Re: [Proftpd-user] Issue with AuthUserFile - Permissions set in config file ignored
Marc Haber <mh+proftp-user <at> zugschlus.de>
2006-01-16 11:53:06 GMT
Hi,
sorry for taking so long to reply, the holidays threw me out of my
normal work cycle.
On Thu, Dec 22, 2005 at 10:19:52AM -0800, TJ Saunders wrote:
> > Would it be possible to have more information about this fact in the
> > debug output? I would be interested, for example, with which uid/gid
> > combination proftpd tries to execute the access, and which exact call
> > fails.
>
> That sort of information would require more work than is necessary, in my
> opinion. Checking of access is done by the filesystem/OS, not by an
> application like proftpd. Asking the application to duplicate the checks
> done by the kernel is not very efficient. As you discovered below, there
> are other, better ways of obtaining this information.
I would, however, like to have more information about _what_ the
application is actually trying and which privileges it assumes.
Currently, the debug information contains neither the actual
error code that is passed by the OS, nor the actual error message that
is being transmitted to the client.
> > Actually, stracing the process was helpful to see that in response to
> > the STOR command, proftpd successfully chroots to the correct
> > directory /mnt/main10/var/ftp/customer/user to stat /.bashrc there,
> > which is answered with ENOENT, and then continues in dispatching the
> > POST_CMD_ERR to the modules.
>
> > The directory is ftp-admin(1003):ftp-customer(1004) 2775, and the
> > logged-in user is mapped to uid 1003 with primary group 1004 in
> > /etc/proftpd.passwd and /etc/proftpd.group.
>
> Debugging output, level 10, will display the list of group IDs and names
> that proftpd retrieves for a user. You might double-check, in the output,
> to see that proftpd is retrieving the proper list of IDs/names.
The parts of the log that I consider relevant are:
retrieved group IDs: 1004, 1004
retrieved group names: ftp-customer, ftp-customer
setting group ID: 1004
ROOT PRIVS: ID switching disabled
Should there be more?
A strace shows that the privileges are changed to:
[pid 3007] setgid32(1004) = 0
[pid 3007] setresuid32(-1, 1003, -1) = 0
so proftpd should be running as ftp-admin:ftp-customer, and should
thus have access privileges for the directory, which is
ftp-admin(1003):ftp-customer(1004) 2775.
Even when I change the directory mode to 2777 (which is a real stupid
thing to do, but I was really desperate, and I changed the mode back
to 2775 afterwards), I get a "permission denied" error in the client.
I have also verified from strace and debugging output that proftpd is
actually chrooting to the correct directory.
Any more hints?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
-------------------------------------------------------
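As an added illustration (not code from the thread, and not proftpd's own), the following Python models the two credential calls the strace shows and the discretionary-access check the kernel applies to the 2775 directory. The uid/gid/mode values are the ones quoted in the thread; the supplementary group list is assumed to be the retrieved "1004, 1004". It shows that setresuid32(-1, 1003, -1) changes only the effective uid, and that the mode bits alone would allow writing to the directory, so the refusal must come from something the mode bits do not describe.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx triplet

@dataclass
class Creds:
    """Process credentials, starting as root (0/0/0) like the parent proftpd."""
    ruid: int = 0
    euid: int = 0
    suid: int = 0
    rgid: int = 0
    egid: int = 0
    sgid: int = 0
    groups: tuple = ()

    def setgid(self, gid):
        # setgid(2) called by a privileged process sets real, effective and saved gid.
        self.rgid = self.egid = self.sgid = gid
        return self

    def setresuid(self, r, e, s):
        # setresuid(2): an argument of -1 leaves that particular uid untouched.
        if r != -1:
            self.ruid = r
        if e != -1:
            self.euid = e
        if s != -1:
            self.suid = s
        return self

def permitted(creds, owner, group, mode, want):
    """Classic POSIX DAC: owner bits if the euid matches, else group bits if
    the egid or any supplementary group matches, else 'other' bits.
    euid 0 bypasses the check entirely (no capability modelling here)."""
    if creds.euid == 0:
        return True
    if creds.euid == owner:
        bits = (mode >> 6) & 7
    elif creds.egid == group or group in creds.groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def session_creds():
    # The two calls exactly as the strace shows them; assumed supplementary list.
    c = Creds(groups=(1004, 1004))
    return c.setgid(1004).setresuid(-1, 1003, -1)

def can_store_in(creds, mode=0o2775):
    # STOR needs write + search on /mnt/main10/var/ftp/customer/user,
    # owned ftp-admin(1003):ftp-customer(1004).
    return permitted(creds, owner=1003, group=1004, mode=mode, want=W | X)
```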
ProFTPD Users List <proftpd-users <at> proftpd.org>