On 03/22/2018 07:55 AM, Paul Howarth wrote:
I've seen a few reports that proftpd's sftp support isn't
working with
SELinux in enforcing mode:
https://bugzilla.redhat.com/show_bug.cgi?id=1529576
https://github.com/proftpd/proftpd/issues/659
Using strace, it appears that proftpd is rejecting logins after failing
to access /etc/shadow, but why would it be doing that at all, rather
than using the unix_chkpwd helper?
Googling this, the only similar issue I saw was this:
http://blog.siphos.be/2014/12/why-does-it-access-etcshadow/
but this seems to be different because ftpd policy does include
auth_use_pam.
Any thoughts on this? I did try this locally and couldn't reproduce it,
so it seems to be configuration/environment-specific rather than
something being fundamentally wrong.
Is it possible that proftpd is running in a chroot environment with a read-only or
non-exisitent selinuxfs mount,
faking libselinux into believing that SELinux is disabled (and thus pam doesn't bother
trying to run unix_chkpwd
when it runs with uid 0)?