
I have a server with CentOS 6.2 with httpd and vsftpd.

I have a few web sites in /var/www and I want to add an FTP user for each site.

My user1 home directory is /home/user1 and it can read/write its folder from FTP. (It's the user I use for SSH and almost everything.)

I made user2, whose home is /var/www/site2, with the shell set to /bin/nologin (because I want it to be just an FTP user).

I can log in to the FTP with user2 and download files, but I can't upload files or mkdir...

The permissions are:

for /var/www :

drwxrwxr-x. 13 root root 4096 Aug 21 14:08 .

for /var/www/site2 :

drwxrwxrwx. 2 user2 user2 4096 Aug 21 14:35 site2

(the 777 was just for testing...)

My vsftpd.conf is:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=NO
log_ftp_protocol=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
banner_file=/etc/vsftpd/banner

My iptables is currently stopped for testing, so the problem is not my firewall either...

SELinux is enabled:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

When I disable it, it works! :) How can I enable it and keep my vsftpd working?

Thanks in advance for your help

frank

2 Answers


What are the rights on /var/www/site2?

User2 will need write access to this directory at the file system level. For instance /var/www/site2 needs to be something like:

ls -l /var/www
<snip>
drwxr-xr-x user2  www-data     site2/

Make sure SELinux is disabled as well

setsebool -P allow_ftpd_full_access 1

TheFiddlerWins


I don't think making sure that SELinux is disabled is the best approach for this situation.

You need context like public_content_rw_t to allow vsftp (etc) to write to the folder with SELinux.

So set the context and then verify with:

chcon -t public_content_rw_t /var/www/site2
ls -ldZ /var/www/site2/

Then check the /var/log/audit.log for clues if you still fail. If you still get permission denied issues, and they are getting logged in /var/log/audit.log, look into using audit2allow if you can't figure out what else might help.

Petter H
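The second answer's last step, reading the audit log for clues, is easier with a small parser. The script below is an added example and is not code from either answer or from the vsftpd or SELinux projects. It parses constructed AVC records in the format of /var/log/audit/audit.log (on CentOS 6 the file normally lives at /var/log/audit/audit.log), picks out the denials where the ftpd_t domain was refused a write-class permission, and prints the persistent relabel commands for the site directory. The pids, inodes, timestamps and file names in the sample are made up; the set of types treated as legitimately FTP-writable is an assumption limited to public_content_rw_t, the type the answer recommends. Note that chcon alone is undone by the next filesystem relabel, whereas semanage fcontext records the rule so restorecon can reapply it.

```python
"""Find SELinux AVC denials that block vsftpd writes and print the
persistent relabel commands for the affected directory."""
import re

# Constructed sample records in audit.log format (not taken from the question).
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1345555500.000:4300): pid=2340 uid=0 auid=500 ses=3 exe="/usr/sbin/vsftpd" res=success
type=AVC msg=audit(1345555555.123:4321): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="site2" dev=sda1 ino=131073 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1345555555.123:4321): arch=c000003e syscall=83 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023
type=AVC msg=audit(1345555560.456:4322): avc:  denied  { create } for  pid=2345 comm="vsftpd" name="upload.txt" scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1345555570.789:4323): avc:  denied  { read } for  pid=1200 comm="httpd" name="private.key" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
"""

# Assumption: the only type we treat as intended-writable for the FTP daemon
# here is the one the answer uses; other setups may add more.
FTP_WRITABLE_TYPES = {"public_content_rw_t"}

# Permissions that indicate an attempted modification of the target object.
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "setattr",
               "unlink", "rename", "rmdir"}

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')


def parse_avc(line):
    """Return a dict describing one AVC denial line, or None for other records."""
    if not line.startswith("type=AVC"):
        return None
    m = _DENIED_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return {
        "perms": m.group(1).split(),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        "tclass": kv.get("tclass"),
        # Context is user:role:type:level; the type is the third field.
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
    }


def parse_log(text):
    """All AVC denials found in a block of audit.log text."""
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]


def ftp_write_denials(denials):
    """Denials where the FTP daemon domain was refused a write-class permission."""
    return [d for d in denials
            if d["stype"] == "ftpd_t" and WRITE_PERMS & set(d["perms"])]


def offending_types(denials):
    """Target file types hit by FTP write denials that are not meant to be FTP-writable."""
    return {d["ttype"] for d in ftp_write_denials(denials)
            if d["ttype"] not in FTP_WRITABLE_TYPES}


def relabel_commands(path, ftype="public_content_rw_t"):
    """Persistent relabel: semanage records the rule, restorecon applies it."""
    return [
        "semanage fcontext -a -t %s '%s(/.*)?'" % (ftype, path),
        "restorecon -Rv %s" % path,
    ]


if __name__ == "__main__":
    found = parse_log(SAMPLE_AUDIT_LOG)
    for d in ftp_write_denials(found):
        print("vsftpd denied %s on %s (%s, labelled %s)"
              % (",".join(d["perms"]), d["name"], d["tclass"], d["ttype"]))
    if offending_types(found):
        print("\n".join(relabel_commands("/var/www/site2")))
```

Run it against the real file with `parse_log(open("/var/log/audit/audit.log").read())`; if the only offending type is something like httpd_sys_content_t, the relabel is the fix, and `ls -ldZ` afterwards should show public_content_rw_t. If denials persist on a type that is already public_content_rw_t, that is the point at which audit2allow becomes worth looking at.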