vsftpd FTP Server Installation
May 23, 2006 by Isaac
HEAD BEATING
Technically, my job description is Test Lead; however, I seem to spend most of my time acting as the System Administrator. In my latest conquest I figured out how to get vsftpd anonymous logins working (nearly) how I want.
Here's basically what I wanted to do.... I've got a server that houses all the system-level test scripts. On this server I want a directory called /transfer (yes, we're talking Linux here). I want to export this as a Samba mount, so that Windows users can mount the shared directory. I also wanted to make this the home directory for anonymous ftp users. The permissions should allow everyone to read/write/delete or otherwise screw up anything inside of this directory, and allow them to do so in any way they want (Samba, NFS, FTP).
To start, I created the transfer directory and changed permissions to allow full access:
mkdir /transfer
chmod 777 /transfer
SAMBA
The first task, creating the Samba mount point, was not hard, just frustrating. Here's a snippet from my Samba config:
[transfer]
comment = Place where you can put your file transfers
path = /transfer
writeable = yes
read only = no
public = yes
guest ok = yes
create mask = 777
Adding this entry to the config was not all that hard. There were two things, however, that were maddening. First, I had to poke a hole in the firewall. A quick search revealed that I needed to open TCP ports 137-139. Once I did that I could magically see my new share. However, even though I explicitly enabled the public and guest attributes of the Samba share, it kept asking for a username/password, but failed to authenticate even when supplied with valid credentials. Finally, after much head beating, I found the answer. I changed the global security setting to share-level. The particular Samba config directive is:
[global]
...
security = share
...
Finally, Samba started letting in anonymous connections and allowing full read/write permissions.
ANONYMOUS FTP
I am using vsftpd for my FTP server and true to its name (the VS stands for Very Secure) it made me jump through some hoops to open full read/write access to anonymous users....hmmm...imagine that.
After several iterations of internet searches, server restarts, and trial ftp sessions I assembled the following for my vsftpd configuration (non-relevant stuff removed):
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=000
no_anon_password=YES
Those config directives are enough to allow full read/write access to the ftp directory by any anonymous user....or so I thought. It didn't seem to matter what I did; anonymous users could not create or upload files. The problem is that vsftpd will not run if the home directory is world writeable. Since /transfer has to be, I figured that I'd have to use a less secure ftp server. Then I found that key word: the "parent" directory cannot be world writeable. This means that child directories can!
So, I did some quick reconfiguring and changed the Samba share to point to /var/ftp/transfer. The ftp home was changed to /var/ftp, and the permissions were set as:
chmod 777 /var/ftp/transfer
chmod 755 /var/ftp
That did it! Although the directory is not in the location I originally intended, the functionality I wanted is there now.
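The layout above, turned into a repeatable check. This is an added example, not part of the original post: it verifies that the anonymous root is not world-writable, that the upload directory is, and that the anonymous write directives from the config are set. The function names are hypothetical and the config path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): audit the /var/ftp layout it describes.

# True when DIR has the "other" write bit set. In the ls -ld mode string
# (drwxrwxrwx) character 9 is the write bit for "other".
world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# True when FILE contains the line KEY=YES, spelled as in the post's config.
conf_yes() {
    grep -qx "$2=YES" "$1"
}

# audit_anon_ftp CONF ROOT UPLOAD: print findings, return 0 only when the
# layout matches the post (root not world-writable, upload dir writable,
# anonymous write directives enabled).
audit_anon_ftp() {
    conf=$1; root=$2; upload=$3; rc=0
    if [ ! -d "$root" ] || [ ! -d "$upload" ]; then
        echo "FAIL: $root or $upload is not a directory"; return 1
    fi
    if world_writable "$root"; then
        echo "FAIL: anonymous root $root is world-writable"; rc=1
    fi
    if ! world_writable "$upload"; then
        echo "FAIL: upload dir $upload is not world-writable"; rc=1
    fi
    for key in anonymous_enable write_enable anon_upload_enable \
               anon_mkdir_write_enable anon_other_write_enable; do
        if ! conf_yes "$conf" "$key"; then
            echo "FAIL: $key=YES missing from $conf"; rc=1
        fi
    done
    return "$rc"
}

# Usage on the server from the post (paths as given there; the config path
# is an assumption and varies by distribution):
#   audit_anon_ftp /etc/vsftpd/vsftpd.conf /var/ftp /var/ftp/transfer
```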
SO WHAT
So, what's this good for? After all, enabling full anonymous read/write access to that directory is risky.
Well, not really. I mean, the worst they could do is upload many GB of data and fill up the hard drive. But, we're behind a corporate firewall so anyone logging in should be from "the inside." Also, I needed a quick and dirty way for testers to transfer data files or scripts to/from this machine. The only thing I have left is to enable an NFS share, but that will have to wait for another day. It's time to go home.
