Re: Incoherent default rcscript and user for pure-ftpd?

Fri, 30 Aug 2013 13:26:34 -0700 

On 30/08/13 3:08 PM, Stuart Henderson wrote:

On 2013/08/30 14:22, Brad Smith wrote:

On 26/08/13 10:17 AM, Donovan Watteau wrote:

Hello,

net/pure-ftpd creates the following user and group:
@newgroup _pure-ftpd:642
@newuser _pure-ftpd:642:_pure-ftpd:daemon:pure-ftpd 
user:/nonexistent:/sbin/nologin

but then, /etc/rc.d/pure_ftpd has:
daemon_flags="-A -B -H -u1000"

so, with this default configuration, users below 1000 can't log in.

Hence, if I create a user this way:
# pure-pw useradd myuser -u _pure-ftpd -d /whatever
# pure-pw mkdb

I can't log in with it ("account disabled"), unless I use something
like "-u600".

Am I missing something about the purpose of the _pure-ftpd user here,
or should the -u parameter in daemon_flags be lowered by default in the
provided package?


I'm looking back at this and to be honest I don't even know why the
port creates the user/group. I understand why the rc script is the
way it is.

Stuart, do you remember why the user / group was added?


This user/group is used for privilege separation, see the section from the
README I've pasted below.

$ ps wwaxu|grep pure
root     13008  0.0  0.0   608  1340 ??  Ss     8:01PM    0:00.01 pure-ftpd: 
-pure-ftpd (SERVER) (pure-ftpd)
_pure-ftpd 20890  0.0  0.0   624  1204 ??  S      8:02PM    0:00.00 pure-ftpd: 
-pure-ftpd (PRIV) (pure-ftpd)
ftp      24033  0.0  0.0   620  1432 ??  S      8:02PM    0:00.07 pure-ftpd: 
-pure-ftpd (IDLE) (pure-ftpd)

I use a separate account with uid >=1000 as a file owner for anonymous
ftp or as account owner for virtual users.



...snip...

     ------------------------ PRIVILEGE SEPARATION ------------------------


When privilege separation is enabled, each session will spawn two processes :
a "privileged" process running as root, but that can only do very basic
and trusted actions (binding a port and remove the ftpwho scoreboard) and
the "client" process. The "client" process definitely revokes all privileges
after authentication and chroot() and punctually communicates with the
parent over a private channel.

Privilege separation decreases performance of loaded servers, but it
increases security and reliability. Enabling it is recommended.
Ok, thanks. I knew I was missing something and making a connection attempt to the daemon I see the second process now.

Reply via email to