Hello,
I have a network scanner that can save scans to an FTP server, with two configurable buttons, one for single-sided and one for double-sided. It's simple and fast, and there's no need to have the computer switched on for most scans. If I need more customisation I go through Simple Scan.
So I installed vsftpd on my server and I only enable the anonymous session. FTP really serves me only for that. Logically the anonymous user is mapped to the ftp user from /etc/passwd. So I set the permissions on /var/ftp:
# ls -la /var/ftp/
drwxr-xr-x. 5 root root 4096 10 mai 21:07 .
drwxr-xr-x. 21 root root 4096 2 mai 22:10 ..
drwxr-xr-x. 2 ftp ftp 4096 29 jan 07:13 pub
drwxrwx---. 3 ftp ftp 4096 3 mai 22:46 uploads
-rw-r--r--. 1 ftp ftp 224 19 fév 2020 welcome.msg
# ls -la /var/ftp/uploads/
-rw-------. 1 ftp ftp 0 3 mai 22:46 'markdown document.md'
drwx------. 2 ftp ftp 4096 3 mai 22:45 'Nouveau dossier'
-rw-r-----. 1 ftp ftp 522138 4 avr 2020 scan__002241.pdf
-rw-r-----. 1 ftp ftp 640005 4 avr 2020 scan__002247.pdf
-rw-r-----. 1 ftp ftp 493316 4 avr 2020 scan__002260.pdf
-rw-r-----. 1 ftp ftp 153427 4 avr 2020 scan__002269.pdf
-rw-r-----. 1 ftp ftp 93734 19 avr 2020 scan__002270.pdf
-rw-r-----. 1 ftp ftp 308203 19 avr 2020 scan__002271.pdf
-rw-r-----. 1 ftp ftp 398435 19 avr 2020 scan__002284.pdf
-rw-r-----. 1 ftp ftp 117582 12 mai 2020 scan__002294.pdf
So I connect,
I enter the `uploads` directory and there I see nothing; yet I was able to create `Nouveau dossier` and `markdown document.md`, but even after refreshing they don't appear in the client (FileZilla, Nemo).
I nevertheless checked that the process is indeed running as the ftp user:
# ps aux | grep vsftp
root 887 0.0 0.0 8112 428 ? Ss mai06 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
nobody 18275 0.0 0.1 17204 2868 ? Ss 21:23 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
ftp 18277 0.5 0.2 31356 4148 ? S 21:23 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
If I understand correctly, the process running as root is the service in the "background", the process running as ftp is the instance while an anonymous user is connected, and the nobody process is for logging.
# lsof -p 887
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
vsftpd 887 root cwd DIR 8,5 4096 2 /
vsftpd 887 root rtd DIR 8,5 4096 2 /
vsftpd 887 root txt REG 8,5 171968 1070935 /usr/sbin/vsftpd
vsftpd 887 root mem REG 8,5 32696 1052638 /usr/lib64/libcap-ng.so.0.0.0
vsftpd 887 root mem REG 8,5 103184 1052535 /usr/lib64/libz.so.1.2.11
vsftpd 887 root mem REG 8,5 37288 1052041 /usr/lib64/libdl-2.33.so
vsftpd 887 root mem REG 8,5 1911064 1052043 /usr/lib64/libm-2.33.so
vsftpd 887 root mem REG 8,5 36768 1054879 /usr/lib64/libeconf.so.0.3.8
vsftpd 887 root mem REG 8,5 131552 1052643 /usr/lib64/libaudit.so.1.0.0
vsftpd 887 root mem REG 8,5 301592 1052053 /usr/lib64/libpthread-2.33.so
vsftpd 887 root mem REG 8,5 3228320 1052039 /usr/lib64/libc-2.33.so
vsftpd 887 root mem REG 8,5 3096376 1056660 /usr/lib64/libcrypto.so.1.1.1k
vsftpd 887 root mem REG 8,5 37672 1052586 /usr/lib64/libcap.so.2.48
vsftpd 887 root mem REG 8,5 69976 1056427 /usr/lib64/libpam.so.0.85.1
vsftpd 887 root mem REG 8,5 646384 1056662 /usr/lib64/libssl.so.1.1.1k
vsftpd 887 root mem REG 8,5 300160 1052032 /usr/lib64/ld-2.33.so
vsftpd 887 root 3u IPv4 26265 0t0 TCP *:ftp (LISTEN)
# lsof -p 18277
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
vsftpd 18277 ftp cwd DIR 8,5 4096 130839 /var/ftp
vsftpd 18277 ftp rtd DIR 8,5 4096 130839 /var/ftp
vsftpd 18277 ftp txt REG 8,5 171968 1070935 /usr/sbin/vsftpd
vsftpd 18277 ftp mem REG 8,5 40192 1052648 /usr/lib64/libffi.so.6.0.2
vsftpd 18277 ftp mem REG 8,5 618856 1052755 /usr/lib64/libpcre2-8.so.0.10.1
vsftpd 18277 ftp mem REG 8,5 108344 1046547 /usr/lib64/libgcc_s-11-20210428.so.1
vsftpd 18277 ftp mem REG 8,5 1289072 1052695 /usr/lib64/libp11-kit.so.0.3.0
vsftpd 18277 ftp mem REG 8,5 202008 1052542 /usr/lib64/libcrypt.so.2.0.0
vsftpd 18277 ftp mem REG 8,5 171376 1052805 /usr/lib64/libselinux.so.1
vsftpd 18277 ftp mem REG 8,5 324392 1056777 /usr/lib64/libnss_systemd.so.2
vsftpd 18277 ftp mem REG 8,5 78992 1052051 /usr/lib64/libnss_files-2.33.so
vsftpd 18277 ftp mem REG 8,5 11567160 131526 /var/lib/sss/mc/initgroups
vsftpd 18277 ftp mem REG 8,5 9253600 131528 /var/lib/sss/mc/passwd
vsftpd 18277 ftp mem REG 8,5 49672 1061634 /usr/lib64/libnss_sss.so.2
vsftpd 18277 ftp mem REG 8,5 32696 1052638 /usr/lib64/libcap-ng.so.0.0.0
vsftpd 18277 ftp mem REG 8,5 103184 1052535 /usr/lib64/libz.so.1.2.11
vsftpd 18277 ftp mem REG 8,5 37288 1052041 /usr/lib64/libdl-2.33.so
vsftpd 18277 ftp mem REG 8,5 1911064 1052043 /usr/lib64/libm-2.33.so
vsftpd 18277 ftp mem REG 8,5 36768 1054879 /usr/lib64/libeconf.so.0.3.8
vsftpd 18277 ftp mem REG 8,5 131552 1052643 /usr/lib64/libaudit.so.1.0.0
vsftpd 18277 ftp mem REG 8,5 301592 1052053 /usr/lib64/libpthread-2.33.so
vsftpd 18277 ftp mem REG 8,5 3228320 1052039 /usr/lib64/libc-2.33.so
vsftpd 18277 ftp mem REG 8,5 3096376 1056660 /usr/lib64/libcrypto.so.1.1.1k
vsftpd 18277 ftp mem REG 8,5 37672 1052586 /usr/lib64/libcap.so.2.48
vsftpd 18277 ftp mem REG 8,5 69976 1056427 /usr/lib64/libpam.so.0.85.1
vsftpd 18277 ftp mem REG 8,5 646384 1056662 /usr/lib64/libssl.so.1.1.1k
vsftpd 18277 ftp mem REG 8,5 77680 1052057 /usr/lib64/librt-2.33.so
vsftpd 18277 ftp mem REG 8,5 300160 1052032 /usr/lib64/ld-2.33.so
vsftpd 18277 ftp 0u IPv4 6374936 0t0 TCP mamachine.mondomaine.fr:ftp->192.168.35.23:46594 (ESTABLISHED)
vsftpd 18277 ftp 1u IPv4 6374936 0t0 TCP mamachine.mondomaine.fr:ftp->192.168.35.23:46594 (ESTABLISHED)
vsftpd 18277 ftp 2u IPv4 6374936 0t0 TCP mamachine.mondomaine.fr:ftp->192.168.35.23:46594 (ESTABLISHED)
vsftpd 18277 ftp 3r REG 8,5 9253600 131528 /var/lib/sss/mc/passwd
vsftpd 18277 ftp 4w REG 8,5 126 133807 /var/log/xferlog
vsftpd 18277 ftp 5r REG 8,5 11567160 131526 /var/lib/sss/mc/initgroups
vsftpd 18277 ftp 6u unix 0x0000000053814d77 0t0 6375849 type=STREAM (CONNECTED)
vsftpd 18277 ftp 7u unix 0x000000001a7e522a 0t0 6374940 type=STREAM (CONNECTED)
# lsof -p 18275
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
vsftpd 18275 nobody cwd DIR 8,5 4096 1179067 /usr/share/empty
vsftpd 18275 nobody rtd DIR 8,5 4096 1179067 /usr/share/empty
vsftpd 18275 nobody txt REG 8,5 171968 1070935 /usr/sbin/vsftpd
vsftpd 18275 nobody mem REG 8,5 9253600 131528 /var/lib/sss/mc/passwd
vsftpd 18275 nobody mem REG 8,5 49672 1061634 /usr/lib64/libnss_sss.so.2
vsftpd 18275 nobody mem REG 8,5 32696 1052638 /usr/lib64/libcap-ng.so.0.0.0
vsftpd 18275 nobody mem REG 8,5 103184 1052535 /usr/lib64/libz.so.1.2.11
vsftpd 18275 nobody mem REG 8,5 37288 1052041 /usr/lib64/libdl-2.33.so
vsftpd 18275 nobody mem REG 8,5 1911064 1052043 /usr/lib64/libm-2.33.so
vsftpd 18275 nobody mem REG 8,5 36768 1054879 /usr/lib64/libeconf.so.0.3.8
vsftpd 18275 nobody mem REG 8,5 131552 1052643 /usr/lib64/libaudit.so.1.0.0
vsftpd 18275 nobody mem REG 8,5 301592 1052053 /usr/lib64/libpthread-2.33.so
vsftpd 18275 nobody mem REG 8,5 3228320 1052039 /usr/lib64/libc-2.33.so
vsftpd 18275 nobody mem REG 8,5 3096376 1056660 /usr/lib64/libcrypto.so.1.1.1k
vsftpd 18275 nobody mem REG 8,5 37672 1052586 /usr/lib64/libcap.so.2.48
vsftpd 18275 nobody mem REG 8,5 69976 1056427 /usr/lib64/libpam.so.0.85.1
vsftpd 18275 nobody mem REG 8,5 646384 1056662 /usr/lib64/libssl.so.1.1.1k
vsftpd 18275 nobody mem REG 8,5 300160 1052032 /usr/lib64/ld-2.33.so
vsftpd 18275 nobody 0u IPv4 6374936 0t0 TCP mamachine.mondomaine.fr:ftp->192.168.35.23:46594 (ESTABLISHED)
vsftpd 18275 nobody 1u IPv4 6374936 0t0 TCP mamachine.mondomaine.fr:ftp->192.168.35.23:46594 (ESTABLISHED)
vsftpd 18275 nobody 2u IPv4 6374936 0t0 TCP mamachine.mondomaine.fr:ftp->192.168.35.23:46594 (ESTABLISHED)
vsftpd 18275 nobody 3r REG 8,5 9253600 131528 /var/lib/sss/mc/passwd
vsftpd 18275 nobody 4w REG 8,5 126 133807 /var/log/xferlog
vsftpd 18275 nobody 5u unix 0x000000009ee21066 0t0 6375848 type=STREAM (CONNECTED)
The SELinux permissions look correct to me:
# getsebool allow_ftpd_anon_write
ftpd_anon_write --> on
# getsebool allow_ftpd_full_access
ftpd_full_access --> on
It bothers me to have to set read permissions for others, and above all not to understand why.
Would you have any explanations? Thanks in advance.
[EDIT]
# cat /etc/vsftpd/vsftpd.conf
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#anon_root=/var/ftp
ftp_username=ftp
no_anon_password=YES
#
# Uncomment this to allow local users to log in.
local_enable=NO
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=
banner_file=/var/ftp/welcome.msg
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
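The following bash script is an added example and is not part of the original post or of vsftpd itself. It models two pieces of vsftpd behaviour that explain a listing like the one above. First, `anon_world_readable_only` defaults to YES, and vsftpd.conf(5) describes it as letting the anonymous user download only files that are world-readable; vsftpd applies the same world-readable test when it builds the directory listing it returns to an anonymous session, so entries without the "other" read bit are simply left out of LIST output. Second, anonymous uploads are created under `anon_umask`, which defaults to 077 and is separate from the `local_umask=022` in the posted config (that one only affects local users, which are disabled here), so new uploads land as 0600 files and 0700 directories. The sample listing inside the script is constructed from the shape of the post's `ls -la` output and the names are illustrative; the function names are the example's own.

```bash
#!/bin/bash
# Added example (not from the original post or from vsftpd).
# Assumptions, stated plainly:
#  - anon_world_readable_only=YES (the default) hides entries that are not
#    world-readable from anonymous sessions, both for RETR and for LIST.
#  - anon_umask=077 (the default) is what anonymous uploads are created
#    under; local_umask does not apply to the anonymous user.
#  - SAMPLE_LISTING is constructed to look like the post's ls -la output.

SAMPLE_LISTING='-rw-------. 1 ftp ftp 0 3 mai 22:46 markdown document.md
drwx------. 2 ftp ftp 4096 3 mai 22:45 Nouveau dossier
-rw-r-----. 1 ftp ftp 522138 4 avr 2020 scan__002241.pdf
-rw-r--r--. 1 ftp ftp 224 19 fév 2020 welcome.msg'

# anon_visible MODESTRING: succeed if an anonymous session would see the
# entry. In an ls mode string the first character is the type and the
# next nine are rwx for user, group and other, so the "other" read bit is
# the 8th character; the trailing "." (SELinux label) falls under the "*".
anon_visible() {
  case "$1" in
    ???????r*) return 0 ;;
    *)         return 1 ;;
  esac
}

# hidden_entries: print, one name per line, the entries of SAMPLE_LISTING
# that the anonymous user would not get back from LIST.
# Field layout of a line: mode links user group size day month time name...
hidden_entries() {
  printf '%s\n' "$SAMPLE_LISTING" | while IFS= read -r line; do
    mode=${line%% *}
    name=$(printf '%s\n' "$line" | cut -d' ' -f9-)
    anon_visible "$mode" || printf '%s\n' "$name"
  done
}

# anon_upload_mode UMASK: octal mode of a new anonymous upload for a given
# anon_umask value (files are requested as 0666, then masked).
anon_upload_mode() {
  printf '%04o\n' $(( 0666 & ~0$1 ))
}

# anon_mkdir_mode UMASK: same computation for a directory created by MKD
# (requested as 0777, then masked).
anon_mkdir_mode() {
  printf '%04o\n' $(( 0777 & ~0$1 ))
}

main() {
  echo "Entries an anonymous client would not see in LIST:"
  hidden_entries | sed 's/^/  /'
  echo
  echo "Upload mode with the default anon_umask=077: $(anon_upload_mode 077)"
  echo "Upload mode with anon_umask=022:             $(anon_upload_mode 022)"
  echo "MKD mode with the default anon_umask=077:    $(anon_mkdir_mode 077)"
}

main "$@"
```

Two configuration changes make the uploads reappear, and they carry different consequences. Setting `anon_umask=022` in vsftpd.conf creates new uploads as 0644 (directories 0755), so they pass the world-readable test; the files already on disk still need a `chmod o+r`. Setting `anon_world_readable_only=NO` instead leaves the on-disk modes alone and lets the anonymous user list and fetch anything the ftp user can read. In both cases every anonymous client on the network can download every scan, which is inherent to an anonymous-only server; the 0770 `ftp:ftp` mode on `/var/ftp/uploads` still keeps other local accounts out. If the scans should not be retrievable over FTP at all, the defaults already give a write-only drop box: keep them and collect the files from the server side over another channel.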