On Fri, 30 Aug 2013, Stuart Henderson wrote:
> On 2013/08/30 14:22, Brad Smith wrote:
> > On 26/08/13 10:17 AM, Donovan Watteau wrote:
> > >Hello,
> > >
> > >net/pure-ftpd creates the following user and group:
> > >@newgroup _pure-ftpd:642
> > >@newuser _pure-ftpd:642:_pure-ftpd:daemon:pure-ftpd user:/nonexistent:/sbin/nologin
> > >
> > >but then, /etc/rc.d/pure_ftpd has:
> > >daemon_flags="-A -B -H -u1000"
> > >
> > >so, with this default configuration, users below 1000 can't log in.
> > >
> > >Hence, if I create a user this way:
> > ># pure-pw useradd myuser -u _pure-ftpd -d /whatever
> > ># pure-pw mkdb
> > >
> > >I can't log in with it ("account disabled"), unless I use something
> > >like "-u600".
> > >
> > >Am I missing something about the purpose of the _pure-ftpd user here,
> > >or should the -u parameter in daemon_flags be lowered by default in the
> > >provided package?
> >
> > I'm looking back at this and to be honest I don't even know why the
> > port creates the user/group. I understand why the rc script is the
> > way it is.
> >
> > Stuart, do you remember why the user / group was added?
>
> This user/group is used for privilege separation, see the section from the
> README I've pasted below.
>
> $ ps wwaxu|grep pure
> root 13008 0.0 0.0 608 1340 ?? Ss 8:01PM 0:00.01 pure-ftpd: -pure-ftpd (SERVER) (pure-ftpd)
> _pure-ftpd 20890 0.0 0.0 624 1204 ?? S 8:02PM 0:00.00 pure-ftpd: -pure-ftpd (PRIV) (pure-ftpd)
> ftp 24033 0.0 0.0 620 1432 ?? S 8:02PM 0:00.07 pure-ftpd: -pure-ftpd (IDLE) (pure-ftpd)
>
> I use a separate account with uid >=1000 as a file owner for anonymous
> ftp or as account owner for virtual users.
>
>
>
> ...snip...
>
> ------------------------ PRIVILEGE SEPARATION ------------------------
>
>
> When privilege separation is enabled, each session will spawn two processes :
> a "privileged" process running as root, but that can only do very basic
> and trusted actions (binding a port and remove the ftpwho scoreboard) and
> the "client" process. The "client" process definitely revokes all privileges
> after authentication and chroot() and punctually communicates with the
> parent over a private channel.
>
> Privilege separation decreases performance of loaded servers, but it
> increases security and reliability. Enabling it is recommended.
>
Ah, I had thought about privsep, but I wasn't seeing any process using the
"_pure-ftpd" user, and nothing in the port configuring _pure-ftpd as the
privsep user. So I thought it was meant to be used for another purpose.
But actually, there *is* a process using _pure-ftpd, which only appears
when there's a connection open (when I ran "ps" there was no connection).
And pure-ftpd uses the "_pure-ftpd" user name by default, in its source
code, that's why PLIST is the only place where it appears...
Next time I'll grep through the port source first... Sorry.
Thanks.
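
An added example, not part of the original thread or of the port: a small audit that reads the -u minimum from a daemon_flags line and lists virtual users whose uid falls below it, which is the "account disabled" case discussed above and also catches accounts mapped onto the privsep uid. It assumes the colon-separated pure-pw passwd layout with the numeric uid in the third field; the sample data, the "files" account and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample inputs; only the daemon_flags value and uid 642 come from the thread.
RC_SCRIPT = 'daemon_flags="-A -B -H -u1000"\n'
PASSWD = """\
myuser:HASH_PLACEHOLDER:642:642::/whatever/./::::::::::::
files:HASH_PLACEHOLDER:1001:1001::/home/files/./::::::::::::
"""


def min_uid_from_flags(rc_text):
    """Return the -u value from a daemon_flags=... line, or None if not set."""
    m = re.search(r'^daemon_flags=(["\']?)(.*)\1\s*$', rc_text, re.M)
    if not m:
        return None
    args = shlex.split(m.group(2))
    for i, arg in enumerate(args):
        if arg == "-u" and i + 1 < len(args) and args[i + 1].isdigit():
            return int(args[i + 1])      # "-u 1000"
        if re.fullmatch(r"-u\d+", arg):
            return int(arg[2:])          # "-u1000"
    return None


def blocked_accounts(passwd_text, min_uid):
    """Return (login, uid) pairs whose uid is below the daemon's minimum."""
    blocked = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Assumed layout: login:password:uid:gid:...
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        login, uid = fields[0], int(fields[2])
        if uid < min_uid:
            blocked.append((login, uid))
    return blocked


if __name__ == "__main__":
    limit = min_uid_from_flags(RC_SCRIPT)
    for login, uid in blocked_accounts(PASSWD, limit):
        print(f"{login}: uid {uid} is below -u{limit}, login will be refused")
```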