FTPRecipes

From SELinux Wiki


File Transfer Protocol (FTP) daemons can be configured to serve different purposes. SELinux restricts FTP daemons to the minimum privileges required.

There are different FTP daemons available but most of these servers provide similar functionality. Generally speaking all FTP servers should be able to operate in the ftpd_t SELinux domain.

The following examples demonstrate how SELinux can be configured to allow FTP only what is required to operate successfully.


Executing an FTP daemon in the ftpd_t SELinux domain

The current SELinux module for FTP supports several common FTP daemons by default, such as ProFTPd, vsFTPd and MuddleFTPd.

If you have installed and configured an FTP daemon that is not yet covered by the policy, you can add a file context specification for the daemon's executable to the system-wide file context specifications and then restore the executable's context to the one you specified. Once the executable is labelled ftpd_exec_t, the daemon runs in the ftpd_t domain when it is started.

To specify a file context for the "myftpd" FTP daemon executable file:

sudo /usr/sbin/semanage fcontext -a -t ftpd_exec_t /usr/sbin/myftpd  

To restore the context of the "myftpd" FTP daemon executable file to the file context that was specified:

sudo /sbin/restorecon -v /usr/sbin/myftpd

The labelling of objects belonging to an FTP daemon that is not supported by default is not limited to the executable file.

If your FTP daemon is started by an init script, that script should be labelled in the same way:

sudo /usr/sbin/semanage fcontext -a -t ftpd_initrc_exec_t "/etc/rc.d/init.d/myftpd"
sudo /sbin/restorecon -v /etc/rc.d/init.d/myftpd

The same applies to PID files and log files that may be part of your FTP server package: PID files take the type ftpd_var_run_t and log files the type xferlog_t.

Reading and writing objects through FTP

FTP servers read and write objects on behalf of remote users that connect to FTP servers using FTP Clients.

To allow the FTP server to read files on behalf of clients, label the objects with the type public_content_t.

sudo /usr/sbin/semanage fcontext -a -f -d -t public_content_t /srv/myftproot
sudo /sbin/restorecon -v /srv/myftproot

This allows the FTP daemon to read the /srv/myftproot directory on behalf of FTP clients. The "-f -d" option restricts the specification to directories (newer semanage releases spell it "-f d").

The FTP daemon SELinux policy controls how the daemon may interact with objects. Without any further tuning, ftpd_t can read objects labelled public_content_t.

In the example above we labelled the directory /srv/myftproot itself with public_content_t, which allows our FTP service to read that directory. In the next example /srv/myftproot/public and everything below it is labelled with the type that our FTP daemon can read:

sudo /usr/sbin/semanage fcontext -a -t public_content_t "/srv/myftproot/public(/.*)?"
sudo /sbin/restorecon -R -v /srv/myftproot/public

All files placed below /srv/myftproot/public will be readable by our FTP server, because the ftpd_t domain is allowed to read objects of type public_content_t.

Allowing our FTP daemon to write to a location requires different rules. In the next example /srv/myftproot/incoming and everything below it is labelled with the type that our FTP daemon can write to:

sudo /usr/sbin/semanage fcontext -a -t public_content_rw_t "/srv/myftproot/incoming(/.*)?"
sudo /sbin/restorecon -R -v /srv/myftproot/incoming
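The labelling steps above (daemon executable, init script, PID and log files, and the read-only and writable site directories) are easiest to get right as one repeatable script that also verifies the outcome. The following is an added example and not part of the wiki recipe: it installs the file context rules with semanage, relabels, and audits the result from "stat -c '%C %n'" output. The daemon name "myftpd", the init script path, /var/run/myftpd.pid, /var/log/myftpd and the /srv/myftproot layout are assumptions chosen to match the examples on this page.

```shell
#!/bin/sh
# Added example; not part of the SELinux wiki recipe. Labels a third-party
# FTP daemon ("myftpd", the page's placeholder name) and the FTP root under
# /srv/myftproot with the types named on this page, then audits the result.
# All paths are assumptions chosen to match the recipe.

DAEMON=${DAEMON:-myftpd}
FTPROOT=${FTPROOT:-/srv/myftproot}

# Rule table, one per line: "type|regex given to semanage|path to restorecon".
# Ordered from general to specific so that later entries win in expected_type.
ftpd_fcontext_rules() {
    printf '%s|%s|%s\n' \
        ftpd_exec_t         "/usr/sbin/$DAEMON"             "/usr/sbin/$DAEMON" \
        ftpd_initrc_exec_t  "/etc/rc\\.d/init\\.d/$DAEMON"  "/etc/rc.d/init.d/$DAEMON" \
        ftpd_var_run_t      "/var/run/$DAEMON\\.pid"        "/var/run/$DAEMON.pid" \
        xferlog_t           "/var/log/$DAEMON(/.*)?"        "/var/log/$DAEMON" \
        public_content_t    "$FTPROOT"                      "$FTPROOT" \
        public_content_t    "$FTPROOT/public(/.*)?"         "$FTPROOT/public" \
        public_content_rw_t "$FTPROOT/incoming(/.*)?"       "$FTPROOT/incoming"
}

# Install every rule and relabel the paths that exist (root + policycoreutils).
apply_ftpd_fcontext() {
    ftpd_fcontext_rules | while IFS='|' read -r type regex path; do
        semanage fcontext -a -t "$type" "$regex"
        if [ -e "$path" ]; then restorecon -R -v "$path"; fi
    done
}

# Type a path should carry according to the rule table, "unknown" if no rule
# covers it. The here-document keeps the loop in the current shell so that
# the result survives (a pipe would run it in a subshell).
expected_type() {
    found=unknown
    while IFS='|' read -r type regex path; do
        case "$1" in
            "$path"|"$path"/*) found=$type ;;
        esac
    done <<EOF
$(ftpd_fcontext_rules)
EOF
    printf '%s\n' "$found"
}

# The type is the third colon-separated field of a security context.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Read "<context> <path>" lines (the output of: stat -c '%C %n' PATH...) from
# stdin, print every path whose type is not the expected one, return 1 if any.
audit_labels() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        got=$(selinux_type "$ctx")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s is %s, expected %s\n' "$path" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Usage: label-ftpd.sh apply                                   (as root)
#        label-ftpd.sh audit /usr/sbin/myftpd /srv/myftproot/incoming
case "${1:-}" in
    apply) apply_ftpd_fcontext ;;
    audit) shift; stat -c '%C %n' "$@" | audit_labels ;;
esac
```

The audit step is the part worth keeping around: after any package upgrade or a manual copy of the binary, run it again, because a file that was replaced by cp or an installer may silently come back as bin_t and the daemon will then start unconfined or fail to transition into ftpd_t.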

For SELinux to allow the ftpd_t domain to write to this location, the policy has to be tuned. The policy can be tuned on the fly by toggling the SELinux boolean "allow_ftpd_anon_write" (newer policies name it ftpd_anon_write, without the allow_ prefix), which lets the FTP daemon write to every path labelled public_content_rw_t.

sudo /usr/sbin/semanage boolean -m --on allow_ftpd_anon_write

This will allow our FTP server to write to the /srv/myftproot/incoming directory. Because the boolean is system-wide it also applies to any other location carrying the public_content_rw_t type, so label only the directories that really need uploads.

If the FTP content is located on an NFS or Samba share, we can instruct SELinux to allow our FTP daemon to read that content as well.

sudo /usr/sbin/semanage boolean -m --on allow_ftpd_use_cifs

This allows our FTP server to read samba shares.

sudo /usr/sbin/semanage boolean -m --on allow_ftpd_use_nfs

This allows our FTP server to read NFS shares.

To allow our FTP service to also write to Samba or NFS locations, the "allow_ftpd_anon_write" boolean has to be toggled on as well.

Hosting user directories using FTP

FTP daemons can be configured to serve user directories. Unlike with public FTP servers, clients are required to authenticate when an FTP daemon is configured to host Linux user directories. These clients log in with their Linux password and have their own user directory on the FTP server.

SELinux can be configured to allow this functionality if required. By toggling a boolean we can instruct SELinux to allow our FTP daemon SELinux domain to read and write user content.

sudo /usr/sbin/semanage boolean -m --on ftp_home_dir

This will allow our FTP daemon to log clients into their user directory and read and write user content as well as read all the files that are required to make the user authentication succeed with the exception of the /etc/shadow file.

Currently this also allows our FTP service to search directories that store system web content.

Optionally our FTP server can be allowed to manage almost every file. Using this is not encouraged, since it removes most of the confinement, but it may be required in some scenarios.

sudo /usr/sbin/semanage boolean -m --on allow_ftpd_full_access

This will allow our FTP server to read and write all files except the file /etc/shadow.

SELinux can also be configured to allow our FTP daemon to support "old style" Samba and NFS home directories. If our user directories are mounted over NFS or Samba, we can instruct SELinux to allow our FTP daemon to read and write that content.

sudo /usr/sbin/semanage boolean -m --on use_nfs_home_dirs
sudo /usr/sbin/semanage boolean -m --on ftp_home_dir

This will allow our FTP daemon to read and write NFS mounted user directories and it will also allow the FTP server to read the files that are required to authenticate Linux users.

sudo /usr/sbin/semanage boolean -m --on use_samba_home_dirs
sudo /usr/sbin/semanage boolean -m --on ftp_home_dir

Similar to above this will allow our FTP daemon to read and write Samba mounted directories and it will also allow the FTP server to read the files that are required to authenticate Linux users.

Storing virtual FTP users in a database

FTP daemons can also be configured to use virtual users. These clients still have to authenticate, but instead of Linux logins the FTP server itself checks the credentials, and it can be configured to keep them in a database.

To allow our FTP daemon to connect to database network ports, we have to toggle a boolean.

sudo /usr/sbin/semanage boolean -m --on ftpd_connect_db

This will allow our FTP server to network connect to MySQL and PostgreSQL database servers.
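The booleans in this section, in the section on user directories above and in the read/write section before it are global switches, so it pays to check what is actually on before and after changing them. The following added shell script (not from the wiki) maps what a site needs to the booleans this page names, reads a "getsebool -a" dump and prints the "setsebool -P" commands (equivalent to "semanage boolean -m --on") for whatever is still off. It accepts both the allow_-prefixed names used on this page and the newer names without the prefix (ftpd_anon_write, ftpd_use_nfs, ftpd_use_cifs, ftpd_full_access); the need keywords write, nfs, cifs, home, nfs-home, samba-home, db and full are this script's own vocabulary, not SELinux terms.

```shell
#!/bin/sh
# Added example; not part of the SELinux wiki recipe. Maps what an FTP site
# needs to the booleans this page names, checks them against a `getsebool -a`
# dump and prints the setsebool -P commands for any that are still off.
# Booleans are listed with the older allow_ spelling used on this page first
# and the newer unprefixed spelling second; whichever the policy has is used.
# The need keywords below are an assumption of this script, not SELinux terms.

# Print one line of alternative boolean names per requirement for a need.
# Writing to NFS/CIFS content needs both "write" and "nfs"/"cifs", as the
# page explains.
booleans_for() {
    case "$1" in
        write)      echo "allow_ftpd_anon_write ftpd_anon_write" ;;
        nfs)        echo "allow_ftpd_use_nfs ftpd_use_nfs" ;;
        cifs)       echo "allow_ftpd_use_cifs ftpd_use_cifs" ;;
        home)       echo "ftp_home_dir" ;;
        nfs-home)   echo "ftp_home_dir"; echo "use_nfs_home_dirs" ;;
        samba-home) echo "ftp_home_dir"; echo "use_samba_home_dirs" ;;
        db)         echo "ftpd_connect_db" ;;
        full)       echo "allow_ftpd_full_access ftpd_full_access" ;;  # discouraged
        *)          echo "unknown need: $1" >&2; return 2 ;;
    esac
}

# Read getsebool lines ("name --> on|off") from stdin; print "name state" for
# the first of the given alternative names that exists, nothing if none does.
bool_state() {
    awk -v names="$*" '
        BEGIN { n = split(names, want, " ") }
        { for (i = 1; i <= n; i++) if ($1 == want[i]) { print $1, $3; exit } }'
}

# audit_ftpd_booleans DUMPFILE NEED...: print a setsebool command for each
# required boolean that is off; return 1 if anything is off or missing.
audit_ftpd_booleans() {
    dump=$1; shift
    rc=0
    for need in "$@"; do
        lines=$(booleans_for "$need") || return 2
        while read -r names; do
            [ -n "$names" ] || continue
            state=$(bool_state $names < "$dump")   # unquoted: split alternatives
            case "$state" in
                *" on")  ;;
                *" off") echo "setsebool -P ${state% *} on"; rc=1 ;;
                "")      echo "# no boolean named $names in this policy" >&2; rc=1 ;;
            esac
        done <<EOF
$lines
EOF
    done
    return $rc
}

# Usage: ftpd-booleans.sh audit write nfs     (reads the live getsebool -a)
if [ "${1:-}" = audit ]; then
    shift
    tmp=$(mktemp)
    getsebool -a > "$tmp"
    rc=0
    audit_ftpd_booleans "$tmp" "$@" || rc=$?
    rm -f "$tmp"
    exit $rc
fi
```

Run the audit with the smallest set of needs the site really has; if it reports "full" as the only way to make something work, that is usually a sign of mislabelled content rather than a reason to turn on allow_ftpd_full_access.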
