I'm trying to configure vsftpd. I'm trying to access my home directory /home/mike on an FC11 box running version 2.1.2. I can get a directory listing and transfer a file from /var/ftp/pub/ but not /home/mike. The file permissions in both cases are drwxr-xr-x all the way down. The message I get from vsftpd.log is:
Quote:
Mon Sep 12 17:48:43 2011 [pid 6] [mike] FTP response: Client "192.168.1.101", "226 Transfer done (but failed to open directory)."
My vsftpd.conf file is:
Quote:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
#*local_enable=YES
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# chroot_list_enable=NO
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
# chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure that one of the listen options is commented out!
#listen_ipv6=YES
At the moment I am trying to run with no chroot jail, but eventually what I want to do is put mike in a chroot jail and have all other access blocked. At the moment /etc/vsftpd/chroot_list contains simply 'mike'.
Nope, that doesn't do it. If I comment it out I can't cd into /var or /home, etc., but I can cd into /bin; but then when I do ls I get the same 'Transfer done (but failed to open directory)' error.
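The chroot_list semantics described in the config comments above are easy to invert by accident, so here is an added example (not code from the thread or from vsftpd) that evaluates which users end up jailed for a given vsftpd.conf and chroot_list. The user "alice" is constructed to stand for any other local account; the two config fragments are taken from the posted file with chroot_local_user set and unset.

```python
# Added example (not from the thread): decides whether a local user lands in a
# vsftpd chroot jail under the chroot_local_user / chroot_list_enable rules
# quoted in the posted vsftpd.conf comments (see vsftpd.conf(5)).
from typing import Dict, Iterable


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return option=value pairs; any line starting with '#' is a comment,
    which is why '#*local_enable=YES' in the posted file has no effect."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return options


def is_chrooted(options: Dict[str, str], chroot_list: Iterable[str], user: str) -> bool:
    """chroot_local_user=YES jails everyone. With chroot_list_enable=YES the
    list is the set of users TO jail, or the set to EXEMPT when
    chroot_local_user=YES. Both options default to NO (vsftpd.conf(5))."""
    jail_all = options.get("chroot_local_user", "NO").upper() == "YES"
    use_list = options.get("chroot_list_enable", "NO").upper() == "YES"
    if not use_list:
        return jail_all
    listed = user in set(chroot_list)
    return (not listed) if jail_all else listed


# Constructed from the thread: the chroot lines of Mike's config, first as
# posted and then with chroot_local_user commented out, plus his chroot_list.
CONF_JAIL_ALL = "chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=/etc/vsftpd/chroot_list\n"
CONF_LIST_ONLY = "# chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=/etc/vsftpd/chroot_list\n"
CHROOT_LIST = ["mike"]


def report(conf_text: str, users=("mike", "alice")) -> Dict[str, bool]:
    """Map each user to True if jailed ('alice' is a constructed second user)."""
    opts = parse_vsftpd_conf(conf_text)
    return {u: is_chrooted(opts, CHROOT_LIST, u) for u in users}


if __name__ == "__main__":
    # chroot_local_user=YES turns chroot_list into an exemption list: mike is
    # NOT jailed (pwd reports /home/mike, /var/ftp/pub is reachable), others are.
    print(report(CONF_JAIL_ALL))   # {'mike': False, 'alice': True}
    # With it commented out the list is the jail list: mike IS jailed (pwd
    # reports "/"), and every other local user is not.
    print(report(CONF_LIST_ONLY))  # {'mike': True, 'alice': False}
```

The two results match the `pwd` output in the two transcripts later in the thread, so the listing that only mike should be jailed needs chroot_local_user left at NO.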
Well, I tried it on my server and it works fine. Here is my vsftpd.conf file. I have used the same configuration as you are using. How are you trying to download/upload the file?
Did you check your local directory (lcd) and present working directory (pwd) before using mget or mput?
Your lcd should be /home/mike and pwd should be /var/ftp/pub/ if you are trying to download from ftp.
lcd /home/mike
pwd /var/ftp/pub
and then execute mget or mput
Last edited by T3RM1NVT0R; 09-12-2011 at 05:36 PM.
I'm not sure we're talking about the same thing. For testing purposes what I am doing is using the ftp command in cygwin on a Windows XP Pro box behind my router (thus the 192.168.1.x IP addresses) which has an IP address of 192.168.1.101. I'm trying to ftp into my FC11 box which has an IP address of 192.168.1.100. With 'chroot_local_user=YES' uncommented lcd gives me /home/User which is correct for cygwin (and Windows) and pwd gives me /home/mike which is correct for the FC11 box. (I get equivalent behaviour using Windows Filezilla Client directly from Windows.) With it commented lcd still gives /home/User and pwd gives / and I can't cd into /var or /home but can into /bin but can't get a listing as before.
Alright Mike. As I understand it, you are trying to ftp to your FC11 box from your Windows box, which is running cygwin. Using cygwin you are trying to FTP to FC11.
When I tried, I ftp'd to my sles box with chroot_local_user=YES uncommented (I used the same configuration as you mentioned in your first post) from my Ubuntu machine and I was able to get a listing of both lcd and pwd.
As you said, there is a router. I would like to know if the router is between these machines or both of them are on one side of it. Another thing: if the router is in between, are both port 20 and 21 open on the router? I guess yes, because earlier you were able to get the listing.
Could you please let me know the step-by-step procedure that you are following and I will see if I can help you with that.
Both machines sit behind the router. On the other side is the internet. (The router is one of these multi-function things including a broadband router.)
When you say:
Quote:
Alright Mike. As I can understand you are trying to ftp your FC11 box from your Windows box which is running cygwin. Using cygwin you are trying to FTP FC11.
you are right.
Step by step it looks like:
Quote:
$ ftp 192.168.1.100
Connected to 192.168.1.100.
220 (vsFTPd 2.1.2)
Name (192.168.1.100:User): mike
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd
Local directory now /home/User
ftp> pwd
257 "/"
ftp> cd /home
550 Failed to change directory.
ftp> cd /var
550 Failed to change directory.
ftp> cd /bin
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> quit
If I uncomment 'chroot_local_user=YES' step by step it looks like:
Quote:
$ ftp 192.168.1.100
Connected to 192.168.1.100.
220 (vsFTPd 2.1.2)
Name (192.168.1.100:User): mike
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd
Local directory now /home/User
ftp> pwd
257 "/home/mike"
ftp> cd /var
250 Directory successfully changed.
ftp> cd ftp
250 Directory successfully changed.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 15 Sep 09 17:07 test.txt
-rw-r--r-- 1 0 0 0 Sep 09 17:07 test.txt~
226 Directory send OK.
ftp> get test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (15 bytes).
226 File send OK.
15 bytes received in 0 seconds (15 bytes/s)
ftp> cd /home
250 Directory successfully changed.
ftp> cd mike
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> quit
221 Goodbye.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
ip6tables:
Quote:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m ipv6header --header ah -j ACCEPT
-A INPUT -m ipv6header --header esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
Both are running. I don't have an ipv6 network set up.
Before I saw your last post I reinstalled vsftpd and installed system-config-vsftpd. (I didn't know there was one. My apologies.) I believe all I changed in system-config-vsftpd was to enable local users and disable anonymous users. The diff between the old and new vsftpd.conf's is here:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Quote:
# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
Should I still add port 20 to iptables and do the modprobe?
Here is the extract from your first vsftpd.conf, and I can see that anonymous logins were disabled and local user logins were enabled. So which change are you talking about?
Quote:
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
#*local_enable=YES
local_enable=YES
Yes, you should allow port 20 in iptables. Before you do modprobe ip_conntrack_ftp I would suggest you make the following change to the SELinux rule and give it a try.
Code:
setsebool -P ftp_home_dir=on
Check the SELinux settings for FTP once again and make sure it says ftp_home_dir --> on. You can check using getsebool -a | grep ftp.
Remember setsebool -P takes a bit of time, so please be patient and don't try to stop it using Ctrl+Z.
While it is good that Mike can now see his home dir, there is more to the story.
First, I want to thank both Mike for posing this question and T3RM1NVT0R for the various valuable advice. But I want to add to the story, both based on reading this transcript and my experience getting vsftpd to work.
This appears to be the important command provided to Mike, as it allows Mike to see his home directory:
setsebool -P ftp_home_dir=on
From my analysis, since he was able to see directories in /var, there was no problem with firewalls or iptables. The ftpd logic was denying access, based on its implementation using the selinux directives. Note that in addition to /var, other directories may also be visible, such as /etc.
The command from T3RM1NVT0R was helpful to me, as I had a different issue:
getsebool -a | grep ftp
This revealed that there was a setting for ftpd access, and it was off:
allow_ftpd_full_access --> off
This setting refers to access to the filesystem. When set to on, the user logged in via ftp is allowed to use the filesystem under Unix/Linux directory access permissions, as if the user was at a shell command prompt. My application requires the capability to pick up files dropped off by another user. The following command enabled the user to see files where Unix/Linux chown/chmod settings allow.
setsebool -P ftpd_full_access=on
A comment: vsftpd may be a fine server, but both the debug stream capabilities and the installed documentation are unsatisfactory. To our good fortune, this forum thread has the required info.
Peter
Last edited by peterk_linux; 08-28-2015 at 11:15 AM.
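The triage the thread arrives at (correct Unix permissions, a 226 "failed to open directory" response, an SELinux boolean off) can be written down, so here is an added example that is not code from the thread or from vsftpd. It takes the vsftpd.log line and the `getsebool -a | grep ftp` output posted above as constructed input; the boolean names are the ones shown in that output, and the assumption that /var/ftp carries the default public_content_t labelling (which is why /var/ftp/pub worked throughout) is mine.

```python
# Added example (not from the thread): triage for the vsftpd response
# "226 Transfer done (but failed to open directory)" when the directory's
# Unix permissions are already correct, using the SELinux booleans posted above.
import re
from typing import Dict, List

# Constructed sample input: the vsftpd.log line and getsebool output from the thread.
LOG_LINE = ('Mon Sep 12 17:48:43 2011 [pid 6] [mike] FTP response: Client "192.168.1.101", '
            '"226 Transfer done (but failed to open directory)."')
GETSEBOOL_OUTPUT = """\
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
ftp_home_dir --> off
"""
LOG_RE = re.compile(r'\[pid \d+\] \[(?P<user>[^\]]+)\] FTP response: Client "(?P<client>[^"]+)", '
                    r'"(?P<code>\d{3}) (?P<text>[^"]*)"')


def parse_getsebool(text: str) -> Dict[str, bool]:
    """Map each boolean name to True/False from 'name --> on|off' lines."""
    booleans = {}
    for line in text.splitlines():
        name, sep, state = line.partition(" --> ")
        if sep:
            booleans[name.strip()] = state.strip() == "on"
    return booleans


def failed_to_open(log_line: str) -> bool:
    """True for the 226 response that signals a listing the daemon could not open."""
    m = LOG_RE.search(log_line)
    return bool(m) and m.group("code") == "226" and "failed to open" in m.group("text")


def selinux_hints(path: str, booleans: Dict[str, bool]) -> List[str]:
    """setsebool commands needed for vsftpd to read `path` under the targeted
    policy, narrowest first: home dirs need only ftp_home_dir."""
    if path == "/var/ftp" or path.startswith("/var/ftp/"):
        return []  # assumed default public_content_t labelling: no boolean needed
    if path == "/home" or path.startswith("/home/"):
        return [] if booleans.get("ftp_home_dir") else ["setsebool -P ftp_home_dir=on"]
    # Anything else needs the broad boolean (whole filesystem, DAC permitting);
    # relabelling that one directory public_content_t is the narrower alternative.
    return [] if booleans.get("allow_ftpd_full_access") else ["setsebool -P allow_ftpd_full_access=on"]


def triage(log_line: str, path: str, getsebool_text: str) -> List[str]:
    """Suggested booleans if the log line is the failed-open response, else []."""
    if not failed_to_open(log_line):
        return []
    return selinux_hints(path, parse_getsebool(getsebool_text))


if __name__ == "__main__":
    print(triage(LOG_LINE, "/home/mike", GETSEBOOL_OUTPUT))  # ['setsebool -P ftp_home_dir=on']
```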