-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
While I cannot answer with 100% confidence I do not know how easy this
will be. AppArmor's (and SELinux's as the backend is the same) strength
is in confining an application in general and not confining it based on
who is using it at the time. As you have found you can tell your FTP
server to not write anything outside /home (though you will probably want
an exception to that for logs and maybe temporary file locations.... who
knows) and you can keep it from reading anything outside its own system
files. This means that if somehow your FTP server is completely
compromised it will not damage the rest of your system no matter how far
gone it is. With that said AppArmor will let userA do bad things to userB
if the FTP service itself has access to both, though typically that is
handled by the server and would be identifiable via the logs or other
trails. Depending on how the service loads and runs perhaps it runs as
root or perhaps it runs as the user actually logging in and in the latter
case the filesystem is actually enforcing the permissions regardless of
what the user does to the FTP service's process, but I imagine it just
runs as 'root' in either case and does things from there. You can
probably tell better than anybody how that works but in the end AppArmor
is best at limiting the process outside its normal mode of operation.
If you can find a way to make it work based on a parameter at runtime that
would be interesting to know about. If somebody else knows better than I
do (very possible) hopefully they'll post as much.
Good luck.
martinhruska wrote:
> Hi,
>
> I would like to secure my multiuser ftp server. Many users can log in
> and they are locked to their home dirs, where they could read and write
> files.
>
> But what happens if there is a bug inside ftp server, which let users
> leave their homedirs?? So I would like to secure this situation with
> AppArmor.
>
> I though that I will be able to create different AppArmor profile for
> every user, which will force their access only into their homedir. But
> how to do it? I can create only one profile for ftp server, which will
> allow access to every homedir!
>
> But there is that change_hat and change_profile funcionality. I think
> that if there's a ftp server, which call these functions based on the
> logged in user, I will be able to get what I want: different AppArmor
> profile for every user.
>
> It seems that this would require to change ftp server source somehow or
> that there should be some ftp server with AppArmor support.
>
> So my question is: am I right? Is there any ftp server with AppArmor
> support? Or can be some ftp server modified to call change_profile
> funciton? Or I am not right and there is other way to do what I need?
>
> Thanks for any hint..
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJKyfjyAAoJEF+XTK08PnB5+s8P/A9vYvSXaVlPj0qTzlxlbKHL
CsP9b3wBEBru3pO2coh5lyE1gBz3YLcri2ObTeTQgtsuCQkIZp tpb/j99X4XkyMY
fO1S5mdvQQuaNrvYR68/K5mkDygJJepZFJ4EGuwPYSHJKtc/QdvUbOh9rPWubOaK
0JhL3vAT/p2SYMftbNwp9zJZBRHQFoxGGXvbn4bQoQcDt8bNYN4jOkgZt+b t60pX
bSmtt7/aJE3z/DecD6gRxihcTj417kURoE694jTBTBUDLY80uDF9gUX+JikB20d u
YAVld56s7R4I+2YYqCcF1OmhaxwxgYvUj/6H+IPICA7BgGdR4ceoceDpbxATOLC1
Wt4zk8UkqrH3+TPQycaASa3zY/QltqQgRyGh7uMCs5+wFrmQC8v5mozT/lEV5ADU
mBvFxvzQGHgyr37LpntKOOC425IzwFK+qFz5NkzNweEUmVJ0GM ZGpWaOBrIukqq8
szMz2t4hqEA/bqNJ0bnNWUSMPCO0XsMUW4iowWrpfyhXGErLsC+YWmevWBtRfs Fe
eHFH9bYEjRxNhL5nAuWYJIUF6eTNpq7o7IZhp4dkRxfJ1V10QD GIOYv/0uX5KMWC
Y/iLB94rTL69JoZY1k+tPFhU601cIK5tQKipyU8Bd4F0xkPgi9ME Ahn24MlZi+nK
5ClE8Hn/5Ysep12VzZh5
=XWy2
-----END PGP SIGNATURE-----
Re: ftp server with apparmor support and change_profile
Threaded Mode
