Linux capabilities is a project aimed at providing the POSIX.1e security model under Linux. Documentation for this project can be found here:
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs
Without going into gory detail, POSIX.1e basically specifies an interface to such goodies as capabilities, capability sets, access control lists, mandatory access control and much, much more. The end result of this security model allows compliant systems and daemons to have very fine-grained control over what operations are allowed by which services on the system.
The best part of the whole story is that Linux kernels (since 2.1) already have two important facets of the security model in place, namely capabilities and capability sets. Using these features allows a userland program to specifically drop capabilities (which can be thought of as "privileges") which it does not need. Once such capabilities are completely dropped, neither the userland program nor any binary it should spawn will be allowed to perform privileged operations, regardless of whether the program is running as root or not. Essentially, this limits the power of root to only those specific functions that are necessary, with the end effect of making the program much more secure.
A contributed module has been added in the
mod_cap. It can be found in the
libcap library provides the interface between mod_cap and the capability syscalls present in Linux kernels. (Note that this library can be found at www.kernel.org or sourceforge.net/projects/linux-privs).
When proftpd runs with mod_cap installed, its operation changes slightly:
proftpd process runs as normal, with full capabilities.
proftpd processes, the ones that handle FTP sessions, drop all capabilities, except for CAP_NET_BIND_SERVICE (which allows a process to bind to a port less than 1024) and CAP_CHOWN (which allows a process to change a file's ownership), immediately after a client has authenticated. Additionally, switching back and forth between root privileges and the authenticated user's privileges is no longer possible.
mod_cap can be found here.
The most current version of mod_cap can be found in the ProFTPD source distribution:
CapabilitiesEngine directive enables or disables the module's runtime capabilities engine. If it is set to off, this module does no runtime capabilities processing at all. Use this directive to disable the
CapabilitiesSet directive is used to manipulate the set of
mod_cap removes all but a few capabilities from the session-handling process:
binding to ports lower than 1024 (required for active data transfers), and CAP_CHOWN, for allowing a process to change a file's ownership to a different user. The CAP_CHOWN capability is only strictly necessary if the UserOwner configuration directive is in use; if not being used, the CAP_CHOWN capability is best removed.
CAP_AUDIT_WRITE is retained if the mod_auth_pam module is present, as this capability is needed for some PAM modules such as
To remove a capability, prefix the name with a '-'; to enable a capability, use '+'. This directive supports the following capabilities:
CAP_DAC_OVERRIDE (override all directory access controls)
CAP_DAC_READ_SEARCH (allow read and search directory access)
<IfModule mod_cap.c>
  CapabilitiesEngine on
  CapabilitiesSet -CAP_CHOWN +CAP_DAC_READ_SEARCH +CAP_FOWNER
</IfModule>
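As an added example (not code from the mod_cap documentation or the ProFTPD project), the following Python check decodes the CapEff line of a session process's /proc/<pid>/status and compares it with the set mod_cap should leave behind for a given CapabilitiesSet argument, applying the '+'/'-' rules above to the default set. Capability bit numbers are those of <linux/capability.h>; the status text is a constructed sample, and the audit() report format is this example's own.

```python
import re

# Capability bit numbers as defined in <linux/capability.h>.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2, "CAP_FOWNER": 3,
    "CAP_FSETID": 4, "CAP_SETUID": 7, "CAP_NET_BIND_SERVICE": 10, "CAP_AUDIT_WRITE": 29,
}
# The set mod_cap keeps in a session-handling process by default.
MOD_CAP_DEFAULT = {"CAP_NET_BIND_SERVICE", "CAP_CHOWN"}

def expected_caps(capabilities_set="", with_mod_auth_pam=False):
    """Apply a CapabilitiesSet argument ('-CAP_X +CAP_Y ...') to the default set."""
    caps = set(MOD_CAP_DEFAULT)
    if with_mod_auth_pam:
        caps.add("CAP_AUDIT_WRITE")  # retained when mod_auth_pam is present
    for token in capabilities_set.split():
        sign, name = token[0], token[1:]
        if sign not in "+-" or name not in CAP_BITS:
            raise ValueError(f"unsupported CapabilitiesSet token: {token}")
        if sign == "+":
            caps.add(name)
        else:
            caps.discard(name)
    return caps

def decode_capeff(status_text):
    """Return (named capabilities, unknown bit numbers) from the CapEff line of /proc/<pid>/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not match:
        raise ValueError("no CapEff line found")
    mask = int(match.group(1), 16)
    name_by_bit = {bit: name for name, bit in CAP_BITS.items()}
    set_bits = {bit for bit in range(64) if mask >> bit & 1}
    named = {name_by_bit[bit] for bit in set_bits if bit in name_by_bit}
    return named, set_bits - set(name_by_bit)

def audit(status_text, capabilities_set="", with_mod_auth_pam=False):
    """Report capabilities held beyond the expected set ('excess') and expected ones absent ('missing')."""
    observed, unknown = decode_capeff(status_text)
    expected = expected_caps(capabilities_set, with_mod_auth_pam)
    excess = sorted(observed - expected) + [f"bit {bit}" for bit in sorted(unknown)]
    return {"excess": excess, "missing": sorted(expected - observed)}

# Constructed sample: CapEff 0x401 = bit 0 (CAP_CHOWN) | bit 10 (CAP_NET_BIND_SERVICE),
# i.e. what a session process should show under the default mod_cap configuration.
SAMPLE_STATUS = "Name:\tproftpd\nCapEff:\t0000000000000401\nCapBnd:\t000001ffffffffff\n"
```

A non-empty "excess" list for a post-authentication session process means the drop did not take effect (for example a full-root 0x1ffffffffff mask), which is the condition worth alerting on.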
mod_cap module is automatically included when proftpd is built on a Linux system that supports capabilities; to disable this automatic inclusion, use the
Question: Why do I see the following in my system logs?
warning: `proftpd' uses 32-bit capabilities (legacy support in use)
Answer: This warning is coming from the use of the libcap library. A newer version of the libcap library (called the "libcap2" or "libcap2-dev" package on some Linux distributions) is now available.
To remove the above warning, you will need to update/install the newer libcap2 or libcap2-dev package on your system, and re-build proftpd (using version 1.3.2rc1 or later) in order to compile and link against the newer libcap library.
Question: What does the following mean?
chown() as root failed: Operation not permitted
Answer: The purpose of the mod_cap module is to restrict the capabilities of the all-powerful root user. Thus when mod_cap is in effect, operations like
The message above usually happens when your configuration uses the
GroupOwner configuration directives.
To enable those directives to function and still use
you will need to use a configuration such as:
<IfModule mod_cap.c>
  # Allow root to use chown(2)
  CapabilitiesSet +CAP_CHOWN
</IfModule>