Bug 785443

Summary: SELinux breaks ftpd active connections
Product: Fedora
Reporter: Philip Prindeville <philipp>
Component: proftpd
Assignee: Matthias Saou <matthias>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 16
CC: dwalsh, matthias, mgrepl, paul, philipp
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: proftpd-1.3.4a-5.fc16
Doc Type: Bug Fix
Last Closed: 2012-03-08 21:28:14 UTC

Description Philip Prindeville 2012-01-29 00:15:04 UTC
Description of problem:

In FTP, data connections (for get, put, ls, etc) can either be passive or active.

If they're passive, then client initiates both the control and data connections to the server. This works well for clients behind NATting gateways (as opposed to proper firewalls which do stateful deep-inspection of the control connection).

And if the connections are active, then the client opens a listening socket and passes its address and port # back to the server, and waits for the server to connect. This works when used with proper stateful firewalls or for clients not behind NAT nor a firewall.

A proper FTP server is required to support both operating modes, as not all clients implement PASV correctly (or may have other administrative restrictions requiring them to use active mode).

The default behavior of selinux-policy-targeted should be to support active connections.


Version-Release number of selected component (if applicable):

3.10.0-72

How reproducible:

On a MacOS client I do:

% ftp -A ftp
Connected to ftp.redfish-solutions.com.
220 FTP Server ready.
Name (ftp:philipp): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-
                *** Welcome to this anonymous ftp server! ***

     You are user 1 out of a maximum of 10 authorized anonymous logins.
     The current time here is Sat Jan 28 13:30:33 2012.
     If you experience any problems here, contact : root@localhost


230 Anonymous login ok, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful
425 Unable to build data connection: Permission denied
ftp>


and on the Fedora server doing tail -f /var/log/audit/audit.log I see:

type=AVC msg=audit(1327782634.323:35432): avc:  denied  { name_connect } for  pid=19122 comm="proftpd" dest=61563 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1327782634.323:35432): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7fff11d397bc a2=10 a3=7fff11d3979c items=0 ppid=31445 pid=19122 auid=4294967295 uid=0 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=4294967295 comm="proftpd" exe=2F7573722F7362696E2F70726F66747064202864656C6574656429 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)


Steps to Reproduce:
1. as per above.
2.
3.
  
Actual results:

Outbound connection fails as above.

Expected results:

Outbound connection should not be blocked.

Additional info:

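The active-mode negotiation described in the report, as an added example that is not part of the original bug or of proftpd: it parses the client's PORT and EPRT commands the way a server does, refuses a data address that differs from the control peer (the FTP bounce pattern, which proftpd only permits when AllowForeignAddress is set), and classifies the requested port against the SELinux port ranges comment 8 below cites (32768-61000 labelled ephemeral and reachable by default; other ports above 1023 labelled unreserved_port_t and needing ftpd_connect_all_unreserved). The range boundaries and label names are assumptions about the Fedora 16 targeted policy as described in this thread; the sample commands are constructed, with the EPRT port chosen to match dest=61563 in the quoted AVC.

```python
"""Active-mode FTP data-connection checks (added example, not from the bug report).

A client in active mode listens and tells the server where to connect via
PORT (RFC 959) or EPRT (RFC 2428).  Before ftpd_t may connect, SELinux checks
the label of the destination port.  Assumption, taken from comment 8 of this
bug: ports 32768-61000 are ephemeral_port_t and reachable by default; other
ports above 1023 are unreserved_port_t and need ftpd_connect_all_unreserved.
"""
import re
from ipaddress import ip_address

EPHEMERAL_PORTS = range(32768, 61001)   # assumption: F16 ephemeral_port_t range


def parse_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 -> (ipv4 string, port)."""
    octets = arg.strip().split(",")
    if len(octets) != 6 or not all(re.fullmatch(r"\d{1,3}", o) for o in octets):
        raise ValueError("PORT needs six decimal fields")
    nums = [int(o) for o in octets]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_eprt(arg):
    """EPRT <d><proto><d><addr><d><port><d> with any delimiter <d>."""
    arg = arg.strip()
    if not arg:
        raise ValueError("empty EPRT argument")
    fields = arg.split(arg[0])
    # "|1|192.0.2.10|61563|" -> ['', '1', '192.0.2.10', '61563', '']
    if len(fields) != 5 or fields[0] or fields[4]:
        raise ValueError("malformed EPRT argument")
    proto, addr, port = fields[1:4]
    ip = ip_address(addr)          # raises ValueError on junk
    if (proto, ip.version) not in (("1", 4), ("2", 6)):
        raise ValueError("EPRT protocol does not match address family")
    if not port.isdigit():
        raise ValueError("EPRT port is not numeric")
    return str(ip), int(port)


def classify_port(port):
    """Label the destination port the way the policy in this thread does."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if port < 1024:
        return "reserved"
    if port in EPHEMERAL_PORTS:
        return "ephemeral_port_t"
    return "unreserved_port_t"


def data_connection_verdict(cmd_line, control_peer, allow_foreign=False):
    """Decide what a PORT/EPRT request implies for the server.

    control_peer is the client address on the control connection.  A data
    address that differs from it is the classic FTP bounce pattern; proftpd
    refuses it unless AllowForeignAddress is on, and so does this function.
    """
    verb, _, arg = cmd_line.strip().partition(" ")
    verb = verb.upper()
    if verb == "PORT":
        ip, port = parse_port(arg)
    elif verb == "EPRT":
        ip, port = parse_eprt(arg)
    else:
        raise ValueError(f"{verb} is not an active-mode command")
    if ip_address(ip) != ip_address(control_peer) and not allow_foreign:
        raise ValueError(f"data address {ip} differs from control peer {control_peer}")
    label = classify_port(port)
    return {
        "ip": ip,
        "port": port,
        "label": label,
        "needs_ftpd_connect_all_unreserved": label == "unreserved_port_t",
    }


if __name__ == "__main__":
    # Constructed inputs; the EPRT port matches dest=61563 in the AVC above.
    for cmd in ("EPRT |1|192.0.2.10|61563|", "PORT 192,0,2,10,200,100"):
        print(cmd, "->", data_connection_verdict(cmd, "192.0.2.10"))
```

The point the verdict makes explicit is that the MacOS client's port 61563 lies just above the ephemeral range, which is why the same command works from a Linux client (whose kernel picks from 32768-61000) and fails from this one, exactly the situation the report's AVC shows.
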
Comment 1 Miroslav Grepl 2012-01-30 12:03:09 UTC
We have a boolean for this.

# setsebool -P ftpd_connect_all_unreserved 1

Comment 2 Daniel Walsh 2012-01-30 19:26:21 UTC
It would be best if we could document this in the config file if possible.  Is there a mechanism to enable/disable non-PASV connections?

We were having a discussion via EMAIL on this.

Comment 3 Paul Howarth 2012-02-24 18:30:07 UTC
I see this has also cropped up in Bug #782177

The email discussion that preceded this bug report suggested the possibility of detecting whether ftpd_connect_all_unreserved is enabled or not and then blocking active transfers in the configuration file if the boolean is not set. Technically, this would be possible by adding this to the configuration file:

  # Block active FTP transfers
  <IfDefine NO_ACTIVE_TRANSFERS>
    <Limit EPRT PORT>
      DenyAll
    </Limit>
  </IfDefine>

... and then setting the NO_ACTIVE_TRANSFERS symbol at daemon startup.

However, I don't want to do that. The client's experience is just as bad as before:

ftp> pass off
Passive mode off.
ftp> ls
501 EPRT: Operation not permitted
500 LPRT not understood
ftp: bind: Address already in use
ftp>

So I'd prefer to go Dan's way and document in proftpd.conf (where they're most likely to be noticed by the server admin) the SELinux booleans that affect proftpd:

* allow_ftpd_anon_write
* allow_ftpd_full_access
* allow_ftpd_use_cifs
* allow_ftpd_use_nfs
* ftp_home_dir
* ftpd_connect_all_unreserved
* ftpd_connect_db

What do you think, Philip?

Which Fedora/RHEL releases have these booleans? I think ftpd_connect_all_unreserved is quite recent? Are ones that are not currently present on old releases likely to be backported?

Comment 4 Daniel Walsh 2012-02-24 19:00:15 UTC
No. We don't usually back port booleans.

BTW I have updated Fedora 17 with lots of man pages, that document how SELinux interacts with domains, including booleans.

Comment 5 Paul Howarth 2012-02-24 19:09:21 UTC
Which of these booleans have been introduced after EL-5? If a boolean isn't universally applicable, I'd like to note it in the config file.

Comment 6 Daniel Walsh 2012-02-24 19:26:00 UTC
Grepping RHEL5 I see:


tunable_policy(`ftp_home_dir',`
ftp.te:gen_tunable(ftpd_connect_db, false)
ftp.te:tunable_policy(`allow_ftpd_anon_write',`
ftp.te:tunable_policy(`allow_ftpd_use_cifs',`
ftp.te:tunable_policy(`allow_ftpd_use_nfs',`
ftp.te:tunable_policy(`allow_ftpd_full_access',`
ftp.te:tunable_policy(`ftpd_is_daemon',`
ftp.te:	tunable_policy(`ftp_home_dir',`

Comment 7 Philip Prindeville 2012-02-27 07:02:30 UTC
(In reply to comment #3)
> I see this has also cropped up in Bug #782177
> 
> The email discussion that preceded this bug report suggested the possibility of
> detecting whether ftpd_connect_all_unreserved is enabled or not and then
> blocking active transfers in the configuration file if the boolean is not set.
> Technically, this would be possible by adding this to the configuration file:
> 
>   # Block active FTP transfers
>   <IfDefine NO_ACTIVE_TRANSFERS>
>     <Limit EPRT PORT>
>       DenyAll
>     </Limit>
>   </IfDefine>
> 
> ... and then setting the NO_ACTIVE_TRANSFERS symbol at daemon startup.
> 
> However, I don't want to do that. The client's experience is just as bad as
> before:
> 
> ftp> pass off
> Passive mode off.
> ftp> ls
> 501 EPRT: Operation not permitted
> 500 LPRT not understood
> ftp: bind: Address already in use
> ftp>
> 
> So I'd prefer to go Dan's way and document in proftpd.conf (where they're most
> likely to be noticed by the server admin) the SELinux booleans that affect
> proftpd:
> 
> * allow_ftpd_anon_write
> * allow_ftpd_full_access
> * allow_ftpd_use_cifs
> * allow_ftpd_use_nfs
> * ftp_home_dir
> * ftpd_connect_all_unreserved
> * ftpd_connect_db
> 
> What do you think, Philip?

I think that proftpd.conf would be a good place, since we can no longer do it with a configuration variable in /etc/sysconfig/proftpd that would activate the boolean... at least not in f16 and later.

Comment 8 Paul Howarth 2012-02-28 12:55:48 UTC
Here is the text I propose to add near the top of proftpd.conf. Comments welcome.

# Security-Enhanced Linux (SELinux) Notes:
#
# In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux
# in order to mitigate the effects of an attacker taking advantage of an
# unpatched vulnerability and getting control of the ftp server. By default,
# ProFTPD cannot read or write most files on a system nor connect to many
# external network services, but these restrictions can be relaxed by
# setting SELinux booleans as follows:
#
# setsetbool -P allow_ftpd_anon_write=1
#   This allows the ftp daemon to write to files and directories labelled
#   with the public_content_rw_t context type; the daemon would only have
#   read access to these files normally. Files to be made available by ftp
#   but not writeable should be labelled public_content_t.
#
# setsetbool -P allow_ftpd_full_access=1
#   This allows the ftp daemon to read and write all files on the system.
#
# setsetbool -P allow_ftpd_use_cifs=1
#   This allows the ftp daemon to read and write files on CIFS-mounted
#   filesystems.
#
# setsetbool -P allow_ftpd_use_nfs=1
#   This allows the ftp daemon to read and write files on NFS-mounted
#   filesystems.
#
# setsetbool -P ftp_home_dir=1
#   This allows the ftp daemon to read and write files in users' home
#   directories.
#
# setsetbool -P ftp_connect_all_unreserved=1
#   This setting is only available from Fedora 16/RHEL-7 onwards, and is
#   necessary for active-mode ftp transfers to work reliably with non-Linux
#   clients (see http://bugzilla.redhat.com/782177), which may choose to
#   use port numbers outside the "ephemeral port" range of 32768-61000.
#
# setsetbool -P ftp_connect_db=1
#   This setting allows the ftp daemon to connect to commonly-used database
#   ports over the network, which is necessary if you are using a database
#   back-end for user authentication, etc.
#
# setsebool -P ftpd_is_daemon=1
#   This setting is available only in Fedora releases 4 to 6 and Red Hat
#   Enterprise Linux 5. It should be set if ProFTPD is running in standalone
#   mode, and unset if running in inetd mode.
#
# setsebool -P ftpd_disable_trans=1
#   This setting is available only in Fedora releases 4 to 6 and Red Hat
#   Enterprise Linux 5, and when set it removes the SELinux confinement of the
#   ftp daemon. Needless to say, its use is not recommended.
#
# See also the "ftpd_selinux" manpage.
#
# Note that the "-P" option to setsebool makes the setting permanent, i.e.
# it will still be in effect after a reboot; without the "-P" option, the
# effect only lasts until the next reboot.
#
# Restrictions imposed by SELinux are on top of those imposed by ordinary
# file ownership and access permissions; in normal operation, the ftp daemon
# will not be able to read and/or write a file unless *all* of the ownership,
# permission and SELinux restrictions allow it.

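A triage helper for the booleans listed in the proposed comment block above, added here as an example and not part of the proftpd package or its shipped configuration: it parses audit.log AVC lines (the one quoted in the report plus constructed samples) and maps each denial against ftpd_t to the boolean that relaxes it, using the corrected names ftpd_connect_all_unreserved and ftpd_connect_db from comment 10. The target type names for CIFS, NFS, home directories and database ports (cifs_t, nfs_t, user_home_t, user_home_dir_t, mysqld_port_t, postgresql_port_t) are assumptions about the targeted policy; only unreserved_port_t and public_content_rw_t appear on this page. Denials the table cannot explain are returned separately rather than answered with allow_ftpd_full_access, which the comment block rightly presents as the broadest option.

```python
"""Map AVC denials against ftpd_t to the SELinux booleans listed above.

Added example, not part of proftpd or its shipped configuration.  Boolean
names follow comment 10 (ftpd_connect_all_unreserved, ftpd_connect_db).
Type names marked "assumption" are the usual targeted-policy labels; the
thread itself only shows unreserved_port_t and public_content_rw_t.
"""
import re

WRITE_PERMS = {"write", "append", "create", "unlink", "rename",
               "add_name", "remove_name", "setattr"}

# (required perms or None, required tclass or None, target types, boolean)
RULES = [
    ({"name_connect"}, "tcp_socket", {"unreserved_port_t"},
     "ftpd_connect_all_unreserved"),
    ({"name_connect"}, "tcp_socket",
     {"mysqld_port_t", "postgresql_port_t"},           # assumption
     "ftpd_connect_db"),
    (WRITE_PERMS, None, {"public_content_rw_t"}, "allow_ftpd_anon_write"),
    (None, None, {"cifs_t"}, "allow_ftpd_use_cifs"),   # assumption
    (None, None, {"nfs_t"}, "allow_ftpd_use_nfs"),     # assumption
    (None, None, {"user_home_t", "user_home_dir_t"},   # assumption
     "ftp_home_dir"),
]


def parse_avc(line):
    """Return the fields of one type=AVC denial, or None for other lines."""
    if "avc:" not in line or " denied " not in line:
        return None
    m = re.search(r"\{\s*([^}]*?)\s*\}", line)
    fields = dict(re.findall(r"(\w+)=(\S+)", line))

    def ctx_type(ctx):
        return ctx.split(":")[2]         # user:role:type[:range]

    return {
        "perms": set(m.group(1).split()) if m else set(),
        "stype": ctx_type(fields["scontext"]),
        "ttype": ctx_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "").strip('"'),
        "dest": int(fields["dest"]) if "dest" in fields else None,
    }


def suggest_booleans(lines):
    """Walk audit lines; return setsebool commands plus unexplained denials."""
    needed, unmatched = [], []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["stype"] != "ftpd_t":
            continue                       # not the ftp daemon's domain
        for perms, tclass, ttypes, boolean in RULES:
            if tclass and avc["tclass"] != tclass:
                continue
            if avc["ttype"] not in ttypes:
                continue
            if perms and not (avc["perms"] & perms):
                continue
            if boolean not in needed:
                needed.append(boolean)
            break
        else:
            # Relabel or investigate; do not reach for allow_ftpd_full_access.
            unmatched.append(avc)
    return {"commands": [f"setsebool -P {b} 1" for b in needed],
            "unmatched": unmatched}


# Constructed sample: the first line is the denial quoted in this bug, the
# rest are made up to exercise the file rules and the non-ftpd filter.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1327782634.323:35432): avc:  denied  { name_connect } for  pid=19122 comm="proftpd" dest=61563 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1327790000.001:35500): avc:  denied  { write } for  pid=19130 comm="proftpd" name="upload.bin" dev="sda2" ino=4242 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file',
    'type=AVC msg=audit(1327790001.002:35501): avc:  denied  { read } for  pid=19131 comm="proftpd" name="data" dev="0:21" ino=17 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1327790002.003:35502): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

if __name__ == "__main__":
    for cmd in suggest_booleans(SAMPLE_AUDIT)["commands"]:
        print(cmd)
```

Run against a real /var/log/audit/audit.log (e.g. `ausearch -m avc -c proftpd --raw`), the output is the minimal set of `setsebool -P` commands the documented booleans cover; anything left in the unmatched list is a labelling question (public_content_t versus public_content_rw_t, for instance) rather than a boolean question.
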
Comment 9 Philip Prindeville 2012-02-28 17:14:45 UTC
You might want to fix the few places where you typed "setsetbool"...

Comment 10 Philip Prindeville 2012-02-28 17:21:18 UTC
Oh, also it's "ftpd_connect_all_unreserved", not "ftp_connect_all_unreserved"... and "ftpd_connect_db", not "ftp_connect_db"...  double-check the names. And it's a space, not an equals, between the name and value.

I'd also consider showing the default value in square brackets, assuming that it's consistent across versions.

Comment 11 Paul Howarth 2012-02-28 18:33:14 UTC
(In reply to comment #9)
> You might want to fix the few places where you typed "setsetbool"...

Hum, the *many* places... fixed.

(In reply to comment #10)
> Oh, also it's "ftpd_connect_all_unreserved", not
> "ftp_connect_all_unreserved"...

Fixed.

> ... and "ftpd_connect_db", not "ftp_connect_db"... 
> double-check the names.

Fixed.

> And it's a space, not an equals, between the name and value.

Ah, I'm right this time! You can also use an equals sign, and I often do, such as after updating my server box to the current Fedora, where I then do:

# setsebool -P ftp_home_dir=1 \
        ftpd_connect_all_unreserved=1 \
        httpd_builtin_scripting=1 \
        httpd_can_network_connect=1 \
        httpd_can_sendmail=1 \
        httpd_enable_cgi=1 \
        httpd_enable_homedirs=1 \
        httpd_unified=0 \
        spamassassin_can_network=1 \
        spamd_enable_home_dirs=1 \
        squid_connect_any=1

> I'd also consider showing the default value in square brackets, assuming that
> it's consistent across versions.

I think all of these ftp booleans default to "off", don't they Dan?

Comment 12 Philip Prindeville 2012-02-28 19:01:21 UTC
(In reply to comment #11)
> I think all of these ftp booleans default to "off", don't they Dan?

getsebool -a

on a pristine box will give you the default values.

Comment 13 Daniel Walsh 2012-02-28 19:41:23 UTC
Yes they should be off by default.

Comment 14 Daniel Walsh 2012-02-28 19:42:33 UTC
BTW Checkout the autogenerated man pages in F17.

man ftpd_selinux

Comment 15 Fedora Update System 2012-02-28 22:11:34 UTC
proftpd-1.3.4a-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/proftpd-1.3.4a-5.fc17

Comment 16 Fedora Update System 2012-02-28 22:11:52 UTC
proftpd-1.3.4a-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/proftpd-1.3.4a-5.fc16

Comment 17 Philip Prindeville 2012-02-28 22:19:21 UTC
You might want to yank this for now.

There's another issue (upstream bug 3615) that needs to be included as well.

Comment 18 Paul Howarth 2012-02-28 22:24:57 UTC
(In reply to comment #17)
> You might want to yank this for now.
> 
> There's another issue (upstream bug 3615) that needs to be included as well.

Sure about that number? That bug was a configuration issue and closed nearly a year ago.

Comment 19 Paul Howarth 2012-02-28 22:25:57 UTC
You should read the package changelog by the way - there's loads of fixes from upstream included in this release.

Comment 20 Philip Prindeville 2012-02-28 22:35:11 UTC
(In reply to comment #18)
> (In reply to comment #17)
> > You might want to yank this for now.
> > 
> > There's another issue (upstream bug 3615) that needs to be included as well.
> 
> Sure about that number? That bug was a configuration issue and closed nearly a
> year ago.

No, I'm not sure. :-)

http://bugs.proftpd.org/show_bug.cgi?id=3751

Comment 21 Paul Howarth 2012-02-28 22:38:05 UTC
Like I said, check the changelog. You'll like it.

Comment 22 Philip Prindeville 2012-02-28 22:40:33 UTC
(In reply to comment #19)
> You should read the package changelog by the way - there's loads of fixes from
> upstream included in this release.

Yeah, just pulled... seeing that now.

Comment 23 Fedora Update System 2012-03-06 20:27:10 UTC
proftpd-1.3.4a-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2012-03-08 21:25:49 UTC
proftpd-1.3.4a-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.