vsftpd

cranium
28th October 2006, 03:10 AM
Hi all,

Thanks to the help I received here I recently got vsftpd working on my machine. I want to secure it so that only one user can use ftp and will only be able to access a particular directory. I read the man page for vsftpd and thought I had understood how to do this, but, of course, it didn't work.

Here is a quick rundown on what I did to at least limit a particular user; I didn't figure out how to limit to a particular directory (I actually want to give a user access to the web directory, such that uploaded files (possibly html, php, etc) will be able to be run/seen on the web).

OK, based on the documentation, this is what I attempted to limit to a particular user:

userlist_enable=YES
userlist_deny=NO

Then in ftpusers file, I just listed the one user. Any ideas on both topics?

Thank you for your time and help,
cranium

pbx
28th October 2006, 07:13 AM
Please read this: http://www.netadmintools.com/art355.html or the manpage (http://vsftpd.beasts.org/vsftpd_conf.html)
To change the first directory, add this to /etc/vsftpd/vsftpd.conf:
local_root=/home/username/Desktop (for example)
Don't forget to create the file /etc/vsftpd/chroot_list containing the user names allowed (one line - one user name) if it does not exist yet :)

j-billy
12th November 2006, 11:09 AM
Any help with this message?


[root@localhost ftp-docs]# ftp IP
Connected to IP.
220 (vsFTPd 2.0.4)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (IP:root): usuario
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/ftp-docs
Login failed.
421 Service not available, remote server has closed connection
ftp> quit
[root@localhost ftp-docs]#

I guess it is about permissions but I don't know what to type. I set for the directory:

# chmod 750 /home/ftp-docs
# chown root:ftp-users /home/ftp-docs
And for files on:

# chown root:ftp-users /home/ftp-docs/*
# chmod 740 /home/ftp-docs/*

pbx
13th November 2006, 05:24 AM
> Any help with this message?
>
> [root@localhost ftp-docs]# ftp IP
> Connected to IP.
> 220 (vsFTPd 2.0.4)
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (IP:root): usuario
> 331 Please specify the password.
> Password:
> 500 OOPS: cannot change directory:/home/ftp-docs
> Login failed.
> 421 Service not available, remote server has closed connection
> ftp> quit
> [root@localhost ftp-docs]#

On this site (http://www.nslu2-linux.org/wiki/Unslung/Vsftpd) I found:

* Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root

Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Does the directory ftp-docs exist inside the home folder???

I just tested with my ftp server (changing the directory I currently have to another that does not exist) and got the same error...
To solve this you need to edit your /etc/vsftpd/vsftpd.conf file and, in the line that says "local_root=/home/ftp-docs", change /home/ftp-docs to a directory that really exists :)

P.S. Don't forget to restart the server by typing, as root, "service vsftpd restart" so that the changes can take effect.

pbx
13th November 2006, 05:25 AM
Do you have the directory /home/ftp-docs???

pbx
13th November 2006, 07:08 AM
> Here is a quick rundown on what I did to at least limit a particular user; I didn't figure out how to limit to a particular directory (I actually want to give a user access to the web directory, such that uploaded files (possibly html, php, etc) will be able to be run/seen on the web).
>
> OK, based on the documentation, this is what I attempted to limit to a particular user:
>
> userlist_enable=YES
> userlist_deny=NO
>
> Then in ftpusers file, I just listed the one user. Any ideas on both topics?
>
> Thank you for your time and help,
> cranium

Your problem will be solved. Please read this carefully:

- There are 3 files where you can put user names: ftpusers, user_list and chroot_list. In my case (vsftpd 2.0.5) the file ftpusers says on the first line: # Users that are not allowed to login via ftp; the file user_list is where you put the user names allowed or denied; the chroot_list file contains the names that have access to all folders (you shouldn't allow users here for security reasons).

- You have "userlist_enable=YES", so vsftpd will load "userlist_file" (not "ftpusers" file) and if a user tries to log in using a name in this file, they will be denied!

- Then you have "userlist_deny=NO", so then users will be denied login unless they are explicitly listed in the file specified by userlist_file!!! This is in conflict with "userlist_enable=YES". You probably can't connect to your ftp server!

To solve this, first you need to remove the user name from ftpusers file.
Then the solutions are:

- Keep "userlist_enable=YES" and change to "userlist_deny=YES", then in the file "user_list" will be the names that will be denied login.
OR
- Change to "userlist_enable=NO" and keep "userlist_deny=NO", but then in the "user_list" file will be the list of users that can access the server. The user name needs to be there!!!

(I use the first option)

Check the chroot_list file. If you want the user to have full access place its name here. If not, leave it empty.
Go to the /etc/vsftpd/vsftpd.conf file and insert the path you want the user to have access to (local_root=/"where ever you want")
Then restart the server (service vsftpd restart) and you're done :)
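
The interaction between userlist_enable, userlist_deny, user_list and ftpusers discussed in this thread, worked through as an added example (not code from any poster or from vsftpd itself). It follows the option descriptions in the vsftpd.conf man page linked above and assumes that ftpusers is enforced by the distribution's PAM configuration; the user name webuser and all file contents are constructed.

```shell
#!/bin/sh
# Added example: vsftpd's login gate for one user, per the vsftpd.conf man page.
# All file contents and the name "webuser" are constructed for illustration.

# conf_get FILE KEY DEFAULT: last KEY=value in FILE (vsftpd allows no spaces around '=')
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    echo "${val:-$3}"
}

# in_list FILE USER: succeeds if USER is an exact, non-comment line of FILE
in_list() {
    grep -v '^#' "$1" 2>/dev/null | grep -qxF "$2"
}

# login_gate CONF USER_LIST FTPUSERS USER: prints "allow" or "deny:<reason>"
login_gate() {
    enable=$(conf_get "$1" userlist_enable NO)   # man page default: NO
    deny=$(conf_get "$1" userlist_deny YES)      # man page default: YES
    if [ "$enable" = YES ]; then
        if [ "$deny" = YES ] && in_list "$2" "$4"; then
            echo "deny:listed in user_list (deny list)"; return
        fi
        if [ "$deny" = NO ] && ! in_list "$2" "$4"; then
            echo "deny:not in user_list (allow list)"; return
        fi
    fi
    # Assumption: the PAM service for vsftpd rejects names listed in ftpusers
    if in_list "$3" "$4"; then
        echo "deny:listed in ftpusers"; return
    fi
    echo "allow"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'userlist_enable=YES\nuserlist_deny=NO\n' > "$demo/vsftpd.conf"
printf '# constructed\nroot\nwebuser\n' > "$demo/ftpusers_with"
printf '# constructed\nroot\n'          > "$demo/ftpusers_without"
printf '# constructed\n'                > "$demo/user_list_empty"
printf '# constructed\nwebuser\n'       > "$demo/user_list_with"

# Name only in ftpusers, as in the first post
login_gate "$demo/vsftpd.conf" "$demo/user_list_empty" "$demo/ftpusers_with" webuser
# Name added to user_list but still present in ftpusers
login_gate "$demo/vsftpd.conf" "$demo/user_list_with" "$demo/ftpusers_with" webuser
# Name in user_list only
login_gate "$demo/vsftpd.conf" "$demo/user_list_with" "$demo/ftpusers_without" webuser
```
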