fedelibre
(Federico Bruni)
March 8, 2022, 6:52pm
1
I have a printer with scanner capability. I’ve always used samba to send the scans from the printer to my computer, but every time the printer is replaced for some reason (I’m in an office) I have to configure it again and each time there’s a new problem. So I’d like to say goodbye to Samba and try FTP.
I’ve installed vsftpd and I’m trying to understand how to configure the shared folder.
It’s not easy because the tutorials I found on the Internet seem quite out-of-date; same for the man page (for example, the SELinux contexts suggested to allow anonymous write in a directory do not exist, IIUC).
I don’t have much time to invest and I’d be happy to get some help. Do you know some good tutorial on vsftpd? Or maybe similar tools?
Thanks in advance
fedelibre
(Federico Bruni)
March 10, 2022, 4:39pm
3
Thanks, it’s a good article. It helped me to get started.
I don’t like the complex way suggested to disable SSH. IIUC creating a user with the option -s /bin/false of useradd is enough.
SELinux is not covered at all, unfortunately. And I think I’ve just hit a problem with SELinux… or maybe just permissions in general? Here are the logs from journalctl:
mar 10 17:19:56 federico audit[56139]: USER_AUTH pid=56139 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="scan" exe="/usr/sbin/vsftpd" hostname=::ffff:10.0.20.160 addr=::ffff:10.0.20.160 terminal=ftp res=failed'
10.0.20.160 is the IP of the printer.
scan is the new user I created with this command:
useradd -m -s /bin/false -d /var/scan scan
Current SELinux context is:
drwx------. 1 scan scan system_u:object_r:var_t:s0 80 9 mar 19.20 scan
The above message is suggesting that it expects to find system_u:system_r:ftpd_t:s0?
I’ll try changing SELinux contexts and see if it helps.
fedelibre
(Federico Bruni)
March 10, 2022, 5:53pm
4
I first tried setting SELinux to permissive mode, but I got the same error:
mar 10 18:47:56 federico audit[67661]: USER_AUTH pid=67661 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="scan" exe="/usr/sbin/vsftpd" hostname=::ffff:10.0.20.160 addr=::ffff:10.0.20.160 terminal=ftp res=failed'
fedelibre
(Federico Bruni)
March 10, 2022, 6:00pm
5
system_r and ftpd_t don’t seem to be part of SELinux policies.
semanage fcontext -l | grep system_r doesn’t return anything.
ftpd_t doesn’t exist either:
# semanage fcontext -l | grep ftpd
/etc/(x)?inetd\.d/tftp regular file system_u:object_r:tftpd_etc_t:s0
/etc/cron\.monthly/proftpd regular file system_u:object_r:ftpd_exec_t:s0
/etc/proftpd\.conf regular file system_u:object_r:ftpd_etc_t:s0
/etc/rc\.d/init\.d/proftpd regular file system_u:object_r:ftpd_initrc_exec_t:s0
/etc/rc\.d/init\.d/vsftpd regular file system_u:object_r:ftpd_initrc_exec_t:s0
/tftpboot directory system_u:object_r:tftpdir_t:s0
/tftpboot/.* all files system_u:object_r:tftpdir_t:s0
/usr/bin/ftpd regular file system_u:object_r:publicfile_exec_t:s0
/usr/bin/ftpdctl regular file system_u:object_r:ftpdctl_exec_t:s0
/usr/kerberos/sbin/ftpd regular file system_u:object_r:ftpd_exec_t:s0
/usr/lib/systemd/system/proftpd.* regular file system_u:object_r:iptables_unit_file_t:s0
/usr/lib/systemd/system/vsftpd.* regular file system_u:object_r:iptables_unit_file_t:s0
/usr/libexec/webmin/vsftpd/webalizer/xfer_log regular file system_u:object_r:xferlog_t:s0
/usr/sbin/atftpd regular file system_u:object_r:tftpd_exec_t:s0
/usr/sbin/ftpwho regular file system_u:object_r:ftpd_exec_t:s0
/usr/sbin/in\.ftpd regular file system_u:object_r:ftpd_exec_t:s0
/usr/sbin/in\.tftpd regular file system_u:object_r:tftpd_exec_t:s0
/usr/sbin/muddleftpd regular file system_u:object_r:ftpd_exec_t:s0
/usr/sbin/proftpd regular file system_u:object_r:ftpd_exec_t:s0
/usr/sbin/vsftpd regular file system_u:object_r:ftpd_exec_t:s0
/var/lib/tftpboot(/.*)? all files system_u:object_r:tftpdir_rw_t:s0
/var/lock/subsys/*.ftpd regular file system_u:object_r:ftpd_lock_t:s0
/var/log/muddleftpd\.log.* regular file system_u:object_r:xferlog_t:s0
/var/log/proftpd(/.*)? all files system_u:object_r:xferlog_t:s0
/var/log/proftpd\.log regular file system_u:object_r:xferlog_t:s0
/var/log/vsftpd.* regular file system_u:object_r:xferlog_t:s0
/var/run/proftpd.* all files system_u:object_r:ftpd_var_run_t:s0
I’m always confused about SELinux.
Should I install some selinux policy packages?
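An added example, not part of the original thread: a Python sketch that parses the audit record quoted in the posts above and separates what its fields report. subj= is the SELinux context of the process that emitted the record (vsftpd running in the ftpd_t domain), while op=PAM:authentication with res=failed is a PAM result; SELinux denials are logged as AVC records instead. The function names are assumptions made for this example.

```python
import re

# Audit line copied from the thread (journal timestamp and host dropped).
THREAD_RECORD = (
    "audit[56139]: USER_AUTH pid=56139 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 "
    "msg='op=PAM:authentication grantors=? acct=\"scan\" "
    "exe=\"/usr/sbin/vsftpd\" hostname=::ffff:10.0.20.160 "
    "addr=::ffff:10.0.20.160 terminal=ftp res=failed'"
)
# Label of /var/scan copied from the ls -Z output in the thread.
THREAD_DIR_LABEL = "system_u:object_r:var_t:s0"


def parse_context(ctx):
    """Split an SELinux context into user, role, type and level."""
    user, role, setype, level = ctx.split(":", 3)
    # Files and other objects carry the placeholder role object_r; any
    # other role means the context labels a running process (a domain).
    kind = "object" if role == "object_r" else "process"
    return {"user": user, "role": role, "type": setype,
            "level": level, "kind": kind}


def parse_audit(line):
    """Return (record type, key=value fields) of a journal audit line."""
    m = re.search(r"audit\[\d+\]: (\w+) (.*)", line)
    if not m:
        raise ValueError("not an audit record")
    rtype, body = m.groups()
    fields = {}
    # Top-level fields first, then the ones nested inside msg='...'.
    inner = re.search(r"msg='(.*)'", body)
    outer = body[: inner.start()] if inner else body
    for chunk in (outer, inner.group(1) if inner else ""):
        for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', chunk):
            fields[key] = val.strip('"')
    return rtype, fields


def classify(line):
    """Name the subsystem whose decision the record reports."""
    rtype, f = parse_audit(line)
    if rtype == "AVC":
        return "selinux-denial"
    if rtype == "USER_AUTH" and f.get("op", "").startswith("PAM:"):
        return "pam-auth-" + f.get("res", "unknown")
    return "other"


if __name__ == "__main__":
    print(classify(THREAD_RECORD), parse_context(THREAD_DIR_LABEL)["kind"])
```

semanage fcontext -l lists file-labelling rules, so it only ever shows object_r contexts; process domains such as ftpd_t appear in subj= fields and in ps -Z output.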
fedelibre
(Federico Bruni)
March 18, 2022, 11:57am
7
Thanks, these guides seem useful. However, now I’m stuck with this error:
$ sudo passwd ftp
Changing password for user ftp.
passwd: Authentication token manipulation error
I read this tutorial, but it didn’t help much.
I guess I’ll have to use another user.
Try to go in to root first with su and then try to change that if it works by that way.
fedelibre
(Federico Bruni)
March 20, 2022, 8:27pm
9
It doesn’t help:
[fede@fedora ~]$ sudo -i
[root@fedora ~]# passwd ftp
Changing password for user ftp.
passwd: Authentication token manipulation error
I’m on Fedora Silverblue (OStree based), in case it matters.
fedelibre
(Federico Bruni)
March 23, 2022, 3:44pm
10
I tried creating a new user and following the tuxfixer.com guide you linked above, but I suspect it requires the ftp user to be used.
Here’s what I did.
First, let’s add the new user:
sudo useradd -m -s /sbin/nologin -d /var/scan scan
sudo passwd scan
chown -R scan:scan /var/scan
semanage fcontext -a -t public_content_rw_t /var/scan
restorecon -Rvv /var/scan
sudo chmod -R 755 /var/scan
sudo usermod -a -G scan $USER
Let’s configure vsftpd:
echo scan >> /etc/vsftpd/user_list
then change userlist_deny in vsftpd.conf from YES to NO.
The conf file now looks like this:
# grep ^[^#] /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
Let’s start the service:
sudo systemctl start vsftpd
ftp is not available in Silverblue, so I had to use a toolbox container to test the ftp connection:
⬢[fede@toolbox ~]$ ftp localhost
Trying ::1...
Connected to localhost (::1).
220 (vsFTPd 3.0.3)
Name (localhost:fede): scan
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>
221 Goodbye.
I also tried to send a scan from the printer and journalctl shows an SELinux error:
audit[66706]: USER_AUTH pid=66706 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="scan" exe="/usr/sbin/vsftpd" hostname=::ffff:10.0.20.160 addr=::ffff:10.0.20.160 terminal=ftp res=failed'
fedelibre
(Federico Bruni)
March 24, 2022, 3:35pm
11
I’m giving up. My assumption that FTP could have been easier than Samba was obviously wrong.
I’ll use Samba.
mattdm
(Matthew Miller)
March 24, 2022, 8:24pm
12
I think this is actually a good call — ftp is a really old protocol, and has a lot of weird quirks. Not quite sure what’s going on, but my memory of vsftpd config is quite vintage at this point.
Since you’re on Silverblue, things might be a little strange. Depending on your system’s resources, one approach would be to set up Fedora Server in a VM, and use the new Cockpit GUI for file sharing.