
I use proftpd for virtual FTP hosting with MySQL.

I've started writing fine-grained SELinux policies and found that it's trying to access my.cnf files.

The question is: what for, and why?

type=AVC msg=audit(1378191337.059:153431): avc:  denied  { getattr } for  pid= comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { read } for  pid=50590 comm="proftpd" name="my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { open } for  pid=50590 comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file

The output of `ps auxwf | grep 50590` is empty now; the process doesn't exist anymore. It looks like it's trying to do that on every login attempt.

Update: Filed bug/feature request, patch submitted by developer: http://bugs.proftpd.org/show_bug.cgi?id=3971

Castaglia
GioMac
  • are you using `mod_sql`? `proftpd` might be trying to read `my.cnf` files because of that. – dawud Sep 03 '13 at 07:35
  • `mod_sql` and `mod_sql_mysql`, WHY does it try to read it – GioMac Sep 03 '13 at 07:37
  • because you [can store credentials in those files](http://dev.mysql.com/doc/refman/5.7/en/password-security-user.html). – dawud Sep 03 '13 at 07:41
  • Must be, there is nothing else to do, but credentials are specified in `proftpd.conf` as `SQLConnectInfo`. It's checking my.cnf for that anyway by default? – GioMac Sep 03 '13 at 07:43

3 Answers

MySQL clients which link against libmysqlclient read global options from the [client] section of /etc/my.cnf. This is a typical behavior for such clients, and ProFTPD is such a client when you use its MySQL module.

The SELinux boolean ftpd_full_access will allow this access, but it also effectively disables SELinux for the entire FTP daemon's operations, so it should not be used without extreme caution.

If it were me, I would file a feature request against selinux-policy requesting that a boolean to allow this access be added, or perhaps to add it to the ftpd_connect_db boolean.

Michael Hampton
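The narrow alternative to `ftpd_full_access` that this answer points at is a local policy module granting only the denied access. The following is an added example, not code from the answer or from the proftpd or selinux-policy projects: a POSIX shell script with a small awk stand-in for `audit2allow` that turns the question's three AVC lines (embedded as a constructed sample) into a `.te` module allowing `ftpd_t` only `getattr`, `read` and `open` on `mysqld_etc_t` files. The module name `proftpd_mycnf` is my own choice; `build_and_load` assumes root and the `checkmodule`, `semodule_package` and `semodule` tools from policycoreutils.

```shell
#!/bin/sh
# Constructed sample: the three AVC denials from the question, embedded so the
# script runs offline (the blank pid on the first line is as in the original).
AVC_SAMPLE='type=AVC msg=audit(1378191337.059:153431): avc:  denied  { getattr } for  pid= comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { read } for  pid=50590 comm="proftpd" name="my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc:  denied  { open } for  pid=50590 comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file'

# avc_to_te MODULE < audit_lines: turn AVC denials into a minimal .te module
# that allows only the denied (source type, target type, class, permissions).
avc_to_te() {
  awk -v mod="$1" '
    function addp(arr, k, p) {          # append p to arr[k] without duplicates
      if (index(" " arr[k] " ", " " p " ") == 0)
        arr[k] = (arr[k] == "" ? p : arr[k] " " p)
    }
    BEGIN { split("", allow); split("", cperm) }
    /avc: +denied/ {
      perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      match($0, /scontext=[^ ]+/); split(substr($0, RSTART+9, RLENGTH-9), s, ":")
      match($0, /tcontext=[^ ]+/); split(substr($0, RSTART+9, RLENGTH-9), t, ":")
      match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART+7, RLENGTH-7)
      key = s[3] SUBSEP t[3] SUBSEP cls  # third context field is the SELinux type
      n = split(perms, pl, " ")
      for (i = 1; i <= n; i++) { addp(allow, key, pl[i]); addp(cperm, cls, pl[i]) }
      types[s[3]] = 1; types[t[3]] = 1
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (ty in types) printf "\ttype %s;\n", ty
      for (c in cperm)  printf "\tclass %s { %s };\n", c, cperm[c]
      printf "}\n\n"
      for (k in allow) { split(k, kp, SUBSEP)
        printf "allow %s %s:%s { %s };\n", kp[1], kp[2], kp[3], allow[k] }
    }'
}

# Rule text for the sample denials; needs only awk, no SELinux tools.
te_for_sample() { printf '%s\n' "$AVC_SAMPLE" | avc_to_te proftpd_mycnf; }

# Compile and load a module from live denials (needs root and the
# checkmodule/semodule_package/semodule tools from policycoreutils).
build_and_load() {
  grep -w proftpd /var/log/audit/audit.log | avc_to_te "$1" > "$1.te"
  checkmodule -M -m -o "$1.mod" "$1.te" &&
  semodule_package -o "$1.pp" -m "$1.mod" &&
  semodule -i "$1.pp"
}
```

Review the generated `.te` before loading it: like `audit2allow`, it allows every denial it is fed, so only feed it the lines you have decided are legitimate.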

From the official doc:

Question: How do I configure mod_sql so that it will use encrypted connections (e.g. SSL/TLS) to the backend database server?
Answer: If you are using MySQL, then you can configure this in the [client] section of your my.cnf configuration file.

That's why proftpd tries to read /etc/my.cnf.

ALex_hha

Just to add that the source code also mentions this:

I have checked a recent snapshot. Specifically, proftpd-cvs-20130903/contrib/mod_sql_mysql.c, lines 485-488:

```c
  /* Make sure the MySQL config files are read in.  This will read in
   * options from group "client" in the MySQL .cnf files.
   */
  mysql_options(conn->mysql, MYSQL_READ_DEFAULT_GROUP, "client");
```
dawud