Here is a copy of the official vsftpd FAQ that is included in the vsftpd package:

Q) Can I restrict users to their home directories?
A) Yes. You are probably after the setting:

Q) Why don’t symlinks work with chroot_local_user=YES?
A) This is a consequence of how chroot() security works. As alternatives,
look into hard links, or if you have a modern Linux, see the powerful
“mount –bind”.

Q) Does vsftpd support a limit on the number of users connected?
A1) Yes, indirectly. vsftpd is an inetd-based service. If use the popular
“xinetd” as your inetd, this supports per-service per-IP connection limits.
There is an example of this in the “EXAMPLE” directory.
A2) If you run vsftpd in “standalone” mode with the setting listen=YES, then
you can investigate the setting (e.g.):

Q) Help! I’m getting the error message “refusing to run with writable anonymous
A) vsftpd is protecting against dangerous configurations. The cause of this
message is usually dodgy ownership of the ftp home directory. The home
directory should NOT be owned by the ftp user itself. Neither should it
be writable by the ftp user. A way to fix this is:
chown root ~ftp; chmod -w ~ftp

Q) Help! I’m getting the error message “str_getpwnam”.
A) The most likely cause of this is that the “nobody” user does not exist on
your system. vsftpd needs this user to run bits of itself with no privilege.

Q) Help! Local users cannot log in.
A) There are various possible problems.
A1) By default, vsftpd disables any logins other than anonymous logins. Put
local_enable=YES in your /etc/vsftpd.conf to allow local users to log in.
A2) vsftpd tries to link with PAM. (Run “ldd vsftpd” and look for libpam to
find out whether this has happened or not). If vsftpd links with PAM, then
you will need to have a PAM file installed for the vsftpd service. There is
a sample one for RedHat systems included in the “RedHat” directory – put it
under /etc/pam.d
A3) If vsftpd didn’t link with PAM, then there are various possible issues. Is
the user’s shell in /etc/shells? If you have shadowed passwords, does your
system have a “shadow.h” file in the include path?
A4) If you are not using PAM, then vsftpd will do its own check for a valid
user shell in /etc/shells. You may need to disable this if you use an invalid
shell to disable logins other than FTP logins. Put check_shell=NO in your

Q) Help! Uploads or other write commands give me “500 Unknown command.”.
A) By default, write commands, including uploads and new directories, are
disabled. This is a security measure. To enable writes, put write_enable=YES
in your /etc/vsftpd.conf.

Q) Help! What are the security implications referred to in the
“chroot_local_user” option?
A) Firstly note that other ftp daemons have the same implications. It is a
generic problem.
The problem isn’t too severe, but it is this: Some people have FTP user
accounts which are not trusted to have full shell access. If these
accounts can also upload files, there is a small risk. A bad user now has
control of the filesystem root, which is their home directory. The ftp
daemon might cause some config file to be read – e.g. /etc/some_file. With
chroot(), this file is now under the control of the user. vsftpd is
careful in this area. But, the system’s libc might want to open locale
config files or other settings…

Q) Help! Uploaded files are appearing with permissions -rw——-.
A1) Depending on if this is an upload by a local user or an anonymous user,
use “local_umask” or “anon_umask” to change this. For example, use
“anon_umask=022” to give anonymously uploaded files permissions
-rw-r–r–. Note that the “0” before the “22” is important.
A2) Also see the vsftpd.conf.5 man page for the new “file_open_mode”

Q) Help! How do I integrate with LDAP users and logins?
A) Use vsftpd’s PAM integration to do this, and have PAM authenticate against
an LDAP repository.

Q) Help! Does vsftpd do virtual hosting setups?
A1) Yes. If you integrate vsftpd with xinetd, you can use xinetd to bind to
several different IP addresses. For each IP address, get xinetd to launch
vsftpd with a different config file. This way, you can get different behaviour
per virtual address.
A2) Alternatively, run as many copies as vsftpd as necessary, in standalone
mode. Use “listen_address=x.x.x.x” to set the virtual IP.

Q) Help! Does vsftpd support virtual users?
A) Yes, via PAM integration. Set “guest_enable=YES” in /etc/vsftpd.conf. This
has the effect of mapping every non-anonymous successful login to the local
username specified in “guest_username”. Then, use PAM and (e.g.) its pam_userdb
module to provide authentication against an external (i.e. non-/etc/passwd)
repository of users.
Note – currently there is a restriction that with guest_enable enabled, local
users also get mapped to guest_username.
There is an example of virtual users setup in the “EXAMPLE” directory.

Q) Help! Does vsftpd support different settings for different users?
A) Yes – in a very powerful way. Look at the setting “user_config_dir” in the
manual page.

Q) Help! Can I restrict vsftpd data connections to a specific range of ports?
A) Yes. See the config settings “pasv_min_port” and “pasv_max_port”.

Q) Help! I’m getting the message “OOPS: chdir”.
A) If this is for an anonymous login, check that the home directory for the
user “ftp” is correct. If you are using the config setting “anon_root”, check
that is correct too.

Q) Help! vsftpd is reporting times as GMT times and not local times!
A) This behaviour can be changed with the setting “use_localtime=YES”.

Q) Help! Can I disable certain FTP commands?
A) Yes. There are some individual settings (e.g. dirlist_enable) or you can
specify a complete set of allowed commands with “cmds_allowed”.

Q) Help! Can I change the port that vsftpd runs on?
A1) Yes. If you are running vsftpd in standalone mode, use the “listen_port”
directive in vsftpd.conf.
A2) Yes. If you are running vsftpd from an inetd or xinetd program, this
becomes an inetd or xinetd problem. You must change the inetd or xinetd
configuration files (perhaps /etc/inetd.conf or /etc/xinetd.d/vsftpd)

Q) Help! Will vsftpd authenticate against an LDAP server? What about a
MySQL server?
A) Yes. vsftpd uses PAM for authentication, so you need to configure PAM
to use pam_ldap or pam_mysql modules. This may involve installing the PAM
modules and then editing the PAM config file (perhaps /etc/pam.d/vsftpd).

Q) Help! Does vsftpd support per-IP limits?
A1) Yes. If you are running vsftpd standalone, there is a “max_per_ip”
A2) Yes. If you are running vsftpd via xinetd, there is an xinetd config
variable “per_source”.

Q) Help! Does vsftpd support bandwidth limiting?
A) Yes. See vsftpd.conf.5 man page and investigate settings such as
“anon_max_rate” and “local_max_rate”.

Q) Help! Does vsftpd support IP-based access control?
A1) Yes. vsftpd can integrate with tcp_wrappers (if built with this support).
It is enabled with the setting “tcp_wrappers=YES”.
A2) Yes. vsftpd can be run from xinetd, which supports tcp_wrappers

Q) Help! Does vsftpd support IPv6?
A) Yes, as of version 1.2.0. Read the vsftpd.conf.5 man page.

Q) Help! vsftpd doesn’t build, it fails with an error about being unable to
find -lcap.
A) Install the libcap package and retry the build. Seems to affect Debian
users a lot.

Q) Help! I’ve put settings in /etc/vsftpd.conf, but they are not taking
A) This is affecting some RedHat users – some RedHat versions put the config
file in /etc/vsftpd/vsftpd.conf.

Q) Help! vsftpd doesn’t build, it complains about problems with incomplete
types in sysutil.c.
A) Your system probably doesn’t have IPv6 support. Either use a more modern
system, use an older vsftpd (e.g. v1.1.3), or wait for a version of vsftpd
without this problem!

Q) Help! I’m getting messages along the lines of 500 OOPS: vsf_sysutil_bind
when trying to do downloads (particularly lots of small files).
A) vsftpd-1.2.1 should sort this out.

Q) Help! Does vsftpd support hiding or denying certain files?
A) Yes. Look at the hide_file and deny_file options in the manual page.

Q) Help! Does vsftpd support FXP?
A) Yes. An FTP server does not have to do anything special to support FXP.
However, you many get tripped up by vsftpd’s security precautions on IP
addresses. In order to relax these precautions, have a look in the
vsftpd.conf.5 for pasv_promiscuous (and the less advisable port_promiscuous).

Q) Blah.. blah..
A) For a good idea of what vsftpd can do, read the vsftpd.conf.5 man page
and the EXAMPLES.


Trả lời

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập: Logo

Bạn đang bình luận bằng tài khoản Đăng xuất / Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất / Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất / Thay đổi )

Google+ photo

Bạn đang bình luận bằng tài khoản Google+ Đăng xuất / Thay đổi )

Connecting to %s

%d bloggers like this: