VSFTPD Configuration Help

Hexadecimal · 08-08-2005, 07:56 PM

I'm currently setting up a free hosting company. I've got everything configured except the FTP server. I installed vsftpd, and now I could use a little help configuring it. I've read a few vsftpd tuts, but none of them have answered certain questions I have.

I have a control panel installed, so after each user signs up for free hosting, I simply create their subdomain and create their account. Each user will have their own private directory, so that they can work on their files in private. For example, if the user's name is "Bob" his directory would be "/www/htdocs/hosted/bob". He would also need to have the ability to read and write inside his directory.

What should my vsftpd configuration file look like if I wanted it to operate as I explained above?

Also, if possible I'd prefer to have some kind of userlist so that I can have my php script create users so I dont' have to. If it's possible to do a userlist type-thing, what would need to be added to the list to add a user?

Something like "user, password;"?

I'm kinda new to FTP servers, so any help is appreciated. I'll even throw decently-sized hosting plan at anyone that helps me out.

ilikejam · 08-08-2005, 08:47 PM

Hi.

The ftp users are the same users as those on the hosting machine.

I have a seperate group for ftp users, to help keep their privelidges down (mine's called 'anonftpusers'). Knowing that, your script should do:

Code:

useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob
echo bobspassword | passwd --stdin bob
echo bob >> /etc/vsftpd/user_list

For this to work you'll have to have the:

Code:

userlist_enable=YES
userlist_deny=NO

options enabled in /etc/vsftpd/vsftpd.conf

Be extremely careful with your scripts, as they'll have to be run as root (somewhat obviously).

I can post an example /etc/vsftpd/vsftpd.conf file from my server if you like. Do you need anonymous access? If so should anon users have write access? Should normal users have write access?

Dave

P.S. The location of /etc/vsftpd/xxxx may be slightly different depending on what version of vsftpd you're using. They used to be in /etc/ named as vsftpd.xxxx

P.P.S. The 'Free House Music!' link in my .sig goes to my home vsftpd server. If you happen to like House...

Hexadecimal · 08-08-2005, 09:08 PM

Thanks for your helpful reply.

Yes, a sample vsftpd.conf file would be helpful. (A sample userlist would be nice too.

) I don't believe I need anonymous access at this time. I just want to be able to have some kind of userlist so that I can add/delete users, and change their permissions and dirs.

And yes, users should have write access.

Also, I checked out the link to your FTP server in your sig. The music is Grooovy.

Thanks!

Hexadecimal · 08-09-2005, 02:55 AM

*bump* noticed you were in the forum, ilikejam.

ilikejam · 08-09-2005, 06:37 AM

Hi again. I had to go to work. (I'm at lunch at the moment).
OK, here's my vsftpd.conf, it allows the users listed in the user_list file to log in, no anonymous users, and quite tight restrictions on what users can do:

Code:

# Allow anonymous FTP?
anonymous_enable=NO
#
# Allow local users to log in?
local_enable=YES
#
# Allow any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=0000
file_open_mode=0220
#
# Allow the anonymous FTP user to upload files?
anon_upload_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=NO
#
# Activate logging of uploads/downloads?
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)?
connect_from_port_20=YES
#
# Log file in standard ftpd xferlog format?
xferlog_std_format=NO
#
# User for vsftpd to run as?
nopriv_user=vsftpd
#
# Login banner string:
ftpd_banner=ILikeJam FTP server. Logs are being monitored.
#
# chroot local users (only allow users to see their directory)?
chroot_local_user=YES
#
# PAM service name?
pam_service_name=vsftpd
#
# Enable user_list (see next option)?
userlist_enable=YES
#
# Should the user_list file specify users to deny(=YES) or to allow(=NO)
userlist_deny=NO
#
# Standalone (not run through xinetd) listen mode?
listen=YES
#
#
tcp_wrappers=NO
#
# Log all ftp actions (not just transfers)?
log_ftp_protocol=YES
#
# Show file ownership as ftp:ftp instead of real users?
hide_ids=YES
#
# Allow ftp users to change permissions of files?
chmod_enable=NO
#
# Use local time?
use_localtime=YES
#
# List of raw FTP commands which are allowed (some commands may be a security hazard):
cmds_allowed=ABOR,QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,NLST,PORT,SYST,PRET,MDTM

Have a look at 'man vsftpd.conf' for a full list and description of all options. There's quite a few.
For a list of raw FTP commands (for the cmds_allowed option) have a look here: http://www.nsftools.com/tips/RawFTP.htm

With this config, uploaded files are not readable or executable by anyone, so the server is acting as a 'dropbox'. Change the file_open_mode option to change that.

As for my user_list file contains:

Code:

fromilj
fromlq

as they are the only two users that are allowed to log in.

My ftpusers file contains (it's not been changed from the default list that was installed with vsftpd):

Code:

# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

That's about it.

Dave

Hexadecimal · 08-09-2005, 08:15 AM

Thanks so much for your help! I have one more quick question though. Is it possible to assign passwords for each of the users? If so, how would I go about doing that?

ilikejam · 08-09-2005, 09:58 AM

The users and passwords are just the Linux users and passwords on the FTP machine, so for someone to access the FTP server when anonymous access is disabled, they must have a normal Linux user account on the FTP machine (just the same as your own account and 'root' etc). The following three commands will add 'bob' to the users on your machine (with the home directory /www/htdocs/hosted/bob), assign bob the password 'bobspassword' and will allow bob to log in through ftp:

Code:

useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob
echo bobspassword | passwd --stdin bob
echo bob >> /etc/vsftpd/user_list

'bob' will also be put in the group 'anonftpusers' by those commands, and his login shell will be /sbin/nologin, to prevent him from logging to your ftp machine as a real user and running programs etc.

Being normal Linux user accounts, you could also use whatever you normally use to change or assign passwords.

Dave

P.S. As usual your /etc/vsftpdxxxx files may be in different locations.

ilikejam · 08-09-2005, 10:36 AM

Also, as an update to vsftpd.conf, you probably want:

Code:

file_open_mode=0644
local_umask=0000
anon_umask=0777

That will make files uploaded by your users writable by only themselves (but readable by everyone, which may be required by your webserver, I don't know) and if, through some misconfiguration, an anonymous user manages to upload a file, the file will have no read, write or execute permission. Just to be safe.

You also probably want 'DELE', 'MKD' and 'RMD' in your cmds_allowed=, to let your users delete files, create directories and also delete directories.

It's also worth noting that 'log_ftp_protocol=YES' will log _every_ FTP command issued by any client connecting to your machine. It might be a good idea to have this on to begin with, to watch out for any problems, but if your FTP site is busy, this file will get very large very fast, so you might want to swith this option to 'NO' at some point. (The log file usually goes to /var/log/vsftpd.log).

Dave

Hexadecimal · 08-10-2005, 10:12 PM

Alright, I understand how it works now. Originally I thought I could make it so I could have all the client information in one file.

Now that I can't do that, I'll need to make my script execute the adduser command AND add the user to the userlist. I will be slightly more challenging, but from what I can see it's my only option.

Thanks for your time.