Home > Others

Modify SELinux settings to enable VSFTP to function properly in enforcing security enhance mode

Source: Internet
Author: User
Tags ftp login
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

SELinux and firewall opened, did not expect to lead to the problem of vsftp. FTP Login Error: Oops:cannot change directory. Let's look at the causes and countermeasures for this problem.

First, analyze the cause of the conflict:
1. To lock the user in their home directory, open Chroot_local_user in vsftpd.conf.
So the ftp login user's "/", is passwd in the home path, such as/var/www/a.com/. Prevent FTP users from running to/etc. This setting, FTP login, will automatically execute cwd/var/www/html/www.xxx.com, and this directory is set to the root directory of the FTP process, the user can not leave.

vi/etc/vsftpd/vsftpd.conf

# Specify an explicit list of the Local users to Chroot () to their home
# directory. If Chroot_local_user is YES and then this list becomes a list of
# users to Not Chroot ().
Chroot_local_user=yes
# Chroot_list_enable=yes
# (default follows)
# chroot_list_file=/etc/vsftpd/chroot_list
# Of course you can use the Chroot_list_enable=yes method. However, it is cumbersome to specify the FTP user name one by one in Chroot_list. Also prone to omissions. So it is recommended to use Chroot_local_user to limit.




2. Below, the problem is out. When SELinux is turned on, SELinux prevents the FTP daemon from reading the user home directory. So FTP will throw out a phrase "Oops:cannot change directory". Unable to enter directory, error exits.

There are two solutions:

1. Reduce the SELinux security level and reduce the enforcing to permissive

Vi/etc/sysconfig/selinux

# This file controls the state of the SELinux on the system.
# selinux= can take one of these three values:
# Enforcing-selinux security policy is enforced.
# Permissive-selinux Prints warnings instead of enforcing.
# Disabled-selinux is fully disabled.
selinux=permissive


At this point, the FTP login function is normal. But reducing overall system security as a cost to solve a small problem is not always the best solution.

2. After a study, another more desirable approach was found. First look at the settings for the FTP setting in SELinux:

getsebool-a|grep FTP
allow_ftpd_anon_write --off
allow_ftpd_full_access --off
allow_ftpd_use_cifs --off
Allow_ftpd_use_nfs --off
allow_tftp_anon_write --off
Ftp_home_dir --off
ftpd_connect_db --off
Ftpd_disable_trans --off
Ftpd_is_daemon -On
httpd_enable_ftp_server --off
Tftpd_disable_trans --off



After trying to find, open Ftp_home_dir or Ftpd_disable_trans. Can reach the enforcing level, allowing FTP to log in normally.

# setsebool-p Ftpd_disable_trans 1
or
# setsebool-p Ftp_home_dir 1
# service VSFTPD Restart


Plus-P is the Save option, and you do not have to re-execute this command each time you restart. Finally, don't forget to change the selinux=enforcing in/etc/sysconfig/selinux.

Modify SELinux settings to enable VSFTP to function properly in enforcing security enhance mode

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
how to enhance website modify to how to enable developer mode on android how to enable developer mode on android how to modify table in mysql how to enhance wifi signal how to change security certificate settings in windows 7

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More