mod_cap
Linux capabilities is a project aimed at providing the POSIX.1e security model under Linux. Documentation for this project can be found here:
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs
Conveniently, Linux kernels (since 2.1) already have two important facets of that security model in place, namely capabilities and capability sets. Using these features, a userland program can specifically drop the capabilities (think of them as individual "privileges") which it does not need. Once a capability is completely dropped, neither the program nor any binary it spawns is allowed to perform the corresponding privileged operation, regardless of whether the process is running as root or not. Essentially, this limits the power of root to only those specific functions that are necessary, which makes the program much harder to abuse if it is ever compromised.
A contributed module named mod_cap is included in the proftpd distribution; it can be found in the modules/ directory.
The libcap library provides the interface between mod_cap and the capability syscalls present in Linux kernels. (This library can be found at www.kernel.org or sourceforge.net/projects/linux-privs.)
When proftpd runs with mod_cap installed, its operation changes slightly:
- The session-handling process is left with only a small set of capabilities, by default CAP_NET_BIND_SERVICE and CAP_CHOWN (see the CapabilitiesSet directive below); every other privileged operation is refused by the kernel, even where the process still has root's uid.
- Switching back and forth between root privileges and the authenticated user's privileges is no longer possible.
The most current version of mod_cap can be found in the ProFTPD source distribution:
http://www.proftpd.org/
The directives below are valid in the <VirtualHost> and <Global> contexts.
The CapabilitiesEngine directive enables or disables the module's runtime capabilities engine. If it is set to off, this module does no runtime capabilities processing at all. Use this directive to disable the module.
By default, the mod_cap module will revoke (i.e. drop) root privileges entirely, once the necessary capabilities have been set. Use the CapabilitiesRootRevoke directive to change this default behavior, e.g.:
    CapabilitiesRootRevoke off
With revocation turned off, the session process keeps root's uid and is constrained by its capability set alone, so keep that set as small as the configuration allows.
The CapabilitiesSet directive is used to manipulate the set of capabilities that mod_cap grants to the session process.
By default, mod_cap removes all but a few capabilities from the session-handling process: CAP_NET_BIND_SERVICE, for binding to ports lower than 1024 (required for active-mode data transfers, where the server connects out from port 20), and CAP_CHOWN, for changing a file's ownership to a different user. CAP_CHOWN is only strictly necessary if the UserOwner configuration directive is in use; if that directive is not used, CAP_CHOWN is best removed. Additionally, CAP_AUDIT_WRITE is retained if the mod_auth_pam module is present, as some PAM modules such as pam_loginuid need this capability.
To remove a capability, prefix its name with '-'; to enable a capability, use '+'. This directive supports the following capabilities:
- CAP_CHOWN
- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_FOWNER
- CAP_FSETID
- CAP_SETUID
Note that adding +CAP_SETUID lets the session process change its uid again, which undoes the "no switching back to root" property described above; enable it only if you understand why it is needed.
Example:
    <IfModule mod_cap.c>
      CapabilitiesEngine on
      CapabilitiesSet -CAP_CHOWN +CAP_DAC_READ_SEARCH +CAP_FOWNER
    </IfModule>
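To make the CapabilitiesSet rules and the privilege drop described earlier concrete, here is an added example written for this page; it is not code from mod_cap or ProFTPD. It parses a CapabilitiesSet value with the +/- rules above into a capability bitmask, decodes a mask back into names, and then performs the kind of drop mod_cap does in the session process using the raw Linux capset(2) and prctl(2) interfaces instead of libcap. The capability numbers are those of <linux/capability.h>, and only the capabilities this page names are in the table. Two things are this example's own assumptions rather than anything the page states about mod_cap: uid/gid 65534 is used as the "nobody" account in main, and the bounding-set drop (PR_CAPBSET_DROP) is added so that an exec'd set-uid binary cannot regain what was dropped.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Capability numbers as in <linux/capability.h>; only the capabilities this
 * page mentions are listed, so any other name is rejected as unknown. */
static const struct { const char *name; int bit; } cap_table[] = {
    { "CAP_CHOWN", 0 },             { "CAP_DAC_OVERRIDE", 1 },
    { "CAP_DAC_READ_SEARCH", 2 },   { "CAP_FOWNER", 3 },
    { "CAP_FSETID", 4 },            { "CAP_SETUID", 7 },
    { "CAP_NET_BIND_SERVICE", 10 }, { "CAP_AUDIT_WRITE", 29 },
};
#define NCAPS (sizeof cap_table / sizeof cap_table[0])

static int lookup_cap(const char *name)
{
    for (size_t i = 0; i < NCAPS; i++)
        if (strcmp(cap_table[i].name, name) == 0) return cap_table[i].bit;
    return -1;
}

/* Apply a CapabilitiesSet value ("-CAP_CHOWN +CAP_FOWNER ...") to *mask.
 * Returns -1 (mask untouched) if a token lacks +/- or names an unknown cap. */
int apply_capabilities_set(const char *spec, uint64_t *mask)
{
    char buf[256];
    uint64_t m = *mask;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        int bit = lookup_cap(tok + 1);
        if ((tok[0] != '+' && tok[0] != '-') || bit < 0) return -1;
        if (tok[0] == '+') m |= 1ULL << bit; else m &= ~(1ULL << bit);
    }
    *mask = m;
    return 0;
}

/* Write the names of the bits set in mask (table order) to buf; returns the count. */
int mask_names(uint64_t mask, char *buf, size_t len)
{
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < NCAPS; i++) {
        if (!(mask & (1ULL << cap_table[i].bit))) continue;
        if (strlen(buf) + strlen(cap_table[i].name) + 2 > len) break;
        if (n++) strcat(buf, " ");
        strcat(buf, cap_table[i].name);
    }
    return n;
}

/* The drop a session process performs, with raw syscalls: strip everything but
 * `keep` from the bounding set (so an exec'd set-uid binary cannot get it back),
 * carry `keep` across the uid change, then make it the whole permitted and
 * effective set with nothing inheritable. Call as root; returns 0 or -1/errno. */
int drop_to_user(uid_t uid, gid_t gid, uint64_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    for (int cap = 0; cap < 64; cap++)                 /* bounding set, while still root */
        if (!(keep & (1ULL << cap)) && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0) {
            if (errno == EINVAL) break;                /* past the last cap this kernel knows */
            return -1;
        }
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* setuid() emptied the effective set; re-raise exactly what was kept. */
    data[0].permitted = data[0].effective = (uint32_t)keep;
    data[1].permitted = data[1].effective = (uint32_t)(keep >> 32);
    data[0].inheritable = data[1].inheritable = 0;
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

int main(void)
{
    uint64_t caps = (1ULL << 10) | (1ULL << 0);   /* mod_cap's default: NET_BIND_SERVICE, CHOWN */
    char names[256];
    /* The CapabilitiesSet line from the configuration example above. */
    if (apply_capabilities_set("-CAP_CHOWN +CAP_DAC_READ_SEARCH +CAP_FOWNER", &caps) < 0)
        return fprintf(stderr, "bad CapabilitiesSet line\n"), 1;
    mask_names(caps, names, sizeof names);
    printf("session process keeps: %s\n", names);
    if (getuid() != 0) { puts("not root, skipping the drop"); return 0; }
    if (drop_to_user(65534, 65534, caps) < 0) return perror("drop_to_user"), 1; /* 65534: assumed nobody */
    /* CAP_SETUID was not kept, so root cannot be regained: expect EPERM here. */
    printf("setuid(0) after the drop: %s\n", setuid(0) == 0 ? "succeeded" : strerror(errno));
    return 0;
}
```

Run as an ordinary user it only prints the parsed set; run as root it drops to uid 65534 and shows that setuid(0) is then refused, which is the "no switching back to root" behaviour described above. The same decoding can be applied to the CapEff line of /proc/<pid>/status of a live session process to check what mod_cap actually left in place.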
mod_cap is built and installed automatically on platforms that support it. To build proftpd without it, pass the --disable-cap option to configure.
Question: Why do I see the following in my system logs?
warning: `proftpd' uses 32-bit capabilities (legacy support in use)
The kernel prints this when a program uses the original 32-bit capability interface. To remove the warning, install the newer libcap2 (and libcap2-dev) package on your system and rebuild proftpd (version 1.3.2rc1 or later) so that it compiles and links against the newer libcap library, which uses the 64-bit capability interface.
Question: What does the following mean?
    chown() as root failed: Operation not permitted
Changing a file's ownership with chown(2) requires the CAP_CHOWN capability even when the caller's uid is 0, so this message means the session process no longer has it. It usually appears when your configuration uses the UserOwner or GroupOwner directives and a CapabilitiesSet line has removed CAP_CHOWN (mod_cap keeps it by default). To let those directives function and still use mod_cap, make sure the capability is kept, with a configuration such as:
    <IfModule mod_cap.c>
      # Allow root to use chown(2)
      CapabilitiesSet +CAP_CHOWN
    </IfModule>