I'm having great difficulty changing the anon_root directory for my newly installed ftp box. I cannot change the directory to /ftp/pub. I can change the directory to a /usr/ftp/ or /var/ftp/test/ folder without a problem.

I have tried the chmod 755 /ftp/pub and chown root.root /ftp/pub/ commands with no success.

What am I missing here? I don't understand a whole lot about permissions but this definitely feels like a permissions problem.

I have exhausted all other resources. Any help is greatly appreciated.

Hi,

You didn't mention your distro, nor how you installed vsftpd, but anyway make sure your config meets the following:
The anon_root has to be no writable and must be owned by the anonymous user (depending on distro this username is usually ftp). So try:
If you want to use /ftp as anon_root and /ftp/pub as an anonymous upload directory, change to 555 /ftp and to 755 /ft/pub

Regards

Hey thanks for the reply. I'm running fedora 15 64bit. To be honest I can't remember how I installed VSFTPD anymore. I think originally I installed the package during install but then I removed it and did yum install vsftpd or something like that to reinstall it just to make sure that it wasnt a bad package that was causing the problem. The vsftpd.config page is set to its default values with the exception of this: anon_root=/ftp/pub/ which I added to change the anonymous root dir.


Anyway, I tried your suggestions and still I get the "500 OOPS: cannot change directory:/ftp/pub/" error message when trying to access it from filezilla.

Hi,

Since it's fedora, then I guess the problem is related to SELinux. Have a look here to see what you need to do.

Regards

You are a genius thank you.

All I was missing was:

That link in priceless btw, I wish I would have had that days ago! Thanks.

i use code:chmod 777 /ftp/pub so no question.

you can try it.

Well now that I have successfully configured the FTP server to work, I have an entirely different set of problems.

I created an FTP server with the following criteria in mind:

1) allow anonymous ftp access so that I can share certain files all of the time without the need of creating a username/password. The anon user should be rooted to prevent unauthorized access to other files and directories. DONE

2) allow real users to access the FTP server and have access to whatever files and directories that he/she normally has access to. DONE

3) allow virtual users to access the FTP so that I can share certain files with certain people and restrict them to just those files. The virtual users should be rooted to prevent unauthorized access to other files and directories. DONE

4) the FTP server should be easily accessible (webbrowsers, ftpclients, etc.). PENDING

5) the FTP server should be secure. PENDING

------------------------------------------------------------

So now I'm stuck. If I allow real users access to the ftp server I'm compromising the security of the server because without SSL turned on I'm practically sending the passwords across the internet in clear-text. If I turn on SSL for all real users then accessing the ftp site from webbrowsers (without installing additional add-ons, plug-ins, etc.) is not possible.

It seems to me (unless I'm missing something) that I only have two choices here:

a) focus on accessibility

b) focus on security

I can either remove SSL and prevent real users from logging on or I can retain SSL and forget about logging on from web-browsers. Im hoping someone here can help me see something I have missed.

Allow me to re-frame your dilemma just a bit: Basically, if you allow non-secure clients to access FTP, you can't enforce security. This is one of those things that really isn't a server/software problem, but rather a policy problem, and the answer is really going to depend on how much of tradeoff you want to make between security and convenience. Yes, if you allow non-secure clients, then you are transmitting usernames and passwords in the clear. If you can't live with this, then the only alternative is to have your users use clients that can handle SSL. You haven't missed anything, this is one of those cases where there isn't a middle ground.


You've put 777 permissions on an internet-facing anonymous accessible directory? Are you serious? I honestly can't think of a single worse idea than this.

1 members found this post helpful.

Hi,
I'm sorry I don't have any solution to your issues, but just a thought: how about running 2 instances of FTP server on different ports for Anon and local users, so then you can configure it differently to suit the needs.
My apology again for no solution submitted.

Hangdog: I was afraid that this was going to be the case. I'm going to have to think about this one for a little bit before I can make a decision. Do I really need real users to log on to the FTP? Does it really matter whether I log onto the FTP via an FTP client or a webbrowser? Once I've answered these questions I will be able to make my decision.

lithos: Thats actually pretty ingenius. Thanks I'm going to consider it.

Just something to think about....

The dual server solution may seem appealing, but it doesn't get around the security issue. No matter how you configure it, if a client can't deal with SSL, then usernames and passwords are going to be sent out as clear text.

The only thing I can think of to address the security angle would be to add a layer. Something like forcing the FTP users onto a secure channel like a VPN before allowing them FTP access.

Hey Hangdog cant I simply force SSL login on one the ftp server's .conf files? I know vsftpd has the ability to do so.

I can confirm you that and it's working - Configuring_vsftpd_for_secure_connections_%28TLS/SSL/SFTP%29 and configure-vsfptd-secure-connections-via-ssl-tls

Maybe I'm misunderstanding what you're after. From what you've posted, I'm assuming that you don't want to mess around with making the FTP clients SSL capable for your real users. Yeah, you certainly can force SSL from the server side, but if the client can't handle SSL, the user won't be able to log in. And if you don't force SSL on your real users, then they will be sending usernames and passwords in the clear. Am I missing something in what you're after?

However, if you're happy with forcing real users onto SSL and keeping anonymous users in the clear, then a 2 server solution is a good one.

@lithos - I don't think anyone is arguing that vsftd can't operate with SSL. The problem (at least as I understand it) is that some/many of the wzards real users would want access using FTP clients that aren't SSL capable.

I'm sorry for misunderstanding, I was just trying to point to how-to example of configuring for FTP with ssl, I just overlooked the clients maybe don't want it.