08-20-2006, 01:54 PM   #1
ironmike
LQ Newbie
 
Registered: Feb 2004
Location: Virginia, USA
Distribution: RedHat 4.5
Posts: 6

Anyone actually have anonymous vsftpd working while protected with selinux?


I am using Fedora Core 4, vsftpd, anonymous ftp. All works well except I can't upload files anonymously, I get '553 Could not create file'. I have selinux protection enabled for the vsftpd server.

I've checked many, many threads and found users with the same error, and the solution was usually to disable selinux protection for the vsftpd daemon.

Does ANYONE out there have selinux protection enabled on a Fedora Core 4 system, AND have anonymous FTP working with vsftpd?

My /etc/vsftpd/vsftpd.conf:

Code:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=qrdbupdt
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
nopriv_user=ftpsecure
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
dirlist_enable=NO
hide_ids=YES
download_enable=YES
 
08-20-2006, 07:30 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote: found users with the same error
Could you post some related (avc) error lines from your syslog?
 
08-21-2006, 12:55 PM   #3
ironmike
LQ Newbie
 
Registered: Feb 2004
Location: Virginia, USA
Distribution: RedHat 4.5
Posts: 6

Original Poster
I don't see any messages at all that are related to selinux, or any other security messages for that matter. I'm looking in /var/log/messages

A brief anonymous FTP session, sanitized for your protection:
Code:
ftp ftp.xxxxxxx.com
Connected to updates.xxxxxxx.com.
220 Welcome to .........
Name (ftp.xxxxxxx.com): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put sorts.rexx
local: sorts.rexx remote: sorts.rexx
200 PORT command successful. Consider using PASV.
553 Could not create file.
ftp>

Directory permissions are 777 on the directory that FTP users are thrown into first. Security context for that directory is system_u:object_r:public_content_t. chown information is 'ftpsecure' as owner and group both. 'ftpsecure' is the ftp daemon insecure userid.
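
Added example, not part of any post in this thread: AVC denials are written to /var/log/audit/audit.log when auditd is running and reach /var/log/messages through the kernel log only when it is not, so both files are worth checking. The sketch below summarises the denials logged for one daemon; the log lines are constructed samples and `sample_log` and `avc_summary` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: summarise SELinux AVC denials for one daemon from log text.
# The sample lines are constructed for illustration, not taken from the thread.

sample_log() {
cat <<'EOF'
Aug 21 12:40:01 host kernel: audit(1156178401.101:12): avc:  denied  { write } for  pid=2817 comm="vsftpd" name="incoming" dev=dm-0 ino=98321 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:public_content_t tclass=dir
Aug 21 12:40:09 host vsftpd: pam_unix(vsftpd:session): session opened
Aug 21 12:41:15 host kernel: audit(1156178475.332:13): avc:  denied  { write } for  pid=2830 comm="vsftpd" name="incoming" dev=dm-0 ino=98321 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:public_content_t tclass=dir
Aug 21 12:42:00 host kernel: audit(1156178520.004:14): avc:  denied  { getattr } for  pid=901 comm="httpd" name="x" dev=dm-0 ino=5 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
EOF
}

# Reads log text on stdin. For every distinct denial whose comm= matches $1,
# prints: count, permissions, object class, source type -> target type.
avc_summary() {
    awk -v want="comm=\"$1\"" '
    /avc:/ && /denied/ && index($0, want) {
        # Permissions are the words between the braces.
        perms = $0
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        s = t = c = "?"
        for (i = 1; i <= NF; i++) {
            # The type is the third colon-separated part of a context.
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        seen[perms " " c " " s " -> " t]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

sample_log | avc_summary vsftpd
```

On a real system, feed it the log instead of the sample, for example `avc_summary vsftpd < /var/log/audit/audit.log`. A `write` denial from `ftpd_t` on a `public_content_t` directory is consistent with that type being read-only for daemons; ftpd_selinux(8) on later Fedora and RHEL releases describes `public_content_rw_t` and the `allow_ftpd_anon_write` boolean for anonymous upload directories.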
 
08-21-2006, 06:53 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote: chown_username=qrdbupdt
Does this user exist or have you filled this in with garbage?

Quote: xferlog_file=/var/log/vsftpd.log
Any clues from here?

Quote: nopriv_user=ftpsecure
Does this user exist?
Has user ftpsecure got write access to the dir your user is dumped in?

Quote: local: sorts.rexx remote: sorts.rexx
Does the file exist?
Are you trying to overwrite the file with itself (local $PWD == remote $PWD)?

Quote: I have selinux protection enabled for the vsftpd server.
Do you run strict or targeted policy?
Do you have any ftpd related booleans?
 
08-23-2006, 09:06 AM   #5
ironmike
LQ Newbie
 
Registered: Feb 2004
Location: Virginia, USA
Distribution: RedHat 4.5
Posts: 6

Original Poster
Pressures at work have made me abandon anonymous FTP for now. I kept selinux enabled in target policy mode, but I turned off anonymous FTP and instead now force entry of a userid/password for FTP, but I then keep each such user in a chroot sandbox. Vsftpd seems to be very good @ this.

Many thanks to unSpawn for caring enough to reply and help me. I may revisit anonymous FTP later.

To answer your questions, file sorts.rexx did exist, ftpsecure did have write access to the directories in question (at the user, not group level), and userid qrdbupdt does exist. I saw nothing in the vsftpd log to indicate what the failure reason was.
 
08-23-2006, 09:20 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote: Pressures at work have made me abandon anonymous FTP for now.
OK. So be it. If you want to tackle the problem again just add to this thread or reference it (efficiency).

Quote: Many thanks
You're welcome. It's what we're here for.
 
  

