Configuring vsftpd with virtual-users (non-anonymous)

I run a small, non-anonymous FTP server for myself and some friends, primarily to use as a server for the excellent Foxmarks Bookmark Synchronizer. It's simple and gets the job done and I'm not particularly concerned with security (obviously).

The first step (in Gentoo, anyways) is to emerge pam_userdb and vsftpd. BerkDB (db) will be used to store the usernames and passwords of the accounts, generated from a flat text file that contains alternating lines of username and password. The configuration file will allow these users to write to the ftp server - this configuration does not include per-user chroots, so keep in mind anyone with an account can access any of the files on the server.

We'll start with setting up the user database:

# echo -e "vlad\nsneakypassword\njesus\ntrinity" > logins.txt
# db4.5_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db
# chmod 600 /etc/vsftpd/vsftpd_login.db
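
An added example, not part of the original post: a shell helper that checks the alternating username/password file before it is loaded, creates the database readable by its owner only, and removes the plaintext file afterwards. The function names, the DB_LOAD variable and the sample data are assumptions of this example; db4.5_load and its flags are the ones used above.

```shell
#!/bin/sh
# Added example. check_logins, load_logins and DB_LOAD are names made up here.

# check_logins FILE: succeed only if FILE is strictly alternating
# username/password lines: even non-zero line count, no empty line, no
# username listed twice. One dropped line would otherwise shift every later
# pair and turn passwords into usernames.
check_logins() {
    awk '
        $0 == "" { print "line " NR ": empty line" > "/dev/stderr"; bad = 1 }
        NR % 2 == 1 && seen[$0]++ {
            print "line " NR ": duplicate user " $0 > "/dev/stderr"; bad = 1
        }
        END {
            if (NR == 0 || NR % 2) {
                print "need an even, non-zero line count, got " NR > "/dev/stderr"
                bad = 1
            }
            exit bad
        }' "$1"
}

# load_logins FILE DB: validate FILE, build DB readable by its owner only,
# then delete the plaintext FILE. DB_LOAD defaults to the db4.5_load above.
load_logins() {
    check_logins "$1" || return 1
    (
        umask 077    # a newly created DB is mode 600 from the first byte
        "${DB_LOAD:-db4.5_load}" -T -t hash -f "$1" "$2"
    ) || return 1
    chmod 600 "$2" || return 1   # covers a DB file that already existed
    rm -f "$1"
}

# Constructed sample: the second account is missing its password line.
sample=$(mktemp)
printf 'vlad\nsneakypassword\njesus\n' > "$sample"
check_logins "$sample" || echo "rejected: fix the file before loading it"
rm -f "$sample"
```

As root, `load_logins logins.txt /etc/vsftpd/vsftpd_login.db` then replaces the db4.5_load and chmod steps above.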

Now that we have some accounts, we'll set up PAM. Gentoo comes with an /etc/pam.d/ftp file, but we'll remove it and write our own, as suggested by vsftpd's README (vsftpd.pam).

The only addition we'll make is the hash=crypt:

auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login hash=crypt
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login hash=crypt

I saved these lines to /etc/pam.d/vsftpd and symlinked that file to /etc/pam.d/ftp, moving the original ftp file out of the way. Now that the authentication aspect is done, we'll create the configuration file, once again using the vsftpd EXAMPLE file as a base. Below is the configuration file I use, with comments explaining why:

anonymous_enable=NO
local_enable=YES
# We change these below
#write_enable=NO
#anon_upload_enable=NO
#anon_mkdir_write_enable=NO
#anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
# Disable this to prevent seeing
# 500 OOPS: vsftpd: cannot locate user specified in 'guest_username':virtual
#guest_username=virtual
listen=YES
listen_port=21
pasv_min_port=30000
pasv_max_port=30999

# Enable logging
vsftpd_log_file=/var/log/vsftpd.log
xferlog_enable=YES

# Permit directory/file creation.
anon_mkdir_write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
write_enable=YES
anon_umask=002
chown_username=ftp
chown_uploads=YES

The vsftpd daemon runs as root, but uses the ftp user's home directory for the FTP root (which on Gentoo defaults to /home/ftp). On Solaris and UNIX systems, this is typically /var/ftp.

In either case, you'll need to chmod 775 the directory. Subsequent files and directories will be 775 as well. Note that if you do not have the world bits set to read and execute, vsftpd will deny you read access to the directory. If the rwx group bits aren't set, write access will be denied. Be sure to change anon_umask=022 to anon_umask=002, or else you won't be able to modify files/directories you create.

I've taken some of these steps from the Gentoo Wiki on vsftpd HOWTO_vsftpd, which, in my humble opinion, is terribly written.

More useful is the man page for vsftpd's configuration file, vsftpd.conf.
