[Techtalk] Re: LIDS and CAPSET woes

Mandi mandi at linuxchick.org
Tue Jan 7 23:57:23 EST 2003


Sweet!  I'm glad you got it working.  Now you can give us the lowdown on 
LIDS, right?  Someone asked the linuxsecurity.com mailing list about it 
last week, I think, but the discussion I was hoping for never came.  Right 
now I don't have a machine that my users wouldn't get cranky about me 
locking down, so I've been reluctant to hijack anything with it. 
You'd think I was asking to schedule World War 3 when I ask to 
reboot a server for a kernel upgrade....

--mandi

On Tue, 7 Jan 2003, Raven Alder wrote:

> Heya --
> 
> 	Thankyouthankyouthankyou!  [grin] 
> 
> Quoth Mandi (Tue, Jan 07, 2003 at 05:52:19PM -0500):
> > (disclaimer:  I am not a kernel hacker...where's VAL when you need her?!?)
> 
> 	Your post gave me enough information to solve my problem.  So
> have a happy glowy moment.
>  
> > There is one call to capset, in sysdeputil.c in the vsftpd source.  It 
> > looks like it's calling for CAP_CHOWN and CAP_NET_BIND_SERVICE.  chown is 
> > probably the one you don't have in your LIDS conf.
> 
> 	Yep -- I gave the vsftp daemon the ability to CAP_CHOWN and
> CAP_NET_BIND_SERVICE for ports 20 and 21, and suddenly everything was
> coming up roses.  (For anyone googling this later:)
> 
> root@batcat ~ $ lidsconf -A -s /usr/local/sbin/vsftpd -o CAP_CHOWN -j GRANT
> root@batcat ~ $ lidsconf -A -s /usr/local/sbin/vsftpd -o CAP_NET_BIND_SERVICE 20 -j GRANT
> root@batcat ~ $ lidsconf -A -s /usr/local/sbin/vsftpd -o CAP_NET_BIND_SERVICE 21 -j GRANT
> 
> ...
> 
> raven@batcat ~ $ ftp localhost
> Connected to localhost.
> 220 (vsFTPd 1.1.3)
> Name (localhost:raven): anonymous
> 331 Please specify the password.
> Password:
> 230 Login successful. Have fun.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 200 PORT command successful. Consider using PASV.
> 150 Here comes the directory listing.  [and so forth]
>  
> > (Oh, and btw, next time you build your kernel, you can change the 
> > EXTRAVERSION in the Makefile so as not to overwrite your working system.  
> > ;) )
> 
> 	Yeah, I ran into that just exactly too late.  [grin]  Oh well,
> I learned something new for next time.  Thanks so much for your very
> prompt help! 
> 
> Cheers,
> Raven 
>  
> "Mug the Traveller."
>   -- advice from the box of an Irish tea cup
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
> 
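The capset() call Mandi found in vsftpd's sysdeputil.c is what the lidsconf rules above have to satisfy: the daemon keeps only CAP_CHOWN and CAP_NET_BIND_SERVICE and LIDS must grant exactly those. As an added example, not code from vsftpd or from this thread, here is a small Linux C program that does the same narrowing on itself with the raw capget/capset syscalls and reports what is left; the helper names are my own, and because it intersects with the current sets instead of assigning them it also runs unprivileged (ending up with an empty set).

```c
/* Added example (not vsftpd's own code): keep only the capabilities that
 * vsftpd's capset() call asks for, CAP_CHOWN and CAP_NET_BIND_SERVICE, and
 * report what is left.  Linux-only; raw syscalls, so no libcap is needed. */
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Bitmask of the two capabilities vsftpd needs (both are below bit 32). */
static uint32_t caps_needed_mask(void) {
    return (1u << CAP_CHOWN) | (1u << CAP_NET_BIND_SERVICE);
}

static int has_cap(uint32_t mask, int cap) { return (mask >> cap) & 1u; }

/* Read the calling thread's capability sets (v3 layout: two 32-bit words). */
static int read_caps(struct __user_cap_data_struct data[2]) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &hdr, data);
}

/* Shrink effective/permitted/inheritable to (current & keep).  Intersecting
 * instead of assigning never tries to raise a capability, so this also
 * succeeds in an unprivileged process (where the result is simply empty). */
static int keep_only_caps(uint32_t keep) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (read_caps(data) != 0) return -1;
    data[0].effective &= keep; data[0].permitted &= keep; data[0].inheritable &= keep;
    data[1].effective = 0;     data[1].permitted = 0;     data[1].inheritable = 0;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Effective set (low 32 bits) after the drop, or UINT32_MAX if a syscall failed. */
static uint32_t effective_after_keep(uint32_t keep) {
    struct __user_cap_data_struct data[2];
    if (keep_only_caps(keep) != 0 || read_caps(data) != 0) return UINT32_MAX;
    return data[0].effective;
}

int main(void) {
    uint32_t eff = effective_after_keep(caps_needed_mask());
    if (eff == UINT32_MAX) { perror("capget/capset"); return 1; }
    printf("effective caps: 0x%08x  CAP_CHOWN=%d  CAP_NET_BIND_SERVICE=%d\n",
           eff, has_cap(eff, CAP_CHOWN), has_cap(eff, CAP_NET_BIND_SERVICE));
    return 0;
}
```

Run it as root to see the two bits survive, and as a normal user to see that nothing is raised; either way the effective set never contains a capability outside the mask, which is the property a LIDS ACL like the one above relies on.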
