ftp upload, was Re: vsftpd and ~/public_html
Daniel J Walsh
dwalsh at redhat.com
Mon Aug 29 19:42:02 UTC 2005
gnu not unix wrote:
>>>[y4kk0 at X ~]$ ls -Zd public_html/
>>>drwxrwxrwx y4kk0 users system_u:object_r:httpd_user_content_t public_html/
>>>[y4kk0 at X ~]$
>>>
>>>selinux-policy-targeted-1.25.4-10
>>>system: Fedora Core 4
>>>
>>>Maybe default policy should allow ftp server to enter this directory
>>>so users would be able to upload their WWW stuff via ftp?
>>
>>Sounds reasonable, I will add it.
>
>Ouch, this seems like opening up an attack vector to me.
>Shouldn't ftp *upload* be to a write-only "holding cell"
>at least?
>
>../Steven
>
This is only for ftp being allowed to modify users' homedirs. If the
user sets boolean ftp_home_dir then the user can modify and read most
contents of the user's home dir. This just adds public_html. If you
want to protect the user's home dir from ftp, I would not turn on that
boolean. Without this change a hacker could put something in the
.bashrc or other startup files and next time the real user logs in it
would manipulate the public_html directory.