1:36 p.m.
Hi guys,
I'm running a centos 6.5 with vsftpd.vsftpd-2.2.2-11.el6_4.1.i686
I've set boolean to allow users to connect to their home dir
[root@seg_linux-2 /]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
My problem is that when a user connect to my server, he is able to change
dir to /etc and get passwd file.
The domain of passwd file is etc_t and domain for vsftpd process is ftp_t.
Why users can download passwd file if subject and object belongs to
different domains ?
[root@seg_linux-2 /]# ls -Z /etc/passwd
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd
[root@seg_linux-2 /]# ps -eZ | grep vsftp
unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
* Frederico Madeira *
fred(a)madeira.eng.br
www.madeira.eng.br
Cisco CCNA, LPIC-1, LPIC-2
Registered GNU/Linux nº 206120
GPG-Key-ID: 1024D/0F0A721D
Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
MSN: fttmadeira(a)hotmail.com
GTalk:fmadeira@gmail.com
SKYPE: fred_madeira
1:54 p.m.
On Jan 14, 2014, at 1:36 PM, Frederico Madeira <fred(a)madeira.eng.br> wrote:
Hi guys,
I'm running a centos 6.5 with vsftpd.vsftpd-2.2.2-11.el6_4.1.i686
I've set boolean to allow users to connect to their home dir
[root@seg_linux-2 /]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
My problem is that when a user connect to my server, he is able to change dir to /etc and
get passwd file.
The domain of passwd file is etc_t and domain for vsftpd process is ftp_t. Why users can
download passwd file if subject and object belongs to different domains ?
sesearch -A -s ftpd_t -t etc_t -p read
will show you the allow rules that permit the read. There are quite a few. Can you chroot
the users to their home directory?
joe
[root@seg_linux-2 /]# ls -Z /etc/passwd
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd
[root@seg_linux-2 /]# ps -eZ | grep vsftp
unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
Frederico Madeira
fred(a)madeira.eng.br
www.madeira.eng.br
Cisco CCNA, LPIC-1, LPIC-2
Registered GNU/Linux nº 206120
GPG-Key-ID: 1024D/0F0A721D
Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
MSN: fttmadeira(a)hotmail.com
GTalk:fmadeira@gmail.com
SKYPE: fred_madeira
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
5:27 p.m.
thanks Joe.
Chroot is a possibility, but if I want to block this access, I need to
change that rules or I can write a specific rule denying this access ?
Att,
* Frederico Madeira *
fred(a)madeira.eng.br
www.madeira.eng.br
Cisco CCNA, LPIC-1, LPIC-2
Registered GNU/Linux nº 206120
GPG-Key-ID: 1024D/0F0A721D
Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
MSN: fttmadeira(a)hotmail.com
GTalk:fmadeira@gmail.com
SKYPE: fred_madeira
2014/1/14 Joe Nall <joe(a)nall.com>
On Jan 14, 2014, at 1:36 PM, Frederico Madeira <fred(a)madeira.eng.br>
wrote:
> Hi guys,
>
> I'm running a centos 6.5 with vsftpd.vsftpd-2.2.2-11.el6_4.1.i686
>
> I've set boolean to allow users to connect to their home dir
>
> [root@seg_linux-2 /]# getsebool -a | grep ftp
> allow_ftpd_anon_write --> off
> allow_ftpd_full_access --> off
> allow_ftpd_use_cifs --> off
> allow_ftpd_use_nfs --> off
> ftp_home_dir --> on
> ftpd_connect_db --> off
> ftpd_use_fusefs --> off
> ftpd_use_passive_mode --> off
> httpd_enable_ftp_server --> off
> tftp_anon_write --> off
> tftp_use_cifs --> off
> tftp_use_nfs --> off
>
> My problem is that when a user connect to my server, he is able to
change dir to /etc and get passwd file.
>
> The domain of passwd file is etc_t and domain for vsftpd process is
ftp_t. Why users can download passwd file if subject and object belongs to
different domains ?
sesearch -A -s ftpd_t -t etc_t -p read
will show you the allow rules that permit the read. There are quite a few.
Can you chroot the users to their home directory?
joe
>
> [root@seg_linux-2 /]# ls -Z /etc/passwd
> -rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd
>
> [root@seg_linux-2 /]# ps -eZ | grep vsftp
> unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
>
>
> Frederico Madeira
> fred(a)madeira.eng.br
> www.madeira.eng.br
> Cisco CCNA, LPIC-1, LPIC-2
>
> Registered GNU/Linux nº 206120
> GPG-Key-ID: 1024D/0F0A721D
> Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
>
> MSN: fttmadeira(a)hotmail.com
> GTalk:fmadeira@gmail.com
> SKYPE: fred_madeira
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
7 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/14/2014 06:27 PM, Frederico Madeira wrote:
thanks Joe. Chroot is a possibility, but if I want to block this
access, I
need to change that rules or I can write a specific rule denying this
access ?
Att,
Well the way to block the access would be to create a new label like
passwd_file_t (Which is used in latest fedoras) And then not allow the domain
that your ftp user is logging in with to read. The problem with this is ftp
needs to read /etc/passwd to allow the login in the first place, and I believe
we do not change the label of the logged in user.
*Frederico Madeira * fred(a)madeira.eng.br <mailto:fred@madeira.eng.br>
www.madeira.eng.br <http://www.madeira.eng.br> Cisco CCNA, LPIC-1, LPIC-2
Registered GNU/Linux nº 206120 GPG-Key-ID: 1024D/0F0A721D Key fingerprint =
C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
MSN: fttmadeira(a)hotmail.com <mailto:fttmadeira@hotmail.com>
GTalk:fmadeira@gmail.com <mailto:GTalk%3Afmadeira@gmail.com> SKYPE:
fred_madeira
2014/1/14 Joe Nall <joe(a)nall.com <mailto:joe@nall.com>>
On Jan 14, 2014, at 1:36 PM, Frederico Madeira <fred(a)madeira.eng.br
<mailto:fred@madeira.eng.br>> wrote:
> Hi guys,
>
> I'm running a centos 6.5 with vsftpd.vsftpd-2.2.2-11.el6_4.1.i686
>
> I've set boolean to allow users to connect to their home dir
>
> [root@seg_linux-2 /]# getsebool -a | grep ftp allow_ftpd_anon_write -->
> off allow_ftpd_full_access --> off allow_ftpd_use_cifs --> off
> allow_ftpd_use_nfs --> off ftp_home_dir --> on ftpd_connect_db --> off
> ftpd_use_fusefs --> off ftpd_use_passive_mode --> off
> httpd_enable_ftp_server --> off tftp_anon_write --> off tftp_use_cifs -->
> off tftp_use_nfs --> off
>
> My problem is that when a user connect to my server, he is able to
> change
dir to /etc and get passwd file.
>
> The domain of passwd file is etc_t and domain for vsftpd process is
> ftp_t.
Why users can download passwd file if subject and object belongs to
different domains ?
sesearch -A -s ftpd_t -t etc_t -p read
will show you the allow rules that permit the read. There are quite a few.
Can you chroot the users to their home directory?
joe
>
> [root@seg_linux-2 /]# ls -Z /etc/passwd -rw-r--r--. root root
> system_u:object_r:etc_t:s0 /etc/passwd
>
> [root@seg_linux-2 /]# ps -eZ | grep vsftp
> unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
>
>
> Frederico Madeira fred(a)madeira.eng.br <mailto:fred@madeira.eng.br>
> www.madeira.eng.br <http://www.madeira.eng.br> Cisco CCNA, LPIC-1,
> LPIC-2
>
> Registered GNU/Linux nº 206120 GPG-Key-ID: 1024D/0F0A721D Key fingerprint
> = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
>
> MSN: fttmadeira(a)hotmail.com <mailto:fttmadeira@hotmail.com>
> GTalk:fmadeira@gmail.com <mailto:GTalk%3Afmadeira@gmail.com> SKYPE:
> fred_madeira
>
> -- selinux mailing list selinux(a)lists.fedoraproject.org
> <mailto:selinux@lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux(a)lists.fedoraproject.org
<mailto:selinux@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlLWhlgACgkQrlYvE4MpobNCqgCfRBzNuC8yXi6Ea27JYNjLxq7s
iVUAoKnOQjxjJy638yguUw7XuSoylKSq
=Ya2M
-----END PGP SIGNATURE-----
9:18 a.m.
Daniel,
You are right, ftp daemon need access to passwd to read and validade users.
Thanks.
Fred
Em 15/01/2014 10:00, "Daniel J Walsh" <dwalsh(a)redhat.com> escreveu:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/14/2014 06:27 PM, Frederico Madeira wrote:
> thanks Joe. Chroot is a possibility, but if I want to block this access,
I
> need to change that rules or I can write a specific rule denying this
> access ?
>
> Att,
Well the way to block the access would be to create a new label like
passwd_file_t (Which is used in latest fedoras) And then not allow the
domain
that your ftp user is logging in with to read. The problem with this is
ftp
needs to read /etc/passwd to allow the login in the first place, and I
believe
we do not change the label of the logged in user.
>
>
> *Frederico Madeira * fred(a)madeira.eng.br <mailto:fred@madeira.eng.br>
> www.madeira.eng.br <http://www.madeira.eng.br> Cisco CCNA, LPIC-1,
LPIC-2
>
> Registered GNU/Linux nº 206120 GPG-Key-ID: 1024D/0F0A721D Key
fingerprint =
> C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
>
> MSN: fttmadeira(a)hotmail.com <mailto:fttmadeira@hotmail.com>
> GTalk:fmadeira@gmail.com <mailto:GTalk%3Afmadeira@gmail.com> SKYPE:
> fred_madeira
>
>
>
> 2014/1/14 Joe Nall <joe(a)nall.com <mailto:joe@nall.com>>
>
>
> On Jan 14, 2014, at 1:36 PM, Frederico Madeira <fred(a)madeira.eng.br
> <mailto:fred@madeira.eng.br>> wrote:
>
>> Hi guys,
>>
>> I'm running a centos 6.5 with vsftpd.vsftpd-2.2.2-11.el6_4.1.i686
>>
>> I've set boolean to allow users to connect to their home dir
>>
>> [root@seg_linux-2 /]# getsebool -a | grep ftp allow_ftpd_anon_write -->
>> off allow_ftpd_full_access --> off allow_ftpd_use_cifs --> off
>> allow_ftpd_use_nfs --> off ftp_home_dir --> on ftpd_connect_db --> off
>> ftpd_use_fusefs --> off ftpd_use_passive_mode --> off
>> httpd_enable_ftp_server --> off tftp_anon_write --> off tftp_use_cifs
-->
>> off tftp_use_nfs --> off
>>
>> My problem is that when a user connect to my server, he is able to
>> change
> dir to /etc and get passwd file.
>>
>> The domain of passwd file is etc_t and domain for vsftpd process is
>> ftp_t.
> Why users can download passwd file if subject and object belongs to
> different domains ?
>
> sesearch -A -s ftpd_t -t etc_t -p read
>
> will show you the allow rules that permit the read. There are quite a
few.
> Can you chroot the users to their home directory?
>
> joe
>
>
>>
>> [root@seg_linux-2 /]# ls -Z /etc/passwd -rw-r--r--. root root
>> system_u:object_r:etc_t:s0 /etc/passwd
>>
>> [root@seg_linux-2 /]# ps -eZ | grep vsftp
>> unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
>>
>>
>> Frederico Madeira fred(a)madeira.eng.br <mailto:fred@madeira.eng.br>
>> www.madeira.eng.br <http://www.madeira.eng.br> Cisco CCNA, LPIC-1,
>> LPIC-2
>>
>> Registered GNU/Linux nº 206120 GPG-Key-ID: 1024D/0F0A721D Key
fingerprint
>> = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D
>>
>> MSN: fttmadeira(a)hotmail.com <mailto:fttmadeira@hotmail.com>
>> GTalk:fmadeira@gmail.com <mailto:GTalk%3Afmadeira@gmail.com> SKYPE:
>> fred_madeira
>>
>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>> <mailto:selinux@lists.fedoraproject.org>
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> -- selinux mailing list selinux(a)lists.fedoraproject.org
> <mailto:selinux@lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
>
> -- selinux mailing list selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlLWhlgACgkQrlYvE4MpobNCqgCfRBzNuC8yXi6Ea27JYNjLxq7s
iVUAoKnOQjxjJy638yguUw7XuSoylKSq
=Ya2M
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
3240
days inactive
3241
days old
selinux@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Daniel J Walsh -
Frederico Madeira -
Joe Nall