LinuxQuestions.org
Old 09-26-2010, 09:57 PM   #1
dhelyar
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Rep: Reputation: 0
Trying to setup VSFTPD on Centos 5 to access /var/www/ directly


Hi all,

Trying to set up VSFTPD on the CentOS 5 box at work, which is an internal web development server. I'm leaving soon, and all knowledge of or desire to learn SSH is going with me so the other employees will need to be able to access the web root using FTP clients.

Essentially there is no need for special user accounts or privileges, it's an internal server in a tiny company. I've got the LocalRoot set to /var/www/ which I can log in to and read all files via FTP, however despite setting everything to 777 in /var/www/ and below, I still can't get any write privileges on the FTP server.

Soooo, what can I try?

Thanks in advance for any help or advice

Last edited by dhelyar; 09-26-2010 at 10:34 PM.
 
Old 09-27-2010, 01:21 AM   #2
rhoekstra
Member
 
Registered: Aug 2004
Location: The Netherlands
Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo
Posts: 372

Rep: Reputation: 42
Is SELinux active?
Try by doing 'getenforce'. If it says 'Enforcing' your access is being prevented by SELinux. Being an internal server, you can safely disable SELinux.

Edit /etc/sysconfig/selinux for that (SELINUX=Disabled instead of SELINUX=Enforcing).

Perform a reboot to apply the change.

Mode 777 is something you really would like to revert, by the way.

Hope this helps..
 
Old 09-27-2010, 02:14 AM   #3
dhelyar
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Yes ultimately I don't want 777 or to disable SELinux, as there must be a way to allow a particular FTP user write access to the /var/www/ folder without compromising everything else. As it's an internal server I can be reckless with security, but I'd certainly prefer not to be.

/usr/sbin/getenforce does report Enforcing. I'm almost entirely unfamiliar with SELinux; is there no way to set exceptions for it? I'm guessing that its sole purpose is not to block FTP users from accessing the /var/www/ folder.

Thanks though, I'll give this a try

EDIT: Yes that worked thanks, I've set SELinux to Permissive for the time being.

Additionally, as I was hoping not to have to reboot, this came in handy:

http://www.revsys.com/writings/quick...f-selinux.html

Last edited by dhelyar; 09-27-2010 at 02:23 AM.
 
Old 09-27-2010, 05:51 AM   #4
rhoekstra
Member
 
Registered: Aug 2004
Location: The Netherlands
Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo
Posts: 372

Rep: Reputation: 42
The purpose for SELinux is to allow only the access that is needed. This goes beyond FTP indeed. But is also important for servers likely to be accessed from the (big bad) internet. For internal servers it is less likely to be hacked (main purpose of SELinux is to prevent access for processes that they do not need to function properly).

You can do a number of things:
- Decide that SELinux is way too secure for an internal server and disable it.. no hassle anymore, you remain with a standard Linux server most people can work with.
- Relocate /var/www to a location where ftp can have access to by default.
- Create a different context for the /var/www location where ftp can have access to.
- Possibly the easiest: allow ftp to access outside its own context.

Rebooting isn't necessary, as you can indeed turn SELinux into permissive mode. It only creates a lot of AVC errors in /var/log/audit/audit.log (as it logs what would have been denied by SELinux, while when Disabled, it wouldn't log at all). For the long term, either of the solutions above would suffice.

Option 1 is easy, as I described above.
Option 2 .. is a bit more tricky, as SELinux (afaik) does not provide a default location where both apache and vsftpd can have (read/write) access to. - not per default, that is.
Option 3 is possible using semanage, e.g. 'semanage fcontext -a -t public_content_rw_t "/var/www(/.*)?"' to enable write. Don't know if FTP has write access to this context; could be another type you need. Read option 4.
Option 4 would be my favorite. Try 'setsebool -P allow_ftpd_full_access 1' and see what happens. This boolean enables the ftp server to access files (r/w) outside the default locations. To verify, make sure SELinux is enforced or watch /var/log/audit/audit.log closely.

Hope this helps.
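
The "watch /var/log/audit/audit.log closely" step from the post above can be reduced to a summary of what the FTP daemon is being denied. This is an added example, not part of the original thread; the function names are hypothetical and the sample AVC records are constructed.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials raised by the FTP daemon (ftpd_t).

# Constructed sample records in audit.log AVC format (not from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1285640001.101:210): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="html" dev=dm-0 ino=131073 scontext=root:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1285640002.202:211): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="html" dev=dm-0 ino=131073 scontext=root:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1285640003.303:212): avc:  denied  { create } for  pid=2351 comm="vsftpd" name="index.php" scontext=root:system_r:ftpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1285640004.404:213): avc:  denied  { read } for  pid=2400 comm="httpd" name="notes.txt" dev=dm-0 ino=99 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1285640004.404:213): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
EOF
}

# Print "count perms tclass target_type name" for each distinct ftpd_t denial,
# in first-seen order. Reads the files given as arguments, or stdin if none.
summarize_ftpd_denials() {
    awk '
    # Return the value of key=value field f on the current record, or "-".
    function field(f,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, f "=") == 1) return substr($i, length(f) + 2)
        return "-"
    }
    # Only AVC denials whose source context type is ftpd_t.
    /type=AVC/ && /denied/ && /scontext=[^ ]*:ftpd_t(:| )/ {
        perms = $0                      # text between "{" and "}"
        sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        split(field("tcontext"), c, ":")   # user:role:type:level
        name = field("name"); gsub(/"/, "", name)
        key = perms " " field("tclass") " " c[3] " " name
        if (!(key in n)) order[++k] = key
        n[key]++
    }
    END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }
    ' "$@"
}

# Stand-alone run over the constructed sample.
sample_audit_log | summarize_ftpd_denials
```

Run as root against /var/log/audit/audit.log after changing the boolean or file context; with SELinux enforcing, no new ftpd_t entries should appear for uploads into /var/www.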
 
  


All times are GMT -5.