06-24-2006, 12:27 PM
#1
LQ Newbie
Registered: Jun 2006
Posts: 5
selinux with vsftpd and httpd
Hi,
I'm setting up a FedoraCore5 server and I want to give my friends access to their own virtual web sites.
I've configured httpd okay, serving out of their home directories. I want to also give them FTP access so they can upload their content.
I've installed vsftpd and had it working okay with chroot jail to prevent them going outside their home dir. I've also set their shell to /sbin/nologin so they cannot ssh onto the box.
My problem is getting httpd and vsftpd working at the same time.
I've done
setsebool -P ftp_home_dir 1
so that I can make dirs when ftping.
I've done
chcon -R -h -t httpd_sys_content_t /home/myuser/public_html
so that httpd can serve the html content.
I think though that this last step stops me from being able to FTP now. Is there an easy way to give httpd and vsftpd access to the same directory at the same time?
(I don't know much about SELinux)

06-24-2006, 01:53 PM
#2
Senior Member
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,191
I am assuming you have only two users on the system. One's you.
You could just enable "local_enable=YES" in the vsftpd.conf file and set the virtual host directory in the httpd.conf as the home directory of the user.
So whenever the guy logs on he goes to /home/us3r/ but cannot log in to a shell as he has /sbin/nologin.

06-26-2006, 08:13 AM
#3
LQ Newbie
Registered: Jun 2006
Posts: 5
Original Poster
Thanks for the response, but I have the web server and ftp server set up fine - the web root is the <user home directory>/public_html and the ftp server chroot() jails them to their home.
My problem has been with SELinux and allowing both httpd and ftpd access to the content in the user home at the same time.
I can do it independently, i.e. I can get vsftpd working okay, but then when I give httpd access using
chcon -R -h -t httpd_sys_content_t /home/blah/public_html
then vsftpd is denied,
and vice versa.
The only solution I have for now is to disable SELinux for ftpd using
setsebool -P ftpd_disable_trans 1
Then I can get both working at the same time.
Not knowing SELinux I would have thought I could cumulatively add permissions to a directory. That is, permit httpd and then add ftpd so they both had access.
Thanks.

06-26-2006, 05:34 PM
#4
Red Hat India
Registered: Nov 2004
Location: Kerala/Pune, India
Distribution: RedHat, Fedora
Posts: 260
Hello swpr,
You don't need to enable SELinux for your configuration to work. Your configuration will work fine and all the restrictions will get imposed. The FTP default login directory can be set in the vsftpd.conf file and the HTTP login folder can be done as you have configured.
Thanks..

06-28-2006, 06:49 AM
#5
LQ Newbie
Registered: Jun 2006
Posts: 5
Original Poster
I know I don't *need* SELinux, but I can get them both running one at a time, but not both together - am I not explaining this clearly enough?
I shouldn't have to fully disable SELinux to allow ftpd and httpd access to the same directory, should I? It should be real simple to allow both processes access to this one directory.
I've seen a lot of comments on the web about how hard SELinux is, and how everyone just seems to turn it off because they can't figure out how to make it play nice, so that's what I'm going to have to do.
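
The either/or behaviour described in this thread follows from SELinux giving each file exactly one type and checking it against the daemon's domain, so chcon to httpd_sys_content_t replaces the label vsftpd was allowed on. As an added example (not posted by anyone in the thread), this script groups AVC denials by source domain and target type to show which pairing the policy refused; the audit records are constructed.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials by source domain and target type.
# The audit records below are constructed for illustration.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1151323980.101:45): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="public_html" dev=dm-0 ino=98311 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1151323981.202:46): avc:  denied  { getattr } for  pid=2345 comm="vsftpd" name="index.html" dev=dm-0 ino=98312 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1151323982.303:47): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="index.html" dev=dm-0 ino=98312 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1151324100.404:52): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=98400 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1151324100.404:52): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
EOF
}

# Reads audit records on stdin and prints one line per
# "domain -> type (class)" pair with the permissions that were denied.
summarise_denials() {
    awk '
    /avc: +denied/ {
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type[:level]; the type is field 3.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # The denied permissions sit between the braces.
        perms = $0
        sub(/^[^{]*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        key = src " -> " tgt " (" cls ")"
        if (!(key in seen)) { order[++n] = key; seen[key] = perms }
        else if (index(" " seen[key] " ", " " perms " ") == 0)
            seen[key] = seen[key] " " perms
    }
    END { for (i = 1; i <= n; i++) print order[i] ": " seen[order[i]] }
    '
}

sample_audit_log | summarise_denials
```

On a real host, feed it /var/log/audit/audit.log, or /var/log/messages when auditd is not running. The ftpd_selinux(8) and httpd_selinux(8) man pages describe public_content_t and public_content_rw_t as the types intended for content that several daemons share.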