I use proftpd for virtual FTP hosting with MySQL.
I've started writing fine-grained SELinux policies and found that it's trying to access my.cnf files.
The question is: what for, and why?
type=AVC msg=audit(1378191337.059:153431): avc: denied { getattr } for pid= comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc: denied { read } for pid=50590 comm="proftpd" name="my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc: denied { open } for pid=50590 comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
Output of ps auxwf|grep 50590 is empty now - the process doesn't exist anymore. Looks like it's trying to do that on every login attempt.
Update: Filed bug/feature request, patch submitted by developer: http://bugs.proftpd.org/show_bug.cgi?id=3971
MySQL clients which link against libmysqlclient read global options from the [client] section of /etc/my.cnf. This is typical behavior for such clients, and ProFTPD is such a client when you use its MySQL module.

The SELinux boolean ftpd_full_access will allow this access, but it also effectively disables SELinux for the entire FTP daemon's operations, so it should not be used without extreme caution.

If it were me, I would file a feature request against selinux-policy requesting that a boolean to allow this access be added, or perhaps to add it to the ftpd_connect_db boolean.

From the official doc:
Question: How do I configure mod_sql so that it will use encrypted connections (e.g. SSL/TLS) to the backend database server?

Answer: If you are using MySQL, then you can configure this in the [client] section of your my.cnf configuration file.

That's why proftpd tries to read /etc/my.cnf.
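The first answer recommends a narrower grant than the ftpd_full_access boolean. The script below is an added example (not from the original post, the ProFTPD project or the selinux-policy package): it parses the AVC lines from the question, embedded as a constructed sample so it runs offline, into a minimal policy module source that allows ftpd_t to read mysqld_etc_t files, the way `audit2allow -M` would, and shows the checkmodule/semodule_package/semodule steps to build and load it. The module name proftpd_mycnf is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the original post or the ProFTPD project: turn the
# AVC denials from the question into a minimal SELinux policy module that
# allows ftpd_t to read mysqld_etc_t files, instead of switching on the much
# broader ftpd_full_access boolean ("setsebool -P ftpd_full_access on").
# Hand-rolled equivalent of "audit2allow -M". The module name "proftpd_mycnf"
# used below is an assumption of this example.

# Sample input (constructed from the three AVC lines in the question) so the
# script runs offline. On a live host you would pipe in:
#   ausearch -m avc -c proftpd --raw
AVC_SAMPLE='type=AVC msg=audit(1378191337.059:153431): avc: denied { getattr } for pid= comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc: denied { read } for pid=50590 comm="proftpd" name="my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1378191337.059:153432): avc: denied { open } for pid=50590 comm="proftpd" path="/etc/my.cnf" dev="dm-1" ino=1180081 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file'

# avc_to_te NAME: read AVC "denied" lines on stdin and print policy module
# source (.te) named NAME: a require block listing every type and class:perms
# seen, then one merged "allow SRC TGT:CLASS { perms };" per (src, tgt, class).
# Only the type field of each context is used; user, role and MCS level are
# ignored, which is what audit2allow does as well.
avc_to_te() {
    name=$1
    # Normalise each denial to: SRC_TYPE TGT_TYPE CLASS PERM [PERM...]
    sed -n 's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    awk -v name="$name" '
        {
            src = $1; tgt = $2; cls = $3
            types[src] = 1; types[tgt] = 1
            key = src " " tgt ":" cls
            for (i = 4; i <= NF; i++) {
                # merge permissions per allow rule and per class, without duplicates
                if (!((key, $i) in seen)) { seen[key, $i] = 1; perms[key] = perms[key] $i " " }
                if (!((cls, $i) in cseen)) { cseen[cls, $i] = 1; cperms[cls] = cperms[cls] $i " " }
            }
        }
        END {
            printf "module %s 1.0;\n\nrequire {\n", name
            for (t in types) printf "\ttype %s;\n", t
            for (c in cperms) printf "\tclass %s { %s};\n", c, cperms[c]
            printf "}\n\n"
            for (k in perms) printf "allow %s { %s};\n", k, perms[k]
        }'
}

# build_policy_module NAME: compile and load the module on the SELinux host.
# Needs the checkpolicy and policycoreutils packages and root; reads AVC
# lines on stdin. Not exercised offline.
build_policy_module() {
    name=$1
    avc_to_te "$name" > "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
}

# Stand-alone demo: print the generated .te for the sample denials.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te proftpd_mycnf
```

On the affected host the whole procedure is `ausearch -m avc -c proftpd --raw | build_policy_module proftpd_mycnf`, after which `ausearch -m avc -c proftpd -ts recent` should no longer show the my.cnf denials. Read the generated .te before loading it: the rule grants getattr/read/open on every file labelled mysqld_etc_t, not just /etc/my.cnf, which is still far narrower than ftpd_full_access but is more than a single file. If you would rather ProFTPD never see MySQL's client defaults, change `allow` to `dontaudit` in the .te to silence the log without granting the access.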
Just to add that the source code also mentions this. I have checked a recent snapshot, specifically proftpd-cvs-20130903/contrib/mod_sql_mysql.c: