Home / server / Questions / 247096
Accepted
user15318
Asked: 2011-03-15 03:14:46 +0800 CST

Allow anonymous upload for Vsftpd?

  • 772

I need a basic FTP server on Linux (CentOS 5.5) without any security measure, since the server and the clients are located on a test LAN, not connected to the rest of the network, which itself uses non-routable IP's behind a NAT firewall with no incoming access to FTP.

Some people recommend Vsftpd over PureFTPd or ProFTPd. No matter what I try, I can't get it to allow an anonymous user (ie. logging as "ftp" or "anonymous" and typing any string as password) to upload a file:

# yum install vsftpd

# mkdir /var/ftp/pub/upload

# cat vsftpd.conf
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_file=YES

#anonymous users are restricted (chrooted) to anon_root
#directory was created by root, hence owned by root.root
anon_root=/var/ftp/pub/incoming
anon_upload_enable=YES
anon_mkdir_write_enable=YES

#chroot_local_user=NO
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
chown_uploads=YES

When I log on from a client, here's what I get:

500 OOPS: cannot change directory:/var/ftp/pub/incoming

I also tried "# chmod 777 /var/ftp/incoming/", but get the same error.

Does someone know how to configure Vsftpd with minimum security?

Thank you.

Edit: SELinux is disabled and here are the file permissions:

# cat /etc/sysconfig/selinux
SELINUX=disabled
SELINUXTYPE=targeted
SETLOCALDEFS=0

# sestatus
SELinux status:                 disabled
# getenforce
Disabled

# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

# ll /var/
drwxr-xr-x  4 root root 4096 Mar 14 10:53 ftp

# ll /var/ftp/
drwxrwxrwx 2 ftp ftp 4096 Mar 14 10:53 incoming
drwxr-xr-x 3 ftp ftp 4096 Mar 14 11:29 pub

Edit: latest vsftpd.conf:

listen=YES
local_enable=YES
write_enable=YES
xferlog_file=YES

#anonymous users are restricted (chrooted) to anon_root
anonymous_enable=YES
anon_root=/var/ftp/pub/incoming
anon_upload_enable=YES
anon_mkdir_write_enable=YES

#500 OOPS: bad bool value in config file for: chown_uploads
chown_uploads=YES
chown_username=ftp

Edit: with trailing space removed from "chown_uploads", err 500 is solved, but anonymous still doesn't work:

client> ./ftp server
Connected to server.
220 (vsFTPd 2.0.5)
Name (server:root): ftp
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/var/ftp/pub/incoming
Login failed.
ftp> bye

With user "ftp" listed in /etc/passwd with home directory set to "/var/ftp" and access rights to /var/ftp set to "drwxr-xr-x" and /var/ftp/incoming to "drwxrwxrwx"...could it be due to PAM maybe? I don't find any FTP log file in /var/log to investigate.

Edit: Here's a working configuration to let ftp/anonymous connect and upload files to /var/ftp:

listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
linux ftp upload vsftpd anonymous

6 Answers

  1. Best Answer

    You have created a dir called pub/upload:

    # mkdir /var/ftp/pub/upload

    But then you configured uploads to go to pub/incoming:

    anon_root=/var/ftp/pub/incoming

    So it's a simple path mismatch, all the rest seems OK.

    • 6

    1. For anonymous logins, change the "ftp" users home directory in /etc/passwd.

      ftp:x:119:131:ftp daemon,,,:/var/ftp/pub/:/bin/false

    2. And add this to your /etc/vsftpd.conf file.

      allow_writeable_chroot=YES

    3. And make sure that the ftp user has access (chmod 755) to enter every directory up to the location /var/ftp/pub/

    I was fighting this problem for hours. vsftpd doesn't give clear help or suggestions for errors.

    • 1

  3. You probably have SE linux enabled. Rather than disable the whole thing you can use

    /usr/sbin/setsebool -P ftp_home_dir 1

    to allow ftp to work correctly.

    EDIT Looking over this again, if the commands above are what you really typed then /var/ftp/pub/incomming doesn't exist so make sure it does then try again.

    • 0

  4. You probably have userlist_deny=NO in your conf file. Change it to YES and make sure that the username you're using isn't in /etc/vsftpd/user_list or in /etc/vsftpd/ftpusers.

    • 0

  5. here is what worked for me (he said, while mentally strangling a developer)

    vsftpd.conf:

    anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/var/ftp/

    create/chown Directories 

    mkdir /var/ftp
chown nobody:nogroup /var/ftp
mkdir /var/ftp/uploads
chown ftp:ftp /var/ftp/uploads
#edit for good measure also (gave me grief with pure-ftpd)
chmod 777 /var/ftp/uploads

    change homedir in

    /etc/passwd:

    ftp:x:116:124:ftp daemon,,,:/var/ftp:/usr/sbin/nologin

    (default home dir on debian is /srv/ftp so you can make yo life easier sticking to that dir)

    uploads are possible to /var/ftp/uploads SElinux/Apparmor is disabled on this system, debian 10.3

    Note: vsftp will throw an errormessage if the initial homedirectory has rw rights (aka chown ftp:ftp) on /var/ftp directly

    Edit note: with the faint hope, this whole text is somewhat understandable. Klaus

    • 0

  6. Is SE linux enabled. Folks in that forum were able to resolve the issue by disabling SE linux.

    http://rackerhacker.com/2007/06/14/500-oops-error-from-vsftpd/

    • -1