[rsbac] AUTH module - suid root needed ?

Amon Ott rsbac@rsbac.org
Thu Apr 11 09:46:01 2002


On Thursday, 11. April 2002 00:47, Kim Scholte wrote:
> I was wondering if an executable has to be set suid root to permit user
> changes? I tried to change the su program to root.root and perm 0755, with
> AUTH May Setuid turned on, which gives the following error:
>     su: cannot set groups: Operation not permitted

This is Linux access control: You need the SETUID / SETGID Posix 
Capabilities, which you can get through suid root (along with all others).

In 1.2.0, you can use CAP module to set the CAPs for the binary.

> So it seems it can not change groups, or maybe I overlooked something?
>
> The reason I checked this is because I want to make a ftp user, called ftp
> of the group daemons, which then runs the proftpd program without any need
> for root access.

proftpd currently does not setuid to the login id anyway, only to ftp when 
accessed anonymously. This is due to the binding problem for service ports.

You might do the following:

- use RSBAC 1.2.0-pre6 (which seems to be pretty stable)
- include RC and CAP modules
- set CAP NET_BIND_SERVICE, if you need anonymous login, and do not run 
proftpd as user ftp, also SETUID
- Create an RC type for your FTP area
- Create an RC role with appropriate settings
- Assign the RC role as force role to proftpd
- Run proftpd as normal user, e.g. ftp

If you need full, but RSBAC controlled filesystem access by the users through 
FTP, you might have to patch proftpd to do a real setuid.

Amon.
--
http://www.rsbac.org