rhle5 – the fact of real shit

I’m experienced to install VSFTPd and I’m using it for 2/3 years. But for a recent project I need to setup a test linux box and there I install pure-ftpd for test purpose. Its easy to install but when I start the server I face a problem. I’ll tell you that story, but before that story I want to share the experience install pure-ftpd in my linux box.

Everything goes fine with out any problem. I always try to install from source i.e. make and install. And always try to install into default directory if there has no security issue. In this case to install pure-ftpd every thing goes fine as usual. Install complete! Now how can I start the server that I just installed…..?????? Actually in latest version (1.0.29) there has no init script installed. So, I can’t start pure-ftpd by service command!!! So, I search the net, here and there but didn’t find a init script that I can use. So, I decide to make it by myself. For that I go to source directory for getting the default path of the installed program. Owo!!! thats I found the init script. Thanks the pure-ftpd team. But you should write instruction so that our time may saved. So, finally I copy it to “init.d” and started server. Server starting normally. And now the problem arised!!!!!

When I try to get the status of pure-ftpd server for monitoring purpose. It shows following message –

pure-config.pl dead but subsys locked

Ohh, I didn’t mention yet! I use “pure-config.pl” script to start my server. Now, when I get this status message I was worried that I fail to setup properly and start googling on this error. Sad, they all point the wrong direction! Anyway, after 12 hour of searching I realize that it’s not a common problem. Its may be a small mistake that can’t get run pure-ftpd. So, I start to find the problem internally. I find that my server is running well. And I’m able to do ftp through it!!!

Finally, I start digging the init script and perl script for the problem. And find that in init script there has line which checking the status of “pure-config.pl” not pure-ftpd daemon!!! So, I just change to check the status of pure-ftpd instead checking status of “pure-config.pl”.

Actually, what happened there when I try to get status? My init script geting status of pure-config.pl and find that the script is run and not active. But the sub-sys (i.e. pure-ftpd) that start by the script is still running. So, its show status like that!!! And its really confusing, specially for the user of my kind who don’t know linux at all.

The “targeted” policy confines certain network daemons to run in their own specific “security domain”. These daemons include dhcpd, httpd (apache), named, nscd, ntpd, portmap, snmpd, squid, and syslogd.

When I setup apache on a system where it wil be utilized, I have a habit of not using /var/www/html as my starting point for document roots, but rather create a dir at /home/websites and place my document roots in there. In the good ol’ days of Discretionary Access Controls (DAC) just making sure that apache had the perms it needed to read the documents in there was enough (using chmod, chown, and the like).

Not so with SELinux enabled. In addition to the regular DAC we’re all used to, we now have Mandatory Access Controls (MAC) that define security contexts for files/directories etc. Turns out it looks like by default, apache only has access to /var/www/html when it’s fired up…. I’m guessing that and probably /var/log/httpd (which is exactly as it should be). To enable apache to view my files in /home/websites, I had to apply a new security context to these files. The answer to this is the chcon command. To be brief, the full command I executed was:

chcon -R -t httpd_sys_content_t /home/websites

After executing this, apache could read my files.

I like where this SELinux thing is going. Permissions done right, for sure. This doesn’t come with out growing pains though. It’s complex (or so it seems to me after only working with it for a couple days) and will take some time to learn. I’m prepared for some frustration….

Now many of you are probably asking yourself why would anyone (let alone me) want to bother with this? Well I think a simple example of one of the cool things is that even though something like /etc/passwd has DAC octal perms of 644 (rw-r–r–), apache still can’t read it because that file is not with in apache’s security context. So any users on your system can’t write a little script that reads your /etc/passwd file and basically posts it on a web page for the world to see (giving potential crackers a list of valid user accounts on the system).

Actually this is a little bit extra security that provide by SELinux e.g. Security Enhanced!

Ohh, one more tips to change the direcotry live…

chcon --reference=/var/www <your website directory>
chcon --reference=/var/www/html <your public_html directory>

I suggest you to make a shell script to put it together… with following commands…

useradd <your website user name> #password and other necessary staff to point home directory
chmod --reference=/var/www /home/<your website user name>
mkdir /home/<your website user name>/public_html
# most probably the following line need not to execute
chmod --reference=/var/www/html /home/<your website user name>/public_html
# then do other necessary staff for your website suppose add virtual host, ftp user, database user etc.

nJoy…

Tag: rhle5

pure-ftpd status error – pure-config.pl dead but subsys locked

Apache (httpd) 403 errors & SELinux in RHLE5