I need to deploy an FTP server for intranet use (anonymous only) and I've selected vsftpd, which seems to be easy to configure. Here's my configuration:

```
listen=YES
local_enable=NO
write_enable=YES

anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
no_anon_password=YES

anon_root=/srv/ftp/anon
```

And the directory permissions:

```
drwxr-xr-x  3 root root 4096 déc.  20 16:00 srv
r-xr-xr-x  3 root root 4096 déc.  20 16:03 ftp
dr-xr-xr-x 2 root root 4096 déc.  20 16:03 anon
```

With this configuration I'm able to connect as anonymous, browse the content of /srv/ftp/anon and download files, but I'm unable to upload anything, create folders or delete files (errors 530 & 550). The vsftpd log file is not very explicit and didn't help. I've also tried to change anon to 777, but it results in `500 OOPS: vsftpd: refusing to run with writable root inside chroot()` when I try to connect to the server.

Thank you :)

1 Answer

It seems that vsftpd is trying to chroot to the /srv/ftp/anon directory. In this case, it's trying to prevent you from shooting yourself in the foot by refusing to write there (yes, they know what they are doing and why).

So you had better set up a directory structure where there is a read-only directory and the writable one is inside it, e.g. /srv/ftp would be writable only by root, and this will be the anon_root. Make another one, let's say /srv/ftp/public, and `chown ftp /srv/ftp/public` (or to whatever user vsftpd is using). I am using a few more directives in a similar scenario:

```
allow_writeable_chroot=YES
nopriv_user=ftp
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
```
d.c.
  • Seems to work, thanks, but can't I be directly in the anon directory when I connect as anonymous? – codingNoob Dec 21 '20 at 12:46
  • You can give up write support or you can (try to) make vsftpd not chroot. – d.c. Dec 21 '20 at 21:49
  • I removed `secure_chroot_dir` from the example, as it is not related to the problem and shall be set otherwise (e.g. `/usr/share/empty`) or left out to have a compile-time default value. – d.c. Dec 21 '20 at 21:52
  • Well, I've tried to remove `anon_root=/srv/ftp/anon` and change permissions for the ftp home directory (/srv/ftp) and got the same error: 500.. Maybe what I want to do is not possible using the VSFTPD package – codingNoob Dec 23 '20 at 22:41
  • Well, the question IMHO shrinks to a not-so-simple one: can we force vsftpd not to chroot the ftp/anonymous user? `anon_root` is all right. The home of the ftp user shouldn't be the login dir anyway. I haven't found any specific directive to tell vsftpd not to chroot the anonymous user. I may have a look into the source code, but later... – d.c. Dec 24 '20 at 12:57
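
The layout suggested in the answer (an `anon_root` the FTP user cannot write to, with a writable subdirectory inside it) can be audited before vsftpd is pointed at it. The following is an added example, not part of the original thread: it judges by mode bits and ownership, and runs against a throwaway directory so it needs no root. The function names are hypothetical and GNU `stat`/`id` are assumed.

```shell
#!/bin/sh
# Added example. Assumes GNU stat/id (Linux); all function names are hypothetical.

# writable_by UID DIR: succeed if UID's permission class on DIR has the write bit.
writable_by() {
    uid=$1; dir=$2
    set -- $(stat -c '%u %g %a' "$dir")          # owner uid, group gid, octal mode
    perms=$(printf '%03d' "$(($3 % 1000))")      # drop any setuid/setgid/sticky digit
    o=${perms%??}; w=${perms#??}; g=${perms#?}; g=${g%?}
    if [ "$uid" = "$1" ]; then bits=$o
    elif id -G "$uid" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"; then bits=$g
    else bits=$w; fi
    [ $((bits & 2)) -ne 0 ]
}

# check_anon_layout UID ANON_ROOT UPLOAD_DIR: print findings, return the problem count.
check_anon_layout() {
    ftp_uid=$1; root=$2; upload=$3; problems=0
    if writable_by "$ftp_uid" "$root"; then
        echo "FAIL: $root is writable by uid $ftp_uid (the 'writable root inside chroot()' case)"
        problems=$((problems + 1))
    fi
    if ! writable_by "$ftp_uid" "$upload"; then
        echo "FAIL: $upload is not writable by uid $ftp_uid (uploads will be refused)"
        problems=$((problems + 1))
    fi
    case $upload in
        "$root"/*) ;;
        *) echo "FAIL: $upload is not inside $root"; problems=$((problems + 1)) ;;
    esac
    return $problems
}

# demo ROOT_MODE UPLOAD_MODE: build a constructed layout in a temp dir and audit it
# as the current user, who stands in for the ftp user here.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/ftp/public"
    chmod "$2" "$base/ftp/public"; chmod "$1" "$base/ftp"
    rc=0; check_anon_layout "$(id -u)" "$base/ftp" "$base/ftp/public" || rc=$?
    chmod -R u+w "$base"; rm -rf "$base"
    return $rc
}

demo 555 755 && echo "OK: read-only root with a writable subdirectory"
demo 777 755 || echo "-> $? problem(s) with a 777 root"
```

On a real server, call `check_anon_layout "$(id -u ftp)" /srv/ftp /srv/ftp/public`, substituting whichever account vsftpd runs anonymous sessions as.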