Difference between revisions of "VsFTP"
From Free Knowledge Base- The DUCK Project: information for everyone
(New page: <nowiki> linux.dbw.org FAQ</nowiki> <nowiki>FAQ document</nowiki> <nowiki>##############################################################################</nowiki> <...) |
m |
||
| (One intermediate revision by one user not shown) | |||
| Line 1: | Line 1: | ||
| − | <nowiki> linux.dbw.org | + | <nowiki> linux.dbw.org Info</nowiki> |
| − | <nowiki> | + | <nowiki>Info document</nowiki> |
<nowiki>##############################################################################</nowiki> | <nowiki>##############################################################################</nowiki> | ||
<nowiki># Some basic notes on getting your own installation of vsftpd running #</nowiki> | <nowiki># Some basic notes on getting your own installation of vsftpd running #</nowiki> | ||
Latest revision as of 02:54, 8 June 2007
linux.dbw.org Info
Info document
##############################################################################
# Some basic notes on getting your own installation of vsftpd running #
# on Redhat 9 and Fedora Core 1.0 #
##############################################################################
v0.82 alpha (which means not speeel checked or verified)
First, make sure the vsftp server RPM has been successfully installed.
(not covered here)
Now, lets create some symlinks to make it feel more like it used to be
before it was "redhatized".
ln -s /etc/pam.d/vsftpd /etc/pam.d/ftp
ln -s /etc/vsftpd/vsftpd.conf /etc/vsftpd.conf
ln -s /etc/vsftpd.ftpusers ftpusers
On some distributions including Fedora Core 1.0 it appears they try to
make vsftpd its own service. We are going to make it an xinetd service
instead. Remove the service script file.
rm /etc/rc.d/rc3.d/???vsftpd
Now we will make an xinetd configuration file so that vsftpd will
start with the other xinetd services.
touch /etc/xinetd.d/vsftpd
Use your text editor of choice and populate the newly created vsftpd
xinetd configuration file with the following text:
service ftp
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
log_on_failure += USERID
}
This assumes that your vsftpd binary is in /var/sbin. If not, then
either move it there or create a symlink to it.
You may wish to check your hosts.allow and make sure that ftp is open
for remote connections. Open /etc/hosts.allow in your text editor
and ensure the following line or something workable exists:
vsftpd : ALL
vsftpd uses the pam.d Linux authentication module. We want to make
sure that vsftpd can find it without regards to vsftpd or distribution
version, which explains the reason for one of the symlinks above.
With your text editor open /etc/pam.d/ftp and make sure it has the
following in the configuration: (which it should by default)
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
vsftpd uses a configuration file of its own. The following values are
recommended for use in the vsftpd.conf file. Use your text editor and modify
the /etc/vsftpd.conf file.
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=nopriv
ftpd_banner=You are visiting a fine FTP server.
A non-privileged user shall be created for your system and must exist in the
passwd file. We chose 'nopriv' as you can see above. However, it can be any
name you wish as long as it is not in use, and matches the vsftpd configuration
file as well as the passwd file.
It is recommended you create your nopriv user with uid 97 and the shell
/sbin/nologin or /bin/false. example line from /etc/passwd:
nopriv:x:97:97::/home/ftp:/sbin/nologin
You are not going to want a user named 'nopriv' attempting to connect to your
ftp server as well as using other reserved system names. With your text
editor open the file /etc/ftpusers for editing. Here is a sample of what
you may wish to have in the file:
root
bin
daemon
adm
lp
sync
halt
mail
news
uucp
operator
games
gopher
ftp
squid
mysql
rpc
rpm
ntp
gdm
xfs
pcap
ident
nobody
nopriv
Check your /etc/shells file and make sure the correct entries exist (all of
the allowed system shells). Add an entry called '/bin/true'. Here is a
sample of a valid /etc/shells file:
/bin/sh
/bin/bash
/sbin/nologin
/bin/bash2
/bin/ash
/bin/bsh
/bin/tcsh
/bin/csh
/bin/ksh
/bin/zsh
/bin/true
The entry /sbin/nologin and /bin/true service the same purpose, to allow people
ftp access without shell access. However, /sbin/nologin is someting Redhat
now gives us while /bin/true is perhaps the traditional linux geek's method.
A dummy /bin/true might be necessary, try 'touch /bin/true' or make it +x if
you problems using this as a shell in the passwd file. You could also make a
symlink to /sbin/nologin.
It is preferred to have the ftp root under /home rather than /var but out of
habbit a lot of sysadmin's will look in /var/ftp. So the following is
recommended:
mv /var/ftp /home
ln -s /home/ftp /var/ftp
mkdir /home/ftp/upload
mkdir /home/ftp/pub
Hopefully we haven't missed anything important. Now you are ready to start
the ftp server. If xinetd is already running, restart it, otherwise start the
xinetd service with the following command:
service xinetd start
A BRIEF EXPLANATION OF SYSTEM USERS
(who has shell access, ftp access, and email access)
Some common combinations of non-privileged system user access are as follows:
1. A user has pop3, ftp, and shell access (such as telnet or ssh)
2. A user has pop3, and ftp access only
3. A user has only pop3 access
This is controlled by the /etc/passwd file shell entry for each user. Now to
match up a passwd entry for our user 'johnd' with the examples above:
1. johnd:x:500:100:John Doe,,,,:/home/johnd:/bin/bash
2. johnd:x:500:100:John Doe,,,,:/home/johnd:/bin/true
3. johnd:x:500:100:John Doe,,,,:/home/johnd:/bin/false
The shell /bin/bash allows johnd shell access because not only is /bin/bash a
valid shell as stated in /etc/shells, but it really is a valid shell command
environment as long as the Bourne Again Shell is installed on the system.
While /bin/true is also a valid shell defined in /etc/shells, it is not a real
command environment. This prevents remote shell access via ssh or telnet,
while still allowing ftp access for the user to his or her home directory.
Finally, since /bin/false is not even mentioned in /etc/shells it pretty much
is not a valid shell by any sence. Most xinetd pop3 daemon servers will still
allow pop3 user authentication, however, vsftpd will not.
Thank you for taking the time to utilize or read this FAQ document. Although
not full of "why" it has plenty of "how" and thus puts you on the road to
making it work and terms to go search for if you intend to learn more.
-------------------------
Permissions: local_umask
-------------------------
This new section deals specifically with the file permissions set on files
uploaded by FTP users with an account in passwd.
By default, vsftpd has system users write files as user + group from passwd
with the permissions 0644 or rw-r--r--
6 = read + write for the user
4 = read for the group
4 = read for world
The parameter to change the default permission is 'local_umask'. This works
like UNIX umask. If file_open_mode=0777 then a local_umask=000 gives file
permissions of rwxrwxrwx or 0777. If file_open_mode=0777 then a
local_umask=0022 guves file permissions of rwxr-xr-x or 0755. It works by
simple subtraction independent for each column of digits.
0 7 7 7
umask - 0 0 2 2
----------------
0 7 5 5
coveats: Technically the default for vsftpd strictly was local_umask=022
which worked even though a digit shy. However, when trying to change it,
three digits are read as decimal instead of octal. To achieve the desired
effect it is necessary to set the file_open_mode=0777, because if you don't
vsftpd will use a default of file_open_mode=0666.
Working Example:
I have a web server where I want individuals with an account on the system
to all be able to work on the default web site. I wish to have a group
where all members can delete, create and replace files and directories.
The following settings are necessary in vsftpd.conf
local_enable=YES
local_umask=0003
file_open_mode=0777
Now all files uploaded will be: rwxrwxr-- or 0774
However, when another user replaces files originally created by the first
user, the first user retains ownership. If you prefer a configuration where
the replaced file takes on the ownership of the new user, you can use the
settings in the below. It will prevent actual file replacement, so the new
user will have to delete the original user file and then upload the new
file of the same name. One drawback is that files in a subdirectory can
only be deleted by the original user due to the way permissions work on a
directory. There is no local_dmask option!
local_enable=YES
local_umask=0022
file_open_mode=0755
Now all files uploaded will be: rwxr-xr-x or 0755
* files in subdirectories may not be deleted by the new user.
-Derek Winterstien
created:
Wed Apr 21 22:31:44 CDT 2004
last modified:
Mon Feb 12 15:29:36 CST 2007
