Bug 785443

| Field | Value |
|---|---|
| Summary | SElinux breaks ftpd active connections |
| Product | Fedora |
| Component | proftpd |
| Version | 16 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Keywords | Reopened |
| Reporter | Philip Prindeville <philipp> |
| Assignee | Matthias Saou <matthias> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, matthias, mgrepl, paul, philipp |
| Fixed In Version | proftpd-1.3.4a-5.fc16 |
| Doc Type | Bug Fix |
| Last Closed | 2012-03-08 21:28:14 UTC |
Description

Philip Prindeville, 2012-01-29 00:15:04 UTC

We have a boolean for this.

    # setsebool -P ftpd_connect_all_unreserved 1

It would be best if we could document this in the config file if possible. Is there a mechanism to enable/disable non-PASV connections?

We were having a discussion via EMAIL on this.

I see this has also cropped up in Bug #782177

The email discussion that preceded this bug report suggested the possibility of detecting whether ftpd_connect_all_unreserved is enabled or not and then blocking active transfers in the configuration file if the boolean is not set. Technically, this would be possible by adding this to the configuration file:

    # Block active FTP transfers
    <IfDefine NO_ACTIVE_TRANSFERS>
      <Limit EPRT PORT>
        DenyAll
      </Limit>
    </IfDefine>

... and then setting the NO_ACTIVE_TRANSFERS symbol at daemon startup.

However, I don't want to do that. The client's experience is just as bad as before:

    ftp> pass off
    Passive mode off.
    ftp> ls
    501 EPRT: Operation not permitted
    500 LPRT not understood
    ftp: bind: Address already in use
    ftp>

So I'd prefer to go Dan's way and document in proftpd.conf (where they're most likely to be noticed by the server admin) the SELinux booleans that affect proftpd:

* allow_ftpd_anon_write
* allow_ftpd_full_access
* allow_ftpd_use_cifs
* allow_ftpd_use_nfs
* ftp_home_dir
* ftpd_connect_all_unreserved
* ftpd_connect_db

What do you think, Philip?

Which Fedora/RHEL releases have these booleans? I think ftpd_connect_all_unreserved is quite recent? Are ones that are not currently present on old releases likely to be backported?

No. We don't usually back port booleans.

BTW I have updated Fedora 17 with lots of man pages that document how SELinux interacts with domains, including booleans.

Which of these booleans have been introduced after EL-5? If a boolean isn't universally applicable, I'd like to note it in the config file.

Grepping RHEL5 I see:
    tunable_policy(`ftp_home_dir',`
    ftp.te:gen_tunable(ftpd_connect_db, false)
    ftp.te:tunable_policy(`allow_ftpd_anon_write',`
    ftp.te:tunable_policy(`allow_ftpd_use_cifs',`
    ftp.te:tunable_policy(`allow_ftpd_use_nfs',`
    ftp.te:tunable_policy(`allow_ftpd_full_access',`
    ftp.te:tunable_policy(`ftpd_is_daemon',`
    ftp.te: tunable_policy(`ftp_home_dir',`

(In reply to comment #3)
> I see this has also cropped up in Bug #782177
>
> The email discussion that preceded this bug report suggested the possibility of
> detecting whether ftpd_connect_all_unreserved is enabled or not and then
> blocking active transfers in the configuration file if the boolean is not set.
> technically, this would be possible by adding this to the configuration file:
>
> # Block active FTP transfers
> <IfDefine NO_ACTIVE_TRANSFERS>
> <Limit EPRT PORT>
> DenyAll
> </Limit>
> </IfDefine>
>
> ... and then setting the NO_ACTIVE_TRANSFERS symbol at daemon startup.
>
> However, I don't want to do that. The client's experience is just as bad as
> before:
>
> ftp> pass off
> Passive mode off.
> ftp> ls
> 501 EPRT: Operation not permitted
> 500 LPRT not understood
> ftp: bind: Address already in use
> ftp>
>
> So I'd prefer to go Dan's way and document in proftpd.conf (where they're most
> likely to be noticed by the server admin) the SELinux booleans that affect
> proftpd:
>
> * allow_ftpd_anon_write
> * allow_ftpd_full_access
> * allow_ftpd_use_cifs
> * allow_ftpd_use_nfs
> * ftp_home_dir
> * ftpd_connect_all_unreserved
> * ftpd_connect_db
>
> What do you think, Philip?

I think that proftpd.conf would be a good place, since we can no longer do it with a configuration variable in /etc/sysconfig/proftpd that would activate the boolean... at least not in f16 and later.

Here is the text I propose to add near the top of proftpd.conf. Comments welcome.
    # Security-Enhanced Linux (SELinux) Notes:
    #
    # In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux
    # in order to mitigate the effects of an attacker taking advantage of an
    # unpatched vulnerability and getting control of the ftp server. By default,
    # ProFTPD cannot read or write most files on a system nor connect to many
    # external network services, but these restrictions can be relaxed by
    # setting SELinux booleans as follows:
    #
    # setsetbool -P allow_ftpd_anon_write=1
    # This allows the ftp daemon to write to files and directories labelled
    # with the public_content_rw_t context type; the daemon would only have
    # read access to these files normally. Files to be made available by ftp
    # but not writeable should be labelled public_content_t.
    #
    # setsetbool -P allow_ftpd_full_access=1
    # This allows the ftp daemon to read and write all files on the system.
    #
    # setsetbool -P allow_ftpd_use_cifs=1
    # This allows the ftp daemon to read and write files on CIFS-mounted
    # filesystems.
    #
    # setsetbool -P allow_ftpd_use_nfs=1
    # This allows the ftp daemon to read and write files on NFS-mounted
    # filesystems.
    #
    # setsetbool -P ftp_home_dir=1
    # This allows the ftp daemon to read and write files in users' home
    # directories.
    #
    # setsetbool -P ftp_connect_all_unreserved=1
    # This setting is only available from Fedora 16/RHEL-7 onwards, and is
    # necessary for active-mode ftp transfers to work reliably with non-Linux
    # clients (see http://bugzilla.redhat.com/782177), which may choose to
    # use port numbers outside the "ephemeral port" range of 32768-61000.
    #
    # setsetbool -P ftp_connect_db=1
    # This setting allows the ftp daemon to connect to commonly-used database
    # ports over the network, which is necessary if you are using a database
    # back-end for user authentication, etc.
    #
    # setsebool -P ftpd_is_daemon=1
    # This setting is available only in Fedora releases 4 to 6 and Red Hat
    # Enterprise Linux 5. It should be set if ProFTPD is running in standalone
    # mode, and unset if running in inetd mode.
    #
    # setsebool -P ftpd_disable_trans=1
    # This setting is available only in Fedora releases 4 to 6 and Red Hat
    # Enterprise Linux 5, and when set it removes the SELinux confinement of the
    # ftp daemon. Needless to say, its use is not recommended.
    #
    # See also the "ftpd_selinux" manpage.
    #
    # Note that the "-P" option to setsebool makes the setting permanent, i.e.
    # it will still be in effect after a reboot; without the "-P" option, the
    # effect only lasts until the next reboot.
    #
    # Restrictions imposed by SELinux are on top of those imposed by ordinary
    # file ownership and access permissions; in normal operation, the ftp daemon
    # will not be able to read and/or write a file unless *all* of the ownership,
    # permission and SELinux restrictions allow it.

You might want to fix the few places where you typed "setsetbool"...

Oh, also it's "ftpd_connect_all_unreserved", not "ftp_connect_all_unreserved"... and "ftpd_connect_db", not "ftp_connect_db"... double-check the names.

And it's a space, not an equals, between the name and value.

I'd also consider showing the default value in square brackets, assuming that it's consistent across versions.

(In reply to comment #9)
> You might want to fix the few places where you typed "setsetbool"...

Hum, the *many* places... fixed.

(In reply to comment #10)
> Oh, also it's "ftpd_connect_all_unreserved", not
> "ftp_connect_all_unreserved"...

Fixed.

> ... and "ftpd_connect_db", not "ftp_connect_db"...
> double-check the names.

Fixed.

> And it's a space, not an equals, between the name and value.

Ah, I'm right this time!
You can also use an equals sign, and I often do, such as after updating my server box to the current Fedora, where I then do:

    # setsebool -P ftp_home_dir=1 \
        ftpd_connect_all_unreserved=1 \
        httpd_builtin_scripting=1 \
        httpd_can_network_connect=1 \
        httpd_can_sendmail=1 \
        httpd_enable_cgi=1 \
        httpd_enable_homedirs=1 \
        httpd_unified=0 \
        spamassassin_can_network=1 \
        spamd_enable_home_dirs=1 \
        squid_connect_any=1

> I'd also consider showing the default value in square brackets, assuming that
> it's consistent across versions.

I think all of these ftp booleans default to "off", don't they Dan?

(In reply to comment #11)
> I think all of these ftp booleans default to "off", don't they Dan?

getsebool -a on a pristine box will give you the default values. Yes, they should be off by default.

BTW check out the autogenerated man pages in F17:

    man ftpd_selinux

proftpd-1.3.4a-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/proftpd-1.3.4a-5.fc17

proftpd-1.3.4a-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/proftpd-1.3.4a-5.fc16

You might want to yank this for now.

There's another issue (upstream bug 3615) that needs to be included as well.

(In reply to comment #17)
> You might want to yank this for now.
>
> There's another issue (upstream bug 3615) that needs to be included as well.

Sure about that number? That bug was a configuration issue and closed nearly a year ago.

You should read the package changelog by the way - there's loads of fixes from upstream included in this release.

(In reply to comment #18)
> (In reply to comment #17)
> > You might want to yank this for now.
> >
> > There's another issue (upstream bug 3615) that needs to be included as well.
>
> Sure about that number? That bug was a configuration issue and closed nearly a
> year ago.

No, I'm not sure. :-)

http://bugs.proftpd.org/show_bug.cgi?id=3751

Like I said, check the changelog. You'll like it.
(In reply to comment #19)
> You should read the package changelog by the way - there's loads of fixes from
> upstream included in this release.

Yeah, just pulled... seeing that now.

proftpd-1.3.4a-5.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

proftpd-1.3.4a-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
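As an added example (not part of the bug thread or the proftpd package), here is the check that the proposed proftpd.conf note describes in words: parse the PORT or EPRT command an active-mode client sends and flag data ports outside the 32768-61000 ephemeral range quoted above, which is where the confined daemon needs ftpd_connect_all_unreserved set. The function names and the sample commands are my own constructions.

```python
"""Constructed example: decide whether an active-mode FTP data port falls
outside the 32768-61000 ephemeral range quoted in the proposed proftpd.conf
note, i.e. where the confined ftpd needs ftpd_connect_all_unreserved=1."""
import re

EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 61000  # range cited in the thread

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT |proto|host|port| (RFC 2428)
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d+)\|\s*$", re.I)


def data_port(command):
    """Return (host, port) the client asked the server to connect back to.
    PORT encodes the port as p1*256 + p2; EPRT carries it literally."""
    m = _PORT_RE.match(command)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("PORT octet out of range: %r" % command)
        return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2
    m = _EPRT_RE.match(command)
    if m:
        port = int(m.group(3))
        if not 0 < port < 65536:
            raise ValueError("EPRT port out of range: %r" % command)
        return m.group(2), port
    raise ValueError("not a PORT/EPRT command: %r" % command)


def needs_connect_all_unreserved(command):
    """True if the data port lies outside the ephemeral range, so (per the
    proposed note) the transfer is blocked unless the boolean is on."""
    _, port = data_port(command)
    return not EPHEMERAL_LOW <= port <= EPHEMERAL_HIGH


def classify(commands):
    """Map each command to (host, port, needs_boolean) for a quick report."""
    return [data_port(c) + (needs_connect_all_unreserved(c),) for c in commands]


# Constructed sample commands, as non-Linux and Linux clients might send them.
SAMPLE_COMMANDS = [
    "PORT 192,0,2,10,4,210",        # 4*256+210 = 1234: outside the range
    "PORT 192,0,2,10,200,1",        # 200*256+1 = 51201: inside the range
    "EPRT |1|192.0.2.10|1025|",     # 1025: outside the range
    "EPRT |2|2001:db8::10|40000|",  # 40000: inside the range
]
```

Running classify(SAMPLE_COMMANDS) flags the first and third commands, which is the class of client behaviour the note says breaks without the boolean.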