From: <bu...@pr...> - 2001-02-01 01:22:59
http://bugs.proftpd.net/show_bug.cgi?id=451 *** shadow/451 Tue Jan 30 18:59:29 2001 --- shadow/451.tmp.4197 Wed Jan 31 19:46:01 2001 *************** *** 38,40 **** --- 38,43 ---- it will be more secure. + + ------- Additional Comments From tj...@di... 2001-01-31 19:46 ------- + Could you upgrade to the latest version from CVS, and try to repeat this? \ No newline at end of file -- To unsubscribe, send mail to pro...@pr... with "unsubscribe" in the subject field of the message. http://www.proftpd.net -- The Official ProFTPD web site. http://bugs.proftpd.net -- Bug reporting and feature requests. |
From: <bu...@pr...> - 2001-02-01 18:11:52
http://bugs.proftpd.net/show_bug.cgi?id=451 *** shadow/451 Wed Jan 31 19:46:01 2001 --- shadow/451.tmp.5983 Thu Feb 1 12:07:27 2001 *************** *** 41,43 **** --- 41,110 ---- ------- Additional Comments From tj...@di... 2001-01-31 19:46 ------- Could you upgrade to the latest version from CVS, and try to repeat this? + + ------- Additional Comments From bol...@dc... 2001-02-01 12:07 ------- + Today (01/02) I downloaded the cvs version on a pure debian 2.2 with rsbac and + tested again: + (after tail -f /var/log/syslog &) + + rsbac:/home/boldi/src/proftpd-1.2# ftp 0 + Connected to 0. + 220 ProFTPD 1.2.0 Server (ProFTPD Default Installation) + [rsbac.ebizlab.hit.bme.hu] + Name (0:boldi): Feb 2 02:08:42 rsbac kernel: rsbac_adf_request(): request + CHANGE_OWNER, caller_pid 20584, caller_prog_name proftpd, caller_uid 0, target- + type PROCESS, tid 20584, attr owner, value 65535, result NOT_GRANTED by AUTH + Feb 2 02:08:42 rsbac kernel: rsbac_adf_request(): request CHANGE_OWNER, + caller_pid 20584, caller_prog_name proftpd, caller_uid 0, target-type PROCESS, + tid 20584, attr owner, value 65535, result NOT_GRANTED by AUTH + Feb 2 02:08:42 rsbac kernel: rsbac_adf_request(): request CHANGE_OWNER, + caller_pid 20585, caller_prog_name inetd, caller_uid 0, target-type PROCESS, + tid 20585, attr owner, value 100, result NOT_GRANTED by AUTH + Feb 2 02:08:42 rsbac identd[20585]: started + 331 Password required for boldi. + Password:Feb 2 02:08:51 rsbac kernel: rsbac_adf_request(): request + CHANGE_OWNER, caller_pid 20584, caller_prog_name proftpd, caller_uid 0, target- + type PROCESS, tid 20584, attr owner, value 65535, result NOT_GRANTED by AUTH + + 230 User boldi logged in. + Remote system type is UNIX. + Using binary mode to transfer files. + ftp> ls + 200 PORT command successful. + 150 Opening ASCII mode data connection for file list. + drwxr-xr-x 3 root boldi 4096 Feb 2 01:05 src + 226 Transfer complete. 
+ ftp> get /etc/shadow w + local: w remote: /etc/shadow + 200 PORT command successful. + 150 Opening BINARY mode data connection for /etc/shadow (950 bytes). + 226 Transfer complete. + 950 bytes received in 0.00 secs (1117.8 kB/s) + + It seems proftpd tried to set the owner first to 65535 which wasn't successfull. + + After adding setuid capability in rsbac to proftpd: + Connected to 0. + 220 ProFTPD 1.2.0 Server (ProFTPD Default Installation) + [rsbac.ebizlab.hit.bme.hu] + Name (0:boldi): boFeb 2 02:17:01 rsbac kernel: rsbac_adf_request(): request + CHANGE_OWNER, caller_pid 20715, caller_prog_name inetd, caller_uid 0, target- + type PROCESS, tid 20715, attr owner, value 100, result NOT_GRANTED by AUTH + Feb 2 02:17:01 rsbac identd[20715]: started + Feb 2 02:17:01 rsbac kernel: rsbac_adf_request(): request CHANGE_OWNER, + caller_pid 20715, caller_prog_name identd, caller_uid 0, target-type PROCESS, + tid 20715, attr owner, value 65534, result NOT_GRANTED by AUTH + ldi + 331 Password required for boldi. + Password: + 230 User boldi logged in. + Remote system type is UNIX. + Using binary mode to transfer files. + ftp> get /etc/shadow w2 + local: w2 remote: /etc/shadow + 200 PORT command successful. + 550 /etc/shadow: Permission denied + + + +
From: TJ S. <tj...@di...> - 2001-02-01 19:05:23
bugs>+ It seems proftpd tried to set the owner first to 65535 which
bugs>wasn't successful.

Yes. This is a bug that will be fixed by the end of today. The seteuid()
call fails if the given uid_t is -1. If a user happens to have -1/65535
as their UID, then proftpd will fail to drop privileges for them. The fix
is going to be to check for such UIDs, and not allow them.

----------------------------------------------------------------
TJ Saunders <tj...@di...>
----------------------------------------------------------------
From: Jesse S S. <js...@in...> - 2001-02-01 19:25:49
On Thu, Feb 01, 2001 at 06:56:25PM +0000, TJ Saunders wrote:
>
> bugs>+ It seems proftpd tried to set the owner first to 65535 which
> bugs>wasn't successful.
>
> Yes. This is a bug that will be fixed by the end of today. The seteuid()
> call fails if the given uid_t is -1. If a user happens to have -1/65535
> as their UID, then proftpd will fail to drop privileges for them. The fix
> is going to be to check for such UIDs, and not allow them.

Actually, I think this is a different, but related problem. PRIVS_SETUP
is never checked to make sure all went well. In his case he is using
RSBAC, with rules defined which prohibit proftpd from switching uids.
I've got a patch here that should do the trick, I'll send it his way.

--
"In the event of a failure, the system can be configured to automatically
restart itself. This feature of Windows NT Server provides maximum system
up-time."
-- Reliability and Fault Tolerance in Windows NT Server, MSC
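The two defects discussed in this thread, a reserved UID value that the uid-switching call cannot accept and a privilege switch whose result is never checked, in one added example. This is not ProFTPD's code and not the patch attached to bug #451; the function names (ids_are_valid, privs_verified, drop_privileges) are my own. It refuses (uid_t)-1 before making any call (on the reporter's 16-bit uid_t kernel that value is 65535, the "value 65535" in the RSBAC log), checks every setgid()/setuid() return value, which is where a denial by a MAC layer such as RSBAC surfaces as EPERM, reads the IDs back with getuid()/geteuid()/getgid()/getegid() rather than trusting the return code alone, and finally confirms that root cannot be regained.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Reject IDs that the set*id() family treats specially: (uid_t)-1 means
 * "leave unchanged" to setreuid()/setresuid() and makes glibc's seteuid()
 * fail with EINVAL.  With a 16-bit uid_t (the reporter's Linux 2.2 box)
 * that value is 65535, which is what the RSBAC log shows being requested. */
int ids_are_valid(uid_t uid, gid_t gid)
{
    return uid != (uid_t)-1 && gid != (gid_t)-1;
}

/* True only when the real and effective IDs are exactly what we asked for. */
int privs_verified(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Switch to uid/gid and refuse to continue unless the switch really
 * happened.  Returns 0 on success, -1 on failure with errno set (by the
 * failing syscall, or to EINVAL/EPERM by our own checks). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (!ids_are_valid(uid, gid)) {
        errno = EINVAL;
        return -1;
    }

    /* Supplementary groups can only be cleared while still privileged;
     * an unprivileged caller has nothing it is allowed to clear. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* gid first: once the uid is gone we may no longer be allowed to setgid. */
    if (setgid(gid) != 0)
        return -1;

    /* This is the call a MAC policy (RSBAC's AUTH module here) can deny;
     * the kernel reports that as -1/EPERM, which must not be ignored. */
    if (setuid(uid) != 0)
        return -1;

    /* Do not trust the return values alone: read the IDs back. */
    if (!privs_verified(uid, gid)) {
        errno = EPERM;
        return -1;
    }

    /* After dropping from root it must be impossible to get root back. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed demonstration: switching to our own IDs always succeeds,
     * and the reserved ID is rejected before any syscall is made. */
    uid_t me = getuid();
    gid_t mygrp = getgid();

    if (drop_privileges(me, mygrp) == 0)
        printf("running as uid %lu, gid %lu\n",
               (unsigned long)me, (unsigned long)mygrp);
    else
        fprintf(stderr, "unable to set uid to %lu, current uid: %lu: %s\n",
                (unsigned long)me, (unsigned long)getuid(), strerror(errno));

    if (drop_privileges((uid_t)-1, mygrp) != 0)
        printf("refused reserved uid (uid_t)-1: %s\n", strerror(errno));
    return 0;
}
```

Run as an unprivileged user this only exercises the same-ID and reject paths; started as root with a real target uid it performs an actual drop, and under a policy that forbids the switch the daemon exits on the setuid() failure instead of carrying on as uid 0, which is the behaviour the reporter's "unable to set uid to 65534" message later confirms for the fixed server.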
From: TJ S. <tj...@di...> - 2001-02-01 20:02:48
jss>Actually, I think this is a different, but related problem,
jss>PRIVS_SETUP is never checked to make sure all went well. In his
jss>case he is using RSBAC, with rules defined which prohibit proftpd
jss>from switching uids. I've got a patch here that should do the
jss>trick, I'll send it his way.

Ahh...cool. Could you post the patch somewhere, too, so we could take a
look? =)

----------------------------------------------------------------
TJ Saunders <tj...@di...>
----------------------------------------------------------------
From: Jesse S S. <js...@in...> - 2001-02-01 20:19:41
On Thu, Feb 01, 2001 at 07:55:40PM +0000, TJ Saunders wrote:
>
> jss>Actually, I think this is a different, but related problem,
> jss>PRIVS_SETUP is never checked to make sure all went well. In his
> jss>case he is using RSBAC, with rules defined which prohibit proftpd
> jss>from switching uids. I've got a patch here that should do the
> jss>trick, I'll send it his way.
>
> Ahh...cool. Could you post the patch somewhere, too, so we could take a
> look? =)

It's attached to bug #451 on bugs.proftpd.net. I went ahead and committed
after doing some minimal testing, as it is exceedingly trivial.

--
"In the event of a failure, the system can be configured to automatically
restart itself. This feature of Windows NT Server provides maximum system
up-time."
-- Reliability and Fault Tolerance in Windows NT Server, MSC
From: <bu...@pr...> - 2001-02-01 20:09:57
http://bugs.proftpd.net/show_bug.cgi?id=451 *** shadow/451 Thu Feb 1 12:07:27 2001 --- shadow/451.tmp.6250 Thu Feb 1 14:49:42 2001 *************** *** 108,110 **** --- 108,115 ---- + + + ------- Additional Comments From js...@in... 2001-02-01 14:49 ------- + Created an attachment (id=130) + Check uid and gid after PRIVS_SETUP
From: <bu...@pr...> - 2001-02-01 20:09:57
http://bugs.proftpd.net/show_bug.cgi?id=451 *** shadow/451 Thu Feb 1 14:49:42 2001 --- shadow/451.tmp.6264 Thu Feb 1 14:51:06 2001 *************** *** 2,9 **** | setuid with lack of check (getuid) | +----------------------------------------------------------------------------+ | Bug #: 451 Product: ProFTPD | ! | Status: NEW Version: 1.2.0pre10 | ! | Resolution: Platform: All | | Severity: minor OS/Version: Linux | | Priority: P4 Component: core | +----------------------------------------------------------------------------+ --- 2,9 ---- | setuid with lack of check (getuid) | +----------------------------------------------------------------------------+ | Bug #: 451 Product: ProFTPD | ! | Status: RESOLVED Version: 1.2.0pre10 | ! | Resolution: FIXED Platform: All | | Severity: minor OS/Version: Linux | | Priority: P4 Component: core | +----------------------------------------------------------------------------+ *************** *** 113,115 **** --- 113,119 ---- ------- Additional Comments From js...@in... 2001-02-01 14:49 ------- Created an attachment (id=130) Check uid and gid after PRIVS_SETUP + + + ------- Additional Comments From js...@in... 2001-02-01 14:51 ------- + Committed to CVS. \ No newline at end of file -- To unsubscribe, send mail to pro...@pr... with "unsubscribe" in the subject field of the message. http://www.proftpd.net -- The Official ProFTPD web site. http://bugs.proftpd.net -- Bug reporting and feature requests. |
From: <bu...@pr...> - 2001-02-01 21:09:12
http://bugs.proftpd.net/show_bug.cgi?id=451 *** shadow/451 Thu Feb 1 14:51:06 2001 --- shadow/451.tmp.6334 Thu Feb 1 15:25:06 2001 *************** *** 117,119 **** --- 117,127 ---- ------- Additional Comments From js...@in... 2001-02-01 14:51 ------- Committed to CVS. + + ------- Additional Comments From bol...@dc... 2001-02-01 15:25 ------- + verified: + rsbac:/home/boldi/src/proftpd-1.2# /usr/local/sbin/proftpd + rsbac.ebizlab.hit.bme.hu - unable to set uid to 65534, current uid: 0 + + thanks, + boldi \ No newline at end of file