ftpd and PAM
Paul Howarth
paul at city-fan.org
Tue Jun 26 14:36:58 UTC 2007
Daniel J Walsh wrote:
> Paul Howarth wrote:
>> Daniel J Walsh wrote:
>>> Paul Howarth wrote:
>>>> Paul Howarth wrote:
>>>>> The PAM config files for vsftpd and proftpd look like this:
>>>>>
>>>>> #%PAM-1.0
>>>>> session optional pam_keyinit.so force revoke
>>>>> auth required pam_listfile.so item=user sense=deny
>>>>> file=/etc/vsftpd/ftpusers onerr=succeed
>>>>> auth required pam_shells.so
>>>>> auth include system-auth
>>>>> account include system-auth
>>>>> session include system-auth
>>>>> session required pam_loginuid.so
>>>>>
>>>>> So it makes sense for ftpd_t to be able to set the login uid and
>>>>> create a session keyring:
>>>>>
>>>>> logging_set_loginuid(ftpd_t)
>>>>> allow ftpd_t self:key { write search link };
>>>>>
>>>>>
>>>>> Curiously, I've done this locally but still get this AVC when
>>>>> logging in on proftpd, with an open dovecot IMAP session on the
>>>>> same server:
>>>>>
>>>>> type=AVC msg=audit(1182853960.377:103383): avc: denied { link }
>>>>> for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0
>>>>> tcontext=root:system_r:dovecot_t:s0 tclass=key
>>>>
>>>> FWIW, I'm also getting in /var/log/secure:
>>>>
>>>> Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message()
>>>> failed: Operation not permitted
>>>> Jun 26 12:09:42 goalkeeper proftpd[25559]:
>>>> goalkeeper.intra.city-fan.org
>>>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
>>>> Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session):
>>>> session closed for user paul
>>>> Jun 26 12:09:42 goalkeeper proftpd[25559]:
>>>> goalkeeper.intra.city-fan.org
>>>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session):
>>>> System error
>>>> Jun 26 12:09:42 goalkeeper proftpd[25559]:
>>>> goalkeeper.intra.city-fan.org
>>>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
>>>>
>>>> I don't see any AVCs to go with these, and adding:
>>>>
>>>> logging_send_audit_msg(ftpd_t)
>>>>
>>>> doesn't seem to help.
>>>>
>>>> Paul.
>>>>
>>> This could be caused by proftpd not running as root and not having the
>>> auth_write capability. So a DAC error could be causing this problem.
>>
>> Proftpd runs as nobody out of the box; what would I need to change to
>> fix this? Which object's DAC permissions are the problem?
> proftpd would need to start as root and then setuid to "nobody". When it
> does setuid it would need to keep AUDIT_WRITE capability.
OK thanks. It does most of this already. There's a proftpd module
mod_cap that gets built by default and allows the specification of
capabilities to retain, but unfortunately CAP_AUDIT_WRITE isn't one of
the capabilities it manipulates. However, a quick patch fixed that and
now it seems OK:
Jun 26 14:33:44 goalkeeper proftpd: pam_unix(proftpd:session): session
opened for user paul by (uid=0)
Jun 26 14:33:44 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org
(::ffff:192.168.2.20[::ffff:192.168.2.20]) - USER paul: Login successful.
Jun 26 14:33:48 goalkeeper proftpd: pam_unix(proftpd:session): session
closed for user paul
Jun 26 14:33:48 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org
(::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
Paul.
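For anyone wanting to see what "retain CAP_AUDIT_WRITE across the setuid to nobody" looks like in code, here is an added illustration (my own example, not Paul's mod_cap patch and not code from proftpd or Fedora): the keep-caps sequence on Linux, using the raw v3 capset interface, which keeps only the listed capabilities so that PAM's audit_log_user_message() still works after dropping root. It has to be started as root to actually switch users; the helper that builds the capability words can be checked without root.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Build the v3 capset payload (two 32-bit words) so that only the listed
 * capabilities remain permitted and effective; inheritable is cleared. */
int build_cap_data(const int *caps, size_t n, struct __user_cap_data_struct out[2])
{
    memset(out, 0, 2 * sizeof(out[0]));
    for (size_t i = 0; i < n; i++) {
        if (caps[i] < 0 || caps[i] > 63) return -1;   /* not a valid cap number */
        unsigned int bit = 1u << (caps[i] % 32);
        out[caps[i] / 32].permitted |= bit;
        out[caps[i] / 32].effective |= bit;
    }
    return 0;
}

/* Switch from root to uid/gid while retaining only the capabilities in caps.
 * CAP_AUDIT_WRITE is the one proftpd's mod_cap was missing for PAM's audit call. */
int drop_privs_keep_caps(uid_t uid, gid_t gid, const int *caps, size_t n)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (build_cap_data(caps, n, data) != 0) return -1;
    /* Without PR_SET_KEEPCAPS the kernel empties the permitted set on setuid(). */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* setuid() cleared the effective set; re-raise exactly what we asked for. */
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

int main(void)
{
    const int keep[] = { CAP_AUDIT_WRITE };
    struct passwd *pw = getpwnam("nobody");     /* the account proftpd drops to */
    if (!pw || drop_privs_keep_caps(pw->pw_uid, pw->pw_gid, keep, 1) != 0) {
        perror("drop_privs_keep_caps (must be started as root)");
        return 1;
    }
    printf("uid=%d; CapEff in /proc/self/status should now show bit %d only\n",
           (int)getuid(), CAP_AUDIT_WRITE);
    return 0;
}
```

After running it as root you can confirm the result with grep CapEff /proc/<pid>/status on the child, which is the same check to apply to a running proftpd to see whether its mod_cap build kept the bit.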