On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:
> On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
> > On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> >>
> >>> ftpd from FreeBSD-10 and up doesn't record ftp logins to the
> >>> utmpx database (for the case of chrooted login).
> >>> This is a lack of security information.
> >>> I found this was done by r202209 and r202604.
> >>> I can't understand the reason for this.
> >>> Can somebody explain?
> >>
> >> Having a jail log into the base system is a security issue in the
> >> making. Can't you do this in a safer way by doing remote logging to the
> >> base system rather than having the jail hold on to a file handle that
> >> belongs outside the jail?
> >
> > Jail? Why are you talking about jail?
> >
> >> It's certainly possible to maintain these kinds of capabilities, but
> >> you would have to convince code reviewers that the same results can't be
> >> achieved some other way that's easier to secure.
>
> I might have just too many miles on the clock already....
>
> It used to be like this: to be able to do anything useful in a chroot,
> you'd rebuild those parts of the system tree that you need under the
> chrootdir.
> E.g. including ls(1) and all the libs it needed to function in ftpd.
> Same for Apaches that ran chrooted: you'd carry/duplicate all you needed
> into the chroot env.
>
> So in this case you probably need
> ${CHROOTDIR}/var/log
> and create the database there.
I have many ftp accounts that need to be isolated by ftp.
I need a unified database of logins and logouts.
FreeBSD 1.x-9.x did this.
Why was this removed in 10.x?