20886490 proftpd can't open wtmpx after one login failure, doesn't register the ftp login s11-update
authorWilliam.D.Johnston <William.D.Johnston@oracle.com>
Tue, 14 Jul 2015 12:09:08 -0700
branchs11-update
changeset 4646 2bb9a036a5f2
parent 4645 7e2c683157d6
child 4647 f1f27134bd1c
20886490 proftpd can't open wtmpx after one login failure, doesn't register the ftp login
20717794 proftpd changes group ownership of file /etc/shadow after user login failure
19318572 root logins can't get all privilege when Solaris PrivilegeEngine enabled
components/proftpd/mod_solaris_audit.c
components/proftpd/mod_solaris_priv.c
--- a/components/proftpd/mod_solaris_audit.c	Tue Jun 23 14:51:21 2015 -0700
+++ b/components/proftpd/mod_solaris_audit.c	Tue Jul 14 12:09:08 2015 -0700
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - FTP server daemon
- * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -280,6 +280,11 @@
     pr_log_pri(PR_LOG_ERR, "Auditing privilege initialization failed");
     return rval;
   }
+
+  (void) getppriv(PRIV_INHERITABLE, privset);
+  priv_addset(privset, PRIV_PROC_AUDIT);
+  (void) setppriv(PRIV_SET, PRIV_INHERITABLE, privset);
+
   (void) getppriv(PRIV_EFFECTIVE, privset);
   priv_addset(privset, PRIV_SYS_AUDIT);
   (void) setppriv(PRIV_SET, PRIV_EFFECTIVE, privset);
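Review bot: The three added calls discard their results, so a failure to put PRIV_PROC_AUDIT into the inheritable set goes unnoticed even though the lines just above this hunk log "Auditing privilege initialization failed" and return `rval` when the earlier privilege setup fails. Checking at least the setppriv() result in the same style, e.g. `if (setppriv(PRIV_SET, PRIV_INHERITABLE, privset) != 0) pr_log_pri(PR_LOG_ERR, "Failed to add PRIV_PROC_AUDIT to the inheritable set");`, would keep the wtmpx symptom this commit fixes from reappearing silently. Widening the inheritable set also reaches further than the effective-set change below it, since that set is what a later uid change or exec carries forward, so a short comment such as `/* PRIV_PROC_AUDIT must survive the session's later uid change so the login can be recorded */` (hedged: that appears to be the motivation) would help the next reader. The enclosing function begins and continues outside this hunk.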
--- a/components/proftpd/mod_solaris_priv.c	Tue Jun 23 14:51:21 2015 -0700
+++ b/components/proftpd/mod_solaris_priv.c	Tue Jul 14 12:09:08 2015 -0700
@@ -56,6 +56,11 @@
 #define	PRIV_USE_FILE_OWNER		0x0040
 #define	PRIV_DROP_FILE_WRITE		0x0080
 
+#define	PRIV_SOL_ROOT_PRIVS	\
+	(PRIV_USE_FILE_CHOWN | PRIV_USE_FILE_CHOWN_SELF | \
+	PRIV_USE_DAC_READ | PRIV_USE_DAC_WRITE | PRIV_USE_DAC_SEARCH | \
+	PRIV_USE_FILE_OWNER)
+
 static unsigned int solaris_priv_flags = 0;
 static unsigned char use_privs = TRUE;
 
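Review bot: PRIV_SOL_ROOT_PRIVS is added without a comment, and unlike the PRIV_USE_* flags above it its name does not say what it is or why PRIV_USE_SETID and PRIV_DROP_FILE_WRITE are left out of it. A header comment such as `/* Privilege flags applied to a session that authenticated as uid 0, used instead of the configured flags; PRIV_USE_SETID and PRIV_DROP_FILE_WRITE are not included. */` would record the decision where a later change to the flag list will see it. Whether the exclusion of the setid and drop-write bits is intentional cannot be told from this hunk, so the comment should state whichever is the case.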
@@ -145,12 +150,18 @@
  */
 MODRET solaris_priv_post_pass(cmd_rec *cmd) {
   int res = -1;
+  int priv_flags = solaris_priv_flags;
   priv_set_t *p = NULL;
   priv_set_t *i = NULL;
 
   if (!use_privs)
     return PR_DECLINED(cmd);
 
+  /* If we authenticated as root, we get all appropriate privs */
+  if (session.uid == 0) {
+    priv_flags = PRIV_SOL_ROOT_PRIVS;
+  }
+
   pr_signals_block();
 
   /* The only privilege we need is PRIV_NET_PRIVADDR (bind
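Review bot: The `session.uid == 0` branch replaces the configured flags rather than adding to them, so a PRIV_USE_SETID or PRIV_DROP_FILE_WRITE bit an administrator configured is silently ignored for root sessions; if root is meant to receive at least the PRIV_SOL_ROOT_PRIVS set, `priv_flags |= PRIV_SOL_ROOT_PRIVS;` keeps the configured bits as well. Separately, `int priv_flags = solaris_priv_flags;` copies an `unsigned int` (declared in the previous hunk's context) into a signed `int`; `unsigned int priv_flags = solaris_priv_flags;` matches the source type and the bit tests that follow. Because this is the one place where a uid-0 session's privileges diverge from configuration, a log line at this branch would make those sessions visible to anyone reviewing the privilege engine later. solaris_priv_post_pass continues past the end of this hunk.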
@@ -185,29 +196,29 @@
   priv_delset(p, PRIV_PROC_INFO);
   priv_delset(p, PRIV_PROC_SESSION);
 
-  if (solaris_priv_flags & PRIV_USE_SETID)
+  if (priv_flags & PRIV_USE_SETID)
     priv_addset(p, PRIV_PROC_SETID);
 
   /* Add any of the configurable privileges. */
-  if (solaris_priv_flags & PRIV_USE_FILE_CHOWN)
+  if (priv_flags & PRIV_USE_FILE_CHOWN)
     priv_addset(p, PRIV_FILE_CHOWN);
 
-  if (solaris_priv_flags & PRIV_USE_FILE_CHOWN_SELF)
+  if (priv_flags & PRIV_USE_FILE_CHOWN_SELF)
     priv_addset(p, PRIV_FILE_CHOWN_SELF);
 
-  if (solaris_priv_flags & PRIV_USE_DAC_READ)
+  if (priv_flags & PRIV_USE_DAC_READ)
     priv_addset(p, PRIV_FILE_DAC_READ);
 
-  if (solaris_priv_flags & PRIV_USE_DAC_WRITE)
+  if (priv_flags & PRIV_USE_DAC_WRITE)
     priv_addset(p, PRIV_FILE_DAC_WRITE);
 
-  if (solaris_priv_flags & PRIV_USE_DAC_SEARCH)
+  if (priv_flags & PRIV_USE_DAC_SEARCH)
     priv_addset(p, PRIV_FILE_DAC_SEARCH);
 
-  if (solaris_priv_flags & PRIV_USE_FILE_OWNER)
+  if (priv_flags & PRIV_USE_FILE_OWNER)
     priv_addset(p, PRIV_FILE_OWNER);
 
-  if (solaris_priv_flags & PRIV_DROP_FILE_WRITE)
+  if (priv_flags & PRIV_DROP_FILE_WRITE)
     priv_delset(p, PRIV_FILE_WRITE);
 
   res = setppriv(PRIV_SET, PRIV_PERMITTED, p);
@@ -247,51 +258,6 @@
     fn, "effective", strerror(errno));
 }
 
-MODRET solaris_priv_post_fail(cmd_rec *cmd) {
-  priv_set_t* effective_set = NULL;
-
-  if ((effective_set = priv_allocset()) == NULL) {
-    log_err_effective("priv_allocset");
-    goto out;
-  }
-
-  if (getppriv(PRIV_EFFECTIVE, effective_set) != 0) {
-    log_err_effective("getppriv");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_PROC_AUDIT) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_SYS_AUDIT) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_PROC_SETID) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_PROC_TASKID) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (setppriv(PRIV_SET, PRIV_EFFECTIVE, effective_set) != 0) {
-    log_err_effective("setppriv");
-    goto out;
-  }
-
-out:
-  if (effective_set != NULL)
-    priv_freeset(effective_set);
-
-  return PR_DECLINED(cmd);
-}
-
 /* Initialization routines
  */
 
@@ -414,7 +380,6 @@
 
 static cmdtable solaris_priv_cmdtab[] = {
   { POST_CMD, C_PASS, G_NONE, solaris_priv_post_pass, FALSE, FALSE },
-  { POST_CMD_ERR, C_PASS, G_NONE, solaris_priv_post_fail, FALSE, FALSE },
   { 0, NULL }
 };