On Tue, Mar 31, 2015 at 11:34:21AM +0200, Willem Jan Withagen wrote: > On 31-3-2015 10:44, Slawa Olhovchenkov wrote: > > On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote: > > > >> On 31-3-2015 05:44, Slawa Olhovchenkov wrote: > >>> On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote: > >>> > >>>> Slawa Olhovchenkov <[email protected]> writes: > >>>> > >>>>> ftpd from FreeBSD-10 and up don't record ftp logins to utmpx database > >>>>> (for case of chrooted login). > >>>>> This is lack security information. > >>>>> I found this is done by r202209 and r202604. > >>>>> I can't understand reason of this. > >>>>> Can somebody explain? > >>>> > >>>> Having a jail log into the base system is a security issue in the > >>>> making. Can't you do this in a safer way by doing remote logging to the > >>>> base system rather than having the jail hold on to a file handle that > >>>> belongs outside the jail? > >>> > >>> Jail? Why I you talk about jail? > >>> > >>>> It's certainly possible to maintain these kinds of capabilities, but > >>>> you would have to convince code reviewers that the same results can't be > >>>> achieved some other way that's easier to secure. > >> > >> I might have just too many miles on the clock already.... > >> > >> It used to liek this: to be able to do anything usefull in a chroot, > >> you'd rebuild those parts of the system tree that you need in under the > >> chrootdir. > >> Eg. including ls(1) and all the libs it needed to function in ftpd. > >> Some for apaches that ran chrooted, you'd carry/duplicate all you needed > >> into the chroot env > >> > >> So in this case you probably need > >> ${CHROOTDIR/var/log > >> and create the database there. > > > > I have many ftp acconts, than need be isolated by ftp. > > I need united database about login and logout. > > FreeBSD 1.x-9.x do this. > > Why this removed in 10.x? > > Slawa, > > I can't tell you that, but it is in r202209. And you can ask the one > that removed it (ed@). :) > Like r202209 says 5 years ago: > Maybe we can address this in the future if it turns out to be a > real issue.
What about issue talk? Opened file outside chroot? /dev/null and /var/run/logpriv still opened. Disabling logging for chrooted accounts? Realy?! > Hasn't been an issue uptill now, it seems. > > But then there are many flavours of FTP server out there ATM, so freely > quoted from Andy Tannenbaum: > If you don't like this version, get another one. Now I only see removing old and working functionality w/o reassonable > Or write a script that actually unites the output from either the > database and/or last(8). You kidding. For this I need rearange ALL ftp acconts. Change permissions. Create hieararhie. Learn users. _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
