Package: libpam-modules
Version: 0.79-4
Severity: normal

pam_chroot.so does not seem to be invoked when a user is authenticated as anonymous by pam_ftp. I am not sure if the bug lies with pam_ftp, pam_chroot, or pure-ftpd.

Consider the config below. When a regular authenticated user logs in, they are herded into their chroot environment. When the anonymous FTP user logs in, they are *not* chrooted before the session is handed off to pure-ftpd.

Not a *huge* deal for me, since my ftp isn't writable anyways, I just mount --bind'ed it outside of its chroot jail... but it is a little bit annoying and I can see this causing security problems in other setups.

Thanks,
Tyler

# PAM config for pure-ftpd

# allow anonymous users
auth       sufficient   pam_ftp.so
auth       required     pam_unix_auth.so shadow use_first_pass

# /etc/ftpusers contain user list with DENIED access
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Uncomment next line to allow non-anonymous ftp access ONLY for users,
# listed in /etc/ftpallow
#auth      required     pam_listfile.so item=user sense=allow
#file=/etc/ftpallow onerr=fail

# standard
auth       required     pam_shells.so
account    required     pam_unix.so
session    required     pam_unix.so
session    required     pam_chroot.so

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)

Versions of packages libpam-modules depends on:
ii  libc6        2.3.6.ds1-8  GNU C Library: Shared libraries
ii  libcap1      1:1.10-14    support for getting/setting POSIX.
ii  libdb4.3     4.3.29-6     Berkeley v4.3 Database Libraries [
ii  libpam0g     0.79-4       Pluggable Authentication Modules l
ii  libselinux1  1.32-3       SELinux shared libraries

libpam-modules recommends no packages.

-- no debconf information
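
Added example, not part of the original report and not code from libpam or pure-ftpd: a simplified model of how Linux-PAM control flags walk the stacks in the config above. It shows that a successful "sufficient pam_ftp.so" ends only the auth stack (so the /etc/ftpusers and pam_shells.so checks are skipped for anonymous logins), while pam_chroot.so in the session stack is reached only if the service opens a PAM session. The app_opens_session flag and the assumed module results are hypothetical; the report does not say whether pure-ftpd opens a session for anonymous users.

```python
# Added example: simplified model of Linux-PAM control flags (not the real libpam).
CONFIG = """\
auth     sufficient pam_ftp.so
auth     required   pam_unix_auth.so shadow use_first_pass
auth     required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     required   pam_shells.so
account  required   pam_unix.so
session  required   pam_unix.so
session  required   pam_chroot.so
"""

def parse(text):
    """Group 'type control module' lines into one ordered stack per type."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, control, module = line.split()[:3]
            stacks.setdefault(kind, []).append((control, module))
    return stacks

def run_stack(stack, results):
    """Return (ok, invoked). results maps module -> bool; unlisted modules
    are assumed to succeed (an assumption of this model)."""
    invoked, failed = [], False
    for control, module in stack:
        invoked.append(module)
        ok = results.get(module, True)
        if control == "sufficient" and ok and not failed:
            return True, invoked          # stop: rest of THIS stack is skipped
        if control == "required" and not ok:
            failed = True                 # remember the failure, keep going
        if control == "requisite" and not ok:
            return False, invoked         # fail immediately
    return not failed, invoked

def login(anonymous, app_opens_session=True):
    """app_opens_session is hypothetical: it models whether the service
    calls pam_open_session() after authentication succeeds."""
    stacks = parse(CONFIG)
    ok, auth = run_stack(stacks["auth"], {"pam_ftp.so": anonymous})
    session = []
    if ok and app_opens_session:
        session = run_stack(stacks["session"], {})[1]
    return auth, session

if __name__ == "__main__":
    for anon in (True, False):
        print("anonymous" if anon else "regular", login(anon))
    print("no session opened", login(True, app_opens_session=False))
```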