|Summary:||ftp/proftpd bug, chroot does not allow for access to or creation of folders named 'lib'|
|Product:||Ports & Packages||Reporter:||Paul Macdonald <paul>|
|Component:||Individual Port(s)||Assignee:||Martin Matuska <mm>|
|Severity:||Affects Many People||CC:||000.fbsd, pi, w.schwarzenfeld|
Description Paul Macdonald 2015-03-26 22:53:43 UTC
FreeBSD Proftpd with chroot on (default root ~) does not allow for the creation of, or uploading to folders named 'lib' Upstream To test if this is an upstream problem with proftpd I have installed proftpd-basic_1.3.4a-5+deb7u2_armhf.deb onto a raspberry pi to test but can create and upload to 'lib' folders there. Additional As many wordpress plugins use such folders, this is quite problematic.
Comment 1 Mark Linimon 2015-03-27 02:58:42 UTC
Fix Summary and assign.
Comment 2 Kurt Jaeger 2015-03-30 13:51:15 UTC
There is a special case in src/fsio.c, mentioning https://auscert.org.au/15286 https://auscert.org.au/15526 which basically says: We do not allow uploads to /etc and /lib if chrooted. Those are old CERT alerts, so someone needs to check if proftpd on FreeBSD is still vulnerable to that attack vector.
Comment 3 Paul Macdonald 2015-04-17 10:11:41 UTC
Not a fix, but as a workaround you can give users a login to a folder above, which makes it /parent/lib instead of /lib.
Comment 4 Miroslav Lachman 2015-05-20 16:28:40 UTC
It is sad, because we have hundereds of domains (FTP users) on our servers using ProFTPd, so we can not change directory layout and some of our clients are using ~/lib/ for libraries of PHP webapplications for many years - and now are inaccessible.
Comment 5 Walter Schwarzenfeld 2018-01-12 21:54:25 UTC
Is this still relevant?
Comment 6 Miroslav Lachman 2018-01-12 22:58:29 UTC
(In reply to w.schwarzenfeld from comment #5) Yes, it is still relevant for proftpd-1.3.6 "lib" cennot be created (or accessed): Status: Creating directory '/lib'... Command: MKD lib Response: 550 lib: Permission denied Command: MKD /lib Response: 550 /lib: Permission denied "lib2" was successfully created: Status: Creating directory '/lib2'... Status: Retrieving directory listing of "/lib2"... Status: Directory listing of "/lib2" successful
Comment 7 Martin Matuska 2019-03-19 00:11:33 UTC
Did you consider using ftp/proftpd-mod_vroot? http://www.castaglia.org/proftpd/modules/mod_vroot.html
Comment 8 Miroslav Lachman 2019-03-25 21:06:08 UTC
(In reply to Martin Matuska from comment #7) No. And from the manpage I don't know how it should be configured to use current directory layout but allow us to use "lib" directory as it was possible back in the days. ProFTPd is causing me more and more headaches (segfaulting regularly after midnight logrotation) that I am more and more heading to switch to another FTP daemon with similar functionalities.