vsftpd anonymous upload

I cannot get this to work, and none of the “solutions” I can find using
google search seem to help at all. Has anyone gotten vsftpd configured
correctly to support anonymous uploads?

TIA

Can you post back your vsftpd.conf file? You may want to censor any passwords, etc. you have in there first before posting.

twelveeighty wrote:
> Can you post back your vsftpd.conf file? You may want to censor any
> passwords, etc. you have in there first before posting.

You betcha! I should have done that on the original post.

vsftpd.conf

dirmessage_enable=YES
nopriv_user=ftpsecure
anonymous_enable=YES
anon_world_readable_only=YES
anon_other_write_enable=YES
syslog_enable=YES
connect_from_port_20=YES
pam_service_name=vsftpd
listen=YES
ssl_enable=NO

anon_mkdir_write_enable=YES
anon_root=/srv/ftp
anon_umask=0077
anon_upload_enable=YES
chroot_local_user=NO
file_open_mode=0666
ftpd_banner=Welcome message
idle_session_timeout=900
local_enable=YES
log_ftp_protocol=NO
max_clients=10
max_per_ip=8
pasv_enable=YES
pasv_max_port=40500
pasv_min_port=40000
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
write_enable=YES

Here are a couple of things to check:

  • The user ftpsecure exists and has write-access to your /srv/ftp folder.

  • Turn on logging with log_ftp_protocol=YES and xferlog_enable=YES. Then try a transaction and check the /var/log/vsftpd.log file.

I guess I haven’t asked you the most basic question: what exactly does (not) work? Are you able to log in and download anonymously? Is it just the upload that fails?

Also: is your FTP client using PASV protocol?

twelveeighty wrote:
> Here are a couple of things to check:
>
> * The user ftpsecure exists and has write-access to your /srv/ftp
> folder.
>
> * Turn on logging with log_ftp_protocol=YES and xferlog_enable=YES.
> Then try a transaction and check the /var/log/vsftpd.log file.
>
> I guess I haven’t asked you the most basic question: what exactly does
> (not) work? Are you able to log in and download anonymously? Is it just
> the upload that fails?
>
> Also: is your FTP client using PASV protocol?
>

This is not a new server; it has been running for a while. Anonymous
downloads work. For actual users, both downloads and uploads work. So
far, the only problem I have observed is anonymous uploads do not. When I
attempt that, the file transfer seems to go normally, but at the end, I
get:
553 could not create file.

User “ftpsecure” exists, assuming this simply means there is an entry for
the user in the /etc/passwd file.

You want me to check permissions for /srv/ftp? I thought uploads would go
into the ftpsecure user’s home directory, which is /var/lib/empty. (This
is a strange location as far as I’m concerned. If this is where anonymous
uploads will go, I will want to change this when I get it working. In
fact, see below.)

I confirmed that user “ftpsecure” does have write permission for his own
home directory. Still get the “553 could not create”. I changed this
user’s home directory to /srv/ftpUploads, and made sure he had permission
to write. I still get the same 553 error.

Now looking at “srv/ftp” as the target directory.
If I do “chmod 777 /srv/ftp” I get:
500 OOPS: vsftpd refuses to run with writable anonymous root

So I tried using group permissions:
(user “ftpsecure” changed to be a member of group “ftp”)
chown root:ftp /srv/ftp
chmod 775 /srv/ftp
I still get the same “500 OOPS” error

Now trying direct ownership:
chown ftpsecure:ftp /srv/ftp
chmod 755 /srv/ftp
No “500 OOPS”, but now it goes back to the same “553 could not create file”
error.

The FTP client I am using is FileZilla. It is using PASV.

I do not think it is a transmission problem, but I will activate the logging
you requested, and post the results when available.

Thanks again for helping!

twelveeighty wrote:
> * Turn on logging with log_ftp_protocol=YES and xferlog_enable=YES.
> Then try a transaction and check the /var/log/vsftpd.log file.

Fri Apr 16 08:45:13 2010 [pid 17112] CONNECT: Client “192.168.179.58”
Fri Apr 16 08:45:13 2010 [pid 17111] [ftp] OK LOGIN:
Client “192.168.179.58”, anon password “anon@localhost”
Fri Apr 16 08:45:22 2010 [pid 17115] CONNECT: Client “192.168.179.58”
Fri Apr 16 08:45:22 2010 [pid 17114] [ftp] OK LOGIN:
Client “192.168.179.58”, anon password “anon@localhost”
Fri Apr 16 08:45:23 2010 [pid 17116] [ftp] FAIL UPLOAD:
Client “192.168.179.58”, “/xls2csv-1.06.tar.gz”, 0.00Kbyte/sec
Fri Apr 16 08:50:54 2010 [pid 17174] CONNECT: Client “192.168.179.58”
Fri Apr 16 08:50:55 2010 [pid 17173] [ftpsecure] OK LOGIN:
Client “192.168.179.58”, anon password “anon@localhost”
Fri Apr 16 09:03:40 2010 [pid 17231] CONNECT: Client “192.168.179.58”
Fri Apr 16 09:03:41 2010 [pid 17230] [ftp] OK LOGIN:
Client “192.168.179.58”, anon password “anon@localhost”
Fri Apr 16 09:03:54 2010 [pid 17234] CONNECT: Client “192.168.179.58”
Fri Apr 16 09:03:54 2010 [pid 17233] [ftp] OK LOGIN:
Client “192.168.179.58”, anon password “anon@localhost”
Fri Apr 16 09:03:55 2010 [pid 17235] [ftp] FAIL UPLOAD:
Client “192.168.179.58”, “/xls2csv-1.06.tar.gz”, 0.00Kbyte/sec

Is that filepath serious?!? Is it REALLY trying to write the file into
the / directory?!?

I think you’re close, according to Paranoid Penguin - Secure Anonymous FTP with vsftpd | Linux Journal (http://www.linuxjournal.com/article/7520):

Create an anonymous FTP user account, such as ftp, and make sure its home directory is set to …] (/srv/ftp). Your system already may have such an account. The anonymous ftp user should not be able to write in its home directory, and it should never own any files or directories.

Also try from (‘I’d like to strangle vsftpd - anonymous uploads denied [Archive] - Ubuntu Forums’ (http://ubuntuforums.org/archive/index.php/t-403983.html)):

To enable anonymous uploads you need to create a directory in the ftp root directory that is world writable. So for example by default the ftp area is /home/ftp.

So do:
sudo mkdir /home/ftp/incoming
sudo chmod a+rwx /home/ftp/incoming

Now anon users will be able to upload into /incoming.

You must have the following in your vsftpd.conf:
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES

My suggestion: install yastftpserver packages. They give you all the options to configure vsftpd.

rotfl! After years of using openSUSE and vsftpd, I never clued into that there may be a Yast module for it.

Wow - that’s awesome. I feel stupid and amused at the same time.

I know that feeling. And love it, makes me aware of the fact it’s even better than I already know.

Yast has 2 modules for FTP server, one of them offers a choice between pureftp and vsftp

twelveeighty wrote:

> Larry Bristol;2153514 Wrote:
>> Is that filepath serious?!? Is it REALLY trying to write the file into
>> the / directory?!?
>
> I think you’re close, according to
> (http://www.linuxjournal.com/article/7520):
> …<snip>…

Yes, I used that article when I originally configured the server.
Unfortunately, it apparently does not completely explain what it takes to
get anonymous uploads working.

> Also try from (‘I’d like to strangle vsftpd - anonymous uploads denied
> [Archive] - Ubuntu Forums’
> (http://ubuntuforums.org/archive/index.php/t-403983.html)):

I’ve read that one at least three times. :(

>> To enable anonymous uploads you need to create a directory in the ftp
>> root directory that is world writable. So for example by default the ftp
>> area is /home/ftp.
>>
>> So do:
>> sudo mkdir /home/ftp/incoming
>> sudo chmod a+rwx /home/ftp/incoming
>>
>> Now anon users will be able to upload into /incoming.

For crying out loud. After reading that article again, I found the key
point that had escaped me. There was nothing wrong with my vsftpd.conf
file after all. I was simply trying to make anonymous uploads too
complicated.

I had been trying to upload into the /srv/ftp directory, even though I knew
that was not supposed to be allowed! The answer was so simple, it is
embarrassing! I have now created a world-writable SUBdirectory
(/srv/ftp/uploads). VOILA! Anonymous users can upload into that directory
with no problem.

Sometimes, the answer has to kick you in the face. I think I got confused
by the YAST configuration module for vsftpd. When I tried to enable
anonymous uploads, it offered to create a directory called “ftpSecure”, but
then never actually did so. Maybe that is what created a user by the name
of “ftpsecure”.

At any rate, the problem is SOLVED! Thank you so very much for kicking me
in the face! :)
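
The layout this thread arrives at (an anonymous root the anonymous user cannot write to, plus a writable subdirectory for uploads) can be checked before restarting vsftpd. The script below is an added example and not part of any post; the function names, the numeric uid/gid arguments and the temporary demo tree are assumptions, and it relies on GNU stat.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat; decisions are made
# from mode bits only, so root's permission bypass is deliberately ignored.

# writable_by UID "GID ..." DIR: exit 0 if the mode bits grant write access.
writable_by() {
    w_uid=$1; w_gids=$2
    w_info=$(stat -c '%a %u %g' "$3") || return 2
    set -- $w_info                          # now $1=mode $2=owner uid $3=gid
    w_mode=$((0$1))
    if [ "$w_uid" = "$2" ]; then            # owner: only the u+w bit counts
        [ $((w_mode & 0200)) -ne 0 ]; return
    fi
    for w_g in $w_gids; do                  # group member: only g+w counts
        if [ "$w_g" = "$3" ]; then [ $((w_mode & 0020)) -ne 0 ]; return; fi
    done
    [ $((w_mode & 0002)) -ne 0 ]            # everyone else: o+w
}

# audit_layout UID "GID ..." ANON_ROOT UPLOAD_DIR
# Prints one line per problem; exit 0 only for read-only root + writable subdir.
# Real use: audit_layout "$(id -u ftp)" "$(id -G ftp)" /srv/ftp /srv/ftp/uploads
audit_layout() {
    a_rc=0
    if writable_by "$1" "$2" "$3"; then
        echo "FAIL: $3 is writable (500 OOPS: writable anonymous root)"; a_rc=1
    fi
    if [ "$(stat -c %u "$3")" = "$1" ]; then
        echo "FAIL: $3 is owned by the anonymous user"; a_rc=1
    fi
    case $4 in
        "$3"/?*) ;;
        *) echo "FAIL: $4 is not a subdirectory of $3"; a_rc=1 ;;
    esac
    if ! writable_by "$1" "$2" "$4"; then
        echo "FAIL: $4 is not writable (553 could not create file)"; a_rc=1
    fi
    [ "$a_rc" -eq 0 ] && echo "OK: $3 read-only, $4 accepts uploads"
    return "$a_rc"
}

# Constructed demo: a throwaway tree standing in for /srv/ftp and its uploads
# dir; 1733 (o+wx without o+r) is a constructed choice, not the thread's a+rwx.
demo=$(mktemp -d) && mkdir "$demo/uploads"
chmod 755 "$demo" && chmod 1733 "$demo/uploads"
audit_layout "$(( $(id -u) + 1 ))" "" "$demo" "$demo/uploads"
rm -rf "$demo"
```

With the posted anon_umask=0077 and anon_world_readable_only=YES, uploaded files are created without world-read permission and so cannot be fetched back by other anonymous users; the posted anon_other_write_enable=YES still lets anonymous users delete and rename files.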

Knurpht wrote:

> My suggestion: install yastftpserver packages. They give you all the
> options to configure vsftpd.

I would normally agree that is a good suggestion! I used that initially,
but when it did not seem to work, I started modifying the configuration
file by hand. In this case, unfortunately, it was not actually a
configuration problem. Maybe it was simply a perception problem.

If I could make a recommendation to those who handle the YAST vsftpd
configuration package, it would be to examine the section where it offers
to create a directory called “ftpSecure” and handle it a little better.

No kicking in the face intended, really! I learned from this that there is a Yast module, which makes us all happier. Glad you got your problem fixed.

Not to change the subject here, but when I had my FTP server outside the firewall a while ago it took all but a week for someone trying to attack it with a “dictionary” attack. Would you know off-hand if you can configure a longer timeout when a login fails? If I can set that to 5 seconds or so, that would make it easier to fend off such attacks (since it’ll take forever to crack and they’ll move on or get busted).