Considering that vsftpd's default configuration is anonymous access, you would think extending it to allow anonymous upload must be a straightforward task -- even on SELinux-enabled systems such as Fedora/RHEL/CentOS.
Well, you thought wrongly. But here's hope and salvation:
First of all we have to consider that vsftpd does NOT allow the root of your anonymous FTP tree to be writable by the ftp user itself: it refuses the anonymous login with a 500 OOPS error rather than run with a writable anonymous root. So a plain chown ftp /var/ftp or chmod -R 777 /var/ftp[1] is not the solution; the writable directory has to be a subdirectory below anon_root.
The config
We'll actually have to touch the config. I prefer a clean start, so my configs start out as empty files and end up small and easy to read:
[igor@fordix]~% sudo cat /etc/vsftpd/vsftpd.conf
write_enable=YES
anonymous_enable=YES
anon_root=/var/ftp
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
We're being explicit here, setting anon_root=/var/ftp even though it defaults to the ftp user's $HOME, so the file is self-documenting.
Next we enable upload and mkdir -- but none of that is any good if you do not also set write_enable=YES. Note that local_umask only applies to local users; anonymous uploads are governed by anon_umask, which defaults to 077, so files dropped by anonymous users land as mode 0600 and, with the default anon_world_readable_only=YES, cannot be downloaded again anonymously. For a drop box that is usually exactly what you want; set anon_umask=022 only if uploads are meant to be shared.
Directory Permissions
Just to keep you on track, the directory permissions and SELinux labels should read something like this:
[igor@fordix]~% ls -lZa /var/ftp
drwxr-xr-x root root system_u:object_r:public_content_t:s0 .
drwxr-xr-x root root system_u:object_r:var_t:s0 ..
drwxr-xr-x root root system_u:object_r:public_content_t:s0 pub
drwxr-xr-x ftp  root unconfined_u:object_r:public_content_t:s0 upload
I kept everything as it came from the vanilla Fedora vsftpd install (however vanilla that is), and only ran mkdir -p /var/ftp/upload and chown ftp /var/ftp/upload.
SELinux settings
And finally, we have to toggle one SELinux boolean:
[igor@fordix]~% sudo setsebool -P allow_ftpd_full_access on
after which the ftp-related booleans read:
[igor@fordix]~% sudo getsebool -a|grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
Toggling allow_ftpd_anon_write on its own has no effect here, if you were hoping for the simple and intuitive route ;) The reason is that this boolean only opens up directories labelled public_content_rw_t, and /var/ftp/upload above carries public_content_t, the read-only type. The least-privilege fix is therefore to relabel just the upload directory as public_content_rw_t (with semanage fcontext and restorecon) and turn on allow_ftpd_anon_write, leaving allow_ftpd_full_access off: full_access lets vsftpd read and write anything DAC permits, which is far more than a drop box needs. On RHEL 7 and current Fedora the booleans are named ftpd_anon_write and ftpd_full_access.
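As an added example (not code from the original post), here is a small POSIX shell script that encodes the checks above: it writes the post's configuration, reports any directive anonymous upload still needs, tells you whether anonymous uploads will be readable again, rejects an upload directory that is the anonymous root itself, and prints the least-privilege SELinux steps (public_content_rw_t plus allow_ftpd_anon_write) instead of allow_ftpd_full_access. The function names and the VSFTPD_CONF/UPLOAD_DIR variables are my own assumptions; the semanage/restorecon/setsebool commands are printed, not executed.

```shell
#!/bin/sh
# Added example, not code from the original post. Function names and the
# VSFTPD_CONF / UPLOAD_DIR variables are assumptions of this script.

# write_page_conf FILE: write the post's vsftpd.conf verbatim to FILE (sample input).
write_page_conf() {
    cat > "$1" <<'EOF'
write_enable=YES
anonymous_enable=YES
anon_root=/var/ftp
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
EOF
}

# missing_directives FILE: print each directive anonymous upload needs that
# FILE does not set (one per line); prints nothing when the file is complete.
missing_directives() {
    for kv in anonymous_enable=YES write_enable=YES anon_upload_enable=YES; do
        key=${kv%%=*}
        val=${kv#*=}
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$1" \
            || echo "$kv"
    done
}

# anon_upload_readable FILE: "yes" if anonymously uploaded files will be
# world-readable, "no" otherwise. vsftpd applies anon_umask (default 077) to
# anonymous uploads; local_umask plays no part. The last occurrence wins.
anon_upload_readable() {
    umask_val=$(sed -n 's/^[[:space:]]*anon_umask[[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' "$1" | tail -n 1)
    umask_val=${umask_val:-077}
    # the last octal digit holds the "other" bits; read (4) survives only for 0-3
    case "$umask_val" in
        *[0-3]) echo yes ;;
        *)      echo no ;;
    esac
}

# upload_dir_ok ANON_ROOT UPLOAD_DIR: vsftpd refuses a writable anonymous root,
# so the drop directory must be an existing strict subdirectory of anon_root.
upload_dir_ok() {
    root=${1%/}
    dir=${2%/}
    [ -d "$dir" ] || return 1
    case "$dir" in
        "$root")   return 1 ;;
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# selinux_plan UPLOAD_DIR: the least-privilege SELinux steps. Only UPLOAD_DIR
# becomes writable for vsftpd; allow_ftpd_full_access stays off. On RHEL 7 and
# current Fedora the boolean is called ftpd_anon_write instead.
selinux_plan() {
    dir=${1%/}
    cat <<EOF
semanage fcontext -a -t public_content_rw_t "${dir}(/.*)?"
restorecon -Rv "${dir}"
setsebool -P allow_ftpd_anon_write on
EOF
}

# Set VSFTPD_CONF (and optionally UPLOAD_DIR) to report on a live system;
# with neither set the script only defines the functions above.
if [ -n "${VSFTPD_CONF:-}" ]; then
    missing=$(missing_directives "$VSFTPD_CONF")
    if [ -z "$missing" ]; then echo "config: complete"; else printf 'config missing:\n%s\n' "$missing"; fi
    echo "anonymous uploads world-readable: $(anon_upload_readable "$VSFTPD_CONF")"
    upload_dir_ok /var/ftp "${UPLOAD_DIR:-/var/ftp/upload}" \
        || echo "warning: upload dir must be an existing subdirectory of anon_root"
    selinux_plan "${UPLOAD_DIR:-/var/ftp/upload}"
fi
```

Run it as VSFTPD_CONF=/etc/vsftpd/vsftpd.conf sh check-vsftpd.sh on the server; with the post's config it reports the directives complete, uploads not world-readable (anon_umask left at 077), and prints the three SELinux commands to run as root.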
That's all folks!
Remarks
[1] It is absolutely never appropriate to chmod 777 anything. Mode 1777 (world-writable with the sticky bit) has its purpose and its place (/tmp), but 777 does not. And don't say it's just a test server.