ftpd and PAM

Paul Howarth paul at city-fan.org
Tue Jun 26 11:55:32 UTC 2007


Daniel J Walsh wrote:
> Paul Howarth wrote:
>> Paul Howarth wrote:
>>> The PAM config files for vsftpd and proftpd look like this:
>>>
>>> #%PAM-1.0
>>> session    optional     pam_keyinit.so    force revoke
>>> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
>>> auth       required     pam_shells.so
>>> auth       include      system-auth
>>> account    include      system-auth
>>> session    include      system-auth
>>> session    required     pam_loginuid.so
>>>
>>> So it makes sense for ftpd_t to be able to set the login uid and 
>>> create a session keyring:
>>>
>>> logging_set_loginuid(ftpd_t)
>>> allow ftpd_t self:key { write search link };
>>>
>>>
>>> Curiously, I've done this locally but still get this AVC when logging 
>>> in on proftpd, with an open dovecot IMAP session on the same server:
>>>
>>> type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
>>
>> FWIW, I'm also getting in /var/log/secure:
>>
>> Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() failed: Operation not permitted
>> Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
>> Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
>> Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): System error
>> Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
>>
>> I don't see any AVCs to go with these, and adding:
>>
>> logging_send_audit_msg(ftpd_t)
>>
>> doesn't seem to help.
>>
>> Paul.
>>
> This could be caused by proftpd not running as root and not having the 
> auth_write capability.  So a DAC error could be causing this problem.

Proftpd runs as nobody out of the box; what would I need to change to 
fix this? Which object's DAC permissions are the problem?

> type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key
> 
> I have no idea what this even means.  :^) One of these days I need to 
> investigate the kernel keyring.

It doesn't seem to cause any problem, but I would like to know what it 
is if you ever figure it out.

Cheers, Paul.
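As an added example (not code from the thread or from the SELinux project), here is a small parser for AVC denial lines of the kind quoted above; it pulls out the permission, source and target contexts and object class, and renders the allow rule that audit2allow would propose for one denial. SAMPLE_AVC is the thread's own denial re-joined onto one line; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC line quoted in the thread, unwrapped.
SAMPLE_AVC = (
    'type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } for '
    'pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 '
    'tcontext=root:system_r:dovecot_t:s0 tclass=key'
)

# "avc:  denied  { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    action: str      # "denied" or "granted"
    perms: list      # permissions inside the braces, e.g. ["link"]
    fields: dict     # pid, comm, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Return an Avc for an audit line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Avc(m.group('action'), m.group('perms').split(), fields)


def suggested_rule(avc):
    """Render the allow rule audit2allow would print for this one denial.

    Only the type component of each context is used; a cross-domain rule
    like ftpd_t -> dovecot_t still needs a policy author to judge whether
    it should be allowed or silenced with dontaudit."""
    src = avc.fields['scontext'].split(':')[2]
    tgt = avc.fields['tcontext'].split(':')[2]
    tgt = 'self' if tgt == src else tgt
    perms = ' '.join(avc.perms)
    return f"allow {src} {tgt}:{avc.fields['tclass']} {{ {perms} }};"


if __name__ == '__main__':
    print(suggested_rule(parse_avc(SAMPLE_AVC)))
```

Run over a stream of /var/log/audit/audit.log lines it gives a structured view of what each domain was denied, which is what the `allow ftpd_t self:key { write search link };` rule in the thread was derived from.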
