On 31-3-2015 10:44, Slawa Olhovchenkov wrote:
> On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:
>
>> On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
>>> On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
>>>
>>>> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
>>>>
>>>>> ftpd from FreeBSD-10 and up doesn't record ftp logins to the utmpx database
>>>>> (for case of chrooted login).
>>>>> This is a lack of security information.
>>>>> I found this is done by r202209 and r202604.
>>>>> I can't understand the reason for this.
>>>>> Can somebody explain?
>>>>
>>>> Having a jail log into the base system is a security issue in the
>>>> making. Can't you do this in a safer way by doing remote logging to the
>>>> base system rather than having the jail hold on to a file handle that
>>>> belongs outside the jail?
>>>
>>> Jail? Why do you talk about jail?
>>>
>>>> It's certainly possible to maintain these kinds of capabilities, but
>>>> you would have to convince code reviewers that the same results can't be
>>>> achieved some other way that's easier to secure.
>>
>> I might have just too many miles on the clock already....
>>
>> It used to be like this: to be able to do anything useful in a chroot,
>> you'd rebuild those parts of the system tree that you need in under the
>> chrootdir.
>> Eg. including ls(1) and all the libs it needed to function in ftpd.
>> Same for apaches that ran chrooted, you'd carry/duplicate all you needed
>> into the chroot env
>>
>> So in this case you probably need
>> ${CHROOTDIR}/var/log
>> and create the database there.
>
> I have many ftp accounts, that need to be isolated by ftp.
> I need a united database about login and logout.
> FreeBSD 1.x-9.x do this.
> Why was this removed in 10.x?

Slawa,

I can't tell you that, but it is in r202209. And you can ask the one
that removed it (ed@). :)

Like r202209 says 5 years ago:
    Maybe we can address this in the future if it turns out to be a
    real issue.

Hasn't been an issue up till now, it seems.

But then there are many flavours of FTP server out there ATM, so freely
quoted from Andy Tanenbaum:
    If you don't like this version, get another one.

Or write a script that actually unites the output from either the
database and/or last(8).

--WjW