On 3/2/2015 2:34 PM, John R Pierce wrote:
> step 1) delete FTPD, and use ssh/scp/rscp instead.

errr, I meant, sftp, not rscp

-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast
> errr, I meant, sftp, not rscp

Heh.. yeah. But the client isn't gonna go for that. LOL. Any way to allow regular ol' FTP using SELinux? Or does that just defeat the purpose of having a secure SELinux server entirely?

Thanks
Tim

On Mon, Mar 2, 2015 at 5:35 PM, John R Pierce <pierce at hogranch.com> wrote:
> On 3/2/2015 2:34 PM, John R Pierce wrote:
>> step 1) delete FTPD, and use ssh/scp/rscp instead.
>
> errr, I meant, sftp, not rscp
>
> --
> john r pierce                                      37N 122W
> somewhere on the middle of the left coast
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> Heh.. yeah. But the client isn't gonna go for that. LOL. Any way to allow
> regular ol' FTP using SELinux? Or does that just defeat the purpose of
> having a secure SELinux server entirely?

Maybe use FTP in a jail? Or Linux containers?
2015-03-03 0:43 GMT+02:00 Tim Dunphy <bluethundr at gmail.com>:
>>> errr, I meant, sftp, not rscp
>
> Heh.. yeah. But the client isn't gonna go for that. LOL. Any way to allow
> regular ol' FTP using SELinux? Or does that just defeat the purpose of
> having a secure SELinux server entirely?

FTP is not safe, as it does not encrypt username(s) and password(s) or traffic during transfer. RHEL/CentOS provides SELinux booleans and settings at least for vsftpd (very secure ftpd). Please use it, if possible.

-- 
Eero
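As an added illustration of the vsftpd booleans Eero refers to (this is not code from the thread or from the vsftpd/SELinux projects), the script below reads `getsebool -a` style output and flags the booleans that widen what a confined vsftpd may touch. The boolean names are real RHEL/CentOS booleans; the risk descriptions are ours, and the sample output is constructed rather than captured from a host.

```shell
#!/bin/sh
# Added example: audit the SELinux booleans that broaden vsftpd's reach.
# On a real host run:  getsebool -a | audit_ftp_booleans
# Each flagged boolean trades confinement for convenience; leave it off
# unless the FTP service actually needs what it grants.

# ftp_boolean_risk NAME: print what enabling NAME permits; non-zero if NAME
# is not one of the booleans we consider risky for vsftpd.
ftp_boolean_risk() {
    case "$1" in
        ftpd_full_access) echo "vsftpd may read and write any file regardless of its SELinux type" ;;
        ftp_home_dir)     echo "vsftpd may read and write users' home directories" ;;
        ftpd_anon_write)  echo "anonymous sessions may upload into public_content_rw_t directories" ;;
        *)                return 1 ;;
    esac
}

# audit_ftp_booleans: read "name --> on|off" lines on stdin, print one line per
# risky boolean that is enabled (with the setsebool command that disables it),
# and return the number of booleans flagged as the exit status (0 = clean).
audit_ftp_booleans() {
    flagged=0
    while IFS=' ' read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue          # skip anything that is not getsebool output
        risk=$(ftp_boolean_risk "$name") || continue
        if [ "$state" = "on" ]; then
            printf '%s: %s (disable with: setsebool -P %s off)\n' "$name" "$risk" "$name"
            flagged=$((flagged + 1))
        fi
    done
    return "$flagged"
}

# Constructed sample of getsebool -a output (not from a real system).
SAMPLE_GETSEBOOL='ftp_home_dir --> on
ftpd_anon_write --> off
ftpd_full_access --> on
ftpd_use_passive_mode --> on
httpd_enable_ftp_server --> off'

# Demo run against the sample: two booleans should be reported.
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_ftp_booleans
echo "risky FTP booleans enabled: $?"
```

The check is deliberately narrow: `ftpd_use_passive_mode` and the like only affect networking, so they are passed over, while the three flagged booleans are the ones that let a compromised or misconfigured vsftpd reach files SELinux would otherwise keep it away from.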
On Mar 2, 2015, at 3:43 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>>> errr, I meant, sftp, not rscp
>
> But the client isn't gonna go for that. LOL.

Why not? SFTP clients are now as readily available as FTP clients. Unless you're going to tell me it needs to be done from a box you absolutely positively cannot install any new software on, I simply don't believe that you cannot use anything but FTP.

> Or does that just defeat the purpose of
> having a secure SELinux server entirely?

Not exactly, but it fights the same set of goals that SELinux was created to support. The point of SELinux is to erect walls that prevent a lesser breach from turning into a total breach of the system's security.

Allowing FTP doesn't prevent SELinux from working. If FTP exposes one of your user's passwords to the wide world, *theoretically* that means you have done nothing worse than providing unauthorized users access to that user's account. (Not that that isn't bad enough.) Unfortunately, local root-escalation exploits pop up from time to time which allow anyone with a login on that box to turn themselves into superuser, which allows them to defeat SELinux.

Incidentally, it is possible to configure SSH to allow SFTP but not interactive logins. You should also chroot SFTP users. This thread seems to have the details you need:

https://www.centos.org/forums/viewtopic.php?t=2080

By doing that, even a bad user who gives away their login credentials to a bad actor isn't opening you to a risk of a local root escalation exploit.
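The SFTP-only, chrooted setup described above, written out as an added example (not code from the thread or from the linked forum post): a function that emits the `sshd_config` Match block, and a checker that verifies a given `sshd_config` actually pins the group to `internal-sftp` inside a chroot. The group name `sftponly` and the sample configs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: confine a group to chrooted SFTP with no shell and no
# forwarding, and verify that an sshd_config carries those directives.

# sftp_only_match_block GROUP: print the Match block for GROUP, chrooting each
# user into their home directory ("%h"). sshd refuses the chroot unless that
# directory and every component above it is owned by root and not writable by
# group or others, so uploads go into a user-owned subdirectory (e.g. %h/upload).
sftp_only_match_block() {
    group=${1:-sftponly}   # "sftponly" is an assumed group name
    cat <<EOF
Match Group $group
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# check_sftp_only_config FILE GROUP: exit 0 when FILE uses the in-process
# "internal-sftp" subsystem (needed because a chroot holds no sftp-server
# binary) and its "Match Group GROUP" block sets both ChrootDirectory and
# ForceCommand internal-sftp; otherwise list what is missing and exit 1.
# Directive names are case-insensitive in sshd_config; a Match block ends
# at the next Match line. Only single-criterion "Match Group X" blocks are
# recognised here.
check_sftp_only_config() {
    awk -v group="$2" '
        BEGIN { in_block = 0; chroot = 0; force = 0; subsys = 0 }
        tolower($1) == "subsystem" && $2 == "sftp" && $3 == "internal-sftp" { subsys = 1 }
        tolower($1) == "match" {
            in_block = (tolower($2) == "group" && $3 == group)
            next
        }
        in_block && tolower($1) == "chrootdirectory"                        { chroot = 1 }
        in_block && tolower($1) == "forcecommand" && $2 == "internal-sftp"  { force = 1 }
        END {
            if (!subsys) print "missing: Subsystem sftp internal-sftp"
            if (!chroot) print "missing: ChrootDirectory in Match Group " group
            if (!force)  print "missing: ForceCommand internal-sftp in Match Group " group
            exit !(subsys && chroot && force)
        }' "$1"
}

# Constructed sample configs (not real host files): one complete, one that
# forces internal-sftp but forgets the chroot.
GOOD_CONFIG=$(mktemp)
BAD_CONFIG=$(mktemp)
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG"' EXIT
{
    printf 'Subsystem sftp internal-sftp\nPasswordAuthentication yes\n'
    sftp_only_match_block sftponly
} > "$GOOD_CONFIG"
printf 'Subsystem sftp internal-sftp\nMatch Group sftponly\n    ForceCommand internal-sftp\n' > "$BAD_CONFIG"

echo "--- good config:"; check_sftp_only_config "$GOOD_CONFIG" sftponly && echo "ok"
echo "--- bad config:";  check_sftp_only_config "$BAD_CONFIG" sftponly  || echo "needs fixing"
```

The Match block alone is not enough: members of the group still need `/sbin/nologin` (or equivalent) as their shell is optional but harmless, while the root-owned, non-writable chroot directory is mandatory or sshd will reject the session. Run `sshd -t` after editing to catch syntax errors before reloading.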
On Mon, Mar 2, 2015 at 4:43 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>>> errr, I meant, sftp, not rscp
>
> Heh.. yeah. But the client isn't gonna go for that. LOL. Any way to allow
> regular ol' FTP using SELinux? Or does that just defeat the purpose of
> having a secure SELinux server entirely?

What is the context here? The big problem with ftp is that it passes the user credentials in the clear. There is nothing particularly wrong with an anonymous ftp download area where the files are put in place with something more secure - but it is usually easier to use http for that and you'll have less trouble with firewalls.

-- 
Les Mikesell
lesmikesell at gmail.com