pure-ftpd and capabilities

[markc]

I've upgraded my VPS to etch and tried to install pure-ftpd but run into a capabilites issue. When trying to start pure-ftpd I get...

Code:

pure-ftpd: [ERROR] Unable to switch capabilities : Operation not permitted

Some googling turned up a page about this problem when used in a VPS situation. A possible workaround was suggested...

Code:

# first, apt-get install vzctl
#!/bin/bash
set -x

VPSID=123
for CAP in CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE
do
  vzctl set $VPSID --capability ${CAP}:on --save
done

But then the error is...

Code:

Unable to open /dev/vzctl: No such file or directory
Please check that vzdev kernel module is loaded and you have sufficient permissions to access the file.

and there is indeed no /dev/vzctl, but there is a /dev/vzfs. Would anyone know more about this or how to workaround not having to recompile pure-ftpd to work --without-capabilities ?

The post of interest was: http://forum.openvz.org/?t=msg&goto=4268

[matta]

That is very weird... it should just work. cPanel uses PureFTPD and that runs perfectly without modification under VPS accounts.

[markc]

Perhaps cpanel provides for RPM based packages that are compiled --without-capabilities (wild guess). I'm not the only one to have bumped into something like this, from the linked forum post above...

I'm trying to get pureftpd running inside a Debian sarge VPS. There seems to be a problem with Linux capabilities. What can be done to solve that issue without recompiling pureftpd with "--without-capabilities"?

With some testing of the vzctl and lcap packages I notice...

Code:

# cat /proc/sys/kernel/cap-bound
cat: /proc/sys/kernel/cap-bound: Operation not permitted

even though the -r------- permission is set, so another possibility is that the VPS I happen to have does not have the ability to have capabilities altered on the parent server.

I'm trying to avoid setting up any build tools (gcc etc), let alone having to custom build any package at all, so I'd have to set up Debian etch on a local box to be able to build my own patched pure-ftpd.

Can anyone else running ubuntu/debian try an install of pure-ftpd and see if it runs at all please?

[barge]

Quote:

Originally Posted by markc

Can anyone else running ubuntu/debian try an install of pure-ftpd and see if it runs at all please?

Running Debian sarge; it installed apparently OK as standalone, but fails to start up.

syslog: pure-ftpd: (?@?) [ERROR] Unable to switch capabilities : Operation not permitted

[markc]

Thanks for that Barge. I really do suspect the CentOS/Fedora RPM based packages of pure-ftpd are compiled --without-capabilities so it works with cPanel just fine. An ldd of my pure-ftpd binary shows...

Code:

        libcap.so.1 => /lib/libcap.so.1 (0xb7e36000)

whereas I just installed proftpd and it runs and is not compiled with the above lib, but it still seems to have some "capabilities". This is using getpcaps from thelibcap-bin package...

Code:

# px proftpd
proftpd  25709  0.0  0.4   5092  1248 ?        Ss   22:00   0:00 proftpd: (accepting connections)

# /sbin/getpcaps 25709
Capabilities for `25709': =ip cap_setpcap,cap_net_admin,cap_sys_module,cap_sys_rawio,cap_sys_pacct,cap_sys_admin,cap_sys_time-ip

All fun and games on a VPS. At least proftpd works. Thanks again barge and matta.