Today on the fatmin we are going to set up an FTP server on RHEL6 that accepts anonymous uploads. We are going to do so with SELinux support and will be making modifications to iptables as well. Sounds fun, right?
Installation:
First and foremost we need to install vsftpd, start it, and enable it at boot:
# yum -y install vsftpd && service vsftpd start && chkconfig vsftpd on
Our anonymous upload directory will be /var/ftp/anon. We need to change its group ownership to the ftp group and then set permissions so that members of that group can write to it. With mode 730 only root can read (list) the directory; the ftp group can write into it and traverse it but not list it, and everyone else has no access at all, so the directory is a write-only drop box.
# chgrp ftp /var/ftp/anon
# chmod 730 /var/ftp/anon
# ls -ld /var/ftp/anon
drwx-wx---. 3 root ftp 4096 Oct 19 13:34 /var/ftp/anon
SELinux Support:
Next we need to configure SELinux support and assign the correct file context to the /var/ftp/anon directory and its future contents. Note that -a adds a rule and -t gives the type; the trailing ? in the pattern makes the rule match the directory itself as well as everything beneath it.
# semanage fcontext -a -t public_content_rw_t '/var/ftp/anon(/.*)?'
Now let's apply the new context. Note that -vv is verbose, -F forces the relabel even if the current context looks acceptable, and -R is recursive.
# restorecon -vvFR /var/ftp/anon
Now we need to set the allow_ftpd_anon_write boolean; -P makes the change persistent across reboots.
# setsebool -P allow_ftpd_anon_write=1
Now let's check to make sure the setting "stuck".
# getsebool -a | grep allow_ftpd_anon_write
allow_ftpd_anon_write --> on
Configure Vsftpd:
Now edit /etc/vsftpd/vsftpd.conf and ensure that the following configuration values are set and uncommented. The chown_uploads and chown_username lines hand each uploaded file to the daemon user, and anon_umask=077 leaves uploads readable only by that owner, so anonymous clients cannot fetch what other clients dropped. Note that I had to add the last line to my config file.
anonymous_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
anon_umask=077
Configure iptables:
Add the following to /etc/sysconfig/iptables-config so that the FTP connection-tracking helper is loaded at startup. In my case I only needed to add the ip_nat_ftp part to the line.
IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"
Now make sure that these two lines exist in /etc/sysconfig/iptables. The first admits the helper-tracked data connections, the second opens the control port.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
Now restart iptables.
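As an added example (not from the original post), here is a small POSIX sh script that audits a vsftpd.conf for the five settings above and checks that a semanage fcontext pattern ends in (/.*)? so the directory itself gets labelled. The sample config is constructed with two deliberate deviations to show what the check reports.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Audits the anonymous-upload settings and the fcontext pattern shape.

# Constructed sample config: one line commented out, one wrong umask.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
anonymous_enable=YES
#anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
anon_umask=022
EOF

# Print each required key whose active (uncommented) value differs from
# the value the walkthrough uses; return 1 if anything differs.
check_vsftpd_conf() {
    conf=$1
    rc=0
    for want in anonymous_enable=YES anon_upload_enable=YES \
                chown_uploads=YES chown_username=daemon anon_umask=077; do
        key=${want%%=*}
        # take the last uncommented assignment of the key, if any
        have=$(grep -E "^[[:space:]]*$key=" "$conf" | tail -n 1 | cut -d= -f2-)
        [ "$have" = "${want#*=}" ] && continue
        echo "$key: want '${want#*=}', have '${have:-<unset or commented>}'"
        rc=1
    done
    return $rc
}

# A fcontext regex must end in (/.*)? to match the directory itself;
# (/.*) alone only matches paths beneath it.
fcontext_covers_dir() {
    case $1 in
        *'(/.*)?') return 0 ;;
        *) return 1 ;;
    esac
}

check_vsftpd_conf "$SAMPLE_CONF" || echo "vsftpd.conf needs attention"
fcontext_covers_dir '/var/ftp/anon(/.*)' || echo "pattern misses the directory"
```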
Addendum:
Note that I ran into issues with the semanage command below.
# semanage fcontext -a -t public_content_rw_t '/var/ftp/anon(/.*)'
It seems that the context assigned to the /var/ftp/anon directory was not changing correctly from public_content_t to public_content_rw_t.
# ls -Zd /var/ftp
drwxrwxrwx. root root system_u:object_r:public_content_t:s0 /var/ftp
However when I checked the file_contexts file all looked correct.
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
/var/ftp/anon(/.*) system_u:object_r:public_content_rw_t:s0
So I ran the chcon command seen below and did not run the restorecon command. This worked, as afterwards the context on the directory /var/ftp/anon was correct.
# chcon -R -t public_content_rw_t /var/ftp/anon
You said "# semanage fcontext -a -t public_content_rw_t '/var/ftp/anon(/.*)'"
I think you meant "# semanage fcontext -a -t public_content_rw_t '/var/ftp/anon(/.*)?'"
Without the ? at the end, the directory itself does not get relabeled public_content_rw_t