
I have a server with centos 6.2 with httpd and vsftpd.

I have a few web sites in /var/www and I want to add an FTP user for each site.

My user1 home directory is /home/user1 and it can read/write to its folder from FTP (it's the user I use for SSH and almost everything).

I made user2, whose home is /var/www/site2 and whose shell is set to /bin/nologin (because I want it to be just an FTP user).

I can log in to the FTP with user2 and download files, but I can't upload files or mkdir...

The permissions are:

for /var/www :

 drwxrwxr-x. 13 root root 4096 Aug 21 14:08 .

for /var/www/site2 :

 drwxrwxrwx. 2 user2 user2 4096 Aug 21 14:35 site2

(the 777 was just for testing...)

My vsftpd.conf is :

 anonymous_enable=NO 
 local_enable=YES
 write_enable=YES 
 local_umask=022
 dirmessage_enable=YES
 xferlog_enable=YES
 connect_from_port_20=YES
 xferlog_std_format=NO
 log_ftp_protocol=YES
 chroot_local_user=YES
 listen=YES
 pam_service_name=vsftpd
 userlist_enable=YES
 tcp_wrappers=YES
 banner_file=/etc/vsftpd/banner

My iptables is currently stopped for testing, so the problem is not my firewall either...

SELinux is enabled:

 SELinux status:                 enabled
 SELinuxfs mount:                /selinux
 Current mode:                   enforcing
 Mode from config file:          enforcing
 Policy version:                 24
 Policy from config file:        targeted

When I disable it, it's working! :) How can I enable it and keep my vsftpd working?

Thanks in advance for your help

Castaglia
frank
  • Ug. Doesn't matter what your problem is, it's probably the fault of selinux. I disable it whenever I add anything new, so that I get the brief experience of it working before I re-enable selinux and it kills it. – Satanicpuppy Aug 23 '13 at 20:51

2 Answers


What are the rights on /var/www/site2?

User2 will need write access to this directory at the file system level. For instance /var/www/site2 needs to be something like:

 ls /var/www
 <snip>
 drwxr-xr-x user2  www-data     site2/

Make sure SELinux is disabled as well

 setsebool -P allow_ftpd_full_access 1
TheFiddlerWins
  • /var/www **drwxrwxr-x. 13 root root 4096 Aug 21 14:08 .** /var/www/site2 **drwxrwxrwx. 2 user2 user2 4096 Aug 21 14:35 site2** – frank Aug 22 '13 at 16:18
  • Do you have SELinux enabled? – TheFiddlerWins Aug 22 '13 at 18:43
  • yes SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted – frank Aug 22 '13 at 19:15
  • Please try disabling SELinux (just to verify whether it is or is not the problem). – TheFiddlerWins Aug 22 '13 at 19:26
  • You did it! If SELinux is disabled, it's working :) but how can I enable SELinux and have my vsftpd working? – frank Aug 23 '13 at 12:52
  • Please mark the question as answered. To modify your SELinux policy take a look at http://wiki.centos.org/HowTos/SELinux#head-aa437f65e1c7873cddbafd9e9a73bbf9d102c072 but I can't answer, I use Debian :D – TheFiddlerWins Aug 23 '13 at 13:45
  • FYI, I had to set the bool allow_ftpd_full_access to 1 with the command: **setsebool -P allow_ftpd_full_access 1** – frank Aug 23 '13 at 19:25

I don't think making sure that SELinux is disabled is the best approach for this situation.

You need a context like public_content_rw_t to allow vsftpd (etc.) to write to the folder with SELinux.

So set the context and then verify with:

 chcon -t public_content_rw_t /var/www/site2
 ls -ldZ /var/www/site2/

Then check /var/log/audit.log for clues if it still fails. If you still get permission denied issues, and they are getting logged in /var/log/audit.log, look into using audit2allow if you can't figure out what else might help.

Petter H
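As an added example (not from either answer, nor from the vsftpd or SELinux projects), a small Python helper that reads AVC denial lines of the kind the second answer says to look for in the audit log, groups them by source and target type, and maps the ftpd_t to httpd_sys_content_t pair to the fixes discussed on this page. The sample log lines are constructed; the semanage/restorecon form of the relabel and the allow_ftpd_anon_write boolean are additions to what the page shows, and /var/www/site2 is the asker's path.

```python
import re
from collections import Counter

# Constructed sample of what the audit log records when a chrooted vsftpd
# local user tries to upload into a directory that still carries the default
# web-content label httpd_sys_content_t. Not captured from the asker's server.
SAMPLE_AUDIT = """\
type=USER_LOGIN msg=audit(1377190499.000:200): user pid=2231 uid=0 auid=500 msg='op=login acct="user2" exe="/usr/sbin/vsftpd" res=success'
type=AVC msg=audit(1377190500.101:201): avc:  denied  { write } for  pid=2231 comm="vsftpd" name="site2" dev=dm-0 ino=393221 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1377190502.117:202): avc:  denied  { write add_name } for  pid=2231 comm="vsftpd" name="upload.txt" scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1377190502.118:203): avc:  denied  { create } for  pid=2231 comm="vsftpd" name="upload.txt" scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Remedies for the (source type, target type) pair this question is about.
# The boolean is the one the asker ended up setting (broad: ftpd may read and
# write any file). The relabel is the chcon fix from the second answer made
# persistent with semanage/restorecon (narrow: only this tree); ftpd writes to
# public_content_rw_t only with allow_ftpd_anon_write on, see ftpd_selinux(8).
REMEDIES = {
    ("ftpd_t", "httpd_sys_content_t"): [
        "setsebool -P allow_ftpd_full_access 1",
        "semanage fcontext -a -t public_content_rw_t '/var/www/site2(/.*)?' "
        "&& restorecon -Rv /var/www/site2 && setsebool -P allow_ftpd_anon_write 1",
    ],
}

def parse_avc(line):
    """Return the fields that matter for one AVC denial line, or None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    se_type = lambda ctx: ctx.split(":")[2]  # user:role:type[:range] -> type
    return {
        "perms": tuple(sorted(m.group(1).split())),
        "comm": fields.get("comm", "").strip('"'),
        "stype": se_type(fields["scontext"]),
        "ttype": se_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarise(audit_text):
    """Count denials per (source type, target type, class, perms) and attach
    the known remedies to each source/target pair; unknown pairs are left to
    audit2allow, as the second answer suggests."""
    denials = Counter()
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d:
            denials[(d["stype"], d["ttype"], d["tclass"], d["perms"])] += 1
    pairs = {(s, t) for s, t, _, _ in denials}
    remedies = {p: REMEDIES.get(p, ["audit2allow -a  # review before loading"]) for p in pairs}
    return denials, remedies
```

Run `summarise(open("/var/log/audit/audit.log").read())` on a real box to see which type pair is actually being denied before choosing between the broad boolean and the narrow relabel.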