I have vsftpd setup on a Fedora 8 system. I configured the vsftpd.conf to chroot all users (not in the list). Have a user that is on the list, so he's an exception from the chroot(). I want to have him be able to ftp files into all the other users directories - including new users that are later added.

Thanks in advance!
-Rick

****Config****
# BOOLEAN options

# allow anonymous users to create directories?
anon_mkdir_write_enable=NO

# allow anonymous users to modify / delete files?
anon_other_write_enable=NO

# allow anonymous uploads?
anon_upload_enable=NO

# allow anonymous downloads of only world-readable content?
anon_world_readable_only=YES

# allow anonymous logins?
anonymous_enable=NO

# allow ascii-mode downloads?
ascii_download_enable=NO

# allow ascii-mode uploads?
ascii_upload_enable=NO

# allow async ABOR command (for buggy ftp clients)?
async_abor_enable=NO

# spawn a background process?
background=YES

# check /etc/shells (non-pam builds only)
check_shell=YES

# enable SITE CHMOD command?
chmod_enable=YES

# chown uploads?
chown_uploads=NO

# enable a list of chroot'd users?
chroot_list_enable=YES

# chroot local users?
chroot_local_user=YES

# force data ports to use port 20?
connect_from_port_20=YES

# deny anonymous logins based on email address?
deny_email_enable=NO

# enable directory listings?
dirlist_enable=YES

# enable directory messages?
dirmessage_enable=YES

# enable downloads?
download_enable=YES

# use both vsftpd and xferlog formats?
dual_log_enable=NO

# always show dot files?
force_dot_files=NO

# enable guest logins?
guest_enable=NO

# hide user / group ids?
hide_ids=NO

# run in standalone mode?
listen=YES

# listen on IPv6?
listen_ipv6=NO

# enable local logins?
local_enable=YES

# log FTP protocol debugging messages?
log_ftp_protocol=NO

# enable recursive directory listings?
ls_recurse_enable=NO

# disable password for anonymous logins?
no_anon_password=NO

# use single-process model (linux 2.4)?
one_process_model=NO

# use per-user chroot passwd file?
passwd_chroot_enable=NO

# enable PASV transfers?
pasv_enable=YES

# enable promiscuous PASV transfers (dangerous)?
pasv_promiscuous=NO

# enable PORT transfers?
port_enable=YES

# enable promiscuous PORT transfers (dangerous)?
port_promiscuous=NO

# allow anonymous access for only certain email addresses?
secure_email_list_enable=NO

# session support?
session_support=YES

# show session status information in process listing?
setproctitle_enable=NO

# log to syslog?
syslog_enable=NO

# use tcp wrappers?
tcp_wrappers=NO

# use textual names for directory owners?
text_userdb_names=NO

# use localtime (as opposed to GMT)?
use_localtime=NO

# use sendfile() to transfer?
use_sendfile=YES

# deny users based on userlist file?
userlist_deny=YES

# enable userlist?
userlist_enable=YES

# virtual users have same permissions as local users?
virtual_use_local_privs=NO

# enable uploads?
write_enable=YES

# enable logging?
xferlog_enable=YES

# write logs in standard format?
xferlog_std_format=YES


# NUMERIC options

# maximum timeout in seconds for PASV transfers
accept_timeout=60

# maximum transfer rate in seconds for anonymous connections (0 = unlimited)
anon_max_rate=0

# umask for anonymous file creation
anon_umask=077

# connetion timeout in seconds for PORT transfers
connect_timeout=60

# timeout on stalled transfers
data_connection_timeout=300

# uploaded file permissions (before umask)
file_open_mode=0666

# port to use for ftp data
ftp_data_port=20

# idle session timeout
idle_session_timeout=300

# port to listen on
listen_port=21

# maximum transfer rate for local users
local_max_rate=0

# umask for local users
local_umask=022

# maximum number of connections
max_clients=0

# maximum number of connections per client IP address
max_per_ip=0

# PASV maximum port # (0=use any)
pasv_max_port=0

# PASV minimum port # (0=use any)
pasv_min_port=0

# transfer chunk size (0 = pick automatically, 8192 may be a decent default)
trans_chunk_size=0


# STRING options

# directory to change into
# anon_root=

# banned email file (see deny_email_enable)
banned_email_file=/etc/vsftpd.banned_emails

# banner file (overrides ftp_banner option)
# banner_file=

# username to make uploads owned by
chown_username=ftp

# list of users to chroot (see chroot_list_enable) -- negated if chroot_local_user=YES
chroot_list_file=/etc/vsftpd.chroot_list

# comma-separated list of commands to allow
# cmds_allowed=

# deny file - list of files which should not be allowed
# deny_file=

# email password file (see secure_email_list_enable)
email_password_file=/etc/vsftpd.email_passwords

# ftp username
ftp_username=ftp

# greeting to display on login
ftpd_banner=Welcome to the Rackwise FTP server! For site issues, please contact Rackwise Support at Support@Rackwise.com

# guest user name (see guest_enable)
guest_username=ftp

# pattern of files to hide
# hide_file=

# default address to listen on (default is all)
# listen_address=

# default address to listen on for ipv6 (default is all)
# listen_address6=

# directory to change into after local login
# local_root=

# message file to display on directory listings (see dirmessage_enable)
message_file=.message

# non-priviledged user
nopriv_user=nobody

# pam service name
pam_service_name=vsftpd

# PASV address (default is auto)
# pasv_address=

# secure chroot dir - should be an empty directory
secure_chroot_dir=/usr/share/empty

# user config dir - allows override of config options on per-user basis
# user_config_dir=

# user_sub_token - used to generate home directory for virtual users
# user_sub_token=

# userlist file - used for specifying allowed / denied users (see userlist_enable)
userlist_file=/etc/vsftpd.ftpusers

# vsftp format log file (used if xferlog_enable is set, and xferlog_std_format is not)
# vsftpd_log_file=/var/log/vsftpd.log

# standard format log file
xferlog_file=/var/log/vsftpd.log

Welcome to LQ!

Could you explain in more detail what you are trying to accomplish? I suspect that FTP is not the right tool for your problem, but without more details it is hard to say.

Our customers download software from our FTP site. I would like to create a user on the server, and upload files to his home directory, but not allow him to upload to the server, just download.

The software and or files we are giving them are not always the same for each customer, so having the ability to upload from my computer to their folder is ideal. Also, this server is a remote, dedicated server that is only intended for FTP, we don't store anything else there.

What do you think?

Thanks for the help!
-Rick

Oh, and it has to be very simple, so anyone in the organization can use it without having to read a manual

Thanks for the explanation. Now that I understand it better (particularly the easy to use bit) maybe FTP is the right tool.

If I understand the problem right, vsftpd doesn't allow user specific disabling of uploads, however you might be able to do what you want by creatively using permissions. When you create the FTP directory for your customers, don't give them write privileges to that directory. That should prevent them from uploading anything. However, to allow your person to uploadfiles, they should be part of a group that does have write privileges to that directory.

So essentially you would first have to create a group on the system (for example, call it upload) and then make the person(s) responsible for uploading to customer directories part of that group. Then every time you create a new FTP directory for a customer, you would have the owner be that customer, and the group be the upload group. If you set the permissions on that directory to 464 (or 460), then only the members of the upload group could write to the directory.

The only difficult part is setting up the group and the directories properly, the FTP portion should be drop-dead simple.

Thank you for the reply.

The FTP part is working. I can create a user on the control panel (it's Godaddy, so it is very limited), the new users can login thru an FTP client. They are chrooted to their home directory.

I'm struggling thru some of the user / permissions issues still. The /home is owned by root (group and user)
drwxr-xr-x 5 root root 4096 2009-02-27 10:39 home
Is there a way to change the permissions on everything that is created in that directory from now on? For instance, if I create the group 'upload', how can I ensure that group will be able to write to the directory without manually updating directory permissions each time I create a user?

I have a user 'ftp', I'm adding that user to the 'upload' group. What would I need to do to make this easy?

Thank you again for all your help. The learning curve is a little steep, but I'll get there.

actually i think you are looking for the oposite of that
create a group called 'download' and put your download user in that group and have only that user (the owner of the files/directories) have permission to upload
otherwise group assigned priveleges will be inherited and give others permission to upload
like this

scenario a
user download (read only) member of group upload which has upload priveleges
user download can upload by inheritance of priveleges

scenario b
user upload (read write) member of group download which only can download
user upload inherits read permission, but already has it so this doesn't matter

Ah, actually may be right about that. If the user owns the download directory, they could give themselves write privileges, even if they weren't in the upload group. However, if the user doesn't own the directory, either as the user or the group, then they couldn't do that.

That is pretty normal and you probably want to leave it. It is the directories that the users are chrooted to that you need to worry about. so say you've created a user rickpond. Normally, the /home/rickpond directory would look something like:

drwxr-xr-x 5 rickpond users 4096 2009-02-27 10:39 rickpond/

when what you want is something like this:

drwxrw-r-- 5 root upload 4096 2009-02-27 10:39 rickpond/

In theory, that should allow the user rickpond to get in and read the directory, but not give themselves write privileges (provided they aren't part of the upload group).

What command are you using to add users? That is going to determine if you can do this when you create users. Otherwise, I would just write a small script to do the needed changes and run that when you create users.

I'm not sure I would do this. At least on my rig, the ftp user is there to run the FTP daemon and doesn't have shell access. That is that way for security reasons (if anyone cracks vsftpd, they have limited access). However, by making the ftp user your upload user, you'll need to give them more privileges, and that is a security risk you probably don't want to take. I'd create a brand new user just for this purpose.

Is there an easy / quick way to do this?

I apologize in advance for the following question... But can you walk me through sample commands to set up the groups and give the permissions to all the folders that are / will be under the /home directory? Please?

Thank you for your help and patience!!!
-Rick

"What command are you using to add users? That is going to determine if you can do this when you create users. Otherwise, I would just write a small script to do the needed changes and run that when you create users."

I'm using the stoopid Simple Control Panel provided by GoDaddy. I'm okay with a shell, but our other folks might not be. I don't know what the CP calls as it is using Ajax, so I'm kind of lost. If I did it via the shell, I'd use the useradd, typically.

"However, by making the ftp user your upload user, you'll need to give them more privileges, and that is a security risk you probably don't want to take. I'd create a brand new user just for this purpose."

Okay, I'll stop using the ftp user and make a new one. Didn't realize the risk. I just thought it sounded pretty simple

Thank you!!
-Rick

You would only set up the upload group once:

groupadd upload

Then add your account you want to be able to upload to to group (we'll call this user1)

usermod -G upload user1

Again, you only have to do that once.

Once you've got the new customer's account set up, you'll need to change the ownership and permissions:

chown root:upload /home/customer
chmod 764 /home/customer

The kicker is that you'll likely have to have root privileges to do these last two steps. In theory, sudo should be perfect to allow normal users to do this, but I'm have no idea if GoDaddy has sudo installed. They should be shot if they don't.

Then you should be good to go. If you really need, you could probably write a script that would do the chown and chmod steps if you supplied the username.

Thank you!

I have created the groups... in fact, I got a better tool. The default GoDaddy "simple control panel" is horrible. I got Webmin, which I like better.

The trouble I'm having now, is that I want to setup SFTP. I have the certificate, but when I add a user, I'm having to give them SSH access, which allows them to login to the server and they can navigate around.

Here's what I added to the vsftpd.conf:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem


How do I allow SFTP without letting them telnet to the server? Or at least force them to stay in their chroot?

I didn't know GoDaddy would work with Webmin. Yeah, it is a great tool.

Um. Uh. Unless I'm completely off my rocker (always a possibility), sftp and vsftpd are two VERY different beasts. Sftp is a sub-program of ssh, and if you want to keep sftp uses in their home directory, you would have to chroot all of ssh. Even then, unless you create a chroot jail for each user, you would have them moving about the chroot jail. Vstpd is a pure ftp server, and as far as I know, doesn't work using the sftp protocols. What vsftpd does support (and you seem to be enabling in your conf file) is encrypting FTP traffic using ssl. However, that is NOT the same thing as sftp (at least as far as I know). If you do use vsftpd/ssl, be aware that your customers will need to use an FTP client that can handle encrypted traffic.

Yeah... I've been working on it all day. That was what I concluded as well. Still a chance I'm way wrong, too.

You all have been soooo awesome! thank you. I am very appreciative.

Ftp and sftp use different ports as well. Are you able to use setfacl & getfacl? You have two groups of users. Clients and employees. You want employees to be able to write to any customer's home directory, but users to be only able to read their own.

I'd recommend that employees use sftp or scp to deliver the files to the customers, while the users only use ftp to download. Use "AllowUsers" in the /etc/ssh/sshd_config file to restrict ssh access to only the employees accounts. This will also deny system users access as well, which are a target of script kiddies. Now you can configure vsftp to only allow downloading as you wish, without making exceptions.

You could use setfacl to allow another group write access to the home directories. You can use a group that employees are members of.

Alternately, you could change the group ownership of the client's home directories to one that they are not members of. Then the directory ownership will allow access for clients, and the group ownership will allow access for employees.