
Unable to download via SFTP when mod_vroot is present using ProFTPD 1.3.7c #1336

Closed
tsmgeek opened this issue Sep 28, 2021 · 22 comments

@tsmgeek

tsmgeek commented Sep 28, 2021

https://forums.proftpd.org/smf/index.php/topic,12383.0.html

Similar but related to reading files via SFTP, I can upload anything I want, but reading it back does not work.
If I connect via FTP it will work just fine downloading the same file.

Version - 1.3.7c

@Castaglia
Member

Can you please provide the ProFTPD configuration you're using, and the ProFTPD debug logging generated when attempting to do an SFTP download?

@backslash-felix

Same here, with 1.3.7b it is working, with 1.3.7c I can't read any file over SFTP. Directory listing, delete files and upload files working fine with 1.3.7c.
proftpd.conf
1.3.7b.txt
1.3.7c.txt

@Castaglia
Member

@backslash-felix What happens if you turn mod_vroot off in your 1.3.7c configuration, i.e. setting:

VRootEngine off

in your <Global> section?

@backslash-felix

@Castaglia Thank you, works just fine with mod_vroot off. This was a workaround which is hopefully not necessary anymore.

@tsmgeek
Author

tsmgeek commented Oct 8, 2021

@Castaglia We have VRootEngine enabled in our config.
I've tried your suggestion, but now it does something else: before, with VRootEngine on, I could not read the file but could delete it; now, with VRootEngine off, I can read the file but cannot delete it via FTP or SFTP.

@backslash-felix check you can still delete the files.

@backslash-felix

@tsmgeek I can delete files via FTP and SFTP with VRootEngine off. We used mod_vroot only for one alias and it looks like it's not needed anymore. Maybe you used it for more or we use other compile settings, so I attached them here:
compile-time-settings.txt

@tsmgeek
Author

tsmgeek commented Oct 12, 2021

This is my config, all users authenticated via SQL, all STOR/MKD/DELE will issue EXEC to a local script.
All user home dirs are stored on a Gluster volume, every authenticated user has their own home dir.

ServerName                      "ProFTPD server"
ServerIdent                     on "FTP Ready"
ServerAdmin                     webmaster@ftp.com
DefaultServer                   off
Port                            0
MaxConnectionRate               100
MultilineRFC2228                on
UseIPv6                         on
UseReverseDNS                   off
PidFile                         /var/run/proftpd.pid

SystemLog                       /var/log/proftpd.log
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
LogFormat                       write   "%h %l %u %t \"%r\" %s %b"
SyslogLevel                     notice
DebugLevel                      5

<Global>
  TimeoutLogin                    60
  TimeoutIdle                     120
  TimeoutNoTransfer               300
  TimeoutStalled                  300
  TimeoutSession                  0
  DeleteAbortedStores             on
  DeferWelcome                    on
  AllowOverwrite                  on
  AllowStoreRestart               on
  AllowRetrieveRestart            on

  AuthOrder                       mod_sql.c

  # Set the user and group that the server runs as
  User                            nobody
  Group                           nobody

  TransferLog                     /var/log/proftpd_xferlog.log

  # Disable sendfile by default since it breaks displaying the download speeds in
  # ftptop and ftpwho
  UseSendfile                     off

  # Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
  # Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
  <IfDefine DYNAMIC_BAN_LISTS>
    LoadModule                    mod_ban.c
    BanEngine                     on
    BanLog                        /var/log/proftpd/ban.log
    BanTable                      /var/run/proftpd/ban.tab

    # If the same client reaches the MaxLoginAttempts limit 2 times
    # within 10 minutes, automatically add a ban for that client that
    # will expire after one hour.
    BanOnEvent                    MaxLoginAttempts 2/00:10:00 01:00:00

    # Allow the FTP admin to manually add/remove bans
    BanControlsACLs               all allow user ftpadm
  </IfDefine>

  <IfModule mod_delay.c>
    DelayEngine on
    DelayOnEvent FailedLogin 5s
  </IfModule>

  <Limit SITE_CHMOD RNTO RNFR STOR XRMD DELE RMD>
    DenyAll
  </Limit>

  MaxClients                      300
  MaxHostsPerUser                 100
  MaxLoginAttempts                5
  MaxHostsPerUser               50
  DeferWelcome                    on
  Umask                           002

#  PathDenyFilter                 "(\.ftpaccess|\.htaccess|thumbs\.db)$"
#  PathDenyFilter                  "(^(\\.)|thumbs.db|Thumbs.db|\\.htaccess|(^|/)[-.])"
#
  # Only allow filenames containing alphanumeric characters
#  PathAllowFilter                 "^[A-Za-z0-9._-\s]+$"
  PathDenyFilter                  "([^[:print:]]|\.ftpaccess|\.htaccess|thumbs\.db)"
#  PathAllowFilter                 \.(jpg|jpeg|JPG|JPEG)$

  # block upload of files/directories that have spaces at the start or end
  DenyFilter                      "(^ |^/ |\ $|\")"

  # prevent files to be uploaded into root
  <Directory />
    <Limit STOR>
      AllowUser superadmin
      DenyAll
    </Limit>
    <Limit RMD>
      DenyAll
    </Limit>
  </Directory>

  <Directory /00000000>
    <Limit RMD>
      AllowAll
    </Limit>
  </Directory>

  # prevent subdirectories to be uploaded
  <Directory /*/*>
    <Limit MKD XMKD DELE>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>


  # prevent renaming uploader directory
  <Directory /uploader>
    <Limit RNFR RMD XRMD>
      DenyAll
    </Limit>
  </Directory>

  <Directory /_livestream>
    <Limit RNFR RMD XRMD>
      DenyAll
    </Limit>
  </Directory>

  # allow renaming/deleting dirs/making dirs/folders within the uploader directory
  <Directory /uploader/*>
    <Limit RNTO RNFR RMD DELE MKD XMKD XRMD>
      AllowAll
    </Limit>
  </Directory>
  <Directory /_uploader/*>
    <Limit RNTO RNFR RMD DELE MKD XMKD XRMD>
      AllowAll
    </Limit>
  </Directory>

   <Directory /_archive/*>
    <Limit RNTO RNFR RMD DELE MKD XMKD XRMD>
      AllowAll
    </Limit>
  </Directory>

  <Directory /_livestream/*>
    <Limit RNTO RNFR RMD DELE MKD XMKD XRMD>
      AllowAll
    </Limit>
  </Directory>

  # do not allow showing dot files
  <Directory />
    HideFiles "^(\\.)$"
  </Directory>

  # TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
  <IfModule mod_tls.c>
    TLSEngine                     off
#    TLSRequired                   auth+data
    TLSRequired         off
#    TLSRSACertificateFile         /usr/local/etc/proftpd_cert.pem
#    TLSRSACertificateKeyFile      /usr/local/etc/proftpd_certkey.pem
#    TLSCACertificateFile          /usr/local/etc/proftpd_certbundle.pem
    TLSVerifyClient               off
    TLSRenegotiate                none
    #TLSLog                        /usr/local/etc/proftpd_tls.log
    #TLSOptions                 NoCertRequest
  </IfModule>

  <IfModule mod_vroot.c>
    VRootEngine            on
    #VRootLog               /var/log/proftpd/vroot.log

    # To cause every FTP user to be "jailed" (chrooted) into their home
    # directory, uncomment this line.
    # DefaultRoot "/home/ftp/%u"
    DefaultRoot ~
  </IfModule>

  <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteMap replace int:replaceall
    RewriteCondition %m STOR
    #RewriteCondition %m MKD
    RewriteRule ^(.*) "${replace:/$1/ /_}"
  </IfModule>
  CreateHome on
  HiddenStores incoming- .in.%P

  SQLBackend mysql
  SQLEngine on
  SQLAuthenticate users
#  SQLLogFile /var/log/proftpd_sql.log
  #SQLAuthTypes backend
  SQLAuthTypes OpenSSL
  SQLDefaultUID 48
  SQLDefaultGID 48
  SQLDefaultHomedir /tmp
  SQLLog PASS start-session IGNORE_ERRORS
#  SQLLog PASS log_sess IGNORE_ERRORS
#  SQLLog RETR,STOR,DELE insertfileinfo

  SQLConnectInfo ftp@mysql1 ftp Pi7uIjezejEizXA22SuLi6NOfaqId6
  SQLUserInfo custom:/users
  SQLNamedQuery users FREEFORM "SELECT * FROM users_ftpaccounts_proftpd WHERE userid='%U'"
  SQLNamedQuery start-session FREEFORM "UPDATE users_ftpaccounts SET usrft_lastaccess=NOW(3) WHERE usrft_username='%U'"
  SQLNamedQuery log_sess FREEFORM "INSERT INTO ftp_login_history (username, client_ip, server_ip, protocol, ts) VALUES ('%u', '%a', '%V', '%{protocol}', NOW())"
  SQLNamedQuery insertfileinfo FREEFORM "INSERT INTO ftp_filehistory (filename, bytes, cmd, username, ts) VALUES ('%F', %b, '%m', '%u', now())"
  SQLNamedQuery get-host-authorized-keys SELECT "key FROM ftp_sshkeys_host WHERE host='%{0}'"
</Global>

<VirtualHost 192.168.143.1>
  ServerIdent on "Welcome to ftp"
  ServerAlias ftp.com
  PassivePorts 50000 51999
  Port 21
  <IfModule mod_exec.c>
    ExecEngine on
    ExecLog /home/data/logs/proftpd_exec.log
    ExecOnCommand MKD,STOR,DELE /home/console/incoming-set.php --username %u --folder %f --cmd %m --isftp
    ExecOptions logStdout logStderr
    ExecTimeout 10
  </IfModule>
  <Directory /_archive>
    ExecEnable off
  </Directory>
  <Directory /_uploader>
    ExecEnable off
  </Directory>
  <Directory /uploader>
    ExecEnable off
  </Directory>
  <Directory /00000000>
    ExecEnable off
  </Directory>
</VirtualHost>

<VirtualHost 192.168.143.1>
  ServerIdent on "Welcome to ftp (encrypted)"
  Port 990
  PassivePorts 52000 53999
  TLSOptions UseImplicitSSL
  <IfModule mod_exec.c>
    ExecEngine on
    ExecLog /home/data/logs/proftpd_exec.log
    ExecOnCommand MKD,STOR,DELE /home/console/incoming-set.php --username %u --folder %f --cmd %m --isftp
    ExecOptions logStdout logStderr
    ExecTimeout 10
  </IfModule>
  <Directory /_archive>
    ExecEnable off
  </Directory>
  <Directory /_uploader>
    ExecEnable off
  </Directory>
  <Directory /uploader>
    ExecEnable off
  </Directory>
  <Directory /00000000>
    ExecEnable off
  </Directory>
</VirtualHost>


<IfModule mod_sftp.c>
  <VirtualHost 192.168.143.1>
    ServerIdent on "Welcome to sftp"
    ServerAlias ftp.com
    Port 20022
    SFTPEngine on
    SFTPLog /home/data/logs/proftpd_sftp.log

    # Configure the RSA, DSA, and ECDSA host keys
    SFTPHostKey /home/data/proftpd/ssh_host_ecdsa_key
    SFTPHostKey /home/data/proftpd/ssh_host_rsa_key
    SFTPHostKey /home/data/proftpd/ssh_host_ecdsa_key

    SFTPCompression delayed
    SFTPOptions IgnoreSFTPUploadPerms IgnoreSCPUploadPerms

    # Allow the same number of authentication attempts as OpenSSH.
    MaxLoginAttempts 6

    SFTPAuthMethods password

    <IfModule mod_delay.c>
      DelayEngine on
      DelayOnEvent FailedLogin 5s
    </IfModule>

    <IfModule mod_sftp_sql.c>
      # Instead of using a file-based key store, we tell mod_sftp to use
      # the SQL-based key store provided by mod_sftp_sql
      #SFTPAuthorizedUserKeys sql:/get-user-authorized-keys
      #SFTPAuthorizedHostKeys sql:/get-host-authorized-keys
    </IfModule>

    <IfModule mod_exec.c>
      ExecEngine on
      ExecLog /home/data/logs/proftpd_exec.log
      ExecOnCommand MKD,STOR,DELE /home/console/incoming-set.php --username %u --folder %f --cmd %m --isftp
      ExecOptions logStdout logStderr
      ExecTimeout 10
    </IfModule>
    <Directory /_archive>
      ExecEnable off
    </Directory>
    <Directory /_uploader>
      ExecEnable off
    </Directory>
    <Directory /uploader>
      ExecEnable off
    </Directory>
    <Directory /00000000>
      ExecEnable off
    </Directory>
  </VirtualHost>
</IfModule>

<Anonymous ~ftp>
  SQLEngine off
</Anonymous>

Compile-time Settings:
  Version: 1.3.7c (maint)
  Platform: LINUX [Linux 3.10.0-1160.42.2.el7.x86_64 x86_64]
  Built: Tue Sep 21 2021 14:43:27 UTC
  Built With:
    configure  '--with-modules=mod_vroot:mod_sql:mod_sql_passwd:mod_sql_mysql:mod_tls:mod_wrap2:mod_wrap2_sql:mod_exec:mod_readme:mod_sftp:mod_sftp_sql'

  CFLAGS: -g2 -O2 -Wall -fno-omit-frame-pointer -fno-strict-aliasing
  LDFLAGS: -L$(top_srcdir)/lib -L$(top_builddir)/lib  -rdynamic  -L/usr/lib64/mysql
  LIBS:  -lssl -lcrypto -lssl  -lm -lmysqlclient -lz  -lcrypto -lsupp -lcrypt -ldl

  Files:
    Configuration File:
      /usr/local/etc/proftpd.conf
    Pid File:
      /usr/local/var/proftpd.pid
    Scoreboard File:
      /usr/local/var/proftpd.scoreboard

  Info:
    + Max supported UID: 4294967295
    + Max supported GID: 4294967295

  Features:
    - Autoshadow support
    - Controls support
    + curses support
    - Developer support
    - DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    - Memcache support
    + ncurses support
    - NLS support
    + OpenSSL support (OpenSSL 1.0.2k  26 Jan 2017, FIPS enabled)
    - PCRE support
    - POSIX ACL support
    - Redis support
    + Sendfile support
    + Shadow file support
    - Sodium support
    + Trace support
    + xattr support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
    PR_TUNABLE_ENV_MAX = 2048
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_LOGIN_MAX = 256
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_PATH_MAX = 4096
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 10
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10
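As an added check, not code from the issue or from ProFTPD: a small script that reads `proftpd -V`-style compile-time settings and a proftpd.conf and reports whether a host matches the combination in this report (1.3.7c, mod_vroot compiled in, SFTP enabled). The sample input is constructed from excerpts of the config and settings posted above; the directive parsing is a simplification (last occurrence wins, contexts ignored).

```python
import re

# Combination reported in issue #1336: ProFTPD 1.3.7c built with mod_vroot
# and serving SFTP. One reporter saw the failure with VRootEngine both on
# and off, so the verdict keys on the module being compiled in.
AFFECTED_VERSION = "1.3.7c"
AFFECTED_MODULE = "mod_vroot"

def parse_version_output(text):
    """Version string and --with-modules list from 'Compile-time Settings'."""
    version, modules = None, set()
    for line in text.splitlines():
        m = re.match(r"\s*Version:\s*(\S+)", line)
        if m:
            version = m.group(1)
        m = re.search(r"--with-modules=([\w.:]+)", line)
        if m:
            modules.update(m.group(1).split(":"))
    return version, modules

def parse_engines(config_text):
    """On/off values of VRootEngine and SFTPEngine. Commented lines ('#...')
    never match; simplification: last occurrence wins, context ignored."""
    found = {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] in ("VRootEngine", "SFTPEngine"):
            found[parts[0]] = parts[1].lower()
    return found

def check_issue_1336(version_text, config_text):
    """Return (affected, details); affected only when all three conditions match."""
    version, modules = parse_version_output(version_text)
    engines = parse_engines(config_text)
    details = {"version": version,
               "mod_vroot_compiled_in": AFFECTED_MODULE in modules,
               "VRootEngine": engines.get("VRootEngine", "unset"),
               "SFTPEngine": engines.get("SFTPEngine", "unset")}
    affected = (version == AFFECTED_VERSION
                and details["mod_vroot_compiled_in"]
                and details["SFTPEngine"] == "on")
    return affected, details

# Constructed sample input, trimmed from what the reporter posted.
SAMPLE_VERSION = """Compile-time Settings:
  Version: 1.3.7c (maint)
    configure  '--with-modules=mod_vroot:mod_sql:mod_sftp:mod_sftp_sql'
"""
SAMPLE_CONFIG = """<IfModule mod_vroot.c>
  VRootEngine on
  #VRootLog /var/log/proftpd/vroot.log
</IfModule>
SFTPEngine on
"""
```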

@Castaglia
Member

For those having this issue when mod_vroot is used, can you provide the mod_vroot module version being used?

@tsmgeek
Author

tsmgeek commented Dec 16, 2021

Taken from mod_vroot.h on my last build 'mod_vroot/0.9.9', date on files was Sep 21.

@pedanticdan

I'm having the same problem on AIX. I'm using ProFTPD 1.3.7c and mod_vroot/0.9.9.

It doesn't seem to make any difference whether VRootEngine is on or off. I have to recompile without mod_vroot.

For me the problem only happens for sftp virtual users (mod_auth_file). From the trace logs I've looked at, the home directory is getting prepended to the already fully qualified path. So, /home/user/subdir/filex gets changed to /home/user/home/user/subdir/filex

The virtual users can change directories and get directory listings, but attempts to download files result in a file not found error.

Hope this helps.

@Castaglia
Member

@pedanticdan thanks, that helps. Your reported behavior suggests that the issue is with mod_vroot somehow (as opposed to an issue with mod_sftp). I'm wondering if this ticket should be moved to the mod_vroot repo, since mod_vroot is not a module distributed with the core ProFTPD source releases...

@pedanticdan

pedanticdan commented Feb 18, 2022

Probably should move there ... I've been struggling with this for a while and didn't realize that it had already been reported here until this morning.

@Castaglia
Member

@pedanticdan I'm attempting to reproduce this locally; could you provide me with the ProFTPD debug logging, and SFTPLog, for your failing SFTP downloads? I'd like to ensure that I'm correctly reproducing the behavior you're seeing -- and this will require knowing the exact paths/filenames requested by the SFTP client. Thanks!

@Castaglia
Member

Ah, I wonder if this is being caused by the condition mentioned in f1dc344 -- once I can reproduce this locally (using 1.3.7c + mod_vroot + mod_sftp downloads), I'll try to confirm this...

@Castaglia Castaglia changed the title Unable to download via SFTP Unable to download via SFTP when mod_vroot is present Feb 20, 2022
@Castaglia Castaglia self-assigned this Feb 20, 2022
@Castaglia Castaglia changed the title Unable to download via SFTP when mod_vroot is present Unable to download via SFTP when mod_vroot is present using ProFTPD 1.3.7c Feb 20, 2022
Castaglia added a commit that referenced this issue Feb 20, 2022
…`PRE_RETR` handler in `mod_xfer`, for the `mod_vroot+mod_sftp` cases.
Castaglia added a commit that referenced this issue Feb 20, 2022
…`PRE_RETR` handler in `mod_xfer`, for the `mod_vroot+mod_sftp` cases.
Castaglia added a commit that referenced this issue Feb 20, 2022
…sue1336

Issue #1336: Backport the use of the `dir_best_path` fallback in the …
@pedanticdan

@pedanticdan I'm attempting to reproduce this locally; could you provide me with the ProFTPD debug logging, and SFTPLog, for your failing SFTP downloads? I'd like to ensure that I'm correctly reproducing the behavior you're seeing -- and this will require knowing the exact paths/filenames requested by the SFTP client. Thanks!

I’ll see what I can do … no promises.

@pedanticdan

Hopefully this will be useful:

debug.tar.gz

@Castaglia
Member

@pedanticdan Thanks! That does indeed help confirm my hypothesis about the cause; I suspect that if you were to apply 56d500e to your local ProFTPD 1.3.7c code and rebuild, it should work as needed once more...

@pedanticdan

Thanks, I'll try it tomorrow.

@pedanticdan

From my initial testing, it looks good.

I have other people doing more thorough testing, but so far it appears to be fixed.

@pedanticdan

pedanticdan commented Feb 23, 2022

My testing only hit the case where VRootEngine was off.

I'm getting reports that there is still a problem when VRootEngine is on.

I'm investigating.

[EDIT: False alarm ... VRootEngine was off for the test where it should have been on.]

@pedanticdan

All the testing has been successful. Our problem is resolved.

@Castaglia
Member

Excellent news, thanks for reporting back @pedanticdan! As this issue is also passing my local mod_vroot regression testsuite, using ProFTPD 1.3.7 + patch, I'll now consider this fixed.
