RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:

The subject pretty much says it all.  A new configuration option (allow_writeable_chroot) was added to vsftpd, but it doesn't seem to have been added to the vsftpd.conf man page.  I've searched high and low, and I can find no indication that this was done intentionally to somehow try to hide it as a "dangerous" option to be used only by people who really know what they're doing or anything like that.  In fact a quick Googling around of the error message that results from the condition this new option was meant to address turns up several times "use allow_writeable_chroot=YES to fix it" with very little said about the security implications of doing so.

It seems that if there are security concerns using this option, it would be wise to go ahead and document this option in the man page, and spell out whatever security concerns in there may be, and propose alternate solutions to the problem, so the user can make an informed decision for themselves if they really want to turn it on or not from official documentation, instead of having to rely on "do this" from "some guy on the interwebs"...

Created attachment 1345978 [details]
patch

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0965