# HG changeset patch
# User William.D.Johnston
# Date 1436900948 25200
# Node ID 2bb9a036a5f2edfa859f543285cb7391bc7b85d8
# Parent 7e2c683157d698b80c0ba53f8063c669ca8df803
20886490 proftpd can't open wtmpx after one login failure, doesn't register the ftp login
20717794 proftpd changes group ownership of file /etc/shadow after user login failure
19318572 root logins can't get all privilege when Solaris PrivilegeEngine enabled
diff -r 7e2c683157d6 -r 2bb9a036a5f2 components/proftpd/mod_solaris_audit.c
--- a/components/proftpd/mod_solaris_audit.c Tue Jun 23 14:51:21 2015 -0700
+++ b/components/proftpd/mod_solaris_audit.c Tue Jul 14 12:09:08 2015 -0700
@@ -1,6 +1,6 @@ /* * ProFTPD - FTP server daemon
- * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by
@@ -280,6 +280,11 @@ pr_log_pri(PR_LOG_ERR, "Auditing privilege initialization failed"); return rval; }
+
+ (void) getppriv(PRIV_INHERITABLE, privset);
+ priv_addset(privset, PRIV_PROC_AUDIT);
+ (void) setppriv(PRIV_SET, PRIV_INHERITABLE, privset);
+
(void) getppriv(PRIV_EFFECTIVE, privset); priv_addset(privset, PRIV_SYS_AUDIT); (void) setppriv(PRIV_SET, PRIV_EFFECTIVE, privset);
diff -r 7e2c683157d6 -r 2bb9a036a5f2 components/proftpd/mod_solaris_priv.c
--- a/components/proftpd/mod_solaris_priv.c Tue Jun 23 14:51:21 2015 -0700
+++ b/components/proftpd/mod_solaris_priv.c Tue Jul 14 12:09:08 2015 -0700
@@ -56,6 +56,11 @@ #define PRIV_USE_FILE_OWNER 0x0040 #define PRIV_DROP_FILE_WRITE 0x0080
+#define PRIV_SOL_ROOT_PRIVS \ (PRIV_USE_FILE_CHOWN | PRIV_USE_FILE_CHOWN_SELF | \ PRIV_USE_DAC_READ | PRIV_USE_DAC_WRITE | PRIV_USE_DAC_SEARCH | \ PRIV_USE_FILE_OWNER)
+
static unsigned int solaris_priv_flags = 0; static unsigned char use_privs = TRUE;
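Review bot: The three new calls that move PRIV_PROC_AUDIT into the inheritable set discard their return values, so if PRIV_PROC_AUDIT is not in the process's permitted set the setppriv() fails with EPERM and the audit path this hunk is meant to repair silently stays broken, whereas the check just above logs "Auditing privilege initialization failed" and returns. Handle it the same way: `if (setppriv(PRIV_SET, PRIV_INHERITABLE, privset) != 0) {` / `pr_log_pri(PR_LOG_ERR, "Adding PRIV_PROC_AUDIT to inheritable set failed");` / `return rval; }`, with the same error value the preceding `return rval;` branch yields, which is established before this hunk. A one-line comment on why the inheritable set is touched at all would also help the next reader, e.g. `/* Keep PRIV_PROC_AUDIT in I: presumably so it survives the later switch to the user's uid, which resets P and E from I for a process that is not privilege-aware. */`. The enclosing function starts before this hunk, and the pre-existing `(void) setppriv(PRIV_SET, PRIV_EFFECTIVE, privset)` below has the same unchecked-failure gap.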
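Review bot: PRIV_SOL_ROOT_PRIVS has no comment, and what it omits matters as much as what it includes: it contains neither PRIV_USE_SETID nor PRIV_DROP_FILE_WRITE, so wherever it stands in for solaris_priv_flags (the uid-0 path this patch adds to solaris_priv_post_pass) the administrator's setting for those two flags is not applied to a root session. Add a comment above the define stating that, e.g. `/* Flags used instead of solaris_priv_flags for a session that authenticated as uid 0. Intentionally omits PRIV_USE_SETID and PRIV_DROP_FILE_WRITE; the configured values of those are not consulted for root. */`. If leaving out PRIV_DROP_FILE_WRITE is not deliberate it deserves a second look, since it is the only flag in this family that removes a privilege rather than granting one.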
@@ -145,12 +150,18 @@ */ MODRET solaris_priv_post_pass(cmd_rec *cmd) { int res = -1;
+ int priv_flags = solaris_priv_flags;
priv_set_t *p = NULL; priv_set_t *i = NULL; if (!use_privs) return PR_DECLINED(cmd);
+ /* If we authenticated as root, we get all appropriate privs */
+ if (session.uid == 0) {
+ priv_flags = PRIV_SOL_ROOT_PRIVS;
+ }
+
pr_signals_block(); /* The only privilege we need is PRIV_NET_PRIVADDR (bind
@@ -185,29 +196,29 @@ priv_delset(p, PRIV_PROC_INFO); priv_delset(p, PRIV_PROC_SESSION);
- if (solaris_priv_flags & PRIV_USE_SETID)
+ if (priv_flags & PRIV_USE_SETID)
priv_addset(p, PRIV_PROC_SETID); /* Add any of the configurable privileges. */
- if (solaris_priv_flags & PRIV_USE_FILE_CHOWN)
+ if (priv_flags & PRIV_USE_FILE_CHOWN)
priv_addset(p, PRIV_FILE_CHOWN);
- if (solaris_priv_flags & PRIV_USE_FILE_CHOWN_SELF)
+ if (priv_flags & PRIV_USE_FILE_CHOWN_SELF)
priv_addset(p, PRIV_FILE_CHOWN_SELF);
- if (solaris_priv_flags & PRIV_USE_DAC_READ)
+ if (priv_flags & PRIV_USE_DAC_READ)
priv_addset(p, PRIV_FILE_DAC_READ);
- if (solaris_priv_flags & PRIV_USE_DAC_WRITE)
+ if (priv_flags & PRIV_USE_DAC_WRITE)
priv_addset(p, PRIV_FILE_DAC_WRITE);
- if (solaris_priv_flags & PRIV_USE_DAC_SEARCH)
+ if (priv_flags & PRIV_USE_DAC_SEARCH)
priv_addset(p, PRIV_FILE_DAC_SEARCH);
- if (solaris_priv_flags & PRIV_USE_FILE_OWNER)
+ if (priv_flags & PRIV_USE_FILE_OWNER)
priv_addset(p, PRIV_FILE_OWNER);
- if (solaris_priv_flags & PRIV_DROP_FILE_WRITE)
+ if (priv_flags & PRIV_DROP_FILE_WRITE)
priv_delset(p, PRIV_FILE_WRITE); res = setppriv(PRIV_SET, PRIV_PERMITTED, p);
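Review bot: `int priv_flags = solaris_priv_flags;` copies an `unsigned int` into a signed `int` and later ANDs it with the same unsigned flag macros; declare it `unsigned int priv_flags = solaris_priv_flags;` so the two agree. The uid-0 branch replaces the configured flags instead of extending them, so PRIV_USE_SETID and PRIV_DROP_FILE_WRITE are never honoured for a root session even when set; if that is the intent, the comment should say so, e.g. `/* A session authenticated as uid 0 gets the fixed root privilege set; the configured flags, including PRIV_DROP_FILE_WRITE, are not consulted. */`, and if it is not, `priv_flags |= PRIV_SOL_ROOT_PRIVS;` keeps the configured flags while still granting root the full set. solaris_priv_post_pass continues past the end of this hunk.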
@@ -247,51 +258,6 @@ fn, "effective", strerror(errno)); }
-MODRET solaris_priv_post_fail(cmd_rec *cmd) {
- priv_set_t* effective_set = NULL;
-
- if ((effective_set = priv_allocset()) == NULL) {
- log_err_effective("priv_allocset");
- goto out;
- }
-
- if (getppriv(PRIV_EFFECTIVE, effective_set) != 0) {
- log_err_effective("getppriv");
- goto out;
- }
-
- if (priv_addset(effective_set, PRIV_PROC_AUDIT) != 0) {
- log_err_effective("priv_addset");
- goto out;
- }
-
- if (priv_addset(effective_set, PRIV_SYS_AUDIT) != 0) {
- log_err_effective("priv_addset");
- goto out;
- }
-
- if (priv_addset(effective_set, PRIV_PROC_SETID) != 0) {
- log_err_effective("priv_addset");
- goto out;
- }
-
- if (priv_addset(effective_set, PRIV_PROC_TASKID) != 0) {
- log_err_effective("priv_addset");
- goto out;
- }
-
- if (setppriv(PRIV_SET, PRIV_EFFECTIVE, effective_set) != 0) {
- log_err_effective("setppriv");
- goto out;
- }
-
-out:
- if (effective_set != NULL)
- priv_freeset(effective_set);
-
- return PR_DECLINED(cmd);
-}
-
/* Initialization routines */
@@ -414,7 +380,6 @@ static cmdtable solaris_priv_cmdtab[] = { { POST_CMD, C_PASS, G_NONE, solaris_priv_post_pass, FALSE, FALSE },
- { POST_CMD_ERR, C_PASS, G_NONE, solaris_priv_post_fail, FALSE, FALSE },
{ 0, NULL } };