LinuxQuestions.org


cianoz 02-20-2010 05:29 AM

Can't make vsftp works on Ubuntu - Users can't login
 
Hello
I am a "light" user of Linux, not a total newbie but rather inexperienced with advanced configurations (and some basic concepts, of course ;)).
I have an Ubuntu 9.10 server and I need to use an FTP server. I installed vsftp but I can't make it work. What doesn't work is that I can't log in to the FTP server with my user(s).

I created a user ("AddressBookUser") that should have access to some files located in "/var/www/ftp/rubriche/". I set this folder as his home.
Here is the row for this user in /etc/passwd:
Quote:

AddressBookUser:x:1001:1002::/var/www/ftp/rubriche:/bin/false

This user is a member of the group "rubriche_ro" (and no other groups).

This is my /etc/vsftp.conf:

Quote:

listen=YES
#listen_ipv6=YES
#
anonymous_enable=YES
local_enable=YES
write_enable=YES
#local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
ftpd_banner=Welcome to WEBS FTP service!
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
chroot_local_user=YES
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
#ls_recurse_enable=YES
#
# Debian customization
#
secure_chroot_dir=/var/run/vsftpd/empty
#pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

# Following rows have been added by me (LZ)
userlist_enable=YES
userlist_file=/etc/vsftpd_user_list

My /etc/vsftpd_user_list contains the following:
AddressBookAdmin
AddressBookUser

vsftpd.chroot_list exists, but as you see above the chroot_list_file directive is disabled.

When I try to connect to the FTP server the connection is established, but after I enter "AddressBookUser" as the user name and confirm, I get a "530 permission denied" message. This occurs both from the network (LAN) computers and locally:

Quote:

webs@webs:/etc$ ftp localhost
Connected to localhost.
220 Welcome to WEBS FTP service!
Name (localhost:webs): AddressBookUser
530 Permission denied.
Login failed.

I can't figure out what the problem is. My thought was that it's a problem related to the user configuration rather than the vsftp configuration, but that's only my supposition. If I try to log in with the "main" user of my Ubuntu server, "webs", I can log in correctly.

I googled a lot but found nothing useful.
Can anyone help me?
Thank you

pix9 02-20-2010 05:58 AM

1) First of all, check whether your vsftpd daemon is enabled and running.
If not, use the following command:
"sudo /etc/init.d/vsftpd start"


2) Have you created a rule in your iptables to allow incoming traffic for FTP?
In that case you can try flushing them: "sudo iptables -F"
NOTE: flushing iptables is not a good choice, but you can try it for temporary testing.


3) Have you set the correct permissions on your FTP share folder/file?

cianoz 02-20-2010 07:56 AM

vsftpd is running (as I said, I can log in with user "webs").
AFAIK iptables is not running. If I run sysv-rc-conf I don't see it in the list of daemons.

The home of "AddressBookUser" is set as follows:
Quote:

drwxrwxr-x 3 webs ftpusers 4096 2010-02-20 06:36 rubriche

So, since AddressBookUser is a member of the "rubriche_ro" group, he has only read access to that folder. And this is what I want.
In contrast, I created another user, "AddressBookAdmin", a member of the "ftpusers" group. This group has write access to that folder (which is the home for this user, too), but he can't log in either.

Hangdog42 02-20-2010 11:48 AM

If this thread is true, I think that AddressBookUser having their console set to /bin/false may be a problem. There are apparently a number of ways to solve this one. If you google "vsftpd bin false" you'll find a bunch. I'm not sure which one you would be more comfortable following, so I'll leave that to you.

cianoz 02-21-2010 08:22 AM

I forgot to mention it before, but I've already tried setting the console to something other than "false", such as "sh" or "bash", but it doesn't solve the problem. Even with these values I can't log in. But, as I said, if I try to log in with the "main" Ubuntu user I can log in normally. So there must be something else related to the users. Maybe they have to be members of some other groups in addition to the one they are members of? I'm not clear on the concepts here.

cianoz 02-21-2010 09:25 AM

Some additional info. The problem seems not to be related to the FTP service; rather, it's a problem with the correct definition of the user(s) on my system. I realized that I can't log in to the system with any of the users I have created, nor with any new one that I try to create. I mean not only login through FTP but every type of login (local shell, via PuTTY from another machine, etc.). So something is wrong in the user definition, but I can't figure out what.

Hangdog42 02-21-2010 09:34 AM

Have you looked in the vsftpd log files? It is usually pretty good about logging stuff, so there may be some additional clues as to why this is happening.

The only other thing I can think of is to start turning off options in vsftpd.conf one at a time and see if anything allows AddressBookUser to log in. Personally I'd start with the userlist directives in case something is misconfigured there. Then I'd try turning off chrooting.

At this point there are so many possibilities that we can't really give guidance until we have a better idea of where things are goofed up. If the logs aren't helping, then trying one at a time changes is really the best way to diagnose the problem.

Hangdog42 02-21-2010 09:35 AM

Quote:

Originally Posted by cianoz (Post 3871472)
Some additional info. The problem seems not to be related to the FTP service; rather, it's a problem with the correct definition of the user(s) on my system. I realized that I can't log in to the system with any of the users I have created, nor with any new one that I try to create. I mean not only login through FTP but every type of login (local shell, via PuTTY from another machine, etc.). So something is wrong in the user definition, but I can't figure out what.

Well, since you've got their shells set to /bin/false, they shouldn't be able to log in. You might be able to su to them from root (su - AddressBookUser). I think root can do that even if the shell is /bin/false.

[EDIT] I take that back, you can't su to a /bin/false user. However, if the user is invalid, it appears that su complains, whereas for a valid user it doesn't.[/EDIT]

cianoz 02-21-2010 10:55 AM

Quote:

Originally Posted by Hangdog42 (Post 3871489)
Well, since you've got their shells set to /bin/false, they shouldn't be able to log in [CUT]

No, I set the shell to /bin/bash but the user(s) can't log in anyway.

bathory 02-21-2010 11:34 AM

Hi

Quote:

userlist_enable=YES

You should set the above to NO to allow access to the user(s) in userlist_file. Read vsftpd.conf documentation for more details.

Note also that /bin/false is correct as a shell if you don't want that user to have shell access to your box.

Regards

Hangdog42 02-21-2010 11:42 AM

Quote:

Originally Posted by bathory (Post 3871582)
Hi

You should set the above to NO to allow access to the user(s) in userlist_file. Read vsftpd.conf documentation for more details.

Note also that /bin/false is correct as a shell if you don't want that user to have shell access to your box.

Regards


No, I think he's got it right:

Quote:

Originally Posted by man vsftpd.conf
userlist_enable If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny. Default: NO

However, now that I look at userlist_deny, cianoz may need to set that to no:

Quote:

userlist_deny
This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.

Default: YES

cianoz 02-21-2010 12:43 PM

A little update. As said in my first post, if I enable the userlist file, as follows:
Quote:

userlist_enable=YES
userlist_file=/etc/vsftpd_user_list

I get a "530 permission denied" just after entering the login name (and I am not asked for the password).
If I comment them out (which is the same as setting "userlist_enable=NO", AFAIK) I get a different response: I am prompted for the password and after I enter it I receive a "530 login incorrect". Obviously, I take care to enter the correct password.

Regarding the shell setting: I deliberately set it to "/bin/false" because I don't want the user to be able to log in to a shell. Anyway, for the moment I tried changing it to "/bin/bash" to reduce the potential problems, but nothing changes.

bathory 02-21-2010 12:57 PM

Is the directory /var/www/ftp/rubriche writable by that user?
Code:

ls -l /var/www/ftp/rubriche

cianoz 02-21-2010 01:06 PM

Update guys!
I tried to update/change the password for my two users and now one of the two can finally log in!
But there's still something that I can't understand here. So, here is the situation:
(Note: I changed the names of the users to shorter and simpler names)

user "abadmin" is currently set with shell "/bin/bash"
user "abuser" is currently set with shell "/bin/false"
directives "userlist_enable" and "userlist_file" are disabled (commented)

With these settings "abadmin" can log in, both via an FTP client and a shell. "abuser", however, still can't log in.
Perhaps the passwords were set badly previously and reassigning them has fixed things. Anyway, the value of the shell for the users seems to be something that still plays a role here. AFAIK setting the shell to "false" for FTP users is common practice, but here it seems to determine whether FTP users can log in or not.
I still have some confusion about this.

cianoz 02-21-2010 01:12 PM

Directory /var/www/ftp/rubriche (which is the home for both the FTP users) is set as follows:
Quote:

drwxrwxr-x 3 abadmin ftpusers 4096 2010-02-20 06:36 rubriche

Both "abadmin" and "abuser" are members of the group "ftpusers" (as the command "groups username" returns).

Here are the settings for these two users in /etc/passwd:
Quote:

abuser:x:5003:1001::/var/www/ftp/rubriche:/bin/false
abadmin:x:5004:1001::/var/www/ftp/rubriche:/bin/bash

bathory 02-21-2010 01:16 PM

You have to check if /bin/false exists in /etc/shells as a valid shell.
Also check logs for hints.

cianoz 02-21-2010 02:15 PM

OK, after googling a little more and making some more attempts I think I finally got everything working as expected!
Here are my final steps.

AFAIK the reason why "abuser" couldn't log in was that "/bin/false" was not listed in "/etc/shells". So I added it there, tried to log in again and... yeah! abuser was finally able to log in!

The second and last step was to change his group membership, assigning only "rubriche_ro" as primary group and removing any other secondary group. This way he doesn't have write access to /var/www/ftp/ (where only the owner "abadmin" and the group "ftpusers" have write access).

I really hope not to encounter any other unexpected surprises. Based on what I see at the moment, everything seems to work well.

There's still only one thing that I can't get to work as I would like: everything works only if I set "userlist_enable=NO" (disabled). This is somewhat of a limitation, because I can't define which users should be FTP users. At the moment any user of the system is a potential FTP user.

cianoz 02-21-2010 02:17 PM

Quote:

Originally Posted by bathory (Post 3871673)
You have to check if /bin/false exists in /etc/shells as a valid shell.
Also check logs for hints.

You posted just seconds before my last post!
As you can see it was exactly one of the things to check!

bathory 02-21-2010 04:17 PM

Quote:

There's still only one thing that I can't get to work as I would like: everything works only if I set "userlist_enable=NO" (disabled). This is somewhat of a limitation, because I can't define which users should be FTP users. At the moment any user of the system is a potential FTP user.

You have to use:
Code:

userlist_deny=no
userlist_enable=yes
userlist_file=/etc/vsftpd_user_list

Regards
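
The userlist_enable / userlist_deny rules quoted from man vsftpd.conf and the /etc/shells condition found in this thread, combined into one check; this is an added example and not part of any post. The function names (conf_get, is_yes, ftp_verdict), the verdict words and the sample files (including the "webs" passwd entry) are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict vsftpd's login decision from userlist_enable,
# userlist_deny, userlist_file and the user's shell versus /etc/shells.

conf_get() {     # conf_get FILE KEY DEFAULT: last uncommented KEY=value wins
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

is_yes() {       # vsftpd booleans: YES, TRUE or 1, in any letter case
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
    esac
    return 1
}

ftp_verdict() {  # ftp_verdict USER CONF PASSWD SHELLS: prints one verdict word
    if is_yes "$(conf_get "$2" userlist_enable NO)"; then
        list=$(conf_get "$2" userlist_file /etc/vsftpd.user_list)
        if grep -qxF -- "$1" "$list" 2>/dev/null; then listed=yes; else listed=no; fi
        if is_yes "$(conf_get "$2" userlist_deny YES)"; then deny_if=yes; else deny_if=no; fi
        # deny list refuses listed users; allow list (userlist_deny=NO) refuses unlisted ones
        if [ "$listed" = "$deny_if" ]; then echo denied-before-password; return 0; fi
    fi
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$3")
    if [ -z "$shell" ]; then echo no-such-user; return 0; fi
    if ! grep -qxF -- "$shell" "$4"; then echo shell-not-in-etc-shells; return 0; fi
    echo password-check
}

# Constructed sample files modelled on the values quoted in the thread.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf 'abadmin\nabuser\n' > "$d/user_list"
printf '%s\n' 'abuser:x:5003:1001::/var/www/ftp/rubriche:/bin/false' \
              'abadmin:x:5004:1001::/var/www/ftp/rubriche:/bin/bash' \
              'webs:x:1000:1000::/home/webs:/bin/bash' > "$d/passwd"
printf '/bin/sh\n/bin/bash\n' > "$d/shells"
printf 'userlist_enable=YES\nuserlist_file=%s\n' "$d/user_list" > "$d/posted.conf"
{ cat "$d/posted.conf"; echo 'userlist_deny=no'; } > "$d/allowlist.conf"

for u in abadmin abuser webs; do
    echo "$u posted=$(ftp_verdict "$u" "$d/posted.conf" "$d/passwd" "$d/shells")" \
         "allowlist=$(ftp_verdict "$u" "$d/allowlist.conf" "$d/passwd" "$d/shells")"
done
```

On a real host, pass the server's vsftpd configuration file, /etc/passwd and /etc/shells instead of the constructed files.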

