Re: proftpd TLS
On Tuesday 19 May 2009 21:18:48 alexus wrote:
> On Tue, May 19, 2009 at 2:26 PM, Mehul Ved mehul.n@gmail.com wrote:
> > On Tue, May 19, 2009 at 11:14 PM, alexus ale...@gmail.com wrote:
> > > i start it as a root, but it switches to non-root
> > >
> > > nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)
> >
> > Check the value for 'user' in proftpd.conf. It will be nobody. Change it to root.
> >
> > --
> > Dyslexics have more fnu. - http://kingsly.net/tmp/fortune.php/1242364116
>
> wouldn't it sort of make it more risky in terms of security to run ftpd as root vs nobody? in general daemons do not run as root and that's for a reason..

Yes, don't do it. Is proftpd started as root? Then this shouldn't occur, although a forum post[1] suggests that mod_cap can fiddle with this.

[1] http://forums.proftpd.org/smf/index.php?topic=1315.0
--
Mel
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: proftpd TLS
On Wed, May 20, 2009 at 7:46 AM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:
> On Tuesday 19 May 2009 21:18:48 alexus wrote:
> > On Tue, May 19, 2009 at 2:26 PM, Mehul Ved mehul.n@gmail.com wrote:
> > > On Tue, May 19, 2009 at 11:14 PM, alexus ale...@gmail.com wrote:
> > > > i start it as a root, but it switches to non-root
> > > >
> > > > nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)
> > >
> > > Check the value for 'user' in proftpd.conf. It will be nobody. Change it to root.
> > >
> > > --
> > > Dyslexics have more fnu. - http://kingsly.net/tmp/fortune.php/1242364116
> >
> > wouldn't it sort of make it more risky in terms of security to run ftpd as root vs nobody? in general daemons do not run as root and that's for a reason..
>
> Yes, don't do it. Is proftpd started as root? Then this shouldn't occur, although a forum post[1] suggests that mod_cap can fiddle with this.
>
> [1] http://forums.proftpd.org/smf/index.php?topic=1315.0
> --
> Mel

if i set User in proftpd.conf to root, then it runs as a root

the other thing is mod_cap has something to do with Linux compatibility w/ POSIX

I run FreeBSD...

--
http://alexus.org/
Re: proftpd TLS
On Wed, May 20, 2009 at 10:13 AM, alexus ale...@gmail.com wrote:
> On Wed, May 20, 2009 at 7:46 AM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:
> > On Tuesday 19 May 2009 21:18:48 alexus wrote:
> > > On Tue, May 19, 2009 at 2:26 PM, Mehul Ved mehul.n@gmail.com wrote:
> > > > On Tue, May 19, 2009 at 11:14 PM, alexus ale...@gmail.com wrote:
> > > > > i start it as a root, but it switches to non-root
> > > > >
> > > > > nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)
> > > >
> > > > Check the value for 'user' in proftpd.conf. It will be nobody. Change it to root.
> > > >
> > > > --
> > > > Dyslexics have more fnu. - http://kingsly.net/tmp/fortune.php/1242364116
> > >
> > > wouldn't it sort of make it more risky in terms of security to run ftpd as root vs nobody? in general daemons do not run as root and that's for a reason..
> >
> > Yes, don't do it. Is proftpd started as root? Then this shouldn't occur, although a forum post[1] suggests that mod_cap can fiddle with this.
> >
> > [1] http://forums.proftpd.org/smf/index.php?topic=1315.0
> > --
> > Mel
>
> if i set User in proftpd.conf to root, then it runs as a root
>
> the other thing is mod_cap has something to do with Linux compatibility w/ POSIX
>
> I run FreeBSD...
>
> --
> http://alexus.org/

for test purposes i set it to root, but even with that i'm unable to connect to ftp and my tls.log says the following

May 20 10:16:58 mod_tls/2.2.1[41536]: error locking passphrase into memory: Operation not permitted
May 20 10:16:58 mod_tls/2.2.1[41536]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 20 10:16:58 mod_tls/2.2.1[41536]: TLS/TLS-C requested, starting TLS handshake
May 20 10:17:01 mod_tls/2.2.1[41536]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 20 10:17:01 mod_tls/2.2.1[41536]: Protection set to Private

and it hangs...

--
http://alexus.org/
Re: proftpd TLS
On Wed, May 20, 2009 at 10:18 AM, alexus ale...@gmail.com wrote:
> On Wed, May 20, 2009 at 10:13 AM, alexus ale...@gmail.com wrote:
> > On Wed, May 20, 2009 at 7:46 AM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:
> > > On Tuesday 19 May 2009 21:18:48 alexus wrote:
> > > > On Tue, May 19, 2009 at 2:26 PM, Mehul Ved mehul.n@gmail.com wrote:
> > > > > On Tue, May 19, 2009 at 11:14 PM, alexus ale...@gmail.com wrote:
> > > > > > i start it as a root, but it switches to non-root
> > > > > >
> > > > > > nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)
> > > > >
> > > > > Check the value for 'user' in proftpd.conf. It will be nobody. Change it to root.
> > > > >
> > > > > --
> > > > > Dyslexics have more fnu. - http://kingsly.net/tmp/fortune.php/1242364116
> > > >
> > > > wouldn't it sort of make it more risky in terms of security to run ftpd as root vs nobody? in general daemons do not run as root and that's for a reason..
> > >
> > > Yes, don't do it. Is proftpd started as root? Then this shouldn't occur, although a forum post[1] suggests that mod_cap can fiddle with this.
> > >
> > > [1] http://forums.proftpd.org/smf/index.php?topic=1315.0
> > > --
> > > Mel
> >
> > if i set User in proftpd.conf to root, then it runs as a root
> >
> > the other thing is mod_cap has something to do with Linux compatibility w/ POSIX
> >
> > I run FreeBSD...
> >
> > --
> > http://alexus.org/
>
> for test purposes i set it to root, but even with that i'm unable to connect to ftp and my tls.log says the following
>
> May 20 10:16:58 mod_tls/2.2.1[41536]: error locking passphrase into memory: Operation not permitted
> May 20 10:16:58 mod_tls/2.2.1[41536]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
> May 20 10:16:58 mod_tls/2.2.1[41536]: TLS/TLS-C requested, starting TLS handshake
> May 20 10:17:01 mod_tls/2.2.1[41536]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
> May 20 10:17:01 mod_tls/2.2.1[41536]: Protection set to Private
>
> and it hangs...
>
> --
> http://alexus.org/

actually, I take it back, I can connect even though I'm seeing this message

error locking passphrase into memory: Operation not permitted

but i guess my main concern is not to run it as root now

--
http://alexus.org/
Re: proftpd TLS
On Wednesday 20 May 2009 16:13:15 alexus wrote:
> On Wed, May 20, 2009 at 7:46 AM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:
> > On Tuesday 19 May 2009 21:18:48 alexus wrote:
> > > On Tue, May 19, 2009 at 2:26 PM, Mehul Ved mehul.n@gmail.com wrote:
> > > > On Tue, May 19, 2009 at 11:14 PM, alexus ale...@gmail.com wrote:
> > > > > i start it as a root, but it switches to non-root
> > > > >
> > > > > nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)
> > > >
> > > > Check the value for 'user' in proftpd.conf. It will be nobody. Change it to root.
> > > >
> > > > --
> > > > Dyslexics have more fnu. - http://kingsly.net/tmp/fortune.php/1242364116
> > >
> > > wouldn't it sort of make it more risky in terms of security to run ftpd as root vs nobody? in general daemons do not run as root and that's for a reason..
> >
> > Yes, don't do it. Is proftpd started as root? Then this shouldn't occur, although a forum post[1] suggests that mod_cap can fiddle with this.
> >
> > [1] http://forums.proftpd.org/smf/index.php?topic=1315.0
> > --
> > Mel
>
> if i set User in proftpd.conf to root, then it runs as a root

I said *start* as root. Theoretically, the pass phrase part for your certificate comes before dropping privileges. But maybe there's a bug in the code. Is proftpd running jailed or not?
--
Mel
Re: proftpd TLS
On Wed, May 20, 2009 at 10:47 AM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:
> On Wednesday 20 May 2009 16:13:15 alexus wrote:
> > On Wed, May 20, 2009 at 7:46 AM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:
> > > On Tuesday 19 May 2009 21:18:48 alexus wrote:
> > > > On Tue, May 19, 2009 at 2:26 PM, Mehul Ved mehul.n@gmail.com wrote:
> > > > > On Tue, May 19, 2009 at 11:14 PM, alexus ale...@gmail.com wrote:
> > > > > > i start it as a root, but it switches to non-root
> > > > > >
> > > > > > nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)
> > > > >
> > > > > Check the value for 'user' in proftpd.conf. It will be nobody. Change it to root.
> > > > >
> > > > > --
> > > > > Dyslexics have more fnu. - http://kingsly.net/tmp/fortune.php/1242364116
> > > >
> > > > wouldn't it sort of make it more risky in terms of security to run ftpd as root vs nobody? in general daemons do not run as root and that's for a reason..
> > >
> > > Yes, don't do it. Is proftpd started as root? Then this shouldn't occur, although a forum post[1] suggests that mod_cap can fiddle with this.
> > >
> > > [1] http://forums.proftpd.org/smf/index.php?topic=1315.0
> > > --
> > > Mel
> >
> > if i set User in proftpd.conf to root, then it runs as a root
>
> I said *start* as root. Theoretically, the pass phrase part for your certificate comes before dropping privileges. But maybe there's a bug in the code. Is proftpd running jailed or not?
> --
> Mel

yes, proftpd runs inside of jail

--
http://alexus.org/
Re: proftpd TLS
On Wed, May 20, 2009 at 4:57 PM, alexus ale...@gmail.com wrote:
> On Wed, May 20, 2009 at 10:47 AM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:
> > On Wednesday 20 May 2009 16:13:15 alexus wrote:
> > > On Wed, May 20, 2009 at 7:46 AM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:
> > > > On Tuesday 19 May 2009 21:18:48 alexus wrote:
> > > > > On Tue, May 19, 2009 at 2:26 PM, Mehul Ved mehul.n@gmail.com wrote:
> > > > > > On Tue, May 19, 2009 at 11:14 PM, alexus ale...@gmail.com wrote:
> > > > > > > i start it as a root, but it switches to non-root
> > > > > > >
> > > > > > > nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)
> > > > > >
> > > > > > Check the value for 'user' in proftpd.conf. It will be nobody. Change it to root.
> > > > > >
> > > > > > --
> > > > > > Dyslexics have more fnu. - http://kingsly.net/tmp/fortune.php/1242364116
> > > > >
> > > > > wouldn't it sort of make it more risky in terms of security to run ftpd as root vs nobody? in general daemons do not run as root and that's for a reason..
> > > >
> > > > Yes, don't do it. Is proftpd started as root? Then this shouldn't occur, although a forum post[1] suggests that mod_cap can fiddle with this.
> > > >
> > > > [1] http://forums.proftpd.org/smf/index.php?topic=1315.0
> > > > --
> > > > Mel
> > >
> > > if i set User in proftpd.conf to root, then it runs as a root
> >
> > I said *start* as root. Theoretically, the pass phrase part for your certificate comes before dropping privileges. But maybe there's a bug in the code. Is proftpd running jailed or not?
> > --
> > Mel
>
> yes, proftpd runs inside of jail
>
> --
> http://alexus.org/

this is proftpd started as root, then it switches to nobody

nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)

SsJ = J means jail

--
http://alexus.org/
Re: proftpd TLS
alexus ale...@gmail.com wrote:
> ...
> i guess my main concern is not to run it as root now

AFAIK it is normal for a daemon to run as root if it expects to receive login credentials:

* For any but the most minimal authentication scheme, it must be root to authenticate the credentials. (A scheme which enables an untrusted program to authenticate login credentials is vulnerable to brute-force attacks.)

* Regardless of the authentication scheme, it must be root in order to assume the identity of the newly logged in user.
Re: proftpd TLS
On Wed, May 20, 2009 at 5:43 PM, per...@pluto.rain.com wrote:
> alexus ale...@gmail.com wrote:
> > ...
> > i guess my main concern is not to run it as root now
>
> AFAIK it is normal for a daemon to run as root if it expects to receive login credentials:
>
> * For any but the most minimal authentication scheme, it must be root to authenticate the credentials. (A scheme which enables an untrusted program to authenticate login credentials is vulnerable to brute-force attacks.)
>
> * Regardless of the authentication scheme, it must be root in order to assume the identity of the newly logged in user.

all my users are virtual users to begin with, so that's not really a concern, but i'd like to keep it running as non root, that's for sure

--
http://alexus.org/
Re: proftpd TLS
On Mon, May 18, 2009 at 8:16 AM, Nikos Vassiliadis nvass9...@gmx.com wrote:
> alexus wrote:
> > i just enabled TLS for my proftpd and in tls.log I'm getting the following messages
> >
> > mod_tls/2.2.1[45739]: error locking passphrase into memory: Operation not permitted
> > mod_tls/2.2.1[45739]: TLS/TLS-C requested, starting TLS handshake
>
> From the error message, I can suspect that proftpd tries to use mlock(2) to lock some page in physical memory. That's typical behavior with programs dealing with sensitive data, such as passwords. The mlock system call can only be used by the superuser. Is proftpd running with superuser privileges?
>
> Nikos

i start it as a root, but it switches to non-root

nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)

--
http://alexus.org/
Re: proftpd TLS
On Tue, May 19, 2009 at 11:14 PM, alexus ale...@gmail.com wrote:
> i start it as a root, but it switches to non-root
>
> nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)

Check the value for 'user' in proftpd.conf. It will be nobody. Change it to root.

--
Dyslexics have more fnu. - http://kingsly.net/tmp/fortune.php/1242364116
Re: proftpd TLS
On Tue, May 19, 2009 at 2:26 PM, Mehul Ved mehul.n@gmail.com wrote:
> On Tue, May 19, 2009 at 11:14 PM, alexus ale...@gmail.com wrote:
> > i start it as a root, but it switches to non-root
> >
> > nobody 52346 0.0 0.1 11820 4208 ?? SsJ Sun06PM 0:00.66 proftpd: (accepting connections) (proftpd)
>
> Check the value for 'user' in proftpd.conf. It will be nobody. Change it to root.
>
> --
> Dyslexics have more fnu. - http://kingsly.net/tmp/fortune.php/1242364116

wouldn't it sort of make it more risky in terms of security to run ftpd as root vs nobody? in general daemons do not run as root and that's for a reason..

--
http://alexus.org/
Re: proftpd TLS
alexus wrote:
> i just enabled TLS for my proftpd and in tls.log I'm getting the following messages
>
> mod_tls/2.2.1[45739]: error locking passphrase into memory: Operation not permitted
> mod_tls/2.2.1[45739]: TLS/TLS-C requested, starting TLS handshake

From the error message, I can suspect that proftpd tries to use mlock(2) to lock some page in physical memory. That's typical behavior with programs dealing with sensitive data, such as passwords. The mlock system call can only be used by the superuser. Is proftpd running with superuser privileges?

Nikos
proftpd TLS
i just enabled TLS for my proftpd and in tls.log I'm getting the following messages

mod_tls/2.2.1[45739]: error locking passphrase into memory: Operation not permitted
mod_tls/2.2.1[45739]: TLS/TLS-C requested, starting TLS handshake

anyone had this in the past?