-----------------------------------------------------------------------------
TJ Saunders
2002-04-05
-----------------------------------------------------------------------------

Problem
-----------------------------------------------------------------------------

  One of the requirements imposed by RFC 959, the RFC that defines FTP, is
  that the source port for the data channel used for active transfers be
  L-1, where L is the number of the server's control port. For most FTP
  servers, which listen on port 21 (the FTP control port), this means the
  source port for active transfers back to the client *must* be port 20.

  In principle any port could be used as the source port; in practice, many
  FTP-aware firewalls and clients enforce this L-1 restriction, and would
  break if proftpd were to use a high-numbered source port.

  The server must therefore retain root privileges for the duration of a
  session, in order to have the privileges necessary to bind to that
  low-numbered port whenever a client requests an active transfer. Ideally,
  those root privileges would be dropped as soon as the user has been
  authenticated. That they are retained, even if by necessity, is a
  security hazard: any flaw reachable after login is reachable in a process
  that still runs as root.

  If those root privileges are dropped, and the server is listening on a
  port less than 1025, then by necessity active transfers (triggered by
  clients using the PORT command) will be denied. This may or may not be
  desirable, depending on your site's needs.

-----------------------------------------------------------------------------
Solution
-----------------------------------------------------------------------------

  Introduce a new configuration directive that allows administrators to
  cause proftpd to drop, or "revoke", root privileges after authentication.

  RootRevoke
    Syntax: RootRevoke on|off
    Default: off
    Context: server config, , ,
    Module: mod_auth
    Compatibility: 1.2.5rc1 and later

  The RootRevoke directive causes all root privileges to be dropped once a
  user is authenticated. This will also cause active transfers to be
  disabled if the server is listening on a port less than 1025, since the
  L-1 source port can no longer be bound. Note that this only affects
  active transfers; passive transfers, whose data sockets use high-numbered
  ports, will not be blocked.

-----------------------------------------------------------------------------
Comments
-----------------------------------------------------------------------------

  This patch was generated against a CVS snapshot of the proftpd-1.2 source
  tree, taken at 2002-12-30.

-----------------------------------------------------------------------------
Affected Files
-----------------------------------------------------------------------------

  modules/mod_auth.c
  modules/mod_core.c

-----------------------------------------------------------------------------
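To make concrete why the Problem section ties active transfers to retained root privileges, the following is an added example, not proftpd's own code and not part of this patch. It binds a TCP socket with source port 20 (L-1 for the usual control port 21) before and after permanently dropping root, in the same order a RootRevoke'd session would. It assumes a Unix host with a "nobody" account; run it as root to see bind() succeed and then fail with EACCES once privileges are gone, or run it unprivileged to see only the failure.

```c
/* Added example (not proftpd code): after dropping root, a process can no
 * longer bind the RFC 959 data source port L-1 (20 for L=21), which is why
 * RootRevoke disables active transfers when the control port is < 1025. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* RFC 959: the default data port for control port L is L-1. Returns 1 when
 * binding that source port needs root (ports below 1024 are privileged). */
int data_port_needs_root(int listen_port) {
    return (listen_port - 1) < 1024;
}

/* Try to bind a TCP socket to the given source port on the loopback
 * address. Returns 0 on success, otherwise the errno reported by bind(). */
int try_bind_source_port(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    int saved = (rc == 0) ? 0 : errno;
    close(fd);
    return saved;
}

/* Permanently drop root to uid/gid: supplementary groups first, then gid,
 * then uid, and verify root cannot be regained. Returns 0 on success, -1 if
 * any step fails or if setuid(0) unexpectedly succeeds afterwards. */
int drop_root(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* privileges came back */
    return 0;
}

int main(void) {
    int port = 20; /* L-1 for the usual control port 21 */
    printf("control port 21: source port 20 needs root? %s\n",
           data_port_needs_root(21) ? "yes" : "no");

    if (geteuid() == 0) {
        /* Still root, as proftpd is before RootRevoke takes effect. */
        int rc = try_bind_source_port(port);
        printf("as root, bind(port %d): %s\n", port, rc ? strerror(rc) : "ok");

        struct passwd *pw = getpwnam("nobody"); /* assumed account */
        if (!pw) { fprintf(stderr, "no 'nobody' user on this host\n"); return 1; }
        if (drop_root(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_root"); return 1; }
    }

    /* Now unprivileged, like a RootRevoke'd session: expect EACCES. */
    int rc = try_bind_source_port(port);
    printf("as uid %u, bind(port %d): %s\n", (unsigned)getuid(), port,
           rc ? strerror(rc) : "ok");
    return 0;
}
```

The order in drop_root matters: setgroups() and setgid() must come before setuid(), because once the uid is unprivileged those calls fail, and the final setuid(0) probe catches a drop that only changed the effective uid and left root recoverable.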