Tuesday, February 15, 2011

VSFTPD & SELinux

This can be a fun combo to work with. SELinux, or Security Enhanced Linux, is the life of any party. And Google searches about SELinux-related problems make it pretty evident that very few people have taken the time to understand how it works (it is a mandatory access control layer in the kernel, not a program you install and uninstall). I ran across numerous people simply suggesting that you turn off SELinux if it is getting in the way.

Well, I didn't buy into this wholesale approach to getting things to work. Besides, I want a secure system and if SELinux is going to help me in the long run, I want it enabled.

VSFTPD, or Very Secure FTP Daemon, is a pretty standard FTP server. You can install it on CentOS (or RHEL, for that matter) by running "yum install vsftpd" from the command line. Once it is installed, edit the configuration file at "/etc/vsftpd/vsftpd.conf" with a text editor. Then run "chkconfig vsftpd on" so the service starts at boot, and "service vsftpd restart" to load the new configuration.

Make sure the configuration file is set up properly. Only give FTP access to a limited number of users (never root), disable anonymous access, and make sure users can only reach the files they need: I recommend chroot-ing them into their home directories. (Note that vsftpd 3.0 and later refuse to chroot a user into a home directory that user can write to, so keep the home directory itself owned by root and give the user a writable subdirectory for uploads.)
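The three points above as a hardened vsftpd.conf, plus a small audit function that reports where a configuration drifts from it. This is an added example, not code from the original post or from the vsftpd project; the option names are the real ones from vsftpd.conf(5), but the two config files, the user list and their paths are constructed here for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a hardened vsftpd.conf covering
# allow-listed users, no anonymous access and chroot, and an audit function
# that reports where a config drifts from that baseline. Option names come
# from vsftpd.conf(5); the files and paths below are constructed.

HARDENED_CONF=$(mktemp)
WEAK_CONF=$(mktemp)
USER_LIST=$(mktemp)
trap 'rm -f "$HARDENED_CONF" "$WEAK_CONF" "$USER_LIST"' EXIT

# Constructed allow-list (normally /etc/vsftpd/user_list): no root in it.
printf 'alice\nbob\n' >"$USER_LIST"

# What the post recommends, as a config (unquoted heredoc so $USER_LIST expands).
cat >"$HARDENED_CONF" <<EOF
# No anonymous logins
anonymous_enable=NO
# Local accounts may log in, but only those named in the user list.
# userlist_deny=NO turns user_list from a deny-list into an allow-list;
# never put root in it, and leave root in /etc/vsftpd/ftpusers as well.
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=$USER_LIST
# Confine every user to their home directory
chroot_local_user=YES
# Uploads allowed; new files are not group- or world-writable
write_enable=YES
local_umask=022
EOF

# Roughly what a stock install looks like.
cat >"$WEAK_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
EOF

# conf_get FILE KEY: the effective value of KEY (last occurrence wins,
# comment lines ignored), or nothing if it is not set.
conf_get() {
    sed -n -e '/^[[:space:]]*#/d' -e "s/^$2=//p" "$1" | tail -n 1
}

# expect KEY WANT WHY: record a finding if KEY is not WANT in $AUDIT_FILE.
expect() {
    got=$(conf_get "$AUDIT_FILE" "$1")
    if [ "$got" != "$2" ]; then
        echo "$1=${got:-(unset)} (want $2): $3"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
}

# audit_vsftpd_conf FILE: print one finding per line; the return value is
# the number of findings, so 0 means the file meets the baseline.
audit_vsftpd_conf() {
    AUDIT_FILE=$1
    AUDIT_FINDINGS=0
    expect anonymous_enable  NO  "anonymous users must not log in"
    expect userlist_enable   YES "logins must be limited to an explicit list"
    expect userlist_deny     NO  "user_list must be an allow-list, not a deny-list"
    expect chroot_local_user YES "users must be confined to their home directory"
    # With an allow-list in force, root appearing in it means root may log in.
    ul=$(conf_get "$AUDIT_FILE" userlist_file)
    if [ "$(conf_get "$AUDIT_FILE" userlist_deny)" = NO ] && [ -r "$ul" ] \
        && grep -qx root "$ul"; then
        echo "userlist_file=$ul contains root: root must never log in over FTP"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    return "$AUDIT_FINDINGS"
}

echo "== hardened =="; audit_vsftpd_conf "$HARDENED_CONF" || true
echo "== weak ==";     audit_vsftpd_conf "$WEAK_CONF" || true
```

Run it against a real /etc/vsftpd/vsftpd.conf by calling audit_vsftpd_conf with that path; on a stock CentOS install it will flag the anonymous login, the missing allow-list and the missing chroot, and once userlist_deny is switched to NO it will also flag root if the default user_list (which ships with root in it) was left untouched.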

This is only half the battle. Now that VSFTPD is running, how do you allow users to access their home directories? The default SELinux policy confines vsftpd to its own domain and does not let it read or write users' home directories, whatever the Unix permissions say. There is an SELinux boolean for exactly this case called "ftp_home_dir"; turning it on lets the FTP daemon into users' home directories and nothing more. To set it persistently (the -P flag makes it survive a reboot), from the command line run
setsebool -P ftp_home_dir 1

If it still fails, check file ownership and permissions before blaming SELinux: a file the FTP user does not own needs group write permission (or, as a last resort, world write permission) before SELinux is even consulted, and a shared group is far safer than world-writable files. Then confirm the directory carries the expected home-directory label with "ls -Z", and look for AVC denials naming vsftpd in /var/log/audit/audit.log; a denial names the file type the policy refused, which is the clue to the right boolean.

If this still fails to grant FTP access where you need it, or your set-up is different (home directories on an NFS mount, or a data directory outside /home), you can always allow the FTP daemon full access to all files by running
setsebool -P allow_ftpd_full_access 1

This grants the FTP daemon more power than is necessary: with this boolean on, the policy lets vsftpd read and write anything the Unix permissions allow, so you are back to relying on chroot and file permissions alone. Before reaching for it, prefer the narrower options: "use_nfs_home_dirs" (together with "ftp_home_dir") for NFS-mounted home directories, or labelling a dedicated directory tree as public_content_rw_t and turning on "allow_ftpd_anon_write". On CentOS/RHEL 7 and later the full-access boolean is named "ftpd_full_access" (and the upload one "ftpd_anon_write"); "getsebool -a | grep ftp" lists what your policy calls them. Even so, full access is much better than disabling SELinux altogether.
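To decide from evidence rather than by trial and error whether "ftp_home_dir" is enough or a wider boolean is really needed, the denials in the audit log can be summarised and mapped to the narrowest boolean that covers each target type. The following is an added example, not code from the original post or from the SELinux or vsftpd projects; the audit lines are constructed to look like CentOS 5/6 AVC records (not a real capture), and the boolean names are the CentOS/RHEL 5 and 6 ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): pull the SELinux AVC denials that
# hit the vsftpd domain (ftpd_t) out of the audit log and map each target type
# to the narrowest boolean that covers it. The audit lines below are
# constructed for the example, not a real capture.

SAMPLE_AUDIT=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT"' EXIT
cat >"$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1297800000.101:301): avc:  denied  { read } for  pid=2150 comm="vsftpd" name="alice" dev=dm-0 ino=131073 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1297800000.102:302): avc:  denied  { write } for  pid=2150 comm="vsftpd" name="upload.txt" dev=dm-0 ino=131090 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1297800000.103:303): avc:  denied  { write } for  pid=2151 comm="vsftpd" name="index.html" dev=dm-0 ino=262200 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1297800000.104:304): avc:  denied  { write } for  pid=2151 comm="vsftpd" name="upload.txt" dev=dm-0 ino=131090 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1297800000.105:305): avc:  denied  { write } for  pid=3010 comm="httpd" name="cache.db" dev=dm-0 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
EOF

# ftpd_denials LOG: print "TARGET_TYPE TCLASS PERMS" once per distinct denial
# whose source domain is ftpd_t. Denials from other domains are ignored.
ftpd_denials() {
    awk '
        /^type=AVC / && / denied / && /scontext=[^ ]*:ftpd_t:/ {
            s = index($0, "{"); e = index($0, "}")
            perms = substr($0, s + 2, e - s - 3)     # text between "{ " and " }"
            tclass = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/)   tclass = substr($i, 8)
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            }
            print ttype, tclass, perms
        }' "$1" | sort -u
}

# suggest_boolean TARGET_TYPE: the narrowest vsftpd boolean for that type.
# Names are the CentOS/RHEL 5 and 6 ones; on 7 and later the "allow_"
# prefix is gone (ftpd_anon_write, ftpd_full_access).
suggest_boolean() {
    case "$1" in
        user_home_t|user_home_dir_t) echo "setsebool -P ftp_home_dir 1" ;;
        nfs_t)                       echo "setsebool -P ftp_home_dir=1 use_nfs_home_dirs=1" ;;
        public_content_rw_t)         echo "setsebool -P allow_ftpd_anon_write 1" ;;
        *) echo "no narrow boolean for $1: relabel the tree (semanage fcontext -a -t public_content_rw_t, then restorecon -R) before resorting to allow_ftpd_full_access" ;;
    esac
}

# ftpd_triage LOG: one "type -> suggestion" line per distinct target type.
ftpd_triage() {
    ftpd_denials "$1" | awk '{ print $1 }' | sort -u | while read -r ttype; do
        printf '%s -> %s\n' "$ttype" "$(suggest_boolean "$ttype")"
    done
}

ftpd_triage "$SAMPLE_AUDIT"
```

On a real box, point ftpd_triage at /var/log/audit/audit.log (or at the output of "ausearch -m avc -c vsftpd"). In the constructed sample the home-directory denials resolve to ftp_home_dir, while the httpd_sys_content_t hit shows a tree that is simply mislabeled for FTP use; fixing the label is the answer there, and neither case justifies allow_ftpd_full_access. This is also what audit2allow would otherwise turn into a custom policy module: the booleans are the maintained, reviewable version of that allowance.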

By the way, here is a great intro to CentOS & SELinux.

6 comments:

Anonymous said...

Thank you so much! Fixed a big issue I was having!

Anonymous said...

Great, this solved my problem. I had the users' home in the apache directory and this conflicted with what I was trying to do. Thanks to this post I realised what the problem was.

DJ Sonitus said...

This is an awesome piece of information. I use a special NFS mount for the FTP users' home dir, so I had to set allow_ftpd_full_access to true. If I could specify the directory for vsftpd to have access to, it would be even better, but this is definitely more secure than turning SELinux off.

Grond said...

I did both above commands...
Still can't create a directory from FTP client...
Really getting sick of SELinux!

Anonymous said...

I was working through this myself and eventually got to your post just to find the correct name of 'allow_ftpd_full_access'. Originally I was following instructions that make use of audit2allow, which is nice but messy. I'm OK with this because the login user is still restricted to the home directory where I want him to have full access. Grond, wait for setsebool to complete, then also possibly try restarting your daemon.

Victor Trevor said...

Well said, I agree that there are far too many people advocating a "just turn it off" approach to SELinux. Thanks for the article.