With SELinux and the firewall enabled, vsftpd unexpectedly ran into a problem: FTP login fails with the error "OOPS: cannot change directory". Let's look at the cause of this problem and how to fix it.
First, analyze the cause of the conflict:
1. To lock users into their home directory, enable chroot_local_user in vsftpd.conf.
The FTP login user's "/" then becomes the home path given in passwd, such as /var/www/a.com/. This prevents FTP users from wandering into /etc. With this setting, an FTP login automatically executes cwd /var/www/html/www.xxx.com, and that directory becomes the root directory of the FTP process, which the user cannot leave.
vi /etc/vsftpd/vsftpd.conf
# Specify an explicit list of the local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
# chroot_list_enable=YES
# (default follows)
# chroot_list_file=/etc/vsftpd/chroot_list
Of course, you can use the chroot_list_enable=YES method instead. However, listing the FTP user names one by one in chroot_list is cumbersome and prone to omissions, so restricting users with chroot_local_user is recommended.
2. This is where the problem appears. When SELinux is enabled, it prevents the FTP daemon from reading the user's home directory. FTP therefore reports "OOPS: cannot change directory": it cannot enter the directory and exits with an error.
There are two solutions:
1. Lower the SELinux mode from enforcing to permissive
vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
At this point FTP login works normally. But lowering the security of the whole system to solve one small problem is not always the best solution.
2. After some study, a more desirable approach was found. First look at the FTP-related booleans in SELinux:
getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
After some experimentation, it turned out that enabling either ftp_home_dir or ftpd_disable_trans allows FTP to log in normally while SELinux stays at the enforcing level.
# setsebool -P ftpd_disable_trans 1
or
# setsebool -P ftp_home_dir 1
# service vsftpd restart
The -P option saves the setting, so you do not have to re-execute the command after each restart. Finally, don't forget to change the setting back to SELINUX=enforcing in /etc/sysconfig/selinux.
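The check described above, as an added example that is not part of the original article: a shell script that takes the output of getenforce, the output of getsebool -a and the text of vsftpd.conf, and reports whether the chrooted login will be blocked. The function names and the sample data are constructed for illustration. It suggests ftp_home_dir because that boolean only permits access to home directories, whereas ftpd_disable_trans turns off SELinux protection for the FTP daemon as a whole.

```shell
#!/bin/sh
# Added example: diagnose the vsftpd/SELinux conflict from captured command output.
# Function names are this example's own; the sample data below is constructed.

# Print the value (on/off) of boolean $1 from `getsebool -a` output on stdin.
sebool_value() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3; found = 1 }
                      END { if (!found) print "missing" }'
}

# Print YES/NO for chroot_local_user in vsftpd.conf text on stdin (default NO).
chroot_enabled() {
    awk -F= 'BEGIN { v = "NO" }
             /^[ \t]*#/ { next }                      # skip commented-out lines
             $1 == "chroot_local_user" { v = toupper($2) }
             END { print v }'
}

# diagnose MODE GETSEBOOL_OUTPUT VSFTPD_CONF_TEXT
# MODE is what `getenforce` prints: Enforcing, Permissive or Disabled.
diagnose() {
    mode=$1 bools=$2 conf=$3
    home=$(printf '%s\n' "$bools" | sebool_value ftp_home_dir)
    trans=$(printf '%s\n' "$bools" | sebool_value ftpd_disable_trans)
    chroot=$(printf '%s\n' "$conf" | chroot_enabled)
    if [ "$mode" != "Enforcing" ]; then
        echo "not-enforced: SELinux is $mode; set SELINUX=enforcing"
    elif [ "$home" = "on" ] || [ "$trans" = "on" ]; then
        echo "ok: home directory access allowed (chroot_local_user=$chroot)"
    else
        echo "blocked: run 'setsebool -P ftp_home_dir 1' and restart vsftpd"
    fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_BOOLS='allow_ftpd_anon_write --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on'
SAMPLE_CONF='# chroot_list_enable=YES
chroot_local_user=YES'

diagnose Enforcing "$SAMPLE_BOOLS" "$SAMPLE_CONF"
```

On a live system the three arguments would be "$(getenforce)", "$(getsebool -a)" and "$(cat /etc/vsftpd/vsftpd.conf)".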
Modifying the SELinux settings in this way enables vsftpd to function properly in enforcing mode.