I'm trying to set up my FTP server (vsftpd) to give both local users and anonymous users access.

I would like the local users to have write access to their home directory but anonymous logins only to have read access to a directory that I can drop files into for the wider world to download.

First off, is this even possible? Or do all logins either have to be read access or write access but not a combination of the two?

If it is possible, I can't get this to work. My current setup is giving me a "Permission denied" error when I try to log in anonymously. Access for local users is working as I want it to.

Can anyone spot where I'm going wrong, or what I'm missing, in the following setup?

The following is the directory setup for the ftp folders. The path is /var/ftp/ (please note that the local user here does not have a shell or a specific home directory, which is why it's been moved to the general ftp folder):

dr-xr-xr-x  2 ftp         ftp-users 4.0K Apr 17 13:19 anon
drwxr-xr-x  2 localuser   ftp-users 4.0K Apr 17 15:08 localuser

The anon user does not have write access to their home directory, but the local user does. There is an ftp-users group that all users of ftp are part of.

Below is an extract from the /etc/passwd file for the two users above:

ftp:x:109:115:ftp daemon,,,:/var/ftp/anon:/bin/false
localuser:x:1002:1002::/var/ftp/localuser:/bin/false

The following is the vsftpd.config file which I'm using (all comments removed for brevity):

listen=NO
listen_ipv6=YES
anonymous_enable=YES
ftp_username=ftp
no_anon_password=YES
anon_root=/var/ftp/anon
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_max_rate=52000
local_enable=YES
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users
write_enable=YES
allow_writeable_chroot=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=ftp
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

All users that can log in are listed in the userlist_file (including ftp).

hojkoff

1 Answer

I've managed to answer my own question with a bit of playing. I'll detail the answer for reference.

  1. Yes, it is possible to have privileged 'named' users and unprivileged anonymous users. The config file extract above allows this setup.

  2. In the config file there are the userlist_enable=YES and userlist_file=... directives to control the named users who can use FTP. This prevents default created users (such as pi on Raspbian) from logging in with the default password, assuming it hasn't been changed. (The default password should obviously be changed though.)

  3. To use the above directives and allow anonymous logins, the user 'anonymous' needs to be named in the file along with approved named users.

hojkoff
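
The check the answer arrives at, as an added example that is not part of the original post: a small shell audit that reads a vsftpd config and reports whether the login name `anonymous` gets past the user list. It goes beyond the post by also covering deny-list mode (`userlist_deny=YES`); the function names, temporary paths and sample file contents are constructed for illustration, and the defaults are those documented in the vsftpd.conf man page.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a vsftpd user
# list lets the login name "anonymous" through.

# conf_get FILE KEY DEFAULT: print the last value assigned to KEY, or DEFAULT.
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# conf_yes FILE KEY DEFAULT: succeed when the boolean KEY resolves to YES.
conf_yes() { [ "$(conf_get "$1" "$2" "$3")" = YES ]; }

# anon_userlist_verdict CONF: print "not-applicable", "ok" or "blocked".
anon_userlist_verdict() {
    conf=$1
    # Defaults per vsftpd.conf(5): anonymous_enable=YES, userlist_enable=NO.
    if ! conf_yes "$conf" anonymous_enable YES || ! conf_yes "$conf" userlist_enable NO; then
        echo not-applicable; return 0
    fi
    list=$(conf_get "$conf" userlist_file /etc/vsftpd.user_list)
    listed=no
    if [ -r "$list" ] && grep -qxF anonymous "$list"; then listed=yes; fi
    # userlist_deny=NO makes the file an allow-list; YES (the default) a deny-list.
    if conf_yes "$conf" userlist_deny YES; then want=no; else want=yes; fi
    if [ "$listed" = "$want" ]; then echo ok; else echo blocked; fi
}

# Constructed sample: the question's user-list settings plus a list naming
# only "ftp" and "localuser", written to a temporary directory.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' anonymous_enable=YES userlist_enable=YES userlist_deny=NO \
        "userlist_file=$dir/allowed_users" > "$dir/vsftpd.conf"
    printf '%s\n' ftp localuser > "$dir/allowed_users"
    echo "$dir"
}

sample=$(make_sample)
echo "before: $(anon_userlist_verdict "$sample/vsftpd.conf")"   # before: blocked
echo anonymous >> "$sample/allowed_users"
echo "after:  $(anon_userlist_verdict "$sample/vsftpd.conf")"   # after:  ok
rm -rf "$sample"
```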