Security – vsftp: why is allow_writeable_chroot=YES a bad idea

chrootSecurityvsftpd

There are several thousand blog posts about vsftp and allow_writeable_chroot=YES

The common error message:

Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()

I solved the problem on my server.

But one question remains:

Why is it advisable to use allow_writeable_chroot=NO?

Up to now I only found nebulous arguments like "For security reasons".

What are these "security reasons"?

Best Answer

If the FTP credentials of a user (even a virtual user) with a writeable chroot get compromised, the attacker might conceivably be able to perform a ROARING BEAST ATTACK. To summarise my rough understanding of this attack, it involves exploiting the fact that some C libraries (perhaps including ones used by the FTP server) will look for dynamic libraries that they depend on at hard-coded paths in /etc or other common locations. The attacker uploads evil versions of those dynamic libraries to the /etc within the chroot, then sends a command to the (running-as-root) FTP server that induces it to run some code that loads in that dynamic library from /etc. The attacker's evil code then runs as root. This escalates the attack from a mere compromise of the user's FTP folder to rooting the entire machine.

Having a non-writeable chroot renders this attack impossible (unless you, the sysadmin, have unwisely created writeable folders with names like /etc and /lib within your FTP users' chroot directories).

Related Solutions

Ftp – VSFTP chroot_local_user doesn’t work

Do you have the chroot_list_enable option enabled? If so, any users listed in chroot_list_file will not be chrooted.

Ubuntu – vsftpd: ECONNREFUSED with “allow_writeable_chroot=YES”

In earlier versions, the allow_writeable_chroot=YES configuration option is not available (it was added in vsftpd version 3 onwards).

As the other answer states, you can create write permissions on subfolders, but keep the chroot folder (and hidden files within) read-only.

In my implementation, you can create another /home/username folder within the chroot. In this way, connecting to the FTP server will default into the user's home directory relative to the chroot.

In my user account creation script, this is how this is accomplished (all commands run as sudo):

chown root:root /home/$username
mkdir -p /home/$username/home/$username
chown $username:$username /home/$username/home/$username

Then, when a user logs into the ftp server, they have a new home folder relative to their chroot. They own this folder, and they can make changes within the folder. Additional configuration may be required to set it as their default login folder (passwd?); when a user clicks on their "home" button on whichever ftp client they are using, it will take them to this folder.

Best Answer

Related Solutions

Ftp – VSFTP chroot_local_user doesn’t work

Ubuntu – vsftpd: ECONNREFUSED with “allow_writeable_chroot=YES”

Related Topic