Chapter 4. File Transfer Protocol
The Very Secure FTP Daemon (vsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. Its ability to handle large numbers of connections efficiently and securely is why vsftpd is the only stand-alone FTP server distributed with Red Hat Enterprise Linux.
Run the rpm -q vsftpd command to see if vsftpd is installed:
rpm -q vsftpd
If it is not installed, run the following command as the root user to install it:
yum install vsftpd
4.1. FTP and SELinux
The vsftpd FTP daemon runs confined by default. SELinux policy defines how vsftpd interacts with files, processes, and with the system in general. For example, when an authenticated user logs in via FTP, they cannot read from or write to files in their home directories: SELinux prevents vsftpd from accessing user home directories by default. Also, by default, vsftpd does not have access to NFS or CIFS volumes, and anonymous users do not have write access, even if such write access is configured in /etc/vsftpd/vsftpd.conf. Booleans can be enabled to allow each of these kinds of access. The following steps show the denial that results when an authenticated user logs in under the default policy, and how to resolve it.
- Run the rpm -q ftp command to see if the ftp package is installed. If it is not, run the yum install ftp command as the root user to install it.
- Run the rpm -q vsftpd command to see if the vsftpd package is installed. If it is not, run the yum install vsftpd command as the root user to install it.
- In Red Hat Enterprise Linux, vsftpd only allows anonymous users to log in by default. To allow authenticated users to log in, edit /etc/vsftpd/vsftpd.conf as the root user. Make sure the local_enable=YES option is uncommented:
# Uncomment this to allow local users to log in.
local_enable=YES
- Run the service vsftpd start command as the root user to start vsftpd. If the service was already running before you edited vsftpd.conf, run the service vsftpd restart command as the root user instead, so that the configuration changes are applied:
service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
- Run the ftp localhost command as the user you are currently logged in with. When prompted for your name, make sure your user name is displayed. If the correct user name is displayed, press Enter; otherwise, enter the correct user name:
ftp localhost
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.1.0)
Name (localhost:username):
331 Please specify the password.
Password: Enter your password
500 OOPS: cannot change directory:/home/username
Login failed.
ftp>
- An SELinux denial similar to the following is logged:
setroubleshoot: SELinux is preventing the ftp daemon from reading users home directories (username). For complete SELinux messages. run sealert -l c366e889-2553-4c16-b73f-92f36a1730ce
Running the sealert -l command with the ID from the message prints the full explanation, including the Boolean that would allow the access. The raw AVC denial is also recorded in /var/log/audit/audit.log.
- Access to home directories has been denied by SELinux. This can be fixed by enabling the ftp_home_dir Boolean. Enable it by running the following command as the root user:
setsebool -P ftp_home_dir=1
Note: Do not use the -P option if you do not want the change to persist across reboots. Also note that this Boolean grants vsftpd access to every user's home directory, not only the one named in the denial; enable it only if local FTP users genuinely need that access.
- Try to log in again. Now that SELinux is allowing access to home directories via the ftp_home_dir Boolean, logging in will succeed.
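The procedure above finds the mismatch between vsftpd.conf and SELinux policy only after a login fails. The following script, added here as an example and not part of the Red Hat guide, checks for the same class of mismatch ahead of time: it reads the effective options from a vsftpd.conf and the Boolean states from getsebool -a output, and reports every setting the policy would silently block (home-directory access for local users, and anonymous writes, as described in Section 4.1). The Boolean names allow_ftpd_anon_write and ftp_home_dir are the Red Hat Enterprise Linux 6 names and are an assumption here; confirm them on your system with getsebool -a | grep ftp. The sample configuration and Boolean listing at the bottom are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: cross-check vsftpd.conf against the
# SELinux Booleans that gate what the confined vsftpd daemon may do, so a setting
# SELinux will block is reported before users hit "500 OOPS: cannot change directory".
# Boolean names are the RHEL 6 names (assumption; confirm with: getsebool -a | grep ftp).

# conf_value FILE OPTION: print the effective (last uncommented) value of OPTION.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# bool_state FILE NAME: print on/off for NAME from "getsebool -a" output, else "missing".
bool_state() {
    state=$(sed -n "s/^$2 --> //p" "$1")
    if [ -n "$state" ]; then printf '%s\n' "$state"; else echo missing; fi
}

# check_ftp_selinux CONF BOOLS: print one line per vsftpd setting that the current
# Boolean state will block; the return value is the number of such settings.
check_ftp_selinux() {
    conf=$1; bools=$2; issues=0

    # Authenticated logins need ftp_home_dir, otherwise the chdir to $HOME is denied.
    if [ "$(conf_value "$conf" local_enable)" = "YES" ] \
       && [ "$(bool_state "$bools" ftp_home_dir)" != "on" ]; then
        echo "local_enable=YES but ftp_home_dir is $(bool_state "$bools" ftp_home_dir): fix with setsebool -P ftp_home_dir=1"
        issues=$((issues + 1))
    fi

    # Anonymous uploads/mkdir are denied unless allow_ftpd_anon_write is on,
    # even though vsftpd.conf permits them.
    if { [ "$(conf_value "$conf" anon_upload_enable)" = "YES" ] \
         || [ "$(conf_value "$conf" anon_mkdir_write_enable)" = "YES" ]; } \
       && [ "$(bool_state "$bools" allow_ftpd_anon_write)" != "on" ]; then
        echo "anonymous write is enabled in vsftpd.conf but allow_ftpd_anon_write is $(bool_state "$bools" allow_ftpd_anon_write): fix with setsebool -P allow_ftpd_anon_write=1"
        issues=$((issues + 1))
    fi
    return $issues
}

# Constructed sample input (not captured from a real host) so the check runs offline.
tmp=$(mktemp -d)
demo_conf=$tmp/vsftpd.conf
demo_bools=$tmp/getsebool.out
cat > "$demo_conf" <<'EOF'
anonymous_enable=YES
# Uncomment this to allow local users to log in.
local_enable=YES
write_enable=YES
anon_upload_enable=YES
#anon_mkdir_write_enable=YES
EOF
cat > "$demo_bools" <<'EOF'
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
EOF

# Reports both the home-directory and the anonymous-write mismatch for the sample above.
check_ftp_selinux "$demo_conf" "$demo_bools" \
    || echo "$? setting(s) will be blocked by SELinux policy"
```

On a live system, replace the constructed files with the real ones: save getsebool -a output to a file and run check_ftp_selinux /etc/vsftpd/vsftpd.conf on it. The check only covers the two Booleans the page discusses by name; NFS and CIFS exports served over FTP need the corresponding allow_ftpd_use_nfs and allow_ftpd_use_cifs Booleans in the same way.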