Problem with proftpd

Good morning, I am migrating a client’s server to Rocky Linux. I have always worked with Debian and this is a new job for me on this system; however, I followed the configuration in ProFTPD just as I do in Debian and I am struggling.
I opened up the firewall and configured it to allow full access:
setsebool -P ftpd_full_access=1
however, when logging in anonymously, a message appears to check the permissions on the folder.
In the system I set the anonymous directory /ftp
I gave the folder ownership with chown -R ftp:ftp
and I also gave chmod 777 but without success. If by chance someone knows, can you help me, thank you.

First off do this to make sure selinux isn’t the problem:

setenforce 0

then try again. If you still cannot log in, then it would mean your proftpd configuration is incorrect. If you copied it directly from Debian to the system, then you shouldn’t do that. Best is to edit the Rocky configuration to replicate what you used to have on Debian. If you didn’t copy the config from one machine to another, then you can ignore that point.

If after disabling selinux temporarily with the setenforce command it starts to work, then you need to use the selinux tools to see what errors are being thrown up, so:

audit2why -a

and:

audit2allow -a

will give ideas as to what you are missing. It could be selinux contexts on /ftp since the default location is probably /var/lib/proftpd or /var/ftp or similar.

The problem is that the client does not want SELinux to be disabled, so I am getting a lot of criticism because it does not work with this on Debian.

I’m asking you to disable it temporarily so that we can find out where the problem is. This is normal during debugging. The command I gave puts it in permissive mode. Then you can check the log entries for selinux to find out whether this is the problem or whether your proftpd is misconfigured.

First, SELinux can be either disabled or enabled. If it is disabled, then it does nothing.
When SELinux is enabled, it can be either enforcing or permissive.

  • Enforcing denies access and can thus log at most the first reason for denial. You can add “allow” rules one by one until the whole service functions, but
  • Permissive does not deny the operation, but does log all steps that enforcing would have denied. Hence in permissive mode you gather the list of things to look at in one go.

The setenforce 0 and setenforce 1 toggle between enforcing and permissive modes. The idea is to gather logs in permissive mode, add rules if necessary, and then return to enforcing for production.


You can see (most) relevant(?) existing SELinux rules with:

semanage port -l | grep ftp
semanage fcontext -l | grep ftp
semanage boolean -l | grep ftp

I have used only vsftpd and cannot say anything about proftpd.

1 Like

To make it even clearer, your diagnostic steps are:

  1. Set selinux in permissive mode setenforce 0
  2. Check if you have anonymous access via proftp
  3. Set selinux back to enforcing mode setenforce 1

If point 2 failed when selinux is in permissive mode, then it means your proftpd configuration is wrong and needs fixing.

If anonymous FTP worked in point 2, then it means selinux was the problem and then you need to use the audit2why and audit2allow commands to find out the violations and then fix accordingly based on the suggestions provided with audit2allow.

1 Like

Proftpd does all kinds of security checks, not just selinux, and has different models and ways of locking down what users are allowed to do.

I assume you adjusted the configuration for the new server (not just copied from the old).

How did you install it? Maybe you built it from source, maybe not.

What exact command are you using to start it? Maybe you set it up as a systemd service, or maybe not.

Show some extracts from the logs at the exact minute you tried to connect to it. Maybe turn on debug logging.

Show the config file that you are using, and how does proftpd find this config file? Are you using something like --config /path/2/my/config.conf

Start it running and then type ‘ss -ntl’ in a new terminal

To check for selinux

rpm -q audit
ausearch -i -m AVC

Strange, the ports that I changed in proftpd did not appear, but I opened them in the firewall.

semanage port -l | grep ftp
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
ftp_port_t                     udp      989, 990
tftp_port_t                    udp      69
[root@localhost administrador]# semanage fcontext -l | grep ftp
/etc/(x)?inetd\.d/tftp                             regular file       system_u:object_r:tftpd_etc_t:s0
/etc/cron\.monthly/proftpd                         regular file       system_u:object_r:ftpd_exec_t:s0
/etc/proftpd\.conf                                 regular file       system_u:object_r:ftpd_etc_t:s0
/etc/rc\.d/init\.d/proftpd                         regular file       system_u:object_r:ftpd_initrc_exec_t:s0
/etc/rc\.d/init\.d/vsftpd                          regular file       system_u:object_r:ftpd_initrc_exec_t:s0
/srv/([^/]*/)?ftp(/.*)?                            all files          system_u:object_r:public_content_t:s0
/tftpboot                                          directory          system_u:object_r:tftpdir_t:s0
/tftpboot/.*                                       all files          system_u:object_r:tftpdir_t:s0
/usr/bin/ftpd                                      regular file       system_u:object_r:publicfile_exec_t:s0
/usr/bin/ftpdctl                                   regular file       system_u:object_r:ftpdctl_exec_t:s0
/usr/kerberos/sbin/ftpd                            regular file       system_u:object_r:ftpd_exec_t:s0
/usr/lib/misc/sftp-server                          regular file       system_u:object_r:bin_t:s0
/usr/lib/sftp-server                               regular file       system_u:object_r:bin_t:s0
/usr/lib/systemd/system/proftpd.*                  regular file       system_u:object_r:ftpd_unit_file_t:s0
/usr/lib/systemd/system/vsftpd.*                   regular file       system_u:object_r:ftpd_unit_file_t:s0
/usr/libexec/openssh/sftp-server                   regular file       system_u:object_r:bin_t:s0
/usr/libexec/webmin/vsftpd/webalizer/xfer_log      regular file       system_u:object_r:xferlog_t:s0
/usr/sbin/atftpd                                   regular file       system_u:object_r:tftpd_exec_t:s0
/usr/sbin/ftpwho                                   regular file       system_u:object_r:ftpd_exec_t:s0
/usr/sbin/in\.ftpd                                 regular file       system_u:object_r:ftpd_exec_t:s0
/usr/sbin/in\.tftpd                                regular file       system_u:object_r:tftpd_exec_t:s0
/usr/sbin/muddleftpd                               regular file       system_u:object_r:ftpd_exec_t:s0
/usr/sbin/proftpd                                  regular file       system_u:object_r:ftpd_exec_t:s0
/usr/sbin/vsftpd                                   regular file       system_u:object_r:ftpd_exec_t:s0
/var/ftp(/.*)?                                     all files          system_u:object_r:public_content_t:s0
/var/ftp/bin(/.*)?                                 all files          system_u:object_r:bin_t:s0
/var/ftp/etc(/.*)?                                 all files          system_u:object_r:etc_t:s0
/var/ftp/lib(/.*)?                                 all files          system_u:object_r:lib_t:s0
/var/ftp/lib/ld[^/]*\.so(\.[^/]*)*                 regular file       system_u:object_r:ld_so_t:s0
/var/lib/tftpboot(/.*)?                            all files          system_u:object_r:tftpdir_rw_t:s0
/var/lib/tftpboot/aarch64(/.*)?                    all files          system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/boot(/.*)?                       all files          system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/etc(/.*)?                        all files          system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/grub(/.*)?                       all files          system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/images(/.*)?                     all files          system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/images2(/.*)?                    all files          system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/memdisk                          regular file       system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/menu\.c32                        regular file       system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/ppc(/.*)?                        all files          system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/pxelinux\.0                      regular file       system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/pxelinux\.cfg(/.*)?              all files          system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/s390x(/.*)?                      all files          system_u:object_r:cobbler_var_lib_t:s0
/var/lib/tftpboot/yaboot                           regular file       system_u:object_r:cobbler_var_lib_t:s0
/var/lock/subsys/*.ftpd                            regular file       system_u:object_r:ftpd_lock_t:s0
/var/log/muddleftpd\.log.*                         regular file       system_u:object_r:xferlog_t:s0
/var/log/proftpd(/.*)?                             all files          system_u:object_r:xferlog_t:s0
/var/log/proftpd\.log                              regular file       system_u:object_r:xferlog_t:s0
/var/log/vsftpd.*                                  regular file       system_u:object_r:xferlog_t:s0
/var/run/proftpd.*                                 all files          system_u:object_r:ftpd_var_run_t:s0
[root@localhost administrador]# semanage boolean -l | grep ftp
ftpd_anon_write                (desativado,desativado)  Allow ftpd to anon write
ftpd_connect_all_unreserved    (desativado,desativado)  Allow ftpd to connect all unreserved
ftpd_connect_db                (desativado,desativado)  Allow ftpd to connect db
ftpd_full_access               (ativado,ativado)  Allow ftpd to full access
ftpd_use_cifs                  (desativado,desativado)  Allow ftpd to use cifs
ftpd_use_fusefs                (desativado,desativado)  Allow ftpd to use fusefs
ftpd_use_nfs                   (desativado,desativado)  Allow ftpd to use nfs
ftpd_use_passive_mode          (desativado,desativado)  Allow ftpd to use passive mode
httpd_can_connect_ftp          (desativado,desativado)  Allow httpd to can connect ftp
httpd_enable_ftp_server        (desativado,desativado)  Allow httpd to enable ftp server
tftp_anon_write                (desativado,desativado)  Allow tftp to anon write
tftp_home_dir                  (desativado,desativado)  Allow tftp to home dir

Even using the audit2why -a command, I did not have access to the folder.

The audit2why creates a human-readable summary from the audit logs. It does not change anything, just tells what did happen. Did it list something that is denied?

The audit2allow does not change anything either, alone. It creates rules that would allow the denied events, if those rules are installed. IIRC, the audit2allow suggests the commands for installation.


If you had SELinux in permissive mode when you had tested ftp connection and particularly if the audit2why shows no denials, then SELinux may not be the reason after all.

1 Like
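Two of the checks discussed above (gather AVC denials in permissive mode, then see whether /ftp falls under any ftp file-context rule) can be rehearsed offline. The script below is an added example, not code from the thread or from the ProFTPD or SELinux projects. The two `public_content_t` path patterns are copied from the `semanage fcontext -l | grep ftp` output posted above; the audit log lines are constructed samples in the standard AVC record layout, so no audit tools are needed to run it. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: POSIX sh, awk, grep -E.

# Does PATH match one of the public_content_t file-context rules shown by
# `semanage fcontext -l` in the thread? If not, restorecon has no ftp rule to
# apply, and the directory keeps whatever label it inherited; check it with
# `ls -Zd PATH`. The usual remedy for a custom location is a new rule, e.g.
#   semanage fcontext -a -t public_content_t '/ftp(/.*)?' && restorecon -Rv /ftp
is_policy_labelled_ftp_path() {
  while IFS= read -r re; do
    printf '%s\n' "$1" | grep -Eq -- "$re" && return 0
  done <<'EOF'
^/srv/([^/]*/)?ftp(/.*)?$
^/var/ftp(/.*)?$
EOF
  return 1
}

# Write constructed AVC records (the raw form audit2why/ausearch read) to FILE.
# permissive=1 marks records gathered while `setenforce 0` was in effect.
write_sample_audit_log() {
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1710000000.100:501): arch=c000003e syscall=257 success=yes exit=5 comm="proftpd"
type=AVC msg=audit(1710000000.100:501): avc:  denied  { read } for  pid=2101 comm="proftpd" name="ftp" dev="dm-0" ino=131 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1710000000.104:502): avc:  denied  { search } for  pid=2101 comm="proftpd" name="ftp" dev="dm-0" ino=131 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1710000012.220:507): avc:  denied  { read } for  pid=2105 comm="proftpd" name="ftp" dev="dm-0" ino=131 scontext=system_u:system_r:ftpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
EOF
}

# Condense AVC denials in FILE into "count source_type target_type class perms",
# most frequent first: the same facts audit2why reports, in one line each.
summarise_avc() {
  awk '
    /type=AVC/ && /denied/ {
      perm = ""; sctx = ""; tctx = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {                 # permissions sit between { and }
          j = i + 1
          while ($j != "}") {
            if (perm != "") perm = perm " "
            perm = perm $j
            j++
          }
        }
        if ($i ~ /^scontext=/) { split($i, a, ":"); sctx = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tctx = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[sctx " " tctx " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }
  ' "$1" | sort -rn
}

# Total number of AVC denial records in FILE.
count_avc_denials() {
  summarise_avc "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Demo: the thread's /ftp against the stock rules, then the sample log.
for d in /ftp /var/ftp /srv/site1/ftp; do
  if is_policy_labelled_ftp_path "$d"; then
    echo "$d: covered by a public_content_t file-context rule"
  else
    echo "$d: no ftp file-context rule matches; check its label with ls -Zd"
  fi
done
sample=$(mktemp)
write_sample_audit_log "$sample"
echo "AVC denials in sample log: $(count_avc_denials "$sample")"
summarise_avc "$sample"
rm -f "$sample"
```

Run on a real host, replace `write_sample_audit_log` with `ausearch -m AVC --raw -ts recent > file` and feed that file to `summarise_avc`; a non-empty summary while the login fails points at policy, an empty one points back at the proftpd configuration, which is the decision the diagnostic steps above turn on.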
  1. please send the output of
    ls -rtld /ftp

  2. The “anonymous” section of proftpd.conf might be useful too.

[root@localhost /]# ls -rtld /ftp
drwxrwxrwx. 2 ftp ftp 4,0K mar 9 19:19 /ftp

proftpd config

Test config:

Include /etc/proftpd/modules.conf

# Server Config - config used for anything outside a <VirtualHost> or <Global> context

# Trace logging, disabled by default for performance reasons
TraceLog                        /var/log/proftpd/trace.log
Trace                           DEFAULT:0
UseIPv6                         off
ServerName                      "ProFTPD server"
ServerIdent                     on "FTP Server ready."
ServerAdmin                     root@localhost
DefaultServer                   on
Port                            2177
ServerType                      standalone
AllowOverwrite                  on
# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot                     /media/Linux
RequireValidShell               off
# Use pam to authenticate (default) and be authoritative
AuthPAM                         off
AuthPAMConfig                   proftpd
AuthOrder                       mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd               off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS                   off

# Set the user and group that the server runs as
User                            nobody
Group                           nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile                     off

# Define the log formats
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"

# Don't log hostname or timestamps because systemd will do that for us
LogOptions                      -Timestamp -Hostname +RoleBasedProcessLabels

# Enable basic controls via ftpdctl
ControlsEngine                  on
ControlsACLs                    all allow user root
ControlsSocketACL               allow user *
ControlsLog                     /var/log/proftpd/controls.log

# Enable admin controls via ftpdctl
<IfModule mod_ctrls_admin.c>
  AdminControlsEngine           on
  AdminControlsACLs             all allow user root
</IfModule>

# Enable mod_vroot by default for better compatibility with PAM
<IfModule mod_vroot.c>
  VRootEngine                   on
</IfModule>

# Enable this with PROFTPD_OPTIONS=-DTLS in /etc/sysconfig/proftpd
<IfDefine TLS>
Include /etc/proftpd/mod_tls.conf
</IfDefine>

# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfModule mod_ban.c>
Include /etc/proftpd/mod_ban.conf
</IfModule>

# Set networking-specific "Quality of Service" (QoS) bits on the packets used
<IfModule mod_qos.c>
Include /etc/proftpd/mod_qos.conf
</IfModule>

# Global Config - config common to Server Config and all virtual hosts
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask                         022

  # Allow users to overwrite files and change permissions
  AllowOverwrite                yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

</Global>

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
#<IfDefine ANONYMOUS_FTP>
#Include /etc/proftpd/anonftp.conf
#</IfDefine>

 <Anonymous /ftp>
   User                         ftp
   Group                        nogroup
   # We want clients to be able to login with "anonymous" as well as "ftp"
   UserAlias                    anonymous ftp
   # Cosmetic changes, all files belongs to ftp user
   DirFakeUser  on ftp
   DirFakeGroup on ftp
   RequireValidShell            off

   # Limit the maximum number of anonymous logins
   MaxClients                   10

   # We want 'welcome.msg' displayed at login, and '.message' displayed
   # in each newly chdired directory.
   DisplayLogin                 welcome.msg
   DisplayChdir         .message

   # Limit WRITE everywhere in the anonymous chroot
   <Directory *>
     <Limit WRITE>
       DenyAll
     </Limit>
   </Directory>

   # Uncomment this if you're brave.
   # <Directory incoming>
   #   # Umask 022 is a good standard umask to prevent new files and dirs
   #   # (second parm) from being group and world writable.
   #   Umask                            022  022
   #            <Limit READ WRITE>
   #            DenyAll
   #            </Limit>
   #            <Limit STOR>
   #            AllowAll
   #            </Limit>
   # </Directory>

 </Anonymous>

# Include other custom configuration files
Include /etc/proftpd/conf.d/*.conf

Hint: code tags on the post can make the text easier on the eyes.
For example, the last lines of your config file in code tags:

# AllowAll

# Include other custom configuration files

Include /etc/proftpd/conf.d/*.conf

Now a question (as I don’t know proftpd), can the last included files override what was set earlier?
If yes, then all your customizations could be conveniently in, say /etc/proftpd/conf.d/lucas.conf

So the way I’m trying to test it is by editing the main proftpd file. In the conf I posted I had to # in the original anonymous and use the one from Debian to get it to work because I edited everything I could and it didn’t give me access. Now the way it is as I posted it granted access but it gives an error that it doesn’t have permission on the folder.

Fixed the formatting on @lucasperegrino last post - please use the formatting tools in the window when posting. I’ve already had to fix one of your posts before when it wasn’t used to format and make it easier to read (the selinux stuff you posted). Thx :slight_smile:

I apologize if the way I’m putting things may be confusing, in this case I’m Brazilian and I’m using a translator to talk to you there because I can’t find where I usually ask for help either, I apologize in advance if I don’t put things correctly.

1 Like

I recommend that you increase the log level for a short time from no logging (DEFAULT:0) to normal logging (DEFAULT:10), then try the failing command and check the output in the trace file for any useful information about the permission denied issue (don’t forget to go back to DEFAULT:0 afterwards).

The strangest thing is that I set it to 10 as requested, but it doesn’t record anything in the log; everything is zero.

You didn’t reply to my post from twelve days ago. I don’t think people will be able to help much without all the details requested.