Hi,
I get this error when i try to create a directory:
wooley grsec: From 192.168.1.30: (root:U:/usr/sbin/pure-ftpd) denied mkdir of /www/club/test2 by /usr/sbin/pure-ftpd[pure-ftpd:7845] uid/euid:0/1119 gid/egid:1119/1119, parent /usr/sbin/pure-ftpd[pure-ftpd:6524] uid/euid:0/0 gid/egid:0/0
the two acls:
under role root :
subject /usr/sbin/pure-ftpd o {
/
/dev h
/dev/log rw
/dev/null rw
/dev/urandom r
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/proc h
/proc/loadavg r
/sbin h
/sbin/insmod x
/usr h
/usr/lib/libcrypto.so.0.9.6 rx
/usr/lib/libssl.so.0.9.6 rx
/usr/sbin/pure-ftpd x
/usr/share/zoneinfo/Europe/London r
/var h
/var/log/pure-ftpd
/var/log/pure-ftpd/transfer.log w
/var/run/pure-ftpd rwcd
-CAP_ALL
+CAP_NET_BIND_SERVICE
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
bind 192.168.5.35/32:21 stream dgram ip tcp
bind 192.168.5.35/32:12523-13123 stream dgram ip tcp
connect 192.168.0.9/32:53 dgram udp
connect 192.168.0.10/32:53 dgram udp
}
under role club (user id 1119):
subject /usr/sbin/pure-ftpd o {
/
/dev h
/dev/log rw
/dev/null rw
/dev/urandom r
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow h
/lib rx
/proc h
/proc/loadavg r
/sbin h
/sbin/insmod x
/usr h
/usr/lib/libcrypto.so.0.9.6 rx
/usr/lib/libssl.so.0.9.6 rx
/usr/sbin/pure-ftpd x
/usr/share/zoneinfo/Europe/London r
/var h
/var/log/pure-ftpd
/var/log/pure-ftpd/transfer.log w
/var/run/pure-ftpd rwcd
/var/www h
/www/club rwcd
-CAP_ALL
+CAP_NET_BIND_SERVICE
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
bind 192.168.5.35/32:21 stream dgram ip tcp
# bind 192.168.5.35/32:22523-23123 stream dgram ip tcp
connect 192.168.0.9/32:53 dgram udp
connect 192.168.0.10/32:53 dgram udp
}
ps faxu:
root 18768 0.0 0.3 3072 1824 ? Ss 16:30 0:00 pure-ftpd (SERVER)
root 13645 0.0 0.4 3224 2072 ? S 16:47 0:00 \_ pure-ftpd (PRIV)
club 12525 0.0 0.4 3228 2276 ? S 16:47 0:00 \_ pure-ftpd (IDLE)
Thanks,
Andras
RBAC and pure-ftpd
6 posts
• Page 1 of 1
RBAC and pure-ftpd
by klajosh » Thu Jan 06, 2005 9:44 am
- klajosh
- Posts: 7
- Joined: Tue Aug 31, 2004 8:55 am
Re: RBAC and pure-ftpd
by Hue-Bond » Fri Jan 07, 2005 1:07 pm
>wooley grsec: From 192.168.1.30: (root:U:/usr/sbin/pure-ftpd)
This is user role root.
>denied mkdir of /www/club/test2 by /usr/sbin/pure-ftpd
>under role root :
>subject /usr/sbin/pure-ftpd o {
There's no ACL for /www/club in this subject under this role, so access is denied.
This is user role root.
>denied mkdir of /www/club/test2 by /usr/sbin/pure-ftpd
>under role root :
>subject /usr/sbin/pure-ftpd o {
There's no ACL for /www/club in this subject under this role, so access is denied.
- Hue-Bond
- Posts: 34
- Joined: Mon Dec 13, 2004 4:31 pm
by klajosh » Mon Jan 10, 2005 9:15 am
>wooley grsec: From 192.168.1.30: (root:U:/usr/sbin/pure-ftpd)
This is user role root.
>denied mkdir of /www/club/test2 by /usr/sbin/pure-ftpd
>under role root :
>subject /usr/sbin/pure-ftpd o {
There's no ACL for /www/club in this subject under this role, so access is denied.
Yes, this is my problem.
I have to add write access to root to
write in a user's ftp folder instead of the user in grsec acl. My question is why?
I think this is not grsecurity related issue, but pure-ftpd or pure-ftpd configuration. (I put my question here because probably somebody
has already met this problem). If I run a ps faxu I get this:
- Code: Select all
root 10322 0.0 0.3 3052 1816 ? Ss Jan06 0:00 pure-ftpd (SERVER)
root 31985 0.2 0.4 3204 2068 ? S 14:13 0:00 \_ pure-ftpd (PRIV)
club 7013 0.2 0.4 3208 2244 ? S 14:13 0:00 \_ pure-ftpd (IDLE)
- klajosh
- Posts: 7
- Joined: Tue Aug 31, 2004 8:55 am
by Hue-Bond » Mon Jan 10, 2005 1:47 pm
>>There's no ACL for /www/club in this subject under this role, so access is
>>denied.
>Yes, this is my problem.
>I have to add write access to root to
>write in a user's ftp folder instead of the user in grsec acl. My question
>is why?
Because the ftpd wants to do that as root.
>I think this is not grsecurity related issue, but pure-ftpd or pure-ftpd
>configuration.
Right.
>root 10322 0.0 0.3 3052 1816 ? Ss Jan06 0:00 pure-ftpd (SERVER)
>root 31985 0.2 0.4 3204 2068 ? S 14:13 0:00 \_ pure-ftpd (PRIV)
>club 7013 0.2 0.4 3208 2244 ? S 14:13 0:00 \_ pure-ftpd (IDLE)
You can check in the logs the pid who does the mkdir.
>>denied.
>Yes, this is my problem.
>I have to add write access to root to
>write in a user's ftp folder instead of the user in grsec acl. My question
>is why?
Because the ftpd wants to do that as root.
>I think this is not grsecurity related issue, but pure-ftpd or pure-ftpd
>configuration.
Right.
>root 10322 0.0 0.3 3052 1816 ? Ss Jan06 0:00 pure-ftpd (SERVER)
>root 31985 0.2 0.4 3204 2068 ? S 14:13 0:00 \_ pure-ftpd (PRIV)
>club 7013 0.2 0.4 3208 2244 ? S 14:13 0:00 \_ pure-ftpd (IDLE)
You can check in the logs the pid who does the mkdir.
- Hue-Bond
- Posts: 34
- Joined: Mon Dec 13, 2004 4:31 pm
by klajosh » Tue Jan 11, 2005 5:08 am
Hue-Bond wrote:>>There's no ACL for /www/club in this subject under this role, so access is
>>denied.
>Yes, this is my problem.
>I have to add write access to root to
>write in a user's ftp folder instead of the user in grsec acl. My question
>is why?
Because the ftpd wants to do that as root.
>I think this is not grsecurity related issue, but pure-ftpd or pure-ftpd
>configuration.
Right.
>root 10322 0.0 0.3 3052 1816 ? Ss Jan06 0:00 pure-ftpd (SERVER)
>root 31985 0.2 0.4 3204 2068 ? S 14:13 0:00 \_ pure-ftpd (PRIV)
>club 7013 0.2 0.4 3208 2244 ? S 14:13 0:00 \_ pure-ftpd (IDLE)
You can check in the logs the pid who does the mkdir.
hm... the process is owned by root ...
(child of the main process)
strange I thought that pure-ftpd operates as a non privileged user
when I try to upload files... hm....
Have you ever used pure-ftpd? Did I miss something in config?
- klajosh
- Posts: 7
- Joined: Tue Aug 31, 2004 8:55 am
by jnf » Tue Jan 11, 2005 3:19 pm
Re: running as root
I could be incorrect here, as I've never run pureftpd, however it most likely setreuid/setregid/chroot's after an authenticated connection, so that it changes it chroot's then changes it uid/gid- which under normal circumstances requires root. I imagine you could run it as a non-root user and give it the right capabilities- however it may have a getuid() check or similar in there that you would need to fool in order to allow it to run as a non-root user.
I could be off-base, just my thoughts on the subject.
I could be incorrect here, as I've never run pureftpd, however it most likely setreuid/setregid/chroot's after an authenticated connection, so that it changes it chroot's then changes it uid/gid- which under normal circumstances requires root. I imagine you could run it as a non-root user and give it the right capabilities- however it may have a getuid() check or similar in there that you would need to fool in order to allow it to run as a non-root user.
I could be off-base, just my thoughts on the subject.
- jnf
- Posts: 5
- Joined: Wed Jan 05, 2005 7:31 pm
6 posts
• Page 1 of 1