ProFTPD module mod

ProFTPD module `mod_cap`

Linux capabilities is a project aimed at providing the POSIX.1e security model under Linux. Documentation for this project can be found here:

  ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs

Without going into gory detail, POSIX.1e basically specifies an interface to such goodies as capabilities, capability sets, access control lists, mandatory access control and much, much more. The end result of this security model allows compliant systems and daemons to have very fine-grained control over what operations are allowed by which services on the system.

The best part of the whole story is that Linux kernels (since 2.1) already have two important facets of the security model in place, namely capabilities and capability sets. Using these features allows a userland program to specifically drop capabilities (which can be thought of as "privileges") which it does not need. Once such capabilities are completely dropped, neither the userland program nor any binary it should spawn will be allowed to perform privileged operations, regardless of whether the program is running as root or not. Essentially, this limits the power of root to only those specific functions that are necessary, with the end effect of making the program much more secure.

A contributed module has been added in the proftpd distribution, named mod_cap. It can be found in the modules/ directory.

The libcap library provides the interface between mod_cap and the capability syscalls present in Linux kernels. (Note that this library can be found at www.kernel.org or sourceforge.net/projects/linux-privs).

When proftpd runs with mod_cap installed, its operation changes slightly:

The master proftpd process runs as normal, with full capabilities.

The child proftpd processes, the ones that handle FTP sessions, drop all capabilities-except for CAP_NET_BIND_SERVICE (which allows a process to bind to port less than 1024) and CAP_CHOWN (which allows a process to change a file's ownership)-immediately after a client has authenticated.
Additionally, switching back and forth between root privileges and the authenticated user's privileges is no longer possible.

Installation instructions for mod_cap can be found here.

The most current version of mod_cap can be found in the ProFTPD source distribution:

  http://www.proftpd.org/

CapabilitiesEngine

Syntax: CapabilitiesEngine on|off
Default: on
Context: server config, <VirtualHost>, <Global>
Module: mod_cap
Compatibility: 1.2.8rc2 and later

The CapabilitesEngine directive enables or disables the module's runtime capabilities engine. If it is set to off this module does no runtime capabilities processing at all. Use this directive to disable the module.

CapabilitiesRootRevoke

Syntax: CapabilitiesRootRevoke on|off
Default: CapabilitiesRootRevoke on
Context: server config, <VirtualHost>, <Global>
Module: mod_cap
Compatibility: 1.3.5rc1 and later

By default, the mod_cap module will revoke (i.e. drop) root privileges entirely, once the necessary capabilities have been set. Use the CapabilitiesRootRevoke directive to change this default behavior, e.g.:

  CapabilitiesRootRevoke off

CapabilitiesSet

Syntax: CapabilitiesSet [+|- cap] ...
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_cap
Compatibility: 1.2.8rc2 and later

The CapabilitiesSet directive is used to manipulate the set of capabilities that mod_cap grants.

By default, mod_cap removes all but a few capabilities from the session-handling process: CAP_NET_BIND_SERVICE, for binding to ports lower than 1024 (required for active data transfers), and CAP_CHOWN, for allowing a process to change a file's ownership to a different user. The CAP_CHOWN capability is only strictly necessary if the UserOwner configuration directive is in use; if not being used, the CAP_CHOWN capability is best removed. Additionally, CAP_AUDIT_WRITE is retained if the mod_auth_pam module is present, as this capability is needed for some PAM modules such as pam_loginuid.

To remove a capability, prefix the name with a '-'; to enable a capability, use '+'. This directive supports the following capabilities:

CAP_CHOWN
CAP_DAC_OVERRIDE (override all directory access controls)
CAP_DAC_READ_SEARCH (allow read and search directory access)
CAP_FOWNER
CAP_FSETID
CAP_SETUID

Example:

  <IfModule mod_cap.c>
    CapabilitiesEngine on
    CapabilitiesSet -CAP_CHOWN +CAP_DAC_READ_SEARCH +CAP_FOWNER
  </IfModule>

Installation

The mod_cap module is automatically included when proftpd is built on a Linux system that supports capabilities; to disable this automatic inclusion, use the --disable-cap configure option.

FAQ

Question: Why do I see the following in my system logs?

  warning: `proftpd' uses 32-bit capabilities (legacy support in use)

Answer: This warning is coming from the use of the libcap library. A newer version of the libcap library (called the "libcap2" or "libcap2-dev" package on some Linux distributions) is now available.

To remove the above warning, you will need to update/install the newer libcap2 or libcap2-dev package on your system, and re-build proftpd (using version 1.3.2rc1 or later) in order to compile and link against the newer libcap library.

Question: What does the following mean?

  chown() as root failed: Operation not permitted

Answer: The purpose of the mod_cap module is to restrict the capabilities of the all-powerful root user. Thus when mod_cap is in effect, operations like chown() are restricted.

The message above usually happens when your configuration uses the UserOwner or GroupOwner configuration directives. To enable those directives to function and still use mod_cap, you will need to use a configuration such as:

  <IfModule mod_cap.c>
    # Allow root to use chown(2)
    CapabilitiesSet -CAP_CHOWN
  </IfModule>