LinuxQuestions.org
Old 06-13-2011, 11:19 AM   #1
thewzard
LQ Newbie
 
Registered: Jun 2011
Posts: 12

Rep: Reputation: Disabled
VSFTPD Anonymous Root Problem


I'm having great difficulty changing the anon_root directory for my newly installed ftp box. I cannot change the directory to /ftp/pub. I can change the directory to a /usr/ftp/ or /var/ftp/test/ folder without a problem.

I have tried the chmod 755 /ftp/pub and chown root.root /ftp/pub/ commands with no success.

What am I missing here? I don't understand a whole lot about permissions but this definitely feels like a permissions problem.

I have exhausted all other resources. Any help is greatly appreciated.
 
Old 06-13-2011, 12:08 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,764

Rep: Reputation: 1587
Hi,

You didn't mention your distro, nor how you installed vsftpd, but anyway make sure your config meets the following:
The anon_root has to be not writable and must be owned by the anonymous user (depending on distro this username is usually ftp). So try:
Code:
chown ftp:ftp /ftp/pub
chmod 555 /ftp/pub
If you want to use /ftp as anon_root and /ftp/pub as an anonymous upload directory, change to 555 /ftp and to 755 /ftp/pub

Regards
 
Old 06-13-2011, 01:33 PM   #3
thewzard
LQ Newbie
 
Registered: Jun 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
Hey thanks for the reply. I'm running Fedora 15 64bit. To be honest I can't remember how I installed VSFTPD anymore. I think originally I installed the package during install but then I removed it and did yum install vsftpd or something like that to reinstall it just to make sure that it wasn't a bad package that was causing the problem. The vsftpd.config page is set to its default values with the exception of this: anon_root=/ftp/pub/ which I added to change the anonymous root dir.


Anyway, I tried your suggestions and still I get the "500 OOPS: cannot change directory:/ftp/pub/" error message when trying to access it from filezilla.
 
Old 06-13-2011, 02:20 PM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,764

Rep: Reputation: 1587
Hi,

Since it's fedora, then I guess the problem is related to SELinux. Have a look here to see what you need to do.

Regards
 
Old 06-13-2011, 05:44 PM   #5
thewzard
LQ Newbie
 
Registered: Jun 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
You are a genius thank you.

All I was missing was:

Code:
# setsebool -P allow_ftpd_full_access 1
# chcon -R -t public_content_t /ftp/pub/
That link is priceless btw, I wish I would have had that days ago! Thanks.
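
An added example, not part of any post in this thread: a shell audit of both layers that came up above, the Unix mode bits on the anonymous root and its parent directories, and the SELinux label on an enforcing host. It assumes the FTP daemon reaches the path through the "other" permission class; the demo tree is constructed and stands in for /ftp/pub.

```shell
#!/bin/sh
# Added example (not from the thread): audit an anonymous FTP root.
# Assumption: the FTP daemon reaches the path through the "other"
# permission class; owner/group matches are not evaluated.

mode_of() { ls -ld "$1" | cut -c1-10; }   # e.g. drwxr-xr-x

# check_anon_root DIR: print one finding per line; return 0 when clean.
check_anon_root() {
    dir=${1%/}; rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    # DAC 1: the root itself must not be writable by others (the 777 case).
    case "$(mode_of "$dir")" in
        ????????w?) echo "WORLD_WRITABLE $dir"; rc=1 ;;
    esac

    # DAC 2: every component of the path needs the search (x) bit.
    p=$dir
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        case "$(mode_of "$p")" in
            ?????????[xt]) ;;
            *) echo "NO_SEARCH $p"; rc=1 ;;
        esac
        p=$(dirname "$p")
    done

    # MAC: on an enforcing SELinux host, report a non-public label.
    if command -v getenforce >/dev/null 2>&1 &&
       [ "$(getenforce)" = "Enforcing" ]; then
        ctx=$(ls -Zd "$dir" | cut -d' ' -f1)
        case "$ctx" in
            *:public_content_t:*|*:public_content_rw_t:*) ;;
            *) echo "SELINUX_LABEL $dir $ctx"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Constructed demo tree standing in for /ftp/pub.
demo=$(mktemp -d)
mkdir -p "$demo/ftp/pub"
chmod 700 "$demo/ftp"; chmod 777 "$demo/ftp/pub"
check_anon_root "$demo/ftp/pub" || echo "=> fix the findings above"
rm -rf "$demo"
```

A directory that passes both mode-bit checks but still produces the 500 OOPS error on an enforcing host points at the label, which is the case the chcon command above addresses.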
 
Old 06-13-2011, 10:04 PM   #6
kudingstar
LQ Newbie
 
Registered: May 2011
Posts: 2

Rep: Reputation: Disabled
I use code: chmod 777 /ftp/pub so no question.

You can try it.
 
Old 06-24-2011, 08:25 AM   #7
thewzard
LQ Newbie
 
Registered: Jun 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
Well now that I have successfully configured the FTP server to work, I have an entirely different set of problems.

I created an FTP server with the following criteria in mind:

1) allow anonymous ftp access so that I can share certain files all of the time without the need of creating a username/password. The anon user should be rooted to prevent unauthorized access to other files and directories. DONE

2) allow real users to access the FTP server and have access to whatever files and directories that he/she normally has access to. DONE

3) allow virtual users to access the FTP so that I can share certain files with certain people and restrict them to just those files. The virtual users should be rooted to prevent unauthorized access to other files and directories. DONE

4) the FTP server should be easily accessible (web browsers, FTP clients, etc.). PENDING

5) the FTP server should be secure. PENDING

------------------------------------------------------------

So now I'm stuck. If I allow real users access to the ftp server I'm compromising the security of the server because without SSL turned on I'm practically sending the passwords across the internet in clear-text. If I turn on SSL for all real users then accessing the ftp site from web browsers (without installing additional add-ons, plug-ins, etc.) is not possible.

It seems to me (unless I'm missing something) that I only have two choices here:

a) focus on accessibility

b) focus on security

I can either remove SSL and prevent real users from logging on or I can retain SSL and forget about logging on from web browsers. I'm hoping someone here can help me see something I have missed.
 
Old 06-24-2011, 11:54 AM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
Quote:
Originally Posted by thewzard
So now I'm stuck. If I allow real users access to the ftp server I'm compromising the security of the server because without SSL turned on I'm practically sending the passwords across the internet in clear-text. If I turn on SSL for all real users then accessing the ftp site from web browsers (without installing additional add-ons, plug-ins, etc.) is not possible.
Allow me to re-frame your dilemma just a bit: Basically, if you allow non-secure clients to access FTP, you can't enforce security. This is one of those things that really isn't a server/software problem, but rather a policy problem, and the answer is really going to depend on how much of a tradeoff you want to make between security and convenience. Yes, if you allow non-secure clients, then you are transmitting usernames and passwords in the clear. If you can't live with this, then the only alternative is to have your users use clients that can handle SSL. You haven't missed anything, this is one of those cases where there isn't a middle ground.


Quote:
Originally Posted by kudingstar
I use code: chmod 777 /ftp/pub so no question.

You can try it.
You've put 777 permissions on an internet-facing anonymous accessible directory? Are you serious? I honestly can't think of a single worse idea than this.
 
1 members found this post helpful.
Old 06-24-2011, 05:37 PM   #9
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
Hi,
I'm sorry I don't have any solution to your issues, but just a thought: how about running 2 instances of FTP server on different ports for Anon and local users, so then you can configure it differently to suit the needs.
My apology again for no solution submitted.
 
Old 06-24-2011, 07:55 PM   #10
thewzard
LQ Newbie
 
Registered: Jun 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
Hangdog: I was afraid that this was going to be the case. I'm going to have to think about this one for a little bit before I can make a decision. Do I really need real users to log on to the FTP? Does it really matter whether I log onto the FTP via an FTP client or a web browser? Once I've answered these questions I will be able to make my decision.

lithos: That's actually pretty ingenious. Thanks I'm going to consider it.

Last edited by thewzard; 06-24-2011 at 07:56 PM.
 
Old 06-25-2011, 06:29 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
Just something to think about....

The dual server solution may seem appealing, but it doesn't get around the security issue. No matter how you configure it, if a client can't deal with SSL, then usernames and passwords are going to be sent out as clear text.

The only thing I can think of to address the security angle would be to add a layer. Something like forcing the FTP users onto a secure channel like a VPN before allowing them FTP access.
 
Old 06-25-2011, 02:14 PM   #12
thewzard
LQ Newbie
 
Registered: Jun 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled
Hey Hangdog can't I simply force SSL login on one of the ftp server's .conf files? I know vsftpd has the ability to do so.
 
Old 06-25-2011, 03:59 PM   #13
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
I can confirm that, and it's working - Configuring_vsftpd_for_secure_connections_%28TLS/SSL/SFTP%29 and configure-vsfptd-secure-connections-via-ssl-tls

Last edited by lithos; 06-25-2011 at 04:01 PM.
 
Old 06-26-2011, 08:30 AM   #14
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
Quote:
Originally Posted by thewzard View Post
Hey Hangdog can't I simply force SSL login on one of the ftp server's .conf files? I know vsftpd has the ability to do so.

Maybe I'm misunderstanding what you're after. From what you've posted, I'm assuming that you don't want to mess around with making the FTP clients SSL capable for your real users. Yeah, you certainly can force SSL from the server side, but if the client can't handle SSL, the user won't be able to log in. And if you don't force SSL on your real users, then they will be sending usernames and passwords in the clear. Am I missing something in what you're after?

However, if you're happy with forcing real users onto SSL and keeping anonymous users in the clear, then a 2 server solution is a good one.

@lithos - I don't think anyone is arguing that vsftpd can't operate with SSL. The problem (at least as I understand it) is that some/many of thewzard's real users would want access using FTP clients that aren't SSL capable.
 
Old 06-26-2011, 11:25 AM   #15
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
I'm sorry for misunderstanding, I was just trying to point to how-to example of configuring for FTP with ssl, I just overlooked the clients maybe don't want it.
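
An added example, not part of any post in this thread: a shell check that reads a vsftpd config and reports whether real-user passwords can cross the wire without TLS, run over the two-instance layout discussed above and the single open server it replaces. The three configs and the port number are constructed; option defaults are the ones documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example: does this vsftpd config let real users send passwords
# without TLS? Defaults follow vsftpd.conf(5).

# conf_get FILE KEY DEFAULT: last KEY=value in FILE, else DEFAULT.
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

is_yes() {   # vsftpd accepts YES, TRUE and 1 as true, in any case
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
    esac
    return 1
}

# Prints no-local-logins, tls-forced or cleartext.
local_login_exposure() {
    if ! is_yes "$(conf_get "$1" local_enable NO)"; then
        echo no-local-logins
    elif is_yes "$(conf_get "$1" ssl_enable NO)" &&
         is_yes "$(conf_get "$1" force_local_logins_ssl YES)"; then
        echo tls-forced
    else
        echo cleartext
    fi
}

# Constructed configs: two instances, plus the single open server.
write_samples() {
    printf '%s\n' anonymous_enable=YES local_enable=NO \
        anon_root=/ftp/pub > "$1/public.conf"
    printf '%s\n' anonymous_enable=NO local_enable=YES listen_port=2121 \
        ssl_enable=YES force_local_logins_ssl=YES \
        force_local_data_ssl=YES > "$1/users.conf"
    printf '%s\n' anonymous_enable=YES local_enable=YES \
        ssl_enable=NO > "$1/single.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in public users single; do
    printf '%-7s %s\n' "$name" \
        "$(local_login_exposure "$demo_dir/$name.conf")"
done
rm -rf "$demo_dir"
```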
 
  

