Permission denied: ProFTPD on CentOS 7

I am trying to set up an FTP server with ProFTPD. My users are virtual users managed by a MySQL server. All my users live under /srv/ftp, which is chmod 777. But when I connect to my server as one of these users, the server cannot create the folder. The journalctl -xe command shows me:

FTP session opened.
error creating '/srv/ftp/test': Permission denied
notice: unable to use DefaultRoot '~/' [resolved to '/srv/ftp/test/']: No such file or directory
test chdir("/") error: No such file or directory
FTP session closed.


ProFTPD has a user named ftpuser with uid 2001, which is in a group named ftpgroup with gid 2001.

This works fine on Debian, but I can't get it to work on CentOS.

Thanks.

ProFTPD Version: 1.3.5e (maint)
  Scoreboard Version: 01040003
  Built: Wed May 3 2017 14:58:47 UTC

Loaded modules:
mod_quotatab_sql.c
mod_quotatab/1.3.1
mod_sql_mysql/4.0.8
mod_sql/4.3
mod_vroot/0.9.2
mod_ctrls_admin/0.9.7
mod_lang/1.0
mod_ctrls/0.9.5
mod_cap/1.1
mod_memcache/0.1
mod_tls/2.6
mod_auth_pam/1.2
mod_readme/1.0
mod_ident/1.0
mod_dso/0.5
mod_facts/0.4
mod_delay/0.7
mod_site.c
mod_log.c
mod_ls.c
mod_auth.c
mod_auth_file/1.0
mod_auth_unix.c
mod_rlimit/1.0
mod_xfer.c
mod_core.c

ServerName          "ProFTPD server"
ServerIdent         on "FTP Server ready."
ServerAdmin         root@localhost
DefaultServer           on

# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot         ~ !adm

# Use pam to authenticate (default) and be authoritative
#AuthPAMConfig          proftpd
#AuthOrder          mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd       off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS           off

# Set the user and group that the server runs as
User                nobody
Group               nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances            20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile         off

# Define the log formats
LogFormat           default "%h %l %u %t \"%r\" %s %b"
LogFormat           auth    "%v [%P] %h %t \"%r\" %s"

LoadModule mod_vroot.c

ModuleControlsACLs      insmod,rmmod allow user root
ModuleControlsACLs      lsmod allow user *

# Enable basic controls via ftpdctl
# (http://www.proftpd.org/docs/modules/mod_ctrls.html)
ControlsEngine          on
ControlsACLs            all allow user root
ControlsSocketACL       allow user *
ControlsLog         /var/log/proftpd/controls.log

# Enable admin controls via ftpdctl
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
<IfModule mod_ctrls_admin.c>
  AdminControlsEngine       on
  AdminControlsACLs     all allow user root
</IfModule>

# Enable mod_vroot by default for better compatibility with PAM
# (http://bugzilla.redhat.com/506735)
<IfModule mod_vroot.c>
  VRootEngine           on
</IfModule>

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
  TLSEngine         on
  TLSRequired           on
  TLSRSACertificateFile     /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile  /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite        ALL:!ADH:!DES
  TLSOptions            NoCertRequest
  TLSVerifyClient       off
  #TLSRenegotiate       ctrl 3600 data 512000 required off timeout 300
  TLSLog            /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache     shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule            mod_ban.c
  BanEngine         on
  BanLog            /var/log/proftpd/ban.log
  BanTable          /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent            MaxLoginAttempts 2/00:10:00 01:00:00

  # Inform the user that it's not worth persisting
  BanMessage            "Host %a has been banned"

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs       all allow user ftpadm
</IfDefine>

# Set networking-specific "Quality of Service" (QoS) bits on the packets used
# by the server (contrib/mod_qos.html)
<IfDefine QOS>
  LoadModule            mod_qos.c
  # RFC791 TOS parameter compatibility
  QoSOptions            dataqos throughput ctrlqos lowdelay
  # For a DSCP environment (may require tweaking)
  #QoSOptions           dataqos CS2 ctrlqos AF41
</IfDefine>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask             022

  # Allow users to overwrite files and change permissions
  AllowOverwrite        yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

</Global>

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
  <Anonymous ~ftp>
    User            ftp
    Group           ftp
    AccessGrantMsg      "Anonymous login ok, restrictions apply."

    # We want clients to be able to login with "anonymous" as well as "ftp"
    UserAlias           anonymous ftp

    # Limit the maximum number of anonymous logins
    MaxClients          10 "Sorry, max %m users -- try again later"

    # Put the user into /pub right after login
    #DefaultChdir       /pub

    # We want 'welcome.msg' displayed at login, '.message' displayed in
    # each newly chdired directory and tell users to read README* files. 
    DisplayLogin        /welcome.msg
    DisplayChdir        .message
    DisplayReadme       README*

    # Cosmetic option to make all files appear to be owned by user "ftp"
    DirFakeUser         on ftp
    DirFakeGroup        on ftp

    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE SITE_CHMOD>
      DenyAll
    </Limit>

    # An upload directory that allows storing files but not retrieving
    # or creating directories.
    #
    # Directory specification is slightly different if mod_vroot is in
    # use: see http://sourceforge.net/p/proftp/mailman/message/31728570/
    #          https://bugzilla.redhat.com/show_bug.cgi?id=1045922
    <IfModule mod_vroot.c>
      <Directory /uploads/*>
        AllowOverwrite      no
        <Limit READ>
          DenyAll
        </Limit>

        <Limit STOR>
          AllowAll
        </Limit>
      </Directory>
    </IfModule>
    <IfModule !mod_vroot.c>
      <Directory uploads/*>
        AllowOverwrite      no
        <Limit READ>
          DenyAll
        </Limit>

        <Limit STOR>
          AllowAll
        </Limit>
      </Directory>
    </IfModule>

    # Don't write anonymous accesses to the system wtmp file (good idea!)
    WtmpLog         off

    # Logging for the anonymous transfers
    ExtendedLog         /var/log/proftpd/access.log WRITE,READ default
    ExtendedLog         /var/log/proftpd/auth.log AUTH auth

  </Anonymous>
</IfDefine>

LoadModule mod_auth.c
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c
LoadModule mod_quotatab.c
LoadModule mod_quotatab_sql.c
# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes            Plaintext Crypt
SQLAuthenticate         users groups

# used to connect to the database
# databasename@host database_user user_password
SQLConnectInfo  ftp@localhost proftpd password

# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Match the names with those in the db
SQLUserInfo     ftpuser userid passwd uid gid homedir shell

# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo    ftpgroup groupname gid members

# set min UID and GID - otherwise these are 999 each
SQLMinID        500

# create a user's home directory on demand if it doesn't exist
CreateHome on

# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser

# Update modified everytime user uploads or deletes a file
SQLLog  STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies

QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
RootLogin off
RequireValidShell off

<Directory /srv/ftp>
  Umask 000 000
  AllowOverwrite on
  <Limit READ>
    DenyAll
  </Limit>

  <Limit STOR CWD MKD RMD DELE XRMD XMKD>
    AllowAll
  </Limit>
</Directory>

1 answer

Solution

SELinux is enabled by default on CentOS. Check /var/log/audit/audit.log for entries related to your problem.

To check whether SELinux is enabled on your server, run the command below over an ssh console or directly on the server:

sestatus

If you see messages there, you can create a custom SELinux policy to allow proftpd write access, for example:

grep -i proftp /var/log/audit/audit.log | audit2allow -M myproftppol

Then you will need to run:

semodule -i myproftppol.pp 

If audit2allow is not installed on your server, you can run this command to install it:

yum install policycoreutils-python

Please inspect the logs carefully. An alternative would be to disable SELinux if you really don't need it, but that affects the security of your server. SELinux is great, but in most cases it can be difficult to configure.

You can also allow ftp access through SELinux by running:

setsebool -P allow_ftpd_full_access=1
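Before installing a module generated by audit2allow, it helps to see exactly which permissions the AVC denials would be turned into. The shell function below is an added example, not part of the answer above: it summarises AVC records for a given process name into one allow rule per source/target/class, the way audit2allow does. The audit.log sample is constructed (pids, inodes and the var_t label on /srv/ftp are assumptions for illustration).

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one process (e.g. proftpd)
# from audit.log content on stdin into audit2allow-style allow rules.
# AUDIT_SAMPLE is constructed test data, not taken from a real server.
AUDIT_SAMPLE=$(cat <<'EOF'
type=AVC msg=audit(1493823527.451:201): avc:  denied  { write } for  pid=2188 comm="proftpd" name="ftp" dev="sda1" ino=131082 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1493823527.451:201): avc:  denied  { add_name } for  pid=2188 comm="proftpd" name="test" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1493823527.452:202): avc:  denied  { create } for  pid=2188 comm="proftpd" name="test" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1493823600.100:210): avc:  denied  { read } for  pid=901 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
)

# avc_summary COMM: read audit records on stdin, keep AVC lines whose comm
# matches COMM, and print "allow <src_type> <tgt_type>:<class> { perms };"
# with the permissions of all matching records merged per rule.
avc_summary() {
    comm="$1"
    grep 'type=AVC' | grep "comm=\"$comm\"" | awk '{
        inperm = 0; plist = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") inperm = 1                 # permissions sit between braces
            else if ($i == "}") inperm = 0
            else if (inperm) plist = plist " " $i
            else if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        key = src " " tgt ":" cls
        m = split(plist, ps, " ")
        for (j = 1; j <= m; j++)                     # add each permission once
            if (index(" " perms[key] " ", " " ps[j] " ") == 0)
                perms[key] = perms[key] (perms[key] == "" ? "" : " ") ps[j]
    }
    END { for (k in perms) print "allow " k " { " perms[k] " };" }'
}

# Only the proftpd denials are summarised; the httpd record is ignored.
printf '%s\n' "$AUDIT_SAMPLE" | avc_summary proftpd
# prints: allow ftpd_t var_t:dir { write add_name create };
```

Run it against the real log with `avc_summary proftpd < /var/log/audit/audit.log`; the rule it prints is what the module built by audit2allow would grant, so review it before `semodule -i`.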