Date:      Mon, 30 Mar 2015 20:08:49 -0400
From:      Lowell Gilbert <freebsd-security-local@be-well.ilk.org>
To:        Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ftpd don't record login in utmpx
Message-ID:  <44y4me9gfi.fsf@lowell-desk.lan>
In-Reply-To: <20150330142543.GD74532@zxy.spb.ru> (Slawa Olhovchenkov's message of "Mon, 30 Mar 2015 17:25:43 +0300")
References:  <20150330142543.GD74532@zxy.spb.ru>

Slawa Olhovchenkov <slw@zxy.spb.ru> writes:

> ftpd from FreeBSD-10 and up doesn't record ftp logins to the utmpx database
> (for the case of a chrooted login).
> This is a lack of security information.
> I found this is done by r202209 and r202604.
> I can't understand the reason for this.
> Can somebody explain?

Having a jail log into the base system is a security issue in the
making. Can't you do this in a safer way by doing remote logging to the
base system rather than having the jail hold on to a file handle that
belongs outside the jail?

It's certainly possible to maintain these kinds of capabilities, but
you would have to convince code reviewers that the same results can't be
achieved some other way that's easier to secure.


