>
> I hear all your arguments against using FTP. I completely get all that.
> But I am making things a little bit safer by using virtual users that have
> no access to the file system. The ftp user account has a shell of
> /bin/false. And I was able to get proftpd working with SELinux
> using setsebool -P ftp_home_dir on.
Oh and one important point I forgot to mention, is that the FTP user's home
directory is jailed.
Thanks!!
Tim
On Wed, Mar 4, 2015 at 10:04 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
> Guys,
>
> I hear all your arguments against using FTP. I completely get all that.
> But I am making things a little bit safer by using virtual users that have
> no access to the file system. The ftp user account has a shell of
> /bin/false. And I was able to get proftpd working with SELinux
> using setsebool -P ftp_home_dir on.
>
> The client is recalcitrant to using any technology he doesn't know. I have
> tried explaining to him that SFTP would make things safer. But in the end
> it's his money and his choice. He owns all the content he's uploading, so
> it's really his neck if it gets owned. But I think I've done a reasonable
> job of keeping things safe. Still open to criticism of course. And I
> appreciate all your input.
>
> Thanks,
> Tim
>
> On Tue, Mar 3, 2015 at 5:56 PM, Warren Young <wyml at etr-usa.com> wrote:
>
>> On Mar 3, 2015, at 2:30 PM, Brian Mathis <
>> brian.mathis+centos at betteradmin.com> wrote:
>> >
>> > people are bound by corporate restrictions
>>
>> That seems like an awfully convenient rug to sweep problems under.
>>
>> Can't fix a security problem? Corporate restrictions!
>>
>> Can't require sensible security defaults restrictions by default?
>> Corporate restrictions!
>>
>> Can't move off IE6? Corporate restrictions!
>>
>> This seems like code for "We'd really rather computing in 2015 worked
>> like computing in 1995."
>>
>> I'd say this continued "dead horse beating" is helpful. No one should
>> come away from proposing a solution based on FTP in 2015 without being
>> chastised for it.
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
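
The measures described in this thread (jailed home directory, virtual users, a non-login shell) can be checked mechanically. The script below is an added example, not code from the thread or from the ProFTPD project. `DefaultRoot`, `AuthUserFile` and `AuthOrder` are ProFTPD directives; the sample configuration, the sample user file (passwd-style, as an `AuthUserFile` uses) and the function names are constructed for illustration.

```python
# Added example: the config fragment and user file below are constructed samples.
SAMPLE_CONF = """\
# proftpd.conf fragment (constructed)
DefaultRoot ~
AuthOrder mod_auth_file.c
AuthUserFile /etc/proftpd/ftpd.passwd
"""
SAMPLE_USERS = """\
client:$6$constructed$hash:2001:2001::/srv/ftp/client:/bin/false
backup:$6$constructed$hash:0:0::/srv/ftp/backup:/bin/bash
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def directives(conf):
    """Map lowercased directive name -> list of argument lists.
    Strips '#' comments and skips <Section> tags."""
    out = {}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and not parts[0].startswith("<"):
            out.setdefault(parts[0].lower(), []).append(parts[1:])
    return out

def audit(conf, users):
    """Return findings for the jail, virtual-user and shell measures."""
    d, findings = directives(conf), []
    # A jail needs a DefaultRoot whose path is something other than "/".
    if not any(args and args[0] != "/" for args in d.get("defaultroot", [])):
        findings.append("no-jail: DefaultRoot does not confine users")
    if "authuserfile" not in d:
        findings.append("no-virtual-users: AuthUserFile is not set")
    # Unless AuthOrder names only the file module, system accounts may log in too.
    order = [m.rstrip("*") for args in d.get("authorder", []) for m in args]
    if order != ["mod_auth_file.c"]:
        findings.append("system-auth: AuthOrder is not limited to mod_auth_file.c")
    for line in filter(None, map(str.strip, users.splitlines())):
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if uid == "0":
            findings.append(f"uid0: virtual user {name} maps to UID 0")
        if shell not in NOLOGIN_SHELLS:
            findings.append(f"login-shell: virtual user {name} has shell {shell}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_USERS):
        print(finding)
```
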