[CentOS] vsftpd: transfer of files fails

Sat Apr 1 22:54:33 UTC 2006
Kai Schaetzl <maillists at conactive.com>

I've got a problem with vsftpd on a new CentOS system. Most users can 
log in and list and everything, but when they want to transfer files the 
client says "transfer failed" or so. However, it works fine with two 
users. Of course, these two have been created by me and used only by me. 
So, I didn't detect the problem before other users tried to upload.
I tried with the command line ftp client and get this:

ftp> put medlingua_beta.sql
local: medlingua_beta.sql remote: medlingua_beta.sql
229 Entering Extended Passive Mode (|||59620|)
150 Ok to send data.
  0% |                                     |     0       0.00 KB/s    
--:-- ETAftp: netout: Connection reset by peer
  0% |                                     |    -1       0.00 KB/s    
--:-- ETA
451 Failure writing to local file.

vsftpd logs "FAIL UPLOAD:" for this, nothing else.
Of course, first thought is there might be some permission problem. 
However, I checked everything and the directory permissions are identical 
with the two accounts that work. Same goes for the user details they have. 
The only difference is that one of the two accounts is uid 50x while all 
the others are over 10000 - including the second one that works. All users 
have login shell /bin/false, are in /home and are chrooted to their 

The same users with the same directory setup, permissions and everything 
work fine on the old machine with vsftpd 1.1 (CentOS has 2.0). The vsftpd 
configuration is basically how it is when installed from base plus a few 
additional settings (like write-enable=yes etc.). SELINUX is in permissive 
mode and there are no advanced ACLs in effect.
The baffling thing is that it works for these two (and maybe other users I 
haven't identified yet), but not for the majority, although all seem to be 
set up equivalently.
One other thing I just noticed is that I can delete root-owned files 
(standard 644 permissions) with any of the FTP users (the working and the 
non-working ones) which should not be possible at all.

Any hints?


Kai Schätzl, Berlin, Germany