許可が拒否されましたProftpd CentOS7

Question

私はProftpdでFTPサーバーを取得しようとしています。 私のユーザーは仮想ユーザーであり、Mysqlサーバーによって管理されています。 私のすべてのユーザーは、/ srv/ftpフォルダにあり、777のchmodを持っています しかし、自分のユーザーと私のサーバーに接続しているとき、サーバーはフォルダを作成できません。 コマンドjournalctl -xeが返信します：

FTPセッションが開かれました。 '/ SRV/FTP /テスト' を作成

エラー：もしDefaultRoot '〜/' を使用することができません[ '/ SRV/FTP /テスト/' に解決]：sushファイルまたはディレクトリ権限がありません

通知を拒否

テストCHDIRは、（ "/"）に失敗しました：いいえsushファイルまたはディレクトリ

FTPセッションは閉じられません。

---

は、ProFTPDのは、GUID 2001

完全にDebianではこの作品でftpgroupというグループ内にあるUID 2001を持つユーザーと呼ばれるFTPUSERを持っていますが、私はCentOSの上でこの仕事を作ることは不可能です。

Thx。

ProFTPDのバージョン：1.3.5e（MAINT） スコアボードのバージョン：01040003 内蔵：水曜日2017年5月3日14時58分47秒UTC

ロードされたモジュール：
mod_quotatab_sql.c
mod_quotatab/1.3.1
mod_sql_mysql/4.0.8
mod_sql/4.3
mod_vroot/0.9.2
mod_ctrls_admin/0.9.7
mod_lang/1.0
mod_ctrls/0.9.5
mod_cap/1.1
mod_memcache/0.1
mod_tls/2.6
mod_auth_pam/1.2
mod_readme/1.0
mod_ident/1.0
mod_dso/0.5
mod_facts/0.4
mod_delay/0.7
mod_site.c
mod_log.c
mod_ls.c
mod_auth.c
mod_auth_file/1.0
mod_auth_unix.c
mod_rlimit/1.0
mod_xfer.cデフォルトのCentOSことで

ServerName   "ProFTPD server" 
ServerIdent   on "FTP Server ready." 
ServerAdmin   root@localhost 
DefaultServer   on 

# Cause every FTP user except adm to be chrooted into their home directory 
DefaultRoot   ~ !adm 

# Use pam to authenticate (default) and be authoritative 
#AuthPAMConfig   proftpd 
#AuthOrder   mod_auth_pam.c* mod_auth_unix.c 
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd 
#PersistentPasswd  off 

# Don't do reverse DNS lookups (hangs on DNS problems) 
UseReverseDNS   off 

# Set the user and group that the server runs as 
User    nobody 
Group    nobody 

# To prevent DoS attacks, set the maximum number of child processes 
# to 20. If you need to allow more than 20 concurrent connections 
# at once, simply increase this value. Note that this ONLY works 
# in standalone mode; in inetd mode you should use an inetd server 
# that allows you to limit maximum number of processes per service 
# (such as xinetd) 
MaxInstances   20 

# Disable sendfile by default since it breaks displaying the download speeds in 
# ftptop and ftpwho 
UseSendfile   off 

# Define the log formats 
LogFormat   default "%h %l %u %t \"%r\" %s %b" 
LogFormat   auth "%v [%P] %h %t \"%r\" %s" 

LoadModule mod_vroot.c 

ModuleControlsACLs  insmod,rmmod allow user root 
ModuleControlsACLs  lsmod allow user * 

# Enable basic controls via ftpdctl 
# (http://www.proftpd.org/docs/modules/mod_ctrls.html) 
ControlsEngine   on 
ControlsACLs   all allow user root 
ControlsSocketACL  allow user * 
ControlsLog   /var/log/proftpd/controls.log 

# Enable admin controls via ftpdctl 
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html) 
<IfModule mod_ctrls_admin.c> 
    AdminControlsEngine  on 
    AdminControlsACLs  all allow user root 
</IfModule> 

# Enable mod_vroot by default for better compatibility with PAM 
# (http://bugzilla.redhat.com/506735) 
<IfModule mod_vroot.c> 
    VRootEngine   on 
</IfModule> 

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html) 
<IfDefine TLS> 
    TLSEngine   on 
    TLSRequired   on 
    TLSRSACertificateFile  /etc/pki/tls/certs/proftpd.pem 
    TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem 
    TLSCipherSuite  ALL:!ADH:!DES 
    TLSOptions   NoCertRequest 
    TLSVerifyClient  off 
    #TLSRenegotiate  ctrl 3600 data 512000 required off timeout 300 
    TLSLog   /var/log/proftpd/tls.log 
    <IfModule mod_tls_shmcache.c> 
    TLSSessionCache  shm:/file=/var/run/proftpd/sesscache 
    </IfModule> 
</IfDefine> 

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html) 
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd 
<IfDefine DYNAMIC_BAN_LISTS> 
    LoadModule   mod_ban.c 
    BanEngine   on 
    BanLog   /var/log/proftpd/ban.log 
    BanTable   /var/run/proftpd/ban.tab 

    # If the same client reaches the MaxLoginAttempts limit 2 times 
    # within 10 minutes, automatically add a ban for that client that 
    # will expire after one hour. 
    BanOnEvent   MaxLoginAttempts 2/00:10:00 01:00:00 

    # Inform the user that it's not worth persisting 
    BanMessage   "Host %a has been banned" 

    # Allow the FTP admin to manually add/remove bans 
    BanControlsACLs  all allow user ftpadm 
</IfDefine> 

# Set networking-specific "Quality of Service" (QoS) bits on the packets used 
# by the server (contrib/mod_qos.html) 
<IfDefine QOS> 
    LoadModule   mod_qos.c 
    # RFC791 TOS parameter compatibility 
    QoSOptions   dataqos throughput ctrlqos lowdelay 
    # For a DSCP environment (may require tweaking) 
    #QoSOptions   dataqos CS2 ctrlqos AF41 
</IfDefine> 

# Global Config - config common to Server Config and all virtual hosts 
# See: http://www.proftpd.org/docs/howto/Vhost.html 
<Global> 

    # Umask 022 is a good standard umask to prevent new dirs and files 
    # from being group and world writable 
    Umask    022 

    # Allow users to overwrite files and change permissions 
    AllowOverwrite  yes 
    <Limit ALL SITE_CHMOD> 
    AllowAll 
    </Limit> 

</Global> 

# A basic anonymous configuration, with an upload directory 
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd 
<IfDefine ANONYMOUS_FTP> 
    <Anonymous ~ftp> 
    User   ftp 
    Group   ftp 
    AccessGrantMsg  "Anonymous login ok, restrictions apply." 

    # We want clients to be able to login with "anonymous" as well as "ftp" 
    UserAlias   anonymous ftp 

    # Limit the maximum number of anonymous logins 
    MaxClients   10 "Sorry, max %m users -- try again later" 

    # Put the user into /pub right after login 
    #DefaultChdir  /pub 

    # We want 'welcome.msg' displayed at login, '.message' displayed in 
    # each newly chdired directory and tell users to read README* files. 
    DisplayLogin  /welcome.msg 
    DisplayChdir  .message 
    DisplayReadme  README* 

    # Cosmetic option to make all files appear to be owned by user "ftp" 
    DirFakeUser   on ftp 
    DirFakeGroup  on ftp 

    # Limit WRITE everywhere in the anonymous chroot 
    <Limit WRITE SITE_CHMOD> 
     DenyAll 
    </Limit> 

    # An upload directory that allows storing files but not retrieving 
    # or creating directories. 
    # 
    # Directory specification is slightly different if mod_vroot is in 
    # use: see http://sourceforge.net/p/proftp/mailman/message/31728570/ 
    #   https://bugzilla.redhat.com/show_bug.cgi?id=1045922 
    <IfModule mod_vroot.c> 
     <Directory /uploads/*> 
     AllowOverwrite  no 
     <Limit READ> 
      DenyAll 
     </Limit> 

     <Limit STOR> 
      AllowAll 
     </Limit> 
     </Directory> 
    </IfModule> 
    <IfModule !mod_vroot.c> 
     <Directory uploads/*> 
     AllowOverwrite  no 
     <Limit READ> 
      DenyAll 
     </Limit> 

     <Limit STOR> 
      AllowAll 
     </Limit> 
     </Directory> 
    </IfModule> 

    # Don't write anonymous accesses to the system wtmp file (good idea!) 
    WtmpLog   off 

    # Logging for the anonymous transfers 
    ExtendedLog   /var/log/proftpd/access.log WRITE,READ default 
    ExtendedLog   /var/log/proftpd/auth.log AUTH auth 

    </Anonymous> 
</IfDefine> 

LoadModule mod_auth.c 
LoadModule mod_sql.c 
LoadModule mod_sql_mysql.c 
LoadModule mod_quotatab.c 
LoadModule mod_quotatab_sql.c 
# The passwords in MySQL are encrypted using CRYPT 
SQLAuthTypes   Plaintext Crypt 
SQLAuthenticate   users groups 

# used to connect to the database 
# databasename@host database_user user_password 
SQLConnectInfo ftp@localhost proftpd password 

# Here we tell ProFTPd the names of the database columns in the "usertable" 
# we want it to interact with. Match the names with those in the db 
SQLUserInfo  ftpuser userid passwd uid gid homedir shell 

# Here we tell ProFTPd the names of the database columns in the "grouptable" 
# we want it to interact with. Again the names match with those in the db 
SQLGroupInfo ftpgroup groupname gid members 

# Here we tell ProFTPd the names of the database columns in the "grouptable" 
# we want it to interact with. Again the names match with those in the db 
SQLGroupInfo ftpgroup groupname gid members 

# set min UID and GID - otherwise these are 999 each 
SQLMinID  500 

# create a user's home directory on demand if it doesn't exist 
CreateHome on 

# Update count every time user logs in 
SQLLog PASS updatecount 
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser 

# Update modified everytime user uploads or deletes a file 
SQLLog STOR,DELE modified 
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser 

# User quotas 
# =========== 
QuotaEngine on 
QuotaDirectoryTally on 
QuotaDisplayUnits Mb 
QuotaShowQuotas on 

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'" 
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" 
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies 
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies 

QuotaLimitTable sql:/get-quota-limit 
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally 
RootLogin off 
RequireValidShell off 

<Directory /srv/ftp> 
Umask 000 000 
AllowOverwrite on 
    <Limit READ> 
     DenyAll 
     </Limit> 

     <Limit STOR CWD MKD RMD DELE XRMD XMKD> 
     AllowAll 
     </Limit> 
</Directory> 

Answer 1

はSELinuxが有効になっている
mod_core.c。あなたの問題に関連するエントリは/var/log/audit/audit.logで確認してください。

sestatus 

あなたがそこにメッセージが表示された場合、あなたはSELinuxのためのカスタムポリシーを作成することができます：SELinuxのは、sshコンソールを介して、または直接サーバーにサーバーの問題に怒鳴るのコマンドを有効になっているかどうかを確認するには

これと同様に、proftpの書き込みアクセスを許可します

grep -i proftp /var/log/audit/audit.log | audit2allow -M myproftppol 

あなたはその後、実行する必要があります：

semodule -i myproftppol.pp 

audit2allowがサーバーにインストールされていない場合、あなたがそれをインストールするには、このコマンドを実行することができますが：

yum install policycoreutils-python 

慎重にログを点検してください。別の方法として、selinuxを本当に必要としない場合はselinuxを無効にすることができますが、これはサーバーのセキュリティに影響を与えます。 Selinuxは素晴らしいですが、ほとんどの時間を設定するのは苦労かもしれません。

ます。また、発行することによって、SELinuxのFTP経由のアクセスを許可することができます。

setsebool -P allow_ftpd_full_access=1