Bug 294736 - net-ftp/proftpd-1.3.2b, while compiled with the "kerberos" USE flag, is unable to load the mod_auth_gss module
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: AMD64 Linux
Importance: High major
Assignee: Gentoo's FTP Packages Maintainers
Reported: 2009-11-26 17:24 UTC by Raphaël Barrois
Modified: 2011-01-15 13:50 UTC (History)
Description Raphaël Barrois 2009-11-26 17:24:00 UTC
After an upgrade of Proftpd, it doesn't start anymore, complaining that it isn't able to load the "mod_auth_gss" module anymore:
 * Checking proftpd configuration ...

Checking syntax of configuration file
 - Fatal: LoadModule: error loading module 'mod_auth_gss.c': Permission denied on line 17 of '/etc/proftpd/proftpd.conf'
 * Configuration error: please fix your configuration file (/etc/proftpd/proftpd.conf).                                                                 [ !! ]


Reproducible: Always

Steps to Reproduce:
1. Upgrade proftpd to 1.3.2b with USE=kerberos
2. Add "LoadModule mod_auth_gss.c" to /etc/proftpd/proftpd.conf
3. Try to start proftpd

Actual Results:  
Proftpd fails to start with the following message:

 * Checking proftpd configuration ...
Checking syntax of configuration file
 - Fatal: LoadModule: error loading module 'mod_auth_gss.c': Permission denied on line 17 of '/etc/proftpd/proftpd.conf'
 * Configuration error: please fix your configuration file (/etc/proftpd/proftpd.conf).                                                                 [ !! ]


Expected Results:  
Proftpd starts correctly, e.g.:
 * Checking proftpd configuration ...
Checking syntax of configuration file
Syntax check complete.                                                                                                                                  [ ok ]
 * Starting proftpd ...                                                                                                                                 [ ok ]


I am using app-crypt/mit-krb5-1.6.3-r6


Portage 2.1.6.13 (default/linux/amd64/10.0/server, gcc-4.1.2, glibc-2.9_p20081201-r2, 2.6.25-gentoo-r7-zaloris x86_64)
=================================================================
System uname: Linux-2.6.25-gentoo-r7-zaloris-x86_64-Intel-R-_Celeron-R-_CPU_220_@_1.20GHz-with-gentoo-1.12.13
Timestamp of tree: Wed, 25 Nov 2009 05:00:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p28
dev-lang/python:     2.5.4-r2, 2.6.4, 3.1.1-r1
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=k8 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=k8 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going --ask"
FEATURES="ccache distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.ovh.net/gentoo-distfiles/ ftp://mirror.ovh.net/gentoo-distfiles/"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="fr en en_GB en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/xelnor /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl acpi amd64 apache2 bash-completion berkdb bzip2 calendar cli cracklib crypt cups cvs doc documentation dri examples exif fortran gdbm gif git gpm hddtemp iconv imap ipv6 jpeg kerberos ldap lm_sensors logrotate mmx modules mudflap multibit multilib mysql ncurses netboot nls nntp nptl nptlonly openmp pam pcre perl php png pppd python readline reflection sasl session snmp socks5 spell spl sse sse2 ssl subversion svg sysfs tcpd threads tiff truetype unicode vhosts vim-pager vim-syntax xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="fr en en_GB en_US" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Bernd Lommerzheim 2010-02-16 01:32:36 UTC
Thanks for your report.
Please verify that the ProFTPD 1.3.2b ebuild is installing the mod_auth_gss module into your system. Execute:
equery files proftpd | grep 'auth_gss'
While loading modules ProFTPD should be root. Because of that it should have permissions to all files and hence I think that the module is missing.
By the way: ProFTPD 1.3.3 is not affected by this issue because all modules are compiled into ProFTPD and a 'LoadModule' is not needed anymore for using the mod_auth_gss module.
Comment 2 Raphaël Barrois 2010-02-16 09:40:35 UTC
Yes, those modules are installed, and available to all users.

# qlist proftpd | grep 'auth_gss'
/usr/libexec/mod_auth_gss.so
/usr/libexec/mod_auth_gss.a
/usr/libexec/mod_auth_gss.la

# ls -l /usr/libexec/mod_auth_gss.*
-rw-r--r-- 1 root root 8.6K 2009-11-26 18:09 /usr/libexec/mod_auth_gss.a
-rwxr-xr-x 1 root root 1007 2009-11-26 18:09 /usr/libexec/mod_auth_gss.la
-rwxr-xr-x 1 root root  11K 2009-11-26 18:09 /usr/libexec/mod_auth_gss.so
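
The check from comments 1 and 2, generalized to every LoadModule line in a configuration (an added example, not part of the original bug report or of ProFTPD). It assumes that a module named mod_x.c is loaded from mod_x.so in the shared module directory, as the file listing above suggests; check_modules, demo and the sample files (including mod_loose.c) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit each LoadModule directive against the shared module
# directory reported by `proftpd -V` (/usr/libexec in this report).
# Assumption: module "mod_x.c" is loaded from "<moddir>/mod_x.so".

# check_modules CONF MODDIR
# Prints "<STATUS> <module> <path>" per active LoadModule line:
#   OK          regular file, readable, not group/world writable
#   MISSING     no such file in MODDIR
#   UNREADABLE  present but not readable by the calling user
#   WRITABLE    group- or world-writable: a non-root account could replace
#               code that the daemon loads while it is still root
check_modules() {
    conf=$1
    moddir=$2
    # Keep only uncommented "LoadModule mod_x.c" lines and strip the ".c".
    sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}\([^[:space:]]*\)\.c[[:space:]]*$/\1/p' "$conf" |
    while read -r mod; do
        so="$moddir/$mod.so"
        if [ ! -f "$so" ]; then
            echo "MISSING $mod.c $so"
        elif [ ! -r "$so" ]; then
            echo "UNREADABLE $mod.c $so"
        elif [ -n "$(find "$so" \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $mod.c $so"
        else
            echo "OK $mod.c $so"
        fi
    done
}

# Constructed sample: a config modelled on the one in this report plus a
# hypothetical mod_loose.c, checked against a throwaway module directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/libexec"
    printf '%s\n' 'CommandBufferSize 1023' 'LoadModule mod_gss.c  ' \
        '  LoadModule mod_auth_gss.c' '#LoadModule mod_off.c' \
        'LoadModule mod_loose.c' > "$tmp/proftpd.conf"
    : > "$tmp/libexec/mod_gss.so";   chmod 755 "$tmp/libexec/mod_gss.so"
    : > "$tmp/libexec/mod_loose.so"; chmod 775 "$tmp/libexec/mod_loose.so"
    # mod_auth_gss.so is deliberately absent from the sample directory.
    check_modules "$tmp/proftpd.conf" "$tmp/libexec" | sed "s|$tmp/||"
    rm -rf "$tmp"
}

demo
```

On the reporter's system the equivalent call would be `check_modules /etc/proftpd/proftpd.conf /usr/libexec`.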
Comment 3 Bernd Lommerzheim 2010-02-16 13:05:17 UTC
Does this error still occur with ProFTPD 1.3.2c? It is still marked as unstable but please try this version with your failing configuration.
Otherwise please start the ProFTPD server in foreground with debug enabled as root and post the output:
# proftpd -n -d 10
Further, please post your active USE-flags, your failing configuration and the `proftpd -V` and `proftpd -l` output.
Comment 4 Raphaël Barrois 2010-02-26 21:55:37 UTC
(In reply to comment #3)
> Does this error still occur with ProFTPD 1.3.2c? It is still marked as
> unstable but please try this version with your failing configuration.
> Otherwise please start the ProFTPD server in foreground with debug enabled as
> root and post the output:
> # proftpd -n -d 10
> Further please post your active USE-flags, your failing configuration and the
> `proftpd -V` and `proftpd -l` output.
> 

proftpd -V :

Compile-time Settings:                                                                                                                                                             
  Version: 1.3.2b (maint)                                                                                                                                                          
  Platform: LINUX                                                                                                                                                                  
  Built: Thu Nov 26 18:09:03 CET 2009                                                                                                                                              
  Built With:                                                                                                                                                                      
    configure  '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sbindir=/usr/sbin' '--localstatedir=/var/run' '--sysconfdir=/etc/proftpd' '--enable-shadow' '--enable-autoshadow' '--enable-ctrls' '--with-modules=mod_ratio:mod_readme:mod_ctrls_admin:mod_auth_pam:mod_tls:mod_wrap:mod_ldap:mod_sql:mod_sql_mysql' '--disable-facl' '--enable-auth-file' '--enable-ipv6' '--enable-ncurses' '--enable-nls' '--with-includes=/usr/include/mysql' '--enable-auth-unix' '--enable-dso' '--with-shared=mod_gss:mod_auth_gss' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -march=k8 -pipe -DUSE_LDAP_TLS' 'LDFLAGS=-Wl,-O1' 'LIBS= -lresolv'                                                                        

  CFLAGS: -O2 -march=k8 -pipe -DUSE_LDAP_TLS -Wall
  LDFLAGS: -L$(top_srcdir)/lib -Wl,-O1            
  LIBS:  -lssl -lcrypto -lcap  -lm -lmysqlclient -lz  -lldap -llber  -lwrap -lnsl  -lssl -lcrypto  -lpam -lsupp -lcrypt -ldl  -lresolv

  Files:
    Configuration File:
      /etc/proftpd/proftpd.conf
    Pid File:
      /var/run/proftpd.pid
    Scoreboard File:
      /var/run/proftpd/proftpd.scoreboard
    Header Directory:
      /usr/include/proftpd
    Shared Module Directory:
      /usr/libexec

  Features:
    + Autoshadow support
    + Controls support
    + curses support
    - Developer support
    + DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    + ncurses support
    + NLS support
    + OpenSSL support
    - POSIX ACL support
    + Shadow file support
    + Sendfile support
    + Trace support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_GLOBBING_MAX = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 30
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

proftpd -l :

Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_facts.c
  mod_dso.c
  mod_ident.c
  mod_ratio.c
  mod_readme.c
  mod_ctrls_admin.c
  mod_auth_pam.c
  mod_tls.c
  mod_wrap.c
  mod_ldap.c
  mod_sql.c
  mod_sql_mysql.c
  mod_cap.c
  mod_ctrls.c
  mod_lang.c

proftpd -n -d 10 :

 - using TCP receive buffer size of 87380 bytes
 - using TCP send buffer size of 16384 bytes
 - testing Unix domain socket using S_ISFIFO
 - testing Unix domain socket using S_ISSOCK
 - using S_ISSOCK macro for Unix domain socket detection
 - mod_tls/2.2.1: using OpenSSL 0.9.8l 5 Nov 2009
 - mod_ldap/2.8.20-20090124: compiled using LDAP vendor 'OpenLDAP', LDAP API version 3001
 - loading 'mod_gss.c'
 - <IfModule>: using 'mod_gss.c' section at line 9
 - GSSAPI GSSOption AllowFWNAT set
 - GSSAPI GSSOption AllowCCC set
 - GSSAPI GSSOption AllowFWCCC set
 - loading 'mod_auth_gss.c'
 - mod_dso/0.4: unable to dlopen 'mod_auth_gss.c': file not found (Operation not permitted)
 - mod_dso/0.4: defaulting to 'self' for symbol resolution
 - mod_dso/0.4: unable to find module symbol 'auth_gss_module' in 'mod_auth_gss.c'
 - Fatal: LoadModule: error loading module 'mod_auth_gss.c': Permission denied on line 17 of '/etc/proftpd/proftpd.conf'

Comment 5 Raphaël Barrois 2010-02-26 21:56:28 UTC
# cat /etc/proftpd/proftpd.conf                                                                                             

# This is a basic ProFTPD configuration file (rename it to                                                                                                                         
# 'proftpd.conf' for actual use.  It establishes a single server                                                                                                                   
# and a single anonymous login.  It assumes that you have a user/group                                                                                                             
# "nobody" and "ftp" for normal operation and anon.                                                                                                                                

CommandBufferSize 1023
LoadModule mod_gss.c  

<IfModule mod_gss.c>
GSSEngine on        
GSSLog /var/log/proftpd/kerberos.log
GSSKeytab /etc/proftpd/krb5.keytab  
GSSRequired off                     
GSSOptions AllowFWNAT AllowCCC AllowFWCCC
#GSSPrincipal ftp                        
</IfModule>                              
LoadModule mod_auth_gss.c                

ServerName                      "Xel/Zaloris"
ServerType                      standalone   
DefaultServer                   on           

# Login
RequireValidShell               off
RootLogin                               off
# Set the user and group under which the server will run.
User                            proftpd                  
Group                           proftpd                  

AuthOrder       mod_auth_gss.c mod_ldap.c mod_auth_file.c
AuthPAM         off                                      

AuthGroupFile   /etc/proftpd/groups
AuthUserFile    /etc/proftpd/users 

# Logs
TransferLog             /var/log/proftpd/xfer.log
SystemLog               /var/log/proftpd/proftpd.log

# Port 21 is the standard FTP port.
Port                            21 
PassivePorts            49152 65534

# Don't use IPv6 support by default.
UseIPv6                         off 

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.                            
Umask                           022                               

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections 
# at once, simply increase this value.  Note that this ONLY works  
# in standalone mode, in inetd mode you should use an inetd server 
# that allows you to limit maximum number of processes per service 
# (such as xinetd).                                                
MaxInstances                    30                                 

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.                                  
DefaultRoot ~                                                      

# Normally, we want files to be overwriteable.
AllowOverwrite          on                    

<IfModule mod_ctrls.c>
ControlsEngine          on
ControlsMaxClients      2 
ControlsLog                     /var/log/proftpd/controls.log
ControlsInterval        5                                    
ControlsACLs            all allow user xelnor,root           
ControlsSocketOwner     proftpd proftpd                      
ControlsSocketACL       allow user xelnor,root               
ControlsSocket          /var/run/proftpd/proftpd.sock        
<IfModule mod_ctrls_admin.c>                                 
AdminControlsEngine     on                                   
AdminControlsACLs       all allow user xelnor,root           
</IfModule>                                                  
</IfModule>                                                  

<IfModule mod_ldap.c>
LDAPServer              localhost
LDAPSearchScope "ou=users,dc=xelnor,dc=net"
LDAPDNInfo              "uid=proftpd,ou=services,dc=xelnor,dc=net" "UWa2jctV4JqhA"
LDAPDoAuth              on "ou=users,dc=xelnor,dc=net" "(&(uid=%v)(&(objectclass=inetOrgPerson)(xelHasFTP=TRUE)))"
LDAPAuthBinds   on                                                                                                
LDAPDoGIDLookups        on "ou=groups,dc=xelnor,dc=net" "(&(cn=%v)(objectclass=posixGroup))" "(&(gidNumber=%v)(objectclass=posixGroup))" "(&(member=uid=%v,ou=users,dc=xelnor,dc=net)(objectclass=posixGroup))"                                                                                                                                                         
LDAPDefaultUID  21                                                                                                                                                                  
LDAPDefaultGID  21                                                                                                                                                                  
#LDAPForceDefaultGID    on
LDAPForceDefaultUID     on
LDAPForceGeneratedHomedir on
LDAPGenerateHomedirPrefix /home/ftpusers
LDAPGenerateHomedirPrefixNoUsername on
LDAPGenerateHomedir     on
</IfModule>
CreateHome              on

<Directory /home/ftpusers>
        <Limit All>
                IgnoreHidden on
                AllowAll
        </Limit>
        HideNoAccess on

</Directory>

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
Comment 6 Raphaël Barrois 2010-02-26 21:59:17 UTC
(In reply to comment #3)

I have posted the results of those commands for my current version of proftpd; my USE flags haven't changed since I pasted the emerge --info; for proftpd, I have the following USE flags:

=================================================================
                        Package Settings
=================================================================

net-ftp/proftpd-1.3.2b was built with the following:
USE="authfile ipv6 kerberos ldap (multilib) mysql ncurses nls pam ssl tcpd -acl -ban -case -clamav -deflate -hardened -ifsession -noauthunix -opensslcrypt -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd"
CFLAGS="-O2 -march=k8 -pipe -DUSE_LDAP_TLS"


I will try proftpd-1.3.2c tomorrow.
Comment 7 Raphaël Barrois 2010-02-27 08:40:39 UTC
(In reply to comment #6)
> I will try proftpd-1.3.2c tomorrow.
> 

Well, I still have exactly the same problem for proftpd-1.3.2c
Comment 8 Raphaël Barrois 2011-01-07 10:12:18 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > I will try proftpd-1.3.2c tomorrow.
> > 
> 
> Well, I still have exactly the same problem for proftpd-1.3.2c
> 

Actually, proftpd-1.3.2c doesn't have the "LoadModule" configuration option anymore, and the mod_auth_gss works without it, so I'm considering my issue fixed.
Comment 9 Bernd Lommerzheim 2011-01-15 13:50:48 UTC
Yes, since ProFTPD 1.3.3 all modules are directly built into the ProFTPD server and hence it is not necessary (nor possible) to load any module with the "LoadModule" directive. Thus this problem is solved and this bug report can be closed.