Is it the end for FTP? “ftp_home_dir” Issue
Has the time come for one of the oldest and most popular protocols to be retired? A new problem has arisen that highlights again that FTP has to be on its way out because of its known flaws. In this post I explore this new problem and how I overcame it.
A new problem with vsFTPD
A routine upgrade of one of my main CentOS web servers to Linux release 7.3.1611 (Core) brought down my main FTP service (vsftpd). When I logged in to the server via FTP, I was greeted with a familiar error that pointed to an SELinux issue: it was basically blocking FTP access to the home directories.
Response: 500 OOPS: chroot
Error: Critical error: Could not connect to server
Status: Disconnected from server
To resolve this issue, there is an SELinux boolean you must enable to allow this access. I knew I had already enabled this boolean, so I was surprised to see the error. The next shock was that when I attempted to enable it, I got the new error below:
Boolean ftp_home_dir is not defined
The system doesn’t recognise it as a valid boolean. Not Good.
The Conclusion
It would appear that this boolean has been removed from the OS in the upgrade to RHEL 7.3. Naturally, this has been reported as a bug and is being investigated.
BUG 1406542
While this is being worked on, the only workaround is to apply another boolean, “ftpd_full_access”. Command below:
setsebool -P ftpd_full_access on
This will allow ftpd full access to the system.
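The check-then-fall-back logic behind this workaround, as an added example that is not from the original post: it parses `getsebool -a` output, prefers ftp_home_dir when the policy still defines it, and only prints the setsebool command instead of changing policy. The function names and the two sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the narrowest SELinux boolean this host defines for
# vsftpd home-directory access. Samples below are constructed, not captured.

# Constructed `getsebool -a` excerpt from a host where ftp_home_dir is gone.
SAMPLE_AFTER_UPGRADE='ftpd_anon_write --> off
ftpd_full_access --> off
ftpd_use_passive_mode --> off'

# Constructed excerpt from a host that still defines ftp_home_dir.
SAMPLE_BEFORE_UPGRADE='ftp_home_dir --> on
ftpd_full_access --> off'

# bool_state LISTING NAME: print on/off if NAME is defined, else "undefined".
bool_state() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == n && $2 == "-->" { print $3; found = 1; exit }
        END { if (!found) print "undefined" }'
}

# plan_ftp_boolean LISTING: print the command to run (nothing is executed).
# Returns 1 when neither boolean exists in the loaded policy.
plan_ftp_boolean() {
    for name in ftp_home_dir ftpd_full_access; do
        case $(bool_state "$1" "$name") in
            on)
                echo "none ($name is already on)"; return 0 ;;
            off)
                if [ "$name" = ftpd_full_access ]; then
                    # Fallback path: the narrower boolean is not defined.
                    echo "warning: ftp_home_dir undefined, using broader boolean" >&2
                fi
                echo "setsebool -P $name on"; return 0 ;;
        esac
    done
    echo "no usable FTP boolean defined"
    return 1
}

# Use the live listing when SELinux tools respond, else the constructed sample.
listing=$(getsebool -a 2>/dev/null) || listing=$SAMPLE_AFTER_UPGRADE
plan_ftp_boolean "$listing" || true
```

Re-running the check after a later policy update shows whether ftp_home_dir has come back, at which point ftpd_full_access can be switched off again.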
Maybe it’s time to move away from FTP and let it die gracefully?
It was time to move away from FTP starting in the exact microsecond that OpenSSH gained SCP over SSHv2 capability, many years ago. 😉
But sadly, FTP connects two ends, and sometimes one end is controlled by a problem person or problem organization. Such as a mainframe shop that hates and fears anything that isn’t at least 30 years old, a fairly common thing to encounter in the medical and banking industries.
Those of us trying to run secure servers despite the foibles of our business partners used to be able to count on Red Hat to help us out – we could run vsftpd and micro-manage the FTP transfer to the point where although it was certainly not secure, at least the hazard was primarily on the partner at fault; we didn’t have to compromise our own server security completely.
But not any more, I guess. Yet another Red Hat server will be ripped out because of this – our entire corporate infrastructure was Red Hat driven in 2005, but now we have a hundred Windows servers and about ten Red Hat, basically because RH no longer ships a cost-effective, secure server. Windows is less than half the price for us (Red Hat told us their price is not negotiable) and Red Hat is spending all their programmer time on stuff like systemd and gnome that are meaningful for student laptops, not corporate servers.
Sadly, though, the days of Red Hat helping out with this are done. Their attitude is that FTP should die (and they are right about that) and anyone who has to use FTP is not worth the time and effort of Red Hat.
If you wonder why Red Hat is losing their server dominance, now you know! Attitude and corporate culture are more important to success than anything else; you can’t make a desirable product if you have a bad attitude or culture.