viki - vsftpd Wiki


Anonymous FTP on SELinux

Wednesday, 21. January 2009 21:21:00, by Igor Galić



Considering that vsftpd's default configuration is anonymous, you would think that extending it to incorporate anonymous upload must be a straightforward task -- even on SELinux-enabled systems such as Fedora/RHEL/CentOS.

Well, you thought wrongly. But here's hope and salvation:

First of all we have to consider that vsftpd does NOT allow the root of your anonymous FTP tree to be writable by the ftp user itself, so simply running chown ftp /var/ftp or chmod -R 777 /var/ftp[1] is not the solution.

The config

We'll actually have to touch the config. I prefer a clean start, so my configs start out as empty files and end up small and easy to read:

[igor@fordix]~% sudo cat /etc/vsftpd/vsftpd.conf

We're being explicit here, setting anon_root=/var/ftp, even though it defaults to the ftp user's $HOME, so that the file is self-documenting.
Next we enable upload and mkdir for anonymous users, but none of that is any good if you do not actually set write_enable=YES.

Directory Permissions

Just to keep you on track, the directory permissions should read something like this:

[igor@fordix]~% ls -lZa /var/ftp
drwxr-xr-x  root root system_u:object_r:public_content_t:s0 .
drwxr-xr-x  root root system_u:object_r:var_t:s0       ..
drwxr-xr-x  root root system_u:object_r:public_content_t:s0 pub
drwxr-xr-x  ftp root unconfined_u:object_r:public_content_t:s0 upload

I kept everything as it came from the vanilla Fedora vsftpd install (however vanilla that is), and only ran mkdir -p /var/ftp/upload and chown ftp /var/ftp/upload.

SELinux settings

And finally, we have to toggle one SELinux boolean:

[igor@fordix]~% sudo setsebool -P allow_ftpd_full_access on

so that the ftp-related booleans now read:

[igor@fordix]~% sudo getsebool -a|grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

Toggling allow_ftpd_anon_write has no effect whatsoever, by the way, if you were hoping for a simple and intuitive way to handle this ;)
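An added audit script (not from this post) that checks the three pieces above: the config directives, the ownership and labels of the anon root, and the boolean. It reads captured command output so it runs without root or SELinux; anon_upload_enable and anon_mkdir_write_enable are vsftpd's real option names for the upload and mkdir settings paraphrased above.

```shell
#!/bin/sh
# Added audit helper, not code from the post. It checks the three things the
# post relies on, reading captured command output so it runs offline.
# anon_upload_enable / anon_mkdir_write_enable are vsftpd's option names for
# the "upload" and "mkdir" settings the post paraphrases.

# conf_value FILE KEY: value of KEY in a vsftpd.conf (last one wins), empty if unset
conf_value() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# check_conf FILE: 0 when all three directives anonymous upload needs are YES
check_conf() {
    for key in write_enable anon_upload_enable anon_mkdir_write_enable; do
        [ "$(conf_value "$1" "$key")" = "YES" ] || return 1
    done
}

# check_listing FILE: FILE holds 'ls -lZa' output of the anon root. 0 when '.'
# is neither owned by ftp nor group/world writable, 'upload' is owned by ftp,
# and every entry at or below the root carries the public_content_t type.
check_listing() {
    awk '$5 == ".." { next }
         { mode = $1; owner = $2; ctx = $4; name = $5
           if (ctx !~ /:public_content_t:/) bad = 1
           if (name == ".") { root = 1
               if (owner == "ftp" || substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w") bad = 1 }
           if (name == "upload") { up = 1; if (owner != "ftp") bad = 1 } }
         END { exit (bad || !root || !up) }' "$1"
}

# check_bools FILE: FILE holds 'getsebool -a | grep ftp' output; 0 when
# allow_ftpd_full_access is on (the boolean the post toggles).
check_bools() { grep -q '^allow_ftpd_full_access --> on$' "$1"; }

# Constructed sample inputs mirroring the post's listings.
tmp=$(mktemp -d)
printf '%s\n' anonymous_enable=YES anon_root=/var/ftp write_enable=YES \
    anon_upload_enable=YES anon_mkdir_write_enable=YES > "$tmp/vsftpd.conf"
cat > "$tmp/ls.txt" <<'EOF'
drwxr-xr-x  root root system_u:object_r:public_content_t:s0 .
drwxr-xr-x  root root system_u:object_r:var_t:s0       ..
drwxr-xr-x  root root system_u:object_r:public_content_t:s0 pub
drwxr-xr-x  ftp root unconfined_u:object_r:public_content_t:s0 upload
EOF
printf '%s\n' 'allow_ftpd_anon_write --> off' 'allow_ftpd_full_access --> on' > "$tmp/bools.txt"

check_conf "$tmp/vsftpd.conf" && check_listing "$tmp/ls.txt" && check_bools "$tmp/bools.txt" \
    && echo "anonymous upload setup looks consistent" || echo "setup incomplete"
```

Note that allow_ftpd_full_access lifts most of the SELinux confinement of vsftpd on the whole host, not just for the upload directory, so it is a setting worth auditing rather than setting and forgetting.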

That's all folks!


[1] It is absolutely never appropriate to chmod 777 anything. 1777 has its purpose and its place (/tmp), but 777 does not. And don't say it's just a test server.
