Description of problem:

In FTP, data connections (for get, put, ls, etc.) can either be passive or active. If they're passive, then the client initiates both the control and data connections to the server. This works well for clients behind NATting gateways (as opposed to proper firewalls, which do stateful deep inspection of the control connection). If the connections are active, then the client opens a listening socket, passes its address and port # back to the server, and waits for the server to connect. This works when used with proper stateful firewalls or for clients not behind NAT nor a firewall.

A proper FTP server is required to support both operating modes, as not all clients implement PASV correctly (or may have other administrative restrictions requiring them to use active mode). The default behavior of selinux-policy-targeted should be to support active connections.

Version-Release number of selected component (if applicable):
3.10.0-72

How reproducible:
On a MacOS client I do:

% ftp -A ftp
Connected to ftp.redfish-solutions.com.
220 FTP Server ready.
Name (ftp:philipp): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230- *** Welcome to this anonymous ftp server! ***
You are user 1 out of a maximum of 10 authorized anonymous logins.
The current time here is Sat Jan 28 13:30:33 2012.
If you experience any problems here, contact : root@localhost
230 Anonymous login ok, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful
425 Unable to build data connection: Permission denied
ftp>

and on the Fedora server doing tail -f /var/log/audit/audit.log I see:

type=AVC msg=audit(1327782634.323:35432): avc: denied { name_connect } for pid=19122 comm="proftpd" dest=61563 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1327782634.323:35432): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7fff11d397bc a2=10 a3=7fff11d3979c items=0 ppid=31445 pid=19122 auid=4294967295 uid=0 gid=50 euid=14 suid=14 fsuid=14 egid=50 sgid=50 fsgid=50 tty=(none) ses=4294967295 comm="proftpd" exe=2F7573722F7362696E2F70726F66747064202864656C6574656429 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

Steps to Reproduce:
1. as per above.
2.
3.

Actual results:
Outbound connection fails as above.

Expected results:
Outbound connection should not be blocked.

Additional info:
We have a boolean for this.

# setsebool -P ftpd_connect_all_unreserved 1
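Decoding the two audit records quoted in the report, as an added example that is not code from the bug report, from proftpd, or from the SELinux policy: it parses the AVC line into source domain, target type, class and permission, classifies the destination port against the 32768-61000 range quoted later in this thread, maps the tuple to the boolean Dan names, and decodes the hex-encoded exe field of the SYSCALL record. The BOOLEAN_HINTS table and the port ranges are assumptions of this example; a real tool would query the loaded policy (for instance with sesearch) rather than hard-code the mapping.

```python
"""Triage an SELinux AVC denial before reaching for setsebool.
Added example; the lookup table below is an assumption, not policy data."""
import re

# Constructed samples: the two audit records quoted in the bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1327782634.323:35432): avc: denied { name_connect } '
    'for pid=19122 comm="proftpd" dest=61563 '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'
)
SAMPLE_EXE_HEX = "2F7573722F7362696E2F70726F66747064202864656C6574656429"

# (source domain, target type, object class, permission) -> boolean named in
# this thread. Assumption: only the one tuple the thread documents is listed.
BOOLEAN_HINTS = {
    ("ftpd_t", "unreserved_port_t", "tcp_socket", "name_connect"):
        "ftpd_connect_all_unreserved",
}

# Port range the proposed proftpd.conf comment calls "ephemeral".
EPHEMERAL_RANGE = (32768, 61000)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type component."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict describing one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        "sdomain": context_type(fields["scontext"]) if "scontext" in fields else None,
        "ttype": context_type(fields["tcontext"]) if "tcontext" in fields else None,
        "dest": int(fields["dest"]) if "dest" in fields else None,
    }


def classify_port(port):
    """Coarse classification: privileged, in the quoted ephemeral range, or above it."""
    if port < 1024:
        return "reserved"
    lo, hi = EPHEMERAL_RANGE
    if lo <= port <= hi:
        return "ephemeral"
    return "outside ephemeral range"


def suggest_boolean(rec):
    """Map a denial to the boolean documented in this thread, or None if unknown."""
    for perm in rec["perms"]:
        key = (rec["sdomain"], rec["ttype"], rec["tclass"], perm)
        if key in BOOLEAN_HINTS:
            return BOOLEAN_HINTS[key]
    return None


def decode_audit_field(value):
    """auditd hex-encodes string fields (exe, comm, proctitle, ...) that contain
    spaces or quotes; otherwise the value arrives quoted. Call only on such fields."""
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value.strip('"')


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(rec)
    print("dest port is", classify_port(rec["dest"]))
    print("boolean to consider:", suggest_boolean(rec))
    print("exe:", decode_audit_field(SAMPLE_EXE_HEX))
```

Two things the decoded record tells a responder beyond "flip the boolean": the destination port 61563 lies above the 32768-61000 range, which is why it is labelled unreserved_port_t rather than an ephemeral port type, and the exe path decodes to "/usr/sbin/proftpd (deleted)", meaning the binary on disk was replaced after the daemon started (a package upgrade without a restart is the benign explanation, and worth confirming).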
It would be best if we could document this in the config file if possible. Is there a mechanism to enable/disable non-PASV connections? We were having a discussion via email on this.
I see this has also cropped up in Bug #782177.

The email discussion that preceded this bug report suggested the possibility of detecting whether ftpd_connect_all_unreserved is enabled or not and then blocking active transfers in the configuration file if the boolean is not set. Technically, this would be possible by adding this to the configuration file:

# Block active FTP transfers
<IfDefine NO_ACTIVE_TRANSFERS>
<Limit EPRT PORT>
DenyAll
</Limit>
</IfDefine>

... and then setting the NO_ACTIVE_TRANSFERS symbol at daemon startup.

However, I don't want to do that. The client's experience is just as bad as before:

ftp> pass off
Passive mode off.
ftp> ls
501 EPRT: Operation not permitted
500 LPRT not understood
ftp: bind: Address already in use
ftp>

So I'd prefer to go Dan's way and document in proftpd.conf (where they're most likely to be noticed by the server admin) the SELinux booleans that affect proftpd:

* allow_ftpd_anon_write
* allow_ftpd_full_access
* allow_ftpd_use_cifs
* allow_ftpd_use_nfs
* ftp_home_dir
* ftpd_connect_all_unreserved
* ftpd_connect_db

What do you think, Philip?

Which Fedora/RHEL releases have these booleans? I think ftpd_connect_all_unreserved is quite recent? Are ones that are not currently present on old releases likely to be backported?
No. We don't usually backport booleans. BTW, I have updated Fedora 17 with lots of man pages that document how SELinux interacts with domains, including booleans.
Which of these booleans have been introduced after EL-5? If a boolean isn't universally applicable, I'd like to note it in the config file.
Grepping RHEL5 I see:

tunable_policy(`ftp_home_dir',`
ftp.te:gen_tunable(ftpd_connect_db, false)
ftp.te:tunable_policy(`allow_ftpd_anon_write',`
ftp.te:tunable_policy(`allow_ftpd_use_cifs',`
ftp.te:tunable_policy(`allow_ftpd_use_nfs',`
ftp.te:tunable_policy(`allow_ftpd_full_access',`
ftp.te:tunable_policy(`ftpd_is_daemon',`
ftp.te: tunable_policy(`ftp_home_dir',`
(In reply to comment #3)
> I see this has also cropped up in Bug #782177
>
> The email discussion that preceded this bug report suggested the possibility of
> detecting whether ftpd_connect_all_unreserved is enabled or not and then
> blocking active transfers in the configuration file if the boolean is not set.
> technically, this would be possible by adding this to the configuration file:
>
> # Block active FTP transfers
> <IfDefine NO_ACTIVE_TRANSFERS>
> <Limit EPRT PORT>
> DenyAll
> </Limit>
> </IfDefine>
>
> ... and then setting the NO_ACTIVE_TRANSFERS symbol at daemon startup.
>
> However, I don't want to do that. The client's experience is just as bad as
> before:
>
> ftp> pass off
> Passive mode off.
> ftp> ls
> 501 EPRT: Operation not permitted
> 500 LPRT not understood
> ftp: bind: Address already in use
> ftp>
>
> So I'd prefer to go Dan's way and document in proftpd.conf (where they're most
> likely to be noticed by the server admin) the SELinux booleans that affect
> proftpd:
>
> * allow_ftpd_anon_write
> * allow_ftpd_full_access
> * allow_ftpd_use_cifs
> * allow_ftpd_use_nfs
> * ftp_home_dir
> * ftpd_connect_all_unreserved
> * ftpd_connect_db
>
> What do you think, Philip?

I think that proftpd.conf would be a good place, since we can no longer do it with a configuration variable in /etc/sysconfig/proftpd that would activate the boolean... at least not in f16 and later.
Here is the text I propose to add near the top of proftpd.conf. Comments welcome.

# Security-Enhanced Linux (SELinux) Notes:
#
# In Fedora and Red Hat Enterprise Linux, ProFTPD runs confined by SELinux
# in order to mitigate the effects of an attacker taking advantage of an
# unpatched vulnerability and getting control of the ftp server. By default,
# ProFTPD cannot read or write most files on a system nor connect to many
# external network services, but these restrictions can be relaxed by
# setting SELinux booleans as follows:
#
# setsetbool -P allow_ftpd_anon_write=1
# This allows the ftp daemon to write to files and directories labelled
# with the public_content_rw_t context type; the daemon would only have
# read access to these files normally. Files to be made available by ftp
# but not writeable should be labelled public_content_t.
#
# setsetbool -P allow_ftpd_full_access=1
# This allows the ftp daemon to read and write all files on the system.
#
# setsetbool -P allow_ftpd_use_cifs=1
# This allows the ftp daemon to read and write files on CIFS-mounted
# filesystems.
#
# setsetbool -P allow_ftpd_use_nfs=1
# This allows the ftp daemon to read and write files on NFS-mounted
# filesystems.
#
# setsetbool -P ftp_home_dir=1
# This allows the ftp daemon to read and write files in users' home
# directories.
#
# setsetbool -P ftp_connect_all_unreserved=1
# This setting is only available from Fedora 16/RHEL-7 onwards, and is
# necessary for active-mode ftp transfers to work reliably with non-Linux
# clients (see http://bugzilla.redhat.com/782177), which may choose to
# use port numbers outside the "ephemeral port" range of 32768-61000.
#
# setsetbool -P ftp_connect_db=1
# This setting allows the ftp daemon to connect to commonly-used database
# ports over the network, which is necessary if you are using a database
# back-end for user authentication, etc.
#
# setsebool -P ftpd_is_daemon=1
# This setting is available only in Fedora releases 4 to 6 and Red Hat
# Enterprise Linux 5. It should be set if ProFTPD is running in standalone
# mode, and unset if running in inetd mode.
#
# setsebool -P ftpd_disable_trans=1
# This setting is available only in Fedora releases 4 to 6 and Red Hat
# Enterprise Linux 5, and when set it removes the SELinux confinement of the
# ftp daemon. Needless to say, its use is not recommended.
#
# See also the "ftpd_selinux" manpage.
#
# Note that the "-P" option to setsebool makes the setting permanent, i.e.
# it will still be in effect after a reboot; without the "-P" option, the
# effect only lasts until the next reboot.
#
# Restrictions imposed by SELinux are on top of those imposed by ordinary
# file ownership and access permissions; in normal operation, the ftp daemon
# will not be able to read and/or write a file unless *all* of the ownership,
# permission and SELinux restrictions allow it.
You might want to fix the few places where you typed "setsetbool"...
Oh, also it's "ftpd_connect_all_unreserved", not "ftp_connect_all_unreserved"... and "ftpd_connect_db", not "ftp_connect_db"... double-check the names. And it's a space, not an equals, between the name and value. I'd also consider showing the default value in square brackets, assuming that it's consistent across versions.
(In reply to comment #9)
> You might want to fix the few places where you typed "setsetbool"...

Hum, the *many* places... fixed.

(In reply to comment #10)
> Oh, also it's "ftpd_connect_all_unreserved", not
> "ftp_connect_all_unreserved"...

Fixed.

> ... and "ftpd_connect_db", not "ftp_connect_db"...
> double-check the names.

Fixed.

> And it's a space, not an equals, between the name and value.

Ah, I'm right this time! You can also use an equals sign, and I often do, such as after updating my server box to the current Fedora, where I then do:

# setsebool -P ftp_home_dir=1 \
  ftpd_connect_all_unreserved=1 \
  httpd_builtin_scripting=1 \
  httpd_can_network_connect=1 \
  httpd_can_sendmail=1 \
  httpd_enable_cgi=1 \
  httpd_enable_homedirs=1 \
  httpd_unified=0 \
  spamassassin_can_network=1 \
  spamd_enable_home_dirs=1 \
  squid_connect_any=1

> I'd also consider showing the default value in square brackets, assuming that
> it's consistent across versions.

I think all of these ftp booleans default to "off", don't they Dan?
(In reply to comment #11)
> I think all of these ftp booleans default to "off", don't they Dan?

getsebool -a on a pristine box will give you the default values.
Yes they should be off by default.
BTW, check out the autogenerated man pages in F17: man ftpd_selinux
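The review comments above caught a misspelled command ("setsetbool") and two wrong boolean names in the proposed comment block, and suggested showing each boolean's default in square brackets. As an added example (not code from the bug report, from proftpd, or from the SELinux tools), the script below checks every setsebool line in such a comment block against the boolean names the policy actually has, suggests the closest real name for anything unknown, and renders correct lines with their default appended. Both inputs are constructed: GETSEBOOL_OUTPUT stands in for `getsebool -a` on a Fedora 16/17 box and lists only the ftp booleans named in this thread, and PROPOSED_COMMENT is a short excerpt containing the mistakes discussed.

```python
"""Lint setsebool lines in a proposed proftpd.conf comment block.
Added example; inputs are constructed stand-ins, not real tool output."""
import difflib
import re

# Constructed stand-in for `getsebool -a`, limited to the booleans in this thread.
GETSEBOOL_OUTPUT = """\
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
"""

# Constructed excerpt: one misspelled command, one misspelled boolean, one good line.
PROPOSED_COMMENT = """\
# Security-Enhanced Linux (SELinux) Notes:
#
# setsetbool -P allow_ftpd_anon_write=1
# This allows the ftp daemon to write to public_content_rw_t files.
#
# setsebool -P ftp_connect_all_unreserved=1
# Needed for active-mode transfers to non-Linux clients.
#
# setsebool -P ftpd_connect_db 1
"""

# A documented command line looks like "# <command> [-P] <boolean>[=| ]<value>";
# both "name=value" and "name value" are accepted, as noted in the thread.
CMD_RE = re.compile(
    r"^#\s*(?P<cmd>set\w+)\s+(?:-P\s+)?(?P<name>[A-Za-z0-9_]+)"
    r"(?:\s*=\s*|\s+)(?P<value>0|1|on|off)\s*$"
)


def parse_getsebool(text):
    """'name --> value' lines -> {name: value}."""
    booleans = {}
    for line in text.splitlines():
        name, sep, value = line.partition("-->")
        if sep:
            booleans[name.strip()] = value.strip()
    return booleans


def lint_comment(comment, booleans):
    """Return findings as (line number, kind, message, suggestion-or-None)."""
    findings = []
    for lineno, line in enumerate(comment.splitlines(), start=1):
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd, name = m.group("cmd"), m.group("name")
        if cmd != "setsebool":
            hint = difflib.get_close_matches(cmd, ["setsebool"], n=1, cutoff=0.6)
            findings.append((lineno, "command", f"unknown command '{cmd}'",
                             hint[0] if hint else None))
        if name not in booleans:
            hint = difflib.get_close_matches(name, list(booleans), n=1, cutoff=0.8)
            findings.append((lineno, "boolean", f"unknown boolean '{name}'",
                             hint[0] if hint else None))
    return findings


def render_with_defaults(comment, booleans):
    """Append '[default: <value>]' to each correct setsebool line; lines with
    problems are left untouched so the linter's findings still apply."""
    out = []
    for line in comment.splitlines():
        m = CMD_RE.match(line)
        if m and m.group("cmd") == "setsebool" and m.group("name") in booleans:
            line = f"{line.rstrip()}   [default: {booleans[m.group('name')]}]"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    known = parse_getsebool(GETSEBOOL_OUTPUT)
    for lineno, kind, msg, hint in lint_comment(PROPOSED_COMMENT, known):
        print(f"line {lineno}: {kind}: {msg}" + (f" (did you mean '{hint}'?)" if hint else ""))
    print(render_with_defaults(PROPOSED_COMMENT, known))
```

On a real box the GETSEBOOL_OUTPUT constant would be replaced by the captured output of `getsebool -a`, which also answers the question of whether the defaults are consistent across releases: run it on each release you ship the comment block for and diff the results before trusting the bracketed values.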
proftpd-1.3.4a-5.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/proftpd-1.3.4a-5.fc17
proftpd-1.3.4a-5.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/proftpd-1.3.4a-5.fc16
You might want to yank this for now. There's another issue (upstream bug 3615) that needs to be included as well.
(In reply to comment #17)
> You might want to yank this for now.
>
> There's another issue (upstream bug 3615) that needs to be included as well.

Sure about that number? That bug was a configuration issue and closed nearly a year ago.
You should read the package changelog by the way - there's loads of fixes from upstream included in this release.
(In reply to comment #18)
> (In reply to comment #17)
> > You might want to yank this for now.
> >
> > There's another issue (upstream bug 3615) that needs to be included as well.
>
> Sure about that number? That bug was a configuration issue and closed nearly a
> year ago.

No, I'm not sure. :-)

http://bugs.proftpd.org/show_bug.cgi?id=3751
Like I said, check the changelog. You'll like it.
(In reply to comment #19)
> You should read the package changelog by the way - there's loads of fixes from
> upstream included in this release.

Yeah, just pulled... seeing that now.
proftpd-1.3.4a-5.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
proftpd-1.3.4a-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.