On the question "vsftpd: some local users cannot log in", I redid the experiments and describe the problem again

火星人 @ 2014-03-05, reply: 0

Regarding the "vsftpd: some local users cannot log in while others can" problem, I have redone some experiments and restate the problem here together with the results. Could the experts please help look at the possible causes? Thanks!

None of the local accounts that already existed on the system can log in. My /etc/vsftpd/vsftpd.conf is configured as follows:
local_enable=YES
write_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
/etc/pam.d/vsftpd exists and is normal.

The error message on login is the same every time:
500 OOPS: cannot change directory:/home/xxxx
Login failed.
421 Service not available, remote server has closed connection

Their home directories are all /home/xxxx. Permissions on /home and /home/xxxx are 755.
None of the above accounts can log in via FTP; they are all accounts in everyday use that can log in via a shell.

I created a new account usr1,
# useradd -G test -d /tmp/usr1 usr1
and it can log in via FTP. Its home is /tmp/usr1, on the / partition, whereas /home is mounted from /dev/hda9.
# mount
/dev/hdb1 on / type ext3 (rw)
/dev/hda9 on /home type ext2 (rw)

So my guess is: could it be something about the /home partition that causes all "accounts whose home directory is on the /home partition" to fail to log in?

To verify this, I tried creating another account,
useradd -G test -d /home/usr3 usr3
Permissions on /home and /home/usr3 are both 755.

usr3 fails to log in via FTP.
500 OOPS: cannot change directory:/home/usr3
Login failed.
421 Service not available, remote server has closed connection

At this point I think it is safe to conclude that something about the /home partition causes all "accounts whose home directory is on the /home partition" to fail to log in.
《Solution》

A further finding: after setting usr1 to not be placed in the chroot jail and logging in via FTP as usr1, I can cd to /usr and other directories, but I cannot cd to /home; with ls, the /home directory does not even show up.

ftp> ls
227 Entering Passive Mode (219,236,140,49,184,89)
150 Here comes the directory listing.
drwxr-xr-x    4 0        0            4096 Nov 16 10:13 chroot
drwxr-xr-x   10 0        0            5440 Feb 22 05:52 dev
drwxr-xr-x   95 0        0           12288 Feb 22 09:50 etc
drwxr-xr-x   11 0        0            4096 Jul 12  2005 lib
drwxr-xr-x    2 0        0               0 Feb 22 05:52 misc
drwxr-xr-x    2 0        0               0 Feb 22 05:52 net
drwxr-xr-x    3 0        0            4096 Nov 04 13:34 opt
dr-xr-xr-x  127 0        0               0 Feb 22  2006 proc
drwxr-x---   30 0        0            4096 Feb 22 11:53 root
drwxr-xr-x    2 0        0            4096 May 23  2005 srv
drwxr-xr-x   10 0        0               0 Feb 22  2006 sys
drwxrwxrwt   13 0        0            4096 Feb 22 11:30 tmp
drwxr-xr-x   16 0        0            4096 Oct 11 07:13 usr
drwxr-xr-x   27 0        0            4096 Nov 03 05:25 var
226 Directory send OK.

There are 22 directories under /, but ls shows only 14 of them (as above). /sbin and /bin cannot be seen with ls but can be entered with cd; /home cannot be entered with cd.

ftp> cd /
250 Directory successfully changed.
ftp> cd /bin
250 Directory successfully changed.
ftp> cd /sbin
250 Directory successfully changed.
ftp> cd /home
550 Failed to change directory.

Please help take a look, thanks!
《Solution》

Admirable diligence! First of all, some encouragement.

A question: is the system Fedora? Could it be related to SELinux?
《Solution》

I googled a blog post with a problem similar to yours; it looks very likely to be related to SELinux:
http://dogriley.blogspot.com/2005/07/fedora-core-4.html

I finished my second upgrade to Fedora Core 4. Not everything is ironed out yet with the build of course. But one thing is for sure a lot has happened to the RedHat I knew before.

I must say of all the changes, for me the nicest addition is the new SELinux extensions. For deep background on the reasons for and theory of SELinux read, The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

The more I work with SELinux the more I realize I need to know about it, and how exactly it does all its stuff. It certainly changes things relating to users, directories and access. As I am starting to learn it, I'm sure I'm doing things the hard-way. :)

The major difference, so far for me, in Red Hat's SELinux is the way ftp is handled. vsftpd is still the server which is great. However, it seems to be designed to run as a daemon rather than invoked via xinet.d. If you grab a working copy of the xinet.d file for vsftpd you can invoke it via xinet.d wrapper. I did my first server upgrade in this manner. The current one I am trying as a daemon. I certainly think I will miss some of the features that the xinet.d wrapper brings, and may yet return to it.

Of all the issues I saw most notable is if you want to enable chroot directories outside of the normal /home/xxx vsftpd. These will fail with a

    500 OOPS: cannot change directory: /mnt/xxxxx

I was able to use ftp if I logged in with an account with a directory in /home, but once I set a user account to have a home drive outside of /home (in this case on a mounted secondary disk) vsftpd barfs the above.


I found information at the NSA that indicates you can disable SELinux protection of the ftp daemon.

    setsebool -P ftpd_disable_trans 1

This seems a bit drastic. It certainly works for now though.

I think ultimately the issue resides with policies, but as SELinux policies are new to me, it will take time before it all gets sorted out. As I spend time with the new SELinux extensions in Fedora Core 4 I will keep you updated on my thoughts and configuration lessons.
《Solution》

Try
  # setsebool ftpd_disable_trans 1
  # service vsftpd restart
《Solution》

I'm on FC4; I tried the method in your previous post and it was solved immediately. So the cause is definitely SELinux.

Thanks, wolfg!
《Solution》

I ran into this problem on CentOS 5 too, and I knew right away it was SELinux. But I really want to learn something about SELinux configuration; after all, it is the first MAC implemented on personal systems. Yet we all just disable the feature to get what we want, instead of tuning SELinux's parameters to solve the problem. Shouldn't we be doing something about that?
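The last poster's question deserves a concrete answer. The script below is an added example written for this page, not something any poster ran: it reads SELinux AVC denials for vsftpd and maps each one to the narrowest remediation, so the admin can keep vsftpd confined rather than switching its domain off with ftpd_disable_trans. The two audit lines are constructed samples in the format auditd writes (one for an unlabelled directory on a separately mounted /home, one for a correctly labelled home directory), the verdict names (relabel/boolean/review/ignore) are this example's own, and the ftp_home_dir boolean is assumed to exist in the reader's targeted policy (it does on CentOS 5; confirm with getsebool -a | grep ftp).

```shell
#!/bin/sh
# Added example (not from the thread): classify SELinux AVC denials against
# vsftpd and print the least-privilege fix instead of disabling the ftpd domain.

# Constructed sample audit records (not captured from any poster's machine).
# First: a directory on the freshly mounted /home that never received a label.
# Second: a properly labelled home directory that the policy boolean still blocks.
SAMPLE_AVC_UNLABELED='type=AVC msg=audit(1393999999.123:45): avc:  denied  { search } for  pid=1234 comm="vsftpd" name="usr3" dev=hda9 ino=12 scontext=root:system_r:ftpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir'
SAMPLE_AVC_HOMEDIR='type=AVC msg=audit(1393999999.456:46): avc:  denied  { search } for  pid=1234 comm="vsftpd" name="usr3" dev=hda9 ino=12 scontext=root:system_r:ftpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir'

# Extract one key=value field (scontext, tcontext, comm, ...) from an AVC line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# The type is the third colon-separated part of a context (user:role:type[:level]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Verdicts for a vsftpd local-user login failure (names chosen for this example):
#   relabel  - target has no proper label (file_t / unlabeled_t): run restorecon
#   boolean  - target is a home-directory type: turn on ftp_home_dir
#   review   - anything else: inspect with audit2allow before changing policy
#   ignore   - the line is not an AVC denial for the ftpd_t domain
classify_avc() {
    line=$1
    case $line in
        *'avc:  denied'*) ;;
        *) echo ignore; return ;;
    esac
    src=$(ctx_type "$(avc_field scontext "$line")")
    if [ "$src" != ftpd_t ]; then
        echo ignore
        return
    fi
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    case $tgt in
        file_t|unlabeled_t)                      echo relabel ;;
        user_home_dir_t|user_home_t|home_root_t) echo boolean ;;
        *)                                       echo review ;;
    esac
}

# Print the command an admin would run for a verdict. This only prints; it never
# modifies the system. ftp_home_dir is assumed to be present in the policy.
suggest_fix() {
    case $1 in
        relabel) echo "restorecon -Rv /home   # relabel the separately mounted /home partition" ;;
        boolean) echo "setsebool -P ftp_home_dir on   # let vsftpd enter user home directories" ;;
        review)  echo "ausearch -m avc -c vsftpd | audit2allow   # review before building a local module" ;;
        ignore)  echo "no vsftpd denial in this line" ;;
    esac
}

# On a real system feed live audit records through the classifier; where
# ausearch is absent (as in an offline run) fall back to the constructed samples.
main() {
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -c vsftpd 2>/dev/null
    else
        printf '%s\n%s\n' "$SAMPLE_AVC_UNLABELED" "$SAMPLE_AVC_HOMEDIR"
    fi | while IFS= read -r line; do
        verdict=$(classify_avc "$line")
        if [ "$verdict" != ignore ]; then
            echo "$verdict: $(suggest_fix "$verdict")"
        fi
    done
}

main
```

The point of the relabel branch is the thread's own clue: /home lives on a separately mounted ext2 partition, and a filesystem that was never labelled (or was labelled under an older policy) carries types vsftpd's domain is not allowed to search, which also explains why the unchrooted usr1 could not even list /home. The boolean branch is the case the blog post hit for a correctly labelled home directory. Both keep vsftpd inside its confined domain, which is what ftpd_disable_trans throws away.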

[火星人 via ] "On the question 'vsftpd: some local users cannot log in', I redid the experiments and describe the problem again" has had 189 views

http://www.coctec.com/docs/service/show-post-38180.html