I'm trying to replace my current ftpd/realusers with proftpd/sqlpw auth and I get the following problem with mod_sqlpw set to non-authoritative: if a real user tries to log in to ftp with his name, which also exists in the SQL DB but with a different password and homedir, he gets the uid, gid and home of the SQL user! Is this the way it should work? If not, is there someone who fixed this? I'm too lazy to redo work already done by somebody ;)

To rephrase your question: you are saying that if a user logs in whose login id exists in both /etc/passwd and in the MySQL DB, the user gets the home directory of the user in the MySQL DB. I am assuming that the passwords are the same in both /etc/passwd and the MySQL DB. That sounds right to me... Though I don't think we have a good description of what happens if you set SQLauthoritative to "off" and build proftpd with mod_sqlpw... I hope Mark may have some more insight here...
At 15:36 10/04/2000 +0400, **Roman Korolyov**, has written a message, and here is the reply :
>Hi!
>I'm trying to replace my current ftpd/realusers with proftpd/sqlpw auth
>and I get the following problem with mod_sqlpw set to non-authoritative:

Sorry this is not an answer, but after checking my archive I found this:

----- ProFTPD and mod_sqlpw create a security hole -----
SUMMARY
Compiling the mod_sqlpw module into ProFTPD makes it possible for local users to view the passwords of users who have connected to the ftp server. When the module is used, it writes information to wtmp. Unfortunately, it writes the password to wtmp where the username should be. The passwords can be seen when a command such as 'last' is used locally.
DETAILS
Solution: Adding the following to your ProFTPd configuration file should solve this problem:

<Global>
  WtmpLog off
</Global>

WtmpLog details below:

WtmpLog
Syntax: WtmpLog on|off|NONE
Default: WtmpLog on
Context: server config, <VirtualHost>, <Anonymous>, <Global>
Compatibility: 1.1.7 and later

The WtmpLog directive controls proftpd's logging of ftp connections to the host system's wtmp file (used by such commands as `last'). By default, all connections are logged via wtmp.
ADDITIONAL INFORMATION
The mentioned vulnerability has been discovered by Todd C. Campbell <mailto:toddc@NET-LINK.NET>.
Got the latest CVS a few days ago, and the wtmp output of proftpd (with mod_sqlpw & mysql) is still really weird: sometimes the password (!) is logged, and other times a kind of random string (*J***J**).
*J***J** ftp 195.130.185.44 Sat Apr 8 01:02 - 01:07 (00:04)
*J***J** ftp megazh-d-218.agr Sat Apr 8 00:17 - 00:18 (00:00)
*J***J** ftp 195.130.185.92 Fri Apr 7 23:30 - 23:39 (00:08)
*J***J** ftp 195.130.185.92 Fri Apr 7 23:14 - 23:14 (00:00)
*J***J** ftp 195.130.185.92 Fri Apr 7 23:12 - 23:14 (00:01)
*J***J** ftp megazh-d-56.agri Fri Apr 7 21:15 - 21:15 (00:00)
*J***J** ftp orion.www-hostin Fri Apr 7 14:13 - 14:14 (00:00)
*J***J** ftp orion.www-hostin Fri Apr 7 14:11 - 14:12 (00:00)
wxcff.97 ftp 147.78.21.30 Fri Apr 7 13:37 - 13:38 (00:01)
wxcff.97 ftp 147.78.21.30 Fri Apr 7 13:34 - 13:35 (00:01)
wxcff.97 ftp 147.78.21.30 Fri Apr 7 13:31 - 13:31 (00:00)
Af773,r ftp sulzer.ch Fri Apr 7 11:51 - 11:52 (00:00)
wxcff.97 ftp 147.78.21.30 Fri Apr 7 10:39 - 10:39 (00:00)
wxcff.97 ftp 147.78.21.30 Fri Apr 7 10:38 - 10:38 (00:00)
Are these (really practical, btw) modules not maintained? Logging the password to the wtmp is just a *huge* security hole... :(
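A defender-side check for the problem the advisory and the `last` output above describe, added here as an example (not code from the thread or from ProFTPD): it scans `last` output and flags records whose user column cannot be a login name or names no account on the host, which is exactly how mod_sqlpw's leaked passwords surface in wtmp. The sample `last` lines, the login-name policy and the KNOWN_USERS set are constructed assumptions.

```python
import re

# Portable Unix login names (assumed policy): lowercase start, then lowercase
# letters, digits, '_' or '-'.  Anything else did not come from an account DB.
LOGIN_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")

# Constructed `last` lines in the shape the thread shows; the odd user values
# stand in for what mod_sqlpw actually wrote in that column (passwords).
SAMPLE_LAST_OUTPUT = """\
*J***J**  ftp      195.130.185.44   Sat Apr  8 01:02 - 01:07  (00:04)
wxcff.97  ftp      147.78.21.30     Fri Apr  7 13:37 - 13:38  (00:01)
Af773,r   ftp      sulzer.ch        Fri Apr  7 11:51 - 11:52  (00:00)
ftpuser   ftp      nrwc-sh7-port89  Fri Jan  7 12:36 - 12:51  (00:15)
wtmp begins Mon Apr  3 00:00:01 2000
"""

# Assumed account list; on a real host build it from pwd.getpwall() plus the
# pseudo-users `last` emits ("reboot", "shutdown").
KNOWN_USERS = {"root", "ftpuser", "reboot", "shutdown"}

def parse_last_line(text):
    """Return (user, tty, host) for one `last` record, else None."""
    fields = text.split()
    if len(fields) < 4 or fields[0] == "wtmp":  # blank line or trailer
        return None
    return fields[0], fields[1], fields[2]

def classify_user(user, known_users):
    """Explain why a wtmp user value is suspect, or return None if it is fine."""
    if not LOGIN_NAME_RE.match(user):
        return "not a valid login name (likely a leaked password)"
    if user not in known_users:
        return "no such account on this host"
    return None

def find_suspect_entries(last_output, known_users):
    """Return (user, tty, host, reason) for every suspect `last` record."""
    suspects = []
    for raw in last_output.splitlines():
        rec = parse_last_line(raw)
        if rec is None:
            continue
        reason = classify_user(rec[0], known_users)
        if reason:
            suspects.append((*rec, reason))
    return suspects

if __name__ == "__main__":
    for user, tty, host, reason in find_suspect_entries(SAMPLE_LAST_OUTPUT, KNOWN_USERS):
        print(f"{user!r:>12} via {tty} from {host}: {reason}")
```

Every flagged record is a credential to rotate and a wtmp entry to scrub; on a live host feed it `last -F` output and the real account list instead of the constructed sample.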
http://bugs.proftpd.org/show_bug.cgi?id=108 *** shadow/108 Thu Apr 6 12:01:58 2000 --- shadow/108.tmp.7160 Thu Apr 6 13:58:46 2000 *************** *** 23,25 **** --- 23,39 ---- 1) references missing flags.c program, need to remove references to flags.* 2) modmysql does not have the ".o" extension in the file. That needs ot be added... + + ------- Additional Comments From hamster@hamster.wibble.org 04/06/00 13:58 ------- + I think the "flags" stuff is a result of the wording in the FAQ, I'll amend the + FAQ to make this clearer. + + It should be + configure --with-modules='mod_sqlpw:mod_mysql' + + not + + configure --with-modules='mod_sqlpw:mod_mysql flags' + + flags' +
http://bugs.proftpd.org/show_bug.cgi?id=109 *** shadow/109 Thu Apr 6 12:06:53 2000 --- shadow/109.tmp.7078 Thu Apr 6 12:06:53 2000 *************** *** 0 **** --- 1,27 ---- + Bug#: 109 + Product: ProFTPD + Version: 1.2.0pre10 + Platform: PC + OS/Version: Linux + Status: NEW + Resolution: + Severity: normal + Priority: P2 + Component: mod_sqlpw + AssignedTo: proftpd-devel@proftpd.org + ReportedBy: mgrabenstein@mac.com + URL: + Summary: mod_sqlpw (mysql): Make.rules needs libaries and includes specified. + + In Make.rules, The definition for LIBS needs to have -lmysqlclient added to it. + LDFLAGS needs the path to your mysql library added. CPPFLAGS needs the location + of your mysql include files added. + Depending on installation they should look like: + LIBS=-lsupp -ldl -lcrypt -lm -lmysqlclient -lpam + LDFLAGS=-L/home/builds/proftpd-1.2.0pre10/lib -L/usr/local/mysql/lib/mysql + CPPFLAGS= $(DEFAULT_PATHS) $(PLATFORM) -I.. -I$(top_srcdir)/include + -I/usr/local/mysql/include/mysql + + Would be nice if there was a readme somwhere in the distribution that hinted at + these things... + Would be best if configure would do this...
http://bugs.proftpd.org/show_bug.cgi?id=108 *** shadow/108 Thu Apr 6 11:57:28 2000 --- shadow/108.tmp.7054 Thu Apr 6 12:01:34 2000 *************** *** 11,19 **** AssignedTo: proftpd-devel@proftpd.org ReportedBy: mgrabenstein@mac.com URL: ! Summary: reference to flags.c needs to be removed to compile mod_sqlpw (mysql) To get mod_sqlpw to compile. You must first edit the Make.modules file and remove the references to flags.c. Or is it missing from the pre10 distribution ? mod_sqlpw seems work fine with ou it. :-) --- 11,25 ---- AssignedTo: proftpd-devel@proftpd.org ReportedBy: mgrabenstein@mac.com URL: ! Summary: mmod_sqlpw (mysql) in Make.modules, remove flag.* and add .o to modmysql To get mod_sqlpw to compile. You must first edit the Make.modules file and remove the references to flags.c. Or is it missing from the pre10 distribution ? mod_sqlpw seems work fine with ou it. :-) + + ------- Additional Comments From mgrabenstein@mac.com 04/06/00 12:01 ------- + Two problems in Make.modules: + 1) references missing flags.c program, need to remove references to flags.* + 2) modmysql does not have the ".o" extension in the file. That needs ot be + added...
http://bugs.proftpd.org/show_bug.cgi?id=108 *** shadow/108 Thu Apr 6 12:01:34 2000 --- shadow/108.tmp.7065 Thu Apr 6 12:01:58 2000 *************** *** 11,17 **** AssignedTo: proftpd-devel@proftpd.org ReportedBy: mgrabenstein@mac.com URL: ! Summary: mmod_sqlpw (mysql) in Make.modules, remove flag.* and add .o to modmysql To get mod_sqlpw to compile. You must first edit the Make.modules file and remove the references to flags.c. --- 11,17 ---- AssignedTo: proftpd-devel@proftpd.org ReportedBy: mgrabenstein@mac.com URL: ! Summary: mod_sqlpw (mysql) in Make.modules, remove flag.* and add .o to modmysql To get mod_sqlpw to compile. You must first edit the Make.modules file and remove the references to flags.c.
http://bugs.proftpd.org/show_bug.cgi?id=107 *** shadow/107 Thu Apr 6 11:54:53 2000 --- shadow/107.tmp.7006 Thu Apr 6 11:54:53 2000 *************** *** 0 **** --- 1,24 ---- + Bug#: 107 + Product: ProFTPD + Version: 1.2.0pre10 + Platform: PC + OS/Version: Linux + Status: NEW + Resolution: + Severity: major + Priority: P2 + Component: mod_sqlpw + AssignedTo: proftpd-devel@proftpd.org + ReportedBy: mgrabenstein@mac.com + URL: + Summary: Atempts to log in after the first failure always fail with mod_sqlpw (mysql) + + When I ftp to my host, if I type in the user id and password the first time + everything is fine and I am able to log in. + If I make a typo in the password and the log in fails. I can use the "user" + command in the ftp client to attempt logging in again. Problem is now, that no + matter what I type it will fail. + Work around: Get it right the first time, in other words: if you fail the first + time, quit ftp and re-start your ftp client. + This was noticed when ftp'ing from RedHat v6.1 and from Solaris 2.6 to my RedHat + v6.1 box...
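Review bot: the symptom in this report (after one wrong password, every further USER/PASS attempt on the same control connection fails until the client reconnects) points to per-session authentication state in mod_sqlpw that is not cleared when a new USER command arrives; the fix should reset any cached lookup or failure result at the start of each authentication attempt. Failing closed is the safe direction, so this is a usability bug rather than a hole, but the retry path deserves a regression test: wrong password, then the correct one, within a single session.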
http://bugs.proftpd.org/show_bug.cgi?id=105 *** shadow/105 Thu Apr 6 11:33:59 2000 --- shadow/105.tmp.6990 Thu Apr 6 11:50:29 2000 *************** *** 11,17 **** AssignedTo: proftpd-devel@proftpd.org ReportedBy: mgrabenstein@mac.com URL: ! Summary: DefaultRoot does not work as advertised with mod_sqlpw OtherBugsDependingOnThis: 52[NEW] DefaultRoot does not work as advertised. It will now --- 11,17 ---- AssignedTo: proftpd-devel@proftpd.org ReportedBy: mgrabenstein@mac.com URL: ! Summary: DefaultRoot does not work as advertised with mod_sqlpw (mysql) OtherBugsDependingOnThis: 52[NEW] DefaultRoot does not work as advertised. It will now
http://bugs.proftpd.org/show_bug.cgi?id=105 *** shadow/105 Thu Apr 6 11:33:37 2000 --- shadow/105.tmp.6930 Thu Apr 6 11:33:37 2000 *************** *** 0 **** --- 1,21 ---- + Bug#: 105 + Product: ProFTPD + Version: 1.2.0pre10 + Platform: PC + OS/Version: Linux + Status: NEW + Resolution: + Severity: major + Priority: P2 + Component: mod_sqlpw + AssignedTo: proftpd-devel@proftpd.org + ReportedBy: mgrabenstein@mac.com + URL: + Summary: DefaultRoot does not work as advertised with mod_sqlpw + + DefaultRoot does not work as advertised. It will now + chroot in 1.2pre10, but the group expression field does not work. Specifing + something can disable DefaultRoot. (DefaultRoot ~ !mygroup == is not respected, + but Default root does chroot, where as DefaultRoot ~ ! mygroup == (with a space + between ! and group) seems to disable chroot.) Also DefaultRoot ~ does work (if + the group expression is blank).
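Review bot: the dangerous part of this report is that a malformed group expression ("DefaultRoot ~ ! mygroup", with a space between "!" and the group name) silently disables the chroot instead of being rejected. An unparseable DefaultRoot group expression should be a fatal configuration error at startup (fail closed), never a fall-through to no chroot, because a chroot that quietly turns off exposes the whole filesystem to SQL-authenticated users. A config-parser test covering "DefaultRoot ~", "DefaultRoot ~ !mygroup" and the spaced variant would pin the behaviour down.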
http://bugs.proftpd.org/show_bug.cgi?id=108 *** shadow/108 Thu Apr 6 11:57:28 2000 --- shadow/108.tmp.7017 Thu Apr 6 11:57:28 2000 *************** *** 0 **** --- 1,19 ---- + Bug#: 108 + Product: ProFTPD + Version: 1.2.0pre10 + Platform: PC + OS/Version: Linux + Status: NEW + Resolution: + Severity: normal + Priority: P2 + Component: mod_sqlpw + AssignedTo: proftpd-devel@proftpd.org + ReportedBy: mgrabenstein@mac.com + URL: + Summary: reference to flags.c needs to be removed to compile mod_sqlpw (mysql) + + To get mod_sqlpw to compile. You must first edit the Make.modules file and + remove the references to flags.c. + Or is it missing from the pre10 distribution ? mod_sqlpw seems work fine with ou + it. :-)
http://bugs.proftpd.org/show_bug.cgi?id=106 *** shadow/106 Thu Apr 6 11:50:13 2000 --- shadow/106.tmp.6979 Thu Apr 6 11:50:13 2000 *************** *** 0 **** --- 1,19 ---- + Bug#: 106 + Product: ProFTPD + Version: 1.2.0pre10 + Platform: PC + OS/Version: Linux + Status: NEW + Resolution: + Severity: normal + Priority: P2 + Component: mod_sqlpw + AssignedTo: proftpd-devel@proftpd.org + ReportedBy: mgrabenstein@mac.com + URL: + Summary: inetd not working with mod_sqlpw (mysql) + + Using inetd to spawn proftpd with mod_sqlpw loaded resulted in: + "421 Service not available, remote server has closed connection" + Changing the proftpd.conf so the server was "standalone" and disabling ftp in + inetd.conf. Allows me to start a working server.
http://bugs.proftpd.org/show_bug.cgi?id=105 *** shadow/105 Thu Apr 6 11:33:37 2000 --- shadow/105.tmp.6941 Thu Apr 6 11:33:59 2000 *************** *** 12,17 **** --- 12,18 ---- ReportedBy: mgrabenstein@mac.com URL: Summary: DefaultRoot does not work as advertised with mod_sqlpw + OtherBugsDependingOnThis: 52[NEW] DefaultRoot does not work as advertised. It will now chroot in 1.2pre10, but the group expression field does not work. Specifing
http://bugs.proftpd.org/show_bug.cgi?id=52 *** shadow/52 Tue Feb 15 14:26:57 2000 --- shadow/52.tmp.6948 Thu Apr 6 11:34:00 2000 *************** *** 1,6 **** Bug#: 52 Product: ProFTPD ! Version: 1.2.0preX Platform: All OS/Version: All Status: NEW --- 1,6 ---- Bug#: 52 Product: ProFTPD ! Version: 1.2.0pre9 Platform: All OS/Version: All Status: NEW *************** *** 12,17 **** --- 12,18 ---- ReportedBy: wigstah@akitanet.co.uk URL: Summary: chroot'ing to user's home directory doesn't work when mod_mysql is in use + BugsThisDependsOn: 105[NEW] Hi,
+------ "Mark Renouf" wrote (Fri, 7-Jan-00, 18:21 -0500):
|
| ns1:/usr/local/mysql/var# /usr/sbin/proftpd --version
| ProFTPD Version 1.2.0pre8
|
| I'm running with mod_sqlpw and mod_mysql
|
| wtmp is logging ftp logins VERY incorrectly
|
| example: a login by
| user: ftpuser
| password: mypassword
|
| [should show:]
|
| ns1:/usr/local/mysql/var# last -1
| ftpuser ftp nrwc-sh7-port89 Fri Jan 7 12:36 - 12:51 (00:15)
|
| [but instead shows like this:]
|
| ns1:/usr/local/mysql/var# last -1
| mypassword ftp nrwc-sh7-port89 Fri Jan 7 12:36 - 12:51 (00:15)
|
| Can anyone confirm this? Should I try pre9 ?

Is this related to the problem previously reported last November? AFAIK, neither pre9 nor CVS (but I haven't looked in a few days) includes a fix. It sounds similar though slightly different.

+------ "Charles Seeger" wrote (Thu, 30-Dec-99, 11:25 -0500):
|
| o Passwords are logged to wtmp by mod_sqlpw!
| http://www.proftpd.org/proftpd-l-archive/99-11/msg00212.html
| http://www.proftpd.org/proftpd-l-archive/99-11/msg00216.html
| http://www.proftpd.org/proftpd-l-archive/99-11/msg00217.html
| http://www.proftpd.org/proftpd-l-archive/99-11/msg00221.html
| (includes a fix to mod_sqlpw.c:_checkpass function to prevent
| logging the correct and wrong password in debug mode)
| http://www.proftpd.org/proftpd-l-archive/99-11/msg00235.html
| http://www.proftpd.org/proftpd-l-archive/99-11/msg00242.html

Looks like it bears further investigation.
Uhmmmm Yes, the problem remains in pre9... The workaround is to disable that type of logging.
http://www.iusb.edu/~awalton/pro-mysql.txt

that should help.

-Andy

----- Original Message -----
From: "Mitch Vincent" <mitch@venux.net>
To: <proftpd@proftpd.org>
Sent: Saturday, March 11, 2000 2:00 PM
Subject: [ProFTPD] Compile error with pre 10

> modules/mod_sqlpw.o: In function `auth_cmd_getpwnam':
> /usr/source/proftpd-1.2.0pre10/modules/mod_sqlpw.c(.text+0x44a): undefined reference to `mysql_escape_string'
> modules/mod_sqlpw.o: In function `auth_cmd_auth':
> /usr/source/proftpd-1.2.0pre10/modules/mod_sqlpw.c(.text+0x76c): undefined reference to `mysql_escape_string'
> *** Error code 1
>
> I'm trying to compile in mod_mysql and mod_sqlpw, however I get the above error... Also, I couldn't find any documentation on the table layouts and such required for mod_sqlpw and mod_mysql to work, could anyone point me to it?