--- parseconf.c | 1 + secutil.c | 6 ++++-- secutil.h | 2 ++ tunables.c | 2 ++ tunables.h | 1 + twoprocess.c | 6 ++++++ vsftpd.conf | 4 ++++ vsftpd.conf.5 | 7 +++++++ 8 files changed, 27 insertions(+), 2 deletions(-) Index: vsftpd-3.0.2/tunables.c =================================================================== --- vsftpd-3.0.2.orig/tunables.c +++ vsftpd-3.0.2/tunables.c @@ -88,6 +88,7 @@ int tunable_ftp_enable; int tunable_http_enable; int tunable_seccomp_sandbox; int tunable_allow_writeable_chroot; +int tunable_allow_root_squashed_chroot; unsigned int tunable_accept_timeout; unsigned int tunable_connect_timeout; @@ -228,6 +229,7 @@ tunables_load_defaults() tunable_http_enable = 0; tunable_seccomp_sandbox = 1; tunable_allow_writeable_chroot = 0; + tunable_allow_root_squashed_chroot = 0; tunable_accept_timeout = 60; tunable_connect_timeout = 60; Index: vsftpd-3.0.2/tunables.h =================================================================== --- vsftpd-3.0.2.orig/tunables.h +++ vsftpd-3.0.2/tunables.h @@ -89,6 +89,7 @@ extern int tunable_ftp_enable; extern int tunable_http_enable; /* Allow HTTP protocol */ extern int tunable_seccomp_sandbox; /* seccomp filter sandbox */ extern int tunable_allow_writeable_chroot; /* Allow misconfiguration */ +extern int tunable_allow_root_squashed_chroot;/* Allow chroot on squashed root nfs */ /* Integer/numeric defines */ extern unsigned int tunable_accept_timeout; Index: vsftpd-3.0.2/parseconf.c =================================================================== --- vsftpd-3.0.2.orig/parseconf.c +++ vsftpd-3.0.2/parseconf.c @@ -107,6 +107,7 @@ parseconf_bool_array[] = { "http_enable", &tunable_http_enable }, { "seccomp_sandbox", &tunable_seccomp_sandbox }, { "allow_writeable_chroot", &tunable_allow_writeable_chroot }, + { "allow_root_squashed_chroot", &tunable_allow_root_squashed_chroot }, { 0, 0 } }; Index: vsftpd-3.0.2/twoprocess.c =================================================================== --- vsftpd-3.0.2.orig/twoprocess.c +++ vsftpd-3.0.2/twoprocess.c @@ -164,6 +164,9 @@ drop_all_privs(void) { str_alloc_text(&dir_str, tunable_secure_chroot_dir); } + if (tunable_allow_root_squashed_chroot) { + option |= VSF_SECUTIL_OPTION_CHANGE_EUID; + } /* Be kind: give good error message if the secure dir is missing */ { struct vsf_sysutil_statbuf* p_statbuf = 0; @@ -453,6 +456,9 @@ common_do_login(struct vsf_session* p_se { secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT; } + if (do_chroot && tunable_allow_root_squashed_chroot) { + secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID; + } calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str, p_user_str, p_orig_user_str); vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str, Index: vsftpd-3.0.2/vsftpd.conf.5 =================================================================== --- vsftpd-3.0.2.orig/vsftpd.conf.5 +++ vsftpd-3.0.2/vsftpd.conf.5 @@ -42,6 +42,13 @@ connections. Default: NO .TP +.B allow_root_squashed_chroot +If set to YES, chroot is called with non-root credentials. This enabled chroot +on squashed nfs. This option is applied only if chroot is performed, otherwise +ignored. + +Default: NO +.TP .B anon_mkdir_write_enable If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option Index: vsftpd-3.0.2/vsftpd.conf =================================================================== --- vsftpd-3.0.2.orig/vsftpd.conf +++ vsftpd-3.0.2/vsftpd.conf @@ -64,6 +64,10 @@ local_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd.chroot_list # +# Performs chroot with original (non-root) credentials. This is usefull on nfs with squash_root, +# where root becomes nobody and would need -x access. +#allow_root_squashed_chroot=YES +# # The maximum data transfer rate permitted, in bytes per second, for # local authenticated users. The default is 0 (unlimited). #local_max_rate=7200