LinuxQuestions.org
Old 03-30-2015, 11:06 AM   #1
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Rep: Reputation: 48
550 permission denied vsftpd


Hi, I'm having trouble configuring my vsftpd version 2.2.2 on Centos 6.6. I successfully log in, but I cannot make any changes (creating files, directories, whatever):
ftp> mkdir t
550 Permission denied.
ftp>

This is how my vsftp.conf looks:
Code:
anonymous_enable=NO
local_enable=YES
local_umask=022
dirmessage_enable=YES
listen=YES
pam_service_name=virtual-ftp
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
tcp_wrappers=YES
write_enable=YES
guest_enable=YES
guest_username=ftp
local_root=/mnt/storage/ftp

All users are mapped to the ftp user. /mnt/storage/ftp is owned by ftp and there are no permission problems (the mount point is /mnt/storage). I use pam for authentication, which seems to be working fine from what I can tell from the logs and the fact that I can log in, of course.

/mnt/storage is a linux partition and it's mounted like this:
/dev/sdb5 /mnt/storage ext4 defaults 0 0

Which is really unimportant, because I tried to use the root partition also, and I get the same problem.

On some site someone suggested allow_writeable_chroot=YES, but this directive is not identified by vsftpd.

I kind of ran out of ideas. Any suggestions?
 
Old 03-30-2015, 01:06 PM   #2
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 476
You are not able to create any directory and you get permission denied. So it is good to assume that you are not able to upload anything on your ftp server as well. Right?

What output do you get when you log into the FTP server and try to run the ls command?

Also share the output of uname -a.
 
Old 03-30-2015, 03:36 PM   #3
zafar_dandoti
Member
 
Registered: Dec 2005
Location: India
Distribution: centos
Posts: 169

Rep: Reputation: Disabled
Selinux may be the issue here.

Code:
chcon -t public_content_t /mnt/storage/ftp

Enable ftp home directories

Code:
setsebool -P ftp_home_dir on

Restart vsftpd
 
Old 03-30-2015, 07:03 PM   #4
thegwer
Member
 
Registered: Jan 2012
Location: San Antonio. TX
Distribution: CentOS. Ubuntu
Posts: 48

Rep: Reputation: Disabled
Also check /etc/pam/. I installed vsftp the other day, and even though my config files and permissions were set correctly, a PAM file for vsftp was blocking me from writing anything.

T
 
1 members found this post helpful.
Old 03-31-2015, 11:30 AM   #5
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
I forgot to say that SELinux is disabled, so that's not the case.

Yes, I cannot upload anything. I tried it with filezilla.

this is the output of ls:
Code:
ftp> ls
229 Entering Extended Passive Mode (|||25415|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Mar 20 16:37 see
226 Directory send OK.

"see" is an empty directory that I've created.

Code:
uname -a:
Linux myhost.host 2.6.32-504.12.2.el6.x86_64 #1 SMP Wed Mar 11 22:03:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

@thegwer
What do I need to check exactly in /etc/pam? You're too ambiguous for me.
If it's important, this is what my /etc/pam.d/virtual-ftp file looks like:

Code:
auth required /lib64/security/pam_userdb.so db=/etc/hash_vsftpd
account required /lib64/security/pam_userdb.so db=/etc/hash_vsftpd

Last edited by vincix; 03-31-2015 at 11:31 AM.
 
Old 03-31-2015, 01:09 PM   #6
zafar_dandoti
Member
 
Registered: Dec 2005
Location: India
Distribution: centos
Posts: 169

Rep: Reputation: Disabled
What are directory permissions?
Are they writable to user ftp?
Code:
ls -l /mnt/storage
 
Old 03-31-2015, 01:25 PM   #7
thegwer
Member
 
Registered: Jan 2012
Location: San Antonio. TX
Distribution: CentOS. Ubuntu
Posts: 48

Rep: Reputation: Disabled
@vincix

I was in a hurry and didn't feel like messing with it, so I ended up moving the file virtual-ftp out of /etc/pam.d and then restarted vsftpd, and it worked fine. I have not since had the time to play anymore with the PAM authentication.
 
Old 03-31-2015, 02:22 PM   #8
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Quote:
Originally Posted by thegwer View Post
@vincix

I was in a hurry and didn't feel like messing with it, so I ended up moving the file virtual-ftp out of /etc/pam.d and then restarted vsftpd, and it worked fine. I have not since had the time to play anymore with the PAM authentication.

If I move it somewhere else, I cannot log in anymore, as one would expect. The file is essential for login credentials through pam. I make use of pam, as you can see from my vsftpd.conf.

Do you recommend any other authentication modes for vsftpd that I can use, then? And if so, can you instruct me?
 
Old 03-31-2015, 02:34 PM   #9
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 476
There is one test you can try just to narrow down the issue. Is it possible for you to set 777 on the ftp directory which is owned by ftp? Once done, try to upload to FTP by logging in via the command line or filezilla. If it works, then it is a file permission issue.

If even after setting 777 it doesn't work, then it has something to do with authentication, which is indeed not propagating the file system permission to the user mapped to the ftp user or the ftp user itself.

Another simple test would be to log in as a normal user on the system, switch to the ftp user using su - ftp and then try to browse using a simple cd command: cd /mnt/storage/ftp, just to be double sure about filesystem permissions.
 
1 members found this post helpful.
Old 03-31-2015, 03:01 PM   #10
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Quote:
Originally Posted by T3RM1NVT0R View Post
There is one test you can try just to narrow down the issue. Is it possible for you to set 777 on the ftp directory which is owned by ftp? Once done, try to upload to FTP by logging in via the command line or filezilla. If it works, then it is a file permission issue.

If even after setting 777 it doesn't work, then it has something to do with authentication, which is indeed not propagating the file system permission to the user mapped to the ftp user or the ftp user itself.

Another simple test would be to log in as a normal user on the system, switch to the ftp user using su - ftp and then try to browse using a simple cd command: cd /mnt/storage/ftp, just to be double sure about filesystem permissions.

The ftp user has /sbin/nologin set in /etc/passwd. That's how it was set up by default and, from what I've read, this is how it should be. So I'm really not sure if this is a real test. However, just for the sake of it, I did change the line to /bin/bash so that I could log in directly and had no permission problems - I could create directories, etc., but when logging in to ftp, I get the same 550 permission error.

I did change the permission to 777, but the problem remains.

I'm quite stuck, and I don't understand, 'cause it should be a little more straightforward, given that I'm only trying to set up a rather basic configuration of vsftpd, just to make it work and later to add maybe some other more advanced configurations.

@zafar. You can see from the post previous to yours what the folder permissions are. So the answer is yes, it's 755 (which is consistent with the vsftpd.conf directive local_umask=022)

Last edited by vincix; 03-31-2015 at 03:05 PM.
 
Old 03-31-2015, 03:15 PM   #11
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 476
Alright, let us give this a try. Make a backup of your existing vsftpd.conf file. Make the following changes:

1. Append the following to vsftpd.conf file:

Code:
virtual_use_local_privs=YES

2. Restart vsftpd service

Check and see if you are able to upload.

If it does not work, then modify the following line in vsftpd.conf file:

1. pam_service_name=virtual-ftp to pam_service_name=ftp

2. Restart vsftpd and then give it a try.

If that also doesn't work then it will be a good idea to revert to the original config and then take a packet trace to see if there is anything in there.
 
1 members found this post helpful.
Old 03-31-2015, 04:52 PM   #12
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
This is interesting. After inserting the directive you suggested, I get another different error when I try to create a folder:

Code:
ftp> mkdir t
550 Create directory operation failed.

So the error description is different this time (the previous one was: 550 Permission denied.). So it must have triggered something.

Changing the pam_service_name directive to ftp makes me unable to log in anymore, 'cause the file is /etc/pam.d/virtual-ftp - I know you know that, but I suppose you wanted to verify if pam doesn't append a prefix or anything.

What should I do next exactly? What would you suggest exactly for traffic analyzing?
 
Old 03-31-2015, 05:06 PM   #13
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 476
Before we go ahead with the packet trace, the last thing you could do is make sure that /mnt/storage/ftp, which is owned by ftp:ftp, is set to 775 or 770 (it doesn't matter which); the only thing we are interested in is that both group and user have read, write and execute access. The reason I am saying so is that it might be possible that though the ftp user has got full access, the group permission is pulling him down. Most restrictive permissions prevail.

Edit: In case the above-mentioned plan doesn't work, you can run tcpdump -i <ethX> -w /tmp/packet_trace.pcap. Once the packet capture is started on FTP, you can try accessing the FTP server to generate that error, which will be captured in the trace. Then we can have a look at the trace to see what the server is responding with when requested to create the directory. To stop the packet capture just hit ctrl+c on the terminal.

Last edited by T3RM1NVT0R; 03-31-2015 at 06:46 PM.
 
1 members found this post helpful.
Old 03-31-2015, 07:01 PM   #14
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Quote:
Originally Posted by T3RM1NVT0R View Post
Before we go ahead with the packet trace, the last thing you could do is make sure that /mnt/storage/ftp, which is owned by ftp:ftp, is set to 775 or 770 (it doesn't matter which); the only thing we are interested in is that both group and user have read, write and execute access. The reason I am saying so is that it might be possible that though the ftp user has got full access, the group permission is pulling him down. Most restrictive permissions prevail.

Edit: In case the above-mentioned plan doesn't work, you can run tcpdump -i <ethX> -w /tmp/packet_trace.pcap. Once the packet capture is started on FTP, you can try accessing the FTP server to generate that error, which will be captured in the trace. Then we can have a look at the trace to see what the server is responding with when requested to create the directory.

Ok, I am slightly (or more) stupid. Before I inserted the virtual_use_local_privs=YES directive, I created the empty directory called "t" with the ftp user that I logged in with (after changing the default shell in /etc/passwd), then I logged in and tried to create AGAIN the directory "t", having forgotten that I had already created it. So the reason why the error description was different was not a matter of permission, but of a duplicate.

So now it works just fine.

Thank you for your help, the directive made all the difference.
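
Why the directive from post #11 cleared the error, as an added example that is not part of the original thread: with guest_enable=YES, vsftpd gives virtual users anonymous-user privileges unless virtual_use_local_privs=YES, so the anon_* write switches (all NO by default) decide what is allowed before filesystem permissions are even consulted. The sketch models that rule as documented in vsftpd.conf(5); the function names are hypothetical, and NARROW_CONF is a constructed alternative that grants only upload and mkdir instead of full local-user privileges.

```python
# Added example: models the privilege rules documented in vsftpd.conf(5).
# Function names are hypothetical; filesystem permissions still apply on top.
DEFAULTS = dict.fromkeys(
    ["write_enable", "guest_enable", "virtual_use_local_privs",
     "anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"],
    "NO")  # all six options default to NO

def parse_conf(text):
    """Parse vsftpd.conf text (key=value per line, '#' starts a comment line)."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def on(conf, key):
    """True when a boolean option is enabled."""
    return conf.get(key, "NO").upper() in ("YES", "TRUE", "1")

def write_privs(conf):
    """Write operations the configuration itself permits a non-anonymous login."""
    ops = ("upload", "mkdir", "delete_rename")
    if not on(conf, "write_enable"):
        return dict.fromkeys(ops, False)
    if not on(conf, "guest_enable") or on(conf, "virtual_use_local_privs"):
        return dict.fromkeys(ops, True)  # local-user privileges
    # Guest (virtual) users get anonymous privileges: each anon_* switch decides.
    return {"upload": on(conf, "anon_upload_enable"),
            "mkdir": on(conf, "anon_mkdir_write_enable"),
            "delete_rename": on(conf, "anon_other_write_enable")}

# Relevant lines of the configuration from post #1.
THREAD_CONF = "write_enable=YES\nguest_enable=YES\nguest_username=ftp\n"
# The same configuration with the directive from post #11 appended.
FIXED_CONF = THREAD_CONF + "virtual_use_local_privs=YES\n"
# Constructed alternative: keep anonymous privileges, grant only what is needed.
NARROW_CONF = THREAD_CONF + "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n"

if __name__ == "__main__":
    for name, text in [("thread", THREAD_CONF), ("fixed", FIXED_CONF),
                       ("narrow", NARROW_CONF)]:
        print(name, write_privs(parse_conf(text)))
```
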
 
Old 03-31-2015, 07:03 PM   #15
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 476
You're welcome. Thanks for marking the thread as solved!

Enjoy Linux!!!
 
  


All times are GMT -5.
