2.2.6.2. Anonymous Access

Procedure 2.1. Anonymous Upload

1. To allow anonymous users to upload files, it is recommended to create a write-only directory within the /var/ftp/pub/ directory. Run the following command as root to create such directory named /upload/:

   ~]# mkdir /var/ftp/pub/upload

2. Next, change the permissions so that anonymous users cannot view the contents of the directory:

   ~]# chmod 730 /var/ftp/pub/upload

   A long format listing of the directory should look like this:

   ~]# ls -ld /var/ftp/pub/upload
   drwx-wx---. 2 root ftp 4096 Nov 14 22:57 /var/ftp/pub/upload

   Note

   Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software.
3. Under vsftpd, add the following line to the /etc/vsftpd/vsftpd.conf file:

   anon_upload_enable=YES

4. In Red Hat Enterprise Linux, the SELinux is running in Enforcing mode by default. Therefore, the allow_ftpd_anon_write Boolean must be enabled in order to allow vsftpd to upload files:

   ~]# setsebool -P allow_ftpd_anon_write=1

5. Label the /upload/ directory and its files with the public_content_rw_t SELinux context:

   ~]# semanage fcontext -a -t public_content_rw_t '/var/ftp/pub/upload(/.*)'

   Note

   The semanage utility is provided by the policycoreutils-python package, which is not installed by default. To install it, use the following command as root:

   ~]# yum install policycoreutils-python

6. Use the restorecon utility to change the type of /upload/ and its files:

   ~]# restorecon -R -v /var/ftp/pub/upload

   The directory is now properly labeled with public_content_rw_t so that SELinux in Enforcing mode allows anonymous users to upload files to it:

   ~]$ ls -dZ /var/ftp/pub/upload
   drwx-wx---. root root unconfined_u:object_r:public_content_t:s0 /var/ftp/pub/upload/
   

   For further information about using SELinux, see the Security-Enhanced Linux User Guide and Managing Confined Services guides.