README.capabilities

=======
mod_cap
=======

mod_cap provides support for the POSIX.1e security model. Without going into
gory detail, POSIX.1e basically specifies an interface to such goodies as
capabilities, capability sets, access control lists, mandatory access
control and much, much more. The end result of this security model allows
compliant systems and daemons to have very fine-grained control over what
operations are allowed by which services on the system.

Using these features allows a userland program to specifically drop
capabilities (which can be thought of as "privileges") which it does not
need. Once such capabilities are completely dropped, neither the userland
program nor any process it spawns will be allowed to perform privileged
operations, regardless of whether the program is running as root.
Essentially, this limits the power of root to only those specific functions
that are necessary, with the end effect of making the program much more
secure.

Additionally, a small library is included in contrib/: libcap. This library
provides the interface between mod_cap and the capability syscalls present
in Linux kernels. (Note that this library is simply a slightly modified
version of the libcap library which can be found at
ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/). Building
ProFTPD with the mod_cap module included (see below for instructions on how
to do this) will automatically build and link in the required libcap
library.

When ProFTPD runs with mod_cap installed, its operation changes
slightly:

  * The master proftpd process runs as normal, with full capabilities.

  * The child proftpd processes, the ones that handle FTP sessions, drop all
    capabilities, except for CAP_NET_BIND_SERVICE (which allows a process to
    bind to ports lower than 1024) and CAP_CHOWN (which allows a process to
    change a file's ownership), immediately after a client has authenticated.
    Additionally, switching back and forth between root privileges and the
    authenticated user's privileges is no longer possible.

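The drop described in the list above, as an added example that is not ProFTPD's or libcap's own code. It uses the raw Linux capget/capset syscalls (so it builds with only the kernel headers and no -lcap; ProFTPD's mod_cap itself goes through the libcap API), keeps exactly the two capabilities the README names, and shrinks the existing permitted set rather than asserting one, so it also behaves correctly when run as an unprivileged user. The names cap_mask, drop_all_caps_except and effective_caps_outside are assumptions of this example, not identifiers from the project.

```c
/* Added example (not ProFTPD's or libcap's code): drop every Linux
 * capability except an allow-list, as the README says the session child
 * does after authentication. Raw capget/capset syscalls, no libcap link. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* The two capabilities the README keeps: bind to ports below 1024 and
 * change file ownership. Everything else is dropped. */
static const int keep_caps[] = { CAP_NET_BIND_SERVICE, CAP_CHOWN };

/* Bitmask over capability numbers 0..31 (both kept caps live in this word;
 * CAP_CHOWN is 0 and CAP_NET_BIND_SERVICE is 10). */
uint32_t cap_mask(const int *caps, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++) {
        if (caps[i] >= 0 && caps[i] < 32)
            mask |= 1u << caps[i];
    }
    return mask;
}

/* Fetch this process's current capability sets (v3 layout: two words). */
static int read_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, 2 * sizeof data[0]);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* Drop every capability not in `keep`. A process may only shrink its sets,
 * so the new permitted set is (old permitted & mask): an unprivileged caller
 * that never held CAP_CHOWN simply ends up with nothing, which is the right
 * outcome rather than an EPERM. Returns 0 on success or -errno. */
int drop_all_caps_except(const int *keep, size_t n)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct cur[2], want[2];
    int rc = read_caps(cur);
    if (rc != 0)
        return rc;

    uint32_t mask = cap_mask(keep, n);
    memset(want, 0, sizeof want);
    want[0].permitted   = cur[0].permitted & mask;
    want[0].effective   = want[0].permitted;   /* usable right away */
    want[0].inheritable = 0;                   /* nothing survives exec */
    /* want[1] (capabilities 32..63) stays all-zero, i.e. dropped. */

    if (syscall(SYS_capset, &hdr, want) != 0)
        return -errno;
    return 0;
}

/* Post-condition check: effective capabilities outside `mask`.
 * After a successful drop this must be 0. */
uint32_t effective_caps_outside(uint32_t mask)
{
    struct __user_cap_data_struct cur[2];
    if (read_caps(cur) != 0)
        return UINT32_MAX;   /* sentinel: could not read the sets */
    return cur[0].effective & ~mask;
}

int main(void)
{
    size_t n = sizeof keep_caps / sizeof keep_caps[0];
    int rc = drop_all_caps_except(keep_caps, n);
    if (rc != 0) {
        fprintf(stderr, "capset failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("effective caps outside allow-list: 0x%08x\n",
           effective_caps_outside(cap_mask(keep_caps, n)));
    return 0;
}
```

Run it as root and the process is left with only the two listed capabilities; run it as a normal user and it succeeds with an empty set. The point the README makes about spawned processes holds for the inheritable set cleared here; a process that additionally wants to stop children from regaining privileges through setuid-root binaries would also have to prune the kernel's capability bounding set (prctl with PR_CAPBSET_DROP), which this example and the README do not cover.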
============
Installation
============

After unpacking the latest ProFTPD distribution, follow the normal steps for
using third-party modules with ProFTPD:

  ./configure --with-modules=mod_cap
  make
  make install