What is linux-privs? What is the proftpd mod_linuxprivs module?
The linux-privs project is a project aimed at providing the POSIX.1e security model under Linux. Documentation on the project as a whole can be found at:

  ftp://linux.kernel.org/pub/linux/libs/security/linux-privs

The best part of the whole story is that Linux development kernels (2.1) already have two important facets of the security model in place, namely capabilities and capability sets. Using these features allows a user-land program to specifically drop capabilities (which can be thought of as "privileges") which it does not need. Once such capabilities are completely dropped, neither the user-land program or any binary it should spawn will be allowed to perform privileged operations, regardless of whether the program is running as root or not. Essentially, this limits the power of root to only those specific functions that are necessary, with the end effect of making the program much more secure.

A non-supported contributed module has been added in the proftpd distribution, named mod_linuxprivs. It can be found in the contrib/ directory, Because Linux 2.1 is a development kernel, the module is not compiled by default.

Additionally, a small library is included in contrib/: libcap. This library provides the interface between mod_linuxprivs and the capability syscalls present in Linux 2.1 kernels. (Note that this library is simply a slightly modified version of the libcap library which can be found at linux.kernel.org). Building proftpd with the mod_linuxprivs module included (see below for instructions on how to do this) will automatically build and link in the required libcap library.

When proftpd runs with mod_linuxprivs installed, its operation changes slightly:

• 1. The master proftpd process runs per normal (with full capabilities).
• 2. Child proftpd processes (or those run from inetd) drop all capabilities except for cap_net_bind_service (which allows a process to bind to ports < 1024) immediately after a client has authenticated. Additionally, switching back and forth between root and the authenticated user is no longer necessary, so uid swapping is disabled.

  Once the additional capabilities have been dropped, proftpd (or any programs it should exec()) is not capable of performing any other privileged functions (including chroot, chown, mknod or mount). If proftpd should somehow be "coerced" into exec()ing another binary, the kernel will drop all capabilities (including cap_net_bind_service), and the binary that is exec'd will be incapable of performing "dangerous" syscalls, regardless of the user it runs as. With capabilities and capability sets, root isn't necessarily "all powerful" any more. ;)

What do I need to do to run mod_linuxprivs?
mod_linuxprivs currently requires that you be running a Linux kernel version 2.1.104 or newer. It's been tested and verified to work with 2.1.122. Should the kernel interface change in newer versions, we'll try to get the libcap library updated as quickly as possible. ;)

Steps to building proftpd with mod_linuxprivs:

1. Verify you are running at LEAST kernel 2.1.104
2. Make absolutely sure that /usr/src/linux is a symlink to your 2.1.* kernel source tree. This is required by libcap.
3. Run the top-level configure script using the --with-modules argument to include mod_linuxprivs. Example:

      ./configure --prefix=/usr --with-modules=mod_linuxprivs
   

   If you're compiling in multiple modules (such as mod_ratio), you would:

      ./configure --prefix=/usr --with-modules=mod_ratios:mod_linuxprivs
   

4. Run make from the top-level directory just as you normally would. This will build and link the library in contrib/libcap automatically.
5. , etc, etc.