version 1.0.0, 2014-07-09 : Initial version
Configure vsftpd for anonymous write access in /var/ftp/pub
This is how to configure anonymous write access to /var/ftp/pub over FTP on a Red Hat based system (RHEL, CentOS or Fedora) using the vsftpd daemon.
1. Prerequisites
First of all, you need to install vsftpd:
yum -y install vsftpd
2. Configure vsftpd
Edit your vsftpd configuration file (/etc/vsftpd/vsftpd.conf) and ensure the following lines are uncommented and have these values:
anonymous_enable=YES
anon_upload_enable=YES
And if you want your anonymous users to create directories, you will need:
anon_mkdir_write_enable=YES
Don’t forget to restart the service after any modification:
service vsftpd restart
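To check what the settings from this step actually grant, the following added example (not part of the original page; the function names `conf_value` and `anon_write_state` are hypothetical) reads a vsftpd.conf and reports the anonymous write state. It assumes the last uncommented occurrence of a key wins, uses the defaults documented in the vsftpd.conf man page, and accounts for the fact that the anon_* write options only take effect when write_enable is on.

```shell
#!/bin/sh
# Added example (not from the original page): report what anonymous users
# may write according to a vsftpd.conf. Function names are hypothetical.

# conf_value FILE KEY DEFAULT: last uncommented KEY=value in FILE, upper-cased,
# or DEFAULT when the key is absent (assumption: the last occurrence wins).
conf_value() {
    v=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1 | tr -d '\r' | tr 'a-z' 'A-Z')
    printf '%s\n' "${v:-$3}"
}

# anon_write_state FILE: prints no-anonymous, read-only, upload, mkdir
# or upload+mkdir. Simplification of this example: only YES counts as enabled.
anon_write_state() {
    conf=$1
    if [ "$(conf_value "$conf" anonymous_enable YES)" != YES ]; then
        echo no-anonymous; return 0
    fi
    # The anon_* write options have no effect unless write_enable is on.
    if [ "$(conf_value "$conf" write_enable NO)" != YES ]; then
        echo read-only; return 0
    fi
    state=
    if [ "$(conf_value "$conf" anon_upload_enable NO)" = YES ]; then
        state=upload
    fi
    if [ "$(conf_value "$conf" anon_mkdir_write_enable NO)" = YES ]; then
        state=${state:+$state+}mkdir
    fi
    echo "${state:-read-only}"
}

# Constructed sample: the settings from step 2, with mkdir left commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's configuration
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
#anon_mkdir_write_enable=YES
EOF
echo "sample config: $(anon_write_state "$sample")"
rm -f "$sample"
```

Run `anon_write_state /etc/vsftpd/vsftpd.conf` on the server after editing to confirm that only the write options you intended are enabled.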
3. Configure iptables
To be able to use passive mode in FTP, you will need to make iptables load the ip_conntrack_ftp module. To do this, edit the IPTABLES_MODULES setting in the /etc/sysconfig/iptables-config file. If no other modules were already loaded, the line should finally look like:
IPTABLES_MODULES="ip_conntrack_ftp"
Then open the correct ports. You will certainly want to limit the sources here for security; this example is the simplest:
iptables -I INPUT 5 -p tcp -m tcp --dport 20 -j ACCEPT
iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT
# Check that the REJECT rule is AFTER the rules you just added
iptables -L -n
# Save and restart
service iptables save
service iptables restart
# And check again that everything is ok
iptables -L -n -v
4. Configure SELinux
Ensure SELinux is set to Enforcing (getenforce). If not, you should consider setting it to Enforcing for more security (setenforce 1).
You need to set the SELinux allow_ftpd_anon_write boolean to on:
setsebool -P allow_ftpd_anon_write on
# And check that the change is correctly made
getsebool allow_ftpd_anon_write
5. Configure permissions
The directory we want the anonymous user to put files in is /var/ftp/pub, so we will ensure that this folder is writable by the ftp user:
chown ftp /var/ftp/pub
chmod 755 /var/ftp/pub
And you should ensure that your directory has the correct SELinux context:
chcon -t public_content_rw_t /var/ftp/pub
# And check that it's correctly applied:
ls -dZ /var/ftp/pub
Now test from any client that should be able to connect and put a dummy_file (I’m using lftp here but you could test with any other client).
lftp my_ftp_server
cd pub
put dummy_file
bye