[CentOS] selinux allow FTP

Tim Dunphy bluethundr at gmail.com
Thu Mar 5 03:07:26 UTC 2015 

>
>  I hear all your arguments against using FTP. I completely get all that.
> But I am making things a little bit safer by using virtual users that have
> no access to the file system. The ftp user account has a shell of
> /bin/false. And I was able to get proftpd working with SELinux
> using setsebool -P ftp_home_dir on.


Oh and one important point I forgot to mention, is that the FTP user's home
directory is jailed.

Thanks!!
Tim

On Wed, Mar 4, 2015 at 10:04 PM, Tim Dunphy <bluethundr at gmail.com> wrote:

> Guys,
>
>  I hear all your arguments against using FTP. I completely get all that.
> But I am making things a little bit safer by using virtual users that have
> no access to the file system. The ftp user account has a shell of
> /bin/false. And I was able to get proftpd working with SELinux
> using setsebool -P ftp_home_dir on.
>
> The client is recalcitrant to using any technology he doesn't know. I have
> tried explaining to him that SFTP would make things safer. But in the end
> it's his money and his choice. He owns all the content he's uploading, so
> it's really his neck if it gets owned. But I think I've done a reasonable
> job of keeping things safe. Still open to criticism of course. And I
> appreciate all your input.
>
> Thanks,
> Tim
>
> On Tue, Mar 3, 2015 at 5:56 PM, Warren Young <wyml at etr-usa.com> wrote:
>
>> On Mar 3, 2015, at 2:30 PM, Brian Mathis <
>> brian.mathis+centos at betteradmin.com> wrote:
>> >
>> > people are bound by corporate restrictions
>>
>> That seems like an awfully convenient rug to sweep problems under.
>>
>> Can’t fix a security problem?  Corporate restrictions!
>>
>> Can’t require sensible security defaults restrictions by default?
>> Corporate restrictions!
>>
>> Can’t move off IE6?  Corporate restrictions!
>>
>> This seems like code for “We’d really rather computing in 2015 worked
>> like computing in 1995.”
>>
>> I’d say this continued “dead horse beating” is helpful.  No one should
>> come away from proposing a solution based on FTP in 2015 without being
>> chastised for it.
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>


-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

More information about the CentOS mailing list