On 31-3-2015 10:44, Slawa Olhovchenkov wrote:
On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:
On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
Slawa Olhovchenkov <[email protected]> writes:
ftpd from FreeBSD-10 and up doesn't record ftp logins to the utmpx database
(in the case of a chrooted login).
This is a lack of security information.
I found this was done by r202209 and r202604.
I can't understand the reason for this.
Can somebody explain?
Having a jail log into the base system is a security issue in the
making. Can't you do this in a safer way by doing remote logging to the
base system rather than having the jail hold on to a file handle that
belongs outside the jail?
Jail? Why do you talk about jail?
It's certainly possible to maintain these kinds of capabilities, but
you would have to convince code reviewers that the same results can't be
achieved some other way that's easier to secure.
I might have just too many miles on the clock already....
It used to be like this: to be able to do anything useful in a chroot,
you'd rebuild those parts of the system tree that you need under the
chrootdir.
Eg. including ls(1) and all the libs it needed to function in ftpd.
Same for apaches that ran chrooted, you'd carry/duplicate all you needed
into the chroot env.
So in this case you probably need
${CHROOTDIR}/var/log
and create the database there.
I have many ftp accounts that need to be isolated by ftp.
I need a united database of logins and logouts.
FreeBSD 1.x-9.x do this.
Why was this removed in 10.x?
Slawa,
I can't tell you that, but it is in r202209. And you can ask the one
that removed it (ed@). :)
Like r202209 says 5 years ago:
Maybe we can address this in the future if it turns out to be a
real issue.
Hasn't been an issue up till now, it seems.
But then there are many flavours of FTP server out there ATM, so freely
quoted from Andy Tanenbaum:
If you don't like this version, get another one.
Or write a script that actually unites the output from either the
database and/or last(8).
--WjW