Sunday, November 10, 2013

CentOS 6.4 VSFTP Problem - 553 Could not create file

Do you have SELinux enabled?

To check: sestatus

If it reports SELinux status: enabled and Current mode: enforcing, SELinux is fully on and is the first suspect, so switch it to permissive mode while you diagnose.

Permissive mode: setenforce 0 (this is not persistent; it reverts to whatever /etc/selinux/config says at the next boot, which is what you want for a temporary test)

Check sestatus again and it should now say Current mode: permissive. SELinux stays loaded and still logs every denial to the audit log, but it no longer blocks anything.

With SELinux in permissive mode, try your FTP upload again and see if the problem has magically gone away. If it has, SELinux is to blame, and the reasons are recorded as AVC denials in /var/log/audit/audit.log. Rather than clearing the log files (that throws away history you may want later), note the time, do your FTP thing, then pull only the recent denials with ausearch -m avc -ts recent, or tail -f /var/log/audit/audit.log while you retry so that only the entries related to your FTP issue scroll past.

If SELinux is to blame, there are a few SELinux booleans worth looking at.

Best start is: getsebool -a | grep ftp

You'll see something like

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

Not all of these are relevant to vsftpd: httpd_enable_ftp_server is for Apache acting as an FTP server, and tftp_anon_write is for tftpd. For local users uploading into their own home directories, which is the usual cause of the 553, start with:

setsebool -P ftp_home_dir on

(-P makes the change persistent across reboots; without it the boolean reverts at the next boot.) ftp_home_dir is what lets the ftpd_t domain read and write under /home, and on its own it fixes most cases.

Only if the directories you need are outside the home directories should you reach for:

setsebool -P allow_ftpd_full_access on

Be aware of what that one does: it lets vsftpd read and write any file on the system that the normal Unix permissions allow, which throws away most of the confinement SELinux gives the daemon. If a single directory is the problem, labelling just that directory is the better fix (see the restorecon and chcon notes below).

allow_ftpd_anon_write, the first boolean in the list above, is only needed if you want every joe blow out there to be able to upload files into the anonymous directory (which must also be labelled public_content_rw_t). I seriously discourage doing that unless the server is internal only. If it is publicly accessible, it will be found and it will be abused.

Next you'll need to make sure that the home folders have the right settings enabled.

Check the SELinux labels (contexts): ls -alZ /home

Chances are that if you just created the home folders by hand they carry the wrong labels, so reset them to what the policy says they should be:

First run it to see what it'll change, but without it changing anything: restorecon -nvvr /home
-n = don't do anything, report only
-vv = very verbose
-r = recursive (do /home and everything under it)

You might want to run this on /home/udo, /home/ftp-docs and /home/ftpuser instead of all of /home

If you're happy with what it wants to do: restorecon -vvr /home
Same command without -n, so it actually applies the changes.

Next stick SELinux back into enforcing mode:
setenforce 1

Check it is with sestatus (current mode = enforcing).

Try FTP again, and if it's broken once more check the audit log to see what else is going on. You might be missing a label on some directory, which you can set with chcon. Bear in mind that chcon only changes the label on disk; the next restorecon or full relabel will put it back to the policy default. To make a custom label stick, record it in the policy first with semanage fcontext -a -t TYPE 'PATH(/.*)?' and then run restorecon on the path. Use -Z on various commands to work out what contexts are in play (ps -Z, ls -Z, and so on).

There are a few tools out there that turn the audit log into something more human-readable, together with suggestions on how to fix it. I've never used any of them, so I can't say much about them either way.
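As a worked example of the triage described above (pulling the vsftpd-related AVC denials out of the audit log and mapping each one to the boolean or relabel step from the procedure), here is a small POSIX shell script. It is an added example, not code from the original post nor from any of the SELinux tools; the audit log lines it runs against are constructed samples embedded in the script, and the suggestion table is a heuristic that assumes the labels the post mentions (user home directories, public_content_t, and a mislabelled default_t directory).

```shell
#!/bin/sh
# Triage SELinux AVC denials raised by vsftpd (ftpd_t domain) and suggest
# the next step from the procedure above. Added example; the log below is
# CONSTRUCTED, not a real capture.

# Write a constructed sample of /var/log/audit/audit.log to the file named in $1.
# It mixes a SYSCALL record, three ftpd_t denials and an unrelated httpd_t denial.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1384087412.623:1234): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1384087412.623:1234): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="ftpuser" dev=dm-0 ino=131074 scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1384087420.101:1240): avc:  denied  { write add_name } for  pid=2345 comm="vsftpd" name="upload.txt" scontext=unconfined_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1384087425.555:1250): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1384087430.777:1260): avc:  denied  { write } for  pid=2345 comm="vsftpd" name="pub" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
EOF
}

# Print one line per AVC denial whose source domain is ftpd_t:
#   <perms,comma-joined> <tclass> <name> <target type>
# Usage on a real box: ftpd_denials /var/log/audit/audit.log
ftpd_denials() {
    awk '
    /^type=AVC / && /scontext=[^ ]*:ftpd_t:/ {
        perm = "?"; name = "?"; ttype = "?"; tclass = "?"
        # permissions sit between "{ " and " }"
        if (match($0, /[{] [^}]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
        if (match($0, /name="[^"]*"/)) name = substr($0, RSTART + 6, RLENGTH - 7)
        # tcontext=user:role:type:level -> keep the type field
        if (match($0, /tcontext=[^ ]+/)) {
            split(substr($0, RSTART + 9, RLENGTH - 9), t, ":"); ttype = t[3]
        }
        if (match($0, /tclass=[^ ]+/)) tclass = substr($0, RSTART + 7, RLENGTH - 7)
        print perm, tclass, name, ttype
    }' "$1"
}

# Map the denied object's SELinux type to the remedy the post walks through.
# Heuristic (assumption), not policy-derived; always confirm with ls -Z first.
suggest_fix() {
    case "$1" in
        user_home_dir_t|user_home_t|home_root_t)
            echo "setsebool -P ftp_home_dir on" ;;
        public_content_t)
            echo "chcon -t public_content_rw_t <dir> && setsebool -P allow_ftpd_anon_write on (internal only)" ;;
        default_t|unlabeled_t|file_t)
            echo "restorecon -vvr <dir>" ;;
        *)
            echo "inspect with ls -Z; persistent custom label via semanage fcontext + restorecon" ;;
    esac
}

# Stand-alone demo over the constructed sample.
log=$(mktemp)
write_sample_audit_log "$log"
ftpd_denials "$log" | while read -r perm tclass name ttype; do
    printf '%-16s %-5s %-12s %-20s -> %s\n' \
        "$perm" "$tclass" "$name" "$ttype" "$(suggest_fix "$ttype")"
done
rm -f "$log"
```

On a live CentOS box, point ftpd_denials at /var/log/audit/audit.log after retrying the upload; the httpd_t and SYSCALL records are filtered out so only the vsftpd-related denials are listed, each with the boolean or relabel step to try next.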
