Daniel,
You are right, ftp daemon need access to passwd to read and validade users.
Thanks.
Fred
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/14/2014 06:27 PM, Frederico Madeira wrote:
> thanks Joe. Chroot is a possibility, but if I want to block this access, I
> need to change that rules or I can write a specific rule denying this
> access ?
>
> Att,
Well the way to block the access would be to create a new label like
passwd_file_t (Which is used in latest fedoras) And then not allow the domain
that your ftp user is logging in with to read. The problem with this is ftp
needs to read /etc/passwd to allow the login in the first place, and I believe
we do not change the label of the logged in user.
>
>
> *Frederico Madeira * fred@madeira.eng.br <mailto:fred@madeira.eng.br>
> www.madeira.eng.br <http://www.madeira.eng.br> Cisco CCNA, LPIC-1, LPIC-2
>
> Registered GNU/Linux nš 206120 GPG-Key-ID: 1024D/0F0A721D Key fingerprint =
> C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
>
> MSN: fttmadeira@hotmail.com <mailto:fttmadeira@hotmail.com>
> GTalk:fmadeira@gmail.com <mailto:GTalk%3Afmadeira@gmail.com> SKYPE:
> fred_madeira
>
>
>
> 2014/1/14 Joe Nall <joe@nall.com <mailto:joe@nall.com>>
>
>
> On Jan 14, 2014, at 1:36 PM, Frederico Madeira <fred@madeira.eng.br
> <mailto:fred@madeira.eng.br>> wrote:
>
>> Hi guys,
>>
>> I'm running a centos 6.5 with vsftpd.vsftpd-2.2.2-11.el6_4.1.i686
>>
>> I've set boolean to allow users to connect to their home dir
>>
>> [root@seg_linux-2 /]# getsebool -a | grep ftp allow_ftpd_anon_write -->
>> off allow_ftpd_full_access --> off allow_ftpd_use_cifs --> off
>> allow_ftpd_use_nfs --> off ftp_home_dir --> on ftpd_connect_db --> off
>> ftpd_use_fusefs --> off ftpd_use_passive_mode --> off
>> httpd_enable_ftp_server --> off tftp_anon_write --> off tftp_use_cifs -->
>> off tftp_use_nfs --> off
>>
>> My problem is that when a user connect to my server, he is able to
>> change
> dir to /etc and get passwd file.
>>
>> The domain of passwd file is etc_t and domain for vsftpd process is
>> ftp_t.
> Why users can download passwd file if subject and object belongs to
> different domains ?
>
> sesearch -A -s ftpd_t -t etc_t -p read
>
> will show you the allow rules that permit the read. There are quite a few.
> Can you chroot the users to their home directory?
>
> joe
>
>
>>
>> [root@seg_linux-2 /]# ls -Z /etc/passwd -rw-r--r--. root root
>> system_u:object_r:etc_t:s0 /etc/passwd
>>
>> [root@seg_linux-2 /]# ps -eZ | grep vsftp
>> unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
>>
>>
>> Frederico Madeira fred@madeira.eng.br <mailto:fred@madeira.eng.br>
>> www.madeira.eng.br <http://www.madeira.eng.br> Cisco CCNA, LPIC-1,
>> LPIC-2
>>
>> Registered GNU/Linux nš 206120 GPG-Key-ID: 1024D/0F0A721D Key fingerprint
>> = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
>>
>> MSN: fttmadeira@hotmail.com <mailto:fttmadeira@hotmail.com>
>> GTalk:fmadeira@gmail.com <mailto:GTalk%3Afmadeira@gmail.com> SKYPE:
>> fred_madeira
>>
>> -- selinux mailing list selinux@lists.fedoraproject.org
>> <mailto:selinux@lists.fedoraproject.org>
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> <mailto:selinux@lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlLWhlgACgkQrlYvE4MpobNCqgCfRBzNuC8yXi6Ea27JYNjLxq7s
iVUAoKnOQjxjJy638yguUw7XuSoylKSq
=Ya2M
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux