[Apparmor-general] AppArmor2 and Vsftpd question
Seth Arnold
seth.arnold at suse.de
Mon Feb 26 18:22:46 MST 2007
On Mon, Feb 26, 2007 at 10:56:26AM +0000, Vishwanath Callikan wrote:
> I've been playing around AppArmor 2 for a while now and was recently
> asked if it was possible to effectively profile the vsftpd process if
> it is configured to accept chrooted ftp connections.
...
> chroot()). This is the part that worries me as if a hacker breaks in
> and gains control over vsftpd he would essentially have the ability to
> read/write to the "/" filesystem (provided he has the mandatory access
> rights) and this is obviously very dangerous.
Indeed, the current AppArmor chroot handling is far from ideal, for this
very reason. It would be best to configure confined applications to not
use chroot, for the time being.
> documentation). So my question is this - Is it possible to circumvent
> this potential flaw by using the HOMEDIR setting or am I simply making
> a meal out of this and the implications and ramifications are only
> minor?
Sorry, the variables are just syntactic sugar; they can't help you out of
this situation. They would be useful if you put all your home directories
under /mnt/homes/ or something like that; no help at all if your process
changes the meaning of '/'.
I'd recommend trying vsftp under apparmor without chroot; see if you can
configure the profile to allow exactly what you want. If not, then go
ahead and use chrooted vsftpd, knowing that if an attacker -does- break
vsftpd such that the chroot doesn't happen, AppArmor will at least confine
the attacker's privileges to only files explicitely listed in the profile.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://forge.novell.com/pipermail/apparmor-general/attachments/20070226/f182a204/attachment.pgp
More information about the Apparmor-general
mailing list