib/ of the chroot
proftpd puts the user into. It's *A* path named lib in the user's home directory
structure.

Proftpd shows the correct full path as:

/opt/root/home/THEMAINUSERNAME/public_html/lib/view/page/viewstate.product.class.php

The chroot directory in this config states public_html as the base directory. public_html/lib/ becomes /lib/ of the chroot in this case => a sensitive directory per the definition of the proftpd devs.

In the real world, it's just a simple directory with no potential harm of any sort.
Please fix this.

Solution: 

An option to disable the above behavior WITHOUT disabling the chroot at all,
and enforce this ruleset:

check if the documentroot is a symlink (of any kind to anywhere),
proceed only if it is not one,
proceed only if the documentroot is equal to or a subdirectory of the user's home.

*solved*
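An added example, not from the report or from proftpd itself: the first function reconstructs the documented check (a path under /etc or /lib as seen from inside the chroot is rejected, whatever it is on the real filesystem), which is why the reporter's public_html/lib/ gets a 550; the second turns the reporter's proposed ruleset into a function. The directory tree and names are constructed to mirror the paths in the report.

```python
import os
import posixpath
import tempfile

# Directories the proftpd chroot hardening treats as sensitive (quoted in the report).
SENSITIVE_PREFIXES = ("/etc", "/lib")


def is_sensitive_chroot_path(chroot_relative_path):
    """Reconstruction of the documented check (not proftpd's own code):
    normalise the path as seen inside the chroot and reject it when it is,
    or lies under, /etc or /lib.  '..' components are collapsed first."""
    norm = posixpath.normpath("/" + chroot_relative_path.lstrip("/"))
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def docroot_is_safe_chroot_base(home, docroot):
    """The reporter's proposed ruleset: the chroot base must not be a symlink
    and must be the user's home or a directory beneath it.  Both sides are
    resolved with realpath so '..' and symlinked parents cannot escape home."""
    if os.path.islink(docroot):
        return False
    real_home = os.path.realpath(home)
    real_docroot = os.path.realpath(docroot)
    return os.path.commonpath([real_home, real_docroot]) == real_home


def demo():
    """Constructed tree shaped like the report: home/THEMAINUSERNAME/public_html/lib/..."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "THEMAINUSERNAME")
        docroot = os.path.join(home, "public_html")
        os.makedirs(os.path.join(docroot, "lib", "view", "page"))
        outside = os.path.join(root, "elsewhere")       # not under the user's home
        os.makedirs(outside)
        link = os.path.join(home, "www_link")           # symlink inside home -> outside
        os.symlink(outside, link)
        return {
            # the file from the report, as proftpd sees it inside the chroot
            "sensitive": is_sensitive_chroot_path("/lib/view/page/viewstate.product.class.php"),
            "docroot_ok": docroot_is_safe_chroot_base(home, docroot),   # home/public_html: fine
            "symlink_ok": docroot_is_safe_chroot_base(home, link),      # symlink: rejected
            "outside_ok": docroot_is_safe_chroot_base(home, outside),   # outside home: rejected
        }


if __name__ == "__main__":
    print(demo())
```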

Comment 1 customercare 2016-03-08 19:30:45 UTC
Solution:

"rlimitchroot off"

