Summary: ProFTPD running under user 'root' may not have all the
privileges you'd think it has. (!?)

Found another dark corner that has perfectly good documentation, and
yet surprised me even so.

I'm continuing in my desire to not use the default server context,
but to only configure explicit <VirtualHost>'s. So as I migrate from
1.2.8 to 1.3.0 and rebuild my configuration file (and retest all my
assumptions) I have very little outside of the <Global> and
<VirtualHost> sections.

I got to the point where I was ready to add my original AuthXxxxFile
statements into the <VirtualHost> section I was building up. But
when I tested I got

    - error: unable to open passwd file
'/usr/local/etc/proftpd.budgie.passwd': Permission denied
I rechecked directory permissions and file permissions and nothing
was obviously wrong.
-rw-r----- 1 budg nobody 39166 Aug 2 14:02
/usr/local/etc/proftpd.budgie.passwd
I changed to
-rw-r--r-- 1 budg nobody 39166 Aug 2 14:02
/usr/local/etc/proftpd.budgie.passwd
and logins worked, confirming that it was a file permissions problem.

But this didn't make sense to me. Here's a boiled down config:

    ServerType      standalone
    DefaultServer   off
    SocketBindTight on
    Port 0

    <Global>
    </Global>

    <VirtualHost 192.168.233.25>
      User             budg
      Group            budg
      AuthUserFile     /usr/local/etc/proftpd.budgie.passwd
      AuthGroupFile    /usr/local/etc/proftpd.budgie.group
      AuthOrder        mod_auth_file.c
    </VirtualHost>

Chiefly the error didn't make sense to me because (as I'd assumed)
when I checked with 'ps' I could see the server running as userid
'root'. And 'root' can do anything, right?

But that did prompt me to try a change to the config. I added back
in the statements I'd originally had in the old config, in the
default server context area:
    Port 0
    User  nobody
    Group nobody

    <Global>

and then logins worked again. And 'ps' reported we were running as 'nobody'.

And it working again makes sense, given the description in
proftpd-1.3.0\doc\howto\AuthFiles.html :
"The proftpd server thus assumes that it will not need special
privileges to read an AuthUserFile or an AuthGroupFile. The process
will access any AuthUserFiles and AuthGroupFiles with the credentials
of the user and group configured via the User and Group directives."
So once running under group nobody, of course we could read a file
owned by group nobody.
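The quoted HOWTO passage says the auth files are opened with the credentials of the configured User and Group, so whether the open succeeds is an ordinary POSIX read-permission decision. The following script is an added illustration (not part of the original post or of ProFTPD's code) that models that decision for the two `ls -l` lines quoted above. The numeric uids and gids, and the extra unrelated account `ftpop`, are constructed assumptions; the post never shows them.

```python
import stat
from dataclasses import dataclass

# Constructed name-to-id tables for the accounts in the post (the ids are
# assumptions; the post never shows them). 'ftpop' is an extra, unrelated
# account added only to show the "neither owner nor group member" case.
USERS = {"root": 0, "budg": 1001, "nobody": 65534, "ftpop": 1002}
GROUPS = {"root": 0, "budg": 1001, "nobody": 65534, "ftpop": 1002}

# The nine symbolic `ls -l` columns, in order, and the mode bit each carries.
_MODE_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
              stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
              stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)


@dataclass(frozen=True)
class FileInfo:
    path: str
    mode: int    # permission bits only, e.g. 0o640
    owner: str
    group: str


def parse_ls_line(line: str) -> FileInfo:
    """Turn one `ls -l` line into a FileInfo.

    Accepts the layout shown in the post:
    '-rw-r----- 1 budg nobody 39166 Aug 2 14:02 /usr/local/etc/proftpd.budgie.passwd'
    """
    fields = line.split()
    perms, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    mode = 0
    for bit, ch in zip(_MODE_BITS, perms[1:10]):
        # 'S' and 'T' mean setuid/setgid/sticky *without* the execute bit.
        if ch in "rwxst":
            mode |= bit
    return FileInfo(path, mode, owner, group)


def can_read(info: FileInfo, user: str, group: str,
             supplementary: frozenset = frozenset()) -> bool:
    """POSIX read check for a process whose effective ids are user/group.

    Only the first matching class (owner, then group, then other) is
    consulted, as the kernel does; effective uid 0 bypasses the bits.
    """
    uid, gid = USERS[user], GROUPS[group]
    if uid == 0:
        return True
    if uid == USERS[info.owner]:
        return bool(info.mode & stat.S_IRUSR)
    if gid == GROUPS[info.group] or info.group in supplementary:
        return bool(info.mode & stat.S_IRGRP)
    return bool(info.mode & stat.S_IROTH)


def world_readable(info: FileInfo) -> bool:
    """True when every local account can read the file (and its password hashes)."""
    return bool(info.mode & stat.S_IROTH)


def audit(ls_line: str, user: str, group: str) -> dict:
    """Summarise what the configured User/Group can do with one auth file."""
    info = parse_ls_line(ls_line)
    return {
        "path": info.path,
        "mode": oct(info.mode),
        "readable_as_configured_identity": can_read(info, user, group),
        "world_readable": world_readable(info),
    }


if __name__ == "__main__":
    # The two `ls -l` lines quoted in the post, before and after the chmod.
    before = "-rw-r----- 1 budg nobody 39166 Aug 2 14:02 /usr/local/etc/proftpd.budgie.passwd"
    after = "-rw-r--r-- 1 budg nobody 39166 Aug 2 14:02 /usr/local/etc/proftpd.budgie.passwd"
    for ident in (("budg", "budg"), ("nobody", "nobody"),
                  ("ftpop", "ftpop"), ("root", "root")):
        print(ident, audit(before, *ident), audit(after, *ident))
```

Run against the original `-rw-r-----` line, the model reports the file readable as `budg` (owner bit), as `nobody` (group bit) and as `root` (bypass), and unreadable only for an identity that is neither the owner nor in group `nobody`. The `world_readable` field flags the side effect of the `-rw-r--r--` workaround: every local account can then read the password hashes, so tightening the group ownership to match the User/Group the server actually opens the file with is the safer fix than loosening the mode.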

Now, if you start ProFTPD under 'root', and you don't have "User" and
"Group" statements in the server context, the server continues to run
under 'root'.

And 'root' can do anything, right? But, not here? Huh??


--
For all their days are full of pain, and their work is a vexation;
even at night their minds do not rest. This is also vanity.
Ecclesiastes 2:23 (King Solomon knew programmers?)

_______________________________________________
ProFTPD Users List