ProFTPD module mod_cap



Linux capabilities is a project aimed at providing the POSIX.1e security model under Linux. Documentation for this project can be found here:

  ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs
Without going into gory detail, POSIX.1e basically specifies an interface to such goodies as capabilities, capability sets, access control lists, mandatory access control and much, much more. The end result of this security model allows compliant systems and daemons to have very fine-grained control over what operations are allowed by which services on the system.

The best part of the whole story is that Linux kernels (since 2.1) already have two important facets of the security model in place, namely capabilities and capability sets. Using these features allows a userland program to specifically drop capabilities (which can be thought of as "privileges") which it does not need. Once such capabilities are completely dropped, neither the userland program nor any binary it should spawn will be allowed to perform privileged operations, regardless of whether the program is running as root or not. Essentially, this limits the power of root to only those specific functions that are necessary, with the end effect of making the program much more secure.

A contributed module has been added in the proftpd distribution, named mod_cap. It can be found in the modules/ directory.

The libcap library provides the interface between mod_cap and the capability syscalls present in Linux kernels. (Note that this library can be found at www.kernel.org or sourceforge.net/projects/linux-privs).

When proftpd runs with mod_cap installed, its operation changes slightly:

Installation instructions for mod_cap can be found here.

The most current version of mod_cap can be found in the ProFTPD source distribution:

  http://www.proftpd.org/

Directives


CapabilitiesEngine

Syntax: CapabilitiesEngine on|off
Default: on
Context: server config, <VirtualHost>, <Global>
Module: mod_cap
Compatibility: 1.2.8rc2 and later

The CapabilitesEngine directive enables or disables the module's runtime capabilities engine. If it is set to off this module does no runtime capabilities processing at all. Use this directive to disable the module.


CapabilitiesSet

Syntax: CapabilitiesSet [+|- cap] ...
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_cap
Compatibility: 1.2.8rc2 and later

The CapabilitiesSet directive is used to manipulate the set of capabilities that mod_cap grants.

By default, mod_cap removes all but two capabilities from the session-handling process: CAP_NET_BIND_SERVICE, for binding to ports lower than 1024 (required for active data transfers), and CAP_CHOWN, for allowing a process to change a file's ownership to a different user. The CAP_CHOWN capability is only strictly necessary if the UserOwner configuration directive is in use; if not being used, the CAP_CHOWN capability is best removed.

To remove a capability, prefix the name with a '-'; to enable a capability, use '+'. This directive only supports the following capabilities: CAP_CHOWN, CAP_DAC_OVERRIDE (override all directory access controls), and CAP_DAC_READ_SEARCH (allow read and search directory access).

Example:

  <IfModule mod_cap.c>
    CapabilitiesEngine on
    CapabilitiesSet -CAP_CHOWN +CAP_DAC_READ_SEARCH
  </IfModule>


Installation

mod_cap is automatically included when proftpd is built on a Linux system that supports capabilities; to disable this automatic inclusion, use the --disable-cap configure option.



Author: $Author: castaglia $
Last Updated: $Date: 2004/04/16 00:36:57 $


© Copyright 2000-2002 TJ Saunders
All Rights Reserved