Debian Bug report logs - #406113
libpam-modules: pam_ftp.so incompatible with pam_chroot.so?

Package: libpam-chroot; Maintainer for libpam-chroot is Javier Fernandez-Sanguino Peña <[email protected]>; Source for libpam-chroot is src:libpam-chroot.

Reported by: Tyler MacDonald <[email protected]>

Date: Mon, 8 Jan 2007 20:18:06 UTC

Severity: normal



Report forwarded to [email protected], Sam Hartman <[email protected]>:
Bug#406113; Package libpam-modules.


Acknowledgement sent to Tyler MacDonald <[email protected]>:
New Bug report received and forwarded. Copy sent to Sam Hartman <[email protected]>.


Message #5 received at [email protected]:

From: Tyler MacDonald <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: libpam-modules: pam_ftp.so incompatible with pam_chroot.so?
Date: Mon, 08 Jan 2007 12:13:13 -0800
Package: libpam-modules
Version: 0.79-4
Severity: normal


pam_chroot.so does not seem to be invoked when a user is authenticated as
anonymous by pam_ftp. I am not sure if the bug lies with pam_ftp,
pam_chroot, or pure-ftpd.

Consider the config below. When a regular authenticated user logs in, they
are herded into their chroot environment. When the anonymous FTP user logs
in, they are *not* chrooted before the session is handed off to pure-ftpd.

Not a *huge* deal for me, since my ftp isn't writable anyways, I just mount
--bind'ed it outside of its chroot jail... but it is a little bit annoying
and I can see this causing security problems in other setups.

	Thanks,
		Tyler


# PAM config for pure-ftpd

# allow anonymous users
auth    sufficient      pam_ftp.so
auth    required        pam_unix_auth.so shadow use_first_pass

# /etc/ftpusers contain user list with DENIED access
auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Uncomment next line to allow non-anonymous ftp access ONLY for users,
# listed in /etc/ftpallow
#auth    required        pam_listfile.so item=user sense=allow file=/etc/ftpallow onerr=fail

# standard
auth    required        pam_shells.so
account required        pam_unix.so
session required        pam_unix.so

session required        pam_chroot.so





-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)

Versions of packages libpam-modules depends on:
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries
ii  libcap1                      1:1.10-14   support for getting/setting POSIX.
ii  libdb4.3                     4.3.29-6    Berkeley v4.3 Database Libraries [
ii  libpam0g                     0.79-4      Pluggable Authentication Modules l
ii  libselinux1                  1.32-3      SELinux shared libraries

libpam-modules recommends no packages.

-- no debconf information



Information forwarded to [email protected]:
Bug#406113; Package libpam-modules.


Acknowledgement sent to Steve Langasek <[email protected]>:
Extra info received and forwarded to list.


Message #10 received at [email protected]:

From: Steve Langasek <[email protected]>
To: [email protected]
Subject: Re: libpam-modules: pam_ftp.so incompatible with pam_chroot.so?
Date: Tue, 28 Aug 2007 06:32:43 -0700
reassign 406113 libpam-chroot
thanks

> pam_chroot.so does not seem to be invoked when a user is authenticated as
> anonymous by pam_ftp. I am not sure if the bug lies with pam_ftp,
> pam_chroot, or pure-ftpd.

With the provided config file, I don't see any way that pam_ftp is to blame.
The module won't directly prevent pam_chroot from being called.  It's
possible that one of the values that pam_ftp is setting is interfering with
pam_chroot, but in that case it would be a pam_chroot bug.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[email protected]                                   http://www.debian.org/



Bug reassigned from package `libpam-modules' to `libpam-chroot'. Request was from Steve Langasek <[email protected]> to [email protected]. (Tue, 28 Aug 2007 13:36:02 GMT)
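
Added example (not part of the bug log, and not Linux-PAM code): a simplified Python model of PAM control-flag handling, run over the configuration from message #5, showing which modules each management group calls when pam_ftp.so succeeds or fails. The module outcomes passed in are constructed inputs and the function names are hypothetical.

```python
# Simplified model of Linux-PAM control flags; illustration only, not libpam.
CONFIG = """\
auth    sufficient      pam_ftp.so
auth    required        pam_unix_auth.so shadow use_first_pass
auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth    required        pam_shells.so
account required        pam_unix.so
session required        pam_unix.so
session required        pam_chroot.so
"""

def parse(text):
    """Return (type, control, module) tuples for every non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(tuple(line.split()[:3]))
    return entries

def run_stack(entries, mtype, outcomes):
    """Walk one management group; outcomes maps module -> bool (constructed input)."""
    called, failed, passed = [], False, False
    for etype, control, module in entries:
        if etype != mtype:
            continue
        called.append(module)
        ok = outcomes.get(module, True)   # modules not listed are assumed to succeed
        passed = passed or ok
        if control == "sufficient" and ok and not failed:
            return True, called           # rest of this group is skipped
        if control == "requisite" and not ok:
            return False, called          # stop at the first failure
        if control == "required" and not ok:
            failed = True                 # remember the failure, keep going
    return passed and not failed, called

def simulate_login(outcomes):
    """Return {group: (success, modules_called)} for auth, account and session."""
    entries = parse(CONFIG)
    return {t: run_stack(entries, t, outcomes) for t in ("auth", "account", "session")}

if __name__ == "__main__":
    logins = {"anonymous": {"pam_ftp.so": True}, "regular": {"pam_ftp.so": False}}
    for name, outcomes in logins.items():
        for group, (ok, called) in simulate_login(outcomes).items():
            print(f"{name:9} {group:8} ok={ok} called={called}")
```

In this model the anonymous login stops the auth group at pam_ftp.so, so pam_listfile.so and pam_shells.so are not reached, while the session group still reaches pam_chroot.so. What pam_chroot.so then does with the values it is handed is outside the model.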




Debian bug tracking system administrator <[email protected]>. Last modified: Fri May 16 02:05:05 2025; Machine Name: bembo
