Hi Ken,

> I looked in var/log/messages and I see a bunch of lines like this, not sure
> what they mean or why they are occurring now and not previously. Customer
> would be using site admin credentials, wouldn't even know root login.
>
> Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
> Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254

Yeah, ProFTPd doesn't allow user "root" and never has.

A seteuid() call happens when a program drops privileges to do something as a lesser user, and when it's done it tries to regain the same UID/GID as before via seteuid(). It's something I'm sort of sure ProFTPd doesn't allow without full reauthentication, because from a security point of view it's *very* tricky to get right. In the nooks and crannies of such code there is often room for exploits, and that's why sensible people don't implement it - unless they really *have* to. And then it's usually the best audited and most well tested part of the code, because one false step and it can get exploited.

The last ProFTPd update only changed two things: mod_ban and mod_geoip got activated by default. Other than that it's just ProFTPd 1.3.6-RC1 vs ProFTPd-1.3.5.

Are the files in the webspace owned by that siteAdmin or by someone else? This could be where the seteuid() call comes from. Say the files are owned by nobody:siteX or apache:siteX and not by the siteAdmin:siteX.

-- 
With best regards

Michael Stauber
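
The seteuid() drop-and-regain pattern discussed in this thread, as an added example that is not part of the original message and is not ProFTPD code: it shows when the kernel lets a process switch its effective UID back to 0 and when it answers with EPERM, whose message text is the "Operation not permitted" seen in the quoted log. The function name `drop_then_regain` and the UID 65534 are assumptions made for the illustration.

```c
/* Added illustration (not ProFTPD source): temporary vs. permanent UID drop. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534 /* assumption: an unprivileged account, "nobody" on many systems */

/* Forks a child so the caller's own credentials are never changed.
 * permanent == 0: root drops with seteuid(); the saved set-user-ID stays 0.
 * permanent == 1: root drops with setuid(); real, effective and saved IDs all change.
 * The child then calls seteuid(0). Returns 0 if that worked, the errno if it
 * failed, or -1 if the drop itself could not be set up.
 * Started without root, no drop happens and seteuid(0) is simply refused. */
int drop_then_regain(int permanent)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (geteuid() == 0) {
            int rc = permanent ? setuid(UNPRIV_UID) : seteuid(UNPRIV_UID);
            if (rc != 0)
                _exit(255);
        }
        _exit(seteuid(0) == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

static void report(const char *label, int result)
{
    if (result < 0)
        printf("%s: could not run the test\n", label);
    else
        printf("%s: seteuid(0) -> %s\n", label, result ? strerror(result) : "ok");
}

int main(void)
{
    report("after seteuid() drop", drop_then_regain(0));
    report("after setuid() drop ", drop_then_regain(1));
    return 0;
}
```

Run as root, the first case regains UID 0 because the saved set-user-ID is still 0, while the second fails with EPERM; run as an ordinary user, both fail with EPERM.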