vsftpd Upload Problems

Submitted by mache
on February 23, 2006 - 9:20pm

I am struggling to get vsftpd to perform a documented feature and I am at my wits' end. I have scoured the Internet, read the FAQ, and believe that I have configured the vsftpd.conf file correctly but still do not have the correct functionality. I am running Fedora Core 4, with vsftpd-2.0.3-1.

I have set up vsftpd.conf for anonymous uploads to /var/ftp/pub/upload. The permissions on the upload directory are drwxrwx-wx. The permissions on /var/ftp/ and all other subdirectories below it, excluding /var/ftp/pub/upload, are drwxrwxr-x. In vsftpd.conf I have also set:

local_umask=0022
anon_umask=0007
file_open_mode=0777

Normal FTP download functions work fine and anonymous uploads work. I have two questions.

1. If I change the permissions on /var/ftp/pub/upload to drwxrwx-w-, uploads cease to function. The documentation shows that this should work, but it does not. Should it not work with drwxrwx-w- or do I have a problem?

2. On anonymous upload to /var/ftp/pub/upload, the uploaded file permissions come back as -rw------- with a group name of ftp. All efforts to change those permissions using anon_umask and file_open_mode have failed. I want the permissions on uploaded files to be rwxrwx--- with a group name of ftp-users. What can I do to make this work?

A copy of my full vsftpd.conf file is listed below. Any help would be greatly appreciated.

Best regards,

-- mache

------------------------------------------

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
#local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=0022
anon_umask=0007
file_open_mode=0777
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=YES
chown_username=mache
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=NO
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=digit FTP
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES

I don't see how a w permissio

Anonymous (not verified)
on
February 24, 2006 - 2:29am

I don't see how a w permission without x permission on a directory could be of any use ever. I mean the w permission allows you to remove, rename or create directory entries, but in order to do so you would have to specify a path for the files, and for that you would need the x permission. You cannot address the files you want to create/rename/delete without the x permission.

best regards
Steffen

Regarding "wx" vs. "w" permis

mache
on
February 24, 2006 - 10:29am

Regarding "wx" vs. "w" permissions, it could be a security issue. Someone could upload an executable file of their own creation. It may then be possible to execute it on the server within the upload directory.

- mache

Huh?

Anonymous (not verified)
on
February 24, 2006 - 11:31am

Huh?

no

strcmp
on
February 24, 2006 - 12:37pm

as the parent said, 'executing' a directory just means searching it or using it 'as a directory', i.e. putting a "/" behind its name to access its contents. whether an executable inside a directory can be executed is only controlled by its _own_ executable bit (i.e. by the umask the program which created it used to mask off dangerous bits), and by the mount options of the partitions. and of course you have to be able to find it: if you shut off the directory completely (by removing its "x" bit) you lose the ability to read, write, execute or do any other things with its contents, because they just 'don't exist'.

Re: Regarding "wx" vs. "w" permis

aZelel
on
February 25, 2006 - 11:48am

The execute bit on a directory means "search", not execute as in execve. Anything requiring a search such as open, unlink, stat, chdir will fail without the execute bit.
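
The search-bit behaviour described in the replies above can be checked directly. This is an added example, not part of any post: it probes a scratch directory as its owner, whereas the thread's case concerns the "other" permission class, but the r/w/x bits mean the same thing for whichever class applies. The function and file names are made up for the illustration.

```python
import errno
import os
import tempfile

def probe(dir_mode):
    """Try directory operations as the owner of a scratch dir set to dir_mode.

    Returns None under root, which bypasses these permission checks.
    """
    if os.geteuid() == 0:
        return None
    results = {}
    with tempfile.TemporaryDirectory() as top:
        d = os.path.join(top, "upload")
        os.mkdir(d)
        old, new = os.path.join(d, "old.txt"), os.path.join(d, "new.txt")
        open(old, "w").close()
        ops = {
            "list": lambda: os.listdir(d),     # needs r on the directory
            "stat": lambda: os.stat(old),      # needs x (search)
            "create": lambda: os.close(
                os.open(new, os.O_CREAT | os.O_WRONLY, 0o600)),  # needs w and x
            "unlink": lambda: os.unlink(old),  # needs w and x
        }
        os.chmod(d, dir_mode)
        try:
            for name, op in ops.items():
                try:
                    op()
                    results[name] = "ok"
                except OSError as exc:
                    results[name] = errno.errorcode[exc.errno]
        finally:
            os.chmod(d, 0o700)  # restore access so the scratch tree can be removed
    return results

if __name__ == "__main__":
    for mode in (0o300, 0o200, 0o500):
        print(oct(mode), probe(mode))
```

With -wx the directory accepts new files but cannot be listed; with -w- alone every operation fails, which matches the upload failure reported in question 1.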

I have a question.

Anonymous (not verified)
on
November 26, 2006 - 9:24pm

Finally I thought that I was going to get an answer to my problem but everyone got off topic. My problem being:

I can't upload or create files or folders to /var/ftp/pub/./ via vsftpd, not with a user, not anon. But I can log in as a user and mkdir, rmdir and such in my home dir, but not in /var/ftp/pub/./, although I have access to ././pub locally. I'm stumped. Any ideas?

I have already tried:
chmod 777 /var/ftp*
chown ftp /var/ftp*
chown root /var/ftp*
chown $USER /var/ftp* not root [$USER == "Current user"]

I know my conf file is configured correctly because I matched it up to my old conf file, and everything works on that machine. The only diff is that my /var is a mounted partition as opposed to a local dir. That, and the old sys is FC5; I'm now running FC6. Any ideas?

maybe your mount is read only

Anonymous (not verified)
on
December 18, 2006 - 9:23am

maybe your mount is read only?

It could be because of

Tend (not verified)
on
January 15, 2007 - 11:25am

It could be because of SELinux. Try disabling SELinux using 'System|Administration|Security Levels and Firewall' and set SELinux to 'Disabled'. Do a 'chmod 777 /var/ftp/upload' and add this to vsftpd.conf

file_open_mode=0777
anon_umask=0777

This should remove most restrictions and allow your upload to pass. If you get the upload working, remove the execute and read permissions as needed.

For me this solved the

Anonymous (not verified)
on
June 1, 2007 - 5:44am

For me this solved the problem:

local_umask=022
#anon_umask=0007
#file_open_mode=0777

vsftp anonymous upload file attribute (mask) 0600

johnwei (not verified)
on
June 15, 2007 - 12:25am

johnwei said:

Following are the common errors you will encounter when setting anonymous vsftp-2.0.5

4) error: need to access to a designated dir for anonymous ftp
Set following:
anon_root=/var/www/html/docs

5) error: 500 OOPS: vsftpd: refusing to run with writable anonymous root
Symptom:
[root@localhost ~]# ftp 70.234.256.239
Connected to 70.234.256.239.
220 Welcome to My FTP service.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (70.234.256.239:root): anonymous
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable anonymous root
Login failed.

Reason:
Change attribute of ftp directory from
drwxrwxrwx 3 root root 4096 Jun 13 18:42 docs
To
dr-xr-xr-x 3 root root 4096 Jun 13 18:42 docs

6) error: 553 Could not create file.
Symptom:
ftp> put t.txt
local: t.txt remote: t.txt
227 Entering Passive Mode (192,168,1,103,245,163)
553 Could not create file.

Reason:
You need to create a sub dir under ftp dir with 0777 attribute as

drwxrwxrwx 2 ftp ftp 4096 Jun 15 00:40 pub

7) error: anonymously uploaded file has attribute (mask) 0600,
these files could not be downloaded

rw------- 3 root root 4096 Jun 13 18:42 t.txt

Reason:
anon_umask=0133 does not take effect in the code.
In the file "postlogin.c", make following changes:

//vsf_sysutil_fchmod(new_file_fd, 0600); //jwei removes
vsf_sysutil_fchmod(new_file_fd, 0777^tunable_anon_umask); //jwei adds

recompile and cp to /usr/local/sbin/vsftpd

8) error: 425 Security: Bad IP connecting.
ftp>ls
425 Security: Bad IP connecting.

Reason:
Set following:
pasv_promiscuous=YES
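
A small audit of the settings traded in this thread, as an added example that is not part of any post and is not vsftpd code. It assumes the man-page rule that umasks are applied on top of file_open_mode, and it assumes that the fixed 0600 johnwei quotes from postlogin.c applies only when chown_uploads=YES; the function names and finding strings are made up for the illustration.

```python
FORCED_MODE = 0o600  # mode in the fchmod() johnwei quotes from postlogin.c
def parse_conf(text):
    """Collect key=value settings, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (expected mode of an anonymous upload, list of findings)."""
    conf = parse_conf(text)
    on = lambda key: conf.get(key, "NO").upper() == "YES"
    # Man-page defaults: file_open_mode=0666, anon_umask=077, chown_username=root.
    base = int(conf.get("file_open_mode", "0666"), 8)
    umask = int(conf.get("anon_umask", "077"), 8)
    requested = base & ~umask & 0o777  # umask is applied on top of file_open_mode
    mode, findings = requested, []
    if on("chown_uploads"):
        mode = FORCED_MODE  # assumption: forced only when chown_uploads=YES
        if requested != mode:
            findings.append("umask ignored: wanted %04o, forced %04o" % (requested, mode))
        if conf.get("chown_username", "root") == "root":
            findings.append("uploads owned by root")
    if mode == 0:
        findings.append("uploads get mode 0000")
    if mode & 0o111:
        findings.append("uploads are created executable")
    if on("pasv_promiscuous"):
        findings.append("PASV source-address check disabled")
    return mode, findings

# Constructed samples built from values quoted in the thread.
MACHE = """
anon_umask=0007
file_open_mode=0777
chown_uploads=YES
chown_username=mache
"""
LOOSENED = """
file_open_mode=0777
anon_umask=0777
pasv_promiscuous=YES
"""
if __name__ == "__main__":
    for sample in (MACHE, LOOSENED):
        print(audit(sample))
```

Under these assumptions the first sample reproduces the -rw------- result from question 2, and the second shows that a umask of 0777 masks off every permission bit rather than granting them.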

follow-up

sandykalugdan (not verified)
on
July 2, 2008 - 10:52pm

this is my problem.
7) error: anonymously uploaded file has attribute (mask) 0600,
these files could not be downloaded

I am trying to install from source (2.0.5 / 2.0.6) but I am stuck in the process of Make. It is saying sysutil.o has an error. What could be the problem?
