Re: vsftpd not changing security context while dropping privileges

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 08/30/2009 03:58 PM, Fernando Magro wrote:
> Hi,
> 
> I noticed vsftpd starts running with UID 0 and MLS s0. When a user
> logs in, a new process is spawn (forked) from vsftpd and UID is
> changed to match the user. The problem is that MLS stays in s0, so if
> the user has a different MLS it will make everything fail. Starting
> vsftpd with s0-s0:c0.c1023 would be an option, but will then bypass
> per-user MLS security. So IMHO vsftpd should be patched to change
> security context when forking a new process.
> 
> You can reproduce the problem by running:
> # semanage user -m -r s0-s0:c0.c1023 user_u
> # groupadd testing
> # useradd -m -g testing -Z user_u testing
> # semanage login -m -r s0:c3 testing
> # chcon -R -l s0:c3 /home/testing
> # /etc/init.d/vsftpd start
> # lftp
> open -u testing,password localhost
> ls
> 
> Daniel Walsh said at https://bugzilla.redhat.com/show_bug.cgi?id=518569 :
> Lets bring this up for discussion on the SELinux list.
> 
> There are two possibilities, here,  One is to just change the level on the
> vstfpd process to run at the appropriate level of the user.  The second would
> be to change the type, in order to run as a type appropriate for the user.  IE
> With different privs then the vsftpd server.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
Fernando, I meant the Developers SELinux list which is selinux@xxxxxxxxxxxxx

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux