vsftp - can browse but cannot put

Bret Stern bret_stern at machinemanagement.com
Wed Jan 11 18:28:23 UTC 2006


 

-----Original Message-----
From: Rick Stevens [mailto:rstevens at vitalstream.com] 
Sent: Wednesday, January 11, 2006 9:55 AM
To: Getting started with Red Hat Linux; bret_stern at machinemanagement.com
Subject: RE: vsftp - can browse but cannot put

On Wed, 2006-01-11 at 08:57 -0800, Bret Stern wrote:
>  
> -----Original Message-----
> From: Rick Stevens [mailto:rstevens at vitalstream.com]
> Sent: Tuesday, January 10, 2006 10:11 AM
> To: Getting started with Red Hat Linux; 
> bret_stern at machinemanagement.com
> Subject: Re: vsftp - can browse but cannot put
> 
> On Tue, 2006-01-10 at 09:52 -0800, Bret Stern wrote:
> > I can connect and browse to vsftp on FC4, but cannot put files.
> 
> You can only upload files to directories you have write access to.  By 
> "you", I mean the user you logged into FTP as.
> 
> > Ideally, I would like to only allow a specific system user (not 
> > root) to login and put files.
> > 
> > Suggestions.. here's my vsftpd.conf.
> > 
> > Thank you
> > 
> > Bret Stern
> > 
> > # Example config file /etc/vsftpd/vsftpd.conf
> > #
> > # The default compiled in settings are fairly paranoid. This sample file
> > # loosens things up a bit, to make the ftp daemon more usable.
> > # Please see vsftpd.conf.5 for all compiled in defaults.
> > #
> > # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
> > # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
> > # capabilities.
> > #
> > # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
> > anonymous_enable=NO
> > #
> > # Uncomment this to allow local users to log in.
> > local_enable=YES
> > #
> > # Uncomment this to enable any form of FTP write command.
> > write_enable=YES
> > #
> > # Default umask for local users is 077. You may wish to change this to 022,
> > # if your users expect that (022 is used by most other ftpd's)
> > local_umask=022
> > #
> > # Uncomment this to allow the anonymous FTP user to upload files. This only
> > # has an effect if the above global write enable is activated. Also, you will
> > # obviously need to create a directory writable by the FTP user.
> > #uncommented 12-23-2005 bret stern
> > anon_upload_enable=YES
> 
> Why do you have this enabled when you have "anonymous_enable" disabled?
> If you want anonymous FTP, do you really understand how to set that up?
> If you don't, then I'd either comment this out or set it to "NO".
> 
> > #
> > # Uncomment this if you want the anonymous FTP user to be able to create
> > # new directories.
> > #anon_mkdir_write_enable=YES
> > #
> > # Activate directory messages - messages given to remote users when they
> > # go into a certain directory.
> > dirmessage_enable=YES
> > #
> > # Activate logging of uploads/downloads.
> > xferlog_enable=YES
> > #
> > # Make sure PORT transfer connections originate from port 20 (ftp-data).
> > connect_from_port_20=YES
> > #
> > # If you want, you can arrange for uploaded anonymous files to be owned by
> > # a different user. Note! Using "root" for uploaded files is not
> > # recommended!
> > #chown_uploads=YES
> > #chown_username=whoever
> > #
> > # You may override where the log file goes if you like. The default is shown
> > # below.
> > #xferlog_file=/var/log/vsftpd.log
> > #
> > # If you want, you can have your log file in standard ftpd xferlog format
> > xferlog_std_format=YES
> > #
> > # You may change the default value for timing out an idle session.
> > #idle_session_timeout=600
> > #
> > # You may change the default value for timing out a data connection.
> > #data_connection_timeout=120
> > #
> > # It is recommended that you define on your system a unique user which the
> > # ftp server can use as a totally isolated and unprivileged user.
> > #nopriv_user=ftpsecure
> > #
> > # Enable this and the server will recognise asynchronous ABOR requests. Not
> > # recommended for security (the code is non-trivial). Not enabling it,
> > # however, may confuse older FTP clients.
> > #async_abor_enable=YES
> > #
> > # By default the server will pretend to allow ASCII mode but in fact ignore
> > # the request. Turn on the below options to have the server actually do ASCII
> > # mangling on files when in ASCII mode.
> > # Beware that turning on ascii_download_enable enables malicious remote parties
> > # to consume your I/O resources, by issuing the command "SIZE /big/file" in
> > # ASCII mode.
> > # These ASCII options are split into upload and download because you may wish
> > # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
> > # without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
> > # on the client anyway..
> > #ascii_upload_enable=YES
> > #ascii_download_enable=YES
> > #
> > # You may fully customise the login banner string:
> > #ftpd_banner=Tracert has recorded your login map
> > #
> > # You may specify a file of disallowed anonymous e-mail addresses. Apparently
> > # useful for combatting certain DoS attacks.
> > #deny_email_enable=YES
> > # (default follows)
> > #banned_email_file=/etc/vsftpd/banned_emails
> > #
> > # You may specify an explicit list of local users to chroot() to their home
> > # directory. If chroot_local_user is YES, then this list becomes a list of
> > # users to NOT chroot().
> > #chroot_list_enable=YES
> > # (default follows)
> > #chroot_list_file=/etc/vsftpd/chroot_list
> > #
> > # You may activate the "-R" option to the builtin ls. This is disabled by
> > # default to avoid remote users being able to cause excessive I/O on large
> > # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
> > # the presence of the "-R" option, so there is a strong case for enabling it.
> > #ls_recurse_enable=YES
> > 
> > pam_service_name=vsftpd
> > userlist_enable=YES
> > #enable for standalone mode
> > listen=YES
> > tcp_wrappers=YES
> 
> Ok, what do you have in your /etc/vsftpd.user_list file?  It should 
> contain the usernames that are allowed to use FTP, one per line.
> 
> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
> - VitalStream, Inc.                       http://www.vitalstream.com -
> -                                                                    -
> -                       When in doubt, mumble.                       -
> ----------------------------------------------------------------------
> 
> I commented out the:   anon_upload_enable=YES  line
> 
> my user is 'mm'
> 
> my home directory (/home/mm) is where I land when I connect
> I set chmod 777 to the directory
> 
> I have port 20 and 21 open on my firewall

That may not be enough.  Remember that FTP uses a different port than you
think, depending on if you're using PASV or not.  Since PASV is enabled by
default on vsftpd and you don't have it explicitly disabled in your config,
this may be your problem.

> I added userlist_deny=NO to vsftpd.conf
> I added mm to the /etc/vsftpd/user_list file
> 
> I can connect, but cannot upload to the /home/mm folder

Can you do an "ls"?  This is also affected by PASV and the FTP data port
selection.  If you can't do an "ls" on the client end, your firewall may be
in the way.

> Is selinux overriding my setup?

It is possible, but let's make sure of the firewall first.  You didn't say
if the firewall is at the server or the client end (or both).  Which is it,
and what kind of firewalls are involved?

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-         The world is coming to an end ... SAVE YOUR FILES!!!       -
----------------------------------------------------------------------


I can do a "ls".
I have a D-Link 624 router/firewall
The machine I'm on (XP) has no firewall active.

Even when I had :  anon_upload_enable=YES
I was unable to put..


Does the user mm need to belong to the ftp group?

Will xferlog or other log indicate anything?

Can I config SELinux with vi to test any conflict? (no monitor is on my
server)

Sorry for the kitchen sink

Bret
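
The three configuration points raised in this thread (anonymous upload enabled while anonymous login is off, the meaning of the user list, and passive-mode data ports versus a firewall that only opens 20 and 21) can be checked mechanically. The following is an added example, not part of the original messages; the option names are standard vsftpd.conf(5) options, while the function names, the corrected variant and the port range 50000-50100 are constructed for illustration.

```python
# Added example: lint a vsftpd.conf for the issues discussed in this thread.
DEFAULTS = {  # vsftpd compiled-in defaults for the options checked here
    "anonymous_enable": "YES", "anon_upload_enable": "NO",
    "userlist_enable": "NO", "userlist_deny": "YES",
    "pasv_enable": "YES", "pasv_min_port": "0", "pasv_max_port": "0",
}

def parse_conf(text):
    """Overlay option=value lines (no spaces around '=') on the defaults."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def lint(text):
    """Return a list of findings for the effective configuration."""
    c = parse_conf(text)
    on = lambda k: c[k].upper() == "YES"
    findings = []
    if on("anon_upload_enable") and not on("anonymous_enable"):
        findings.append("anon_upload_enable=YES is dead config while "
                        "anonymous_enable=NO; set it to NO")
    if on("userlist_enable") and on("userlist_deny"):
        findings.append("userlist_deny defaults to YES: the user list is a "
                        "deny list; set userlist_deny=NO for an allow list")
    if on("pasv_enable") and "0" in (c["pasv_min_port"], c["pasv_max_port"]):
        findings.append("PASV data ports are unrestricted; pin "
                        "pasv_min_port/pasv_max_port and open that range")
    return findings

# Active (uncommented) options from the config as first posted in the thread.
POSTED = """anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
userlist_enable=YES
listen=YES
"""
# Constructed corrected variant; the port range is an arbitrary example.
FIXED = POSTED.replace("anon_upload_enable=YES", "anon_upload_enable=NO") + \
    "userlist_deny=NO\npasv_min_port=50000\npasv_max_port=50100\n"

if __name__ == "__main__":
    for finding in lint(POSTED):
        print("WARN:", finding)
```

Run against the real file with `lint(open("/etc/vsftpd/vsftpd.conf").read())`; a pinned passive range still has to be allowed or forwarded on whatever firewall sits in front of the server.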









