Mercurial Mercurial > upstream > oracle > userland-gate / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
20886490 proftpd can't open wtmpx after one login failure, doesn't register the ftp login s11u2-sru
authorWilliam.D.Johnston <William.D.Johnston@oracle.com>
Tue, 15 Sep 2015 13:31:29 -0700
branchs11u2-sru
changeset 4859 1d1f96c52667
parent 4853 3a88b6e33071
child 4865 e7dc039720a4
20886490 proftpd can't open wtmpx after one login failure, doesn't register the ftp login 20717794 proftpd changes group ownership of file /etc/shadow after user login failure 19318572 root logins can't get all privilege when Solaris PrivilegeEngine enabled
components/proftpd/mod_solaris_audit.c file | annotate | diff | comparison | revisions
components/proftpd/mod_solaris_priv.c file | annotate | diff | comparison | revisions 
--- a/components/proftpd/mod_solaris_audit.c	Thu Sep 10 13:15:41 2015 -0700
+++ b/components/proftpd/mod_solaris_audit.c	Tue Sep 15 13:31:29 2015 -0700
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - FTP server daemon
- * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -280,6 +280,11 @@
     pr_log_pri(PR_LOG_ERR, "Auditing privilege initialization failed");
     return rval;
   }
+
+  (void) getppriv(PRIV_INHERITABLE, privset);
+  priv_addset(privset, PRIV_PROC_AUDIT);
+  (void) setppriv(PRIV_SET, PRIV_INHERITABLE, privset);
+
   (void) getppriv(PRIV_EFFECTIVE, privset);
   priv_addset(privset, PRIV_SYS_AUDIT);
   (void) setppriv(PRIV_SET, PRIV_EFFECTIVE, privset);
--- a/components/proftpd/mod_solaris_priv.c	Thu Sep 10 13:15:41 2015 -0700
+++ b/components/proftpd/mod_solaris_priv.c	Tue Sep 15 13:31:29 2015 -0700
@@ -56,6 +56,11 @@
 #define	PRIV_USE_FILE_OWNER		0x0040
 #define	PRIV_DROP_FILE_WRITE		0x0080
 
+#define	PRIV_SOL_ROOT_PRIVS	( \
+    PRIV_USE_FILE_CHOWN | PRIV_USE_FILE_CHOWN_SELF | \
+    PRIV_USE_DAC_READ | PRIV_USE_DAC_WRITE | PRIV_USE_DAC_SEARCH | \
+    PRIV_USE_FILE_OWNER)
+
 static unsigned int solaris_priv_flags = 0;
 static unsigned char use_privs = TRUE;
 
@@ -145,12 +150,18 @@
  */
 MODRET solaris_priv_post_pass(cmd_rec *cmd) {
   int res = -1;
+  int priv_flags = solaris_priv_flags;
   priv_set_t *p = NULL;
   priv_set_t *i = NULL;
 
   if (!use_privs)
     return PR_DECLINED(cmd);
 
+  /* If we authenticated as root, we get all appropriate privs */
+  if (session.uid == 0) {
+     priv_flags = PRIV_SOL_ROOT_PRIVS;
+  }
+
   pr_signals_block();
 
   /* The only privilege we need is PRIV_NET_PRIVADDR (bind
@@ -185,29 +196,29 @@
   priv_delset(p, PRIV_PROC_INFO);
   priv_delset(p, PRIV_PROC_SESSION);
 
-  if (solaris_priv_flags & PRIV_USE_SETID)
+  if (priv_flags & PRIV_USE_SETID)
     priv_addset(p, PRIV_PROC_SETID);
 
   /* Add any of the configurable privileges. */
-  if (solaris_priv_flags & PRIV_USE_FILE_CHOWN)
+  if (priv_flags & PRIV_USE_FILE_CHOWN)
     priv_addset(p, PRIV_FILE_CHOWN);
 
-  if (solaris_priv_flags & PRIV_USE_FILE_CHOWN_SELF)
+  if (priv_flags & PRIV_USE_FILE_CHOWN_SELF)
     priv_addset(p, PRIV_FILE_CHOWN_SELF);
 
-  if (solaris_priv_flags & PRIV_USE_DAC_READ)
+  if (priv_flags & PRIV_USE_DAC_READ)
     priv_addset(p, PRIV_FILE_DAC_READ);
 
-  if (solaris_priv_flags & PRIV_USE_DAC_WRITE)
+  if (priv_flags & PRIV_USE_DAC_WRITE)
     priv_addset(p, PRIV_FILE_DAC_WRITE);
 
-  if (solaris_priv_flags & PRIV_USE_DAC_SEARCH)
+  if (priv_flags & PRIV_USE_DAC_SEARCH)
     priv_addset(p, PRIV_FILE_DAC_SEARCH);
 
-  if (solaris_priv_flags & PRIV_USE_FILE_OWNER)
+  if (priv_flags & PRIV_USE_FILE_OWNER)
     priv_addset(p, PRIV_FILE_OWNER);
 
-  if (solaris_priv_flags & PRIV_DROP_FILE_WRITE)
+  if (priv_flags & PRIV_DROP_FILE_WRITE)
     priv_delset(p, PRIV_FILE_WRITE);
 
   res = setppriv(PRIV_SET, PRIV_PERMITTED, p);
@@ -247,51 +258,6 @@
     fn, "effective", strerror(errno));
 }
 
-MODRET solaris_priv_post_fail(cmd_rec *cmd) {
-  priv_set_t* effective_set = NULL;
-
-  if ((effective_set = priv_allocset()) == NULL) {
-    log_err_effective("priv_allocset");
-    goto out;
-  }
-
-  if (getppriv(PRIV_EFFECTIVE, effective_set) != 0) {
-    log_err_effective("getppriv");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_PROC_AUDIT) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_SYS_AUDIT) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_PROC_SETID) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_PROC_TASKID) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (setppriv(PRIV_SET, PRIV_EFFECTIVE, effective_set) != 0) {
-    log_err_effective("setppriv");
-    goto out;
-  }
-
-out:
-  if (effective_set != NULL)
-    priv_freeset(effective_set);
-
-  return PR_DECLINED(cmd);
-}
-
 /* Initialization routines
  */
 
@@ -414,7 +380,6 @@
 
 static cmdtable solaris_priv_cmdtab[] = {
   { POST_CMD, C_PASS, G_NONE, solaris_priv_post_pass, FALSE, FALSE },
-  { POST_CMD_ERR, C_PASS, G_NONE, solaris_priv_post_fail, FALSE, FALSE },
   { 0, NULL }
 };
upstream/oracle/userland-gate