Product SiteDocumentation Site

5.4. Configuration Examples

5.4.1. Uploading to an FTP site

The following example creates an FTP site that allows a dedicated user to upload files. It creates the directory structure and the required SELinux configuration changes:
  1. Run setsebool ftp_home_dir=1 as the root user to enable access to FTP home directories.
  2. Run mkdir -p /myftp/pub as the root user to create a new top-level directory.
  3. Set Linux permissions on the /myftp/pub/ directory to allow a Linux user write access. This example changes the owner and group from root to owner user1 and group root. Replace user1 with the user you want to give write access to:
    # chown user1:root /myftp/pub
    # chmod 775 /myftp/pub
    
    The chown command changes the owner and group permissions. The chmod command changes the mode, allowing the user1 user read, write, and execute permissions, and members of the root group read, write, and execute permissions. Everyone else has read and execute permissions: this is required to allow the Apache HTTP Server to read files from this directory.
  4. When running SELinux, files and directories must be labeled correctly to allow access. Setting Linux permissions is not enough. Files labeled with the public_content_t type allow them to be read by FTP, Apache HTTP Server, Samba, and rsync. Files labeled with the public_content_rw_t type can be written to by FTP. Other services, such as Samba, require Booleans to be set before they can write to files labeled with the public_content_rw_t type. Label the top-level directory (/myftp/) with the public_content_t type, to prevent copied or newly-created files under /myftp/ from being written to or modified by services. Run the following command as the root user to add the label change to file-context configuration:
    semanage fcontext -a -t public_content_t /myftp
    
  5. Run restorecon -R -v /myftp/ to apply the label change:
    # restorecon -R -v /myftp/
    restorecon reset /myftp context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
    
  6. Confirm /myftp is labeled with the public_content_t type, and /myftp/pub/ is labeled with the default_t type:
    $ ls -dZ /myftp/
    drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /myftp/
    $ ls -dZ /myftp/pub/
    drwxrwxr-x. user1 root unconfined_u:object_r:default_t:s0 /myftp/pub/
    
  7. FTP must be allowed to write to a directory before users can upload files via FTP. SELinux allows FTP to write to directories labeled with the public_content_rw_t type. This example uses /myftp/pub/ as the directory FTP can write to. Run the following command as the root user to add the label change to file-context configuration:
    semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"
    
  8. Run restorecon -R -v /myftp/pub as the root user to apply the label change:
    # restorecon -R -v /myftp/pub
    restorecon reset /myftp/pub context system_u:object_r:default_t:s0->system_u:object_r:public_content_rw_t:s0
    
  9. The allow_ftpd_anon_write Boolean must be on to allow vsftpd to write to files that are labeled with the public_content_rw_t type. Run the following command as the root user to turn this Boolean on:
    setsebool -P allow_ftpd_anon_write on
    
    Do not use the -P option if you do not want changes to persist across reboots.
The following example demonstrates logging in via FTP and uploading a file. This example uses the user1 user from the previous example, where user1 is the dedicated owner of the /myftp/pub/ directory:
  1. Run cd ~/ to change into your home directory. Then, run mkdir myftp to create a directory to store files to upload via FTP.
  2. Run cd ~/myftp to change into the ~/myftp/ directory. In this directory, create an ftpupload file. Copy the following contents into this file:
    File upload via FTP from a home directory.
    
  3. Run getsebool allow_ftpd_anon_write to confirm the allow_ftpd_anon_write Boolean is on:
    $ getsebool allow_ftpd_anon_write
    allow_ftpd_anon_write --> on
    
    If this Boolean is off, run setsebool -P allow_ftpd_anon_write on as the root user to turn it on. Do not use the -P option if you do not want the change to persist across reboots.
  4. Run service vsftpd start as the root user to start vsftpd:
    # service vsftpd start
    Starting vsftpd for vsftpd:                                [  OK  ]
    
  5. Run ftp localhost. When prompted for a username, enter the the username of the user who has write access, then, enter the correct password for that user:
    $ ftp localhost
    Connected to localhost (127.0.0.1).
    220 (vsFTPd 2.1.0)
    Name (localhost:username):
    331 Please specify the password.
    Password: Enter the correct password
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd myftp
    250 Directory successfully changed.
    ftp> put ftpupload 
    local: ftpupload remote: ftpupload
    227 Entering Passive Mode (127,0,0,1,241,41).
    150 Ok to send data.
    226 File receive OK.
    ftp> 221 Goodbye.
    
    The upload succeeds as the allow_ftpd_anon_write Boolean is enabled.