
Vsftpd On Linux - Need Some Help


khel


Is it possible to make the following....


I have an ftp server (vsftpd) with one generic (guest) user account (auth. is done with pam). Needed:


home/ftpsite (ex.) - user can only list and download

home/ftpsite/incoming - user can create/delete/upload/download files


Any help from unix gurus is appreciated :-)


Okay so nobody else wants to take a crack at this. I'm familiar with several flavors of Unix including Linux and I've been a system administrator for several operating systems since 1987 so here goes.


First I want to say that vsftpd is freeware available at the following URL:


http://vsftpd.beasts.org/


Documentation is available at:


ftp://vsftpd.beasts.org/users/cevans/unta...-1.1.3/EXAMPLE/


I spent a couple of hours cruising the documentation. It looks like this product is a good choice for adding an FTP server daemon to a Unix box. The documentation talks about how the product was designed and how the creator handled common security issues. Anyone that writes software should read this documentation.


If you've already installed the software then the following information should get you going. There are three steps involved in setting up the environment. The first step is to set up the unique user account that will own the ftp directories. The next step is to set up the ftp directories. The third step is to set up the vsftpd configuration files. The vsftpd software is going to do a lot of other stuff that a Unix system administrator would normally do such as creating an environment for the ftp anonymous access that has restricted visibility to the system's files.


First create a user account that will not be used for anything else and that cannot log in. This user account should be in a unique user group that will not have any other user accounts as members. For example you could create the nonprivileged user account called notftp in a user group called notftp. Disable log in access. You COULD use the root account as the owner of the anonymous ftp directories which is a common configuration and which is recommended in the vsftpd documentation. Creating a special user account that will never be used and can be disabled just seems a little bit more secure to me. DO NOT DISABLE THE ROOT ACCOUNT IF YOU USE THAT TO OWN THE ANONYMOUS FTP DIRECTORIES.


Second create the directories for anonymous ftp access. This is the directory that the ftp user has for its login directory. Your Linux system probably already has an ftp user account for this purpose and its login directory is already specified in the user account file. See if this directory already exists. If not then create it. Or you can change the login directory for the ftp account to the directory that you specified in your post ( /home/ftpsite ). Then create the subdirectory that you specified in your post ( incoming ). Change the ownership of the ftp user's login directory to the special ftp account ( or to root if you prefer ). Also change the ownership of the subdirectory to this account. These directories are not owned by the ftp account in order to limit the ability of the ftp account to change the settings on the directories. The ftp user will access these directories by way of the file protection for 'other' users. Speaking of which we have to set these now. Set the file settings for the ftp user account login directory to (rwxr-xr--) otherwise known as 754 by using the chmod command. Then change the protections on the incoming directory to (rwxrwxrwx) or 777. That will allow anonymous users to see the files in the login directory but not write or delete files there while allowing full access to the files in the incoming subdirectory.


The third and last step is to set up the vsftpd configuration files. This information came from the vsftpd site.


You want to allow the ftp user to create files on your computer so you want to change the line in the /etc/vsftpd.conf file that reads

write_enable=NO

so that it reads

write_enable=YES


Then change the line that reads

anon_upload_enable=NO

to read

anon_upload_enable=YES


Then change the line that reads

anon_other_write_enable=NO

to read

anon_other_write_enable=YES


That will change the default configuration to allow anonymous ftp access to write files to your computer. The other settings limit where the files can be written to the incoming subdirectory of the ftp login directory.


Now you want to set the default file protection on the files that the ftp account creates. This is also in the /etc/vsftpd.conf file. Find the line that has the keyword 'anon_umask' and set it to read

anon_umask=000

This will tell vsftpd to set file protections to (rw-rw-rw-). Keep in mind that since any anonymous access has the same privilege as any other anonymous access it is possible for one person to delete or replace files left by another user. If you expect people to leave software kits in your incoming directory this configuration will be an invitation for malicious users to replace a good software kit with one that has a virus.


Many public ftp sites that allow the public to 'drop off' software kits typically do NOT allow anyone to look into the incoming directory, much less delete/replace files in that directory. The setting on the incoming directory would be (-w--w--w-) to allow anyone to write files into the incoming directory but not to look into it. Then the anon_umask should be 777 which would prevent the files from being seen or deleted by the ftp user account.


Your post caused me to discover the existence of the vsftpd software and so for that I thank you. I think that it looks like a good software product that I may use at home and at work.


Good luck. Let me know if you have any problems but don't be shy about reading the software documentation first.


Cheers,


Sysman
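As an added example (not code from the thread or from the vsftpd project), the shell script below ties the three steps of the answer above together in a form you can run as an ordinary user: it audits a vsftpd.conf for the anonymous-write settings the post discusses (write_enable, anon_upload_enable, anon_other_write_enable, anon_umask) and reports the combinations that let one anonymous session overwrite or delete another's uploads, and it builds the /home/ftpsite + incoming layout under a temporary root with the two permission variants the post describes. Two assumptions are mine: the top directory gets 755 rather than 754, because the ftp user reaches the tree as 'other' and a directory needs the x bit to be entered; and the write-only drop box uses 733 (rwx-wx-wx) rather than -w--w--w- for the same reason. The tightened config uses anon_umask=077, which is vsftpd's default, as its "safe" reference value. All paths and config contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread or the vsftpd project.
# Audits a vsftpd.conf for the anonymous-write settings discussed in the
# answer and builds the directory layout under a temporary root, so it runs
# as an ordinary user. All paths and sample configs here are constructed.

# conf_get FILE KEY: print the last value assigned to KEY (vsftpd honours the
# last occurrence of a setting), or nothing if the key is absent.
conf_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# audit_anon_write FILE: warn (on stderr) about settings that let one anonymous
# user replace or delete another user's uploads; print the number of findings.
audit_anon_write() {
    f="$1"; n=0
    # write_enable=NO disables every filesystem-modifying command, and
    # anonymous uploads additionally need anon_upload_enable=YES.
    [ "$(conf_get "$f" write_enable)" = "YES" ] || { echo 0; return 0; }
    [ "$(conf_get "$f" anon_upload_enable)" = "YES" ] || { echo 0; return 0; }
    if [ "$(conf_get "$f" anon_umask)" = "000" ]; then
        echo "WARN: anon_umask=000 creates uploads as rw-rw-rw- (any anonymous session can overwrite them)" >&2
        n=$((n + 1))
    fi
    if [ "$(conf_get "$f" anon_other_write_enable)" = "YES" ]; then
        echo "WARN: anon_other_write_enable=YES lets anonymous sessions delete/rename uploads" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# make_ftp_tree ROOT VARIANT: create ROOT and ROOT/incoming. The ftp user
# reaches both as 'other', so ROOT gets 755 (x is what allows entering a
# directory). VARIANT "open" is the post's 777 incoming (listable, files
# replaceable); "dropbox" is 733 (rwx-wx-wx): files can be created but the
# directory cannot be listed.
make_ftp_tree() {
    mkdir -p "$1/incoming"
    chmod 755 "$1"
    case "$2" in
        open)    chmod 777 "$1/incoming" ;;
        dropbox) chmod 733 "$1/incoming" ;;
        *) echo "unknown variant: $2" >&2; return 1 ;;
    esac
}

# mode_of PATH: print the nine permission characters, e.g. rwx-wx-wx.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Constructed sample configs: the thread's open-incoming settings, and a
# tightened drop-box variant (no delete/rename, vsftpd's default umask).
write_open_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_umask=000
EOF
}
write_dropbox_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=NO
anon_umask=077
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_open_conf "$tmp/open.conf"
    write_dropbox_conf "$tmp/dropbox.conf"
    echo "open.conf findings:    $(audit_anon_write "$tmp/open.conf")"
    echo "dropbox.conf findings: $(audit_anon_write "$tmp/dropbox.conf")"
    make_ftp_tree "$tmp/ftpsite" dropbox
    echo "ftpsite: $(mode_of "$tmp/ftpsite")  incoming: $(mode_of "$tmp/ftpsite/incoming")"
    rm -rf "$tmp"
}
demo
```

Run it as any user; it only touches a directory from mktemp. To audit a real server, call audit_anon_write /etc/vsftpd.conf: a count of 0 means anonymous sessions cannot overwrite, delete or rename each other's uploads through these settings, which is the exposure the answer warns about when incoming is 777 with anon_umask=000.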
