"anon_umask" option doesn't work

Bug #74173 reported by Maciej Słojewski
Affects | Status | Importance | Assigned to | Milestone
vsftpd (Debian) | Fix Released | Unknown | |
vsftpd (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: vsftpd

Shortly speaking:

"anon_umask" parameter does not work. It is expected that for new files copied to the ftp host the file attributes will change to the value specified with "anon_umask". Regardless of the "anon_umask" value, the attributes of newly copied files are set to 0600 (octal value).

Example:

vsftpd.conf :
(...)
anon_umask=022
(...)

should give:

-rw-r--r-- that is 0644 (octal value)

nevertheless it is still
-rw------- that is 0600 (octal value)

The practical implication is that after copying some files to the ftp site nobody besides the ftp site owner is able to see the files. It shouldn't be like this.

I've checked:
version 2.0.4 of vsftpd on Kubuntu 6.06 LTS
version 2.0.4 of vsftpd on Kubuntu 6.10
version 2.0.5 compiled from source on Kubuntu 6.06 LTS
version 2.0.5 compiled from source on Kubuntu 6.10

None of the above worked properly. The problem was reported several times on internet forums (linuxquestions.org, ubuntuforums.org to give a few) by different people:
http://www.linuxquestions.org/questions/showthread.php?t=168393&highlight=anon_umask
http://ubuntuforums.org/showthread.php?t=224603&highlight=mslonik

Kind regards,
Maciej (mslonik)

Some important info:

My root ftp directory:

$ ls -lah
razem 36K
drwxr-xr-x 8 root root 4,0K 2006-12-03 11:16 .
drwxr-xr-x 8 root root 4,0K 2006-11-20 18:42 ..
-rw-r--r-- 1 root root 76 2006-11-18 13:55 czytaj.txt
drwxr-xr-x 4 ftp nogroup 4,0K 2006-12-02 14:24 download
drwxr-xr-x 3 ftp nogroup 4,0K 2006-11-12 20:40 erotyka_foto
drwxr-xr-x 9 ftp nogroup 4,0K 2006-09-17 22:37 maciej
drwxr-xr-x 3 ftp nogroup 4,0K 2006-12-01 21:25 rowery
drwxrwxrwx 3 ftp nogroup 4,0K 2006-12-02 15:42 upload
drwxr-xr-x 2 maciej maciej 4,0K 2006-12-01 21:12 wyklady_MIT

$ sudo cat /etc/vsftpd.conf
# --------------------------------------------------------
# VSFTPD SERVER START SECTION
# --------------------------------------------------------

nopriv_user=vsftpd
secure_chroot_dir=/var/run/vsftpd
listen=YES
background=NO
connect_from_port_20=YES

download_enable=YES
write_enable=YES

# --------------------------------------------------------
# LOCAL USERS SECTION
# --------------------------------------------------------
local_enable=NO

# --------------------------------------------------------
# ANONYMOUS SECTION
# --------------------------------------------------------
anonymous_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
anon_world_readable_only=YES

chown_uploads=YES
chown_username=maciej
anon_umask=022
file_open_mode=0666

ftp_username=ftp
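
One way to check the behaviour described in this report on a server, as an added example that is not part of the original bug report: the script computes the mode that file_open_mode and anon_umask call for and lists uploads that deviate from it. The function names and the sample files are hypothetical; the defaults (0666 and 077) are the ones documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the bug report): audit anonymous upload modes
# against the mode that vsftpd.conf asks for.

# Print the last KEY=value setting in CONF, or DEFAULT when it is absent.
conf_get() (  # conf_get CONF KEY DEFAULT
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    v=${v:-$3}
    # Digits only: the value is substituted into shell arithmetic below.
    case $v in *[!0-9]*) echo "bad $2 value: $v" >&2; exit 1 ;; esac
    printf '%s\n' "$v"
)

# Mode a new anonymous upload should get: file_open_mode & ~anon_umask.
# Defaults are those in vsftpd.conf(5). As in vsftpd, a value without a
# leading 0 is read as decimal, so anon_umask=22 is not anon_umask=022.
expected_mode() (  # expected_mode CONF
    open=$(conf_get "$1" file_open_mode 0666) || exit 1
    mask=$(conf_get "$1" anon_umask 077) || exit 1
    printf '%o\n' "$(( $open & ~$mask & 0777 ))"
)

# List regular files under DIR whose permission bits differ from that mode.
audit_uploads() (  # audit_uploads CONF DIR
    want=$(expected_mode "$1") || exit 1
    find "$2" -type f ! -perm "$want" | sort
)

# Constructed sample: the reporter's three settings and two fake uploads,
# one with the expected mode and one with the 0600 the report describes.
demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    mkdir "$d/upload"
    printf '%s\n' chown_uploads=YES anon_umask=022 file_open_mode=0666 \
        > "$d/vsftpd.conf"
    : > "$d/upload/ok.bin";  chmod 644 "$d/upload/ok.bin"
    : > "$d/upload/bug.bin"; chmod 600 "$d/upload/bug.bin"
    cd "$d" && audit_uploads vsftpd.conf upload
)

demo
```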

Holger Mickler (mickler) wrote : Current version of vsftp is 2.0.3-1, bug is still not resolved...

Dear Daniel Jacobowitz,

I have the same problem as Eric with the current version of vsftpd.
You have not commented on his bug-report, is it to be resolved in the
near future?

Thanks,
   Holger Mickler

Daniel Jacobowitz (drow) wrote : Re: Bug#269193: Current version of vsftp is 2.0.3-1, bug is still not resolved...

On Wed, Oct 05, 2005 at 12:14:51PM +0200, Holger Mickler wrote:
> Dear Daniel Jacobowitz,
>
> I have the same problem as Eric with the current version of vsftpd.
> You have not commented on his bug-report, is it to be resolved in the
> near future?

Sorry, I haven't had a chance to look at vsftpd bugs lately. I'm going
to have to run this one by Chris...

--
Daniel Jacobowitz
CodeSourcery, LLC

Maciej Słojewski (mslonik) wrote :

description: updated
Sebastian Łuczak (nightwish86) wrote :

I'm affected by the same problem. The option "anon_umask" is broken. Changing anon_umask to 0000 gives all files uploaded by anonymous a 0666 chmod, while anon_umask=020 gives 0600.

Adam Wendt (adam-ipwebdev) wrote :
Changed in vsftpd:
status: Unconfirmed → Confirmed
Changed in vsftpd:
status: Unknown → Unconfirmed
Bruno Cornec (bruno-cornec) wrote : Proposal of patch

Hello,

I'm not a Debian contributor, but a Mandriva one.
Here is the patch I made for the Mandriva cooker package.
Maybe it could be useful, or at least serve as a base for discussion:

--- vsftpd-2.0.5/postlogin.c.orig 2007-05-02 19:43:54.000000000
+0200
+++ vsftpd-2.0.5/postlogin.c 2007-05-02 19:44:28.000000000 +0200
@@ -1009,7 +1009,7 @@
   /* Are we required to chown() this file for security? */
   if (p_sess->is_anonymous && tunable_chown_uploads)
   {
- vsf_sysutil_fchmod(new_file_fd, 0600);
+ vsf_sysutil_fchmod(new_file_fd, (0777 & ~tunable_anon_umask));
     if (tunable_one_process_model)
     {
       vsf_one_process_chown_upload(p_sess, new_file_fd);
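
Review bot: On the replaced vsf_sysutil_fchmod line, masking against 0777 leaves the execute bits set, so anon_umask=022 yields 0755 rather than the 0644 the report expects for an uploaded file. Mask against the configured file creation mode instead (file_open_mode, 0666 in the reporter's config), for example tunable_file_open_mode & ~tunable_anon_umask, so that a chown'ed anonymous upload never becomes executable. The comment above the block says the chown is done for security, so it would also help to document there why the mode is now derived from the umask instead of the fixed 0600.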

HTH,
Bruno.
--
Linux Profession Lead EMEA / Open Source Evangelist \ HP C&I EMEA IET
http://www.mondorescue.org / HP/Intel Solution Center \ http://hpintelco.net
Des infos sur Linux? http://www.HyPer-Linux.org http://www.hp.com/linux
La musique ancienne? http://www.musique-ancienne.org http://www.medieval.org

Changed in vsftpd:
status: New → Fix Released
Wouter Stomp (wouterstomp-deactivatedaccount) wrote :

This is fixed in debian in 2.0.6-1.

Matti Lindell (mlind) wrote :

Fixed in Hardy.

Changed in vsftpd:
status: Confirmed → Fix Released
Danger (dangerous3) wrote :

Workaround is shown here: http://kbase.redhat.com/faq/docs/DOC-6202
