Old 12-26-2015, 04:27 PM   #1
tripialos
FTP file permissions behaviour


I am facing a weird behaviour on my FTP setup, and I don't know if it is normal.

I have set up an FTP server on a CentOS 6 machine using vsftpd. This service is just a demo for me to test various "stuff".

My setup allows anonymous connections to the FTP server with upload and download rights. The folder I am sharing is
Code:
/var/ftp/ftpshares
I changed the group of the folder to
Code:
ftp group
and gave permission of 775:

Code:
ll -la
total 16
drwxr-xr-x.  4 root root 4096 Dec 22 06:35 .
drwxr-xr-x. 24 root root 4096 Nov 29 14:18 ..
drwxr-xr-x.  2 root ftp  4096 Dec 22 06:42 ftpshares
drwxr-xr-x.  2 root root 4096 Mar  6  2015 pub
With the above permissions, when I log in to FTP as anonymous I can
a) view the contents of the directory
b) cannot upload (write)


Now when I change the ftpshares folder to 775 I can also upload files as anonymous:
Code:
#ls -la
total 16
drwxr-xr-x.  4 root root 4096 Dec 22 06:35 .
drwxr-xr-x. 24 root root 4096 Nov 29 14:18 ..
drwxrwxr-x.  2 root ftp  4096 Dec 22 06:44 ftpshares
drwxr-xr-x.  2 root root 4096 Mar  6  2015 pub
I believe this is normal since I am giving "write" permissions to the group (ftp) of the folder. I assume that these permissions only reflect the group permissions of the folder, which is the group ftp.

Now where it gets weird (at least for me) is that when I remove the "others" read permission from the folder, then when I log in to the FTP server as anonymous I cannot view/list the files within the folder. Permissions are set as below:

Code:
[root@server ftp]# ls -la
total 16
drwxr-xr-x.  4 root root 4096 Dec 22 06:35 .
drwxr-xr-x. 24 root root 4096 Nov 29 14:18 ..
drwxrwxr-x.  2 root ftp  4096 Dec 22 06:44 ftpshares
drwxr-xr-x.  2 root root 4096 Mar  6  2015 pub
[root@server ftp]# chmod -R 771 ftpshares/
[root@server ftp]# ls -la
total 16
drwxr-xr-x.  4 root root 4096 Dec 22 06:35 .
drwxr-xr-x. 24 root root 4096 Nov 29 14:18 ..
drwxrwx--x.  2 root ftp  4096 Dec 22 06:44 ftpshares
drwxr-xr-x.  2 root root 4096 Mar  6  2015 pub
[root@rhce-server ftp]#
With the above permissions I can write/upload files but I CANNOT view the contents of the folder.

Why is this happening? Why does the anonymous user lose the right to ls/read the contents of the FTP directory if read permission is removed from the "others" restriction?

As far as I know, anonymous users are "bound" to the ftp user within the system, hence when an anonymous user logs in to the server the permissions would be those of the "group" permissions assigned to the folder.

I don't understand how both "group" and "other" permissions affect the behaviour of the FTP folder to be shared.

Has anyone come across this?

Last edited by tripialos; 12-26-2015 at 04:32 PM. Reason: grammar
 
Old 12-27-2015, 09:48 AM   #2
jpollard
Check your SELinux permissions. By default (I don't use ftp...) the defined permissions are:

Code:
$ getsebool -a | grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
Unless sftpd_anon_write is allowed the ftp server is prevented from writing.

Anonymous FTP is known to be a security problem, thus the added constraints on the server (reference the manpage on sftpd_selinux).

As for the inability of the anonymous user to read directories: I believe it is because the anonymous user is the user "nobody", and without world read access that user cannot read the directory.

Last edited by jpollard; 12-27-2015 at 10:00 AM.
 
Old 12-28-2015, 03:57 AM   #3
tripialos
I have enabled all SELinux settings in order for anonymous users to have write access on the FTP share. I think the anonymous user uses the ftp user because the folder group ownership is set to ftp. When I remove the write permissions on the particular folder from the group (ftp), then I cannot upload as anonymous. When I give write permissions (g+w), then anonymous can upload, hence I concluded that anonymous users are assigned as the "ftp" user. Also, files uploaded by the anonymous user have ftp:ftp.

If indeed this is the case, and the folder permissions affecting FTP services are those of the "group" (assuming the folder is owned by group ftp), why does the "world" read permission also affect the ftp user...
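
The two readings in this thread (the anonymous session runs as ftp in group ftp, or as an unrelated user such as nobody) give different results under the kernel's owner/group/other check. The sketch below is an added example, not code from any poster: it evaluates the thread's modes 755, 775 and 771 on a directory owned root:ftp for both users. The function name `dir_rights` and the group memberships passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: models only the classic owner/group/other check on a directory.
# Not modelled: root's override, ACLs, SELinux, and the FTP server's own policy.

# dir_rights MODE OWNER GROUP USER "GROUPS OF USER"
# Prints: class=<owner|group|other> list=<yes|no> create=<yes|no> enter=<yes|no>
dir_rights() {
    mode=$((0$1)); owner="$2"; group="$3"; user="$4"; member_of="$5"
    class=other; pos=0

    # Exactly one class applies, chosen in this order. The bits of the other
    # classes are never consulted, even when they would grant more.
    if [ "$user" = "$owner" ]; then
        class=owner; pos=6
    else
        for g in $member_of; do
            if [ "$g" = "$group" ]; then class=group; pos=3; break; fi
        done
    fi

    bits=$(( (mode >> pos) & 7 ))
    list=no; create=no; enter=no
    # On a directory: r = read the list of names, x = look up or enter entries,
    # w together with x = create, rename or delete entries.
    if [ $(( bits & 4 )) -ne 0 ]; then list=yes; fi
    if [ $(( bits & 1 )) -ne 0 ]; then enter=yes; fi
    if [ $(( bits & 2 )) -ne 0 ] && [ $(( bits & 1 )) -ne 0 ]; then create=yes; fi
    echo "class=$class list=$list create=$create enter=$enter"
}

# Constructed inputs: the thread's three modes on a root:ftp directory, for a
# user "ftp" in group "ftp" and a user "nobody" in group "nobody" (assumed).
for m in 755 775 771; do
    for u in ftp nobody; do
        echo "mode=$m user=$u $(dir_rights "$m" root ftp "$u" "$u")"
    done
done
```

Under this check alone, a process in group ftp keeps list and create rights at 771, while one outside the group can do neither. If a session can upload but not list at 771, the listing is being refused by a layer above the file mode bits, such as SELinux policy or vsftpd's own restrictions on anonymous users (for example its `anon_world_readable_only` option).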
 
  

