Pure-FTPD : How to make anonymous/ftp user allowed to rename and delete file?

Question

I have some kind of problem. I'm setting up hobby local ftp server in trusted network. I want to allow anon/ftp user to able to delete and rename file, but after many attempt tinkering with /etc/pure-ftpd/pure-ftpd.conf, yield no result. I'm on Fedora 38, using pure-ftpd version 1.0.51. I also set /var/ftpd to be allowed to written, and the default file is permission is 777 for folder and 666 for generated file. I also try to enable allow anon ftpd write in sebool, and so far no error generated from SELINUX. I also tried to let selinux permissive, and it doesn't raise any error on /var/log/audit/audit.log

This is my pure-ftpd config

############################################################
#                                                          #
#             Configuration file for pure-ftpd             #
#                                                          #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf
#
# Online documentation:
# https://www.pureftpd.org/project/pure-ftpd/doc


# Restrict users to their home directory

ChrootEveryone               yes



# If the previous option is set to "no", members of the following group
# won't be restricted. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

# TrustedGID                   100



# Turn on compatibility hacks for broken clients

BrokenClientsCompatibility   no



# Maximum number of simultaneous users

MaxClientsNumber             100



# Run as a background process
# Important: this must be set to 'yes' for the systemd service to work.
Daemonize                    yes



# Maximum number of simultaneous clients with the same IP address

MaxClientsPerIP              16



# If you want to log all client commands, set this to "yes".
# This directive can be specified twice to also log server responses.

VerboseLog                   no



# List dot-files even when the client doesn't send "-a".

DisplayDotFiles              yes



# Disallow authenticated users - Act only as a public FTP server.

AnonymousOnly                yes



# Disallow anonymous connections. Only accept authenticated users.

NoAnonymous                  no



# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.

SyslogFacility               ftp



# Display fortune cookies

# FortunesFile                 /usr/share/fortune/zippy



# Don't resolve host names in log files. Recommended unless you trust
# reverse host names, and don't care about DNS resolution being possibly slow.

DontResolve                  yes



# Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime                  15



# LDAP configuration file (see README.LDAP)

# LDAPConfigFile               @sysconfigdir@/pureftpd-ldap.conf



# MySQL configuration file (see README.MySQL)

# MySQLConfigFile              @sysconfigdir@/pureftpd-mysql.conf


# PostgreSQL configuration file (see README.PGSQL)

# PGSQLConfigFile              @sysconfigdir@/pureftpd-pgsql.conf


# PureDB user database (see README.Virtual-Users)

# PureDB                       @sysconfigdir@/pureftpd.pdb


# Path to pure-authd socket (see README.Authentication-Modules)

# ExtAuth                      /var/run/ftpd.sock



# If you want to enable PAM authentication, uncomment the following line

PAMAuthentication            yes



# If you want simple Unix (/etc/passwd) authentication, uncomment this

# UnixAuthentication           yes



# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used specified once, but can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be used first. If the SQL authentication fails because the
# user wasn't found, a new attempt will be done using system authentication.
# If the SQL authentication fails because the password didn't match, the
# authentication chain stops here. Authentication methods are chained in
# the order they are given.



# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth.

LimitRecursion               10000 8



# Are anonymous users allowed to create new directories?

AnonymousCanCreateDirs       yes



# If the system load is greater than the given value, anonymous users
# aren't allowed to download.

MaxLoad                      64



# Port range for passive connections - keep it as broad as possible.

# PassivePortRange             30000 50000



# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

# ForcePassiveIP               192.168.0.1



# Upload/download ratio for anonymous users.

# AnonymousRatio               1 10



# Upload/download ratio for all users.
# This directive supersedes the previous one.

# UserRatio                    1 10



# Disallow downloads of files owned by the "ftp" system user;
# files that were uploaded but not validated by a local admin.

AntiWarez                    yes



# IP address/port to listen to (default=all IP addresses, port 21).

# Bind                         127.0.0.1,21



# Maximum bandwidth for anonymous users in KB/s

# AnonymousBandwidth           8



# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, not both.

# UserBandwidth                8



# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.

Umask                        111:011



# Minimum UID for an authenticated user to log in.
# For example, a value of 100 prevents all users whose user id is below
# 100 from logging in. If you want "root" to be able to log in, use 0.

MinUID                       1000


# Allow FXP transfers for authenticated users.

AllowUserFXP                 no



# Allow anonymous FXP for anonymous and non-anonymous users.

AllowAnonymousFXP            no



# Users can't delete/write files starting with a dot ('.')
# even if they own them. But if TrustedGID is enabled, that group
# will exceptionally have access to dot-files.

ProhibitDotFilesWrite        no



# Prohibit *reading* of files starting with a dot (.history, .ssh...)

ProhibitDotFilesRead         no



# Don't overwrite files. When a file whose name already exist is uploaded,
# it gets automatically renamed to file.1, file.2, file.3, ...

AutoRename                   no



# Prevent anonymous users from uploading new files (no = upload is allowed)

AnonymousCantUpload          no



# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (such as 10.x.x.x) for
# authenticated users, and run a public anon-only FTP server on another IP.

# TrustedIP                    10.1.1.1



# To add the PID to log entries, uncomment the following line.

# LogPID                       yes



# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Apr/2017:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by common HTTP traffic analyzers.

AltLog                       clf:/var/log/pureftpd.log



# Create an additional log file with transfers logged in a format optimized
# for statistic reports.

# AltLog                       stats:/var/log/pureftpd.log



# Create an additional log file with transfers logged in the standard W3C
# format (compatible with many HTTP log analyzers)

# AltLog                       w3c:/var/log/pureftpd.log



# Disallow the CHMOD command. Users cannot change perms of their own files.

NoChmod                      no



# Allow users to resume/upload files, but *NOT* to delete them.

KeepAllFiles                 no



# Automatically create home directories if they are missing

CreateHomeDir                yes



# Enable virtual quotas. The first value is the max number of files.
# The second value is the maximum size, in megabytes.
# So 1000:10 limits every user to 1000 files and 10 MB.

# Quota                        1000:10



# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid

#PIDFile                     /var/run/pure-ftpd.pid



# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# Don't enable this option if you don't actually use pure-uploadscript.

# CallUploadScript             yes



# This option is useful on servers where anonymous upload is
# allowed. When the partition is more that percententage full,
# new uploads are disallowed.

MaxDiskUsage                   49



# Set to 'yes' to prevent users from renaming files.

NoRename                     no



# Be 'customer proof': forbids common customer mistakes such as
# 'chmod 0 public_html', that are valid, but can cause customers to
# unintentionally shoot themselves in the foot.

CustomerProof                yes



# Per-user concurrency limits. Will only work if the FTP server has
# been compiled with --with-peruserlimits.
# Format is: <max sessions per user>:<max anonymous sessions>
# For example, 3:20 means that an authenticated user can have up to 3 active
# sessions, and that up to 20 anonymous sessions are allowed.

# PerUserLimits                3:20



# When a file is uploaded and there was already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# The file will be stored under a temporary name and once the upload is
# complete, it will be atomically renamed. For example, when a large PHP
# script is being uploaded, the web server will keep serving the old version and
# later switch to the new one as soon as the full file will have been
# transferred. This option is incompatible with virtual quotas.

# NoTruncate                   yes



# This option accepts three values:
# 0: disable SSL/TLS encryption layer (default).
# 1: accept both cleartext and encrypted sessions.
# 2: refuse connections that don't use the TLS security mechanism,
#    including anonymous sessions.
# Do _not_ uncomment this blindly. Double check that:
# 1) The server has been compiled with TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS                          1


# Cipher suite for TLS sessions.
# The default suite is secure and setting this property is usually
# only required to *lower* the security to cope with legacy clients.
# Prefix with -C: in order to require valid client certificates.
# If -C: is used, make sure that clients' public keys are present on
# the server.

# TLSCipherSuite               HIGH



# Certificate file, for TLS
# The certificate itself and the keys can be bundled into the same
# file or split into two files.
# CertFile is for a cert+key bundle, CertFileAndKey for separate files.
# Use only one of these.

# CertFile                     /etc/ssl/private/pure-ftpd.pem
# CertFileAndKey               "/etc/pure-ftpd.pem" "/etc/pure-ftpd.key"



# Unix socket of the external certificate handler, for TLS

# ExtCert                      /var/run/ftpd-certs.sock


# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.

# IPV4Only                     yes



# Listen only to IPv6 addresses in standalone mode (i.e. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.

The Folder Owner and SELINUX Context :

[ben@TP-X220 ftp]$ pwd
/var/ftp
[ben@TP-X220 ftp]$ ls -lahRZ 
.:
total 0
drwxr-xr-x. 1 ftp  ftp  system_u:object_r:public_content_t:s0       6 2023-06-13 08:02 .
drwxr-xr-x. 1 root root system_u:object_r:var_t:s0                194 2023-05-07 08:25 ..
drwxrwxrwx. 1 ftp  ftp  unconfined_u:object_r:public_content_t:s0  58 2023-06-13 08:28 sql

./sql:
total 16K
drwxrwxrwx. 1 ftp ftp unconfined_u:object_r:public_content_t:s0  58 2023-06-13 08:28 .
drwxr-xr-x. 1 ftp ftp system_u:object_r:public_content_t:s0       6 2023-06-13 08:02 ..
-rw-rw-rw-. 1 ftp ftp system_u:object_r:public_content_t:s0     244 2023-06-13 08:28 coba.py
-rw-rw-rw-. 1 ftp ftp system_u:object_r:public_content_t:s0       0 2023-06-13 08:06 coba.txt
-rw-rw-rw-. 1 ftp ftp system_u:object_r:public_content_t:s0     12K 2023-06-13 08:08 pure-ftpd.conf

This is the semanage boolean -l

[ben@TP-X220 ftp]$ getenforce
Permissive
[ben@TP-X220 ftp]$ sudo semanage boolean -l | grep ftp
ftpd_anon_write                (on   ,   on)  Allow ftpd to anon write
ftpd_connect_all_unreserved    (off  ,  off)  Allow ftpd to connect all unreserved
ftpd_connect_db                (off  ,  off)  Allow ftpd to connect db
ftpd_full_access               (on   ,   on)  Allow ftpd to full access
ftpd_use_cifs                  (off  ,  off)  Allow ftpd to use cifs
ftpd_use_fusefs                (off  ,  off)  Allow ftpd to use fusefs
ftpd_use_nfs                   (off  ,  off)  Allow ftpd to use nfs
ftpd_use_passive_mode          (on   ,   on)  Allow ftpd to use passive mode
httpd_can_connect_ftp          (off  ,  off)  Allow httpd to can connect ftp
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to enable ftp server
tftp_anon_write                (off  ,  off)  Allow tftp to anon write
tftp_home_dir                  (off  ,  off)  Allow tftp to home dir

The output of the ftp client when delete

ftp> ls -lah
229 Extended Passive mode OK (|||54365|)
150 Accepted data connection
drwxrwxrwx    1 14         50                 58 Jun 13 08:28 .
drwxr-xr-x    1 0          0                   6 Jun 13 08:02 ..
-rw-rw-rw-    1 14         50                244 Jun 13 08:28 coba.py
-rw-rw-rw-    1 14         50                  0 Jun 13 08:06 coba.txt
-rw-rw-rw-    1 14         50              11487 Jun 13 08:08 pure-ftpd.conf
226-Options: -a -l 
226 5 matches total
ftp> delete coba.py
550 Anonymous users can not delete files
ftp> cd /
ftp> ls -lah
229 Extended Passive mode OK (|||65372|)
150 Accepted data connection
drwxrwxrwx    1 14         50                 12 Jun 13 09:31 .
drwxrwxrwx    1 14         50                 12 Jun 13 09:31 ..
drwxrwxrwx    1 14         50                  0 Jun 13 09:31 ben
drwxrwxrwx    1 14         50                 58 Jun 13 08:28 sql
226-Options: -a -l 
226 4 matches total
ftp> rm ben
550 Sorry, anonymous users are not allowed to remove directories
ftp> delete ben
550 Anonymous users can not delete files

I did check https://superuser.com/a/419683/973279, but as I see I can write and make directory in it, so I don't know why it can't delete, as write permission already there. I already restarted the service after changing the config files. Any help is appreciated. Thank you

Answer 1

N.B.: I don't use any ftpd, including Pure-FTPd (though it looks quite nice), and this answer is based solely on reviewing source code and build logs. It's possible that Fedora modified the source code and/or the build logs don't represent/show all the configuration options possible for building Pure-FTPd.

Pure-FTPd is _"designed with security in mind" so it's not surprising that anonymous access operations are restricted by default. The OP states that the FTP server will be on a "trusted network" and presumably with trusted users so relaxing security in this environment may be an acceptable risk. Command line arguments (see man page or GitHub README) and configuration file options can allow some anonymous user operations, however, it seems that anonymous user delete permission can only be enabled at build time.

Snippets from pure-ftpd's src/ftpd.c:

...

void dodele(char *name)
{
#ifndef ANON_CAN_DELETE
    if (guest != 0) {
        addreply_noformat(550, MSG_ANON_CANT_DELETE);
        return;
    }
#endif

...

void dormd(char *name)
{
#ifdef QUOTAS
    Quota quota;
#endif

#ifndef ANON_CAN_DELETE
    if (guest != 0) {
        addreply_noformat(550, MSG_ANON_CANT_RMD);
        return;
    }
#endif
...

Looking at Fedora's build log, there doesn't seem to be any setting for ANON_CAN_DELETE that would allow anonymous user delete permission.

The OP may need to build pure-ftpd with all the desired permissions enabled or perhaps find another package to install that already has the desired options enabled.