FTP server trouble

perot · April 1, 2020, 9:26pm

Need to install an FTP server. OpenWRT docs describe installation of vsftpd, proftpd and pure-ftpd. Only proftpd and pure-ftpd seem to not exist in OpenWRT v19.07.2? No maintainer?

So I installed vsftpd, being the only existing one. After mastering several idiosyncrasies, I'm stuck with

500 OOPS: vsftpd: refusing to run with writable root inside chroot()

The medium to be accessed is mounted on /storage, and this is to be the directory where ftp users can work. The ftp server runs on a travel router, is not accessible from WAN, and only me and my wife access it. So there are no security issues. So I decided to allow anonymous access only.

However the login fails with the message cited above. Plenty of advice from the Internet tells to use the

allow_writeable_chroot=YES

option which is available since version 3 of the daemon. The OpenWRT package has v3.0.3, but the option apparently has no effect whatsoever. Did the maintainer take out parts of the code? Or, what else could cause this problem?

Here is the vsftpd.conf

background=YES
listen=YES
anonymous_enable=YES
no_anon_password=YES
local_enable=NO
write_enable=YES
local_umask=022
check_shell=NO
session_support=NO
syslog_enable=YES
userlist_enable=NO
userlist_deny=YES
anon_root=/storage
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
connect_from_port_20=YES
ftp_data_port=20
delete_failed_uploads=YES
dirlist_enable=YES
download_enable=YES
connect_timeout=5
data_connection_timeout=15
pasv_enable=YES
pasv_min_port=10090
pasv_max_port=10100

tmomas · April 1, 2020, 10:19pm

Does this help?

perot · April 2, 2020, 10:02am

It worked by inspiring me to think of further experiments.

The first one is that I changed anon_root=/storage to anon_root=/. The ftp (or anonymous) user's home directory is /storage. Now I could login. BUT: Working directory at login is /, listing ("dir") the directory lists the root directory of the device. I could "cd" into /etc and list all the configuration files, and presumably mess them up too. This is unacceptable, of course, and it completely surprised me, as I had set

chroot_local_user=YES

for which the docs say

If set to YES, local users will be (by default) placed in a chroot() jail in
their home directory after login.

Obviously this didn't happen (there is no chroot exception list to make it deviate from default). Either this is another case where the OpenWRT version of vsftpd deviates from upstream, or the anonymous user is not considered a local user (even though there is a /etc/passwd entry for it). But, what bizarre logic is that: local users, which are supposed to be more trustable than anonymous, are jailed while anonymous can roam freely? There seems to be no option available to specifically jail the anonymous user.

My other experiment was about moving the home directory to /storage/ftp. So I changed /etc/passwd to reflect this, created the /storage/ftp directory, and reverted to anon_root=/storage. With that change I'm back to what I had before:

500 OOPS: vsftpd: refusing to run with writable root inside chroot()

and, like before, allow_writeable_chroot=YES did not have any effect whatsoever. So it seems the only way to get it working like this is by removing all the write permissions from /storage. But that is silly, as I have half a dozen other services related to that directory, like samba, nfs, etc., those would break, or be rendered useless. Conversely, with write permission, some samba user, for instance, may accidentally delete the /storage/ftp directory, presumably disabling ftp login.

I read the clear statement that enforcing non-writable root is a security measure introduced in version 3, with the option to switch it off (allow_writeable_chroot) implemented at the same time, recognising the measure could be harmful. So there should be no way of the measure biting me with no way to switch it off. Then, why does allow_writeable_chroot not work? Did some security-moron(*) take the code out?

I looked for the source under openwrt.git/tree, but I cannot find it there. Where should I look for the source of the OpenWRT package of vsftpd?

(*) security-moron: security fanatic that fails to realise that any security measure under certain circumstances can do little good but great harm.

perot · April 2, 2020, 12:15pm

Hmm, maybe that was wrong information. On the webpage suggested by tmomas I found the following remark:

Somebody backported the feature to add allow_writeable_chroot=YES 
from version 3.0.0 to 2.3.5

That would indicate the discussed security measure was introduced in version 2.3.5 or earlier.

winhex · December 2, 2020, 11:01am

I ran into same problem. Anyone have some ideas?

ppwwyyxx · January 5, 2022, 1:30am

Turns out that's because the option allow_writeable_chroot is meaningless in anonymous mode:

github.com

djarosz/vsftpd/blob/afa02b8c085feb0174ab8d465d67a6f5c1e75bda/twoprocess.c#L452-L455

    
      
          if (!was_anon && tunable_allow_writeable_chroot)
          {
            secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;
          }