File vsftpd-root-squashed-chroot.patch of Package vsftpd
---
parseconf.c | 1 +
secutil.c | 6 ++++--
secutil.h | 2 ++
tunables.c | 2 ++
tunables.h | 1 +
twoprocess.c | 6 ++++++
vsftpd.conf | 4 ++++
vsftpd.conf.5 | 7 +++++++
8 files changed, 27 insertions(+), 2 deletions(-)
Index: vsftpd-3.0.2/tunables.c
===================================================================
--- vsftpd-3.0.2.orig/tunables.c
+++ vsftpd-3.0.2/tunables.c
@@ -88,6 +88,7 @@ int tunable_ftp_enable;
int tunable_http_enable;
int tunable_seccomp_sandbox;
int tunable_allow_writeable_chroot;
+int tunable_allow_root_squashed_chroot;
unsigned int tunable_accept_timeout;
unsigned int tunable_connect_timeout;
@@ -228,6 +229,7 @@ tunables_load_defaults()
tunable_http_enable = 0;
tunable_seccomp_sandbox = 1;
tunable_allow_writeable_chroot = 0;
+ tunable_allow_root_squashed_chroot = 0;
tunable_accept_timeout = 60;
tunable_connect_timeout = 60;
Index: vsftpd-3.0.2/tunables.h
===================================================================
--- vsftpd-3.0.2.orig/tunables.h
+++ vsftpd-3.0.2/tunables.h
@@ -89,6 +89,7 @@ extern int tunable_ftp_enable;
extern int tunable_http_enable; /* Allow HTTP protocol */
extern int tunable_seccomp_sandbox; /* seccomp filter sandbox */
extern int tunable_allow_writeable_chroot; /* Allow misconfiguration */
+extern int tunable_allow_root_squashed_chroot;/* Allow chroot on squashed root nfs */
/* Integer/numeric defines */
extern unsigned int tunable_accept_timeout;
Index: vsftpd-3.0.2/parseconf.c
===================================================================
--- vsftpd-3.0.2.orig/parseconf.c
+++ vsftpd-3.0.2/parseconf.c
@@ -107,6 +107,7 @@ parseconf_bool_array[] =
{ "http_enable", &tunable_http_enable },
{ "seccomp_sandbox", &tunable_seccomp_sandbox },
{ "allow_writeable_chroot", &tunable_allow_writeable_chroot },
+ { "allow_root_squashed_chroot", &tunable_allow_root_squashed_chroot },
{ 0, 0 }
};
Index: vsftpd-3.0.2/twoprocess.c
===================================================================
--- vsftpd-3.0.2.orig/twoprocess.c
+++ vsftpd-3.0.2/twoprocess.c
@@ -164,6 +164,9 @@ drop_all_privs(void)
{
str_alloc_text(&dir_str, tunable_secure_chroot_dir);
}
+ if (tunable_allow_root_squashed_chroot) {
+ option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
+ }
/* Be kind: give good error message if the secure dir is missing */
{
struct vsf_sysutil_statbuf* p_statbuf = 0;
@@ -453,6 +456,9 @@ common_do_login(struct vsf_session* p_se
{
secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;
}
+ if (do_chroot && tunable_allow_root_squashed_chroot) {
+ secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
+ }
calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
p_user_str, p_orig_user_str);
vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
Index: vsftpd-3.0.2/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf.5
+++ vsftpd-3.0.2/vsftpd.conf.5
@@ -42,6 +42,13 @@ connections.
Default: NO
.TP
+.B allow_root_squashed_chroot
+If set to YES, chroot is called with non-root credentials. This enabled chroot
+on squashed nfs. This option is applied only if chroot is performed, otherwise
+ignored.
+
+Default: NO
+.TP
.B anon_mkdir_write_enable
If set to YES, anonymous users will be permitted to create new directories
under certain conditions. For this to work, the option
Index: vsftpd-3.0.2/vsftpd.conf
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf
+++ vsftpd-3.0.2/vsftpd.conf
@@ -64,6 +64,10 @@ local_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
+# Performs chroot with original (non-root) credentials. This is usefull on nfs with squash_root,
+# where root becomes nobody and would need -x access.
+#allow_root_squashed_chroot=YES
+#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#local_max_rate=7200
