palswim
Posts: 15
Joined: Thu Jan 09, 2014 9:15 pm

ProFTPD can't chroot

Thu Jan 09, 2014 10:14 pm

Raspberry Pi, Model A, running XBian 1.02B

I installed ProFTPD, and attempted to configure it with the DefaultRoot directive (both with "DefaultRoot ~" and "DefaultRoot /absolute/path"). But, I noticed that ProFTPD would start me in the filesystem root no matter what.

So, I checked the logs to see if they were reporting any chroot errors. But, they didn't seem to show anything out of the ordinary:

    Jan 00 00:00:00 server proftpd[PID] server (0.0.0.0[0.0.0.0]): FTP session opened.
    Jan 00 00:00:02 server proftpd[PID] server (0.0.0.0[0.0.0.0]): Preparing to chroot to directory '/absolute/path'
    Jan 00 00:00:02 server proftpd[PID] server (0.0.0.0[0.0.0.0]): USER user: Login successful.

It seems that ProFTPD does a chroot, and then serves the root directory, but in this case the chroot call does nothing, so it serves the actual root directory.

Config:

    Include /etc/proftpd/modules.conf
    UseIPv6 on
    IdentLookups off
    ServerType inetd
    DeferWelcome off
    MultilineRFC2228 on
    DefaultServer on
    ShowSymlinks on
    TimeoutNoTransfer 600
    TimeoutStalled 600
    TimeoutIdle 1200
    DisplayLogin welcome.msg
    DisplayChdir .message true
    ListOptions "-l"
    DenyFilter \*.*/
    Port 21
    User proftpd
    Group nogroup
    Umask 022 022
    AllowOverwrite on
    DefaultRoot ~
    <Limit LOGIN>
      AllowGroup fileusers
      DenyAll
    </Limit>
    SetEnv TZ :/etc/localtime
    <IfModule mod_quotatab.c>
      QuotaEngine off
    </IfModule>
    <IfModule mod_ratio.c>
      Ratios off
    </IfModule>
    <IfModule mod_delay.c>
      DelayEngine on
    </IfModule>
    <IfModule mod_ctrls.c>
      ControlsEngine off
      ControlsMaxClients 2
      ControlsLog /var/log/proftpd/controls.log
      ControlsInterval 5
      ControlsSocket /var/run/proftpd/proftpd.sock
    </IfModule>
    <IfModule mod_ctrls_admin.c>
      AdminControlsEngine off
    </IfModule>
    Include /etc/proftpd/conf.d/
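
A way to check the first post's question directly, as an added example that is not part of the thread: after a real chroot(2), a session process's /proc/PID/root link points at the jail directory, so a logged-in session still rooted at / was not confined by the kernel. The function name, its two parameters and the 'proftpd*' pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list FTP daemon processes whose
# kernel-level root directory is still "/".
# PROC_DIR and NAME_PATTERN are parameters of this example so the check can be
# run against a constructed directory tree as well as the live /proc.

# unconfined_ftp_pids PROC_DIR NAME_PATTERN
# Prints "PID ROOT" for every process whose comm matches NAME_PATTERN (a shell
# glob) and whose root link resolves to "/". Returns 1 if any was found.
unconfined_ftp_pids() {
    proc_dir=$1
    pattern=$2
    found=0
    for dir in "$proc_dir"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case $comm in
            $pattern) ;;          # unquoted on purpose: treated as a glob
            *) continue ;;
        esac
        # /proc/PID/root is a symlink to the process's root directory.
        # Reading it for another user's process requires root privileges;
        # unreadable entries are skipped rather than reported.
        root=$(readlink "$dir/root" 2>/dev/null) || continue
        if [ "$root" = "/" ]; then
            echo "${dir##*/} $root"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Live use (as root, while an FTP session is logged in):
#   unconfined_ftp_pids /proc 'proftpd*'
```

A virtual chroot such as mod_vroot is enforced inside the daemon rather than by chroot(2), so its sessions are expected to show / here; so are listener processes and sessions that have not logged in yet.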

palswim
Posts: 15
Joined: Thu Jan 09, 2014 9:15 pm

Re: ProFTPD can't chroot

Wed Jan 15, 2014 7:44 am

In essence, I'm wondering, who has the problem, ProFTPD's mod_vroot, XBian's chroot, or someone else?

DougieLawson
Posts: 41309
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: ProFTPD can't chroot

Wed Jan 15, 2014 7:55 am

Why are you trying to run an ftp daemon?
Use the secure ftp (sftp) feature of sshd, it's already running if sshd is active.
Any language using left-hand whitespace for syntax is ridiculous

Any DMs sent on Twitter will be answered next month.
Fake doctors - are all on my foes list.

Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

palswim
Posts: 15
Joined: Thu Jan 09, 2014 9:15 pm

Re: ProFTPD can't chroot

Thu Mar 27, 2014 6:42 pm

DougieLawson wrote: Why are you trying to run an ftp daemon?
Use the secure ftp (sftp) feature of sshd, it's already running if sshd is active.

We can start another discussion about using SFTP instead of FTP, but I'm mainly asking about the chroot ability of the Raspbian (or XBian) system.

palswim
Posts: 15
Joined: Thu Jan 09, 2014 9:15 pm

Re: ProFTPD can't chroot

Thu Mar 27, 2014 7:14 pm

I tried a similar setup with Pure-FTPd, and the chroot feature doesn't work with Pure-FTPd, either. It seems like Raspbian's (or XBian's) chroot doesn't work in the way ProFTPD or Pure-FTPd expect.

DougieLawson
Posts: 41309
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: ProFTPD can't chroot

Fri Mar 28, 2014 12:13 am

If you insist on running ProFTPD then DO NOT EVER open port forwarding. It's a MASSIVE security exposure.

Change

    DefaultRoot ~

To

    DefaultRoot /home/someone/somewhere/somesubdirectory

Then make sure you have the right permissions and ownership set on that directory.

palswim
Posts: 15
Joined: Thu Jan 09, 2014 9:15 pm

Re: ProFTPD can't chroot

Wed Jul 23, 2014 12:16 am

palswim wrote: I tried a similar setup with Pure-FTPd, and the chroot feature doesn't work with Pure-FTPd, either. It seems like Raspbian's (or XBian's) chroot doesn't work in the way ProFTPD or Pure-FTPd expect.

Update: I did eventually accomplish this with Pure-FTPd's Virtual Chroot feature. I added the following line to my inetd config:

    ftp	stream	tcp	nowait	root	/usr/sbin/tcpd	/usr/sbin/pure-ftpd-wrapper virtualchroot
