This document describes how to tune vsftpd and the system so that vsftpd's capabilities expand considerably:
Create an anonymous FTP server where, if required, only designated users with the right permissions can see the uploaded files.
Limit FTP transfer speeds for anonymous users, non-anonymous users, or any individual user.
Restrict chosen users to the subdirectories assigned to them, while other users work with all such directories.
And so on: everything that can be configured in vsftpd, but separately for each individual virtual user!
For the scheme to work, the packages pam, xinetd, db4 and db4-utils (/usr/bin/db_load) are needed.
Creating a unix-shell user for a new configuration instance
We will create several vsftpd configurations independent of each other; each such instance uses one real unix-shell user and its own set of vsftpd configs. In the example the username is f_ftp.
# umask 0077;
# mkdir -m 0701 /home/ftp_users
# useradd -m -d /home/ftp_users/f_ftp f_ftp
# chmod 705 /home/ftp_users/f_ftp
# mkdir -m 0775 /home/ftp_users/f_ftp/incoming
# chown ftp:f_ftp /home/ftp_users/f_ftp/incoming
# edquota f_ftp <= assign a shared disk quota for this FTP instance and all its virtual users.
If you do not plan to offer anonymous access, you do not need to create the incoming directory.
If files uploaded to the incoming directory should be downloadable by all anonymous users (anonymous and ftp in the examples below) only by "direct link", that is, by anyone who knows the file name, while the directory listing stays hidden, remove the listing permission from the directory:
# chmod 0375 /home/ftp_users/f_ftp/incoming;
Setting up a vsftpd instance. Configuring xinetd
With xinetd we can run several independent vsftpd instances, each with its own configuration.
Each vsftpd instance is bound to its own IP. When a connection arrives on that IP, xinetd launches the corresponding vsftpd with its specific configuration file:
# mkdir -m 700 /etc/xinetd.d/vsftpd_virtual
# cat > /etc/xinetd.d/vsftpd_virtual/f_ftp << EOF
service ftp
{
        socket_type = stream
        protocol    = tcp
        user        = root
        wait        = no
        rlimit_as   = 16M
        server      = /usr/sbin/vsftpd
        bind        = 192.168.0.33
        server_args = /etc/vsftpd/f_ftp/vsftpd.conf
        disable     = no
}
EOF
192.168.0.33 is the unique IP bound to this instance; change it to your own.
The service name ftp is resolved to port 21 through /etc/services. Note that xinetd's includedir does not descend into subdirectories, so add includedir /etc/xinetd.d/vsftpd_virtual to /etc/xinetd.conf (or place the file directly in a directory xinetd already includes) so this file is read.
Do not forget to rerun the db_load command that builds the virtual user database after adding a new virtual user or changing an existing user's password.
Configuring vsftpd. The 'allowed_list' file
Config directive: userlist_file=/etc/vsftpd/f_ftp/allowed_list
allowed_list is the list of allowed users, including virtual ones.
There is no need to turn this file into a .db file.
To deny a user access, simply remove him from this list.
Remove the usernames anonymous and ftp if you do not plan to offer anonymous access.
The users anonymous and ftp are the standard anonymous (guest) usernames of the FTP protocol.
Configuring vsftpd. The 'users' directory of configuration files
Config directive: user_config_dir=/etc/vsftpd/f_ftp/users
A directory of vsftpd.conf-style configuration files, one for each virtual user individually.
When creating a new virtual user, set his specific parameters here.
# mkdir -m 700 /etc/vsftpd/f_ftp/users/
Create an anonymous, read-only user with the name vuser1:
The directive anon_max_rate=0 completely removes (by setting it to zero, i.e. unlimited) the more general speed limit from the main vsftpd.conf (see above, "the main vsftpd.conf configuration file").
Uncomment #local_root= to restrict the user to a single specific [sub]directory.
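The allowed_list and users-directory steps above, as an added shell example that is not part of the original guide. The variable VSFTPD_ETC, the helper names and the virtual_users.txt file name are assumptions; the directives written are real vsftpd options used the way the guide describes.

```shell
#!/bin/sh
# Added example, not from the original guide: helpers that produce the per-instance
# files described above (users/<name> and allowed_list) and rebuild the virtual user
# database. VSFTPD_ETC is an assumed variable; it can point at a scratch directory.
VSFTPD_ETC="${VSFTPD_ETC:-/etc/vsftpd/f_ftp}"

# Print a per-user config for user_config_dir. Its values override the main
# vsftpd.conf for this user only.
#   $1 = virtual user name
#   $2 = anon_max_rate in bytes/s; 0 removes the main file's limit
#   $3 = optional directory to confine the user to (local_root)
vuser_conf() {
    printf 'anon_max_rate=%s\n' "$2"
    printf 'write_enable=NO\n'            # read-only user, as vuser1 above
    [ -n "$3" ] && printf 'local_root=%s\n' "$3"
    return 0
}

# Add a name to allowed_list exactly once. The main vsftpd.conf must carry
# userlist_enable=YES and userlist_deny=NO for this file to act as an allow list.
allow_user() {
    mkdir -p "$VSFTPD_ETC"
    touch "$VSFTPD_ETC/allowed_list"
    grep -qx "$1" "$VSFTPD_ETC/allowed_list" || echo "$1" >> "$VSFTPD_ETC/allowed_list"
}

# Removing a name from allowed_list is enough to deny it; no .db rebuild is needed.
deny_user() {
    grep -vx "$1" "$VSFTPD_ETC/allowed_list" > "$VSFTPD_ETC/allowed_list.tmp" || true
    mv "$VSFTPD_ETC/allowed_list.tmp" "$VSFTPD_ETC/allowed_list"
}

# Write users/<name> (owner-only, it may reveal local paths) and allow the name.
add_vuser() {
    mkdir -p "$VSFTPD_ETC/users"
    vuser_conf "$@" > "$VSFTPD_ETC/users/$1"
    chmod 600 "$VSFTPD_ETC/users/$1"
    allow_user "$1"
}

# Rebuild the Berkeley DB that pam_userdb reads (db4-utils). virtual_users.txt holds
# alternating "name" and "password" lines. Rerun after every new user or password change.
rebuild_userdb() {
    db_load -T -t hash -f "$VSFTPD_ETC/virtual_users.txt" "$VSFTPD_ETC/virtual_users.db"
    chmod 600 "$VSFTPD_ETC/virtual_users.db"
}
```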
Using the 'f_ftp' account
The unix-shell user f_ftp cannot log in to the FTP server. Set a password for him only if you plan to work with the account's data through, say, SSH (SCP). To set the unix-shell password for the user:
# passwd f_ftp
If you want f_ftp to have access to the FTP server under this name, simply create another virtual FTP user named f_ftp by adding it to allowed_list:
Note that the password in the virtual_users file for the virtual user f_ftp is the password with which f_ftp logs in to the FTP server; the unix-shell account's password plays no role here.
Bugs / Features
When using options:
A file uploaded to incoming by the anonymous user gets its permissions set rigidly to 600, ignoring anon_umask.
FIXME: requires fixing.
The anon_max_rate option limits all connections of all users, not only those logged in as anonymous and/or ftp.
The local_max_rate option plays no role in this case.
By placing a directive in a specific user's configuration file in the 'users' directory (see "Directory of configuration files 'users'"),
we override the default settings declared in the main configuration file 'vsftpd.conf'.
In the examples above we thus remove the upload/download speed limit for the specific user vuser2 by setting the anon_max_rate option to zero; otherwise the main configuration file's anon_max_rate=80960 would apply to this user.