| Summary: | net-ftp/proftpd-1.3.2b, while compiled with the "kerberos" USE flag, is unable to load the mod_auth_gss module | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Raphaël Barrois <gentoo> |
| Component: | [OLD] Server | Assignee: | Gentoo's FTP Packages Maintainers <net-ftp> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | bernd |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Raphaël Barrois
2009-11-26 17:24:00 UTC
Thanks for your report. Please verify that the ProFTPD 1.3.2b ebuild is installing the mod_auth_gss module into your system. Execute:

```
equery files proftpd | grep 'auth_gss'
```

While loading modules ProFTPD should be root. Because of that it should have permissions to all files and hence I think that the module is missing.

By the way: ProFTPD 1.3.3 is not affected by this issue because all modules are compiled into ProFTPD and a 'LoadModule' is not needed anymore for using the mod_auth_gss module.

Yes, those modules are installed; and available to all users.

```
# qlist proftpd | grep 'auth_gss'
/usr/libexec/mod_auth_gss.so
/usr/libexec/mod_auth_gss.a
/usr/libexec/mod_auth_gss.la
# ls -l /usr/libexec/mod_auth_gss.*
-rw-r--r-- 1 root root 8.6K 2009-11-26 18:09 /usr/libexec/mod_auth_gss.a
-rwxr-xr-x 1 root root 1007 2009-11-26 18:09 /usr/libexec/mod_auth_gss.la
-rwxr-xr-x 1 root root  11K 2009-11-26 18:09 /usr/libexec/mod_auth_gss.so
```

Does this error still occur with ProFTPD 1.3.2c? It is still marked as unstable but please try this version with your failing configuration. Otherwise please start the ProFTPD server in foreground with debug enabled as root and post the output:

```
# proftpd -n -d 10
```

Further please post your active USE-flags, your failing configuration and the `proftpd -V` and `proftpd -l` output.

(In reply to comment #3)
> Does this error still occur with ProFTPD 1.3.2c? It is still marked as
> unstable but please try this version with your failing configuration.
> Otherwise please start the ProFTPD server in foreground with debug enabled as
> root and post the output:
> # proftpd -n -d 10
> Further please post your active USE-flags, your failing configuration and the
> `proftpd -V` and `proftpd -l` output.
>

proftpd -V :

```
Compile-time Settings:
  Version: 1.3.2b (maint)
  Platform: LINUX
  Built: Thu Nov 26 18:09:03 CET 2009
  Built With:
    configure '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sbindir=/usr/sbin' '--localstatedir=/var/run' '--sysconfdir=/etc/proftpd' '--enable-shadow' '--enable-autoshadow' '--enable-ctrls' '--with-modules=mod_ratio:mod_readme:mod_ctrls_admin:mod_auth_pam:mod_tls:mod_wrap:mod_ldap:mod_sql:mod_sql_mysql' '--disable-facl' '--enable-auth-file' '--enable-ipv6' '--enable-ncurses' '--enable-nls' '--with-includes=/usr/include/mysql' '--enable-auth-unix' '--enable-dso' '--with-shared=mod_gss:mod_auth_gss' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -march=k8 -pipe -DUSE_LDAP_TLS' 'LDFLAGS=-Wl,-O1' 'LIBS= -lresolv'

  CFLAGS: -O2 -march=k8 -pipe -DUSE_LDAP_TLS -Wall
  LDFLAGS: -L$(top_srcdir)/lib -Wl,-O1
  LIBS: -lssl -lcrypto -lcap -lm -lmysqlclient -lz -lldap -llber -lwrap -lnsl -lssl -lcrypto -lpam -lsupp -lcrypt -ldl -lresolv

  Files:
    Configuration File: /etc/proftpd/proftpd.conf
    Pid File: /var/run/proftpd.pid
    Scoreboard File: /var/run/proftpd/proftpd.scoreboard
    Header Directory: /usr/include/proftpd
    Shared Module Directory: /usr/libexec

  Features:
    + Autoshadow support
    + Controls support
    + curses support
    - Developer support
    + DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    + ncurses support
    + NLS support
    + OpenSSL support
    - POSIX ACL support
    + Shadow file support
    + Sendfile support
    + Trace support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_GLOBBING_MAX = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 30
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10
```

proftpd -l :

```
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_facts.c
  mod_dso.c
  mod_ident.c
  mod_ratio.c
  mod_readme.c
  mod_ctrls_admin.c
  mod_auth_pam.c
  mod_tls.c
  mod_wrap.c
  mod_ldap.c
  mod_sql.c
  mod_sql_mysql.c
  mod_cap.c
  mod_ctrls.c
  mod_lang.c
```

proftpd -n -d 10 :

```
 - using TCP receive buffer size of 87380 bytes
 - using TCP send buffer size of 16384 bytes
 - testing Unix domain socket using S_ISFIFO
 - testing Unix domain socket using S_ISSOCK
 - using S_ISSOCK macro for Unix domain socket detection
 - mod_tls/2.2.1: using OpenSSL 0.9.8l 5 Nov 2009
 - mod_ldap/2.8.20-20090124: compiled using LDAP vendor 'OpenLDAP', LDAP API version 3001
 - loading 'mod_gss.c'
 - <IfModule>: using 'mod_gss.c' section at line 9
 - GSSAPI GSSOption AllowFWNAT set
 - GSSAPI GSSOption AllowCCC set
 - GSSAPI GSSOption AllowFWCCC set
 - loading 'mod_auth_gss.c'
 - mod_dso/0.4: unable to dlopen 'mod_auth_gss.c': file not found (Operation not permitted)
 - mod_dso/0.4: defaulting to 'self' for symbol resolution
 - mod_dso/0.4: unable to find module symbol 'auth_gss_module' in 'mod_auth_gss.c'
 - Fatal: LoadModule: error loading module 'mod_auth_gss.c': Permission denied on line 17 of '/etc/proftpd/proftpd.conf'
```

```
# cat /etc/proftpd/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

CommandBufferSize 1023

LoadModule mod_gss.c
<IfModule mod_gss.c>
  GSSEngine on
  GSSLog /var/log/proftpd/kerberos.log
  GSSKeytab /etc/proftpd/krb5.keytab
  GSSRequired off
  GSSOptions AllowFWNAT AllowCCC AllowFWCCC
  #GSSPrincipal ftp
</IfModule>
LoadModule mod_auth_gss.c

ServerName "Xel/Zaloris"
ServerType standalone
DefaultServer on

# Login
RequireValidShell off
RootLogin off

# Set the user and group under which the server will run.
User proftpd
Group proftpd

AuthOrder mod_auth_gss.c mod_ldap.c mod_auth_file.c
AuthPAM off
AuthGroupFile /etc/proftpd/groups
AuthUserFile /etc/proftpd/users

# Logs
TransferLog /var/log/proftpd/xfer.log
SystemLog /var/log/proftpd/proftpd.log

# Port 21 is the standard FTP port.
Port 21
PassivePorts 49152 65534

# Don't use IPv6 support by default.
UseIPv6 off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on

<IfModule mod_ctrls.c>
  ControlsEngine on
  ControlsMaxClients 2
  ControlsLog /var/log/proftpd/controls.log
  ControlsInterval 5
  ControlsACLs all allow user xelnor,root
  ControlsSocketOwner proftpd proftpd
  ControlsSocketACL allow user xelnor,root
  ControlsSocket /var/run/proftpd/proftpd.sock
  <IfModule mod_ctrls_admin.c>
    AdminControlsEngine on
    AdminControlsACLs all allow user xelnor,root
  </IfModule>
</IfModule>

<IfModule mod_ldap.c>
  LDAPServer localhost
  LDAPSearchScope "ou=users,dc=xelnor,dc=net"
  LDAPDNInfo "uid=proftpd,ou=services,dc=xelnor,dc=net" "UWa2jctV4JqhA"
  LDAPDoAuth on "ou=users,dc=xelnor,dc=net" "(&(uid=%v)(&(objectclass=inetOrgPerson)(xelHasFTP=TRUE)))"
  LDAPAuthBinds on
  LDAPDoGIDLookups on "ou=groups,dc=xelnor,dc=net" "(&(cn=%v)(objectclass=posixGroup))" "(&(gidNumber=%v)(objectclass=posixGroup))" "(&(member=uid=%v,ou=users,dc=xelnor,dc=net)(objectclass=posixGroup))"
  LDAPDefaultUID 21
  LDAPDefaultGID 21
  #LDAPForceDefaultGID on
  LDAPForceDefaultUID on
  LDAPForceGeneratedHomedir on
  LDAPGenerateHomedirPrefix /home/ftpusers
  LDAPGenerateHomedirPrefixNoUsername on
  LDAPGenerateHomedir on
</IfModule>

CreateHome on

<Directory /home/ftpusers>
  <Limit All>
    IgnoreHidden on
    AllowAll
  </Limit>
  HideNoAccess on
</Directory>

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User ftp
  Group ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients 10

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
```

(In reply to comment #3)

I have posted the results of those commands for my current version of proftpd; my USE flags haven't changed since I pasted the emerge --info; for proftpd, I have the following USE flags:

```
=================================================================
                        Package Settings
=================================================================
net-ftp/proftpd-1.3.2b was built with the following:
USE="authfile ipv6 kerberos ldap (multilib) mysql ncurses nls pam ssl tcpd -acl -ban -case -clamav -deflate -hardened -ifsession -noauthunix -opensslcrypt -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd"
CFLAGS="-O2 -march=k8 -pipe -DUSE_LDAP_TLS"
```

I will try proftpd-1.3.2c tomorrow.

(In reply to comment #6)
> I will try proftpd-1.3.2c tomorrow.
>

Well, I still have exactly the same problem for proftpd-1.3.2c

(In reply to comment #7)
> (In reply to comment #6)
> > I will try proftpd-1.3.2c tomorrow.
> >
>
> Well, I still have exactly the same problem for proftpd-1.3.2c
>

Actually, proftpd-1.3.2c doesn't have the "LoadModule" configuration option anymore, and the mod_auth_gss works without it, so I'm considering my issue fixed.

Yes, since ProFTPD 1.3.3 all modules are directly built into the ProFTPD server and hence it is not necessary (and possible) to load any module with the "LoadModule" directive. Thus this problem is solved and this bug report can be closed.
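
The cross-check the thread performs by hand (`LoadModule` lines against `proftpd -l` and the files in the shared module directory) can be scripted. The following is an added example, not part of the original report or of ProFTPD. Because modules are loaded while the server is still root, it also flags shared objects writable by group or other. The function names and the abridged sample inputs are constructed for illustration.

```python
import re

# Constructed, abridged samples in the format of the outputs quoted in the thread.
COMPILED_IN = """Compiled-in modules:
  mod_core.c
  mod_dso.c
  mod_ldap.c
"""
CONFIG = """LoadModule mod_gss.c
<IfModule mod_gss.c>
  GSSEngine on
</IfModule>
LoadModule mod_auth_gss.c
LoadModule mod_ldap.c
#LoadModule mod_ban.c
"""
# File name -> mode string as `ls -l` prints it for the shared module directory.
# The mod_gss.so entry is deliberately made world-writable for the demonstration.
SHARED = {"mod_auth_gss.so": "-rwxr-xr-x", "mod_gss.so": "-rwxrwxrwx"}

def compiled_in(listing):
    """Module names (mod_x.c) from `proftpd -l` style output."""
    return {l.strip() for l in listing.splitlines()
            if re.fullmatch(r"\s*mod_\w+\.c", l)}

def load_directives(conf):
    """(line number, module base name) for every active LoadModule line."""
    found = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*LoadModule\s+(mod_\w+)\.c\b", line)
        if m:  # commented-out directives start with '#' and do not match
            found.append((n, m.group(1)))
    return found

def audit(conf, listing, shared):
    """Classify each LoadModule directive; returns {module: (line, status)}."""
    static = compiled_in(listing)
    report = {}
    for n, mod in load_directives(conf):
        perms = shared.get(mod + ".so")
        if mod + ".c" in static:
            status = "redundant: compiled in"
        elif perms is None:
            status = "missing shared object"
        elif perms[5] == "w" or perms[8] == "w":  # group / other write bits
            status = "unsafe: writable by group/other"
        else:
            status = "ok"
        report[mod] = (n, status)
    return report

if __name__ == "__main__":
    for mod, (line, status) in audit(CONFIG, COMPILED_IN, SHARED).items():
        print(f"line {line}: {mod}: {status}")
```

On a real host the three inputs would come from the configuration file, `proftpd -l`, and a listing of the "Shared Module Directory" reported by `proftpd -V`.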