Setting up VSFTPD in RedHat 8



Chilling_Silently
26-05-2003, 12:10 PM
I'm working on getting FTP going.. easy way to transfer over the LAN I guess.. but I'm getting ADSL soon and would like to be able to put up files for other users to download etc. and perhaps have upload facilities for certain users.

I've got AnonFTP (I think), VSFTP, and ProFTP installed.

I'd like to get VSFTP sussed out..
I've run redhat-config-services and enabled it in there; I only enable it in one runlevel and it enables it in them all.
That I can live with, but why does it not have the option to start, stop or restart?
I enable it and reboot.. try to login as anonymous or josiah (My user) and I have no joy.

Permission denied, make sure the network connection is something or other..

What do I need to do here?
I wouldn't honestly have a clue where to begin?!

Cheers


Chill.

Chilling_Silently
26-05-2003, 12:14 PM
Okay, I was a little off, here's what it really gives me when I type in ftp://192.168.0.2 into IE:

Windows cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder.

Details:
A connection with the server could not be established

This is no matter what I run (Tried ProFTP, disabled it then tried rebooting after enabling VSFTP). This is RedHat 8 so VSFTPD must be run under XINETD.

Thanks


Chilling_Silence

b1naryb0y
26-05-2003, 01:31 PM
Sounds like a firewall issue.

login as root, open a terminal and type setup

Select "Firewall Configuration"

Under Security Level, select "High"

Select "Customize"

Under Trusted Devices, select "eth0" (or whatever device your internal network is on)

Under Allow Incoming, select only the services you are running. For your example make sure "FTP" is selected.
There is also a section labelled Other Ports where you can specify what other ports you would like to open up.

Chilling_Silently
26-05-2003, 06:42 PM
I'm pretty sure I don't have a firewall set up at all on it!

I disabled the main one during setup, and I didn't install any others.

For now, ProFTP is working.. I can connect in an FTP Client on LocalHost, and also on the Gateway, I can use Phoenix to connect to ProFTP, but cannot connect within IE, even with a username and password specified?

Seems odd?

Anyways, for now I'm gonna look into the issues with IE, and I'll look into any extra firewalls that may be set up!

Cheers


Chill.

Chilling_Silently
26-05-2003, 09:39 PM
Well..
I checked, and it said the firewall was set to high rules, but still, why would it work from the gateway in Phoenix and CuteFTP but not IE?

Anyways.. I realised something rather frightening..
I haven't blocked them from going up a level and accessing my other files..
Go up two levels and you're at my root folder, and I'm in the poo coz there's my whole HDD shared there, all 3 mounted plus my DVD....

So I'm off to look up how to stop that in ProFTP, but I still can't figure out why IE doesn't like it?
I can't ask for outsiders' help right now coz PortMapper isn't working for some reason..
Trying to route port requests from 21 to 192.168.0.2 but its not working :(

Does anybody have another app that'll do what I want (Redirect all requests to port 21 from the Gateway to my PC on the LAN)?

Cheers


Chill.

joey
27-05-2003, 01:58 PM
Hey Chill, in RH 8.0 vsftpd runs under xinetd, therefore you can't stop/start it etc. You have to stop/start xinetd. If you install v9.0 it installs it correctly as a full stand-alone service.

You don't need to run any other FTP daemons if you're running vsftp. It will do both anon and secure connections. Have a look at the config files that I sent you, there's an example of both in there.

Note to turn off firewalling disable ipchains and iptables with the service commands.

Vsftpd can restrict users to their home dirs as well as let some roam. Be careful with these settings. Likewise be very careful with anon access.

Connections to FTP outside your router are very tricky! Do some research here on active and passive connections. It's very hard to set up an FTP server inside a router using NAT because of the way that the secondary connections are made.

Joey
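
The active/passive point joey makes above, as an added example written for this page (it is not code from the thread or from vsftpd). In passive mode the server tells the client, inside the control connection, which address and port to open the data connection to; the script parses that 227 reply and checks whether a client on the Internet could actually reach what was advertised through a NAT router. The router's public address 203.0.113.5 (a documentation address), the 50000-50010 port range and the forwarding table are constructed assumptions; `pasv_address`, `pasv_min_port` and `pasv_max_port` are real vsftpd.conf options.

```python
"""Added example: why an FTP server behind a NAT router is hard to reach.

Not code from the thread or from vsftpd. A router that only forwards
port 21 never sees the second, data port, and a server that advertises
its LAN address gives the outside client nothing it can connect to.
Constructed data: the 227 replies below, the router's public address
203.0.113.5 (documentation address) and its forwarding table.
"""
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(ip, port):
    """Build the 227 reply a server sends for the given data endpoint."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ip.replace(".", ","), port // 256, port % 256)


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16: not routable on the Internet."""
    a, b, _, _ = (int(x) for x in ip.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def reachable_from_internet(reply, router_public_ip, forwarded_ports):
    """Decide whether an outside client could open the data connection the
    server just advertised. forwarded_ports is the set of TCP ports the
    router forwards to the server (21 is assumed to be among them)."""
    ip, port = parse_pasv(reply)
    if is_rfc1918(ip):
        return False, ("server advertised its private address %s; "
                       "set pasv_address to the public one" % ip)
    if ip != router_public_ip:
        return False, "server advertised %s but the router is %s" % (ip, router_public_ip)
    if port not in forwarded_ports:
        return False, ("port %d is not forwarded by the router; pin "
                       "pasv_min_port/pasv_max_port and forward that range" % port)
    return True, "data connection to %s:%d can be established" % (ip, port)


# Constructed scenario: server 192.168.0.2 behind a router at 203.0.113.5
# that forwards 21 and 50000-50010 to the server.
ROUTER_IP = "203.0.113.5"
FORWARDED = {21} | set(range(50000, 50011))

# Default vsftpd: advertises its own (LAN) address and an ephemeral port.
DEFAULT_REPLY = "227 Entering Passive Mode (192,168,0,2,195,80)"
# After pasv_address=203.0.113.5, pasv_min_port=50000, pasv_max_port=50010.
TUNED_REPLY = format_pasv(ROUTER_IP, 50005)

if __name__ == "__main__":
    for reply in (DEFAULT_REPLY, TUNED_REPLY, format_pasv(ROUTER_IP, 40000)):
        print(reply, "->", reachable_from_internet(reply, ROUTER_IP, FORWARDED))
```

The server-side fix is therefore three settings plus a router rule: `pasv_address` set to the public address, a small `pasv_min_port`/`pasv_max_port` range, and port 21 plus that range forwarded to 192.168.0.2. Active mode has the mirror-image problem (the client sends its own address in PORT and the server connects out from port 20), which is why a client behind NAT usually has to use passive mode; a Linux box acting as the NAT router can instead load the ftp connection-tracking/NAT helper modules, which rewrite the 227 reply and open the data port on the fly.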

joey
27-05-2003, 02:01 PM
Oh with your IE problem. You say you can connect with other FTP clients. Can you connect and do a dir listing?

Chilling_Silently
27-05-2003, 02:48 PM
I cannot connect in IE at all, it comes up with that immediately before I can even do a DIR listing.

I can connect fine CuteFTP and list the contents etc. and Phoenix does it fine also...
Scary thing is CuteFTP can go up a dir as well, and ftp in Linux also connects and goes up a few dirs.

I'll check the emails, and have a look :-)

Thanks!


Chill.

Chilling_Silently
27-05-2003, 09:47 PM
Okay, cool, and I figured out that IE is thinking it's a Website.. Online.. Internet.. and so I've gotta be on the net to use IE.. stupid thing.

I've found the email with the vsftpd conf examples (Thanks), but how do I make a user that can go down folders into subdirectories (I've made three or four links to other directories on the HDD) but not up above the /home folder?

Also.. I'm wanting a user who can upload files/folders and create/edit those, but not in folders it hasn't made (So I could make a link to another folder and have the user only receive Read access to the contents of that folder).

Thanks a lot :-)

Cheers


Chill.

joey
28-05-2003, 12:17 PM
Ok Chill, it's all explained in #man vsftpd.conf

Here's a summary below.

# Uncomment this to allow local users to log in.
local_enable=YES

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
chroot_local_user=YES

# People that can browse the operating system
chroot_list_file=/etc/vsftpd.chroot_list

# Block users in this list
# /etc/vsftp.user_list
userlist_enable=YES


If you use the setting above as I have then the following is true.

People in this file can move out of their directories.
/etc/vsftpd.chroot_list

Users that are allowed. Note: include anonymous and Anonymous if anon required.
/etc/vsftpd.user_list

Now to create users that FTP into the different location you need to change the home dir in /etc/passwd. That's where they'll FTP to.

As far as having a user access the server adding/changing files etc, that's easy: give them write access to the folder. Then if you want directories that he/she can only read and not write, just give them read access and not write access. So you'd create a read-only link or directory on the file system. Simple :)

Joey

Chilling_Silently
28-05-2003, 01:00 PM
Cheers, I only needed to change the following:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=NO
chroot_local_user=NO

And they can now browse my subdirectories fine.. but they can also go Up...
I've used #ln -s to /mnt/hdb5 (My FAT32 Partition) to link to it, and a couple of other places on the HDD.

They now have Read-Only access to those folders, which I want.. but they also have Read-Only access to any folder on the HDD..

I think I'm a little lost here.. I want them so they cannot go Up from their home folder, but can browse the linked folders at their pleasing!

What have I configured wrong?

Thanks joey



Chill.

joey
28-05-2003, 01:03 PM
If you've got these three lines then they should be able to browse.

chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd.chroot_list

Only users in the vsftpd.chroot_list should be able to browse out of their home dirs.

joey
28-05-2003, 01:06 PM
Oops, If you've got these three lines then they SHOULDN'T be able to browse.

Chilling_Silently
28-05-2003, 01:13 PM
Okay, so its:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
chroot_local_user=YES

# Put people in this file that need to be locked to their home directories
chroot_list_file=/etc/vsftpd.chroot_list

and vsftpd.chroot_list contains:

josiah
muffy


Josiah is my main desktop user, and muffy is a user I simply made for FTP..
But muffy is still allowed to view /home, /, /etc, /mnt and anything else muffy wants to!
That's the part I want to stop... But I can't?

Chilling_Silently
28-05-2003, 01:17 PM
How about I avoid confusion and post the following:

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are very paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
#
# Allow anonymous FTP?
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=180
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=anon
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
josiah
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=180
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=anon
#
# Note on anonymous users.
# Default user is "ftp". The ftp users home dir is defined in /etc/passwd
# The home dir must not be owned or writeable by the "ftp" user


I've got a user called anon who has one or two files.. not a necessary user.. just made it to fill in the gaps there...

Here's /etc/vsftpd.ftpusers

# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd.ftpusers
# for users that are denied.
anon
josiah
muffy


/etc/vsftpd.chroot_list

josiah
muffy

Now I'm sure I'm missing something obvious here.. I'm just not sure what ;-)
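
The chroot_* and userlist_* rules that joey summarised earlier and that the lists above are meant to drive, as an added example written for this page (not code from the thread or from vsftpd). It applies the rules from vsftpd.conf(5) to a config fragment and the three list files and reports, per user, whether the login is accepted and whether the session is jailed in the home directory. The config text and lists are constructed to mirror what was posted; userlist_deny=NO is an added assumption, because the default of YES makes vsftpd.user_list a deny list, not the allow list the comment block above describes.

```python
"""Added example: what vsftpd's chroot_* and userlist_* settings do.

Not code from the thread or from vsftpd. The inputs below are constructed
to mirror joey's summary and the lists Chilling_Silently posted;
userlist_deny=NO is an added assumption (default YES = deny list).
"""


def parse_conf(text):
    """Minimal vsftpd.conf reader: key=value per line, '#' comments,
    YES/NO turned into booleans, anything else kept as a string."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.upper() in ("YES", "NO"):
            value = (value.upper() == "YES")
        conf[key.strip()] = value
    return conf


def parse_list(text):
    """One user name per line, as in vsftpd.chroot_list and friends."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")}


def is_chrooted(user, conf, chroot_list):
    """chroot_local_user=YES jails every local user and the list names the
    exceptions; chroot_local_user=NO jails nobody and the list names the
    only users who ARE jailed. The list always flips the default, which is
    what bit the thread: with chroot_local_user=YES, listing muffy lets
    muffy out."""
    jail_by_default = bool(conf.get("chroot_local_user", False))
    listed = bool(conf.get("chroot_list_enable", False)) and user in chroot_list
    return jail_by_default != listed


def is_allowed(user, conf, user_list, ftpusers):
    """Login gate. /etc/vsftpd.ftpusers (checked by PAM) always denies.
    With userlist_enable=YES, userlist_deny=YES (the default) denies the
    listed users before the password prompt; userlist_deny=NO admits only
    the listed users."""
    if user in ftpusers:
        return False
    if conf.get("userlist_enable", False):
        deny_mode = conf.get("userlist_deny", True)
        if deny_mode and user in user_list:
            return False
        if not deny_mode and user not in user_list:
            return False
    return True


def evaluate(conf_text, chroot_text, user_list_text, ftpusers_text, users):
    """Map each user to {'allowed': bool, 'chrooted': bool}."""
    conf = parse_conf(conf_text)
    chroot_list, user_list, ftpusers = map(
        parse_list, (chroot_text, user_list_text, ftpusers_text))
    return {u: {"allowed": is_allowed(u, conf, user_list, ftpusers),
                "chrooted": is_chrooted(u, conf, chroot_list)} for u in users}


# Constructed inputs mirroring the thread (userlist_deny=NO is assumed).
POSTED_SETTINGS = """
local_enable=YES
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd.chroot_list
userlist_enable=YES
userlist_deny=NO
"""
POSTED_CHROOT_LIST = "josiah\nmuffy\n"   # as posted: both users listed
FIXED_CHROOT_LIST = "josiah\n"           # only josiah may leave the home dir
USER_LIST = "anon\njosiah\nmuffy\n"
FTPUSERS = "root\nbin\ndaemon\nnobody\n"

if __name__ == "__main__":
    for label, cl in (("posted", POSTED_CHROOT_LIST), ("fixed", FIXED_CHROOT_LIST)):
        verdict = evaluate(POSTED_SETTINGS, cl, USER_LIST, FTPUSERS,
                           ["josiah", "muffy", "root", "guest"])
        for user, r in verdict.items():
            print("%-6s %-6s allowed=%-5s chrooted=%s" % (
                label, user, r["allowed"], r["chrooted"]))
```

With the posted lists, muffy is admitted but not jailed, which is exactly the symptom reported; removing muffy from vsftpd.chroot_list (or setting chroot_local_user=NO and listing only the users to jail) fixes it. One caveat for the linked folders: once a user is chrooted, a symlink to /mnt/hdb5 inside the home directory resolves relative to the jail, where /mnt/hdb5 does not exist, so the link goes dead; on a 2.4 or later kernel the usual way to expose another partition read-only inside the jail is a bind mount (mount --bind) of that directory under the home directory, with filesystem permissions granting read access only.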

joey
28-05-2003, 01:26 PM
Can you paste your conf file again, I think you missed some.

You can email me if it's easier.

Chilling_Silently
28-05-2003, 01:32 PM
Okay, will do...

Hey, and it's gone Bold?

I didn't do that?!

Thanks