
11.4. File Transfer Protocol

From the Red Hat Enterprise Linux 5 Deployment Guide:
File Transfer Protocol (FTP) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system. It allows users to access files on remote systems using a standard set of simple commands.[32]
The Very Secure FTP Daemon (vsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. Its ability to handle large numbers of connections efficiently and securely is why vsftpd is the only stand-alone FTP distributed with Red Hat Enterprise Linux.[33]
In Fedora, the vsftpd package provides the Very Secure FTP daemon. Run rpm -q vsftpd to see if vsftpd is installed:
$ rpm -q vsftpd
If you want an FTP server and the vsftpd package is not installed, run the following command as the root user to install it:
yum install vsftpd

11.4.1. FTP and SELinux

When running SELinux, the FTP server, vsftpd, runs confined by default. SELinux policy defines how vsftpd interacts with files, processes, and with the system in general. For example, when an authenticated user logs in via FTP, they cannot read from or write to files in their home directory: SELinux prevents vsftpd from accessing user home directories by default. Also, by default, vsftpd does not have access to NFS or CIFS file systems, and anonymous users do not have write access, even if such write access is configured in /etc/vsftpd/vsftpd.conf. Booleans can be turned on to allow each of these kinds of access.
The following example demonstrates an authenticated user logging in, and an SELinux denial when trying to view files in their home directory:
  1. Run rpm -q vsftpd to see if the vsftpd package is installed. If it is not, run yum install vsftpd as the root user to install it.
  2. In Fedora, vsftpd only allows anonymous users to log in by default. To allow authenticated users to log in, edit /etc/vsftpd/vsftpd.conf as the root user. Uncomment the local_enable=YES option:
    # Uncomment this to allow local users to log in.
    local_enable=YES
    
  3. Run service vsftpd start as the root user to start vsftpd. If the service was running before editing vsftpd.conf, run service vsftpd restart as the root user to apply the configuration changes:
    service vsftpd start
    Starting vsftpd for vsftpd:                                [  OK  ]
    
  4. Run ftp localhost as the user you are currently logged in with. When prompted for your name, make sure your username is displayed. If the correct username is displayed, press Enter; otherwise, enter the correct username:
    $ ftp localhost
    Connected to localhost (127.0.0.1).
    220 (vsFTPd 2.1.0)
    Name (localhost:username):
    331 Please specify the password.
    Password: Enter your password
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>
    
  5. Run the ls command from the ftp prompt. With the ftp_home_dir Boolean off, SELinux prevents vsftpd access to home directories, resulting in this command failing to return a directory listing:
    ftp> ls
    227 Entering Passive Mode (127,0,0,1,225,210).
    150 Here comes the directory listing.
    226 Transfer done (but failed to open directory).
    
    An SELinux denial similar to the following is logged to /var/log/messages:
    setroubleshoot: SELinux is preventing the ftp daemon from reading users home directories (username). For complete SELinux messages. run sealert -l c366e889-2553-4c16-b73f-92f36a1730ce
    
  6. Enable the ftp_home_dir Boolean by running the following command as the root user:
    # setsebool -P ftp_home_dir=1
    
    Note
    Do not use the -P option if you do not want changes to persist across reboots.

    Run the ls command again from the ftp prompt. Now that SELinux is allowing home directory browsing via the ftp_home_dir Boolean, the directory is displayed:
    ftp> ls
    227 Entering Passive Mode (127,0,0,1,56,215).
    150 Here comes the directory listing.
    -rw-rw-r--    1 501      501             0 Mar 30 09:22 file1
    -rw-rw-r--    1 501      501             0 Mar 30 09:22 file2
    226 Directory Send OK.
    ftp>
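The procedure above diagnoses the ftp_home_dir denial by hand. The following added example (not part of the Fedora guide) scripts the same check: it reads local_enable from a constructed vsftpd.conf fragment, compares it with the ftp_home_dir Boolean (falling back to a supplied value where getsebool is absent), and extracts the sealert ID from a copy of the logged setroubleshoot message.

```shell
#!/bin/sh
# Added example: cross-check vsftpd.conf against the ftp_home_dir Boolean so the
# "failed to open directory" symptom is caught before users hit it, and pull the
# sealert ID out of the logged denial for follow-up with sealert -l.

# Constructed vsftpd.conf fragment with local_enable uncommented, as in step 2.
SAMPLE_CONF='# Uncomment this to allow local users to log in.
local_enable=YES
anonymous_enable=YES'

# Constructed copy of the setroubleshoot line from /var/log/messages in step 5.
SAMPLE_LOG='setroubleshoot: SELinux is preventing the ftp daemon from reading users home directories (username). For complete SELinux messages. run sealert -l c366e889-2553-4c16-b73f-92f36a1730ce'

# Print the effective value of OPTION ($2) in the vsftpd.conf text ($1).
# Commented-out lines are skipped; the last assignment wins, as in vsftpd.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\([^[:space:]]*\).*/\1/p" | tail -n 1
}

# Current state (on/off) of the SELinux Boolean $1. Falls back to the value in
# $2 when getsebool is unavailable, so the check also runs on hosts without it.
boolean_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool "$1" | awk '{print $NF}'
    else
        printf '%s\n' "$2"
    fi
}

# Extract the sealert ID from a setroubleshoot log line.
sealert_id() {
    printf '%s\n' "$1" | sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p'
}

# Return 0 when vsftpd.conf ($1) and the ftp_home_dir state ($2) agree, 1 when
# local logins are enabled but SELinux will still block home directory access.
check_ftp_home_dir() {
    if [ "$(conf_value "$1" local_enable)" = "YES" ] && [ "$2" = "off" ]; then
        echo "local_enable=YES but ftp_home_dir is off: fix with 'setsebool -P ftp_home_dir=1'"
        return 1
    fi
    echo "vsftpd.conf and ftp_home_dir are consistent"
}

check_ftp_home_dir "$SAMPLE_CONF" "$(boolean_state ftp_home_dir off)" || :
echo "Denial report: sealert -l $(sealert_id "$SAMPLE_LOG")"
```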
[32] The first paragraph of "Chapter 23. FTP" of the Red Hat Enterprise Linux 5 Deployment Guide: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-ftp.html. Copyright © 2007 Red Hat, Inc.
[33] The first paragraph of the "23.2.1. vsftpd" section of the Red Hat Enterprise Linux 5 Deployment Guide: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-ftp-servers.html#s2-ftp-servers-vsftpd. Copyright © 2007 Red Hat, Inc.