Friday, May 12, 2006

SELinux vs. ftpd

Fedora comes with SELinux, and by default its settings are quite restrictive, an unfortunate necessity in today's hostile environment. This is particularly true now that the SSL family of tools (ssh, scp, etc.) has gradually replaced its plain-text counterparts (telnet, ftp, rsh, rcp, etc.): the policy for these insecure protocols is very protective.

However, in an intranet environment, where efficiency takes priority over security, these old tools still serve well. For example, I frequently have to move huge files from one machine to another but don't want to use scp, because it is very hungry for CPU and network bandwidth. I usually set up a temporary ftp server for the transfer and turn it off afterwards. This is much faster than adding directory and authentication settings to Samba or NFS.

Here I summarize how to quickly set up vsftpd to accept downloads and uploads.

I chose vsftpd for its efficiency; I think Fedora made a good choice in making it the default ftp server. Since vsftpd comes in the server package by default, I won't go over installing it. Note that this was tested on FC4 only; FC5+ may have different policies.

  1. su -
  2. Edit /etc/vsftpd/vsftpd.conf and make sure it contains the following lines:
    1. anonymous_enable=NO
    2. write_enable=YES
    3. anon_upload_enable=YES
    4. anon_mkdir_write_enable=YES
    5. nopriv_user=ftp (the default is ftpsecure, but since Fedora already has an ftp account in /etc/passwd, I simply use ftp instead)
  3. Give the account ftp a password with "passwd ftp"
  4. Change the security context of the anonymous ftp home directory (/var/ftp):
    1. chcon -R system_u:object_r:ftpd_anon_t /var/ftp (you can verify this by ls -Z)
  5. Make a directory for uploads and change its security context:
    1. mkdir /var/ftp/upload
    2. chcon -t ftpd_anon_rw_t /var/ftp/upload
  6. Turn on the SELinux boolean that allows ftpd to write to ftpd_anon_rw_t directories:
    1. setsebool -P allow_ftpd_anon_write 1
    2. add "allow_ftpd_anon_write=1" to /etc/selinux/targeted/booleans.local
  7. That's it.
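The procedure above, checked from the shell. This is an added example, not code from the original post: it verifies that vsftpd.conf carries the five required settings and confirms the SELinux side by parsing ls -Zd and getsebool output for the two directories and the boolean. The sample config, the sample ls -Zd and getsebool lines, and the temporary file path are constructed for illustration; the check also assumes that for a key repeated in vsftpd.conf the last uncommented line is the one that takes effect, which is my assumption and not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): check a vsftpd.conf for the
# settings listed above and verify the SELinux side by parsing the output of
# 'ls -Zd' and 'getsebool'. The sample config, sample ls/getsebool lines and
# the temp file path below are constructed for illustration.

# key=value pairs the post requires in /etc/vsftpd/vsftpd.conf
REQUIRED="anonymous_enable=NO write_enable=YES anon_upload_enable=YES anon_mkdir_write_enable=YES nopriv_user=ftp"

# conf_value FILE KEY: print the value of the last uncommented KEY= line.
# A leading '#' makes the line a comment, so it never matches. Taking the
# last occurrence is an assumption about how vsftpd resolves repeated keys.
conf_value() {
  sed -n "s/^[[:space:]]*$2=\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_vsftpd_conf FILE: report every required setting that is missing or
# has the wrong value; return 0 only when all five are correct
check_vsftpd_conf() {
  rc=0
  for kv in $REQUIRED; do
    key=${kv%%=*}
    want=${kv#*=}
    have=$(conf_value "$1" "$key")
    if [ "$have" != "$want" ]; then
      echo "$key: want '$want', have '${have:-<unset>}'"
      rc=1
    fi
  done
  return $rc
}

# context_type LS_Z_LINE: extract the SELinux type (third colon-separated
# field of the context) from one line of 'ls -Z' or 'ls -Zd' output; works
# for both the FC4 three-field and the later four-field (with level) format
context_type() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit }
  }'
}

# bool_is_on GETSEBOOL_LINE: return 0 when a 'name --> on' line reports on
bool_is_on() {
  case "$1" in
    *'--> on'*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_contexts FTP_LINE UPLOAD_LINE: compare the types the post expects for
# /var/ftp and /var/ftp/upload against the given 'ls -Zd' lines
check_contexts() {
  rc=0
  [ "$(context_type "$1")" = ftpd_anon_t ] || { echo "/var/ftp should be ftpd_anon_t"; rc=1; }
  [ "$(context_type "$2")" = ftpd_anon_rw_t ] || { echo "/var/ftp/upload should be ftpd_anon_rw_t"; rc=1; }
  return $rc
}

# With a conf path argument, read the live system; without one, run against
# a constructed sample so the script can be tried offline.
main() {
  if [ $# -ge 1 ]; then
    conf=$1
    ftp_line=$(ls -Zd /var/ftp 2>/dev/null)
    up_line=$(ls -Zd /var/ftp/upload 2>/dev/null)
    bool_line=$(getsebool allow_ftpd_anon_write 2>/dev/null)
  else
    conf="${TMPDIR:-/tmp}/vsftpd_sample.$$"   # constructed temp path
    printf '# constructed sample vsftpd.conf\nanonymous_enable=NO\nwrite_enable=YES\n' > "$conf"
    printf 'anon_upload_enable=YES\nanon_mkdir_write_enable=YES\nnopriv_user=ftp\n' >> "$conf"
    ftp_line='drwxr-xr-x root root system_u:object_r:ftpd_anon_t /var/ftp'          # constructed
    up_line='drwxr-xr-x ftp ftp system_u:object_r:ftpd_anon_rw_t /var/ftp/upload'   # constructed
    bool_line='allow_ftpd_anon_write --> on'                                       # constructed
  fi
  check_vsftpd_conf "$conf" && echo "vsftpd.conf: ok"
  check_contexts "$ftp_line" "$up_line" && echo "directory contexts: ok"
  if bool_is_on "$bool_line"; then
    echo "allow_ftpd_anon_write: on"
  else
    echo "allow_ftpd_anon_write: off (run: setsebool -P allow_ftpd_anon_write 1)"
  fi
  [ $# -ge 1 ] || rm -f "$conf"
}

main "$@"
```

Run it as root on the ftp host with `sh check_vsftpd.sh /etc/vsftpd/vsftpd.conf`; with no argument it only exercises the constructed sample. A commented-out line such as `#anonymous_enable=NO` is deliberately reported as unset, since the default for that key (YES) is exactly what step 2 is meant to turn off.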

Reference: Daniel J Walsh's reply to a discussion on this topic.