
vsftpd Configuration Options on RHEL

 Harrison.Ding 2012-06-30
The vsftpd FTP daemon runs confined by default. SELinux policy defines how vsftpd interacts with files, processes, and the system in general. For example, when an authenticated user logs in via FTP, they cannot read from or write to files in their home directory: SELinux prevents vsftpd from accessing user home directories by default. Also, by default, vsftpd has no access to NFS or CIFS file systems, and anonymous users have no write access, even if such write access is configured in /etc/vsftpd/vsftpd.conf. Booleans can be turned on to allow each of these kinds of access.
The following example demonstrates an authenticated user logging in, and an SELinux denial when trying to view files in their home directory:
  1. Run rpm -q ftp to see if the ftp package is installed. If it is not, run yum install ftp as the root user to install it.
  2. Run rpm -q vsftpd to see if the vsftpd package is installed. If it is not, run yum install vsftpd as the root user to install it.
  3. In Red Hat Enterprise Linux, vsftpd only allows anonymous users to log in by default. To allow authenticated users to log in, edit /etc/vsftpd/vsftpd.conf as the root user. Make sure the local_enable=YES option is uncommented:
    # Uncomment this to allow local users to log in.
    local_enable=YES
    
    chroot_local_user=YES
    #chroot_list_enable=YES
  4. Run service vsftpd start as the root user to start vsftpd. If the service was running before editing vsftpd.conf, run service vsftpd restart as the root user to apply the configuration changes:
    service vsftpd start
    Starting vsftpd for vsftpd:                                [  OK  ]
    
  5. Run ftp localhost as the user you are currently logged in with. When prompted for your name, make sure your username is displayed. If the correct username is displayed, press Enter, otherwise, enter the correct username:
    $ ftp localhost
    Connected to localhost (127.0.0.1).
    220 (vsFTPd 2.1.0)
    Name (localhost:username):
    331 Please specify the password.
    Password: Enter your password
    500 OOPS: cannot change directory:/home/username
    Login failed.
    ftp>
    
  6. An SELinux denial similar to the following is logged:
    setroubleshoot: SELinux is preventing the ftp daemon from reading users home directories (username). For complete SELinux messages. run sealert -l c366e889-2553-4c16-b73f-92f36a1730ce
    
  7. Access to home directories has been denied by SELinux. This can be fixed by activating the ftp_home_dir Boolean. Enable the ftp_home_dir Boolean by running the following command as the root user:
    # setsebool -P ftp_home_dir=1   # this is important
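The fix above is applied by hand after a denial has already happened. As an added example (not from the original page or from Red Hat), the script below audits the other direction: it reads the uncommented options in vsftpd.conf, works out which SELinux Booleans that configuration needs, compares them with getsebool output, and prints the setsebool commands still missing. Boolean names assumed here are the RHEL 6 era names (ftp_home_dir, allow_ftpd_anon_write); the conf and getsebool samples are constructed, and -P is used so the change survives a reboot.

```shell
#!/bin/sh
# vsftpd SELinux Boolean audit (constructed example, not Red Hat's own tooling).
# Assumption: getsebool prints lines of the form "name --> on|off".

# Constructed sample inputs so the script runs offline.
SAMPLE_CONF='# Uncomment this to allow local users to log in.
local_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
#anon_mkdir_write_enable=YES'

SAMPLE_SEBOOL='ftp_home_dir --> off
allow_ftpd_anon_write --> off
allow_ftpd_use_nfs --> off'

# Print the Booleans the given vsftpd.conf text needs, one per line.
# Only uncommented lines count; a leading # means the option is off.
required_booleans() {
  conf="$1"
  # local users logging in need ftp_home_dir to reach their home directories
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*local_enable=YES'; then
    echo ftp_home_dir
  fi
  # anonymous uploads or mkdir need allow_ftpd_anon_write (RHEL 6 name)
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*anon_(upload|mkdir_write)_enable=YES'; then
    echo allow_ftpd_anon_write
  fi
}

# Return "on", "off", or "unknown" for Boolean $1 given getsebool output $2.
bool_state() {
  printf '%s\n' "$2" | awk -v b="$1" '$1 == b { print $3; found = 1 }
                                      END { if (!found) print "unknown" }'
}

# Print a setsebool -P command for every required Boolean that is not on.
missing_fixes() {
  conf="$1"; sebools="$2"
  for b in $(required_booleans "$conf"); do
    if [ "$(bool_state "$b" "$sebools")" != "on" ]; then
      echo "setsebool -P $b=1"
    fi
  done
}

# Same audit against the live host, when the conf and getsebool are present.
audit_live() {
  [ -r /etc/vsftpd/vsftpd.conf ] && command -v getsebool >/dev/null 2>&1 || return 1
  missing_fixes "$(cat /etc/vsftpd/vsftpd.conf)" "$(getsebool -a)"
}

missing_fixes "$SAMPLE_CONF" "$SAMPLE_SEBOOL"
```

On the constructed sample the script prints two commands, one for ftp_home_dir and one for allow_ftpd_anon_write; on a host where both are already on it prints nothing.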
