[selinux-policy: 940/3172] Added configurations for testing tcpd.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:26:17 UTC 2010


commit 5211b057aa977b35fced23722c821145b7aeb9ae
Author: Ryan Haggerty <rhaggerty at tresys.com>
Date:   Wed Nov 9 21:36:09 2005 +0000

    Added configurations for testing tcpd.

 testing/tcpd/README       |    9 +++
 testing/tcpd/proftpd.conf |  139 +++++++++++++++++++++++++++++++++++++++++++++
 testing/tcpd/xproftpd     |   16 +++++
 3 files changed, 164 insertions(+), 0 deletions(-)
---
diff --git a/testing/tcpd/README b/testing/tcpd/README
new file mode 100644
index 0000000..b268c96
--- /dev/null
+++ b/testing/tcpd/README
@@ -0,0 +1,9 @@
+put xproftpd in /etc/xinetd.d/
+and put proftpd.conf in /etc/
+
+install proftpd
+
+reload xinetd
+	/etc/init.d/xinetd reload
+
+connect to localhost for ftp service
diff --git a/testing/tcpd/proftpd.conf b/testing/tcpd/proftpd.conf
new file mode 100644
index 0000000..37ffbc3
--- /dev/null
+++ b/testing/tcpd/proftpd.conf
@@ -0,0 +1,139 @@
+# This is the ProFTPD configuration file
+# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $
+
+ServerName			"ProFTPD server"
+ServerIdent			on "FTP Server ready."
+ServerAdmin			root at localhost
+#ServerType			standalone
+ServerType			inetd
+DefaultServer			on
+AccessGrantMsg			"User %u logged in."
+#DisplayConnect			/etc/ftpissue
+#DisplayLogin			/etc/ftpmotd
+#DisplayGoAway			/etc/ftpgoaway
+DeferWelcome			off
+
+# Use this to excude users from the chroot
+DefaultRoot			~ !adm
+
+# Use pam to authenticate (default) and be authoritative
+AuthPAMConfig			proftpd
+AuthOrder			mod_auth_pam.c* mod_auth_unix.c
+
+# Do not perform ident nor DNS lookups (hangs when the port is filtered)
+IdentLookups			off
+UseReverseDNS			off
+
+# Port 21 is the standard FTP port.
+Port				21
+
+# Umask 022 is a good standard umask to prevent new dirs and files
+# from being group and world writable.
+Umask				022
+
+# Default to show dot files in directory listings
+ListOptions			"-a"
+
+# See Configuration.html for these (here are the default values)
+#MultilineRFC2228		off
+#RootLogin			off
+#LoginPasswordPrompt		on
+#MaxLoginAttempts		3
+#MaxClientsPerHost		none
+#AllowForeignAddress		off	# For FXP
+
+# Allow to resume not only the downloads but the uploads too
+AllowRetrieveRestart		on
+AllowStoreRestart		on
+
+# To prevent DoS attacks, set the maximum number of child processes
+# to 30.  If you need to allow more than 30 concurrent connections
+# at once, simply increase this value.  Note that this ONLY works
+# in standalone mode, in inetd mode you should use an inetd server
+# that allows you to limit maximum number of processes per service
+# (such as xinetd)
+MaxInstances			20
+
+# Set the user and group that the server normally runs at.
+User				nobody
+Group				nobody
+
+# This is where we want to put the pid file
+ScoreboardFile			/var/run/proftpd.score
+
+# Normally, we want users to do a few things.
+<Global>
+  AllowOverwrite		yes
+  <Limit ALL SITE_CHMOD>
+    AllowAll
+  </Limit>
+</Global>
+
+# Define the log formats
+LogFormat			default	"%h %l %u %t \"%r\" %s %b"
+LogFormat			auth	"%v [%P] %h %t \"%r\" %s"
+
+# TLS
+# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
+#TLSEngine			on
+#TLSRequired			on
+#TLSRSACertificateFile		/usr/share/ssl/certs/proftpd.pem
+#TLSRSACertificateKeyFile	/usr/share/ssl/certs/proftpd.pem
+#TLSCipherSuite			ALL:!ADH:!DES
+#TLSOptions			NoCertRequest
+#TLSVerifyClient		off
+##TLSRenegotiate		ctrl 3600 data 512000 required off timeout 300
+#TLSLog				/var/log/proftpd/tls.log
+
+# A basic anonymous configuration, with an upload directory.
+<Anonymous ~ftp>
+  User				ftp
+  Group				ftp
+  AccessGrantMsg		"Anonymous login ok, restrictions apply."
+
+  # We want clients to be able to login with "anonymous" as well as "ftp"
+  UserAlias			anonymous ftp
+
+  # Limit the maximum number of anonymous logins
+  MaxClients			10 "Sorry, max %m users -- try again later"
+
+  # Put the user into /pub right after login
+  DefaultChdir			/pub
+
+  # We want 'welcome.msg' displayed at login, '.message' displayed in
+  # each newly chdired directory and tell users to read README* files. 
+  DisplayLogin			/welcome.msg
+  DisplayFirstChdir		.message
+  DisplayReadme			README*
+
+  # Some more cosmetic and not vital stuff
+  DirFakeUser			on ftp
+  DirFakeGroup			on ftp
+
+  # Limit WRITE everywhere in the anonymous chroot
+  <Limit WRITE SITE_CHMOD>
+    DenyAll
+  </Limit>
+
+  # An upload directory that allows storing files but not retrieving
+  # or creating directories.
+  <Directory uploads/*>
+    AllowOverwrite		no
+    <Limit READ>
+      DenyAll
+    </Limit>
+
+    <Limit STOR>
+      AllowAll
+    </Limit>
+  </Directory>
+
+  # Don't write anonymous accesses to the system wtmp file (good idea!)
+  WtmpLog			off
+
+  # Logging for the anonymous transfers
+  ExtendedLog		/var/log/proftpd/access.log WRITE,READ default
+  ExtendedLog		/var/log/proftpd/auth.log AUTH auth
+
+</Anonymous>
+
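Review bot: The `MaxInstances 20` directive contradicts its own comment twice: the comment says the cap is 30, and it says the setting only works in standalone mode while this file sets `ServerType inetd`. As written the limit is presumably inert, and the xinetd service file added in the same commit sets no connection limit of its own. Either correct the comment and drop the directive, or enforce the cap where it applies by adding `instances = 20` to the xinetd service block. Separately, the comment above `ScoreboardFile` calls it the pid file; something like `# Scoreboard file location` would match the directive.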
diff --git a/testing/tcpd/xproftpd b/testing/tcpd/xproftpd
new file mode 100644
index 0000000..2248e6e
--- /dev/null
+++ b/testing/tcpd/xproftpd
@@ -0,0 +1,16 @@
+# default: off
+# $Id: proftpd-xinetd,v 1.2 2002/06/10 15:35:47 dude Exp $
+# description: The ProFTPD FTP server serves FTP connections. It uses \
+#	normal, unencrypted usernames and passwords for authentication.
+service ftp
+{
+	socket_type		= stream
+	wait			= no
+	user			= root
+	server			= /usr/sbin/in.proftpd
+	server			= /usr/sbin/tcpd
+	log_on_success		+= DURATION USERID
+	log_on_failure		+= USERID
+	nice			= 10
+	disable			= no
+}
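Review bot: The service block assigns `server` twice (`/usr/sbin/in.proftpd`, then `/usr/sbin/tcpd`), so which binary xinetd launches depends on how it handles a repeated attribute. The tcpd path this test configuration is meant to exercise may therefore never run. If the intent is proftpd wrapped by tcpd, the usual xinetd form is `flags = NAMEINARGS`, `server = /usr/sbin/tcpd`, `server_args = /usr/sbin/in.proftpd`. The header comment `# default: off` also disagrees with `disable = no`; one of the two should change so the stated default matches what the file does.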

