LinuxQuestions.org
Old 08-08-2005, 07:56 PM   #1
Hexadecimal
LQ Newbie
 
Registered: Jan 2005
Posts: 22

Rep: Reputation: 15
VSFTPD Configuration Help


I'm currently setting up a free hosting company. I've got everything configured except the FTP server. I installed vsftpd, and now I could use a little help configuring it. I've read a few vsftpd tuts, but none of them have answered certain questions I have.

I have a control panel installed, so after each user signs up for free hosting, I simply create their subdomain and create their account. Each user will have their own private directory, so that they can work on their files in private. For example, if the user's name is "Bob" his directory would be "/www/htdocs/hosted/bob". He would also need to have the ability to read and write inside his directory.

What should my vsftpd configuration file look like if I wanted it to operate as I explained above?

Also, if possible I'd prefer to have some kind of userlist so that I can have my php script create users so I don't have to. If it's possible to do a userlist type-thing, what would need to be added to the list to add a user?

Something like "user, password;"?

I'm kinda new to FTP servers, so any help is appreciated. I'll even throw a decently-sized hosting plan at anyone that helps me out.

Last edited by Hexadecimal; 08-08-2005 at 08:26 PM.
 
Old 08-08-2005, 08:47 PM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

The ftp users are the same users as those on the hosting machine.

I have a separate group for ftp users, to help keep their privileges down (mine's called 'anonftpusers'). Knowing that, your script should do:
Code:
useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob
echo bobspassword | passwd --stdin bob
echo bob >> /etc/vsftpd/user_list
For this to work you'll have to have the:
Code:
userlist_enable=YES
userlist_deny=NO
options enabled in /etc/vsftpd/vsftpd.conf

Be extremely careful with your scripts, as they'll have to be run as root (somewhat obviously).

I can post an example /etc/vsftpd/vsftpd.conf file from my server if you like. Do you need anonymous access? If so should anon users have write access? Should normal users have write access?

Dave

P.S. The location of /etc/vsftpd/xxxx may be slightly different depending on what version of vsftpd you're using. They used to be in /etc/ named as vsftpd.xxxx

P.P.S. The 'Free House Music!' link in my .sig goes to my home vsftpd server. If you happen to like House...

Last edited by ilikejam; 08-08-2005 at 08:59 PM.
 
Old 08-08-2005, 09:08 PM   #3
Hexadecimal
LQ Newbie
 
Registered: Jan 2005
Posts: 22

Original Poster
Rep: Reputation: 15
Thanks for your helpful reply.

Yes, a sample vsftpd.conf file would be helpful. (A sample userlist would be nice too.) I don't believe I need anonymous access at this time. I just want to be able to have some kind of userlist so that I can add/delete users, and change their permissions and dirs.

And yes, users should have write access.


Also, I checked out the link to your FTP server in your sig. The music is Grooovy.

Thanks!

Last edited by Hexadecimal; 08-10-2005 at 10:06 PM.
 
Old 08-09-2005, 02:55 AM   #4
Hexadecimal
LQ Newbie
 
Registered: Jan 2005
Posts: 22

Original Poster
Rep: Reputation: 15
*bump* noticed you were in the forum, ilikejam.
 
Old 08-09-2005, 06:37 AM   #5
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi again. I had to go to work. (I'm at lunch at the moment).
OK, here's my vsftpd.conf, it allows the users listed in the user_list file to log in, no anonymous users, and quite tight restrictions on what users can do:
Code:
# Allow anonymous FTP?
anonymous_enable=NO
#
# Allow local users to log in?
local_enable=YES
#
# Allow any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=0000
file_open_mode=0220
#
# Allow the anonymous FTP user to upload files?
anon_upload_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=NO
#
# Activate logging of uploads/downloads?
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)?
connect_from_port_20=YES
#
# Log file in standard ftpd xferlog format?
xferlog_std_format=NO
#
# User for vsftpd to run as?
nopriv_user=vsftpd
#
# Login banner string:
ftpd_banner=ILikeJam FTP server. Logs are being monitored.
#
# chroot local users (only allow users to see their directory)?
chroot_local_user=YES
#
# PAM service name?
pam_service_name=vsftpd
#
# Enable user_list (see next option)?
userlist_enable=YES
#
# Should the user_list file specify users to deny(=YES) or to allow(=NO)
userlist_deny=NO
#
# Standalone (not run through xinetd) listen mode?
listen=YES
#
#
tcp_wrappers=NO
#
# Log all ftp actions (not just transfers)?
log_ftp_protocol=YES
#
# Show file ownership as ftp:ftp instead of real users?
hide_ids=YES
#
# Allow ftp users to change permissions of files?
chmod_enable=NO
#
# Use local time?
use_localtime=YES
#
# List of raw FTP commands which are allowed (some commands may be a security hazard):
cmds_allowed=ABOR,QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,NLST,PORT,SYST,PRET,MDTM
Have a look at 'man vsftpd.conf' for a full list and description of all options. There's quite a few.
For a list of raw FTP commands (for the cmds_allowed option) have a look here: http://www.nsftools.com/tips/RawFTP.htm

With this config, uploaded files are not readable or executable by anyone, so the server is acting as a 'dropbox'. Change the file_open_mode option to change that.

As for my user_list file, it contains:
Code:
fromilj
fromlq
as they are the only two users that are allowed to log in.

My ftpusers file contains (it's not been changed from the default list that was installed with vsftpd):
Code:
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
That's about it.

Dave
 
Old 08-09-2005, 08:15 AM   #6
Hexadecimal
LQ Newbie
 
Registered: Jan 2005
Posts: 22

Original Poster
Rep: Reputation: 15
Thanks so much for your help! I have one more quick question though. Is it possible to assign passwords for each of the users? If so, how would I go about doing that?
 
Old 08-09-2005, 09:58 AM   #7
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
The users and passwords are just the Linux users and passwords on the FTP machine, so for someone to access the FTP server when anonymous access is disabled, they must have a normal Linux user account on the FTP machine (just the same as your own account and 'root' etc). The following three commands will add 'bob' to the users on your machine (with the home directory /www/htdocs/hosted/bob), assign bob the password 'bobspassword' and will allow bob to log in through ftp:
Code:
useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob
echo bobspassword | passwd --stdin bob
echo bob >> /etc/vsftpd/user_list
'bob' will also be put in the group 'anonftpusers' by those commands, and his login shell will be /sbin/nologin, to prevent him from logging in to your ftp machine as a real user and running programs etc.

Being normal Linux user accounts, you could also use whatever you normally use to change or assign passwords.

Dave

P.S. As usual your /etc/vsftpdxxxx files may be in different locations.

Last edited by ilikejam; 08-09-2005 at 10:44 AM.
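
The three provisioning steps from the post above, wrapped for a script that runs as root, as an added example that is not part of the original thread. It validates the username before it reaches `useradd` or `user_list`, sets the password with `chpasswd` on stdin (swapped in for `passwd --stdin`, which not every distribution's `passwd` supports), and appends to `user_list` only once; the function names and the `USER_LIST`, `FTP_GROUP` and `WEB_ROOT` variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): root-run provisioning helper.
# USER_LIST, FTP_GROUP, WEB_ROOT and all function names are assumptions.
# Usage (as root): printf '%s\n' "$password" | provision_ftp_user bob
LC_ALL=C; export LC_ALL   # make [a-z] mean exactly the 26 ASCII lowercase letters
USER_LIST="${USER_LIST:-/etc/vsftpd/user_list}"
FTP_GROUP="${FTP_GROUP:-anonftpusers}"
WEB_ROOT="${WEB_ROOT:-/www/htdocs/hosted}"

# Accept only short lowercase names: a letter first, then letters, digits, _ or -.
# Rejects "../x", "bob;id", the empty string and anything containing a newline,
# so the name is safe as a path component and as one line of user_list.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Append the name to the allow list once; the exact-line match avoids duplicates.
allow_ftp_login() {
    valid_username "$1" || return 1
    grep -qxF -- "$1" "$USER_LIST" 2>/dev/null || printf '%s\n' "$1" >> "$USER_LIST"
}

# Create the account, set the password, then allow the FTP login.
# The password is read from stdin and piped to chpasswd as "name:password",
# so it is never passed as a command-line argument.
provision_ftp_user() {
    name=$1
    valid_username "$name" || { echo "rejected username" >&2; return 2; }
    IFS= read -r password || :
    [ -n "$password" ] || { echo "empty password" >&2; return 3; }
    useradd -d "$WEB_ROOT/$name" -g "$FTP_GROUP" -s /sbin/nologin "$name" || return 4
    printf '%s:%s\n' "$name" "$password" | chpasswd || return 5
    allow_ftp_login "$name"
}
```

The web-facing PHP script should pass the username as a single argument and the password on stdin, never by building a shell command string.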
 
Old 08-09-2005, 10:36 AM   #8
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Also, as an update to vsftpd.conf, you probably want:
Code:
file_open_mode=0644
local_umask=0000
anon_umask=0777
That will make files uploaded by your users writable by only themselves (but readable by everyone, which may be required by your webserver, I don't know) and if, through some misconfiguration, an anonymous user manages to upload a file, the file will have no read, write or execute permission. Just to be safe.

You also probably want 'DELE', 'MKD' and 'RMD' in your cmds_allowed=, to let your users delete files, create directories and also delete directories.

It's also worth noting that 'log_ftp_protocol=YES' will log _every_ FTP command issued by any client connecting to your machine. It might be a good idea to have this on to begin with, to watch out for any problems, but if your FTP site is busy, this file will get very large very fast, so you might want to switch this option to 'NO' at some point. (The log file usually goes to /var/log/vsftpd.log).

Dave

Last edited by ilikejam; 08-09-2005 at 10:43 AM.
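
A check for the settings discussed in posts #5 and #8, as an added example that is not part of the original thread: it computes the permissions an upload actually receives (`file_open_mode` with the `local_umask` bits cleared) and warns when anonymous login, chroot or the `user_list` allow-list behaviour differ from what the thread intends. The function names are assumptions; the fallback values are the defaults documented in `man vsftpd.conf`.

```shell
#!/bin/sh
# Added example: audit the vsftpd.conf options discussed in this thread.
# Function names are assumptions; defaults are those in man vsftpd.conf.
# Only the literal YES/NO spellings used in the thread are recognised.

# Print the last value set for KEY in FILE, or DEFAULT if it is not set.
conf_get() {  # conf_get FILE KEY DEFAULT
    awk -F= -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        $1 == k    { v = substr($0, length(k) + 2); sub(/[ \t\r]+$/, "", v); found = 1 }
        END        { print (found ? v : d) }' "$1"
}

# Mode an upload ends up with: file_open_mode with the local_umask bits cleared.
upload_mode() {  # upload_mode FILE
    mode=$(conf_get "$1" file_open_mode 0666)
    mask=$(conf_get "$1" local_umask 077)
    printf '%04o\n' $(( $mode & ~$mask & 0777 ))
}

# Print one WARN line per finding; the return status is the number of findings.
audit_vsftpd_conf() {  # audit_vsftpd_conf FILE
    n=0
    flag() { echo "WARN: $1"; n=$((n + 1)); }
    [ "$(conf_get "$1" anonymous_enable YES)" = NO ] || flag "anonymous logins enabled"
    [ "$(conf_get "$1" chroot_local_user NO)" = YES ] || flag "local users not chrooted"
    { [ "$(conf_get "$1" userlist_enable NO)" = YES ] &&
      [ "$(conf_get "$1" userlist_deny YES)" = NO ]; } || flag "user_list is not an allow list"
    case "$(upload_mode "$1")" in
        *[2367]) flag "uploads are world-writable" ;;
    esac
    return "$n"
}

# Constructed sample: the relevant lines of the configuration from post #5.
sample_conf() {
    printf '%s\n' anonymous_enable=NO local_umask=0000 file_open_mode=0220 \
        chroot_local_user=YES userlist_enable=YES userlist_deny=NO
}
```

Run `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` after each change; with the post #5 settings `upload_mode` prints `0220`, and with the post #8 update it prints `0644`.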
 
Old 08-10-2005, 10:12 PM   #9
Hexadecimal
LQ Newbie
 
Registered: Jan 2005
Posts: 22

Original Poster
Rep: Reputation: 15
Alright, I understand how it works now. Originally I thought I could make it so I could have all the client information in one file.

Now that I can't do that, I'll need to make my script execute the adduser command AND add the user to the userlist. It will be slightly more challenging, but from what I can see it's my only option.

Thanks for your time.
 
  


All times are GMT -5.