http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
Better handling of proftpd
Added handling of sftpd from sshd
On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
>
> Better handling of proftpd
Why does ftpd_t need sys_admin?
The change for ftp_home_dir is not acceptable. Enabling that tunable
shouldn't allow access to all files.
Why does ftp need to connect to a db?
> Added handling of sftpd from sshd
Otherwise merged.
--
Chris PeBenito
Tresys Technology, LLC
I don't know in relation to this policy, but I know ProFTPD can use a
mysql db for authentication.
Later,
Chris
On 04/26/2010 02:20 PM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
>>
>> Better handling of proftpd
>>
> Why does ftpd_t need sys_admin?
>
> The change for ftp_home_dir is not acceptable. Enabling that tunable
> shouldn't allow access to all files.
>
> Why does ftp need to connect to a db?
>
>
>> Added handling of sftpd from sshd
>>
> Otherwise merged.
>
>
On Mon, 26 Apr 2010 14:36:26 -0500
Chris Richards <[email protected]> wrote:
> I don't know in relation to this policy, but I know ProFTPD can use a
> mysql db for authentication.
>
> Later,
> Chris
>
> On 04/26/2010 02:20 PM, Christopher J. PeBenito wrote:
> > On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
> >
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
> >>
> >> Better handling of proftpd
> >>
> > Why does ftpd_t need sys_admin?
> >
> > The change for ftp_home_dir is not acceptable. Enabling that
> > tunable shouldn't allow access to all files.
> >
> > Why does ftp need to connect to a db?
Not just ProFTPd. See discussion here:
http://lists.fedoraproject.org/pipermail/selinux/2009-February/010463.html
Paul.
On 04/26/2010 03:02 PM, Paul Howarth wrote:
> Not just ProFTPd. See discussion here:
>
> http://lists.fedoraproject.org/pipermail/selinux/2009-February/010463.html
>
> Paul.
>
This probably isn't a discussion to have here, but I've really got to ask: wouldn't we be better served using PAM with the mysql plugin for this kind of stuff?
On 04/26/2010 03:20 PM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
>>
>> Better handling of proftpd
>
> Why does ftpd_t need sys_admin?
mounting file system on login?
>
> The change for ftp_home_dir is not acceptable. Enabling that tunable
> shouldn't allow access to all files.
>
Perhaps we need another boolean, to allow full access. If someone wants to
allow an ftp server to provide access to all files on the machine.
> Why does ftp need to connect to a db?
>
You can use a mysql database as a back end for ftp.
>> Added handling of sftpd from sshd
>
> Otherwise merged.
>
On 04/27/2010 02:55 PM, Daniel J Walsh wrote:
> On 04/26/2010 03:20 PM, Christopher J. PeBenito wrote:
>> On Tue, 2010-02-23 at 17:12 -0500, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_ftp.patch
>>>
>>> Better handling of proftpd
>
>> Why does ftpd_t need sys_admin?
> mounting file system on login?
>
>> The change for ftp_home_dir is not acceptable. Enabling that tunable
>> shouldn't allow access to all files.
>
> Perhaps we need another boolean, to allow full access. If someone wants to
> allow an ftp server to provide access to all files on the machine.
Looks like that is already in place:
tunable_policy(`sftpd_full_access',`
	allow sftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(sftpd_t)
	auth_manage_all_files_except_shadow(sftpd_t)
')
>> Why does ftp need to connect to a db?
>
> You can use a mysql database as a back end for ftp.
>>> Added handling of sftpd from sshd
>
>> Otherwise merged.
>
>
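To illustrate the design point raised in this thread (ftp_home_dir should stay limited to home directories, with whole-system access behind its own switch), here is an added refpolicy-style example; it is not from the patch or from refpolicy itself. The boolean name ftpd_full_access is assumed, modelled on the sftpd_full_access block quoted above, and the userdom/files interfaces used are standard refpolicy interfaces.

```m4
## <desc>
## <p>Allow ftp servers to read and write files in user home directories.</p>
## </desc>
gen_tunable(ftp_home_dir, false)

## <desc>
## <p>Allow ftp servers to read and write all files on the system except
## shadow. Keep this off unless the server really must export the whole
## filesystem.</p>
## </desc>
gen_tunable(ftpd_full_access, false)

# Home-directory access only: this tunable reaches user home content and
# the /home listing needed to get there, nothing else on the system.
tunable_policy(`ftp_home_dir',`
	allow ftpd_t self:capability { dac_override dac_read_search };
	files_list_home(ftpd_t)
	userdom_manage_user_home_content_dirs(ftpd_t)
	userdom_manage_user_home_content_files(ftpd_t)
	userdom_manage_user_home_content_symlinks(ftpd_t)
	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
')

# Whole-system access is a deliberately separate boolean (assumed name),
# mirroring the sftpd_full_access block, so that turning on ftp_home_dir
# never widens the server's reach beyond home directories.
tunable_policy(`ftpd_full_access',`
	allow ftpd_t self:capability { dac_override dac_read_search };
	fs_read_noxattr_fs_files(ftpd_t)
	auth_manage_all_files_except_shadow(ftpd_t)
')
```

After loading a policy built with both tunables, `getsebool ftp_home_dir ftpd_full_access` shows which of the two is actually enabled on a host, which is the check an auditor would want when an ftp server is found reading outside /home.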