From owner-freebsd-security@FreeBSD.ORG Mon Mar 30 14:25:46 2015
Date: Mon, 30 Mar 2015 17:25:43 +0300
From: Slawa Olhovchenkov
To: freebsd-security@freebsd.org
Subject: ftpd don't record login in utmpx
Message-ID: <20150330142543.GD74532@zxy.spb.ru>

ftpd from FreeBSD-10 and up doesn't record ftp logins to utmpx database
(for case of chrooted login).
This is a lack of security information.
I found this is done by r202209 and r202604.
I can't understand reason of this.
Can somebody explain?

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 00:08:57 2015
Date: Mon, 30 Mar 2015 20:08:49 -0400
From: Lowell Gilbert
To: Slawa Olhovchenkov
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd don't record login in utmpx
Message-ID: <44y4me9gfi.fsf@lowell-desk.lan>
In-Reply-To: <20150330142543.GD74532@zxy.spb.ru>

Slawa Olhovchenkov writes:

> ftpd from FreeBSD-10 and up doesn't record ftp logins to utmpx database
> (for case of chrooted login).
> This is a lack of security information.
> I found this is done by r202209 and r202604.
> I can't understand reason of this.
> Can somebody explain?

Having a jail log into the base system is a security issue in the making.
Can't you do this in a safer way by doing remote logging to the
base system rather than having the jail hold on to a file handle that
belongs outside the jail?

It's certainly possible to maintain these kinds of capabilities, but
you would have to convince code reviewers that the same results can't be
achieved some other way that's easier to secure.

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 03:44:12 2015
Date: Tue, 31 Mar 2015 06:44:02 +0300
From: Slawa Olhovchenkov
To: freebsd-security@freebsd.org
Subject: Re: ftpd don't record login in utmpx
Message-ID: <20150331034402.GE74532@zxy.spb.ru>
In-Reply-To: <44y4me9gfi.fsf@lowell-desk.lan>

On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:

> Slawa Olhovchenkov writes:
>
> > ftpd from FreeBSD-10 and up doesn't record ftp logins to utmpx database
> > (for case of chrooted login).
> > This is a lack of security information.
> > I found this is done by r202209 and r202604.
> > I can't understand reason of this.
> > Can somebody explain?
>
> Having a jail log into the base system is a security issue in the
> making. Can't you do this in a safer way by doing remote logging to the
> base system rather than having the jail hold on to a file handle that
> belongs outside the jail?

Jail? Why do you talk about jail?

> It's certainly possible to maintain these kinds of capabilities, but
> you would have to convince code reviewers that the same results can't be
> achieved some other way that's easier to secure.

Can you explain some more? I'm lost on the point.

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 08:09:13 2015
Date: Tue, 31 Mar 2015 10:09:00 +0200
From: Willem Jan Withagen
To: Slawa Olhovchenkov, freebsd-security@freebsd.org
Subject: Re: ftpd don't record login in utmpx
Message-ID: <551A561C.5000904@digiware.nl>
In-Reply-To: <20150331034402.GE74532@zxy.spb.ru>

On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
> On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov writes:
>>
>>> ftpd from FreeBSD-10 and up doesn't record ftp logins to utmpx database
>>> (for case of chrooted login).
>>> This is a lack of security information.
>>> I found this is done by r202209 and r202604.
>>> I can't understand reason of this.
>>> Can somebody explain?
>>
>> Having a jail log into the base system is a security issue in the
>> making. Can't you do this in a safer way by doing remote logging to the
>> base system rather than having the jail hold on to a file handle that
>> belongs outside the jail?
>
> Jail? Why do you talk about jail?
>
>> It's certainly possible to maintain these kinds of capabilities, but
>> you would have to convince code reviewers that the same results can't be
>> achieved some other way that's easier to secure.

I might have just too many miles on the clock already....

It used to be like this: to be able to do anything useful in a chroot,
you'd rebuild those parts of the system tree that you need in under the
chrootdir.
Eg. including ls(1) and all the libs it needed to function in ftpd.
Same for apaches that ran chrooted, you'd carry/duplicate all you needed
into the chroot env

So in this case you probably need
	${CHROOTDIR}/var/log
and create the database there.

A Jail is no different in that, other than that it does this by default
in some of the packages: eg. ezjail.

--WjW

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 08:44:29 2015
Date: Tue, 31 Mar 2015 11:44:26 +0300
From: Slawa Olhovchenkov
To: Willem Jan Withagen
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd don't record login in utmpx
Message-ID: <20150331084426.GX23643@zxy.spb.ru>
In-Reply-To: <551A561C.5000904@digiware.nl>

On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:

> On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
> > On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov writes:
> >>
> >>> ftpd from FreeBSD-10 and up doesn't record ftp logins to utmpx database
> >>> (for case of chrooted login).
> >>> This is a lack of security information.
> >>> I found this is done by r202209 and r202604.
> >>> I can't understand reason of this.
> >>> Can somebody explain?
> >>
> >> Having a jail log into the base system is a security issue in the
> >> making. Can't you do this in a safer way by doing remote logging to the
> >> base system rather than having the jail hold on to a file handle that
> >> belongs outside the jail?
> >
> > Jail? Why do you talk about jail?
> >
> >> It's certainly possible to maintain these kinds of capabilities, but
> >> you would have to convince code reviewers that the same results can't be
> >> achieved some other way that's easier to secure.
>
> I might have just too many miles on the clock already....
>
> It used to be like this: to be able to do anything useful in a chroot,
> you'd rebuild those parts of the system tree that you need in under the
> chrootdir.
> Eg. including ls(1) and all the libs it needed to function in ftpd.
> Same for apaches that ran chrooted, you'd carry/duplicate all you needed
> into the chroot env
>
> So in this case you probably need
> 	${CHROOTDIR}/var/log
> and create the database there.

I have many ftp accounts, that need to be isolated by ftp.
I need united database about login and logout.
FreeBSD 1.x-9.x do this.
Why was this removed in 10.x?

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 09:34:47 2015
Date: Tue, 31 Mar 2015 11:34:21 +0200
From: Willem Jan Withagen
To: Slawa Olhovchenkov
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd don't record login in utmpx
Message-ID: <551A6A1D.5030307@digiware.nl>
In-Reply-To: <20150331084426.GX23643@zxy.spb.ru>

On 31-3-2015 10:44, Slawa Olhovchenkov wrote:
> On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:
>
>> On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
>>> On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
>>>
>>>> Slawa Olhovchenkov writes:
>>>>
>>>>> ftpd from FreeBSD-10 and up doesn't record ftp logins to utmpx database
>>>>> (for case of chrooted login).
>>>>> This is a lack of security information.
>>>>> I found this is done by r202209 and r202604.
>>>>> I can't understand reason of this.
>>>>> Can somebody explain?
>>>>
>>>> Having a jail log into the base system is a security issue in the
>>>> making. Can't you do this in a safer way by doing remote logging to the
>>>> base system rather than having the jail hold on to a file handle that
>>>> belongs outside the jail?
>>>
>>> Jail? Why do you talk about jail?
>>>
>>>> It's certainly possible to maintain these kinds of capabilities, but
>>>> you would have to convince code reviewers that the same results can't be
>>>> achieved some other way that's easier to secure.
>>
>> I might have just too many miles on the clock already....
>>
>> It used to be like this: to be able to do anything useful in a chroot,
>> you'd rebuild those parts of the system tree that you need in under the
>> chrootdir.
>> Eg. including ls(1) and all the libs it needed to function in ftpd.
>> Same for apaches that ran chrooted, you'd carry/duplicate all you needed
>> into the chroot env
>>
>> So in this case you probably need
>> 	${CHROOTDIR}/var/log
>> and create the database there.
>
> I have many ftp accounts, that need to be isolated by ftp.
> I need united database about login and logout.
> FreeBSD 1.x-9.x do this.
> Why was this removed in 10.x?

Slawa,

I can't tell you that, but it is in r202209. And you can ask the one
that removed it (ed@). :)
Like r202209 says 5 years ago:
     Maybe we can address this in the future if it turns out to be a
     real issue.

Hasn't been an issue up till now, it seems.

But then there are many flavours of FTP server out there ATM, so freely
quoted from Andy Tanenbaum:
     If you don't like this version, get another one.

Or write a script that actually unites the output from either the
database and/or last(8).

--WjW

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 09:49:19 2015
Date: Tue, 31 Mar 2015 12:49:15 +0300
From: Slawa Olhovchenkov
To: Willem Jan Withagen
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd don't record login in utmpx
Message-ID: <20150331094915.GY23643@zxy.spb.ru>
In-Reply-To: <551A6A1D.5030307@digiware.nl>

On Tue, Mar 31, 2015 at 11:34:21AM +0200, Willem Jan Withagen wrote:

> On 31-3-2015 10:44, Slawa Olhovchenkov wrote:
> > On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:
> >
> >> On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
> >>> On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
> >>>
> >>>> Slawa Olhovchenkov writes:
> >>>>
> >>>>> ftpd from FreeBSD-10 and up doesn't record ftp logins to utmpx database
> >>>>> (for case of chrooted login).
> >>>>> This is a lack of security information.
> >>>>> I found this is done by r202209 and r202604.
> >>>>> I can't understand reason of this.
> >>>>> Can somebody explain?
> >>>>
> >>>> Having a jail log into the base system is a security issue in the
> >>>> making. Can't you do this in a safer way by doing remote logging to the
> >>>> base system rather than having the jail hold on to a file handle that
> >>>> belongs outside the jail?
> >>>
> >>> Jail? Why do you talk about jail?
> >>>
> >>>> It's certainly possible to maintain these kinds of capabilities, but
> >>>> you would have to convince code reviewers that the same results can't be
> >>>> achieved some other way that's easier to secure.
> >>
> >> I might have just too many miles on the clock already....
> >>
> >> It used to be like this: to be able to do anything useful in a chroot,
> >> you'd rebuild those parts of the system tree that you need in under the
> >> chrootdir.
> >> Eg. including ls(1) and all the libs it needed to function in ftpd.
> >> Same for apaches that ran chrooted, you'd carry/duplicate all you needed
> >> into the chroot env
> >>
> >> So in this case you probably need
> >> 	${CHROOTDIR}/var/log
> >> and create the database there.
> >
> > I have many ftp accounts, that need to be isolated by ftp.
> > I need united database about login and logout.
> > FreeBSD 1.x-9.x do this.
> > Why was this removed in 10.x?
>
> Slawa,
>
> I can't tell you that, but it is in r202209. And you can ask the one
> that removed it (ed@). :)
> Like r202209 says 5 years ago:
>      Maybe we can address this in the future if it turns out to be a
>      real issue.

What about issue talk?
Opened file outside chroot? /dev/null and /var/run/logpriv still opened.
Disabling logging for chrooted accounts? Really?!

> Hasn't been an issue up till now, it seems.
>
> But then there are many flavours of FTP server out there ATM, so freely
> quoted from Andy Tanenbaum:
>      If you don't like this version, get another one.

Now I only see removing old and working functionality w/o reasonable

> Or write a script that actually unites the output from either the
> database and/or last(8).

You kidding.
For this I need rearrange ALL ftp accounts. Change permissions. Create
hierarchy. Learn users.

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 10:28:23 2015
Date: Tue, 31 Mar 2015 12:28:04 +0200
From: Willem Jan Withagen
To: Slawa Olhovchenkov
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd don't record login in utmpx
Message-ID: <551A76B4.6050306@digiware.nl>
In-Reply-To: <20150331094915.GY23643@zxy.spb.ru>

On 31-3-2015 11:49, Slawa Olhovchenkov wrote:
> On Tue, Mar 31, 2015 at 11:34:21AM +0200, Willem Jan Withagen wrote:
>
>> On 31-3-2015 10:44, Slawa Olhovchenkov wrote:
>>> On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:
>>>
>>>> On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
>>>>> On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
>>>>>
>>>>>> Slawa Olhovchenkov writes:
>>>>>>
>>>>>>> ftpd from FreeBSD-10 and up doesn't record ftp logins to utmpx database
>>>>>>> (for case of chrooted login).
>>>>>>> This is a lack of security information.
>>>>>>> I found this is done by r202209 and r202604.
>>>>>>> I can't understand reason of this.
>>>>>>> Can somebody explain?
>>>>>>
>>>>>> Having a jail log into the base system is a security issue in the
>>>>>> making. Can't you do this in a safer way by doing remote logging to the
>>>>>> base system rather than having the jail hold on to a file handle that
>>>>>> belongs outside the jail?
>>>>>
>>>>> Jail? Why do you talk about jail?
>>>>>
>>>>>> It's certainly possible to maintain these kinds of capabilities, but
>>>>>> you would have to convince code reviewers that the same results can't be
>>>>>> achieved some other way that's easier to secure.
>>>>
>>>> I might have just too many miles on the clock already....
>>>>
>>>> It used to be like this: to be able to do anything useful in a chroot,
>>>> you'd rebuild those parts of the system tree that you need in under the
>>>> chrootdir.
>>>> Eg. including ls(1) and all the libs it needed to function in ftpd.
>>>> Same for apaches that ran chrooted, you'd carry/duplicate all you needed
>>>> into the chroot env
>>>>
>>>> So in this case you probably need
>>>> 	${CHROOTDIR}/var/log
>>>> and create the database there.
>>>
>>> I have many ftp accounts, that need to be isolated by ftp.
>>> I need united database about login and logout.
>>> FreeBSD 1.x-9.x do this.
>>> Why was this removed in 10.x?
>>
>> Slawa,
>>
>> I can't tell you that, but it is in r202209. And you can ask the one
>> that removed it (ed@). :)
>> Like r202209 says 5 years ago:
>>      Maybe we can address this in the future if it turns out to be a
>>      real issue.
>
> What about issue talk?
> Opened file outside chroot? /dev/null and /var/run/logpriv still opened.
> Disabling logging for chrooted accounts? Really?!

Read the submit message!? The reason is there, nothing with security as
I read it, but it just did not fit into the way the new lib for wtmp
worked/works.

Clearly you do not agree, but you are rather late to the party.

Could be that in the mean time code has been added to wtmp, and now you
can do it from inside a chroot? Perhaps ask ed@ or on hackers@??

>> Hasn't been an issue up till now, it seems.
>>
>> But then there are many flavours of FTP server out there ATM, so freely
>> quoted from Andy Tanenbaum:
>>      If you don't like this version, get another one.
>
> Now I only see removing old and working functionality w/o reasonable

Well that is only in your eyes.
wtmp moved (on) to a different way of storing the data. At that point
in time nobody had a problem with that.
And in 5 years you are the first one to be vocal about it.

>> Or write a script that actually unites the output from either the
>> database and/or last(8).
>
> You kidding.
> For this I need rearrange ALL ftp accounts. Change permissions. Create
> hierarchy. Learn users.

Well perhaps one of the other flavours of FTPDs suits your need better.

--WjW

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 11:02:19 2015
Date: Tue, 31 Mar 2015 14:02:15 +0300
From: Slawa Olhovchenkov
To: Willem Jan Withagen
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd don't record login in utmpx
Message-ID: <20150331110215.GZ23643@zxy.spb.ru>
In-Reply-To: <551A76B4.6050306@digiware.nl>

On Tue, Mar 31, 2015 at 12:28:04PM +0200, Willem Jan Withagen wrote:

> >> Slawa,
> >>
> >> I can't tell you that, but it is in r202209. And you can ask the one
> >> that removed it (ed@). :)
> >> Like r202209 says 5 years ago:
> >>      Maybe we can address this in the future if it turns out to be a
> >>      real issue.
> >
> > What about issue talk?
> > Opened file outside chroot? /dev/null and /var/run/logpriv still opened.
> > Disabling logging for chrooted accounts? Really?!
>
> Read the submit message!? The reason is there, nothing with security as
> I read it, but it just did not fit into the way the new lib for wtmp
> worked/works.

I read it. And I don't understand it. Maybe I don't know somewhere.
Or missed. Can you explain?

> Clearly you do not agree, but you are rather late to the party.
>
> Could be that in the mean time code has been added to wtmp, and now you
> can do it from inside a chroot? Perhaps ask ed@ or on hackers@??

First I am ask security@.
Logging login and logout -- security task.

> >> Hasn't been an issue up till now, it seems.
> >>
> >> But then there are many flavours of FTP server out there ATM, so freely
> >> quoted from Andy Tanenbaum:
> >>      If you don't like this version, get another one.
> >
> > Now I only see removing old and working functionality w/o reasonable
>
> Well that is only in your eyes. wtmp moved (on) to a different way of
> storing the data. At that point in time nobody had a problem with that.
> And in 5 years you are the first one to be vocal about it.

All others still using old version?

> >> Or write a script that actually unites the output from either the
> >> database and/or last(8).
> >
> > You kidding.
> > For this I need rearange ALL ftp acconts. Change permissions. Create > > hieararhie. Learn users. > > Well perhaps one of the other flavours of FTPDs suits your need better. I don't ask what I need do. I just ask why switch off logging. What issues may be happen? From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 12:47:26 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B6B1E4E2 for ; Tue, 31 Mar 2015 12:47:26 +0000 (UTC) Received: from smtp.digiware.nl (smtp.digiware.nl [31.223.170.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 449A2D5D for ; Tue, 31 Mar 2015 12:47:25 +0000 (UTC) Received: from rack1.digiware.nl (unknown [127.0.0.1]) by smtp.digiware.nl (Postfix) with ESMTP id 0522B16A402; Tue, 31 Mar 2015 14:47:23 +0200 (CEST) X-Virus-Scanned: amavisd-new at digiware.nl Received: from smtp.digiware.nl ([127.0.0.1]) by rack1.digiware.nl (rack1.digiware.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wNhFjxDuXi-N; Tue, 31 Mar 2015 14:47:13 +0200 (CEST) Received: from [192.168.101.198] (unknown [192.168.101.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.digiware.nl (Postfix) with ESMTPSA id E5F0B16A404; Tue, 31 Mar 2015 14:47:13 +0200 (CEST) Message-ID: <551A9759.2020004@digiware.nl> Date: Tue, 31 Mar 2015 14:47:21 +0200 From: Willem Jan Withagen User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: Slawa Olhovchenkov Subject: Re: ftpd don't record login in utmpx References: <20150330142543.GD74532@zxy.spb.ru> <44y4me9gfi.fsf@lowell-desk.lan> <20150331034402.GE74532@zxy.spb.ru> 
 <551A561C.5000904@digiware.nl> <20150331084426.GX23643@zxy.spb.ru> <551A6A1D.5030307@digiware.nl>
 <20150331094915.GY23643@zxy.spb.ru> <551A76B4.6050306@digiware.nl> <20150331110215.GZ23643@zxy.spb.ru>
In-Reply-To: <20150331110215.GZ23643@zxy.spb.ru>
Cc: freebsd-security@freebsd.org

On 31-3-2015 13:02, Slawa Olhovchenkov wrote:
> On Tue, Mar 31, 2015 at 12:28:04PM +0200, Willem Jan Withagen wrote:
>
>>>> Slawa,
>>>>
>>>> I can't tell you that, but it is in r202209. And you can ask the one
>>>> that removed it (ed@). :)
>>>> Like r202209 says 5 years ago:
>>>> Maybe we can address this in the future if it turns out to be a
>>>> real issue.
>>>
>>> What about issue talk?
>>> Opened file outside chroot? /dev/null and /var/run/logpriv still opened.
>>> Disabling logging for chrooted accounts? Really?!
>>
>> Read the submit message!? The reason is there, nothing with security as
>> I read it, but it just did not fit into the way the new lib for wtmp
>> worked/works.
>
> I read it. And I don't understand it. Maybe I don't know somewhere.
> Or missed. Can you explain?

In 9.0 the utmp stuff got rewritten, IIRC by Ed Schouten. But with the
consequence that the API changed. And now it is no longer possible
* to open a file at init,
* keep it open while chrooting.
* write records when needed.
The interface is just completely different.

Check:
man utempter_add_record

If you want the old behaviour, you have to dig into the code, and DIY.

>> Clearly you do not agree, but you are rather late to the party.
>>
>> Could be that in the mean time code has been added to wtmp, and now you
>> can do it from inside a chroot?
>> Perhaps ask ed@ or on hackers@??
>
> First I am ask security@.
> Logging login and logout -- security task.

Not quite IMHO ...
I'd consider security@ more of a thing where it involves things that are
related to things that can cause a security problem.
But then again I understand how you look at it.

>>>> Hasn't been an issue up till now, it seems.
>>>>
>>>> But then there are many flavours of FTP server out there ATM, so freely
>>>> quoted from Andy Tanenbaum:
>>>> If you don't like this version, get another one.
>>>
>>> Now I only see removing old and working functionality w/o reasonable
>>
>> Well that is only in your eyes. wtmp moved (on) to a different way of
>> storing the data. At that point in time nobody had a problem with that.
>> And in 5 years you are the first one to be vocal about it.
>
> All others still using old version?

Or they don't care about the log.

>
>>>> Or write a script that actually unites the output from either the
>>>> database and/or last(8).
>>>
>>> You kidding.
>>> For this I need rearrange ALL ftp accounts. Change permissions. Create
>>> hierarchy. Learn users.
>>
>> Well perhaps one of the other flavours of FTPDs suits your need better.
>
> I don't ask what I need do.
> I just ask why switch off logging.
> What issues may be happen?

That is not the nice way to answer.
I'm trying to explain why you have this problem. And as a mere
suggestion I offered the insight that there are other FTPDs.

Bluntly put: I don't think anybody is going to fix YOUR problem. If only
because in 5 years time nobody had an issue with it.

Regards,
--WjW

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 13:00:21 2015
Date: Tue, 31 Mar 2015 16:00:18 +0300
From: Slawa Olhovchenkov
To: Willem Jan Withagen
Subject: Re: ftpd don't record login in utmpx
Message-ID: <20150331130018.GA23643@zxy.spb.ru>
References: <20150330142543.GD74532@zxy.spb.ru> <44y4me9gfi.fsf@lowell-desk.lan> <20150331034402.GE74532@zxy.spb.ru>
 <551A561C.5000904@digiware.nl> <20150331084426.GX23643@zxy.spb.ru> <551A6A1D.5030307@digiware.nl>
 <20150331094915.GY23643@zxy.spb.ru> <551A76B4.6050306@digiware.nl> <20150331110215.GZ23643@zxy.spb.ru>
 <551A9759.2020004@digiware.nl>
In-Reply-To: <551A9759.2020004@digiware.nl>
Cc: freebsd-security@freebsd.org

On Tue, Mar 31, 2015 at 02:47:21PM +0200, Willem Jan Withagen
wrote:

> On 31-3-2015 13:02, Slawa Olhovchenkov wrote:
> > On Tue, Mar 31, 2015 at 12:28:04PM +0200, Willem Jan Withagen wrote:
> >
> >>>> Slawa,
> >>>>
> >>>> I can't tell you that, but it is in r202209. And you can ask the one
> >>>> that removed it (ed@). :)
> >>>> Like r202209 says 5 years ago:
> >>>> Maybe we can address this in the future if it turns out to be a
> >>>> real issue.
> >>>
> >>> What about issue talk?
> >>> Opened file outside chroot? /dev/null and /var/run/logpriv still opened.
> >>> Disabling logging for chrooted accounts? Really?!
> >>
> >> Read the submit message!? The reason is there, nothing with security as
> >> I read it, but it just did not fit into the way the new lib for wtmp
> >> worked/works.
> >
> > I read it. And I don't understand it. Maybe I don't know somewhere.
> > Or missed. Can you explain?
>
> In 9.0 the utmp stuff got rewritten, IIRC by Ed Schouten. But with the
> consequence that the API changed. And now it is no longer possible
> * to open a file at init,
> * keep it open while chrooting.
> * write records when needed.
> The interface is just completely different.
>
> Check:
> man utempter_add_record
>
> If you want the old behaviour, you have to dig into the code, and DIY.

I understand, thanks.

>
> Bluntly put: I don't think anybody is going to fix YOUR problem. If only
> because in 5 years time nobody had an issue with it.

Now I see root of problem.
I can choose what do: patch ftpd, do nothing or something else.

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 13:25:10 2015
Message-ID: <551A9E01.90503@digiware.nl>
Date: Tue, 31 Mar 2015 15:15:45 +0200
From: Willem Jan Withagen
To: Slawa Olhovchenkov
Subject: Re: ftpd don't record login in utmpx
References: <20150330142543.GD74532@zxy.spb.ru> <44y4me9gfi.fsf@lowell-desk.lan> <20150331034402.GE74532@zxy.spb.ru>
 <551A561C.5000904@digiware.nl> <20150331084426.GX23643@zxy.spb.ru> <551A6A1D.5030307@digiware.nl>
 <20150331094915.GY23643@zxy.spb.ru> <551A76B4.6050306@digiware.nl> <20150331110215.GZ23643@zxy.spb.ru>
 <551A9759.2020004@digiware.nl> <20150331130018.GA23643@zxy.spb.ru>
In-Reply-To:
 <20150331130018.GA23643@zxy.spb.ru>
Cc: freebsd-security@freebsd.org

On 31-3-2015 15:00, Slawa Olhovchenkov wrote:
>> Check:
>> man utempter_add_record
>>
>> If you want the old behaviour, you have to dig into the code, and DIY.
>
> I understand, thanks.
>
>>
>> Bluntly put: I don't think anybody is going to fix YOUR problem. If only
>> because in 5 years time nobody had an issue with it.
>
> Now I see root of problem.
> I can choose what do: patch ftpd, do nothing or something else.

Sort of sorry, but yes.

And then those are the 3 options with every piece of open source
software. Whereas with closed software, option 1 would be a no-go.

--WjW

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 13:31:15 2015
Date: Tue, 31 Mar 2015 16:31:13 +0300
From: Slawa Olhovchenkov
To: Willem Jan Withagen
Subject: Re: ftpd don't record login in utmpx
Message-ID: <20150331133112.GB23643@zxy.spb.ru>
References:
 <20150331034402.GE74532@zxy.spb.ru> <551A561C.5000904@digiware.nl> <20150331084426.GX23643@zxy.spb.ru>
 <551A6A1D.5030307@digiware.nl> <20150331094915.GY23643@zxy.spb.ru> <551A76B4.6050306@digiware.nl>
 <20150331110215.GZ23643@zxy.spb.ru> <551A9759.2020004@digiware.nl> <20150331130018.GA23643@zxy.spb.ru>
 <551A9E01.90503@digiware.nl>
In-Reply-To: <551A9E01.90503@digiware.nl>
Cc: freebsd-security@freebsd.org

On Tue, Mar 31, 2015 at 03:15:45PM +0200, Willem Jan Withagen wrote:

> On 31-3-2015 15:00, Slawa Olhovchenkov wrote:
>
> >> Check:
> >> man utempter_add_record
> >>
> >> If you want the old behaviour, you have to dig into the code, and DIY.
> >
> > I understand, thanks.
> >
> >>
> >> Bluntly put: I don't think anybody is going to fix YOUR problem. If only
> >> because in 5 years time nobody had an issue with it.
> >
> > Now I see root of problem.
> > I can choose what do: patch ftpd, do nothing or something else.
>
> Sort of sorry, but yes.
>
> And then those are the 3 options with every piece of open source
> software. Whereas with closed software, option 1 would be a no-go.

I know what is open source software.
I know what different with closed software.
I am don't ask about this.
And I am don't ask what I need do.
I just ask about cause of behaviors changed -- commit messages not
clearly explain this.

Thanks again, you clearly explain root cause.

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 19:37:24 2015
From: Lowell Gilbert
To: Slawa Olhovchenkov
Subject: Re: ftpd don't record login in utmpx
References: <20150330142543.GD74532@zxy.spb.ru> <44y4me9gfi.fsf@lowell-desk.lan> <20150331034402.GE74532@zxy.spb.ru>
Date: Tue, 31 Mar 2015 15:37:22 -0400
In-Reply-To: <20150331034402.GE74532@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 31 Mar 2015 06:44:02 +0300")
Message-ID: <44oan9t0ul.fsf@be-well.ilk.org>
Cc: freebsd-security@freebsd.org

Slawa Olhovchenkov writes:

> On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov writes:
>>
>> > ftpd from FreeBSD-10 and up don't record ftp logins to utmpx database
>> > (for case of chrooted login).
>> > This is lack security information.
>> > I found this is done by r202209 and r202604.
>> > I can't understand reason of this.
>> > Can somebody explain?
>>
>> Having a jail log into the base system is a security issue in the
>> making.
>> Can't you do this in a safer way by doing remote logging to the
>> base system rather than having the jail hold on to a file handle that
>> belongs outside the jail?
>
> Jail? Why I you talk about jail?

Because the principle is the same for any method of imprisoning a
process inside a particular file tree, whether it be chroot(8) or
jail(8) or a virtualized machine. The principle is: don't give the
imprisoned process access to any resources outside of its prison.

>> It's certainly possible to maintain these kinds of capabilities, but
>> you would have to convince code reviewers that the same results can't be
>> achieved some other way that's easier to secure.
>
> Can you explain some more?
> A im lost point.

You can always try to limit the ways that direct access outside the
chroot (et al.) can be used (or abused). However, it is much easier to
make sure that there are no ways to break out of the chroot if the
direct access does not exist in the first place.

From owner-freebsd-security@FreeBSD.ORG Tue Mar 31 21:16:13 2015
From: Lowell Gilbert
To: Slawa Olhovchenkov
Subject: Re: ftpd don't record login in utmpx
References: <20150330142543.GD74532@zxy.spb.ru> <44y4me9gfi.fsf@lowell-desk.lan> <20150331034402.GE74532@zxy.spb.ru>
 <551A561C.5000904@digiware.nl> <20150331084426.GX23643@zxy.spb.ru> <551A6A1D.5030307@digiware.nl>
 <20150331094915.GY23643@zxy.spb.ru> <551A76B4.6050306@digiware.nl>
 <20150331110215.GZ23643@zxy.spb.ru>
Reply-To: freebsd-security@freebsd.org
Date: Tue, 31 Mar 2015 17:16:11 -0400
In-Reply-To: <20150331110215.GZ23643@zxy.spb.ru> (Slawa Olhovchenkov's message of "Tue, 31 Mar 2015 14:02:15 +0300")
Message-ID: <44k2xwuauc.fsf@be-well.ilk.org>
Cc: freebsd-security@freebsd.org

Slawa Olhovchenkov writes:

> On Tue, Mar 31, 2015 at 12:28:04PM +0200, Willem Jan Withagen wrote:
>> Well that is only in your eyes. wtmp moved (on) to a different way of
>> storing the data. At that point in time nobody had a problem with that.
>> And in 5 years you are the first one to be vocal about it.
>
> All others still using old version?

No. Quite the opposite.

My guess is that this feature was *never* very widely used. All of the
information that it provides can be sent to the system logs instead.
And if you want more user-based information, many types are *only*
available on the system log. As a bonus, better management and analysis
tools are available for system log formats.

> I don't ask what I need do.
> I just ask why switch off logging.

FTP logging did not get turned off. FTP logging from inside of a chroot
to outside of a chroot got turned off.

As for why this happened, the answer is that the procedure you used to
use depended on a feature of wtmp. Eventually, wtmp was replaced by
utmpx to support unrelated new features. This meant that ftpd could no
longer modify wtmp files, because there no longer *are* any wtmp files.

As a final note, I'll point out that in principle, it's possible to
implement this feature in a more reasonable way.
That involves having a separate privileged task to handle closing
sessions. Some alternative FTP daemons are able to do this, but they
generally suggest turning it off because it increases resource usage by
quite a bit.

From owner-freebsd-security@FreeBSD.ORG Fri Apr 3 12:45:48 2015
Message-ID: <551E8B6A.5030203@FreeBSD.org>
Date: Fri, 03 Apr 2015 15:45:30 +0300
From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Organization: FreeBSD
To: freebsd-security@freebsd.org
Subject: =?UTF-8?B?RW5jcnlwdGVkIHVzZXIgaG9tZSBkaXJzIHdpdGggTkZTL1NNQi9sb2M=?=
 =?UTF-8?B?YWwgKHNzaCBhbmQgdHJ1ZSBsb2NhbCkgYWNjZXNzIHdpdGhvdXQgYWRkaXRpb24=?=
 =?UTF-8?B?YWwgcGFzc3dvcmRzIOKAlCBpcyBpdCBwb3NzaWJsZT8=?=

I want to encrypt home dirs on multiuser server.
Some users use it with "ssh", other users mount home dirs to Windows
with samba (3.x, but I could migrate to 4.x) and never login with
ssh/locally, some home dirs are mounted to other FreeBSD system via NFS.

So, overlay FS with per-file encryption is not a solution, as SMB-only
users could not call "mount" and enter password. Full-disk encryption is
not a solution too, as "root" could read all files in such case, as here
is no encryption at all.

Is it possible at all?

--
// Lev Serebryakov
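
The ftpd thread above ends with Lowell Gilbert's note that a separate privileged task could write the session records on behalf of a chrooted worker. The following C program is an added example of that split, not code from FreeBSD's ftpd or from any poster: the message layout, the function names and the host value `client.example` are assumptions, and only the `<utmpx.h>` calls are real library API.

```c
#include <ctype.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>
#include <utmpx.h>

/* Hypothetical wire format (not ftpd's): all the confined worker may send. */
enum { EV_LOGIN = 1, EV_LOGOUT = 2 };
struct session_msg { int event; char user[32]; };

/* Monitor side: the worker is untrusted, so the message is checked. */
int msg_valid(const struct session_msg *m)
{
    size_t len = strnlen(m->user, sizeof m->user);
    if (m->event == EV_LOGOUT)
        return 1;                        /* user is ignored on logout */
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)m->user[i]))
            return 0;                    /* keep control bytes out of the log */
    return m->event == EV_LOGIN && len > 0 && len < sizeof m->user;
}

/* Built by the monitor: pid and host are its own knowledge, not the worker's. */
void msg_to_utmpx(const struct session_msg *m, pid_t worker, const char *host,
                  struct utmpx *ut)
{
    struct timeval now;
    size_t idn = sizeof worker < sizeof ut->ut_id ? sizeof worker : sizeof ut->ut_id;
    memset(ut, 0, sizeof *ut);
    gettimeofday(&now, NULL);
    ut->ut_type = m->event == EV_LOGIN ? USER_PROCESS : DEAD_PROCESS;
    ut->ut_pid = worker;
    ut->ut_tv.tv_sec = now.tv_sec; ut->ut_tv.tv_usec = now.tv_usec;
    memcpy(ut->ut_id, &worker, idn);     /* opaque per-session id */
    strncpy(ut->ut_line, "ftpd", sizeof ut->ut_line);
    if (m->event == EV_LOGIN) {
        strncpy(ut->ut_user, m->user, sizeof ut->ut_user);
        strncpy(ut->ut_host, host, sizeof ut->ut_host);
    }
}

/* Fork a worker that confines itself (chroot needs privilege; a real daemon
 * then also drops root). Returns records accepted, or -1 on setup error. */
int run_session(const char *root, const char *user, int commit)
{
    struct session_msg m = { .event = EV_LOGIN };
    struct utmpx ut;
    int sv[2], accepted = 0;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if ((pid = fork()) == 0) {           /* worker: holds only sv[1] */
        close(sv[0]);
        if (root != NULL && (chroot(root) != 0 || chdir("/") != 0))
            _exit(1);
        strncpy(m.user, user, sizeof m.user - 1);
        send(sv[1], &m, sizeof m, 0);    /* login */
        m.event = EV_LOGOUT;
        send(sv[1], &m, sizeof m, 0);    /* logout */
        _exit(0);
    }
    close(sv[1]);
    while (pid > 0 && recv(sv[0], &m, sizeof m, MSG_WAITALL) == (ssize_t)sizeof m) {
        if (!msg_valid(&m))
            continue;                    /* rejected: nothing is written */
        msg_to_utmpx(&m, pid, "client.example", &ut);   /* constructed host */
        if (commit)
            pututxline(&ut);             /* runs outside the chroot */
        accepted++;
    }
    close(sv[0]);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return pid > 0 ? accepted : -1;
}

int main(void) { return run_session(NULL, "alice", 0) == 2 ? 0 : 1; }
```

Passing a directory as `root` and a non-zero `commit` requires running as root; with `NULL` and `0` the program exercises only the message path between worker and monitor.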