[BlueOnyx:23046] Re: CushyCMS and ProFTPD

Michael Stauber mstauber at blueonyx.it
Tue Jul 30 18:31:02 -05 2019


Hi Ken,

> I looked in var/log/messages and I see a bunch of lines like this, not sure
> what they mean or why they are occurring now and not previously.  Customer
> would be using site admin credentials, wouldn't even know root login.
> 
> Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254
> (198.74.49.153[198.74.49.153
> ]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
> Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254

Yeah, ProFTPd doesn't allow user "root" and never has. A seteuid() call
happens when a program drops privileges to do something as a lesser user
and when it's done it tries to regain the same UID/GID as before via
seteuid(). It's something I'm sort of sure ProFTPd doesn't allow without
full reauthentication, because from a security point of view it's *very*
tricky to get right. In the nooks and crannies of such code usually
there often is room for exploits and that's why sensible people don't
implement it - unless they really *have* to. And then it's usually the
best audited and most well tested part of the code, because one false
step and it can get exploited.

The last ProFTPd update only changed two things: mod_ban and mod_geoip
got activated by default. Other than that it's just ProFTPd 1.3.6-RC1 vs
ProFTPd-1.3.5.

Are the files in the webspace owned by that siteAdmin or by someone
else? This could be where the seteuid() call comes from. Say the files
are owned by nobody:siteX or apache:siteX and not by the siteAdmin:siteX.

-- 
With best regards

Michael Stauber
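The temporary privilege drop and regain that the reply describes, as an added C example (not code from ProFTPD or from the BlueOnyx list). It assumes Linux and shows that once a process no longer holds root in its saved set-user-ID, seteuid(0) is refused with EPERM, which is the "Operation not permitted" in the quoted log line.

```c
/* Added example: the temporary-drop / regain pattern and its failure mode.
 * Not ProFTPD's code; function names here are illustrative only.
 * Linux/glibc, build with: gcc -Wall seteuid_demo.c -o seteuid_demo */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Try to switch the effective UID to `target`. Returns 0 on success or the
 * errno seteuid() reported. EPERM means none of the real, effective or saved
 * UIDs allow the switch, i.e. the privilege was given up for good. */
int switch_euid(uid_t target)
{
    if (seteuid(target) == -1)
        return errno;
    return 0;
}

/* Temporarily drop to `user`, run `work`, then try to regain `orig`.
 * Returns 0 if the round trip succeeded, otherwise the errno of the step that
 * failed. Without root in the saved UID the regain step fails with EPERM,
 * which is exactly what "ROOT PRIVS: unable to seteuid()" logs. */
int drop_and_regain(uid_t user, uid_t orig, void (*work)(void))
{
    int rc = switch_euid(user);
    if (rc != 0)
        return rc;
    if (work)
        work();
    return switch_euid(orig);
}

static void unprivileged_work(void) { /* stands in for the real file work */ }

int main(void)
{
    uid_t me = geteuid();
    /* Round trip to our own UID always succeeds: no privilege is involved. */
    printf("regain own uid: rc=%d\n", drop_and_regain(me, me, unprivileged_work));
    /* Regaining root without root in the saved UID is refused with EPERM. */
    int rc = switch_euid(0);
    printf("seteuid(0) as uid %u: %s\n", (unsigned)me,
           rc == 0 ? "ok (already root)" : strerror(rc));
    return 0;
}
```

Run it as an ordinary user to see the EPERM case; as root the regain succeeds, which is the case a privilege-dropping daemon relies on.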
