|
VSFTPD Anonymous Root Problem
I'm having great difficulty changing the anon_root directory for my newly installed ftp box. I cannot change the directory to /ftp/pub. I can change the directory to a /usr/ftp/ or /var/ftp/test/ folder without a problem.
I have tried the chmod 755 /ftp/pub and chown root.root /ftp/pub/ commands with no success. What am I missing here? I don't understand a whole lot about permissions but this definitely feels like a permissions problem. I have exhausted all other resources. Any help is greatly appreciated. |
Hi,
You didn't mention your distro, nor how you installed vsftpd, but anyway make sure your config meets the following: The anon_root has to be no writable and must be owned by the anonymous user (depending on distro this username is usually ftp). So try: Code:
chown ftp:ftp /ftp/pubRegards |
Hey thanks for the reply. I'm running fedora 15 64bit. To be honest I can't remember how I installed VSFTPD anymore. I think originally I installed the package during install but then I removed it and did yum install vsftpd or something like that to reinstall it just to make sure that it wasnt a bad package that was causing the problem. The vsftpd.config page is set to its default values with the exception of this: anon_root=/ftp/pub/ which I added to change the anonymous root dir.
Anyway, I tried your suggestions and still I get the "500 OOPS: cannot change directory:/ftp/pub/" error message when trying to access it from filezilla. |
Hi,
Since it's fedora, then I guess the problem is related to SELinux. Have a look here to see what you need to do. Regards |
You are a genius thank you.
All I was missing was: Code:
# setsebool -P allow_ftpd_full_access 1 |
i use code:chmod 777 /ftp/pub so no question.
you can try it. |
Well now that I have successfully configured the FTP server to work, I have an entirely different set of problems.
I created an FTP server with the following criteria in mind: 1) allow anonymous ftp access so that I can share certain files all of the time without the need of creating a username/password. The anon user should be rooted to prevent unauthorized access to other files and directories. DONE 2) allow real users to access the FTP server and have access to whatever files and directories that he/she normally has access to. DONE 3) allow virtual users to access the FTP so that I can share certain files with certain people and restrict them to just those files. The virtual users should be rooted to prevent unauthorized access to other files and directories. DONE 4) the FTP server should be easily accessible (webbrowsers, ftpclients, etc.). PENDING 5) the FTP server should be secure. PENDING ------------------------------------------------------------ So now I'm stuck. If I allow real users access to the ftp server I'm compromising the security of the server because without SSL turned on I'm practically sending the passwords across the internet in clear-text. If I turn on SSL for all real users then accessing the ftp site from webbrowsers (without installing additional add-ons, plug-ins, etc.) is not possible. It seems to me (unless I'm missing something) that I only have two choices here: a) focus on accessibility b) focus on security I can either remove SSL and prevent real users from logging on or I can retain SSL and forget about logging on from web-browsers. Im hoping someone here can help me see something I have missed. |
Quote:
Quote:
|
Hi,
I'm sorry I don't have any solution to your issues, but just a thought: how about running 2 instances of FTP server on different ports for Anon and local users, so then you can configure it differently to suit the needs. My apology again for no solution submitted. |
Hangdog: I was afraid that this was going to be the case. I'm going to have to think about this one for a little bit before I can make a decision. Do I really need real users to log on to the FTP? Does it really matter whether I log onto the FTP via an FTP client or a webbrowser? Once I've answered these questions I will be able to make my decision.
lithos: Thats actually pretty ingenius. Thanks I'm going to consider it. |
Just something to think about....
The dual server solution may seem appealing, but it doesn't get around the security issue. No matter how you configure it, if a client can't deal with SSL, then usernames and passwords are going to be sent out as clear text. The only thing I can think of to address the security angle would be to add a layer. Something like forcing the FTP users onto a secure channel like a VPN before allowing them FTP access. |
Hey Hangdog cant I simply force SSL login on one the ftp server's .conf files? I know vsftpd has the ability to do so.
|
I can confirm you that and it's working - Configuring_vsftpd_for_secure_connections_%28TLS/SSL/SFTP%29 and configure-vsfptd-secure-connections-via-ssl-tls
|
Quote:
Maybe I'm misunderstanding what you're after. From what you've posted, I'm assuming that you don't want to mess around with making the FTP clients SSL capable for your real users. Yeah, you certainly can force SSL from the server side, but if the client can't handle SSL, the user won't be able to log in. And if you don't force SSL on your real users, then they will be sending usernames and passwords in the clear. Am I missing something in what you're after? However, if you're happy with forcing real users onto SSL and keeping anonymous users in the clear, then a 2 server solution is a good one. @lithos - I don't think anyone is arguing that vsftd can't operate with SSL. The problem (at least as I understand it) is that some/many of the wzards real users would want access using FTP clients that aren't SSL capable. |
I'm sorry for misunderstanding, I was just trying to point to how-to example of configuring for FTP with ssl, I just overlooked the clients maybe don't want it.
|
| All times are GMT -5. The time now is 08:03 PM. |