Chroot in ftpd on newer kernel versions

Harald Becker ralda at gmx.de
Wed Oct 3 03:47:12 UTC 2012


Hi Rich !

On 02-10-2012 22:56 Rich Felker <dalias at aerifal.cx> wrote:

>chroot has never been possible for non-root users. Allowing non-root
>users to chroot will almost surely allow them to obtain root if there
>are any suid-root binaries on the system.

At least on some 2.6 kernel versions I had been able to chroot to
accessible directories as non-root. And sure, if there are suid-root
programs inside the chroot path you may obtain such rights, but this is
true even before you do a chroot. I do not use the chroot for the sake of
security, I use it for a kind of novice protection and simplicity. Here I
wanted to isolate Busybox ftpd (which is a pure anonymous access
server) to a specific path, so users do not see (or accidentally try
to access) other files via ftp access.

>I would urge you not to even think of using any ftpd except vsftpd.
>I've never seen another one that's remotely secure.

vsftpd is a separate program/package. I just have Busybox in a pure
initramfs environment on that small machine (at least at the maintenance
step where I have tried to use the machine). If a more secure ftpd
became part of Busybox I could switch to that one, but there is no
option of installing a different package. ... and I'm not talking
about a publicly accessible machine (where security issues could be
fatal). My machine sits behind a firewall and access is only from a
small home LAN.

I'm talking about the Busybox ftpd applet, which contains a chroot
(working only when run as root) but does not have code to drop
privileges to a different user after doing the chroot. So I call this an
issue in using that applet. There is at least some inconsistency, and
I'm asking how it could best be solved to BE ABLE TO USE the Busybox
ftpd for anonymous access to files in a limited path as a non-root
user. This could all be nice for simple setups sharing a set of
files in a small LAN for doing some maintenance steps.

Do you really complain about not using Busybox ftpd for such a purpose?
How do you build and install different ftpd packages without even
having a compiler on the machine (yet)? ... before you are able to get
things ready to build different packages.

--
Harald
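The sequence the message says the ftpd applet lacks, chroot while still root and then give up root before serving, as an added example in C. This is not Busybox code and not the ftpd applet's API; the directory /srv/ftp and the uid/gid 65534 ("nobody" on many systems) are assumptions. The order is the point: chdir into the directory before chroot, drop supplementary groups and the gid before the uid (once the uid is non-zero, setgid would fail), and finally confirm that root cannot be regained, since a process that stays root inside a chroot is not confined by it.

```c
/* Added example, not Busybox code: confine a root-started daemon to a
 * directory and drop to an unprivileged uid/gid, in the right order.
 * Assumed values: directory /srv/ftp, uid/gid 65534 (nobody). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Confine the calling process to 'dir' and switch to uid/gid.
 * Returns 0 on success, or a negative errno value on failure.
 * Must be called while still root: chroot() needs CAP_SYS_CHROOT. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    /* Refuse to "drop" to root; the whole point is to end up unprivileged. */
    if (uid == 0 || gid == 0)
        return -EINVAL;

    /* chdir before chroot, so the working directory is inside the new
     * root. A cwd left outside the jail is the classic chroot escape. */
    if (chdir(dir) != 0)
        return -errno;
    if (chroot(dir) != 0)
        return -errno;
    /* chroot() does not touch the cwd; pin it to the jail's root. */
    if (chdir("/") != 0)
        return -errno;

    /* Drop supplementary groups first, while still root. */
    if (setgroups(0, NULL) != 0)
        return -errno;
    /* gid before uid: after the uid drop, setresgid() would be refused. */
    if (setresgid(gid, gid, gid) != 0)
        return -errno;
    if (setresuid(uid, uid, uid) != 0)
        return -errno;

    /* Verify the drop is irreversible: regaining root must now fail,
     * and real/effective uid must both be the target. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/srv/ftp";   /* assumed path */
    uid_t uid = 65534;                                   /* assumed: nobody */
    gid_t gid = 65534;
    int rc = jail_and_drop(dir, uid, gid);
    if (rc != 0) {
        fprintf(stderr, "jail_and_drop(%s): %s\n", dir, strerror(-rc));
        return 1;
    }
    printf("confined to %s as uid %u, gid %u\n",
           dir, (unsigned)getuid(), (unsigned)getgid());
    /* A server would begin accepting clients only from this point on. */
    return 0;
}
```

Run as root with the directory as the argument; unprivileged, it fails at chroot() with EPERM, which is the kernel behaviour Rich describes. The two argument checks (a root target uid/gid, a directory that does not exist) fail closed before any state is changed, so a misconfiguration never leaves the process half-confined.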

