vsftpd non-anonymous chrooting
Ted Rule
ejtr at layer3.co.uk
Mon Aug 8 17:42:37 UTC 2005
Whilst using vsftpd in chroot'ed mode for non-anonymous usage, I've
found that I appear to have to add this to my SELinux strict policy:
allow ftpd_t self:capability { dac_override dac_read_search };
or possibly just this:
allow ftpd_t self:capability { dac_read_search };
Without at least the dac_read_search, an ftp login always seems to fail.
The description of these "dac" permissions on Tresys' site suggests to
me that vsftpd is being too "greedy" in requiring these permissions to
chroot successfully. Since anonymous ftp with SELinux surely works Ok
without this capability, (or too many other people would have
complained ), does this mean that the correct fix for this is a minor
rewrite to vsftpd, rather than a change in SELinux policy?
My current ftpd/SELinux/chroot related configuration:
$ sudo grep ftp /etc/selinux/strict/booleans
ftpd_is_daemon=1
ftp_home_dir=1
$
$ sudo grep chroot /etc/vsftpd/vsftpd.conf | grep -v "^#"
chroot_list_enable=YES
passwd_chroot_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_user_list
userlist_file=/etc/vsftpd/vsftpd.chroot_user_list
$
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
More information about the fedora-selinux-list
mailing list