For some reason my vsftpd.conf file allows the system users, added using the useradd and groupadd commands, to browse other directories, even though I set the jailed option. Can anyone figure out what I did wrong in vsftpd.conf? I want clients to RW and browse just one directory! It's like vsftpd auto-logs into the root directory. Here's how it looks:
Not sure. I'm not seeing anything that immediately jumps out as a culprit. Here's a running instance from a system I've set up that will chroot users to their defined home dir and not let them navigate above it.
Are you defining the correct home-dir when adding the user via useradd? For those users created that are dropped to root-filesystem (/), what value is set in the directory field of /etc/passwd for them?
Thanks for the info, Ray. I'm a little rusty. I haven't worked with groups or users in ages. I'm trying my best to follow the vsftpd tutorials on youtube.com. Let me just say that this is a real pain in the behind! It seems like there are a million and one steps involved in setting up an FTP server with SSL! Gone are the good old days of win9x when all we had to do was run an app with a pretty GUI to select files. This is a nightmare! I typed groups on my system and I can't figure out why my user name is associated with so many god darn groups... I see admin, cdrom, samba, dip, lpadmin, etc. I know that the system creates a group when a user is created. I don't get the purpose of defining all these groups... feel free to explain.
You have not defined the attribute local_root in your vsftpd.conf. It defines the path of the directory in which you want to jail the user. Jail means the user can go to sub-directories but not to parent directories. The user will log into this directory and cannot go to the parent directory.
Add this line to your vsftpd.conf:
Code:
local_root=/path/of/the/directory
Restart the vsftpd server because you have made changes to vsftpd.conf.
@eklavya Hm, interesting. I'll try both suggestions as soon as I get a handle on user and group admin. I knew it was just a matter of setting the right attributes for the FTP. I wonder how this works with SSL. According to the Ubuntu forums, adding SSL security is just as simple.
Last edited by linuxman2013; 03-28-2013 at 03:26 PM.
@arun5002 Virtual users are meant for web admins, according to the info online. It would require the installation of the Apache web server. I'm looking for a minimalist approach.
Code:
awk -F":" '{ print "username: " $1 "\t\tuid:" $3 }' /etc/passwd | less
lists all the users' groups on my system... I can't make heads or tails of it! Very perplexing.
Code:
cat /etc/passwd | grep "/home" | cut -d: -f1
lists the following users:
syslog
usbmux
saned
joe
dummy
I never created syslog, usbmux or saned. How can they possibly have home directories?
Last edited by linuxman2013; 03-30-2013 at 09:35 PM.
Can someone please explain the procedure for adding users to vsftpd? I know that there are two types of users, virtual and system. I managed to set up a server and add a user by following this guide. I don't want virtual users now, as it requires installation of the Apache web server, which would bloat my system. After making a "fake shell" and configuring the vsftpd.conf file to jail users, I logged in as ftpuser. For some reason I cannot log in as root or r/w to the jailed directory. How exactly does vsftpd keep track of users with this method? There's just too much info out there on the subject.
root and a handful of other usernames are not permitted to log in via FTP by default. The list of names is typically found in the file /etc/vsftpd/ftpusers and/or /etc/vsftpd/user_list. This is because of the (default) clear-text nature of FTP, which leaves the root user's password freely obtainable to anyone along the path with even the slightest interest in capturing clear-text passwords.
If you are able to successfully authenticate via FTP for your user account but unable to read the directory contents, it is likely a filesystem permissions problem. Ensure the account has at least e(x)ecute permission on all directories in the path to its home directory and at least (r)ead and e(x)ecute on its home directory.
Write problems could similarly be filesystem-permission induced; ensure the write_enable option is set correctly in vsftpd.conf and check the filesystem permissions on the home directory for (w)rite access.
Depending on the system installation you may need to contend with mandatory access controls (SELinux, AppArmor, etc.) in addition to discretionary access controls (filesystem permissions, file or directory ownership, etc.).
My first post contained a working example of a non-SSL-enabled vsftpd configuration file that permits my local users to log in via FTP and be chrooted to their defined home directory. I am defining the term 'local users' as those created through the use of useradd (or adduser) and having a password set via passwd, although it could be through various other mechanisms too, such as LDAP. I believe in the terminology you used above that would be a 'system' user. If you're wanting a robust, feature-rich, SSL-enabled FTP server, my advice is to start slow and tackle one configuration objective (AKA: problem) at a time. Start with a working configuration that does what you want with what I'll call simple FTP (this is pretty much done right out of the box with a default vsftpd.conf), then enable local users and get that working how you desire; once that's completed, move on to the next step, whether creating SSL certificates or otherwise. I'd advise performing the build-up with it not Internet-facing until you are satisfied that your configuration meets your intended objectives.
Code:
$ sudo grep -v ^# /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
$ sudo service vsftpd restart
Shutting down vsftpd: [FAILED]
Starting vsftpd for vsftpd: [ OK ]
$ sudo useradd demo1
$ sudo passwd demo1
Changing password for user demo1.
New password: demo1-password
Retype new password: demo1-password
passwd: all authentication tokens updated successfully.
$ ftp server.domain.local
Connected to server.domain.local (172.16.8.11).
220 (vsFTPd 2.3.4)
Name (server.domain.local:linuxman2013): demo1
331 Please specify the password.
Password: demo1-password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (172,16,8,11,180,163).
150 Here comes the directory listing.
drwxr-xr-x 3 502 502 4096 Nov 14 2010 Documents
226 Directory send OK.
ftp> bye
221 Goodbye.
Notice how 'pwd' is "/". The demo1 user is at the root of the FTP directory structure, which happens to be his home directory (/home/demo1, in this case), and is unable to navigate up any directories ('cd ..', 'cd /', 'cd /tmp', etc.). If we change the chroot_local_user value and repeat, you'll see demo1 is no longer chrooted to the home directory and can freely navigate the filesystem.
Code:
$ sudo sed -i 's/\(chroot_local_user=\).*$/\1NO/g' /etc/vsftpd/vsftpd.conf
$ sudo service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
$ ftp server.domain.local
Connected to server.domain.local (172.16.8.11).
220 (vsFTPd 2.3.4)
Name (server.domain.local:linuxman2013): demo1
331 Please specify the password.
Password: demo1-password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/demo1"
ftp> ls
227 Entering Passive Mode (172,16,8,11,117,224).
150 Here comes the directory listing.
drwxr-xr-x 3 502 502 4096 Nov 14 2010 Documents
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (172,16,8,11,109,116).
150 Here comes the directory listing.
dr-xr-xr-x 2 0 0 4096 Jun 14 2011 bin
dr-xr-xr-x 5 0 0 1024 Jul 11 2011 boot
drwxr-xr-x 9 0 0 4096 Apr 06 02:46 cgroup
drwxr-xr-x 20 0 0 4040 Apr 06 02:55 dev
drwxr-xr-x 141 0 0 12288 Apr 06 14:16 etc
drwxr-xr-x 6 0 0 4096 Apr 06 14:15 home
dr-xr-xr-x 12 0 0 4096 Jun 26 2012 lib
dr-xr-xr-x 11 0 0 12288 Aug 14 2011 lib64
drwx------ 2 0 0 16384 Sep 10 2010 lost+found
drwxr-xr-x 3 0 0 4096 Apr 06 02:48 media
drwxr-xr-x 2 0 0 0 Apr 06 02:46 misc
drwxr-xr-x 3 0 0 4096 Oct 15 18:17 mnt
drwxr-xr-x 2 0 0 0 Apr 06 02:46 net
drwxr-xr-x 4 0 0 4096 Jun 26 2012 opt
dr-xr-xr-x 308 0 0 0 Apr 05 21:46 proc
dr-xr-x--- 9 0 0 4096 Oct 15 18:38 root
dr-xr-xr-x 2 0 0 12288 Aug 14 2011 sbin
drwxr-xr-x 7 0 0 0 Apr 05 21:46 selinux
drwxr-xr-x 2 0 0 4096 Oct 01 2009 srv
drwxr-xr-x 13 0 0 0 Apr 05 21:46 sys
drwxrwxrwt 25 0 0 4096 Apr 06 08:15 tmp
drwxr-xr-x 15 0 0 4096 Sep 10 2010 usr
drwxr-xr-x 26 0 0 4096 Oct 22 2010 var
226 Directory send OK.
ftp> bye
221 Goodbye.
Notice how 'pwd' is now "/home/demo1". The demo1 user begins in the defined home directory but is not at the root of the FTP directory structure like before. Instead, the demo1 account is no longer confined to its home directory via the chroot and can navigate the system much more broadly.
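A small checker for the filesystem prerequisites Ray lists above (search permission on every directory leading to the home directory, read and execute on the home directory itself, write permission and ownership for uploads). This is an added example, not a command from the thread or from vsftpd; it assumes POSIX `ls -ldn`, ignores group membership (a directory is judged by its owner bits when the user owns it and by its "others" bits otherwise), and does not model root, SELinux or AppArmor, which can override these bits.

```shell
#!/bin/sh
# Added example: check whether a vsftpd local user (identified by numeric
# uid) can traverse, list and write its chroot home directory.
# Assumptions: POSIX "ls -ldn"; group membership is ignored.

perm_bit() {
    # $1 path, $2 numeric uid, $3 one of r, w, x: prints yes or no
    path=$1; uid=$2; bit=$3
    set -- $(ls -ldn "$path")        # $1 = mode string, $3 = owner uid
    if [ "$3" = "$uid" ]; then
        trip=$(printf '%s' "$1" | cut -c2-4)    # owner rwx triplet
    else
        trip=$(printf '%s' "$1" | cut -c8-10)   # "others" rwx triplet
    fi
    # s and t stand in for x when setuid/setgid/sticky is also set
    case "$bit$trip" in
        x*[xst]*|r*r*|w*w*) echo yes ;;
        *)                  echo no ;;
    esac
}

check_ftp_home() {
    # $1 home directory, $2 numeric uid; prints one line per problem and
    # returns the number of problems found (0 means the layout is usable)
    home=$1; uid=$2; problems=0
    d=$home
    while [ "$d" != / ]; do
        d=$(dirname "$d")             # walk /home/ftp, /home, ... up to /
        if [ "$(perm_bit "$d" "$uid" x)" != yes ]; then
            echo "no search (x) permission on $d"; problems=$((problems + 1))
        fi
    done
    for b in r x w; do                # listing needs r and x, uploads need w
        if [ "$(perm_bit "$home" "$uid" $b)" != yes ]; then
            echo "no $b permission on $home"; problems=$((problems + 1))
        fi
    done
    set -- $(ls -ldn "$home")
    if [ "$3" != "$uid" ]; then
        echo "$home is owned by uid $3, not $uid: mode 700 would lock the FTP user out"
        problems=$((problems + 1))
    fi
    return $problems
}
# Usage: check_ftp_home /home/ftp/ftpuser "$(id -u ftpuser)"
```

Run it as root (or as a user that can read the directories) and pass the FTP account's uid, not your own; an empty output and a zero exit status mean the DAC side is fine and any remaining denial comes from vsftpd.conf or from a mandatory access control.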
@Rayford Now I see why root cannot log in. It's not permitted in the files you listed! I had to manually configure the local_root option to local_root=home/ftp/, changing it from /home/ftp/$USER. VSFTPD failed to recognize the $USER variable, for some reason. Now I can log in and it appears jailed (in other words, I cannot navigate above the user's home directory).
I can access the directory below the jailed FTP directory, which on my system is "ftpuser", the account that I use to log in. The problem that I'm trying to tackle at the moment is r/w permissions. It's like I have to use Nautilus to allow "Others" to rwx to the "ftpuser" directory, 777. From my understanding, specifying such an option would allow anyone logged in to r/w to the ftpuser directory.
I want just the "ftpuser" directory set to 700, so no one else on the system or FTP server can modify the data in the ftpuser's directory. I'll try manually setting it to 700 through the cmd line. As it stands now, it seems like I can write to ftp/ftpuser/ and ftp/ when set to 777, although it's jailed!
Last edited by linuxman2013; 04-06-2013 at 11:02 AM.
If your user "ftpuser" does not own the directory, then 700 will not permit that user to write to it when logged in via an FTP client. From the sound of it, that might be the case. What does the output of 'ls -ld /home/ftp/ftpuser' report?
If it is not owned by ftpuser then you may try something like:
Configuring SSL seems pretty trivial according to the docs online. I checked previous posts on this forum regarding the umask option, which apparently defines the file permissions of uploaded files on the remote system. The default is 077. What difference does it make now that I'm NOT allowing anonymous users? I want the same file permissions set on the remote machine. Would I have to change this particular attribute?
The docs also suggest connecting from port 20. I thought the default for FTP was port 21, unless passive mode is enabled to circumvent firewall settings on the remote machine. On my server, nmap localhost shows that it's set to port 21. Any idea why the suggested port 20?
Last edited by linuxman2013; 04-08-2013 at 08:13 AM.