[Apparmor-general] AppArmor2 and Vsftpd question

Vishwanath Callikan vcallikan at yahoo.co.uk
Mon Feb 26 03:56:26 MST 2007


Hello all



I've been playing around with AppArmor 2 for a while now and was recently asked if it was possible to effectively profile the vsftpd process if it is configured to accept chrooted ftp connections.



While I can see that this is possible as AppArmor can seemingly profile any process, this request did raise concerns with regards to the security that the AppArmor profile would provide for the vsftpd process itself if ever a hacker took advantage of some zero day exploit and managed to gain control over the application.



To illustrate the point, let's take the following scenario: a user (ftp-user1) logs on to the ftp server, successfully authenticates, is dropped into a chroot and puts/gets some files on the server. This seems like typical FTP usage, and AppArmor is configured to profile the process while it is running and gathers and analyses these events - until now everything looks great - however, AppArmor would capture and record that ftp-user1 would access the "/" directory and need to both read and write to that directory (which is in fact the user's home directory masqueraded as the root filesystem by chroot()). This is the part that worries me, as if a hacker breaks in and gains control over vsftpd he would essentially have the ability to read/write to the "/" filesystem (provided he has the mandatory access rights), and this is obviously very dangerous.



I have come across the sample vsftpd profile that comes with AppArmor 2 (/etc/apparmor/profiles/extras/usr.sbin.vsftpd) and this seems to have some entries which use the tunable home file and implement the HOMEDIRS parameter to define where the user home directories are actually found (or at least that is what I understood from the documentation). So my question is this - Is it possible to circumvent this potential flaw by using the HOMEDIR setting or am I simply making a meal out of this and the implications and ramifications are only minor?



Thanks for any help in clarifying these queries



-Pavan




		