vsftpd

Author: Hugo, DevOps Engineer in London

Local user

By default, local users are not chrooted: their root is / and they merely start in /home/<user> after login.

Without chroot, they can read other files on the server (e.g., /etc/passwd).

Chroot makes /home/<user> the root directory, and that directory must not be writable by the user.

So we make /home/<user> non-writable and create a subfolder, owned by the user, for uploads.

chmod a-w /home/hugo
mkdir /home/hugo/uploads
chown hugo:hugo /home/hugo/uploads

The local_root directive can change the default directory after login, and with chroot enabled, this directory becomes the root.

local_enable=YES
chroot_local_user=YES

user_sub_token=$USER
local_root=/home/$USER

Anonymous mode

anonymous_enable=YES
anon_root=/var/ftp
  • Anonymous logins are chrooted by default.
  • The root must not be writable by the user ftp.
  • Therefore, when defining anon_root, we create a subfolder (uploads) into which the FTP user can upload files, while keeping /var/ftp itself non-writable by the user ftp.
mkdir -p /var/ftp/uploads
chown ftp:ftp /var/ftp/uploads
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=022
anon_world_readable_only=YES
  • write_enable=YES is required to enable write commands on FTP for both anonymous and local users.
  • Anonymous users have additional restrictions; the server also checks the anon_xxxx_enable settings:
    • anon_upload_enable allows uploads but not overwriting, deleting, or creating folders.
    • anon_mkdir_write_enable allows creating directories.
    • anon_other_write_enable allows removing files or overwriting existing ones.
  • anon_world_readable_only=YES means anonymous users can only download files that are readable by “other.” With a default umask of 0277, this setting prevents anonymous users from downloading the files they upload, causing an issue.
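As an added example (not from the original post), a POSIX sh script that checks the two points made above for local and anonymous chroots: that the chroot root carries no write bit at all, and whether files created under a given anon_umask end up readable by "other", which is what anon_world_readable_only=YES requires for downloads. It assumes an ls whose first column is the usual rwxrwxrwx string and a printf that accepts 0-prefixed octal for %d.

```shell
#!/bin/sh
# Added example, not the post's own code: sanity checks for a vsftpd chroot
# layout and for the anon_umask / anon_world_readable_only interaction.

# Octal mode a newly uploaded file gets under a given umask: 0666 & ~umask.
upload_mode() {
    u=$(printf '%d' "0$1")          # octal umask string -> decimal
    printf '%o' $(( 438 & ~u ))      # 438 == 0666
}

# Returns 0 if files uploaded under this umask are readable by "other",
# i.e. anonymous users could download them with anon_world_readable_only=YES.
anon_can_download_uploads() {
    m=$(upload_mode "$1")
    last=${m#"${m%?}"}               # last digit == "other" permission bits
    [ $(( last & 4 )) -ne 0 ]
}

# Returns 0 if the directory has no write bit for anyone (safe chroot root).
chroot_root_is_safe() {
    perms=$(ls -ld "$1" | cut -c2-10)   # e.g. "r-xr-xr-x"
    case $perms in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Build the layout from the post: read-only root plus an uploads subfolder.
# chown needs privilege, so ownership is only changed when running as root.
make_chroot_layout() {
    root=$1; owner=$2
    mkdir -p "$root/uploads" || return 1
    chmod a-w "$root"
    if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$root/uploads"; fi
    chroot_root_is_safe "$root"
}
```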

Logs

xferlog_enable=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
log_ftp_protocol=YES

Guest mode

When guest mode is enabled, a local user logging into the server is mapped to the guest account named by guest_username (here unpriv).

guest_enable=YES
guest_username=unpriv

Userlist

When userlist_enable=YES, the server checks userlist_file:

  • If userlist_deny=YES, userlist_file is the deny list.
  • If userlist_deny=NO, userlist_file is the allow list.
userlist_enable=NO
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list

FTPS

Enable FTPS (not SFTP).

Create a self-signed certificate; the command below writes the key and the certificate into the same file:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
chmod 600 /etc/ssl/private/vsftpd.pem
ssl_enable=YES
# key and certificate both live in the file created above
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
#allow_anon_ssl=NO
#force_local_data_ssl=YES
#force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO