ProFTPD module mod_cap
The Linux capabilities project aims to provide the POSIX.1e security
model under Linux. Documentation for this project can be found here:
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs
Without going into gory detail, POSIX.1e basically specifies an interface to
such goodies as capabilities, capability sets, access control lists, mandatory
access control and much, much more. The end result of this security model
allows compliant systems and daemons to have very fine-grained control
over what operations are allowed by which services on the system.
The best part of the whole story is that Linux kernels (since 2.1)
already have two important facets of the security model in place, namely
capabilities and capability sets. Using these features allows a userland
program to specifically drop capabilities (which can be thought of as
"privileges") which it does not need. Once such capabilities are
completely dropped, neither the userland program nor any binary it
should spawn will be allowed to perform privileged operations, regardless
of whether the program is running as root or not. Essentially, this limits
the power of root to only those specific functions that are necessary, with
the end effect of making the program much more secure.
A contributed module has been added in the proftpd distribution,
named mod_cap. It can be found in the modules/ directory.
The libcap library provides the interface between
mod_cap and the capability syscalls present in Linux kernels.
(Note that this library can be found at
www.kernel.org or sourceforge.net/projects/linux-privs).
When proftpd runs with mod_cap installed, its
operation changes slightly:
Installation instructions for mod_cap can be found
here.
The most current version of mod_cap can be found in the
ProFTPD source distribution:
http://www.proftpd.org/
Directives
Syntax: CapabilitiesEngine on|off
Default: on
Context: server config, <VirtualHost>, <Global>
Module: mod_cap
Compatibility: 1.2.8rc2 and later
The CapabilitiesEngine directive enables or disables the module's
runtime capabilities engine. If it is set to off, this module does no
runtime capabilities processing at all. Use this directive to disable the
module.
Syntax: CapabilitiesRootRevoke on|off
Default: CapabilitiesRootRevoke on
Context: server config, <VirtualHost>, <Global>
Module: mod_cap
Compatibility: 1.3.5rc1 and later
By default, the mod_cap module will revoke (i.e.
drop) root privileges entirely, once the necessary capabilities have been
set. Use the CapabilitiesRootRevoke directive to change this
default behavior, e.g.:
CapabilitiesRootRevoke off
Syntax: CapabilitiesSet [+|- cap] ...
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_cap
Compatibility: 1.2.8rc2 and later
The CapabilitiesSet directive is used to manipulate the set of
capabilities that mod_cap grants.
By default, mod_cap removes all but a few capabilities
from the session-handling process: CAP_NET_BIND_SERVICE, for
binding to ports lower than 1024 (required for active data transfers), and
CAP_CHOWN, for allowing a process to change a file's ownership
to a different user. The CAP_CHOWN capability is only strictly
necessary if the UserOwner configuration directive is in use; if it is
not being used, the CAP_CHOWN capability is best removed.
Additionally, CAP_AUDIT_WRITE is retained if
the mod_auth_pam module is present, as this capability is needed
for some PAM modules such as pam_loginuid.
To remove a capability, prefix the name with a '-'; to enable a capability,
use '+'. This directive supports the following capabilities:
CAP_CHOWN
CAP_DAC_OVERRIDE (override all directory access controls)
CAP_DAC_READ_SEARCH (allow read and search directory access)
CAP_FOWNER
CAP_FSETID
CAP_SETUID
Example:
<IfModule mod_cap.c>
CapabilitiesEngine on
CapabilitiesSet -CAP_CHOWN +CAP_DAC_READ_SEARCH +CAP_FOWNER
</IfModule>
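To make the set arithmetic above concrete, here is an added C example (not part of mod_cap or the ProFTPD distribution) that models how a CapabilitiesSet argument list modifies the default retained set and formats the result as the CapEff value found in /proc/<pid>/status, so a running session process can be checked against the intended set. The capability numbers are Linux's own; the function names are this example's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Linux capability numbers (same values as <linux/capability.h>); only the
 * names mod_cap documents plus its defaults are modelled here. */
enum {
    CAP_CHOWN = 0, CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2,
    CAP_FOWNER = 3, CAP_FSETID = 4, CAP_SETUID = 7,
    CAP_NET_BIND_SERVICE = 10, CAP_AUDIT_WRITE = 29
};

/* Names accepted by the CapabilitiesSet directive, per the module docs. */
static const struct { const char *name; int bit; } cap_table[] = {
    {"CAP_CHOWN", CAP_CHOWN}, {"CAP_DAC_OVERRIDE", CAP_DAC_OVERRIDE},
    {"CAP_DAC_READ_SEARCH", CAP_DAC_READ_SEARCH}, {"CAP_FOWNER", CAP_FOWNER},
    {"CAP_FSETID", CAP_FSETID}, {"CAP_SETUID", CAP_SETUID},
};

/* Default set mod_cap keeps: CAP_NET_BIND_SERVICE and CAP_CHOWN, plus
 * CAP_AUDIT_WRITE when mod_auth_pam is built in. */
uint64_t mod_cap_default_set(int have_pam) {
    uint64_t set = (1ULL << CAP_NET_BIND_SERVICE) | (1ULL << CAP_CHOWN);
    if (have_pam) set |= 1ULL << CAP_AUDIT_WRITE;
    return set;
}

/* Apply CapabilitiesSet arguments ("+CAP_X -CAP_Y ...") to a set.
 * Returns 0 on success, -1 on a missing prefix or an unsupported name. */
int mod_cap_apply_set(uint64_t *set, const char *args) {
    char buf[256];
    strncpy(buf, args, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (tok[0] != '+' && tok[0] != '-') return -1;
        size_t i, n = sizeof cap_table / sizeof cap_table[0];
        for (i = 0; i < n && strcmp(tok + 1, cap_table[i].name) != 0; i++) ;
        if (i == n) return -1;
        if (tok[0] == '+') *set |= 1ULL << cap_table[i].bit;
        else               *set &= ~(1ULL << cap_table[i].bit);
    }
    return 0;
}

/* True if the capability is still present in the set. */
int mod_cap_has(uint64_t set, int cap) { return (int)((set >> cap) & 1); }

/* Render the set as the 16-hex-digit form shown on the CapEff line of
 * /proc/<pid>/status, for comparison with a live session process. */
void mod_cap_format_capeff(uint64_t set, char out[17]) {
    snprintf(out, 17, "%016llx", (unsigned long long)set);
}
```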
The mod_cap module is automatically included when
proftpd is built on a Linux system that supports capabilities; to
disable this automatic inclusion, use the --disable-cap configure
option.
Question: Why do I see the following in my system logs?
warning: `proftpd' uses 32-bit capabilities (legacy support in use)
Answer: This warning is coming from the use of the
libcap library. A newer version of the libcap library (called the
"libcap2" or "libcap2-dev" package on some Linux distributions) is now
available.
To remove the above warning, you will need to update/install the newer libcap2
or libcap2-dev package on your system, and re-build proftpd (using version
1.3.2rc1 or later) in order to compile and link against the newer libcap
library.
Question: What does the following mean?
chown() as root failed: Operation not permitted
Answer: The purpose of the mod_cap
module is to restrict the capabilities of the all-powerful root
user. Thus when mod_cap is in effect, operations like
chown() are restricted.
The message above usually happens when your configuration uses the
UserOwner or GroupOwner configuration directives.
To enable those directives to function and still use mod_cap,
you will need to use a configuration such as:
<IfModule mod_cap.c>
# Allow root to use chown(2): '+' enables the capability
CapabilitiesSet +CAP_CHOWN
</IfModule>
© Copyright 2000-2013 TJ Saunders
All Rights Reserved