Download passwd using ftp

Frederico Madeira fred at madeira.eng.br
Tue Jan 14 23:27:25 UTC 2014


thanks Joe.
Chroot is a possibility, but if I want to block this access, do I need to
change those rules, or can I write a specific rule denying this access?

Regards,


Frederico Madeira
fred at madeira.eng.br
www.madeira.eng.br
Cisco CCNA, LPIC-1, LPIC-2

Registered GNU/Linux nº 206120
GPG-Key-ID: 1024D/0F0A721D
Key fingerprint = C424 D86B 57D5 BE55 767A 6ED1 53F8 254E 0F0A 721D

MSN: fttmadeira at hotmail.com
GTalk:fmadeira at gmail.com
SKYPE: fred_madeira



2014/1/14 Joe Nall <joe at nall.com>

>
> On Jan 14, 2014, at 1:36 PM, Frederico Madeira <fred at madeira.eng.br>
> wrote:
>
> > Hi guys,
> >
> > I'm running CentOS 6.5 with vsftpd (vsftpd-2.2.2-11.el6_4.1.i686).
> >
> > I've set the boolean to allow users to connect to their home dir:
> >
> > [root at seg_linux-2 /]# getsebool -a | grep ftp
> > allow_ftpd_anon_write --> off
> > allow_ftpd_full_access --> off
> > allow_ftpd_use_cifs --> off
> > allow_ftpd_use_nfs --> off
> > ftp_home_dir --> on
> > ftpd_connect_db --> off
> > ftpd_use_fusefs --> off
> > ftpd_use_passive_mode --> off
> > httpd_enable_ftp_server --> off
> > tftp_anon_write --> off
> > tftp_use_cifs --> off
> > tftp_use_nfs --> off
> >
> > My problem is that when a user connects to my server, he is able to
> > change dir to /etc and get the passwd file.
> >
> > The domain of the passwd file is etc_t and the domain for the vsftpd process is
> > ftp_t. Why can users download the passwd file if subject and object belong to
> > different domains?
>
> sesearch -A -s ftpd_t -t etc_t -p read
>
> will show you the allow rules that permit the read. There are quite a few.
> Can you chroot the users to their home directory?
>
> joe
>
>
> >
> > [root at seg_linux-2 /]# ls -Z /etc/passwd
> > -rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/passwd
> >
> > [root at seg_linux-2 /]# ps -eZ | grep vsftp
> > unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 1086 ? 00:00:00 vsftpd
> >
> >
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
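As an added example (not from this thread, and not vsftpd's or the poster's code), a small POSIX shell check of whether vsftpd's chroot settings would confine a given local user to its home directory, contrasting a no-chroot configuration like the one implied above with a hardened one. The config files, the chroot list and the user names are constructed; the fallback path for chroot_list_file is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether vsftpd would chroot a
# given local user, from chroot_local_user / chroot_list_enable /
# chroot_list_file. Config files, list file and user names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak config, as implied by the thread: no chroot, so "cd /etc" succeeds and
# the SELinux allow rules from ftpd_t to etc_t are all that stand between
# the user and /etc/passwd.
cat > "$WORK/weak.conf" <<EOF
local_enable=YES
chroot_local_user=NO
EOF

# Hardened: every local user is jailed in $HOME. With chroot_local_user=YES,
# chroot_list_enable=YES inverts the list: listed users are the exceptions.
cat > "$WORK/hardened.conf" <<EOF
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$WORK/chroot_list
EOF
printf 'admin\n' > "$WORK/chroot_list"

# conf_get CONF KEY DEFAULT: last uncommented assignment wins, like vsftpd.
conf_get() {
    v=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    printf '%s' "${v:-$3}"
}

# chroot_status CONF USER: prints "jailed" or "free".
chroot_status() {
    all=$(conf_get "$1" chroot_local_user NO)
    use_list=$(conf_get "$1" chroot_list_enable NO)
    # Fallback path is an assumption; set chroot_list_file explicitly in practice.
    list=$(conf_get "$1" chroot_list_file /etc/vsftpd/chroot_list)
    listed=no
    if [ "$use_list" = YES ] && [ -r "$list" ] && grep -qx "$2" "$list"; then
        listed=yes
    fi
    if [ "$all" = YES ]; then
        [ "$listed" = yes ] && echo free || echo jailed
    else
        [ "$listed" = yes ] && echo jailed || echo free
    fi
}

chroot_status "$WORK/weak.conf" alice   # prints "free"
```

Chroot only narrows what the FTP session can reach on disk; the ftp_home_dir boolean shown in the thread is still what lets ftpd_t enter the users' home directories under SELinux.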