OpenVZ Forum: Support => Pureftpd and Linux capabilties

Members

Help

Home

Home » General » Support » Pureftpd and Linux capabilties

Show: Today's Messages :: Show Polls :: Message Navigator

E-mail to friend

Pureftpd and Linux capabilties [message #4203]

Sun, 02 July 2006 12:02

christoph
Messages: 18
Registered: July 2006

Junior Member

From: 193.170.67*

Hello!

I'm trying to get pureftpd running inside a Debian sarge VPS.
There seems to be a problem with Linux capabilities.

What can be done to solve that issue without recompiling pureftpd with "--without-capabilities"?

# /etc/init.d/pure-ftpd-mysql start
Starting ftp server: Running: /usr/sbin/pure-ftpd-mysql -l mysql:/etc/pure-ftpd/db/mysql.conf -E -u 60 -O clf:/var/log/ftp/transfer.log -A -B
421 Unable to switch capabilities : Operation not permitted

My versions:
ii pure-ftpd-common 1.0.19-4 Pure-FTPd FTP server (Common Files)
ii pure-ftpd-mysql 1.0.19-4 Pure-FTPd FTP server with MySQL user authenticat

Thank you for any hints!
Christoph

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #4205 is a reply to message #4203 ]

Sun, 02 July 2006 15:20

dev
Messages: 1689
Registered: September 2005
Location: Moscow

Senior Member

From: *7ka.mipt.ru

1. you can strace pureftpd to check what capabilities it tries to set and fails.
See http://wiki.openvz.org/Stracing_a_program for information on how to strace an application.

2. after you found what's wrong with capabilities you can add missing capability to your VE with vzctl command. Check vzctl man on how to control VE capabilities (http://openvz.org/documentation/mans/vzctl.8):

#vzctl set <VEID> --capability capname:on|off

Note: changing capabilities requires VE restart.

http://static.openvz.org/userbars/openvz-developer.png

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #4209 is a reply to message #4203 ]

Sun, 02 July 2006 16:50

christoph
Messages: 18
Registered: July 2006

Junior Member

From: 193.170.67*

Hi!

Thanks for the fast (especially on Sunday Wink

) and competent answer.

I found out with strace that pureftpd likes to set the following capabilities:

CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE

I activated those via vzctl and it works perfectly now!

One thing I was thinking about. What about security when all those capabilities are set?

Christoph

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #4210 is a reply to message #4203 ]

Sun, 02 July 2006 20:18

luismi
Messages: 8
Registered: July 2006
Location: Dublin

Junior Member

From: *b-ras1.prp.dublin.eircom.net

Hi there,

Yes, I have the sane problem here.
You need to recompile the pure-ftpd package using the next option:

--without-capabilities: if the capabilities library (libcap) is found,
Pure-FTPd will try to use it in order to enhance security. This option
overrides the test to ignore the library. Try this if capabilities don't
work properly on your system. libcap can be downloaded from
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/ .

From: http://download.pureftpd.org/pub/pure-ftpd/doc/README

I can send you my packages if you want, I use puredb since I have few accounts but I also created the mysql and ldap packages, for the future Grin

I am not using the latest version 1.0.22 since I use the version from a debian stable mirror, that is, 1.0.19.

Also if you need some help recompiling pure-ftpd under debian, let me know, I will try to help you Grin

Regards.

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #4211 is a reply to message #4209 ]

Sun, 02 July 2006 20:19

luismi
Messages: 8
Registered: July 2006
Location: Dublin

Junior Member

From: *b-ras1.prp.dublin.eircom.net

Cristoph,

How do you activate those capabilities using vzctl?

I am very insterested on that.

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #4214 is a reply to message #4211 ]

Mon, 03 July 2006 02:39

christoph
Messages: 18
Registered: July 2006

Junior Member

From: 193.170.67*

Hi!

Thanks for your package offering. I think I'll stick with the Debian version since it is working now after having set the capabilities.

Here is how I set the capabilities for the VPS via bash:

VPSID=123
for CAP in CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE
do
  vzctl set $VPSID --capability ${CAP}:on --save
done

Regards
Christoph

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #4216 is a reply to message #4209 ]

Mon, 03 July 2006 03:22

dev
Messages: 1689
Registered: September 2005
Location: Moscow

Senior Member

From: *sw.ru

can you confirm please that CAP_NET_ADMIN is the one to blame? i.e. remove it and recheck Smile

if it is CAP_NET_ADMIN then it is really buggy software :/
This capability is too powerfull to give it as is. So from security point of view, sure it is not good.

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #4244 is a reply to message #4216 ]

Mon, 03 July 2006 14:31

christoph
Messages: 18
Registered: July 2006

Junior Member

From: 193.170.67*

Hi!

I removed CAP_NET_ADMIN and it doesn't work then.

Here is a part of the strace with CAP_NET_ADMIN disabled.
# strace /usr/sbin/pure-ftpd-mysql:

capset(0x19980330, 0, {CAP_CHOWN|CAP_DAC_READ_SEARCH|CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_NET_ADMIN|CAP_SYS_CHROOT|CAP_SYS_NICE, CAP_CHOWN|CAP_DAC_READ_SEARCH|CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_NET_ADMIN|CAP_SYS_CHROOT|CAP_SYS_NICE, }) = -1 EPERM (Operation not permitted)
rt_sigprocmask(SIG_BLOCK, ~[RTMIN], [], 8) = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40018000
write(1, "421 Unable to switch capabilitie"..., 61421 Unable to switch capabilities : Operation not permitted
) = 61

Christoph

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #4266 is a reply to message #4216 ]

Tue, 04 July 2006 10:15

christoph
Messages: 18
Registered: July 2006

Junior Member

From: *is4all.net

Hi!

I now checked the source code of pureftpd.
It seems that it always keeps CAP_NET_ADMIN.

What should one think about that?

Christoph

caps.c:
http://pureftpd.cvs.sourceforge.net/pureftpd/pureftpd/src/ca ps.c?view=markup

...
void set_initial_caps(void)
{
    apply_caps(cap_keep_startup,
               sizeof(cap_keep_startup) / sizeof(cap_value_t));
}
...

caps_p.h:
http://pureftpd.cvs.sourceforge.net/pureftpd/pureftpd/src/ca ps_p.h?view=markup

...
cap_value_t cap_keep_startup[] = {
    CAP_SETGID,
    CAP_SETUID,
    CAP_CHOWN,
    CAP_NET_BIND_SERVICE,
    CAP_SYS_CHROOT,
    CAP_SYS_NICE,
    CAP_NET_ADMIN,
    CAP_DAC_READ_SEARCH
};

cap_value_t cap_keep_login[] = {
# ifndef WITH_PRIVSEP
#  ifndef HAVE_SYS_FSUID_H
    CAP_SETUID,
#  endif
    CAP_NET_BIND_SERVICE,
# endif
    CAP_NET_ADMIN
};
...

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #4268 is a reply to message #4266 ]

Tue, 04 July 2006 10:26

dev
Messages: 1689
Registered: September 2005
Location: Moscow

Senior Member

From: *sw.ru

You can try to contact pureftpd authors.
First, I can't imagine why CAP_NET_ADMIN can be required for FTP daemon Smile

Next, it looks wrong to fail if this capability is not currently available. why it doesn't try to apply AND mask on current capabilities available via capget()?

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #11162 is a reply to message #4210 ]

Wed, 14 March 2007 09:04

rema
Messages: 17
Registered: November 2006

Junior Member

From: 87.139.122*

luismi wrote on Sun, 02 July 2006 20:18

Hi there,
Also if you need some help recompiling pure-ftpd under debian, let me know, I will try to help you Grin

Regards.

could you give some hints here how this could be done using sarge?

best rema

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #11190 is a reply to message #11162 ]

Thu, 15 March 2007 04:11

Valmont
Messages: 227
Registered: September 2005

Senior Member

From: *net-on.incru.net

//some offtop

The best way - is to use vsftpd. It is fast,secure and doesn't need these caps.

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #11210 is a reply to message #11190 ]

Thu, 15 March 2007 07:03

rema
Messages: 17
Registered: November 2006

Junior Member

From: 87.139.122*

hmm, but i need an mysql backend ....

Report message to a moderator

Re: Pureftpd and Linux capabilties [message #11211 is a reply to message #11210 ]

Thu, 15 March 2007 07:14

Valmont
Messages: 227
Registered: September 2005

Senior Member

From: *net-on.incru.net

At least now - only with pam_mysql.

Report message to a moderator

Previous Topic:	SOLVED Moved /vz and now vzquota is complaining.
Next Topic:	kernel 2.6.18 028stab021.1 on RHEL4?

Goto Forum:

-=] Back to Top [=-

[ Generate printable PDF ] [ Syndicate this forum (XML) ] [

]

Current Time: Thu Sep 2 11:06:12 EDT 2010

.:: Contact :: Home ::.