1. Skip to Menu
  2. Skip to Content
  3. Skip to Footer

Paf.dias.ac.cy is a portal that can help you get your work done

Αυτή η υπηρεσία μπορεί να σας βοηθήσει να γίνετε πιο αποτελεσματικοί στην τάξη και στο μάθημα σας γενικότερα...

Setup VSFTPD with custom multiple directories

Setup VSFTPD with custom multiple directories and (virtual) users accounts on Ubuntu (no database required)

I wanted to install an FTP server on my servers, I check online and it turned up that VSFTPD is the most secure one so I started installing it.

I’ve been through many tutorials and I couldn’t find any fully detailled ones so I decided to write mine. I have to explain, I set up VSFTPD on my personal server, wrote the tutorial step by step then followed my own tutorial to deploy VSFTPD on my production dedicated server.

What we will do

  1. Install vsftpd and a PAM library
  2. Edit /etc/vsftpd.conf and /etc/pam.d/vsftpd
  3. Create user accouts with custom directories (in /var/www/ for example)
  4. Set directories with the correct chmod and chown
  5. Create a admin user with full access to the server
  6. Troubleshoot

1. Install vsftpd (Very Secure FTP Deamon) and libpam-pwdfile to create virtual users

I wanted to create FTP users but I didn’t want to add local unix users (no shell access, no home directory and so on). A PAM (Pluggable Authentication Modules) will help us creating virtual users.

sudo apt-get install vsftpd libpam-pwdfile

2. Edit vsftpd.conf

First we need to back up the original file

sudo mv /etc/vsftpd.conf /etc/vsftpd.conf.bak

Then create a new one

sudo vim /etc/vsftpd.conf

Copy and paste the following lines. The file should contains ONLY theses lines:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/var/www/$USER
chroot_local_user=YES
hide_ids=YES
guest_username=vsftpd
pam_service_name=ftp

 

3. Register virtual users

To register user we use htpasswd so I assume you have apache2 working on your server. Create a vsftpd folder, we’ll put configuration files in it.

sudo mkdir /etc/vsftpd

then

sudo htpasswd -cd /etc/vsftpd/ftpd.passwd user1

  • -c means that we’ll create the file if it’s not existing yet
  • -d forces MD5, you need it on ubuntu 12.04, just use it always

The command will prompt for password.

If you want to add new users afterwards:

sudo htpasswd -d /etc/vsftpd/ftpd.passwd user2

4. Configure PAM in /etc/pam.d/vsftpd

Again, we need to back up the orignal file

sudo mv /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak

and create a new one

sudo vim /etc/pam.d/vsftpd

Copy and paste these 2 lines (this should be the only content). I insist, I wasted a lot of time because I kept orignal lines and just added these.

auth required pam_pwdfile.so pwdfile /etc/vsftpd/ftpd.passwd
account required pam_permit.so

5. Create a local user without shell access

sudo useradd --home /home/vsftpd --gid nogroup -m --shell /bin/false vsftpd

You can check that it has been created with the id command: id vsftpd. We define the user with the /bin/false shell because of the check_shell parameter (even if we don’t use it).

When the end user will connect to the FTP server, this user will be used for rights and ownership: chmod and chown.

6. Restart vsftpd

The common way is using init.d like all deamon

sudo /etc/init.d/vsftpd restart

In Ubuntu 12.04 there is something new with services. It worked on my 12.04 but not on my 10.04 one. To be honest I’m not a Linux expert (yet) so I can’t explain why. Something to do with Upstart I think.

sudo service vsftpd restart

7. Create directories

According to our configuration all users will be placed into there folder: /var/www/user1.

You need to create them with particular rights: the root folder cannot be writable!

  •  / [root = /var/www/user1] => 555
    • www [ /var/www/user1/www ] => 755
    • docs [ /var/www/user1/docs ] => 755

Note: the user cannot create files or folders in the root directory.

In vsftpd.conf we have chroot_local_user=YES so the user can’t see anything outside his folder. To him the server looks like this:

vsFTP-article1

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Anyway, just run these commands:

mkdir /var/www/user1
chmod -w /var/www/user1
mkdir /var/www/user1/www
chmod -R 755 /var/www/user1/www
chown -R vsftpd:nogroup /var/www/user1

 

mkdir /var/www/elias
chmod -w /var/www/elias/
mkdir /var/www/elias/www
chmod -R 755 /var/www/elias/www/
chown -R vsftpd:nogroup /var/www/elias/

 

The /var/www/user1 folder HAS TO exist or connection will fail.

Right now you can try to connect with your FTP client and it will succeed! If it doesn’t you can check the troubleshooting part.

8. Create an Admin user to access the entire server

To create an admin user we need to register a new user with htpasswd.

Before we do so, I’ll advice you to check into the /etc/ftpusers file that define certain users that are not allow to connect with ftp. I think it’s only for local users and not virtual users but just in case don’t choose a name contained into this file. Let’s be honest, vsftpd is complicated enough! ^^

sudo htpasswd -d /etc/vsftpd/ftpd.passwd theadmin

Now we need to add a new line into /etc/vsftpd.conf

chroot_list_enable=YES

This means that your user will be placed into their folder (as a jail) EXCEPT users into the /etc/vsftpd.chroot_list

Let’s create this file and add our user, the file is a simple line containing “theadmin”. Add one user per line. That means we DON’T need to create a /var/www/theadmin folder, the user will login placed into /home/vsftpd.

Restart the server and you are done !

Troubleshooting

Here are some errors I had.

500 OOPS: vsftpd: refusing to run with writable root inside chroot ()

Your root directory is writable, this is not allowed. Check part 7 for more information, you need to create a 555 root and 755 subfolders

500 OOPS: cannot change directory:/var/www/theadmin if the folder doesnt exist

The /var/www/$USER folder doesn’t exist, create it with the correct rights (not writable) or add the user into the /etc/vsftpd.chroot_list (see part 8). Don’t forget to restart the server.

htpasswd: cannot create file /etc/vsftpd/ftpd.passwd

The /etc/vsftpd/ folder has to be existing, htpasswd won’t create it.

vsftpd restart or stop error: “restart: Unknown instance

This means you can’t start the deamon even if you have success message with /etc/init.d/vsftpd start. It doesn’t start because your configuration is wrong. Start over this tutorial

Sources

Here are some websites that helped

If you want to create some sort of symlink to let your user access somewhere outside there chroot jail use mount –bind
http://backdrift.org/how-to-use-bind-mounts-in-linux