Red Hat Summit4.4. Configuration Examples
4.4.1. Uploading to an FTP site
Copy linkLink copied to clipboard!
The following example creates an FTP site that allows a dedicated user to upload files. It creates the directory structure and the required SELinux configuration changes:
- Run the
setsebool ftp_home_dir=1command as the root user to enable access to FTP home directories. - Run the
mkdir -p /myftp/pubcommand as the root user to create a new top-level directory. - Set Linux permissions on the
/myftp/pub/directory to allow a Linux user write access. This example changes the owner and group from root to owneruser1and group root. Replaceuser1with the user you want to give write access to:chown user1:root /myftp/pub chmod 775 /myftp/pub
~]# chown user1:root /myftp/pub ~]# chmod 775 /myftp/pubCopy to Clipboard Copied! Toggle word wrap Toggle overflow Thechowncommand changes the owner and group permissions. Thechmodcommand changes the mode, allowing theuser1user read, write, and execute permissions, and members of the root group read, write, and execute permissions. Everyone else has read and execute permissions, which allows the Apache HTTP Server to read files from this directory. - When running SELinux, files and directories must be labeled correctly to allow access. Setting Linux permissions is not enough. Files labeled with the
public_content_ttype allow them to be read by FTP, Apache HTTP Server, Samba, and rsync. Files labeled with thepublic_content_rw_ttype can be written to by FTP. Other services, such as Samba, require Booleans to be set before they can write to files labeled with thepublic_content_rw_ttype. Label the top-level directory (/myftp/) with thepublic_content_ttype, to prevent copied or newly-created files under/myftp/from being written to or modified by services. Run the following command as the root user to add the label change to file-context configuration:semanage fcontext -a -t public_content_t /myftp
~]# semanage fcontext -a -t public_content_t /myftpCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Run the
restorecon -R -v /myftp/command to apply the label change:restorecon -R -v /myftp/
~]# restorecon -R -v /myftp/ restorecon reset /myftp context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Confirm
/myftpis labeled with thepublic_content_ttype, and/myftp/pub/is labeled with thedefault_ttype:ls -dZ /myftp/ ls -dZ /myftp/pub/
~]$ ls -dZ /myftp/ drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /myftp/ ~]$ ls -dZ /myftp/pub/ drwxrwxr-x. user1 root unconfined_u:object_r:default_t:s0 /myftp/pub/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - FTP must be allowed to write to a directory before users can upload files via FTP. SELinux allows FTP to write to directories labeled with the
public_content_rw_ttype. This example uses/myftp/pub/as the directory FTP can write to. Run the following command as the root user to add the label change to file-context configuration:semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"
~]# semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Run the
restorecon -R -v /myftp/pubcommand as the root user to apply the label change:restorecon -R -v /myftp/pub
~]# restorecon -R -v /myftp/pub restorecon reset /myftp/pub context system_u:object_r:default_t:s0->system_u:object_r:public_content_rw_t:s0Copy to Clipboard Copied! Toggle word wrap Toggle overflow - The
allow_ftpd_anon_writeBoolean must be on to allowvsftpdto write to files that are labeled with thepublic_content_rw_ttype. Run the following command as the root user to enable this Boolean:setsebool -P allow_ftpd_anon_write on
~]# setsebool -P allow_ftpd_anon_write onCopy to Clipboard Copied! Toggle word wrap Toggle overflow Do not use the-Poption if you do not want changes to persist across reboots.
The following example demonstrates logging in via FTP and uploading a file. This example uses the
user1 user from the previous example, where user1 is the dedicated owner of the /myftp/pub/ directory:
- Run the
cd ~/command to change into your home directory. Then, run themkdir myftpcommand to create a directory to store files to upload via FTP. - Run the
cd ~/myftpcommand to change into the~/myftp/directory. In this directory, create anftpuploadfile. Copy the following contents into this file:File upload via FTP from a home directory.
File upload via FTP from a home directory.Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Run the
getsebool allow_ftpd_anon_writecommand to confirm theallow_ftpd_anon_writeBoolean is on:getsebool allow_ftpd_anon_write
~]$ getsebool allow_ftpd_anon_write allow_ftpd_anon_write --> onCopy to Clipboard Copied! Toggle word wrap Toggle overflow If this Boolean is off, run thesetsebool -P allow_ftpd_anon_write oncommand as the root user to enable it. Do not use the-Poption if you do not want the change to persist across reboots. - Run the
service vsftpd startcommand as the root user to startvsftpd:service vsftpd start
~]# service vsftpd start Starting vsftpd for vsftpd: [ OK ]Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Run the
ftp localhostcommand. When prompted for a user name, enter the user name of the user who has write access, then, enter the correct password for that user:Copy to Clipboard Copied! Toggle word wrap Toggle overflow The upload succeeds as theallow_ftpd_anon_writeBoolean is enabled.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}