Public bug reported:
Release: Ubuntu 18.04.1 LTS
Vsftpd: 3.0.3-9build1
Used this as reference: https://security.appspot.com/vsftpd/vsftpd_conf.html
Situation:
I have the following configuration in /etc/vsftpd.conf (irrelevant &
unmodified package defaults not included, assume the default values for
those options)
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES // correct spelling for this build
write_enable=YES
dirlist_enable=YES
download_enable=YES
- The local user I want to login with has a home directory set /home/username
- The local user has for the sake of the test his home directory user & group
mod set to rwx.
- The user has a valid shell assigned.
- In the local users home directory I have created a folder and a file with
user & group mod rwx. The user is owner of those files.
Note: this is not a real-life configuration, but the minimal that
reproduce the bug for me.
Expected result:
- I can login as local user
- I am chrooted to /home/username
- I can upload files
- I can download files
- I can see files and directories I have created in his home directory
Actual result:
- I can login as local user
- I am chrooted to /home/username, proven by toggling allow_writeable_chroot to
NO and vsftpd denying access, toggling it to YES again regaining "access" again.
- I can NOT upload files
- I can not download files
- I can not see files and directories I have created in home directory
Additional discoveries:
When I set the option anon_world_readable_only to NO, files and
directories become visible in the local users home directory.
When I set it back to YES and set world mod to r, it also becomes
visible.
Accordingly, all other anon_*-options enable
uploads/downloads/deletions.
Also tested: Anonymous login is NOT possible
** Affects: vsftpd (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
Release: Ubuntu 18.04.1 LTS
Vsftpd: 3.0.3-9build1
Used this as reference: https://security.appspot.com/vsftpd/vsftpd_conf.html
Situation:
I have the following configuration in /etc/vsftpd.conf (irrelevant &
unmodified package defaults not included, assume the default values for
those options)
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES // correct spelling for this build
write_enable=YES
dirlist_enable=YES
download_enable=YES
- The local user I want to login with has a home directory set /home/username
- - The local userh as
- The local user has for the sake of the test his home directory user & group
mod set to rwx.
- The user has a valid shell assigned.
- In the local users home directory I have created a folder and a file with
user & group mod rwx. The user is owner of those files.
Note: this is not a real-life configuration, but the minimal that
reproduce the bug for me.
Expected result:
- I can login as local user
- I am chrooted to /home/username
- I can upload files
- I can download files
- I can see files and directories I have created in his home directory
Actual result:
- I can login as local user
- I am chrooted to /home/username, proven by toggling allow_writeable_chroot
to NO and vsftpd denying access, toggling it to YES again regaining "access"
again.
- I can NOT upload files
- I can not download files
- I can not see files and directories I have created in home directory
Additional discoveries:
When I set the option anon_world_readable_only to NO, files and
directories become visible in the local users home directory.
When I set it back to YES and set world mod to r, it also becomes
visible.
Accordingly, all other anon_*-options enable
uploads/downloads/deletions.
** Description changed:
Release: Ubuntu 18.04.1 LTS
Vsftpd: 3.0.3-9build1
Used this as reference: https://security.appspot.com/vsftpd/vsftpd_conf.html
Situation:
I have the following configuration in /etc/vsftpd.conf (irrelevant &
unmodified package defaults not included, assume the default values for
those options)
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES // correct spelling for this build
write_enable=YES
dirlist_enable=YES
download_enable=YES
- The local user I want to login with has a home directory set /home/username
- The local user has for the sake of the test his home directory user & group
mod set to rwx.
- The user has a valid shell assigned.
- In the local users home directory I have created a folder and a file with
user & group mod rwx. The user is owner of those files.
Note: this is not a real-life configuration, but the minimal that
reproduce the bug for me.
Expected result:
- I can login as local user
- I am chrooted to /home/username
- I can upload files
- I can download files
- I can see files and directories I have created in his home directory
Actual result:
- I can login as local user
- I am chrooted to /home/username, proven by toggling allow_writeable_chroot
to NO and vsftpd denying access, toggling it to YES again regaining "access"
again.
- I can NOT upload files
- I can not download files
- I can not see files and directories I have created in home directory
Additional discoveries:
When I set the option anon_world_readable_only to NO, files and
directories become visible in the local users home directory.
When I set it back to YES and set world mod to r, it also becomes
visible.
Accordingly, all other anon_*-options enable
uploads/downloads/deletions.
+
+ Also tested: Anonymous login is NOT possible
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802890
Title:
vsftpd local user treated as anonymous users in regards to permissions
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1802890/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
