Configuring vsftpd for anonymous user upload and download

  • 2020-08-22 23:19:37
  • OfStack

Many people cannot get upload and download working in vsftpd with anonymous users (or cannot create directories, delete, or rename folders), so this article covers how to configure vsftpd's anonymous user permissions.

The configuration has 3 parts; please go through them one by one:

1. vsftpd.conf file configuration (vi /etc/vsftpd/vsftpd.conf)

# Allow anonymous users to log in to FTP
anonymous_enable=YES
# Enable upload permission for anonymous users
anon_upload_enable=YES
# Enable create-directory permission for anonymous users
anon_mkdir_write_enable=YES
# Enable delete and rename permissions for anonymous users (if needed)
anon_other_write_enable=YES
# umask for anonymous users (add it yourself if necessary). Meaning: with a umask of 022, a file created with permissions 666 actually gets 666-022=644
anon_umask=022

2. ftp directory permission settings

By default, the root directory of ftp is /var/ftp, and for security purposes, this directory is not allowed to be set to 777 permissions by default, otherwise ftp will not be accessible. But if we want to upload files anonymously, we need "other" users' write permission. The correct way to do it is:

Create an upload folder (choose the name yourself) in /var/ftp and set that folder's permissions to 777 (as required). Inside the upload folder, anonymous users can upload files, create folders, delete files and so on.

vsftpd has tightened its security checks: if a user is restricted to their home directory, that home directory can no longer have write permissions.

You can use the command chmod a-w /var/ftp to remove write permissions from the user's home directory.

At this point, anonymous upload and download in vsftpd should work. If not, the problem is the one described next.

3. Configuration of selinux

SELinux (Security-Enhanced Linux) is the National Security Agency's (NSA) implementation of mandatory access control and is the most prominent new security subsystem on Linux. NSA developed this access control system with the help of the Linux community. Under it, a process can only access the files it needs for its tasks. SELinux is installed by default on Fedora and Red Hat Enterprise Linux, and is also available as an easy-to-install package on other distributions.

The easiest way is to turn SELinux off.

Method 1: Use the command setenforce 0 without restarting. (setenforce format: setenforce [Enforcing | Permissive | 1 | 0])

Method 2: Add selinux=0 to the boot parameters of lilo or grub; this also turns SELinux off.

Use getenforce to see if selinux is currently running.

If you do not turn SELinux off, set the ftp permissions in SELinux instead.

1. Use getsebool -a | grep ftp to check the current ftp settings. We will set allow_ftpd_anon_write to on.

2. Use setsebool -P to set it. Example: setsebool -P allow_ftpd_anon_write=on.

Or use togglesebool to flip the boolean value, for example togglesebool allow_ftpd_anon_write.

3. To modify the selinux security context, first introduce two commands:

Command 1: ls -Z, ps -Z and id -Z show the SELinux properties of a file, a process and a user, respectively.

Command 2: chcon changes the SELinux security context.

chcon -u [user] -r [role] -t [type] [-R] object    # -R applies the change recursively
chcon --reference source-file target-file          # copy the security context

Usage:

Step 1: ls -Zd /var/ftp/upload/ will usually show:

drwxr-xr-x ftp root system_u:object_r:public_content_t /var/ftp/upload/

Step 2: chcon -R -t public_content_rw_t /var/ftp/upload/

Step 3: ls -Zd /var/ftp/upload/ confirms the change went OK if you see the following:

drwxr-xr-x ftp root system_u:object_r:public_content_rw_t /var/ftp/upload/

Finally, restart SELinux and vsftpd. It doesn't matter if you don't restart them; logging back in to ftp should fix the problem.

Also, the SELinux graphical interface can be opened with the system-config-selinux command.
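
The three parts above (vsftpd.conf, directory permissions, SELinux) can be checked in one pass before testing with an FTP client. This script is an added example, not part of the original article; the function names are hypothetical, and the write_enable check is taken from the vsftpd.conf man page rather than from the article's list.

```bash
#!/usr/bin/env bash
# Added example, not the article's code: checks parts 1-3 of the setup above.

conf_value() {  # conf_value FILE KEY -> value of KEY=..., empty if absent
  # Assumption: when a directive is repeated, the last assignment is used.
  sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1
}

mode_of() {     # mode_of PATH -> first 10 characters of ls -ld, e.g. drwxrwxrwx
  ls -ld "$1" 2>/dev/null | cut -c1-10
}

audit_files() { # audit_files CONF FTP_ROOT UPLOAD_DIR -> findings on stdout
  local conf="$1" root="$2" up="$3" rc=0 key
  # write_enable is not in the article's list; the vsftpd.conf man page says
  # anon_upload_enable only works when write_enable is activated.
  for key in anonymous_enable write_enable anon_upload_enable anon_mkdir_write_enable; do
    [ "$(conf_value "$conf" "$key")" = YES ] || { echo "CONF $key is not set to YES"; rc=1; }
  done
  case "$(mode_of "$root")" in
    d?-??-??-?*) ;;  # no write bit for user, group or other
    *) echo "ROOT $root is missing or writable (chmod a-w $root)"; rc=1 ;;
  esac
  case "$(mode_of "$up")" in
    d???????w?*) ;;  # "other" may write, as part 2 requires
    *) echo "UPLOAD $up is missing or not writable by other"; rc=1 ;;
  esac
  return $rc
}

audit_selinux() { # audit_selinux UPLOAD_DIR -> only runs when SELinux is enforcing
  [ "$(getenforce 2>/dev/null)" = Enforcing ] || { echo "SELINUX not enforcing, skipped"; return 0; }
  getsebool allow_ftpd_anon_write | grep -q -- '--> on$' || echo "SELINUX allow_ftpd_anon_write is off"
  ls -Zd "$1" | grep -q public_content_rw_t || echo "SELINUX $1 lacks public_content_rw_t"
}

# Run only when three paths are given, e.g. the article's defaults:
#   ./audit.sh /etc/vsftpd/vsftpd.conf /var/ftp /var/ftp/upload
if [ $# -eq 3 ]; then
  audit_files "$@"
  audit_selinux "$3"
fi
```

No output from audit_files means the file-level settings match the article; each finding line names the part (CONF, ROOT, UPLOAD, SELINUX) that still needs attention.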

