11:09 a.m.
Hi!
I have silly problem: I'm not able to enter ~/public_html directory
using ftp client. I found this AVC messages in /var/log/audit/audit.log:
type=AVC msg=audit(1125243640.479:279): avc: denied { search } for
pid=10731 comm="vsftpd" name="public_html" dev=hda6 ino=229557
scontext=root:system_r:ftpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1125243640.479:279): arch=40000003 syscall=12
success=no exit=-13 a0=8927908 a1=0 a2=fd2524 a3=bfbfa5bc items=1
pid=10731 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500
egid=100 sgid=100 fsgid=100 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1125243640.479:279): cwd="/home/y4kk0"
type=PATH msg=audit(1125243640.479:279): item=0 name="public_html"
flags=3 inode=229557 dev=03:06 mode=040777 ouid=500 ogid=100 rdev=00:00
[y4kk0@X ~]$ ls -Zd public_html/
drwxrwxrwx y4kk0 users system_u:object_r:httpd_user_content_t
public_html/
[y4kk0@X ~]$
selinux-policy-targeted-1.25.4-10
system: Fedora Core 4
Maybe default policy should allow ftp server to enter this directory so
users would be able to upload their WWW stuff via ftp?
Regards,
Dawid Gajownik
--
^_*
12:04 p.m.
Dawid Gajownik wrote:
Hi!
I have silly problem: I'm not able to enter ~/public_html
directory using ftp client. I found this AVC messages in
/var/log/audit/audit.log:
type=AVC msg=audit(1125243640.479:279): avc: denied { search } for
pid=10731 comm="vsftpd" name="public_html" dev=hda6 ino=229557
scontext=root:system_r:ftpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1125243640.479:279): arch=40000003 syscall=12
success=no exit=-13 a0=8927908 a1=0 a2=fd2524 a3=bfbfa5bc items=1
pid=10731 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500
egid=100 sgid=100 fsgid=100 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1125243640.479:279): cwd="/home/y4kk0"
type=PATH msg=audit(1125243640.479:279): item=0 name="public_html"
flags=3 inode=229557 dev=03:06 mode=040777 ouid=500 ogid=100 rdev=00:00
[y4kk0@X ~]$ ls -Zd public_html/
drwxrwxrwx y4kk0 users system_u:object_r:httpd_user_content_t
public_html/
[y4kk0@X ~]$
selinux-policy-targeted-1.25.4-10
system: Fedora Core 4
Maybe default policy should allow ftp server to enter this directory
so users would be able to upload their WWW stuff via ftp?
Regards,
Dawid Gajownik
Sounds reasonable, I will add it.
--
1:14 p.m.
New subject: ftp upload, was Re: vsftpd and ~/public_html
> [y4kk0@X ~]$ ls -Zd public_html/
> drwxrwxrwx y4kk0 users system_u:object_r:httpd_user_content_t
> public_html/
> [y4kk0@X ~]$
> selinux-policy-targeted-1.25.4-10
> system: Fedora Core 4
> Maybe default policy should allow ftp server to enter this
directory
> so users would be able to upload their WWW stuff via ftp?
Sounds reasonable, I will add it.
Ouch, this seems like opening up an attack vector to me.
Shouldn't ftp *upload* be to a write-only "holding cell"
at least?
../Steven
2:42 p.m.
New subject: ftp upload, was Re: vsftpd and ~/public_html
gnu not unix wrote:
>>[y4kk0@X ~]$ ls -Zd public_html/
>>drwxrwxrwx y4kk0 users system_u:object_r:httpd_user_content_t
>>public_html/
>>[y4kk0@X ~]$
>>
>>
>>selinux-policy-targeted-1.25.4-10
>>system: Fedora Core 4
>>
>>
>>Maybe default policy should allow ftp server to enter this directory
>>so users would be able to upload their WWW stuff via ftp?
>>
>>
>Sounds reasonable, I will add it.
>
>
Ouch, this seems like opening up an attack vector to me.
Shouldn't ftp *upload* be to a write-only "holding cell"
at least?
../Steven
This is only for ftp being allowed to modify users homedirs. If the
user sets boolean
ftp_home_dir then the user can modify and read most contents of the
users home dir. This just adds public_html. If you want to protect the
users home dir from ftp, I would not turn on that boolean. Without this
change a hacker could put something in the .bashrc or other startup
files and next time the real user logs in it would manipulate the
public_html directory.
--
6814
days inactive
6815
days old
selinux@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Daniel J Walsh -
Dawid Gajownik -
gnu not unix