[Trilug-ontopic] VSFTPD configuration question

Richard O. Hammer rhammer at FastMail.fm
Wed Jun 30 18:35:29 EDT 2010


Hi,

I'm trying to set up VSFTPD on CentOS5 with a specific set of permissions, 
listed below.  Can anyone tell me how to do this?

<FTP service goals>
1. No anonymous access.  Access allowed only for local users who login with 
their password.
2. Whenever anyone logs into the FTP site they are placed initially in the 
public FTP directory, /var/ftp/.
3. Our staff (each with their own local user name) will be able to write files 
into /var/ftp/, and also be able to cd out of /var/ftp/ to anywhere else on the 
server where their permissions allow.
4. We will have one local user name (and password) for people outside our 
company who may need to access our ftp site to get files we have placed there. 
This one user will not be able to cd out of /var/ftp/, and will not have write 
permission in that directory either.
</FTP service goals>

I've been trying to set the configuration options in a number of different ways. 
From reading the man page for vsftpd.conf 
<http://vsftpd.beasts.org/vsftpd_conf.html> it is easy for me to believe that I 
should be able to set these parameters [chroot_list_enable, chroot_local_user, 
chroot_list_file, passwd_chroot_enable, local_root] in some combination to get 
what I need.  But I have not yet found a combination that works.  The 
chroot_list always seems to be ignored in every combination I've tried.

Below you can see the present state of my configuration file.

Thanks for any suggestions,
Rich Hammer
Hillsborough



<vsftpd.conf file>
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
#The following line added 1/28/10 ROH, out again 6/10
#chroot_local_user=YES

#The following lines added 6/10 ROH
#local_root=/var/ftp
user_config_dir=/etc/vsftpd/per_user_config

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list


#"pam_service_name", seems necessary for login to work, 6/30/10, RH
pam_service_name=vsftpd

#enable for standalone mode
listen=YES
#tcp_wrappers=YES
</vsftpd.conf file>
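One way to lay out a configuration that meets the four goals above, as an added example that is not part of the original post and not vsftpd's own documentation. It uses the documented semantics of the options the post already names: local_root is applied before the chroot, so a jailed user's root is /var/ftp rather than their home; with chroot_local_user=YES the chroot_list becomes the list of users NOT to jail, so staff go in that list and the shared external account is left out; and a file in user_config_dir named exactly after a user overrides global settings for that user, which is where the external account's write_enable=NO lives (not every option is effective per user, e.g. listen and pam_service_name are not, but write_enable and local_root are). The staff names "alice" and "bob", the external account "guest", and the staging directory are constructed placeholders; the script writes everything under a temporary root so it can be run without touching /etc, and the check functions model the chroot_list and per-user override rules rather than calling vsftpd itself.

```shell
#!/bin/sh
# Added example (not from the original post or the vsftpd project): stage a
# vsftpd configuration for the four goals under a scratch root and check it.
# "alice", "bob" (staff) and "guest" (shared read-only account) are
# constructed placeholder user names.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"   # scratch root standing in for /
STAFF="alice bob"                # placeholder staff accounts
EXTERNAL="guest"                 # placeholder shared external account

CONF="$STAGE/etc/vsftpd/vsftpd.conf"
CHROOT_LIST="$STAGE/etc/vsftpd/chroot_list"
PER_USER="$STAGE/etc/vsftpd/per_user_config"

stage_vsftpd_config() {
    mkdir -p "$PER_USER"
    cat > "$CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
pam_service_name=vsftpd
listen=YES
# Goal 2: everyone starts in the public tree; this is also the jail root.
local_root=/var/ftp
# Deny by default: every local user is jailed in local_root ...
chroot_local_user=YES
# ... except users named in chroot_list, which (because
# chroot_local_user=YES) is the list of users NOT to chroot.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# Per-user overrides: one file per user, named exactly after the user.
user_config_dir=/etc/vsftpd/per_user_config
EOF
    # Goal 3: staff escape the jail and may cd wherever Unix perms allow.
    printf '%s\n' $STAFF > "$CHROOT_LIST"
    # Goal 4: the shared account stays jailed (absent from chroot_list)
    # and loses write access through its per-user override file.
    printf 'write_enable=NO\n' > "$PER_USER/$EXTERNAL"
}

# conf_get FILE KEY: value of KEY in a vsftpd key=value file (last one wins).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# effective USER KEY: per-user file overrides the global setting.
effective() {
    eff_val=""
    if [ -f "$PER_USER/$1" ]; then
        eff_val=$(conf_get "$PER_USER/$1" "$2")
    fi
    if [ -n "$eff_val" ]; then
        echo "$eff_val"
    else
        conf_get "$CONF" "$2"
    fi
}

# is_jailed USER: succeeds if USER will be chrooted under this config.
is_jailed() {
    jail_global=$(conf_get "$CONF" chroot_local_user)
    if grep -qx "$1" "$CHROOT_LIST"; then jail_listed=yes; else jail_listed=no; fi
    # chroot_local_user=YES: list = exceptions; NO: list = who gets jailed.
    if [ "$jail_global" = YES ]; then
        [ "$jail_listed" = no ]
    else
        [ "$jail_listed" = yes ]
    fi
}

# check_goals: succeeds only if the staged files satisfy goals 1 to 4.
check_goals() {
    [ "$(conf_get "$CONF" anonymous_enable)" = NO ] || return 1          # goal 1
    [ "$(effective "$EXTERNAL" local_root)" = /var/ftp ] || return 1     # goal 2
    for u in $STAFF; do                                                  # goal 3
        is_jailed "$u" && return 1
        [ "$(effective "$u" write_enable)" = YES ] || return 1
    done
    is_jailed "$EXTERNAL" || return 1                                    # goal 4
    [ "$(effective "$EXTERNAL" write_enable)" = NO ] || return 1
}

stage_vsftpd_config
if check_goals; then
    echo "staged config under $STAGE satisfies all four goals"
else
    echo "staged config under $STAGE does not meet the goals" >&2
    exit 1
fi
```

To use it for real, copy the staged etc/vsftpd tree over /etc/vsftpd, restart vsftpd, and then log in once as a staff user and once as the shared account to confirm the jail and the write denial behave as the checks predict; the per-user file is only consulted if its name matches the login name exactly.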

