8

I need a basic FTP server on Linux (CentOS 5.5) without any security measures, since the server and the clients are located on a test LAN, not connected to the rest of the network, which itself uses non-routable IPs behind a NAT firewall with no incoming access to FTP.

Some people recommend Vsftpd over PureFTPd or ProFTPd. No matter what I try, I can't get it to allow an anonymous user (i.e. logging in as "ftp" or "anonymous" and typing any string as password) to upload a file:

    # yum install vsftpd

    # mkdir /var/ftp/pub/upload

    # cat vsftpd.conf
    listen=YES
    anonymous_enable=YES
    local_enable=YES
    write_enable=YES
    xferlog_file=YES

    #anonymous users are restricted (chrooted) to anon_root
    #directory was created by root, hence owned by root.root
    anon_root=/var/ftp/pub/incoming
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES

    #chroot_local_user=NO
    #chroot_list_enable=YES
    #chroot_list_file=/etc/vsftpd.chroot_list
    chown_uploads=YES

When I log on from a client, here's what I get:

    500 OOPS: cannot change directory:/var/ftp/pub/incoming

I also tried "# chmod 777 /var/ftp/incoming/", but get the same error.

Does someone know how to configure Vsftpd with minimum security?

Thank you.


Edit: SELinux is disabled and here are the file permissions:

    # cat /etc/sysconfig/selinux
    SELINUX=disabled
    SELINUXTYPE=targeted
    SETLOCALDEFS=0

    # sestatus
    SELinux status:                 disabled
    # getenforce
    Disabled

    # grep ftp /etc/passwd
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

    # ll /var/
    drwxr-xr-x  4 root root 4096 Mar 14 10:53 ftp

    # ll /var/ftp/
    drwxrwxrwx 2 ftp ftp 4096 Mar 14 10:53 incoming
    drwxr-xr-x 3 ftp ftp 4096 Mar 14 11:29 pub

Edit: latest vsftpd.conf:

    listen=YES
    local_enable=YES
    write_enable=YES
    xferlog_file=YES

    #anonymous users are restricted (chrooted) to anon_root
    anonymous_enable=YES
    anon_root=/var/ftp/pub/incoming
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES

    #500 OOPS: bad bool value in config file for: chown_uploads
    chown_uploads=YES
    chown_username=ftp

Edit: with trailing space removed from "chown_uploads", err 500 is solved, but anonymous still doesn't work:

    client> ./ftp server
    Connected to server.
    220 (vsFTPd 2.0.5)
    Name (server:root): ftp
    331 Please specify the password.
    Password:
    500 OOPS: cannot change directory:/var/ftp/pub/incoming
    Login failed.
    ftp> bye

With user "ftp" listed in /etc/passwd with home directory set to "/var/ftp" and access rights to /var/ftp set to "drwxr-xr-x" and /var/ftp/incoming to "drwxrwxrwx"...could it be due to PAM maybe? I don't find any FTP log file in /var/log to investigate.


Edit: Here's a working configuration to let ftp/anonymous connect and upload files to /var/ftp:

    listen=YES
    anonymous_enable=YES
    write_enable=YES
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES

user15318

6 Answers

6

You have created a dir called pub/upload:

    # mkdir /var/ftp/pub/upload

But then you configured uploads to go to pub/incoming:

    anon_root=/var/ftp/pub/incoming

So it's a simple path mismatch, all the rest seems OK.

Oldskool
1
  1. For anonymous logins, change the "ftp" user's home directory in /etc/passwd.

    ftp:x:119:131:ftp daemon,,,:/var/ftp/pub/:/bin/false

  2. And add this to your /etc/vsftpd.conf file.

    allow_writeable_chroot=YES

  3. And make sure that the ftp user has access (chmod 755) to enter every directory up to the location /var/ftp/pub/

I was fighting this problem for hours. vsftpd doesn't give clear help or suggestions for errors.

user206746
0

Here is what worked for me (he said, while mentally strangling a developer):

vsftpd.conf:

    anonymous_enable=YES
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_root=/var/ftp/

create/chown Directories

    mkdir /var/ftp
    chown nobody:nogroup /var/ftp
    mkdir /var/ftp/uploads
    chown ftp:ftp /var/ftp/uploads
    #edit for good measure also (gave me grief with pure-ftpd)
    chmod 777 /var/ftp/uploads

change homedir in

/etc/passwd:

    ftp:x:116:124:ftp daemon,,,:/var/ftp:/usr/sbin/nologin

(The default home dir on Debian is /srv/ftp, so you can make your life easier by sticking to that dir.)

Uploads are possible to /var/ftp/uploads. SELinux/AppArmor is disabled on this system (Debian 10.3).

Note: vsftpd will throw an error message if the initial home directory has rw rights (aka chown ftp:ftp) on /var/ftp directly.

Edit note: with the faint hope, this whole text is somewhat understandable. Klaus

knurpsl
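
An added example (not part of any answer on this page): a POSIX shell lint for the failures that come up in this thread, namely a trailing space after a value, an `anon_root` that does not exist, a directory on the path that the ftp user cannot enter, and a writable login root. The function name `check_vsftpd_conf` is hypothetical, and the permission checks assume the anonymous account is called `ftp` and otherwise falls under the "other" mode bits.

```sh
#!/bin/sh
# Added example, not from the thread: lint vsftpd.conf for the failures above.
# check_vsftpd_conf is a hypothetical helper; it prints one finding per line.
check_vsftpd_conf() {
    conf=$1

    # 1. A trailing space after a value is what produced
    #    "500 OOPS: bad bool value in config file for: chown_uploads".
    grep -n '^[a-z0-9_]*=.*[[:space:]]$' "$conf" | while IFS=: read -r n rest; do
        echo "line $n: trailing whitespace after value"
    done

    # 2. anon_root must name a directory that exists (pub/upload vs pub/incoming).
    root=$(sed -n 's/^anon_root=//p' "$conf" | tail -n 1)
    [ "$root" = / ] || root=${root%/}
    case "$root" in
        '') echo "anon_root not set"; return 0 ;;
        /*) ;;
        *)  echo "anon_root $root: not an absolute path"; return 0 ;;
    esac
    if [ ! -d "$root" ]; then
        echo "anon_root $root: no such directory"
        return 0
    fi

    # 3. Every directory on the way down needs the search (x) bit.
    #    Assumption: the ftp user is judged by the "other" bits only.
    dir=$root
    while [ -n "$dir" ]; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        case "$mode" in
            *[xt]) ;;
            *) echo "$dir: others cannot enter ($mode)" ;;
        esac
        dir=${dir%/*}
    done

    # 4. The login root itself should not be writable by the ftp user;
    #    uploads belong in a subdirectory. Assumption: that user is named "ftp".
    set -- $(ls -ld "$root")    # $1 = mode string, $3 = owner
    case "$1 $3" in
        ????????w*|??w*\ ftp) echo "$root: writable login root ($1 $3)" ;;
    esac
}
```

Run it as `check_vsftpd_conf /etc/vsftpd.conf`; no output means none of these four problems was found.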
0

You probably have SELinux enabled. Rather than disable the whole thing, you can use

    /usr/sbin/setsebool -P ftp_home_dir 1

to allow ftp to work correctly.

EDIT: Looking over this again, if the commands above are what you really typed, then /var/ftp/pub/incoming doesn't exist, so make sure it does, then try again.

user9517
  • Thanks for the tip, but SELinux is disabled: # /usr/sbin/setsebool -P ftp_home_dir 1 : "setsebool: SELinux is disabled." – user15318 Mar 14 '11 at 11:35
0

You probably have userlist_deny=NO in your conf file. Change it to YES and make sure that the username you're using isn't in /etc/vsftpd/user_list or in /etc/vsftpd/ftpusers.

Kevin M
-1

Is SELinux enabled? Folks in that forum were able to resolve the issue by disabling SELinux.

http://rackerhacker.com/2007/06/14/500-oops-error-from-vsftpd/

Sameer
  • Thanks for the tip, but still no go: SELinux is disabled, and the dir/file permissions seem OK. I edited the question. – user15318 Mar 14 '11 at 11:32
  • Disabling SELinux is a bad idea, especially when it's blindly used to "solve" a problem with configuration. – ILMostro_7 Jan 24 '18 at 15:34