LinuxQuestions.org
Old 05-29-2013, 01:58 PM   #1
rewards
Member
 
Registered: Dec 2010
Posts: 135

Rep: Reputation: 0
Question SELinux blocks VSFTPD uploads CentOS 6.4


Hello all,

My server is CentOS 6.4 final. I am having a problem using VSFTPD with SELinux enabled. VSFTPD is running. I can access the directory /var/www/html. When I tried to upload files to the directory, I was not able to. The error message was "Critical file transfer error". I went ahead and disabled SELinux by running vi /etc/selinux/config and changing it from enforcing to disabled. After that, I tried again and this time I was able to upload files. Is there a way to have SELinux enabled or enforced and yet be able to upload files using vsftpd? Thank you.
 
Old 05-29-2013, 02:33 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
grep /var/log/audit/audit.log for "ftp" and run that through 'audit2allow', then post the output here between [code][/code] tags.
 
Old 05-29-2013, 03:17 PM   #3
rewards
Member
 
Registered: Dec 2010
Posts: 135

Original Poster
Rep: Reputation: 0
Hello,

Thank you for the quick response. Yes, I will post this info. I had to start a fresh install and I am updating the system. I have two questions. 1- Please tell me if this is a good practice using FTP. I created a user called test. I set the test user's home directory to /var/www/html by editing the /etc/passwd file with vi. And then, just to be able to access /var/www/html via FTP, I ran these two commands: chown -R test /var/www/html/; chmod -R +rw /var/www/html/. If I didn't run these commands, I would not even be able to access that directory via FTP. Is it good practice, or can I do things differently? This is the only way I know. 2- You mentioned running /var/log/audit/audit.log through 'audit2allow'. Do I do this as root? How do I run it through 'audit2allow'? I don't understand what 'audit2allow' is. Thank you.
 
Old 05-29-2013, 04:53 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by rewards View Post
I had to start a fresh install and I am updating the system.
Why?


Quote:
Originally Posted by rewards View Post
Please tell me if this is a good practice using FTP. I created a user called test.
No. Bad practice: unlearn that ASAP. Users should have unique names. "test" is an account name an automated script would scan for.
*Often when admins name a user "test" they'll give it an easy password too.


Quote:
Originally Posted by rewards View Post
I set the test user's home directory to /var/www/html by editing the /etc/passwd file with vi.
No. Bad practice: unlearn that ASAP. Use either distro-centric UI tools like system-config-users or the distro-agnostic tools vipw and vigr.


Quote:
Originally Posted by rewards View Post
And then, just to be able to access /var/www/html via FTP, I ran these two commands: chown -R test /var/www/html/; chmod -R +rw /var/www/html/.
No. Bad practice: unlearn that ASAP. There is a reason /var/www and files are owned by a certain.


Quote:
Originally Posted by rewards View Post
If I didn't run these commands, I would not even be able to access that directory via FTP. Is it good practice, or can I do things differently? This is the only way I know.
Use ACLs instead ('man acl; man getfacl; man setfacl'), see for example http://stackoverflow.com/questions/4...rmission-issue


Quote:
Originally Posted by rewards View Post
You mentioned running /var/log/audit/audit.log through 'audit2allow'. Do I do this as root?
Yes.


Quote:
Originally Posted by rewards View Post
How do I run it through 'audit2allow'?
Code:
grep -i ftp /var/log/audit/audit.log | audit2allow 2>&1>/tmp/suggestion.txt; getsebool -a|grep ftp
then read / post / pastebin / attach as plain text.


Quote:
Originally Posted by rewards View Post
I don't understand what 'audit2allow' is.
Run 'man audit2allow' as unprivileged user.
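The grep/audit2allow step suggested above turns raw AVC denial records from /var/log/audit/audit.log into candidate policy rules. As an added illustration, not code from the thread or from the audit2allow tool itself, the shell script below re-implements that rule-generation step over a constructed sample of audit.log lines (the pids, timestamps, inode numbers and file names are made up), so you can see what the suggestion file would contain for an ftpd_t process denied a write into a directory labelled httpd_sys_content_t:

```shell
#!/bin/sh
# Added example, not code from the thread: a small re-implementation of
# the rule-generation step that audit2allow performs on AVC denial
# records.  SAMPLE_AVC is a CONSTRUCTED sample in audit.log AVC format;
# timestamps, pids, inode numbers and file names are made up.
SAMPLE_AVC='type=AVC msg=audit(1369850000.101:2001): avc:  denied  { write } for  pid=2410 comm="vsftpd" name="httpdocs" dev=dm-0 ino=131074 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1369850000.102:2002): avc:  denied  { add_name } for  pid=2410 comm="vsftpd" name="index.html" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1369850000.103:2003): avc:  denied  { create } for  pid=2410 comm="vsftpd" name="index.html" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1369850000.103:2003): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023'

# avc_to_rules: read audit records on stdin and print one allow rule per
# (source type, target type, object class), listing every permission that
# was denied for that triple.  Non-AVC lines (SYSCALL etc.) are ignored,
# as audit2allow does.  Output is sorted so it is deterministic.
avc_to_rules() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms)       # keep text after "{"
      sub(/ *[}].*/, "", perms)                # drop text from "}" on
      src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src)
      tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt)
      cls = $0; sub(/.*tclass=/,   "", cls); sub(/ .*/, "", cls)
      split(src, s, ":"); split(tgt, t, ":")   # user:role:type:level
      key = s[3] " " t[3] ":" cls
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (index(" " seen[key] " ", " " p[i] " ") == 0)
          seen[key] = (seen[key] == "") ? p[i] : seen[key] " " p[i]
    }
    END {
      for (k in seen) printf "allow %s { %s };\n", k, seen[k]
    }' | sort
}

# demo_rules: run the generator over the constructed sample.
demo_rules() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
}

demo_rules
```

On CentOS 6 the audit2allow binary ships in the policycoreutils-python package. Read the generated rule for its type names rather than loading it: a denial of ftpd_t writing to a directory labelled httpd_sys_content_t says the label or a boolean is the real fix, which is what `getsebool -a | grep ftp` and `ls -Z` on the target directory are for; building and loading a module with `audit2allow -M` is a last resort, since it silently widens the policy.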
 
Old 05-29-2013, 04:55 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
You'll also want to read these:
Rute Tutorial & Exposition
Enterprise Linux Deployment Guide (Centos)
Centos Wiki OS protection
Linux Newbie Administrator Guide (2003)
The Linux System Administrator's Guide (2003)
and maybe see Linux Documentation Project and LinuxSelfHelp
 
Old 05-29-2013, 06:02 PM   #6
rewards
Member
 
Registered: Dec 2010
Posts: 135

Original Poster
Rep: Reputation: 0
Thank you for all the advice you gave me. I did a fresh install because I think, though I am not 100% sure, that running setsebool -P ftp_home_dir 1 and setsebool -P allow_ftpd_full_access 1 messed up the system. The system became very slow responding to any inquiries. I searched and found it on this page: http://firelitdesign.blogspot.com/20...ux-apache.html. This web server I am talking about is in an isolated network and that's why I chose test as a user. It is like a sandbox. Once I manage to configure it correctly, then I want to mimic a real server in a production environment. My challenge so far has been to get FTP working. I don't know which FTP server is the best: VSFTPD or Pure FTP? Basically I want to be able to connect to the FTP server and upload files to /var/www/html. My problem now is that I am lost because of the overwhelming information I got from the links you provided and I don't know where to start. Especially when I tried to learn the distro-centric UI tools (system-config-users) or the distro-agnostic tools vipw and vigr. And for that matter when I did man acl; man getfacl; man setfacl. Are there any quick solutions I can follow step by step to get FTP working for now? Thank you again.

Last edited by rewards; 05-29-2013 at 06:03 PM.
 
Old 05-30-2013, 02:20 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Slow system response should be measured (top, htop, atop, warnings in /var/log log files, etc) and shown. The setsebool commands should not break your system. You should research what they do though before enabling them ('man ftpd_selinux'). And VSFTP should work OK with the ACLs posted in http://stackoverflow.com/questions/4...rmission-issue.
 
Old 05-30-2013, 10:29 PM   #8
rewards
Member
 
Registered: Dec 2010
Posts: 135

Original Poster
Rep: Reputation: 0
Hi, thank you for your response.

I have made some progress following the steps here: http://ostechnix.wordpress.com/2013/...fic-linux-6-x/

All users are able to upload files to their own home directory using FTP (FileZilla) even though SELinux is enabled/enforcing. Now I want to designate one user who can log in to FTP and whose home directory would be /var/www/html. Do you think it is a good idea to follow the steps from here: http://stackoverflow.com/questions/6...ific-directory? Or, in this regard, how can I use ACLs? Can you show me a command example please?

Here is the output of that command:

[root@php ~]# grep -i ftp /var/log/audit/audit.log | audit2allow 2>&1>/tmp/suggestion.txt; getsebool -a|grep ftp
bash: audit2allow: command not found
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
[root@php ~]#

Last edited by rewards; 05-31-2013 at 01:58 AM.
 
Old 06-02-2013, 12:55 AM   #9
rewards
Member
 
Registered: Dec 2010
Posts: 135

Original Poster
Rep: Reputation: 0
Hello all,

I have made some changes and it seems that I still struggle to make this work. Here are the changes I have made:

useradd -m -s /bin/bash webadmin
Then I set a password for the user: passwd webadmin
Changed the user's home directory: usermod -d /var/www/html/httpdocs/ webadmin
Then I set an ACL on the httpdocs directory: setfacl -m user:webadmin:rwx httpdocs/
I can log in via FTP with the webadmin user. The home directory is /var/www/html/httpdocs but I cannot upload files to the httpdocs directory. Does anybody know what I have missed? Thank you

Last edited by rewards; 06-02-2013 at 03:21 PM.
 
Old 06-02-2013, 05:53 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Well I already pointed you to http://stackoverflow.com/questions/4...rmission-issue. Did you actually try those commands (from the reply that starts with "It's always same problem", not that idiot "chmod 777" reply)?
 
Old 06-02-2013, 07:38 PM   #11
rewards
Member
 
Registered: Dec 2010
Posts: 135

Original Poster
Rep: Reputation: 0
Hello,

Thank you for your response. If I disable SELinux or run setenforce 0, I can upload files to the directory /var/www/html/httpdocs. The setenforce 0 command doesn't work after the system is locked or when I sign off as root, and if I try to upload files again I have to run the setenforce 0 command again, which I think is not a smart solution. I did everything from the link http://stackoverflow.com/questions/4...rmission-issue. Here is how I did it:
[root@php ~]# mkdir /var/www/html/httpdocs
[root@php ~]# cd /var/www/html/
[root@php html]# ls -l
total 4
drwxr-xr-x. 2 root root 4096 Jun 2 09:12 httpdocs
[root@php html]# useradd webadmin
[root@php html]# chown webadmin:webadmin /var/www/html/httpdocs/

ls -la /var/www/html/httpdocs/
total 8
drwxr-xr-x. 2 webadmin webadmin 4096 Jun 2 09:12 .
drwxr-xr-x. 3 root root 4096 Jun 2 09:12 ..

[root@php html]# setfacl -d -m u:apache:rwx /var/www/html/httpdocs/
[root@php html]# setfacl -d -m g:apache:rwx /var/www/html/httpdocs/
I also did this because I still had a problem just running the two commands above!!
[root@php html]# setfacl -d -m u:webadmin:rwx /var/www/html/httpdocs/

[root@php html]# getfacl /var/www/html/httpdocs/
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/httpdocs/
# owner: webadmin
# group: webadmin
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:group:apache:rwx
default:user:webadmin:rwx
default:mask::rwx
default:other::r-x

This is what I get when I do cat /etc/passwd for webadmin:
webadmin:x:501:501::/home/webadmin:/bin/bash. He is able to log in via FTP and upload any file to his home directory, but I want him to be able to upload to the /var/www/html/httpdocs directory. When I changed his home directory to /var/www/html/httpdocs by running the command usermod -d /var/www/html/httpdocs/ webadmin, he can log in and directory listing is successful, but I get a critical file transfer error when I try to upload a file.

Last edited by rewards; 06-14-2013 at 10:56 AM.
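Two things in the last posts are worth checking mechanically: the setfacl calls (post #9 used a plain -m entry, post #11 used -d entries), and the getfacl listing, in which apache and webadmin appear only in default: entries, which govern files and subdirectories created later rather than the directory itself. The script below is an added example, not code from the thread or from the acl tools, that reads a getfacl listing and prints what a given account effectively gets on the directory (access ACL) and on a subdirectory it would create in it (default ACL), applying the mask entry as acl(5) describes. SAMPLE_ACL is the listing posted above reproduced as a constructed string; SAMPLE_ACL2 is a constructed variant with a named access entry and a restrictive mask. Because the upload succeeds with setenforce 0, the DAC side of the posted setup is already sufficient (webadmin owns the directory with rwx); the remaining denial belongs to SELinux, which is what the audit log and `ls -Z` on the directory will show.

```shell
#!/bin/sh
# Added example, not code from the thread: work out what a POSIX ACL
# actually grants a given account, keeping the access ACL (the directory
# itself) separate from the default ACL (inherited only by objects
# created later) and applying the mask entry to named entries.
SAMPLE_ACL='# file: var/www/html/httpdocs/
# owner: webadmin
# group: webadmin
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:group:apache:rwx
default:user:webadmin:rwx
default:mask::rwx
default:other::r-x'

# Constructed variant: a named access entry capped by mask::r-x, as
# getfacl shows it (with its "#effective:" note), and no default ACL.
SAMPLE_ACL2='# file: var/www/html/httpdocs/
# owner: webadmin
# group: webadmin
user::rwx
user:apache:rwx            #effective:r-x
group::r-x
mask::r-x
other::---'

# acl_effective USER [GROUP ...]  < getfacl-output
# Prints "access=<rwx> default=<rwx|none>" for USER whose groups are
# GROUP...  Resolution follows acl(5): owner entry; else a named user
# entry (masked); else matching group entries (union, masked); else
# other.  The default ACL is evaluated as if USER created a subdirectory,
# ignoring umask (an assumption of this example).
acl_effective() {
  user=$1; shift
  awk -v user="$user" -v groups=" $* " '
    function ingrp(g) { return index(groups, " " g " ") > 0 }
    function andp(a, b,   i, c, o) {            # a & b, bit by bit
      if (b == "") return a
      o = ""
      for (i = 1; i <= 3; i++) { c = substr(a, i, 1); o = o ((c != "-" && substr(b, i, 1) == c) ? c : "-") }
      return o
    }
    function orp(a, b,   i, c, o) {             # a | b, bit by bit
      if (b == "") return a
      o = ""
      for (i = 1; i <= 3; i++) { c = substr(a, i, 1); o = o ((c != "-") ? c : substr(b, i, 1)) }
      return o
    }
    function effective(pfx,   r, any, k, kk) {
      if (user == owner) return entry[pfx, "user:"]
      if ((pfx, "user:" user) in entry) return andp(entry[pfx, "user:" user], entry[pfx, "mask:"])
      r = "---"; any = 0
      if (ingrp(ogroup)) { r = orp(r, entry[pfx, "group:"]); any = 1 }
      for (k in entry) {
        split(k, kk, SUBSEP)
        if (kk[1] == pfx && kk[2] ~ /^group:./ && ingrp(substr(kk[2], 7))) { r = orp(r, entry[k]); any = 1 }
      }
      if (any) return andp(r, entry[pfx, "mask:"])
      return entry[pfx, "other:"]
    }
    /^#/ { if ($2 == "owner:") owner = $3; if ($2 == "group:") ogroup = $3; next }
    NF {
      line = $0
      sub(/[ \t]+#.*/, "", line)                 # drop "#effective:" notes
      pfx = "access"
      if (line ~ /^default:/) { pfx = "default"; hasdef = 1; sub(/^default:/, "", line) }
      split(line, f, ":")                        # tag:qualifier:perms
      entry[pfx, f[1] ":" f[2]] = f[3]
    }
    END {
      printf "access=%s default=%s\n", effective("access"), (hasdef ? effective("default") : "none")
    }'
}

check_acl()  { printf '%s\n' "$SAMPLE_ACL"  | acl_effective "$@"; }
check_acl2() { printf '%s\n' "$SAMPLE_ACL2" | acl_effective "$@"; }

for who in webadmin apache nobody; do
  printf '%-8s posted listing: %s   variant: %s\n' "$who" "$(check_acl "$who" "$who")" "$(check_acl2 "$who" "$who")"
done
```

For the posted listing the script reports apache as r-x on the directory but rwx on anything created inside it, which is exactly the difference between `setfacl -d -m` and `setfacl -m`; in the variant the named rwx entry collapses to r-x because the mask caps every named user and group entry.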
 