17th January 2012, 10:59 PM
Registered User
Join Date: Jan 2012
Location: Spain
Posts: 9

how to enable local user on localhost vsftpd?
Please help! Either I figure this out or I have to find another distro.
I installed a localhost web server for Wordpress development on Fedora. It needs ftp server and credentials.
But I get a 530 login incorrect if I try to login with my local user in terminal.
What is NOT the problem:
- In vsftpd.conf, local_enable=YES.
- The local user is not in any of the two blocked user lists (ftpusers and user_list).
- Disabling SELinux makes no difference.
I've been banging my head with caging, chroot, pam, virtual users, for three solid evenings, and a) I haven't understood a word b) no code I have copypasted has solved anything.
Any ideas? How to enable your local user from scratch for dummies? Thanks.

18th January 2012, 12:41 AM
Registered User
Join Date: Mar 2007
Location: Ukraine
Posts: 381

Re: how to enable local user on localhost vsftpd?
Have you opened ports 21(20) in firewall?

18th January 2012, 07:17 PM
Registered User
Join Date: Jan 2012
Location: Spain
Posts: 9

Re: how to enable local user on localhost vsftpd?
Quote:
Originally Posted by AlexDudko
> Have you opened ports 21(20) in firewall?
No. Does the firewall prevent localhost connections?

18th January 2012, 07:58 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,104

Re: how to enable local user on localhost vsftpd?
It depends on how you access vsftpd...
If you use "localhost" or "127.0.0.1", then no it does not.
If you use your hostname, and that host name is associated with your external IP number... Then yes.

18th January 2012, 08:18 PM
Registered User
Join Date: Jan 2012
Location: Spain
Posts: 9

Re: how to enable local user on localhost vsftpd?
The command I use is ftp localhost.

19th January 2012, 12:47 AM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,104

Re: how to enable local user on localhost vsftpd?
How about posting the actual error and the vsftpd configuration file?
Was there a log of the error?

19th January 2012, 02:10 PM
Registered User
Join Date: Jan 2012
Location: Spain
Posts: 9

Re: how to enable local user on localhost vsftpd?
Quote:
Originally Posted by jpollard
> How about posting the actual error and the vsftpd configuration file?
> Was there a log of the error?
Sorry, I'm totally new to FTP setup (and to Fedora by the way...).
This is the terminal output (regardless of SELinux being permissive or enforcing):
Code:
[david@totoro ~]$ ftp localhost
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.3.4)
Name (localhost:david): david
331 Please specify the password.
Password: ********
530 Login incorrect.
Login failed.
ftp>
/etc/vsftpd/vsftpd.conf:
Code:
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_acc$
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
/etc/pam.d/vsftpd:
Code:
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers o$
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth
Thank you.

19th January 2012, 02:42 PM
Registered User
Join Date: Nov 2006
Location: Detroit
Posts: 4,616

Re: how to enable local user on localhost vsftpd?
What are the contents of your /etc/hosts.allow and /etc/hosts.deny files, if any? Since you've enabled tcp wrappers those files will have an effect.
__________________
OS: Fedora 18 x86_64 | CPU: AMD64 3700+ 2.2GHz | RAM: 2GB PC3200 DDR | Disk: 160GB PATA | Video: ATI Radeon 7500 AGP 64MB | Sound: Turtle Beach Santa Cruz CS4630 | Ethernet: Realtek 8110SC

19th January 2012, 05:13 PM
Registered User
Join Date: Jan 2012
Location: Spain
Posts: 9

Re: how to enable local user on localhost vsftpd?
Quote:
Originally Posted by RupertPupkin
> What are the contents of your /etc/hosts.allow and /etc/hosts.deny files, if any? Since you've enabled tcp wrappers those files will have an effect.
Both files are empty.
Maybe I should add that I just installed Fedora from scratch, installed vsftpd, changed permissions and SELinux configuration for the wordpress folder, and did nothing else. Everything is default.
Oh, and something else, actually I don't care about enabling my local user to ftp on localhost, any user would do, a new ftp user, a virtual user, whatever. But I couldn't understand how to do that either (my user setup skills are limited to the Gnome 3 dialog...).

29th January 2012, 12:24 PM
Registered User
Join Date: Jan 2012
Location: Spain
Posts: 9

Re: how to enable local user on localhost vsftpd?
I have made some small progress but at the cost of a lot of my mental health.
Is there any way to completely disable SELinux for vsftpd? I think that would solve all my problems.
I have read http://docs.fedoraproject.org/en-US/...-securitylevel but that only tells people to read half a dozen manuals in a difficult to understand technical language.
By the way, is there any way to get a GUI for configuring SELinux? system-config-selinux has vanished with Gnome3, I guess.

29th January 2012, 01:04 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,104

Re: how to enable local user on localhost vsftpd?
SELinux has nothing to do with vsftpd disabling logins.
I suspect that you have a conflicting configuration where local users and remote users are disabled.
I suspect, though I don't use vsftpd, that turning on userlist_enable, AND setting pam "sense=deny file=/etc/vsftpd/ftpusers" causes the failures. My reasoning is that enabling userlist_enable tells vsftpd to use the users in the file... and the "sense=deny" causes PAM to disallow these users. Using one or the other (but not both) may work.
Last edited by jpollard; 29th January 2012 at 01:05 PM.
Reason: typo...
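
Added example, not part of the post above and not code from vsftpd or Fedora: a script that walks the checks the posted vsftpd.conf and /etc/pam.d/vsftpd put in front of a local user, in order, and names the first one that rejects the login. The function names (`conf_get`, `listed`, `ftp_gate`) are made up for this example, and /etc/vsftpd/user_list is assumed to be the user_list file mentioned in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): find the first gate that rejects a
# local user, given the vsftpd.conf and /etc/pam.d/vsftpd posted earlier.

conf_get() {    # conf_get FILE KEY DEFAULT: last uncommented KEY=value wins
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

listed() {      # listed FILE NAME: true if NAME is an uncommented line of FILE
    [ -n "$2" ] && [ -f "$1" ] && grep -v '^#' "$1" | grep -qxF "$2"
}

# ftp_gate USER CONF USER_LIST FTPUSERS PASSWD SHELLS
# Prints the rejecting gate, or "password" when only the password check
# (auth include password-auth) remains. Only YES/NO spellings are handled.
ftp_gate() {
    user=$1; conf=$2; user_list=$3; ftpusers=$4; passwd=$5; shells=$6

    # vsftpd: local_enable defaults to NO.
    if [ "$(conf_get "$conf" local_enable NO)" != YES ]; then
        echo local_enable; return
    fi
    # vsftpd: user_list is consulted before the password prompt. With
    # userlist_deny=YES (the default) it is a deny list, with NO an allow list.
    if [ "$(conf_get "$conf" userlist_enable NO)" = YES ]; then
        deny=$(conf_get "$conf" userlist_deny YES)
        if listed "$user_list" "$user"; then hit=YES; else hit=NO; fi
        if [ "$deny" = "$hit" ]; then echo user_list; return; fi
    fi
    # PAM: pam_listfile item=user sense=deny rejects names listed in ftpusers.
    if listed "$ftpusers" "$user"; then echo pam_listfile; return; fi
    # PAM: pam_shells wants the login shell (passwd field 7) in /etc/shells.
    # Simplification: an unknown user or empty shell field counts as a failure.
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if ! listed "$shells" "$shell"; then echo pam_shells; return; fi
    echo password
}

# Fedora paths; the user_list location is an assumption of this example.
if [ $# -ge 1 ]; then
    ftp_gate "$1" /etc/vsftpd/vsftpd.conf /etc/vsftpd/user_list \
        /etc/vsftpd/ftpusers /etc/passwd /etc/shells
fi
```

vsftpd turns away a name rejected by user_list before it asks for a password, while the session posted earlier got as far as `331 Please specify the password.`, which places that 530 in the PAM stack.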

29th January 2012, 02:25 PM
Registered User
Join Date: Jan 2012
Location: Spain
Posts: 9

Re: how to enable local user on localhost vsftpd?
Please, if I disable SELinux, it works. I need to disable SELinux for ftp (or maybe for httpd, actually I'm not sure where the problem is).
I'll explain more properly. At the moment, after reinstalling Fedora and performing the same steps of the previous time, ftp with local user works (yeah, same steps, different outcome). That means that if I do an ftp localhost and write my username, it works.
But the reason of all this is having a working Wordpress site on localhost. If I enter my username in the Wordpress dialog that asks for ftp credentials, it still doesn't work (the error message is different, by the way). I disable SELinux, it works.
I have no idea where the error is (which user is actually being denied what) and after two weeks without a proper computer, reading tutorials I couldn't even grasp (and thus learning nothing of use), I don't want to try to understand it anymore. It worked by default in other Linuxes I've used. I really prefer Fedora, but this is way too much for me.
Last edited by david m; 29th January 2012 at 02:58 PM.

29th January 2012, 04:27 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,104

Re: how to enable local user on localhost vsftpd?
That doesn't sound like a vsftpd issue - it sounds more like a wordpress issue. Different place to look.
Not sure this would help (I don't use wordpress): http://www.jamison.org/2010/12/04/ho...ftp-in-ubuntu/
Note also that if this is being used to update user files, they must be labeled properly... and it is possible that the destination directory isn't correct (either what is treated as the home directory, or the directory that vsftpd is attempting to write into. Don't know which is actually reporting the error, either wordpress or vsftpd.)
There should be some system logs reporting the problem. But again, SELinux isn't the problem unless you have not got the configuration quite right. Fedora uses a targeted model, and that puts services into separate security jails to prevent inadvertent system penetrations.
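
Added example, not part of the post above: one way to read those logs is to group SELinux AVC denial records by the domain that was refused, which shows whether vsftpd (ftpd_t) or the web server (httpd_t) is the process being blocked. The function names and the sample records are constructed for this example and are not taken from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials per
# source domain, to see whether ftpd_t (vsftpd) or httpd_t (Apache/PHP) is
# the process being refused.

# avc_summary [FILE...]: prints "count domain perms class target_type",
# most frequent first. Reads stdin when no file is given.
avc_summary() {
    awk '
    function val(key,   i) {            # value of key=... in this record
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    function setype(ctx,   p) {         # user:role:TYPE:level -> TYPE
        split(ctx, p, ":"); return p[3]
    }
    /avc:[ ]+denied/ {
        perms = $0                      # keep only the text between { and }
        sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        gsub(/ +/, ",", perms)
        n[setype(val("scontext")) " " perms " " val("tclass") " " setype(val("tcontext"))]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort -rn
}

# Constructed sample records in audit.log format (not from a real system).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1327850001.101:201): avc:  denied  { write } for  pid=2101 comm="vsftpd" name="wp-content" dev=dm-1 ino=3001 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1327850001.101:201): arch=c000003e syscall=83 success=no exit=-13 comm="vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023
type=AVC msg=audit(1327850007.442:205): avc:  denied  { write } for  pid=2101 comm="vsftpd" name="wp-content" dev=dm-1 ino=3001 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1327850012.010:209): avc:  denied  { name_connect } for  pid=1900 comm="httpd" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
EOF
}

sample_avc | avc_summary
```

On a live system the input would be the audit log, for example `avc_summary /var/log/audit/audit.log` run as root.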

29th January 2012, 04:37 PM
Registered User
Join Date: Jan 2012
Location: Spain
Posts: 9

Re: how to enable local user on localhost vsftpd?
Thanks, but I have already looked into that.
I don't know where the issue is, but setenforce permissive lets me go on with my life. Can I do a setenforce permissive just for vsftpd?
(Already tried setsebool -P ftpd_disable_trans 1. Didn't work.)

29th January 2012, 10:13 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,104

Re: how to enable local user on localhost vsftpd?
No.
It is either on or off (and permissive is the same as off).