ahadley n00b
Joined: 08 Jan 2004 Posts: 45 Location: UK
|
Posted: Sun Jan 09, 2005 12:40 pm Post subject: ftp server (vsftpd) anon write access [solved] |
|
|
I am running (just setting up) vsftpd to allow anonymous write access (so people can upload pictures in bulk for a gallery site...), however, I can have anon log on, and ls and the like, but cannot mkdir or put unless I chmod the ftp folder to 777 on the server; 775 or 755 won't let anonymous do that.
Now, I am fairly new to the server game, and am concerned that 777ing it would allow anon users to execute scripts on my server. Am I right in this, and if so does anyone have any suggestions?
thanks in advance,
alex _________________ Common sense is the collection of prejudices acquired by age eighteen.
Albert Einstein
Last edited by ahadley on Wed Jan 12, 2005 3:16 pm; edited 1 time in total |
benjones n00b
Joined: 15 Mar 2003 Posts: 14 Location: London
|
Posted: Sun Jan 09, 2005 1:59 pm Post subject: re: ftp server (vsftpd) anon write access |
|
|
Make sure anon_upload_enable and write_enable are set in vsftpd.conf. Set anon_mkdir_write_enable if you want users to be able to create directories. Then just chown the ftp area so that the ftp user (or something else if you set it with ftp_username in vsftpd.conf) has write access, and you should be ok. No need for 777. |
ahadley n00b
Joined: 08 Jan 2004 Posts: 45 Location: UK
|
Posted: Mon Jan 10, 2005 12:11 am Post subject: |
|
|
I tried chown /path/to/ftp/area to ftp_user and also tried to ftp_group (both exist and have been entered in the conf) but to no avail.
Code: |
anonymous_enable=YES
#local_enable=YES
write_enable=YES
local_umask=077
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
connect_from_port_20=YES
# recommended!
#chown_uploads=YES
#chown_username=whoever
xferlog_enable=YES
#xferlog_std_format=YES
xferlog_file=/server/ftp/vsftpd.log
#idle_session_timeout=600
#data_connection_timeout=120
nopriv_user=ftp_user
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/vsftpd.banned_emails
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
#ls_recurse_enable=YES
anon_root=/path/to/ftp/area
|
I have also tried various chowns, currently:
Code: |
ls -l
drwxrwxr-x 3 ftp_user ftp_group 160 Jan 9 12:25 ftp
|
but to no avail either.
I apologise for being a pain,
and thanks for the help thus far.
Alex
benjones n00b
Joined: 15 Mar 2003 Posts: 14 Location: London
|
Posted: Mon Jan 10, 2005 10:08 pm Post subject: |
|
|
Hmmm, from man vsftpd.conf -
Code: |
ftp_username
This is the name of the user we use for handling anonymous FTP.
The home directory of this user is the root of the anonymous FTP
area.
Default: ftp
|
You seem to have your ftp dir chowned to ftp_user. How about adding:
Code: |
ftp_username=ftp_user
|
I see that you've set nopriv_user to ftp_user, but that is the user that vsftpd itself drops to when it doesn't need to run as root. |
ahadley n00b
Joined: 08 Jan 2004 Posts: 45 Location: UK
|
Posted: Tue Jan 11, 2005 12:07 pm Post subject: |
|
|
Cheers for the insight,
I set
and also added
Code: | ftp_username=ftp_user |
but now have a privileges problem:
When logging on with ftp folder as anything such as 700, 755, 777 or the like it gives:
Code: | 500 OOPS: vsftpd: refusing to run with writable anonymous root
Login failed.
|
but logging on as anything like 500 lets me get on but won't even let me ls or mkdir or the like... e.g.
Code: | ls
Transfer done (but failed to open directory). |
The only way I can find to work is to:
Code: | chmod 500 ftp
ftp localhost
chmod 700 ftp (whilst ftp'd on in another session) |
that way I can get on and also actually do stuff when on...
but this obviously isn't possible for remote users
benjones n00b
Joined: 15 Mar 2003 Posts: 14 Location: London
|
Posted: Wed Jan 12, 2005 9:06 am Post subject: |
|
|
Oh yeah, your ftp / can't be writeable, I think vsftpd considers that insecure (and it is the very secure ftpd after all). Create an /incoming, and allow that to be writeable by ftp_user.
See the third Q in the FAQ at www.polarhome.com:793/manual/vsftpd-1.1.3/FAQ |
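The layout described in the reply above, as an added example that is not part of the original thread: a read-only anonymous root with an owner-writable `incoming` directory beneath it, plus a check for the condition behind the "writable anonymous root" error. The 555/755 modes and the "no write bit for anyone" test are assumptions (a conservative reading of the error), and `FTP_USER` defaults to the thread's `ftp_user`.

```shell
#!/bin/sh
# Added example: layout and audit for a vsftpd anonymous upload area.
# Assumptions: FTP_USER matches ftp_username in vsftpd.conf; modes 555/755.
FTP_USER=${FTP_USER:-ftp_user}

# Print the 10-character mode string (e.g. dr-xr-xr-x) of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create ROOT as a read-only anon root with a writable ROOT/incoming.
make_anon_layout() {
    root=$1
    mkdir -p "$root/incoming" || return 1
    chmod 755 "$root/incoming"   # owner may write, everyone else may only list
    chmod 555 "$root"            # no write bit for anyone on the anon root
    # Ownership changes need root and an existing account; skipped otherwise.
    if [ "$(id -u)" -eq 0 ] && id "$FTP_USER" >/dev/null 2>&1; then
        chown root "$root"
        chown "$FTP_USER" "$root/incoming"
    fi
}

# Return 0 when the layout is sane, 1 (reason on stderr) otherwise.
audit_anon_layout() {
    root=$1
    # Write bits sit at characters 3 (owner), 6 (group) and 9 (other).
    case $(mode_of "$root") in
        d?w*|d????w*|d???????w*)
            echo "anon root $root is writable" >&2
            return 1 ;;
    esac
    case $(mode_of "$root/incoming") in
        d?w*) ;;
        *)  echo "$root/incoming is missing or not owner-writable" >&2
            return 1 ;;
    esac
    return 0
}
```

Run `make_anon_layout` as root against the `anon_root` path so the ownership step applies, then have uploaders change into `incoming` before `put` or `mkdir`.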
ahadley n00b
Joined: 08 Jan 2004 Posts: 45 Location: UK
|
Posted: Wed Jan 12, 2005 3:16 pm Post subject: |
|
|
Thank you indeed... this was the key information I was looking for,
sorry for not being a little more sensible... oh well, we live and learn,
Thanks,
Alex
ahadley n00b
Joined: 08 Jan 2004 Posts: 45 Location: UK
|
Posted: Wed Jan 12, 2005 3:17 pm Post subject: |
|
|
have changed title to solved to reflect this fact.
thanks again Ben