Hi guys,
I'm running CentOS 6.5 with vsftpd (vsftpd-2.2.2-11.el6_4.1.i686).
I've set the boolean to allow users to connect to their home dir:
[root@seg_linux-2 /]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
My problem is that when a user connects to my server, he is able to change dir to /etc and get the passwd file.
The domain of the passwd file is etc_t and the domain for the vsftpd process is ftp_t. Why can users download the passwd file if subject and object belong to different domains?
[root@seg_linux-2 /]# ls -Z /etc/passwd
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd
[root@seg_linux-2 /]# ps -eZ | grep vsftp
unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
Frederico Madeira fred@madeira.eng.br www.madeira.eng.br Cisco CCNA, LPIC-1, LPIC-2
Registered GNU/Linux nº 206120 GPG-Key-ID: 1024D/0F0A721D Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
MSN: fttmadeira@hotmail.com GTalk:fmadeira@gmail.com SKYPE: fred_madeira
sesearch -A -s ftpd_t -t etc_t -p read
will show you the allow rules that permit the read. There are quite a few. Can you chroot the users to their home directory?
joe
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
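An added example (my own, not code from the thread or from vsftpd): it pulls the subject domain and object type out of the contexts the poster showed, builds the sesearch query Joe gave, and checks whether a vsftpd.conf applies Joe's suggested mitigation via vsftpd's chroot_local_user option. The two vsftpd.conf samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Takes the ls -Z / ps -eZ contexts,
# extracts domain and type, builds Joe's sesearch query, and checks a
# vsftpd.conf for an active chroot_local_user=YES. Inputs are constructed.

# The type is the third colon-separated field of an SELinux context:
#   unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 -> ftpd_t
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Query listing the allow rules that let domain $1 read files of type $2
# (the exact form Joe posted).
read_rules_query() {
    printf 'sesearch -A -s %s -t %s -p read\n' "$1" "$2"
}

# Returns 0 when $1 contains an active (uncommented) chroot_local_user=YES.
chroot_enabled() {
    grep -Eq '^[[:space:]]*chroot_local_user[[:space:]]*=[[:space:]]*YES[[:space:]]*$' "$1"
}

# Constructed contexts, copied from the thread's ls -Z and ps -eZ output.
PASSWD_CTX='system_u:object_r:etc_t:s0'
VSFTPD_CTX='unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023'

# Constructed vsftpd.conf samples: chroot commented out, and chroot enabled.
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
printf 'local_enable=YES\n#chroot_local_user=YES\n' > "$WEAK_CONF"
printf 'local_enable=YES\nchroot_local_user=YES\n' > "$HARDENED_CONF"

main() {
    dom=$(se_type "$VSFTPD_CTX")   # ftpd_t: the real domain, not "ftp_t"
    typ=$(se_type "$PASSWD_CTX")   # etc_t
    query=$(read_rules_query "$dom" "$typ")
    echo "subject=$dom object=$typ"
    # Run the query where setools is installed; otherwise just show it.
    if command -v sesearch >/dev/null 2>&1; then $query; else echo "run: $query"; fi
    for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
        if chroot_enabled "$conf"; then echo "$conf: local users chrooted"
        else echo "$conf: local users NOT chrooted"; fi
    done
}
main
```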
Thanks Joe. Chroot is a possibility, but if I want to block this access, do I need to change those rules, or can I write a specific rule denying this access?
Regards,
Well, the way to block the access would be to create a new label like passwd_file_t (which is used in the latest Fedoras) and then not allow the domain that your ftp user is logging in with to read it. The problem with this is that ftp needs to read /etc/passwd to allow the login in the first place, and I believe we do not change the label of the logged-in user.
Daniel,
You are right, the ftp daemon needs access to passwd to read and validate users.
Thanks.
Fred

On 15/01/2014 10:00, "Daniel J Walsh" dwalsh@redhat.com wrote: