LinuxQuestions.org
Old 02-09-2015, 03:11 PM   #1
YortheHunter
LQ Newbie
 
Registered: Aug 2012
Location: Somewhere in the great state of NC, USA
Distribution: Anything with Penguins, Devils, or Geckos
Posts: 9

Rep: Reputation: Disabled
VSFTPD - Cannot download files when directory listing is disabled


I am trying to set up a 'blind' server to use for customers downloading beta level code or fixes from our support team. I have configured the server with multiple options, but as long as I leave the ability to list the directories, everything works fine. As soon as I disable the directory listing, uploads still function with no issue, but downloads cease to function. This is the error message I get when I try to download files with command line ftp when the server is blind:
Code:
ftp> mget CentOS-Media.repo
Permission denied.
Server side (vsftpd.log):
Code:
Mon Feb  9 10:47:22 2015 [pid 12426] [lenovodown] FTP response: Client "172.21.40.34", "331 Please specify the password."
Mon Feb  9 10:47:26 2015 [pid 12426] [lenovodown] FTP command: Client "172.21.40.34", "PASS <password>"
Mon Feb  9 10:47:26 2015 [pid 12425] [lenovodown] OK LOGIN: Client "172.21.40.34"
Mon Feb  9 10:47:26 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "230 Login successful."
Mon Feb  9 10:47:26 2015 [pid 12427] [lenovodown] FTP command: Client "172.21.40.34", "SYST"
Mon Feb  9 10:47:26 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "215 UNIX Type: L8"
Mon Feb  9 10:47:28 2015 [pid 12427] [lenovodown] FTP command: Client "172.21.40.34", "TYPE I"
Mon Feb  9 10:47:28 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "200 Switching to Binary mode."
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP command: Client "172.21.40.34", "TYPE A"
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "200 Switching to ASCII mode."
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP command: Client "172.21.40.34", "PASV"
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "227 Entering Passive Mode (172,21,40,34,40,85)."
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP command: Client "172.21.40.34", "NLST CentOS-Media.repo"
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "550 Permission denied."
Mon Feb  9 10:52:31 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "421 Timeout."
and xferlog has no messages pertaining to the downloads

I'm currently working on a test server while I hammer out the config file syntax, so I apologize for everything being thrown together.
vsftpd.conf :
Code:
download_enable=YES
write_enable=YES
chroot_local_user=YES
connect_from_port_20=YES
pasv_enable=YES
pasv_max_port=10330
pasv_min_port=10320
port_enable=YES
xferlog_enable=YES
dual_log_enable=YES
xferlog_file=/var/log/xferlog
log_ftp_protocol=YES
ftpd_banner=Unauthorized access is prohibited
listen=YES
pam_service_name=vsftpd
local_enable=YES
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
dirlist_enable=NO
Does anyone know if this is a design choice/limitation of vsftpd? (Also as a side note, does anyone know what character to use for carriage returns in the vsftpd login message?)


Currently I am running :
vsftpd: version 2.2.2
vsftpd-2.2.2-11.el6_4.1.x86_64

This is the CentOS 6 Update 5 pre-packaged version. Does anyone know if this is fixed in a newer release?

Last edited by YortheHunter; 02-10-2015 at 07:15 AM. Reason: forgot to add vsftpd version
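
Added example (not part of the original thread): a small Python parser for `log_ftp_protocol` lines like those posted above. It pairs each command with its response and reports which command the server refused. On the posted excerpt it shows that the 550 was the reply to `NLST`, a directory-listing command, and that no `RETR` appears in the excerpt. Function and variable names are illustrative; the sample lines are copied from the post's log.

```python
import re

# Matches vsftpd protocol-log lines written when log_ftp_protocol=YES.
LINE_RE = re.compile(
    r'\[pid (?P<pid>\d+)\] \[(?P<user>[^\]]*)\] '
    r'FTP (?P<kind>command|response): Client "[^"]+", "(?P<text>.*)"\s*$'
)
LISTING_VERBS = {"LIST", "NLST"}

# Excerpt copied from the vsftpd.log lines in the post above.
SAMPLE_LOG = '''
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP command: Client "172.21.40.34", "PASV"
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "227 Entering Passive Mode (172,21,40,34,40,85)."
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP command: Client "172.21.40.34", "NLST CentOS-Media.repo"
Mon Feb  9 10:47:31 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "550 Permission denied."
Mon Feb  9 10:52:31 2015 [pid 12427] [lenovodown] FTP response: Client "172.21.40.34", "421 Timeout."
'''

def pair_commands(log_text):
    """Return (verb, argument, reply_code) for each command/response pair per pid."""
    pending, pairs = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, text = m["pid"], m["text"]
        if m["kind"] == "command":
            verb, _, arg = text.partition(" ")
            pending[pid] = (verb.upper(), arg)
        elif pid in pending and text[:3].isdigit():
            verb, arg = pending.pop(pid)
            pairs.append((verb, arg, int(text[:3])))
        # Responses with no pending command (greeting, idle timeout) are skipped.
    return pairs

def diagnose(log_text):
    """Summarise which commands were refused and whether a download was attempted."""
    pairs = pair_commands(log_text)
    denied = [(verb, arg) for verb, arg, code in pairs if code >= 500]
    return {
        "denied": denied,
        "listing_denied": any(verb in LISTING_VERBS for verb, _ in denied),
        "retr_attempted": any(verb == "RETR" for verb, _, _ in pairs),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```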
 
Old 02-09-2015, 03:13 PM   #2
YortheHunter
LQ Newbie
 
Registered: Aug 2012
Location: Somewhere in the great state of NC, USA
Distribution: Anything with Penguins, Devils, or Geckos
Posts: 9

Original Poster
Rep: Reputation: Disabled
Apologies for the <code> tags

Sorry about the <code> tags, I thought this forum allowed them to be used for formatting purposes, and I was trying to keep the logs and config file easily separated
 
Old 02-09-2015, 07:07 PM   #3
Keith Hedger
Senior Member
 
Registered: Jun 2010
Location: Wiltshire, UK
Distribution: Void, Linux From Scratch, Slackware64
Posts: 3,150

Rep: Reputation: 856
Same syntax but use '[' and ']' instead of '<' and '>'. You can edit a post if you need to change something.
 
Old 02-10-2015, 06:57 AM   #4
YortheHunter
LQ Newbie
 
Registered: Aug 2012
Location: Somewhere in the great state of NC, USA
Distribution: Anything with Penguins, Devils, or Geckos
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by YortheHunter
Sorry about the <code> tags, I thought this forum allowed them to be used for formatting purposes, and I was trying to keep the logs and config file easily separated
**Fixed the code tags, thanks Keith**
 
Old 02-10-2015, 07:08 AM   #5
Keith Hedger
Senior Member
 
Registered: Jun 2010
Location: Wiltshire, UK
Distribution: Void, Linux From Scratch, Slackware64
Posts: 3,150

Rep: Reputation: 856
You're welcome, sorry I can't help with your real problem.
 
Old 02-10-2015, 07:59 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
...does anyone know what character to use for carriage returns in the vsftpd login message?)
You can create a file with a login message and use the following option:
Code:
banner_file=/path/to/login-message.txt
Regarding your main problem, using "dirlist_enable=NO" doesn't block file downloading
 
Old 02-12-2015, 03:53 PM   #7
YortheHunter
LQ Newbie
 
Registered: Aug 2012
Location: Somewhere in the great state of NC, USA
Distribution: Anything with Penguins, Devils, or Geckos
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by bathory
Regarding your main problem, using "dirlist_enable=NO" doesn't block file downloading
Thanks for the reply bathory, but if it doesn't block file downloads, then why am I able to download the files when I have directory listing enabled, but by changing nothing other than the dirlist option in my vsftpd.conf, my download ability is broken? From the logs it seemed that the file downloads could not execute without the NLST option being allowed (which I am guessing is what that option toggles), and when I use the cmds_allowed option, deny LIST (by not listing it), and allow NLST explicitly, it seems to work? Would this be a permissions issue somewhere?
I have a 'blind' upload directory with 300 permissions, and a 'blind' download directory with 500 permissions. I have played with changing these, but have not been able to curb the results other than the users being able to login to the ftp server or not since I have the users chrooted to those dirs.

Can you provide a little bit more explanation on your statement? (Where are you getting this information, what does that option do, and/or any other relevant details you feel like sharing)
=]
 
Old 02-13-2015, 02:15 AM   #8
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
From the logs it seemed that the file downloads could not execute without the NLST option being allowed (which I am guessing is what that option toggles), and when I use the cmds_allowed option, deny LIST (by not listing it), and allow NLST explicitly, it seems to work? Would this be a permissions issue somewhere?
I guess it's your client, or you're doing something wrong. I see that you have a 5min gap before the connection times out. So the server waits for your input. Maybe you need to start a manual transfer from your client.
Quote:
Can you provide a little bit more explanation on your statement? (Where are you getting this information, what does that option do, and/or any other relevant details you feel like sharing)
I've tested this setup both from the CLI and with FileZilla (that uses LIST and not NLST) and it works as expected. Also I've searched a bit and didn't find anyone else having this problem.
 