LinuxQuestions.org - FTP Server

- Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)

- - FTP Server (http://www.linuxquestions.org/questions/linux-server-73/ftp-server-693650/)

I am in the process of setting up an FTP server my system and ran into an issue and was wondering if someone could offer some advice.

Basically I have setup VSFTPD on our system to allow anonymous uploads/downloads to a directory (/var/ftp/uploads).

1. I can connect fine with credentials Username = ftp Password = ftp (the ftp folder and sub directories are owned by ftp user/group)

2. I can also transfer files transfer to/from the server.

The issue seems to be if I create a new file whether it be on my windows machine (then upload to the server) or even create a new file on the linux box, the new file has permission of –rw-------- resulting in a failed transfer of the file if I try to transfer the file (via ftp). If I manually change the permissions (–rwxrwxrwx) then I am able to then to transfer the files successfully.

Does anyone have any suggestions? At the end of the day the ultimate goal is for an anonymous user to be able to upload/download files from the server.

Not sure if it possible (or most efficient) to have some script/ program run to change the permission of a new file? This was the only idea that came to my mind.

Ray Bonds

You are a little unclear about the files that have the bad permissions. Are these files uploaded to the server in some other way than through FTP? Because right before that you say you can successfully transfer files to and from the server over FTP.

The files are uploaded to the server through ftp.

What I meant by I "I can also transfer files transfer to/from the server." is that if i randomly choose a file of the system and set it in the uploads folder it will transfer. I did this for testing purposes just to see if i could transfer a file.

So you can download a file that is placed in the FTP directory from the local filesystem, but cannot download a file that was actually uploaded through FTP?

In that case it sounds like a mask problem. Try adding the following to your vsftpd.conf file:

Code:

anon_umask=0022

I attempted to add anon_umask=0022 to the code. This however did not work.

To answer your question yes I can download a file already on the filesystem but can't download uploaded files.

Did you make sure to restart VSFTPD after changing the file to reload the configuration? Could you post your vsftpd.conf file?

Yes i restarted the system after making the change to the config file. Note you suggessted that I use 0022 (i tried this first then changed it to 022)

Code:





# Example config file /etc/vsftpd/vsftpd.conf

#

# The default compiled in settings are fairly paranoid. This sample file

# loosens things up a bit, to make the ftp daemon more usable.

# Please see vsftpd.conf.5 for all compiled in defaults.

#

# READ THIS: This example file is NOT an exhaustive list of vsftpd options.

# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's

# capabilities.

#

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).

anonymous_enable=YES

#

# Uncomment this to allow local users to log in.

#local_enable=YES

#

# Uncomment this to enable any form of FTP write command.

write_enable=YES

#

# Default umask for local users is 077. You may wish to change this to 022,

# if your users expect that (022 is used by most other ftpd's)

local_umask=022

#

# Uncomment this to allow the anonymous FTP user to upload files. This only

# has an effect if the above global write enable is activated. Also, you will

# obviously need to create a directory writable by the FTP user.

anon_upload_enable=YES

#

# Uncomment this if you want the anonymous FTP user to be able to create

# new directories.

anon_mkdir_write_enable=YES

#



#anon_root=/home/ftp/

anon_root=/var/ftp/

#local_umask=022



anon_umask=022



# Activate directory messages - messages given to remote users when they

# go into a certain directory.

dirmessage_enable=YES

#

# Activate logging of uploads/downloads.

xferlog_enable=YES

#

# Make sure PORT transfer connections originate from port 20 (ftp-data).

connect_from_port_20=YES

#

# If you want, you can arrange for uploaded anonymous files to be owned by

# a different user. Note! Using "root" for uploaded files is not

# recommended!

chown_uploads=YES

chown_username=ftp

#

# You may override where the log file goes if you like. The default is shown

# below.

xferlog_file=/var/log/vsftpd.log

#

# If you want, you can have your log file in standard ftpd xferlog format

xferlog_std_format=YES

#

# You may change the default value for timing out an idle session.

#idle_session_timeout=600

#

# You may change the default value for timing out a data connection.

#data_connection_timeout=120

#

# It is recommended that you define on your system a unique user which the

# ftp server can use as a totally isolated and unprivileged user.

nopriv_user=ftp

#

# Enable this and the server will recognise asynchronous ABOR requests. Not

# recommended for security (the code is non-trivial). Not enabling it,

# however, may confuse older FTP clients.

#async_abor_enable=YES

#

# By default the server will pretend to allow ASCII mode but in fact ignore

# the request. Turn on the below options to have the server actually do ASCII

# mangling on files when in ASCII mode.

# Beware that on some FTP servers, ASCII support allows a denial of service

# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd

# predicted this attack and has always been safe, reporting the size of the

# raw file.

# ASCII mangling is a horrible feature of the protocol.

#ascii_upload_enable=YES

#ascii_download_enable=YES

#

# You may fully customise the login banner string:

ftpd_banner=Imaging FTP Server

#

# You may specify a file of disallowed anonymous e-mail addresses. Apparently

# useful for combatting certain DoS attacks.

#deny_email_enable=YES

# (default follows)

#banned_email_file=/etc/vsftpd/banned_emails

#

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

#chroot_list_enable=YES

# (default follows)

#chroot_list_file=/etc/vsftpd/chroot_list

#

# You may activate the "-R" option to the builtin ls. This is disabled by

# default to avoid remote users being able to cause excessive I/O on large

# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume

# the presence of the "-R" option, so there is a strong case for enabling it.

#ls_recurse_enable=YES

#

# When "listen" directive is enabled, vsftpd runs in standalone mode and 

# listens on IPv4 sockets. This directive cannot be used in conjunction 

# with the listen_ipv6 directive.

listen=YES

#

# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6

# sockets, you must run two copies of vsftpd whith two configuration files.

# Make sure, that one of the listen options is commented !!

#listen_ipv6=YES



pam_service_name=vsftpd

userlist_enable=YES

tcp_wrappers=YES

Quote:

Originally Posted by villumanati (Post 3390760)

Yes i restarted the system after making the change to the config file. Note you suggessted that I use 0022 (i tried this first then changed it to 022)

What are the permissions and owner on the /var/ftp and /var/ftp/uploads directories?

Code:

ls -al /var/ftp /var/ftp/uploads

Here is the output from running the following command

[root@ip3d dev]# ls -al /var/ftp /var/ftp/uploads

Code:



[root@ip3d dev]# ls -al /var/ftp /var/ftp/uploads

/var/ftp:

total 36

dr-xr-xr-x  5 ftp  ftp  4096 Dec 26 12:53 .

drwxr-xr-x 27 root root 4096 Dec 26 12:56 ..

dr-xr-xr-x  2 ftp  ftp  4096 Dec 23 15:55 downloads

dr-xr-xr-x  3 ftp  ftp  4096 Dec 23 15:56 .Trash-root

drwxrwxrwx  3 ftp  ftp  4096 Dec 29 15:55 uploads



/var/ftp/uploads:

total 663708

drwxrwxrwx 3 ftp  ftp       4096 Dec 29 15:55 .

dr-xr-xr-x 5 ftp  ftp       4096 Dec 26 12:53 ..

-rwxrwxrwx 1 ftp  ftp    1310930 Dec 26 14:33 #9 Grey 5%ETOH NoWash 20x A Blue Absorbance (Modified).tif

-rwxrwxrwx 1 root root         0 Dec 26 14:30 deleteMe.txt

-rwxrwxrwx 1 ftp  ftp  663617536 Dec 26 15:18 i386-disc2.iso

-rw------- 1 ftp  ftp    9905347 Dec 29 13:22 ImagesWithOverlayOTSU-false.zip

drwxrwxrwx 2 ftp  ftp       4096 Dec 26 15:17 lkj

-rw------- 1 ftp  ftp      90112 Dec 26 15:24 MachineSound_2.xls

-rw------- 1 ftp  ftp     163328 Dec 29 13:17 MachineSound_5.xls

-rw------- 1 ftp  ftp      77257 Dec 29 09:28 TA_E001_I001_M001_WI_SOCK (Threshold 0 - 162).jpg

-rw------- 1 ftp  ftp    3686554 Dec 29 13:16 TA_E001_I001_M001_WI_SOCK (W- Overlay).tif

-rw------- 1 ftp  ftp        788 Dec 29 09:28 TA_E001_I002_M001_WX_SOCK.TIF (COMPOSITE ROI 163 - 165).zip

-rw------- 1 root root         6 Dec 29 09:36 testFilesM.txt

-rw------- 1 root root         0 Dec 29 09:34 testFilesM.txt~

-rwxrwxrwx 1 ftp  ftp        132 Dec 26 13:41 testFile.zip

Well your permissions should be fine as long as you're trying to upload to the upload directory. Try adding these two lines to your config (don't remove any of the other lines.)

Code:

local_enable=YES

local_umask=022

Then stop and start the service again (make sure it is completely down in between.) Upload a file and see what permissions it gets.

(I know you don't want local users in the long run, but your options should be fine otherwise, I'm just testing for a bug I saw once.)

One other thing I might mention and it sounds kinda silly, but make sure you're editing the conf file that controls the actual service and not a sample or a duplicate in an alternate location.

The problem has been semi-solved. I appreciate the input/suggestions from everyone.

I added anon_world_readable_only=NO to the file which allows me to download files that have been uploaded to the server.

Code:

[root@ip3d uploads]# ls -l

total 4

-rw------- 1 ftp ftp 0 Dec 30 09:20 deleteMe.txt

I am still baffled by how even after changing the
file_open_mode=0666
anon_umask=0022

in the config file
files uploaded to /var/ftp/uploads still have -rw------- permission.

Does anyone have any ideas?