
11.2.1 Anonymous access mode


May 24, 2021. From the book Linux Should Learn This Way.



As mentioned earlier, anonymous open mode is the least secure of the authentication modes offered by the vsftpd service: anyone can log in to the FTP server without any password check. This mode is normally used only to publish files that are not sensitive (do not keep important files in it in a production environment). You can still add a basic layer of protection with the host access controls described in Chapter 8, such as TCP Wrappers, to restrict the hosts allowed to reach the vsftpd service to the enterprise intranet.

The vsftpd service enables anonymous open mode by default, so all that remains is to grant anonymous users the ability to upload and download files and to create, delete and rename files and directories. Be aware that opening these permissions to anonymous users is genuinely dangerous: a directory that anonymous users can write to and that is also world-readable (anon_umask=022) turns the server into a public drop box for anyone who can reach it. We open them here only to practise configuring vsftpd on a Linux system; do not do this in a production environment. Table 11-2 lists the parameters that can be opened to anonymous users and their effects.

Table 11-2 Parameters that can be opened to anonymous users and their functions

    Parameter                      Function
    anonymous_enable=YES           Allow anonymous access mode
    anon_umask=022                 umask applied to files uploaded by anonymous users
    anon_upload_enable=YES         Allow anonymous users to upload files
    anon_mkdir_write_enable=YES    Allow anonymous users to create directories
    anon_other_write_enable=YES    Allow anonymous users to rename or delete directories and files

Fill these parameters into the main configuration file of the vsftpd service, then save and exit:

    [root@linuxprobe ~]# vim /etc/vsftpd/vsftpd.conf
    anonymous_enable=YES
    anon_umask=022
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES

The vsftpd service must be restarted for the new parameters to take effect. Readers are reminded that in a production environment, and in the RHCSA, RHCE and RHCA certification exams, every service you configure must also be added to the boot items, so that the server still provides normal transfer service after a restart:
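As an added example (not part of the original book text or of vsftpd itself), the following POSIX shell script parses a vsftpd.conf in the format shown above and reports which write operations are open to anonymous users, so the permissive settings from Table 11-2 can be spotted before a server goes live. It embeds two constructed configurations: the permissive one from the table and a read-only alternative. The function and variable names (vsftpd_get, vsftpd_anon_write_risk, the *_CONF samples) are my own. It assumes the defaults documented in the vsftpd.conf manual page: anonymous_enable is YES when the line is absent, the anon_* write options are NO when absent, and write_enable must also be YES for any write to succeed.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for write permissions open to anonymous users.
# Function and variable names are my own, not vsftpd's.

# Constructed sample 1: the permissive configuration from Table 11-2.
VSFTPD_ANON_WRITE_CONF='anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
listen=NO
listen_ipv6=YES'

# Constructed sample 2: a read-only anonymous download server. anonymous_enable is
# deliberately omitted because vsftpd defaults it to YES when the line is missing.
VSFTPD_ANON_RO_CONF='# anonymous users may read /var/ftp/pub but not change anything
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable = no
local_enable=YES
write_enable=YES
listen=NO
listen_ipv6=YES'

# vsftpd_get KEY DEFAULT: read vsftpd.conf syntax on stdin (KEY=VALUE lines, "#"
# comments, surrounding blanks ignored, a later line overrides an earlier one, values
# case-insensitive) and print KEY's value in upper case, or DEFAULT when absent.
vsftpd_get() {
    awk -F= -v k="$1" -v d="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == k) v = val
        }
        END { if (v == "") v = d; print toupper(v) }'
}

# vsftpd_anon_write_risk FILE: print one line per write operation that anonymous users
# can perform and return 0; return 1 when anonymous users cannot change anything.
vsftpd_anon_write_risk() {
    conf=$1
    # anonymous_enable defaults to YES in vsftpd, so an absent line still counts as on.
    [ "$(vsftpd_get anonymous_enable YES < "$conf")" = "YES" ] || return 1
    # write_enable is the global switch: without it no anon_* write option does anything.
    [ "$(vsftpd_get write_enable NO < "$conf")" = "YES" ] || return 1
    risky=1
    for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$(vsftpd_get "$k" NO < "$conf")" = "YES" ]; then
            echo "$k=YES"
            risky=0
        fi
    done
    return "$risky"
}

# Demonstration on the two constructed samples (written to temporary files).
demo_dir=$(mktemp -d)
printf '%s\n' "$VSFTPD_ANON_WRITE_CONF" > "$demo_dir/permissive.conf"
printf '%s\n' "$VSFTPD_ANON_RO_CONF" > "$demo_dir/readonly.conf"
for f in "$demo_dir/permissive.conf" "$demo_dir/readonly.conf"; do
    if findings=$(vsftpd_anon_write_risk "$f"); then
        echo "$f: anonymous users can write:"
        echo "$findings"
    else
        echo "$f: anonymous users cannot change anything"
    fi
done
rm -rf "$demo_dir"
```

Run it against a real file with vsftpd_anon_write_risk /etc/vsftpd/vsftpd.conf; a non-zero exit means anonymous users cannot modify anything, which is the state a production server should be in.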

    [root@linuxprobe ~]# systemctl restart vsftpd
    [root@linuxprobe ~]# systemctl enable vsftpd
    ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'

You can now run the ftp command on the client to connect to the remote FTP server. In the anonymous open authentication mode of vsftpd the account name is always anonymous and the password is empty. After connecting, the default directory is /var/ftp. Switch to its pub subdirectory and try to create a new directory to verify that we have write permission:

    [root@linuxprobe ~]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): anonymous
    331 Please specify the password.
    Password: (just press Enter here; the anonymous password is empty)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> mkdir files
    550 Permission denied.

The system says the operation was denied! We clearly cleared the iptables firewall policy earlier and added the parameters that allow anonymous users to create directories and write files to the main configuration file of vsftpd. We recommend that you not rush on to the answer but first think about how you would solve this, to exercise your Linux troubleshooting ability.

As mentioned earlier, in the anonymous open authentication mode of vsftpd the default directory is /var/ftp. Checking the permissions of /var/ftp/pub shows that only the root administrator can write to it; no wonder the system refuses the operation. vsftpd performs anonymous operations with the privileges of the system account ftp (which already exists on the system), so change the owner of the directory to that account:

    [root@linuxprobe ~]# ls -ld /var/ftp/pub
    drwxr-xr-x. 3 root root 16 Jul 13 14:38 /var/ftp/pub
    [root@linuxprobe ~]# chown -Rf ftp /var/ftp/pub
    [root@linuxprobe ~]# ls -ld /var/ftp/pub
    drwxr-xr-x. 3 ftp root 16 Jul 13 14:38 /var/ftp/pub
    [root@linuxprobe ~]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): anonymous
    331 Please specify the password.
    Password: (just press Enter here; the anonymous password is empty)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> mkdir files
    550 Create directory operation failed.

Wrong again! We logged in with the ftp command and tried to create the directory, and the system still reports that the operation failed, but the error message has changed. When write permission is missing the message is "Permission denied", which is why Mr. Liu first suspected a file-permission problem. Now that the message is "Create directory operation failed", readers should realise that the SELinux service is "getting in the way". Rather than guessing, you can confirm this by looking for a denial record in the audit log, for example with ausearch -m avc -ts recent.

Let's look at the SELinux booleans related to FTP with the getsebool command:

    [root@linuxprobe ~]# getsebool -a | grep ftp
    ftp_home_dir --> off
    ftpd_anon_write --> off
    ftpd_connect_all_unreserved --> off
    ftpd_connect_db --> off
    ftpd_full_access --> off
    ftpd_use_cifs --> off
    ftpd_use_fusefs --> off
    ftpd_use_nfs --> off
    ftpd_use_passive_mode --> off
    httpd_can_connect_ftp --> off
    httpd_enable_ftp_server --> off
    sftpd_anon_write --> off
    sftpd_enable_homedirs --> off
    sftpd_full_access --> off
    sftpd_write_ssh_home --> off
    tftp_anon_write --> off
    tftp_home_dir --> off

From experience (which takes long practice; there is no shortcut) and from the names of the booleans, we can judge that the ftpd_full_access --> off rule is what caused the operation to fail. Note that ftpd_full_access lets vsftpd read and write any file that the ordinary DAC permissions allow, which is far more than this experiment needs; on a real server the narrower choice is ftpd_anon_write together with labelling the upload directory public_content_rw_t. For the experiment, modify the boolean, using the -P parameter so that the change is persistent and the files can still be written after the server restarts:

    [root@linuxprobe ~]# setsebool -P ftpd_full_access=on

Once again, before you go on to the next experiment, remember to restore the virtual machine to its original state so that the experiments do not interfere with each other.

You can now create, rename and delete directories successfully:

    [root@linuxprobe ~]# ftp 192.168.10.10
    Connected to 192.168.10.10 (192.168.10.10).
    220 (vsFTPd 3.0.2)
    Name (192.168.10.10:root): anonymous
    331 Please specify the password.
    Password: (just press Enter here; the anonymous password is empty)
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> mkdir files
    257 "/pub/files" created
    ftp> rename files database
    350 Ready for RNTO.
    250 Rename successful.
    ftp> rmdir database
    250 Remove directory operation successful.
    ftp> exit
    221 Goodbye.