In this post we create an FTP/Samba server on CentOS 8, grant a user access to the Linux server, and allow listing of this content on a specific URL via the Apache web server (eventually for testing download speed over the web and upload speed over FTP).
At the beginning, we install the secure FTP server, the Apache web server and Samba:
dnf -y install vsftpd samba httpd vim nfs-utils
Create SAMBA shares
Create a user who can access our secure Samba folder:
useradd -s /sbin/nologin guru
groupadd smbgroup
usermod -a -G smbgroup guru
smbpasswd -a guru
Then create the directories for the Samba shares. The semanage fcontext and restorecon commands (chcon sets the same label, but not persistently) mark our directory with a type that lets SELinux allow the Samba service to operate on this folder. Another possibility is to disable SELinux, but that is not the right way.
#for anonymous
mkdir -p /mnt/aaa
chmod -R 0777 /mnt/aaa
semanage fcontext -a -t samba_share_t '/mnt/aaa'
chown -R nobody:nobody /mnt/aaa
restorecon -R /mnt/aaa
#for another, secured user "guru"
mkdir -p /mnt/kadeco/
chmod -R 0755 /mnt/kadeco/
semanage fcontext -a -t samba_share_t '/mnt/kadeco'
chown -R guru:smbgroup /mnt/kadeco/
restorecon -R /mnt/kadeco/
Edit the Samba config for our anonymous and secure shares:
vim /etc/samba/smb.conf
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
map to guest = bad user

[Anonymous-aaa]
path = /mnt/aaa
writable = yes
browsable = yes
guest ok = yes
create mode = 0777
directory mode = 0777

[kadeco]
path = /mnt/kadeco
writable = yes
browsable = yes
guest ok = no
valid users = guru
create mask = 0755
directory mask = 0755
read only = No
Now we can view our Samba configuration with this command and test it for errors:
testparm
Next, if we use a firewall, we must allow the ports, or the samba service, in it:
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload
And finally, start the Samba services and enable them to start after reboot:
systemctl enable smb.service --now
systemctl enable nmb.service --now
systemctl status smb
systemctl status nmb
A way to restart the Samba services:
systemctl restart smb
systemctl restart nmb
And now we can use our Samba server, either the anonymous folder or the secured folder.
We can list the status of Samba with these commands:
smbstatus -p  - show the list of Samba processes
smbstatus -S  - show the Samba shares
smbstatus -L  - show the Samba locks
If we need to restart the Samba process or reboot the server, we can list the locked files with "smbstatus -L". We can see which share is locked and which specific file is being accessed.
Create FTP access
We want a secure FTP server, so we need to modify some variables in the main configuration file, and check the other variables against the example below:
vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO         #disable anonymous access
local_enable=YES
write_enable=YES
chroot_local_user=YES       #chroot users to their home folder
allow_writeable_chroot=YES
Now we allow FTP access in the firewall and start the service:
firewall-cmd --permanent --add-service=ftp --zone=public
firewall-cmd --reload
systemctl enable vsftpd --now
systemctl status vsftpd
Creating an FTP User
To test the FTP server, we will create a new user.
Create a new user named ftpguru:
adduser ftpguru
Next, you'll need to set the user's password:
passwd ftpguru
Create the FTP directory tree and set the correct permissions:
mkdir -p /home/ftpguru/ftp/upload
chmod 550 /home/ftpguru/ftp
chmod 750 /home/ftpguru/ftp/upload
chown -R ftpguru: /home/ftpguru/ftp
systemctl restart vsftpd
As discussed in the previous section, the user will be able to upload files to the ftp/upload directory.
At this point, your FTP server is fully functional, and you should be able to connect to your server with any FTP client.
Create NFS access
Allow the nfs service in firewalld:
firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --reload
#if showmount sometimes doesn't work on clients and produces this error:
showmount -e 11.22.33.44
rpc mount export: RPC: Unable to receive; errno = No route to host
clnt_create: RPC: Unable to receive
#we must add further services to the firewall:
firewall-cmd --permanent --zone=public --add-service=rpc-bind
firewall-cmd --permanent --zone=public --add-service=mountd
firewall-cmd --reload
Now enable nfs-server to run after the server powers on, and start it:
systemctl enable nfs-server.service
systemctl start nfs-server.service
Now we create the directory where we want to enable NFS access:
mkdir /mnt/nfs
And edit the file /etc/exports so that this folder is allowed for everybody in the network:
/mnt/nfs *(rw,sync,no_root_squash,no_all_squash)
And apply this change:
exportfs -arv
We can see our settings with the command "exportfs":
/mnt/nfs <world>
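The export line above hands the share to every host (the "<world>" shown by exportfs) and, with no_root_squash, lets a remote root act as root on it. As an added example (not part of the original post), here is a small audit of /etc/exports lines that flags exactly those two settings; the exports content below is constructed for the demonstration.

```shell
# Read /etc/exports lines on stdin; print one WARN per finding and return 1
# if any finding was made, 0 when every export looks tight enough.
audit_exports() {
  rc=0
  set -f                                        # keep "*" from globbing
  while read -r dir clients; do
    case "$dir" in ''|\#*) continue ;; esac     # skip blank and comment lines
    [ -n "$clients" ] || clients='*'            # no client spec = everyone
    for spec in $clients; do
      host=${spec%%\(*}                         # text before "("
      opts=""
      case "$spec" in
        *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
      esac
      [ -n "$host" ] || host='*'                # "(rw)" alone = any host
      case ",$opts," in
        *,rw,*) if [ "$host" = '*' ]; then
                  echo "WARN $dir: rw export to any host"; rc=1
                fi ;;
      esac
      case ",$opts," in
        *,no_root_squash,*)
          echo "WARN $dir [$host]: no_root_squash maps remote root to local root"; rc=1 ;;
      esac
    done
  done
  set +f
  return $rc
}

# Constructed sample: the post's export line plus two tighter exports
# (read-only to one subnet, and rw to one host with root squashed) for comparison.
SAMPLE_EXPORTS='/mnt/nfs *(rw,sync,no_root_squash,no_all_squash)
# read-only to one subnet, root squashed by default
/srv/iso 192.0.2.0/24(ro,sync)
/srv/drop 192.0.2.10(rw,sync,root_squash)'

# On the NFS server itself run:  audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports || echo "review the exports above"
```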
And from another Linux machine we can mount this folder:
mount 11.22.33.44:/mnt/nfs /mnt/nfs/
#see the disk space report
df -h
Filesystem            Size  Used Avail Use% Mounted on
11.22.33.44:/mnt/nfs  1.5T  200G  1.3T  14% /mnt/nfs
And we can test it with a 1 GB file:
dd if=/dev/zero of=/mnt/nfs/1gb bs=1M count=1000
1048576000 bytes (1.0 GB) copied, 16.4533 s, 63.7 MB/s
...
...
ls -lah /mnt/nfs/
drwxr-xr-x. 18 nfsnobody nfsnobody 4.0K Feb 28 10:47 .
drwxr-xr-x.  3 root      root      4.0K Feb 28 10:24 ..
-rw-r--r--.  1 root      root      1000M Feb 28 10:47 1gb
And if everything is OK, unmount it:
umount /mnt/nfs/
Apache web server
Now we set the firewall for the HTTP port (80) and enable Apache to start after boot:
systemctl enable httpd.service
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
Now we create a configuration file for one folder from the NFS storage:
vim /etc/httpd/conf.d/media.example.com.conf
<VirtualHost *:80>
    ServerAdmin user@example.com
    DocumentRoot "/mnt/nfs/kadeco/install"
    ServerName installs.example.com
    <Directory "/mnt/nfs/kadeco/install">
        AllowOverride All
        Require all granted
        Options Indexes
    </Directory>
    ErrorLog /var/log/httpd/install.example.com-error_log
    CustomLog /var/log/httpd/install.example.com-access_log common
</VirtualHost>
If we reload the Apache web server (with "apachectl graceful") and then access this web content, we see this in the error log:
AH01276: Cannot serve directory /mnt/nfs/kadeco/install/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
So we install some software to modify file and folder contexts with SELinux:
yum install setroubleshoot
And change the context of this folder:
semanage fcontext -a -t httpd_sys_content_t "/mnt/nfs/kadeco/install(/.*)?"
restorecon -R /mnt/nfs/kadeco/install
#comment out every line in welcome.conf below, or delete it:
rm /etc/httpd/conf.d/welcome.conf
systemctl restart httpd.service
Now we can see the content of the folder /mnt/nfs/kadeco/install. But if we want to actively copy files here through Samba access, we can't, because we changed the security context of this folder (httpd_sys_content_t).
So now we must change this behaviour in one of two ways:
1) Set Samba permissions to write everywhere (security risk) with:
setsebool -P samba_export_all_rw 1
2) Or, if you want to be a little more discreet about it (my preferred way):
SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean allow_DOMAIN_anon_write.
semanage fcontext -a -t public_content_rw_t '/mnt/nfs/kadeco/install(/.*)?'
restorecon -Rv /mnt/nfs/kadeco/install
setsebool -P allow_smbd_anon_write 1   #allow Samba to write to public_content
Or, step by step:
1) chcon -t public_content_rw_t /mnt/nfs/kadeco
2) setsebool -P allow_smbd_anon_write 1
3) setsebool -P allow_httpd_anon_write 1
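A relabel that silently did not apply (or a copy that reset the type) shows up only as a denial in Samba or Apache later, so it is worth checking the labels of the directories from this post after the semanage and restorecon steps. As an added example (not part of the original post), the following script compares the type in "ls -dZ" output against the types this post assigns; the ls -dZ lines below are constructed and show the install folder still carrying httpd_sys_content_t.

```shell
# path -> SELinux type expected after the semanage/restorecon steps in this post
expected_type() {
  case "$1" in
    /mnt/aaa|/mnt/kadeco)    echo samba_share_t ;;
    /mnt/nfs/kadeco/install) echo public_content_rw_t ;;
    *)                       echo "" ;;
  esac
}

# extract the TYPE field of the context (user:role:TYPE:level) from one "ls -dZ" line
type_from_ls_z() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[A-Za-z0-9_]+:object_r:[A-Za-z0-9_]+:/) {
        split($i, c, ":"); print c[3]; exit
      }
  }'
}

# read "ls -dZ" lines on stdin; print one MISMATCH line per wrongly labelled
# directory and return 1 if any was found, 0 when every label is as expected
audit_labels() {
  rc=0
  while IFS= read -r line; do
    path=${line##* }                       # last field is the directory name
    want=$(expected_type "$path")
    [ -n "$want" ] || continue             # not one of the post's directories
    got=$(type_from_ls_z "$line")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $path: has $got, expected $want (run restorecon -R $path)"
      rc=1
    fi
  done
  return $rc
}

# constructed sample: the install folder still has the type from the first
# semanage command, i.e. the public_content_rw_t relabel has not been applied
SAMPLE_LS_Z='drwxrwxrwx. nobody nobody unconfined_u:object_r:samba_share_t:s0 /mnt/aaa
drwxr-xr-x. guru smbgroup unconfined_u:object_r:samba_share_t:s0 /mnt/kadeco
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /mnt/nfs/kadeco/install'

# on the server itself run:  ls -dZ /mnt/aaa /mnt/kadeco /mnt/nfs/kadeco/install | audit_labels
printf '%s\n' "$SAMPLE_LS_Z" | audit_labels || echo "some labels need fixing"
```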
If you create an NFS shared folder and want to share its content via another Apache configuration, you must set the boolean that allows Apache to use NFS files:
setsebool -P httpd_use_nfs on
Have a nice day