Linux - Networking
#1 | 08-08-2005, 07:56 PM | Hexadecimal (LQ Newbie, registered Jan 2005, 22 posts)
VSFTPD Configuration Help
I'm currently setting up a free hosting company. I've got everything configured except the FTP server. I installed vsftpd, and now I could use a little help configuring it. I've read a few vsftpd tuts, but none of them have answered certain questions I have.
I have a control panel installed, so after each user signs up for free hosting, I simply create their subdomain and create their account. Each user will have their own private directory, so that they can work on their files in private. For example, if the user's name is "Bob" his directory would be "/www/htdocs/hosted/bob". He would also need to have the ability to read and write inside his directory.
What should my vsftpd configuration file look like if I wanted it to operate as I explained above?
Also, if possible I'd prefer to have some kind of userlist so that I can have my php script create users so I don't have to. If it's possible to do a userlist type-thing, what would need to be added to the list to add a user?
Something like "user, password;"?
I'm kinda new to FTP servers, so any help is appreciated. I'll even throw a decently-sized hosting plan at anyone who helps me out.
Last edited by Hexadecimal; 08-08-2005 at 08:26 PM.
#2 | 08-08-2005, 08:47 PM | ilikejam (Senior Member, Glasgow, Fedora / Solaris, registered Aug 2003, 3,109 posts)
Hi.
The ftp users are the same users as those on the hosting machine.
I have a separate group for ftp users, to help keep their privileges down (mine's called 'anonftpusers'). Knowing that, your script should do:
Code:
# create the account: home dir /www/htdocs/hosted/bob, restricted group, no login shell
useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob
# set the password (passwd --stdin is the Fedora/Red Hat form)
echo bobspassword | passwd --stdin bob
# put bob on the vsftpd allow list (requires userlist_deny=NO)
echo bob >> /etc/vsftpd/user_list
For this to work you'll have to have the:
Code:
userlist_enable=YES
userlist_deny=NO
options enabled in /etc/vsftpd/vsftpd.conf
Be extremely careful with your scripts, as they'll have to be run as root (somewhat obviously).
I can post an example /etc/vsftpd/vsftpd.conf file from my server if you like. Do you need anonymous access? If so should anon users have write access? Should normal users have write access?
Dave
P.S. The location of /etc/vsftpd/xxxx may be slightly different depending on what version of vsftpd you're using. They used to be in /etc/ named as vsftpd.xxxx
P.P.S. The 'Free House Music!' link in my .sig goes to my home vsftpd server. If you happen to like House...
Last edited by ilikejam; 08-08-2005 at 08:59 PM.
#3 | 08-08-2005, 09:08 PM | Hexadecimal (Original Poster)
Thanks for your helpful reply.
Yes, a sample vsftpd.conf file would be helpful. (A sample userlist would be nice too.) I don't believe I need anonymous access at this time. I just want to be able to have some kind of userlist so that I can add/delete users, and change their permissions and dirs.
And yes, users should have write access.
Also, I checked out the link to your FTP server in your sig. The music is Grooovy.
Thanks!
Last edited by Hexadecimal; 08-10-2005 at 10:06 PM.
#4 | 08-09-2005, 02:55 AM | Hexadecimal (Original Poster)
*bump* noticed you were in the forum, ilikejam.
#5 | 08-09-2005, 06:37 AM | ilikejam (Senior Member, Glasgow, Fedora / Solaris)
Hi again. I had to go to work. (I'm at lunch at the moment).
OK, here's my vsftpd.conf, it allows the users listed in the user_list file to log in, no anonymous users, and quite tight restrictions on what users can do:
Code:
# Allow anonymous FTP?
anonymous_enable=NO
#
# Allow local users to log in?
local_enable=YES
#
# Allow any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=0000
file_open_mode=0220
#
# Allow the anonymous FTP user to upload files?
anon_upload_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=NO
#
# Activate logging of uploads/downloads?
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)?
connect_from_port_20=YES
#
# Log file in standard ftpd xferlog format?
xferlog_std_format=NO
#
# User for vsftpd to run as?
nopriv_user=vsftpd
#
# Login banner string:
ftpd_banner=ILikeJam FTP server. Logs are being monitored.
#
# chroot local users (only allow users to see their directory)?
chroot_local_user=YES
#
# PAM service name?
pam_service_name=vsftpd
#
# Enable user_list (see next option)?
userlist_enable=YES
#
# Should the user_list file specify users to deny(=YES) or to allow(=NO)
userlist_deny=NO
#
# Standalone (not run through xinetd) listen mode?
listen=YES
#
#
tcp_wrappers=NO
#
# Log all ftp actions (not just transfers)?
log_ftp_protocol=YES
#
# Show file ownership as ftp:ftp instead of real users?
hide_ids=YES
#
# Allow ftp users to change permissions of files?
chmod_enable=NO
#
# Use local time?
use_localtime=YES
#
# List of raw FTP commands which are allowed (some commands may be a security hazard):
cmds_allowed=ABOR,QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,NLST,PORT,SYST,PRET,MDTM
Have a look at 'man vsftpd.conf' for a full list and description of all options. There's quite a few.
For a list of raw FTP commands (for the cmds_allowed option) have a look here: http://www.nsftools.com/tips/RawFTP.htm
With this config, uploaded files are not readable or executable by anyone, so the server is acting as a 'dropbox'. Change the file_open_mode option to change that.
As for my user_list file, it contains just two entries, as they are the only two users that are allowed to log in.
My ftpusers file contains (it's not been changed from the default list that was installed with vsftpd):
Code:
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
That's about it.
Dave
#6 | 08-09-2005, 08:15 AM | Hexadecimal (Original Poster)
Thanks so much for your help! I have one more quick question though. Is it possible to assign passwords for each of the users? If so, how would I go about doing that?
#7 | 08-09-2005, 09:58 AM | ilikejam (Senior Member, Glasgow, Fedora / Solaris)
The users and passwords are just the Linux users and passwords on the FTP machine, so for someone to access the FTP server when anonymous access is disabled, they must have a normal Linux user account on the FTP machine (just the same as your own account and 'root' etc). The following three commands will add 'bob' to the users on your machine (with the home directory /www/htdocs/hosted/bob), assign bob the password 'bobspassword' and will allow bob to log in through ftp:
Code:
useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob
echo bobspassword | passwd --stdin bob
echo bob >> /etc/vsftpd/user_list
'bob' will also be put in the group 'anonftpusers' by those commands, and his login shell will be /sbin/nologin, to prevent him from logging in to your ftp machine as a real user and running programs etc.
Being normal Linux user accounts, you could also use whatever you normally use to change or assign passwords.
Dave
P.S. As usual your /etc/vsftpd/xxxx files may be in different locations.
Last edited by ilikejam; 08-09-2005 at 10:44 AM.
#8 | 08-09-2005, 10:36 AM | ilikejam (Senior Member, Glasgow, Fedora / Solaris)
Also, as an update to vsftpd.conf, you probably want:
Code:
file_open_mode=0644
local_umask=0000
anon_umask=0777
That will make files uploaded by your users writable by only themselves (but readable by everyone, which may be required by your webserver, I don't know) and if, through some misconfiguration, an anonymous user manages to upload a file, the file will have no read, write or execute permission. Just to be safe.
You also probably want 'DELE', 'MKD' and 'RMD' in your cmds_allowed=, to let your users delete files, create directories and also delete directories.
It's also worth noting that 'log_ftp_protocol=YES' will log _every_ FTP command issued by any client connecting to your machine. It might be a good idea to have this on to begin with, to watch out for any problems, but if your FTP site is busy, this file will get very large very fast, so you might want to switch this option to 'NO' at some point. (The log file usually goes to /var/log/vsftpd.log).
Dave
Last edited by ilikejam; 08-09-2005 at 10:43 AM.
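A way to check the settings from posts #5 and #8 mechanically, as an added example that is neither vsftpd's own tooling nor code from the thread: the script reads a vsftpd.conf, fills in vsftpd's documented defaults (from `man vsftpd.conf`) for keys that are absent, computes the mode an uploaded file ends up with as file_open_mode with the umask bits cleared (which is how vsftpd applies local_umask on top of file_open_mode), and prints one finding per problem: anonymous logins or uploads enabled, local users not chrooted, user_list not used as an allow list, or uploads that come out world-writable or executable. The two sample configs are constructed: one is the thread's tightened config (post #5 with the post #8 mode change) and should produce no findings; the other leans on defaults and the weak values this thread steers away from.

```shell
#!/bin/sh
# Added example (not from the thread, not vsftpd tooling): lint a
# vsftpd.conf against the points raised in posts #5 and #8. Assumes the
# key=value syntax of vsftpd.conf (no spaces around '=') and the defaults
# documented in 'man vsftpd.conf' for keys that are not set.

# Value of KEY in FILE, or DEFAULT when unset. Last occurrence wins, as
# vsftpd itself applies settings in file order.
conf_get() {
    file=$1; key=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*$key=//p" "$file" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$default"
}

# Mode of a freshly uploaded file: file_open_mode & ~umask, printed in
# octal (0644 with umask 0000 -> 0644; the default 0666 with 077 -> 0600).
effective_mode() {
    open=$(printf '%d' "0$1"); mask=$(printf '%d' "0$2")
    printf '%04o\n' $(( open & ~mask & 511 ))
}

# One finding per line; prints nothing when the config passes.
vsftpd_check() {
    f=$1
    anon=$(conf_get "$f" anonymous_enable YES)
    local_en=$(conf_get "$f" local_enable NO)
    write=$(conf_get "$f" write_enable NO)
    anon_up=$(conf_get "$f" anon_upload_enable NO)
    chroot_lu=$(conf_get "$f" chroot_local_user NO)
    ul_en=$(conf_get "$f" userlist_enable NO)
    ul_deny=$(conf_get "$f" userlist_deny YES)
    open=$(conf_get "$f" file_open_mode 0666)
    lumask=$(conf_get "$f" local_umask 077)
    mode=$(effective_mode "$open" "$lumask")
    m=$(printf '%d' "0$mode")

    [ "$anon" = YES ] && echo "anonymous_enable=YES: anonymous logins allowed (the vsftpd default)"
    [ "$anon" = YES ] && [ "$write" = YES ] && [ "$anon_up" = YES ] && echo "anonymous uploads enabled"
    [ "$local_en" = YES ] && [ "$chroot_lu" != YES ] && echo "chroot_local_user!=YES: local users can browse the whole filesystem"
    [ "$local_en" = YES ] && { [ "$ul_en" != YES ] || [ "$ul_deny" != NO ]; } \
        && echo "user_list is not an allow list (need userlist_enable=YES and userlist_deny=NO): any local account PAM accepts can log in"
    [ $(( m & 2 )) -ne 0 ] && echo "uploads are world-writable (effective mode $mode)"
    [ $(( m & 73 )) -ne 0 ] && echo "uploads get an execute bit (effective mode $mode)"
    return 0
}

# Constructed sample: the thread's tightened config.
sample_conf_thread() {
cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
file_open_mode=0644
local_umask=0000
anon_umask=0777
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
EOF
}

# Constructed sample: relies on defaults and sets a wide-open upload mode.
sample_conf_loose() {
cat <<'EOF'
local_enable=YES
write_enable=YES
anon_upload_enable=YES
file_open_mode=0777
local_umask=0000
EOF
}

if [ "$#" -gt 0 ]; then
    # usage: sh vsftpd_check.sh /etc/vsftpd/vsftpd.conf
    vsftpd_check "$1"
fi
```

One caveat the checker does not cover, because it depends on the vsftpd version rather than the config: from vsftpd 2.3.5 on, a chrooted user whose chroot root (here, the home directory) is writable is refused at login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" unless allow_writeable_chroot=YES is set. The layout in this thread, where the user writes directly into /www/htdocs/hosted/bob, needs that option on such versions, or a root-owned home with a writable subdirectory below it.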
#9 | 08-10-2005, 10:12 PM | Hexadecimal (Original Poster)
Alright, I understand how it works now. Originally I thought I could make it so I could have all the client information in one file.
Now that I can't do that, I'll need to make my script execute the adduser command AND add the user to the userlist. It will be slightly more challenging, but from what I can see it's my only option.
Thanks for your time.