Bug 238339

Summary: vsftpd tries a search in directory where process was started
Product: [Fedora] Fedora
Reporter: Robert Scheck <redhat-bugzilla>
Component: vsftpd
Assignee: Maros Barabas <mbarabas>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-04-30 14:15:42 UTC

Description Robert Scheck 2007-04-29 14:58:20 UTC
Description of problem:
vsftpd tries a search in the directory where the vsftpd process was started and in
(its?) home directory.

hurricane:/usr/src/rpm/SPECS # pwd
/usr/src/rpm/SPECS
hurricane:/usr/src/rpm/SPECS # 
hurricane:/usr/src/rpm/SPECS # service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
hurricane:/usr/src/rpm/SPECS # 

So... when now opening an FTP session, the following is in the audit logs:

--- snipp ---
type=AVC msg=audit(1177858462.480:175448): avc:  denied  { search } for  
pid=14505 comm="vsftpd" name="SPECS" dev=cciss/c0d0p2 ino=1933315 
scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:src_t:s0 tclass=dir
type=SYSCALL msg=audit(1177858462.480:175448): arch=40000003 syscall=5 
success=no exit=-2 a0=9fbbaf8 a1=8000 a2=1b6 a3=9fbbb20 items=0 ppid=14487 
pid=14505 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 
key=(null)
type=USER_AUTH msg=audit(1177858462.484:175449): user pid=14505 uid=0 auid=500 
subj=user_u:system_r:ftpd_t:s0 msg='PAM: authentication acct=robert : exe="/usr/
sbin/vsftpd" (hostname=tux.fedora.local, addr=192.168.0.29, terminal=ftp 
res=success)'
type=USER_ACCT msg=audit(1177858462.488:175450): user pid=14505 uid=0 auid=500 
subj=user_u:system_r:ftpd_t:s0 msg='PAM: accounting acct=robert : exe="/usr/
sbin/vsftpd" (hostname=tux.fedora.local, addr=192.168.0.29, terminal=ftp 
res=success)'
type=CRED_ACQ msg=audit(1177858462.488:175451): user pid=14505 uid=0 auid=500 
subj=user_u:system_r:ftpd_t:s0 msg='PAM: setcred acct=robert : exe="/usr/sbin/
vsftpd" (hostname=tux.fedora.local, addr=192.168.0.29, terminal=ftp 
res=success)'
type=AVC msg=audit(1177858462.492:175452): avc:  denied  { search } for  
pid=14507 comm="vsftpd" name="home" dev=cciss/c0d0p2 ino=2473994 
scontext=user_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 
tclass=dir
type=SYSCALL msg=audit(1177858462.492:175452): arch=40000003 syscall=12 
success=yes exit=0 a0=9fb64b8 a1=1f4 a2=4382ec a3=bfbff4f4 items=0 ppid=14505 
pid=14507 auid=500 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=100 sgid=100 
fsgid=100 tty=(none) comm="vsftpd" exe="/usr/sbin/vsftpd" 
subj=user_u:system_r:ftpd_t:s0 key=(null)
--- snapp ---

home_root_t is "HOME_ROOT -d system_u:object_r:home_root_t:s0-s15:c0.c1023" as per
base.fc. And searching in SPECS is ABSOLUTELY wrong, so vsftpd should be fixed.

Version-Release number of selected component (if applicable):
vsftpd-2.0.5-16

How reproducible:
Every time, see above.

Actual results:
vsftpd tries a search in the directory where the vsftpd process was started and in
(its?) home directory.

Expected results:
No avc denied messages.

Additional info:
I would say, this wrong behaviour is a vsftpd bug, but as I'm not sure, I'm 
adding a SELinux guy to this report.

Comment 1 Daniel Walsh 2007-04-30 13:07:54 UTC
I don't think this is a vsftp bug, but the way that gcc works. Access to the
current directory where an application is started is checked automatically and
can trigger these AVCs. I don't see there is much we can do about this.

I am not sure why it is searching the /home directory. Did you have vsftp set up
to log in to local accounts?

Comment 2 Robert Scheck 2007-04-30 13:11:05 UTC
Yes, I'm trying to login as "robert" where the home directory of "robert" is
/home/robert - should be a legal combination, shouldn't it?

Comment 3 Daniel Walsh 2007-04-30 14:15:42 UTC
Yes it is legal, but it requires you to set a boolean on your system to allow it.

setsebool -P ftp_home_dir=1

You should install setroubleshoot, which would have told you this when SELinux
prevented your login.
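As an added example (not code from the report, from vsftpd, or from Fedora), here is a small Python triage script that parses the AVC and SYSCALL records quoted in the description, joins them by audit event serial, and applies the two explanations given in Comment 1 and Comment 3: an ftpd_t search denial on the directory the daemon was restarted from is startup noise that policy cannot fix, and an ftpd_t search denial on home_root_t is what the ftp_home_dir boolean is for. The sample input is the report's own audit lines rejoined onto one line per record; the rule names, the `triage` function and the `STARTUP_CWD` constant (taken from the `pwd` output above) are this example's own.

```python
"""Triage the SELinux AVC records quoted in this report.

Added example, not code from vsftpd, Fedora or the commenters. The rule table
encodes only the two explanations given in Comment 1 and Comment 3.
"""
import os
import re
from dataclasses import dataclass, field

# Audit records copied from the report's description, one record per line
# (the original paste was wrapped at 80 columns).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1177858462.480:175448): avc:  denied  { search } for  pid=14505 comm="vsftpd" name="SPECS" dev=cciss/c0d0p2 ino=1933315 scontext=user_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:src_t:s0 tclass=dir
type=SYSCALL msg=audit(1177858462.480:175448): arch=40000003 syscall=5 success=no exit=-2 a0=9fbbaf8 a1=8000 a2=1b6 a3=9fbbb20 items=0 ppid=14487 pid=14505 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1177858462.492:175452): avc:  denied  { search } for  pid=14507 comm="vsftpd" name="home" dev=cciss/c0d0p2 ino=2473994 scontext=user_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1177858462.492:175452): arch=40000003 syscall=12 success=yes exit=0 a0=9fb64b8 a1=1f4 a2=4382ec a3=bfbff4f4 items=0 ppid=14505 pid=14507 auid=500 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) comm="vsftpd" exe="/usr/sbin/vsftpd" subj=user_u:system_r:ftpd_t:s0 key=(null)
"""

# Directory the daemon was restarted from, per the `pwd` output in the report.
STARTUP_CWD = "/usr/src/rpm/SPECS"

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """user_u:system_r:ftpd_t:s0 -> ftpd_t (the type is the third field)."""
    return ctx.split(":")[2]


@dataclass
class Denial:
    serial: str
    perms: list
    fields: dict
    syscall: dict = field(default_factory=dict)  # matching SYSCALL record, if any

    @property
    def source_type(self):
        return context_type(self.fields["scontext"])

    @property
    def target_type(self):
        return context_type(self.fields["tcontext"])


def parse_audit(text):
    """Collect AVC records and attach the SYSCALL record sharing the event serial."""
    denials, syscalls = {}, {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            d = Denial(m["serial"], m["perms"].split(), parse_kv(m["rest"]))
            denials[d.serial] = d
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m["serial"]] = parse_kv(m["rest"])
    for serial, d in denials.items():
        d.syscall = syscalls.get(serial, {})
    return list(denials.values())


def explain(denial, startup_cwd):
    """Map a denial to the explanations given in this report; anything else is unknown."""
    src, tgt = denial.source_type, denial.target_type
    if src == "ftpd_t" and tgt == "home_root_t" and "search" in denial.perms:
        # Comment 3: logging in to local accounts under /home needs this boolean.
        return "boolean", "setsebool -P ftp_home_dir=1"
    if src == "ftpd_t" and denial.fields.get("tclass") == "dir" \
            and denial.fields.get("name") == os.path.basename(startup_cwd):
        # Comment 1: the startup cwd is probed automatically; not a policy problem.
        return "startup_cwd", "no action (startup-directory probe, see Comment 1)"
    return "unknown", "run audit2why / setroubleshoot on the record"


def triage(text, startup_cwd=STARTUP_CWD):
    """Return one summary dict per AVC record, in audit order."""
    out = []
    for d in parse_audit(text):
        kind, action = explain(d, startup_cwd)
        out.append({
            "serial": d.serial, "comm": d.fields.get("comm"), "name": d.fields.get("name"),
            "source": d.source_type, "target": d.target_type, "perms": d.perms,
            "syscall_ok": d.syscall.get("success"), "kind": kind, "action": action,
        })
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT):
        print(f"{row['serial']}: {row['source']} -> {row['target']} ({row['name']}) "
              f"syscall_success={row['syscall_ok']} => {row['kind']}: {row['action']}")
```

The SYSCALL join is the part worth keeping in a real triage tool: for event 175448 the syscall failed (`success=no`), while for 175452 the audit record shows `success=yes`, so the two denials behaved differently at the syscall level even though both are logged as search denials.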