On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:

> On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
> > On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov <[email protected]> writes:
> >>
> >>> ftpd from FreeBSD-10 and up doesn't record ftp logins to the utmpx database
> >>> (for the case of chrooted login).
> >>> This is a lack of security information.
> >>> I found this is done by r202209 and r202604.
> >>> I can't understand the reason for this.
> >>> Can somebody explain?
> >>
> >> Having a jail log into the base system is a security issue in the
> >> making. Can't you do this in a safer way by doing remote logging to the
> >> base system rather than having the jail hold on to a file handle that
> >> belongs outside the jail?
> >
> > Jail? Why do you talk about jail?
> >
> >> It's certainly possible to maintain these kinds of capabilities, but
> >> you would have to convince code reviewers that the same results can't be
> >> achieved some other way that's easier to secure.
>
> I might have just too many miles on the clock already....
>
> It used to be like this: to be able to do anything useful in a chroot,
> you'd rebuild those parts of the system tree that you need in under the
> chrootdir.
> Eg. including ls(1) and all the libs it needed to function in ftpd.
> Same for apaches that ran chrooted, you'd carry/duplicate all you needed
> into the chroot env
>
> So in this case you probably need
> ${CHROOTDIR}/var/log
> and create the database there.

I have many ftp accounts that need to be isolated by ftp.
I need a united database about login and logout.
FreeBSD 1.x-9.x do this.
Why was this removed in 10.x?
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
