ftpd and PAM

Paul Howarth paul at city-fan.org
Tue Jun 26 14:36:58 UTC 2007


Daniel J Walsh wrote:
> Paul Howarth wrote:
>> Daniel J Walsh wrote:
>>> Paul Howarth wrote:
>>>> Paul Howarth wrote:
>>>>> The PAM config files for vsftpd and proftpd look like this:
>>>>>
>>>>> #%PAM-1.0
>>>>> session    optional     pam_keyinit.so    force revoke
>>>>> auth       required     pam_listfile.so item=user sense=deny 
>>>>> file=/etc/vsftpd/ftpusers onerr=succeed
>>>>> auth       required     pam_shells.so
>>>>> auth       include      system-auth
>>>>> account    include      system-auth
>>>>> session    include      system-auth
>>>>> session    required     pam_loginuid.so
>>>>>
>>>>> So it makes sense for ftpd_t to be able to set the login uid and 
>>>>> create a session keyring:
>>>>>
>>>>> logging_set_loginuid(ftpd_t)
>>>>> allow ftpd_t self:key { write search link };
>>>>>
>>>>>
>>>>> Curiously, I've done this locally but still get this AVC when 
>>>>> logging in on proftpd, with an open dovecot IMAP session on the 
>>>>> same server:
>>>>>
>>>>> type=AVC msg=audit(1182853960.377:103383): avc:  denied  { link } 
>>>>> for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 
>>>>> tcontext=root:system_r:dovecot_t:s0 tclass=key
>>>>
>>>> FWIW, I'm also getting in /var/log/secure:
>>>>
>>>> Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() 
>>>> failed: Operation not permitted
>>>> Jun 26 12:09:42 goalkeeper proftpd[25559]: 
>>>> goalkeeper.intra.city-fan.org 
>>>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
>>>> Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): 
>>>> session closed for user paul
>>>> Jun 26 12:09:42 goalkeeper proftpd[25559]: 
>>>> goalkeeper.intra.city-fan.org 
>>>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): 
>>>> System error
>>>> Jun 26 12:09:42 goalkeeper proftpd[25559]: 
>>>> goalkeeper.intra.city-fan.org 
>>>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
>>>>
>>>> I don't see any AVCs to go with these, and adding:
>>>>
>>>> logging_send_audit_msg(ftpd_t)
>>>>
>>>> doesn't seem to help.
>>>>
>>>> Paul.
>>>>
>>> This could be caused by proftpd not running as root and not having the 
>>> auth_write capability.  So a DAC error could be causing this problem.
>>
>> Proftpd runs as nobody out of the box; what would I need to change to 
>> fix this? Which object's DAC permissions are the problem?
> proftpd would need to start as root and then setuid to "nobody". When it 
> does setuid it would need to keep the AUDIT_WRITE capability.

OK thanks. It does most of this already. There's a proftpd module 
mod_cap that gets built by default and allows the specification of 
capabilities to retain, but unfortunately CAP_AUDIT_WRITE isn't one of 
the capabilities it manipulates. However, a quick patch fixed that and 
now it seems OK:

Jun 26 14:33:44 goalkeeper proftpd: pam_unix(proftpd:session): session 
opened for user paul by (uid=0)
Jun 26 14:33:44 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org 
(::ffff:192.168.2.20[::ffff:192.168.2.20]) - USER paul: Login successful.
Jun 26 14:33:48 goalkeeper proftpd: pam_unix(proftpd:session): session 
closed for user paul
Jun 26 14:33:48 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org 
(::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.

Paul.
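The privilege drop Daniel describes (start as root, setuid to "nobody", keep CAP_AUDIT_WRITE so PAM's audit_log_user_message() still works), as an added example in C that is not proftpd's mod_cap or anything posted in this thread. It uses raw capset(2)/capget(2) through syscall() rather than libcap; the function names and the uid/gid passed by the caller are the example's own assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#define CAP_WORDS _LINUX_CAPABILITY_U32S_3   /* two 32-bit words per capability set */

/* Fill data[] so that only `cap` is permitted and effective; inheritable stays empty. */
int build_capset_keeping(int cap, struct __user_cap_data_struct data[CAP_WORDS])
{
    if (cap < 0 || cap >= 32 * CAP_WORDS) return -1;
    memset(data, 0, sizeof(struct __user_cap_data_struct) * CAP_WORDS);
    unsigned bit = 1u << (cap % 32);
    data[cap / 32].permitted = bit;
    data[cap / 32].effective = bit;
    return 0;
}

/* Does the calling process currently hold `cap` in its effective set? (check helper) */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0 = self */
    struct __user_cap_data_struct data[CAP_WORDS];
    if (cap < 0 || cap >= 32 * CAP_WORDS) return 0;
    if (syscall(SYS_capget, &hdr, data) < 0) return 0;
    return (data[cap / 32].effective >> (cap % 32)) & 1u;
}

/* Switch from root to uid/gid keeping only `cap`, e.g. CAP_AUDIT_WRITE. Must run as root. */
int drop_privs_keeping(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    if (build_capset_keeping(cap, data) < 0) return -1;
    /* Keep the permitted set across the uid change; setuid() still clears the effective set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* Re-raise just `cap` into the effective set and drop everything else from permitted. */
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);   /* no longer needed after the switch */
    return 0;
}
```

A daemon would call drop_privs_keeping(uid, gid, CAP_AUDIT_WRITE) once, right after binding its sockets and before handling clients, and can log has_effective_cap(CAP_AUDIT_WRITE) at start-up to confirm the audit capability survived the switch.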
