Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 09-12-2011, 03:09 PM   #1
mickaleen
vsftpd, file permissions and chroot jail


Hi,

I'm trying to configure vsftpd. I'm trying to access my home directory /home/mike on an FC11 box running version 2.1.2. I can get a directory listing and transfer a file from /var/ftp/pub/ but not /home/mike. The file permissions in both cases are drwxr-xr-x all the way down. The message I get from vsftpd.log is:
Quote:
Mon Sep 12 17:48:43 2011 [pid 6] [mike] FTP response: Client "192.168.1.101", "226 Transfer done (but failed to open directory)."
My vsftpd.conf file is:
Quote:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
#*local_enable=YES
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# chroot_list_enable=NO
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
# chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure that one of the listen options is commented out!!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
#
# 070911
log_ftp_protocol=YES
#anon_root=/var/ftp/pub
At the moment I am trying to run with no chroot jail, but eventually what I want to do is put mike in a chroot jail with all other access blocked. At the moment /etc/vsftpd/chroot_list contains simply 'mike'.

I'd be very grateful for any help.

Cheers, Mike
 
Old 09-12-2011, 04:52 PM   #2
T3RM1NVT0R

Hi there,

Welcome to LQ!!

Comment out chroot_local_user=YES as follows:

#chroot_local_user=YES

and then restart vsftpd.

Once done give it a shot.
 
Old 09-12-2011, 05:12 PM   #3
mickaleen
Hi,

Nope, that doesn't do it. If I comment it out I can't cd into /var or /home, etc., but I can cd into /bin; then when I do ls I get the same 'Transfer done (but failed to open directory)' error.

Cheers, Mike
 
Old 09-12-2011, 05:25 PM   #4
mickaleen
Hi T3RM1NVT0R,

Sorry but I forgot to say that /bin is also drwxr-xr-x. (I really don't get it.)

Cheers, Mike
 
Old 09-12-2011, 05:35 PM   #5
T3RM1NVT0R

Well, I tried it on my server and it works fine. Here is my vsftpd.conf file. I have used the same configuration as you are using. How are you trying to download / upload the file?

Did you check your local directory (lcd) and present working directory (pwd) before using mget or mput?

Your lcd should be /home/mike and pwd should be /var/ftp/pub/ if you are trying to download from ftp.

lcd /home/mike
pwd /var/ftp/pub

and then execute mget or mput

Last edited by T3RM1NVT0R; 09-12-2011 at 05:36 PM.
 
Old 09-12-2011, 05:56 PM   #6
mickaleen
Hi T3RM1NVT0R,

I'm not sure we're talking about the same thing. For testing purposes what I am doing is using the ftp command in cygwin on a Windows XP Pro box behind my router (thus the 192.168.1.x IP addresses) which has an IP address of 192.168.1.101. I'm trying to ftp into my FC11 box which has an IP address of 192.168.1.100. With 'chroot_local_user=YES' uncommented lcd gives me /home/User which is correct for cygwin (and Windows) and pwd gives me /home/mike which is correct for the FC11 box. (I get equivalent behaviour using Windows Filezilla Client directly from Windows.) With it commented lcd still gives /home/User and pwd gives / and I can't cd into /var or /home but can into /bin but can't get a listing as before.

I really appreciate your help.

Cheers, Mike
 
Old 09-12-2011, 06:25 PM   #7
T3RM1NVT0R

Alright Mike. As I understand it, you are trying to ftp to your FC11 box from your Windows box, which is running cygwin. Using cygwin you are trying to FTP to FC11.

When I tried, I tried to ftp to my SLES box with chroot_local_user=YES uncommented (I used the same configuration as you mentioned in your first post) from my Ubuntu machine, and I was able to get a listing of both lcd and pwd.

As you said, a router is there. I would like to know if the router is between these machines or both of them are on one side of it. Another thing: if the router is in between, are both port 20 and 21 open on it? I guess yes, because earlier you were able to get the listing.

Could you please let me know the step by step procedure that you are following and I will see if I can help you with that.
 
Old 09-12-2011, 07:47 PM   #8
mickaleen
Hi T3RM1NVT0R,

Both machines sit behind the router. On the other side is the internet. (The router is one of these multi-function things including a broadband router.)

When you say:
Quote:
Alright Mike. As I understand it, you are trying to ftp to your FC11 box from your Windows box, which is running cygwin. Using cygwin you are trying to FTP to FC11.
you are right.

Step by step it looks like:
Quote:
$ ftp 192.168.1.100
Connected to 192.168.1.100.
220 (vsFTPd 2.1.2)
Name (192.168.1.100:User): mike
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd
Local directory now /home/User
ftp> pwd
257 "/"
ftp> cd /home
550 Failed to change directory.
ftp> cd /var
550 Failed to change directory.
ftp> cd /bin
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> quit
This is what the file system looks like:
Quote:
[root@desktop vsftpd]# ls -l /
total 122
drwxr-xr-x. 2 root root 4096 2010-08-24 03:31 bin
drwxr-xr-x. 5 root root 1024 2010-02-20 03:26 boot
drwxr-xr-x. 19 root root 5020 2011-09-13 01:18 dev
drwxr-xr-x. 133 root root 12288 2011-09-13 01:18 etc
drwxr-xr-x. 6 root root 4096 2011-06-20 23:25 home
drwxr-xr-x. 18 root root 12288 2010-08-26 03:12 lib
drwx------. 2 root root 16384 2009-06-14 03:48 lost+found
drwxr-xr-x. 4 root root 4096 2011-09-06 18:05 media
drwxr-xr-x. 2 root root 4096 2009-03-04 13:13 mnt
drwxr-xr-x. 7 root root 4096 2011-01-16 08:14 opt
dr-xr-xr-x. 131 root root 0 2011-09-13 01:17 proc
drwxr-x---. 81 root root 12288 2011-09-13 01:22 root
drwxr-xr-x. 2 root root 12288 2010-08-26 03:12 sbin
drwxr-xr-x. 7 root root 0 2011-09-13 01:17 selinux
drwxr-xr-x. 2 root root 4096 2009-03-04 13:13 srv
drwxr-xr-x. 12 root root 0 2011-09-13 01:17 sys
drwxrwxrwt. 21 root root 20480 2011-09-13 01:18 tmp
drwxr-xr-x. 13 root root 4096 2009-06-14 03:57 usr
drwxr-xr-x. 22 root root 4096 2011-09-06 22:07 var
drwxr-xr-x. 2 root root 4096 2011-07-21 16:08 X
[root@desktop vsftpd]# ls -l /home
<snip>
drwxr-xr-x. 137 mike mike 32768 2011-09-12 18:10 mike
[root@desktop vsftpd]# ls -l /var
total 80
<snip>
drwxr-xr-x. 3 root root 4096 2011-09-06 22:07 ftp
<snip>
[root@desktop vsftpd]# ls -l /var/ftp
total 4
drwxr-xr-x. 2 root root 4096 2011-09-09 18:07 pub
[root@desktop vsftpd]# ls -l /var/ftp/pub
total 4
-rw-r--r--. 1 root root 15 2011-09-09 18:07 test.txt
-rw-r--r--. 1 root root 0 2011-09-09 18:07 test.txt~
If I uncomment 'chroot_local_user=YES' step by step it looks like:
Quote:
$ ftp 192.168.1.100
Connected to 192.168.1.100.
220 (vsFTPd 2.1.2)
Name (192.168.1.100:User): mike
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd
Local directory now /home/User
ftp> pwd
257 "/home/mike"
ftp> cd /var
250 Directory successfully changed.
ftp> cd ftp
250 Directory successfully changed.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 15 Sep 09 17:07 test.txt
-rw-r--r-- 1 0 0 0 Sep 09 17:07 test.txt~
226 Directory send OK.
ftp> get test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (15 bytes).
226 File send OK.
15 bytes received in 0 seconds (15 bytes/s)
ftp> cd /home
250 Directory successfully changed.
ftp> cd mike
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> quit
221 Goodbye.
Hope this helps.

Thanks.

Cheers, Mike
 
Old 09-13-2011, 08:07 AM   #9
mickaleen
Hi T3RM1NVT0R,

FWIW here are my iptables and ip6tables.

iptables:
Quote:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
ip6tables:
Quote:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m ipv6header --header ah -j ACCEPT
-A INPUT -m ipv6header --header esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
Both are running. I don't have an ipv6 network set up.

Hope that helps.

Thanks.

Cheers, Mike
 
Old 09-13-2011, 01:48 PM   #10
T3RM1NVT0R

Hi Mike,

Yeah, that explains things. Following are the suggestions:

1. Open up port tcp port 20 in your iptables.
2. Type the following and then give ftp a try: modprobe ip_conntrack_ftp

Could you please paste the output of following commands:

1. sestatus
2. getsebool -a | grep ftp
 
Old 09-13-2011, 02:56 PM   #11
mickaleen
Hi T3RM1NVT0R,

Before I saw your last post I reinstalled vsftpd and installed system-config-vsftpd. (I didn't know there was one. My apologies.) I believe all I changed in system-config-vsftpd was to enable local users and disable anonymous users. The diff between the old and new vsftpd.conf is here:
Quote:
# diff ~mike/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf
15d14
< #*local_enable=YES
96,98c95
< #chroot_local_user=YES
< chroot_list_enable=NO
< # chroot_list_enable=NO
---
> #chroot_list_enable=YES
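Review bot: this hunk turns chroot off entirely rather than narrowing it. The old file still carried chroot_local_user (commented out) and chroot_list_enable=NO; the new one keeps only `#chroot_list_enable=YES` in this region, so with local_enable=YES every local user's session now starts at the real filesystem root (the earlier session with chroot commented out reported `257 "/"` for pwd). If the jail is dropped only while troubleshooting, say so in a comment next to the line, and restore chroot_local_user=YES (with chroot_list_enable and chroot_list_file naming any exceptions) before the service is reachable from beyond the LAN.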
100,101c97
< chroot_list_file=/etc/vsftpd/chroot_list
< # chroot_list_file=/etc/vsftpd/chroot_list
---
> #chroot_list_file=/etc/vsftpd/chroot_list
122,125c118
< #
< # 070911
< log_ftp_protocol=YES
< #anon_root=/var/ftp/pub
\ No newline at end of file
---
> pasv_max_port=1024
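Review bot: dropping log_ftp_protocol=YES here removes the request/response logging that produced the `FTP response: Client "192.168.1.101", "226 Transfer done (but failed to open directory)."` line quoted in the first post, which is the only server-side evidence of the failure so far; keep it enabled until the cause is known. The added pasv_max_port=1024 also arrives without a pasv_min_port, so the passive port range the server will offer is not actually stated; if passive mode is intended, set both bounds explicitly and allow that range in iptables alongside port 21.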
Also here are the two pastes you requested:
Quote:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Quote:
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
Should I still add port 20 to iptables and do the modprobe?

Thanks very much for your help.

Cheers, Mike
 
Old 09-13-2011, 03:06 PM   #12
T3RM1NVT0R

Hi Mike

Here is the abstract from your first vsftpd.conf, and I can see that anonymous logins were disabled and local user logins were enabled. So which change are you talking about?

Quote:
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
#*local_enable=YES
local_enable=YES
Yes, you should allow port 20 in iptables. Before you do modprobe ip_conntrack_ftp I would suggest you make the following change in the SELinux rule and give it a try.

Code:
 setsebool -P ftp_home_dir=on
Check the selinux settings for FTP once again and make sure it says ftp_home_dir=on. You can check using getsebool -a | grep ftp.

Remember setsebool -P takes a bit of time, so please be patient and don't try to stop it using ctrl+z.
 
Old 09-13-2011, 04:00 PM   #13
mickaleen
Hi T3RM1NVT0R,

I used system-config-firewall to open port 20 (since I was getting paranoid). It appeared to add only the line:
Quote:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
to iptables. This seemed to allow everything to work except for ls, get or mget within a directory under /home although I could cd all I liked.

I then did the setsebool command you suggested and checked that ftp_home_dir was on and it worked! Thanks very much for your help!

I will try the chroot jail stuff later.

Cheers, Mike
 
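The three things this thread ended up hinging on (post #10's tcp/20 and ip_conntrack_ftp suggestions, post #12's setsebool -P ftp_home_dir=on, and the directory permissions the OP kept re-checking) gathered into one POSIX sh checker. This is an added example, not a script from the thread or from the vsftpd project; the function names and the sample tool outputs used to test it are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the three things this thread
# hinged on when a local vsftpd user can cd into /home/<user> but every LIST or
# RETR there ends in "226 Transfer done (but failed to open directory)":
#   1. the SELinux boolean ftp_home_dir is on (post #12's fix),
#   2. iptables accepts tcp/20, or the FTP conntrack helper is loaded so data
#      connections match the ESTABLISHED,RELATED rule (post #10's suggestions),
#   3. the home directory is at least r-x for its owner (drwxr-xr-x).
# Each check reads tool output passed as text, so it runs on captured or
# constructed output without the tools installed. Function names are my own.
# 0 if `getsebool -a` output (arg 1) contains "ftp_home_dir --> on".
selinux_ftp_home_ok() {
    printf '%s\n' "$1" | grep -Eq '^ftp_home_dir[[:space:]]+-->[[:space:]]+on$'
}
# 0 if `iptables-save` output (arg 1) has an INPUT rule accepting tcp/20.
firewall_port20_ok() {
    printf '%s\n' "$1" | grep -Eq -e '^-A INPUT .*-p tcp .*--dport 20 -j ACCEPT$'
}
# 0 if `lsmod` output (arg 1) lists ip_conntrack_ftp (older kernels such as
# FC11's) or nf_conntrack_ftp (current kernels).
conntrack_ftp_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip_conntrack_ftp|nf_conntrack_ftp)[[:space:]]'
}
# 0 if an `ls -ld` line (arg 1) shows a directory with owner read+search bits.
home_dir_readable() {
    case "$1" in
        dr?x*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Run every check on the supplied texts (getsebool, iptables-save, lsmod,
# ls -ld line); print one verdict per check and return the number of failures.
diagnose() {
    fails=0
    if selinux_ftp_home_ok "$1"; then echo "ok   SELinux ftp_home_dir is on"
    else
        echo "FAIL ftp_home_dir is off: setsebool -P ftp_home_dir=on (slow, let it finish)"
        fails=$((fails + 1))
    fi
    if firewall_port20_ok "$2" || conntrack_ftp_loaded "$3"; then
        echo "ok   data connections allowed (tcp/20 rule or conntrack FTP helper)"
    else
        echo "FAIL no tcp/20 ACCEPT rule and no ip_conntrack_ftp/nf_conntrack_ftp"
        fails=$((fails + 1))
    fi
    if home_dir_readable "$4"; then echo "ok   home directory is owner r-x"
    else
        echo "FAIL home directory lacks owner r-x: ${4:-<no ls -ld output>}"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Gather live output for a user (default: the caller) and run the checks;
# iptables-save needs root, so run with sudo for a full picture.
diagnose_live() {
    user=${1:-$(id -un)}
    home=$(getent passwd "$user" | cut -d: -f6)
    diagnose "$(getsebool -a 2>/dev/null)" "$(iptables-save 2>/dev/null)" \
             "$(lsmod 2>/dev/null)" "$(ls -ld "$home" 2>/dev/null)"
}
# Usage: sh vsftpd_home_check.sh --live [user]
if [ "${1:-}" = "--live" ]; then diagnose_live "${2:-}"; fi
```

A non-zero exit status is the number of failed checks, so the script can gate a deployment step as well as be read by eye.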
Old 09-13-2011, 04:11 PM   #14
T3RM1NVT0R

Hi Mike,

Great!!! Glad to hear that it worked. Enjoy Linux.
 