Mercurial Mercurial > upstream > oracle > userland-gate / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
20886490 proftpd can't open wtmpx after one login failure, doesn't register the ftp login
authorWilliam.D.Johnston <William.D.Johnston@oracle.com>
Sun, 12 Jul 2015 15:01:25 -0700
changeset 4634 a4940ac4947c
parent 4632 8152228598dc
child 4635 a9a24ad5e78c
20886490 proftpd can't open wtmpx after one login failure, doesn't register the ftp login 20717794 proftpd changes group ownership of file /etc/shadow after user login failure 19318572 root logins can't get all privilege when Solaris PrivilegeEngine enabled
components/proftpd/mod_solaris_audit.c file | annotate | diff | comparison | revisions
components/proftpd/mod_solaris_priv.c file | annotate | diff | comparison | revisions 
--- a/components/proftpd/mod_solaris_audit.c	Sat Jul 11 09:17:55 2015 -0700
+++ b/components/proftpd/mod_solaris_audit.c	Sun Jul 12 15:01:25 2015 -0700
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - FTP server daemon
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -282,6 +282,11 @@
     pr_log_pri(PR_LOG_ERR, "Auditing privilege initialization failed");
     return rval;
   }
+
+  (void) getppriv(PRIV_INHERITABLE, privset);
+  priv_addset(privset, PRIV_PROC_AUDIT);
+  (void) setppriv(PRIV_SET, PRIV_INHERITABLE, privset);
+
   (void) getppriv(PRIV_EFFECTIVE, privset);
   priv_addset(privset, PRIV_SYS_AUDIT);
   (void) setppriv(PRIV_SET, PRIV_EFFECTIVE, privset);
--- a/components/proftpd/mod_solaris_priv.c	Sat Jul 11 09:17:55 2015 -0700
+++ b/components/proftpd/mod_solaris_priv.c	Sun Jul 12 15:01:25 2015 -0700
@@ -2,7 +2,7 @@
  * ProFTPD - FTP server daemon
  * Copyright (c) 1997, 1998 Public Flood Software
  * Copyright (c) 2003-2010 The ProFTPD Project team
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -56,6 +56,11 @@
 #define	PRIV_USE_FILE_OWNER		0x0040
 #define	PRIV_DROP_FILE_WRITE		0x0080
 
+#define	PRIV_SOL_ROOT_PRIVS	\
+	(PRIV_USE_FILE_CHOWN | PRIV_USE_FILE_CHOWN_SELF | \
+	PRIV_USE_DAC_READ | PRIV_USE_DAC_WRITE | PRIV_USE_DAC_SEARCH | \
+	PRIV_USE_FILE_OWNER)
+
 static unsigned int solaris_priv_flags = 0;
 static unsigned char use_privs = TRUE;
 
@@ -145,12 +150,18 @@
  */
 MODRET solaris_priv_post_pass(cmd_rec *cmd) {
   int res = -1;
+  int priv_flags = solaris_priv_flags;
   priv_set_t *p = NULL;
   priv_set_t *i = NULL;
 
   if (!use_privs)
     return PR_DECLINED(cmd);
 
+  /* If we authenticated as root, we get all appropriate privs */
+  if (session.uid == 0) {
+    priv_flags = PRIV_SOL_ROOT_PRIVS;
+  }
+
   pr_signals_block();
 
   /* The only privilege we need is PRIV_NET_PRIVADDR (bind
@@ -185,29 +196,29 @@
   priv_delset(p, PRIV_PROC_INFO);
   priv_delset(p, PRIV_PROC_SESSION);
 
-  if (solaris_priv_flags & PRIV_USE_SETID)
+  if (priv_flags & PRIV_USE_SETID)
     priv_addset(p, PRIV_PROC_SETID);
 
   /* Add any of the configurable privileges. */
-  if (solaris_priv_flags & PRIV_USE_FILE_CHOWN)
+  if (priv_flags & PRIV_USE_FILE_CHOWN)
     priv_addset(p, PRIV_FILE_CHOWN);
 
-  if (solaris_priv_flags & PRIV_USE_FILE_CHOWN_SELF)
+  if (priv_flags & PRIV_USE_FILE_CHOWN_SELF)
     priv_addset(p, PRIV_FILE_CHOWN_SELF);
 
-  if (solaris_priv_flags & PRIV_USE_DAC_READ)
+  if (priv_flags & PRIV_USE_DAC_READ)
     priv_addset(p, PRIV_FILE_DAC_READ);
 
-  if (solaris_priv_flags & PRIV_USE_DAC_WRITE)
+  if (priv_flags & PRIV_USE_DAC_WRITE)
     priv_addset(p, PRIV_FILE_DAC_WRITE);
 
-  if (solaris_priv_flags & PRIV_USE_DAC_SEARCH)
+  if (priv_flags & PRIV_USE_DAC_SEARCH)
     priv_addset(p, PRIV_FILE_DAC_SEARCH);
 
-  if (solaris_priv_flags & PRIV_USE_FILE_OWNER)
+  if (priv_flags & PRIV_USE_FILE_OWNER)
     priv_addset(p, PRIV_FILE_OWNER);
 
-  if (solaris_priv_flags & PRIV_DROP_FILE_WRITE)
+  if (priv_flags & PRIV_DROP_FILE_WRITE)
     priv_delset(p, PRIV_FILE_WRITE);
 
   res = setppriv(PRIV_SET, PRIV_PERMITTED, p);
@@ -247,51 +258,6 @@
     fn, "effective", strerror(errno));
 }
 
-MODRET solaris_priv_post_fail(cmd_rec *cmd) {
-  priv_set_t* effective_set = NULL;
-
-  if ((effective_set = priv_allocset()) == NULL) {
-    log_err_effective("priv_allocset");
-    goto out;
-  }
-
-  if (getppriv(PRIV_EFFECTIVE, effective_set) != 0) {
-    log_err_effective("getppriv");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_PROC_AUDIT) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_SYS_AUDIT) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_PROC_SETID) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (priv_addset(effective_set, PRIV_PROC_TASKID) != 0) {
-    log_err_effective("priv_addset");
-    goto out;
-  }
-
-  if (setppriv(PRIV_SET, PRIV_EFFECTIVE, effective_set) != 0) {
-    log_err_effective("setppriv");
-    goto out;
-  }
-
-out:
-  if (effective_set != NULL)
-    priv_freeset(effective_set);
-
-  return PR_DECLINED(cmd);
-}
-
 /* Initialization routines
  */
 
@@ -414,7 +380,6 @@
 
 static cmdtable solaris_priv_cmdtab[] = {
   { POST_CMD, C_PASS, G_NONE, solaris_priv_post_pass, FALSE, FALSE },
-  { POST_CMD_ERR, C_PASS, G_NONE, solaris_priv_post_fail, FALSE, FALSE },
   { 0, NULL }
 };
upstream/oracle/userland-gate