gnu not unix wrote:
>>[y4kk0@X ~]$ ls -Zd public_html/
>>drwxrwxrwx y4kk0 users system_u:object_r:httpd_user_content_t
>>public_html/
>>[y4kk0@X ~]$
>>
>>
>>selinux-policy-targeted-1.25.4-10
>>system: Fedora Core 4
>>
>>
>>Maybe default policy should allow ftp server to enter this directory
>>so users would be able to upload their WWW stuff via ftp?
>>
>>
>Sounds reasonable, I will add it.
>
>
Ouch, this seems like opening up an attack vector to me.
Shouldn't ftp *upload* be to a write-only "holding cell"
at least?
../Steven
This is only for ftp being allowed to modify users' homedirs. If the
user sets the boolean ftp_home_dir then the user can modify and read
most contents of the user's home dir. This just adds public_html. If you
want to protect the user's home dir from ftp, I would not turn on that
boolean. Without this change a hacker could put something in the .bashrc
or other startup files and next time the real user logs in it would
manipulate the public_html directory.
--
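
The gating described in the reply above, as an added example that is not part of the thread or of the Fedora policy: a small shell audit that takes the text of `ls -Zd` (in the five-column layout quoted above) and of `getsebool ftp_home_dir`, and reports whether FTP can write into web content and whether the mode is world-writable. It assumes the public_html change discussed here is in place; the function names and the `active`/`on` state strings are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are the text of `ls -Zd` in the
# five-column layout quoted above and of `getsebool ftp_home_dir`.

# Print the type field (third colon-separated part) of a security context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when a "name --> state" line reports the boolean as enabled.
# Assumption: older tools print active/inactive, newer ones on/off.
bool_enabled() {
    case "${1##* --> }" in
        on|active) return 0 ;;
        *)         return 1 ;;
    esac
}

# assess LS_LINE BOOL_LINE: one-line summary of who can write the directory.
assess() {
    # Columns: mode owner group context name
    read -r a_mode a_owner a_group a_ctx a_name <<EOF
$1
EOF
    a_type=$(selinux_type "$a_ctx")
    a_ftp=no
    a_world=no
    # Per the reply above, ftpd access to home content is gated by
    # ftp_home_dir (assumes the public_html change is in the policy).
    if [ "$a_type" = httpd_user_content_t ] && bool_enabled "$2"; then
        a_ftp=yes
    fi
    # The 9th character of the mode string is the "other" write bit (DAC).
    case "$a_mode" in
        ????????w*) a_world=yes ;;
    esac
    printf '%s type=%s ftp_to_web=%s world_writable=%s\n' \
        "$a_name" "$a_type" "$a_ftp" "$a_world"
}

# Constructed sample input: the listing from the thread, two boolean states.
sample='drwxrwxrwx y4kk0 users system_u:object_r:httpd_user_content_t public_html/'
assess "$sample" 'ftp_home_dir --> active'
assess "$sample" 'ftp_home_dir --> inactive'
```

The world-writable flag is independent of the boolean: mode `drwxrwxrwx` grants write access under ordinary file permissions whatever the FTP setting is.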