Red Hat Summit2.2.6.2. Anonymous Access
The presence of the
/var/ftp/ directory activates the anonymous account.
The easiest way to create this directory is to install the
vsftpd package. This package establishes a directory tree for anonymous users and configures the permissions on directories to read-only for anonymous users.
By default the anonymous user cannot write to any directories.
Warning
If enabling anonymous access to an FTP server, be aware of where sensitive data is stored.
Procedure 2.1. Anonymous Upload
- To allow anonymous users to upload files, it is recommended to create a write-only directory within the
/var/ftp/pub/directory. Run the following command as root to create such directory named/upload/:mkdir /var/ftp/pub/upload
~]# mkdir /var/ftp/pub/uploadCopy to Clipboard Copied! - Next, change the permissions so that anonymous users cannot view the contents of the directory:
chmod 730 /var/ftp/pub/upload
~]# chmod 730 /var/ftp/pub/uploadCopy to Clipboard Copied! A long format listing of the directory should look like this:ls -ld /var/ftp/pub/upload
~]# ls -ld /var/ftp/pub/upload drwx-wx---. 2 root ftp 4096 Nov 14 22:57 /var/ftp/pub/uploadCopy to Clipboard Copied! Note
Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software. - Under
vsftpd, add the following line to the/etc/vsftpd/vsftpd.conffile:anon_upload_enable=YES
anon_upload_enable=YESCopy to Clipboard Copied! - In Red Hat Enterprise Linux, the SELinux is running in Enforcing mode by default. Therefore, the
allow_ftpd_anon_writeBoolean must be enabled in order to allowvsftpdto upload files:setsebool -P allow_ftpd_anon_write=1
~]# setsebool -P allow_ftpd_anon_write=1Copy to Clipboard Copied! - Label the
/upload/directory and its files with thepublic_content_rw_tSELinux context:semanage fcontext -a -t public_content_rw_t '/var/ftp/pub/upload(/.*)'
~]# semanage fcontext -a -t public_content_rw_t '/var/ftp/pub/upload(/.*)'Copy to Clipboard Copied! Note
Thesemanageutility is provided by the policycoreutils-python package, which is not installed by default. To install it, use the following command as root:yum install policycoreutils-python
~]# yum install policycoreutils-pythonCopy to Clipboard Copied! - Use the
restoreconutility to change the type of/upload/and its files:restorecon -R -v /var/ftp/pub/upload
~]# restorecon -R -v /var/ftp/pub/uploadCopy to Clipboard Copied! The directory is now properly labeled withpublic_content_rw_tso that SELinux in Enforcing mode allows anonymous users to upload files to it:ls -dZ /var/ftp/pub/upload
~]$ ls -dZ /var/ftp/pub/upload drwx-wx---. root root unconfined_u:object_r:public_content_t:s0 /var/ftp/pub/upload/Copy to Clipboard Copied! For further information about using SELinux, see the Security-Enhanced Linux User Guide and Managing Confined Services guides.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}