
vsftpd: Local And Virtual Users With Bash Scripts For User Maintenance (CentOS 6.0)


vsftpd is the most popular FTP server in the Linux world and is secure and fast. Recently I had to configure an FTP server quickly on a CentOS server built from the minimal ISO, and the server was up and running in a snap.

The server being used here is a CentOS minimal installation build.

CentOS 6
vsftpd 2.2.2

Follow these instructions:

$ su - root

At the root shell:

# yum install vsftpd

This installs the daemon from the distribution's repository. A default config file is placed with the most basic and necessary options. Now edit the config file at /etc/vsftpd/vsftpd.conf using your favourite editor, e.g. vi.

# cd /etc/vsftpd/
# vi vsftpd.conf

In this file set the following options (add or uncomment them as needed) and leave the rest as is.

anonymous_enable=NO

This is set to YES by default.

local_enable=YES

This is set to NO by default; change it when you want the local users to have FTP access.

xferlog_enable=YES

This is set to NO by default. Your transfer logs will be written to /var/log/xferlog.


Common Pitfalls & Panic Areas

Most Linux distributions have SELinux enabled by default, and vsftpd gives an error when the installer has not taken care of the SELinux policy. The error is as follows:

500 OOPS: cannot change directory:/home/someuser

This can be fixed either by disabling SELinux or by setting the SELinux boolean option for FTP home directories.

Disabling SELinux:

# vi /etc/selinux/config

In this file set the option to disabled.

SELINUX=disabled

Setting SELinux for ftp access:

# getsebool -a | grep ftp

This lists the FTP-related boolean options; ftp_home_dir is off by default. Turn it on with:

# setsebool -P ftp_home_dir on

This might take a minute or two; wait until the prompt comes back. You can check with the getsebool command again. If you need both local and virtual users, use the instructions in the next section.


Starting the server and testing

Now set the service to start automatically at startup.

# chkconfig --levels 345 vsftpd on

Start the service

# service vsftpd start

From a different box connect to this server; you can use either a GUI or a CLI client.

All set, the FTP server is ready to serve.

Virtual Users

This chapter gives detailed instructions for enabling virtual user access in the vsftpd server. It assumes you already have a working vsftpd server with local shell user access; if you don't, follow the instructions in the previous section.

The server being used here is a Linux CentOS Minimal installation build.

CentOS 6
vsftpd 2.2.2

The virtual users home folders will be under /var/ftp/. You need to have either ‘su’ permissions or ‘root’ access or ‘sudo’ access.

Authentication will be handled by pam_userdb, which is part of PAM and installed by default; it reads a Berkeley DB file, and creating that file needs db_load from the db4-utils package. Check whether it is installed with:

# yum info db4-utils

Install it if necessary with:

# yum install db4-utils


Create the virtual users

Now cd to /etc/vsftpd and prepare the plain-text user file with the usernames and passwords. The file has one username per line with its password on the line that follows, as shown. It is good practice to keep these in a separate folder.

sudhakar
password1
bellamkonda
password2

# cd /etc/vsftpd/
# mkdir vuser
# cd vuser

A pwd should show /etc/vsftpd/vuser, now create the file:

# vim vuser_list

Add your users and save it. This file now needs to be loaded into a Berkeley DB hash database with db_load from db4-utils so that vsftpd, through PAM, can use it for authentication.

# db_load -T -t hash -f /etc/vsftpd/vuser/vuser_list /etc/vsftpd/vuser/vuser_db.db

The DB file vuser_db.db is created from vuser_list. Note that the file has a .db extension; this is necessary.


Enable Authentication with PAM

Now append to the file /etc/pam.d/vsftpd for this virtual user authentication to work.

# cd /etc/pam.d/
# vi vsftpd

auth     sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db
account  sufficient pam_userdb.so db=/etc/vsftpd/vuser/vuser_db

Put these two lines at the very top of the file, just below the #%PAM-1.0 line, and save it. pam_userdb automatically appends the .db extension to the path given in db=. These two lines have to be at the top of the stack for the dual authentication to work. This way you can have both real shell users and virtual users using the same instance of the daemon rather than running two vsftpd processes.


Append Options to vsftpd.conf

Add the following to the vsftpd config file at /etc/vsftpd/vsftpd.conf (vsftpd does not accept a comment on the same line as an option, so the comments are on their own lines):

# activate the virtual users
guest_enable=YES
# virtual users get the same privileges as local users
virtual_use_local_privs=YES
user_sub_token=$USER
# home directory for each virtual user
local_root=/var/ftp/vuser/$USER
# restrict users to the FTP area and their home directories only
chroot_local_user=YES

Also disable SELinux in /etc/selinux/config so that the virtual users can write to their directories under /var/ftp/vuser/$USER. Now change to the virtual user folder.
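The options above and the local-user options from the first section are easy to get subtly wrong (a leftover anonymous_enable=YES from the shipped file, a repeated key, or a trailing comment that vsftpd rejects with "bad bool value"). The following audit script is an added example and not part of the original article; the expected values are the ones this guide sets, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original article): audit a vsftpd.conf against
# the settings this guide asks for. Usage: sh vsftpd_audit.sh [FILE]
# With no readable FILE a constructed sample is audited instead.

# Key=value pairs the article sets for local and virtual users.
VSFTPD_EXPECTED='anonymous_enable=NO
local_enable=YES
xferlog_enable=YES
guest_enable=YES
virtual_use_local_privs=YES
chroot_local_user=YES'

# vsftpd_get_option FILE KEY: print the effective value of KEY (the last
# non-comment "KEY=value" line wins, as in vsftpd), or nothing if unset.
vsftpd_get_option() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k          { v = substr($0, length(k) + 2) }
        END              { print v }' "$1"
}

# vsftpd_check_syntax FILE: vsftpd has no inline comments, so a line such as
# "guest_enable=YES # comment" makes it refuse to start. Print every
# non-comment line containing a '#' and return 1 if any were found.
vsftpd_check_syntax() {
    ! grep -n '^[^#].*#' "$1"
}

# vsftpd_audit FILE: print one line per setting that differs from
# VSFTPD_EXPECTED; return 0 when everything matches, 1 otherwise.
vsftpd_audit() {
    va_file="$1"
    va_rc=0
    while IFS= read -r va_line; do
        va_key="${va_line%%=*}"
        va_want="${va_line#*=}"
        va_got="$(vsftpd_get_option "$va_file" "$va_key")"
        if [ "$va_got" != "$va_want" ]; then
            printf '%s: %s is "%s", expected "%s"\n' \
                "$va_file" "$va_key" "${va_got:-unset}" "$va_want"
            va_rc=1
        fi
    done <<EOF
$VSFTPD_EXPECTED
EOF
    return "$va_rc"
}

# Stand-alone run: audit the given file (default: the article's config path).
conf="${1:-/etc/vsftpd/vsftpd.conf}"
made_sample=0
if [ ! -r "$conf" ]; then
    # Constructed sample: keeps the shipped default anonymous_enable=YES and
    # carries one inline comment, so both checks report something.
    conf="$(mktemp)"; made_sample=1
    printf '%s\n' '# constructed sample vsftpd.conf' 'anonymous_enable=YES' \
        'local_enable=YES' 'xferlog_enable=YES' 'guest_enable=YES # activate' \
        'virtual_use_local_privs=YES' 'chroot_local_user=YES' > "$conf"
fi
vsftpd_check_syntax "$conf" || echo "$conf: the lines above will make vsftpd refuse to start"
vsftpd_audit "$conf" && echo "$conf: all expected settings present"
[ "$made_sample" -eq 1 ] && rm -f "$conf"
```

Run it against /etc/vsftpd/vsftpd.conf after editing and before restarting the service; a non-zero exit from either check means the file is not yet what the guide describes.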

Create the Virtual User Folders

# cd /var/ftp
# mkdir vuser
# mkdir vuser/sudhakar
# mkdir vuser/bellamkonda
# chown -R ftp:ftp /var/ftp/vuser/

Create symbolic links with ln -s between the /home/ folders and /var/ftp/vuser/ (see the section on local users below) so that when the users log in vsftpd chroots them to their respective folders.
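The two manual steps above (maintaining vuser_list and rebuilding vuser_db.db, then creating the per-user folder under /var/ftp/vuser) are what a user-maintenance script has to automate. The script below is an added example and not one of the article's own scripts: it uses the article's paths, and the function names, the username rules and the root-only permissions are my own choices. Because pam_userdb compares the passwords in the DB as plain text unless its crypt= option is used, the script keeps both files mode 600.

```sh
#!/bin/sh
# Added example, not one of the article's scripts: maintain vuser_list
# (username on one line, password on the next) and rebuild the Berkeley DB
# file that pam_userdb reads. Usage: sh vuser.sh add NAME PASSWORD | del NAME

VUSER_LIST=/etc/vsftpd/vuser/vuser_list   # article's plain-text list
VUSER_DB=/etc/vsftpd/vuser/vuser_db.db    # article's db_load output
VUSER_HOME_BASE=/var/ftp/vuser            # article's per-user home location
VUSER_NL="$(printf '\nx')"; VUSER_NL="${VUSER_NL%x}"   # a literal newline

# vuser_valid_name NAME: the name becomes a directory under VUSER_HOME_BASE
# (local_root=/var/ftp/vuser/$USER), so allow only a conservative character
# set with no path separators or dots (my rule, not the article's).
vuser_valid_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# vuser_exists LIST NAME: true when NAME is on a username (odd) line of LIST.
vuser_exists() {
    [ -f "$1" ] && awk -v u="$2" 'NR % 2 == 1 && $0 == u { found = 1 }
                                  END { exit !found }' "$1"
}

# vuser_add LIST NAME PASSWORD: append the pair, rejecting bad names,
# empty or multi-line passwords (they would corrupt the pairing) and duplicates.
vuser_add() {
    va_list="$1"; va_name="$2"; va_pass="$3"
    vuser_valid_name "$va_name" || { echo "vuser_add: invalid username '$va_name'" >&2; return 2; }
    case "$va_pass" in
        ''|*"$VUSER_NL"*) echo "vuser_add: bad password for '$va_name'" >&2; return 2 ;;
    esac
    [ -f "$va_list" ] || : > "$va_list"
    chmod 600 "$va_list"                      # plaintext passwords: root only
    if vuser_exists "$va_list" "$va_name"; then
        echo "vuser_add: user '$va_name' already exists" >&2
        return 1
    fi
    printf '%s\n%s\n' "$va_name" "$va_pass" >> "$va_list"
}

# vuser_del LIST NAME: remove the username line and the password line after it.
vuser_del() {
    vd_list="$1"; vd_name="$2"
    vuser_exists "$vd_list" "$vd_name" || { echo "vuser_del: no such user '$vd_name'" >&2; return 1; }
    vd_tmp="$vd_list.tmp.$$"
    awk -v u="$vd_name" 'NR % 2 == 1 { keep = ($0 != u) } keep { print }' "$vd_list" > "$vd_tmp" \
        && mv "$vd_tmp" "$vd_list" && chmod 600 "$vd_list"
}

# vuser_rebuild_db LIST DB: recreate DB from LIST with the article's db_load
# command, starting from scratch so deleted users do not linger in the old DB.
vuser_rebuild_db() {
    rm -f "$2" && db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
}

# vuser_mkhome BASE NAME: create the per-user directory owned by ftp:ftp,
# as the article does by hand (needs root).
vuser_mkhome() {
    mkdir -p "$1/$2" && chown ftp:ftp "$1/$2"
}

# Command-line entry point; with no arguments only the functions are defined,
# so the file can also be sourced by other scripts.
case "${1:-}" in
    add) vuser_add "$VUSER_LIST" "$2" "$3" && vuser_mkhome "$VUSER_HOME_BASE" "$2" \
             && vuser_rebuild_db "$VUSER_LIST" "$VUSER_DB" ;;
    del) vuser_del "$VUSER_LIST" "$2" && vuser_rebuild_db "$VUSER_LIST" "$VUSER_DB" ;;
    '')  ;;
    *)   echo "usage: $0 add NAME PASSWORD | del NAME" >&2 ;;
esac
```

The list is rewritten as a whole on every change and the DB is regenerated from it, so the plain-text file stays the single source of truth and a stale vuser_db.db can never let a removed user keep logging in. A restart of vsftpd is not needed after a rebuild; pam_userdb opens the DB on each authentication.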

Bash scripts and Howto article for automation are at http://sudhakarbellamkonda.blogspot.com/2011/12/vsftpd-virtual-users-creation-bash.html


For Local Users

In folder /var/ftp/vuser/:

# mkdir yourlocaluser
# chown ftp:ftp yourlocaluser
# ln -s /var/ftp/vuser/yourlocaluser /home/yourlocaluser/ftphome

All files uploaded will be owned by the user ftp:ftp.


Starting the server and testing

Start the service:

# service vsftpd start

Or restart it if it is already running:

# service vsftpd restart

From a different box connect to this server; you can use either a GUI or a CLI client.

All set, go on and use the FTP server; it is ready to serve.

Bash Scripts

The Bash scripts presented here are for a vsftpd server that has been set up using the instructions in the previous sections.

Make these changes before using the scripts; root access is assumed.

Create the following vuser subfolder in /etc/vsftpd/ if not done already:

# cd /etc/vsftpd
# mkdir vuser

Download the scripts bundle and untar it in the /etc/vsftpd/vuser folder. It is at version v0.1 and is still being developed, so check back for more versions and functionality at http://vsftpd-virtualuser-bash-scripts.blogspot.com/.

Download it from http://www.mediafire.com/?j9anm89c8v6pt84

The scripts

vuserchk – checks that the files and folders these scripts need are present
vuser.conf – the file containing the configuration parameters for these scripts
vuseradd – adds a virtual user
vuserdel – deletes a virtual user
vuserres – restores a deleted user
vuserpas – changes a virtual user's password
vusersho – displays a user's password

The scripts are very verbose and display messages and errors that are self-explanatory.


What the scripts do not do

Deleting a user removes the user from the active list, renames the FTP home folder to $USER-deleted and copies the deleted user's details to a deleted-user list. A script to archive the folder and move the tarball to an archive folder is on the back burner.


Panic not, be cautious

Use the scripts wisely and carefully. Please back up before any use on production servers. The scripts have been tested and used without any errors or problems.


Six are the scripts

These scripts are very non-intrusive and have a simple logic flow. Prerequisites are BASH, GAWK and SED. I am hoping to introduce more functionality into the scripts and add a local-user FTP home sync'er and a deleted-folder archiver; once finished I will add them here.

Test them, deploy for ease of mind, let the scripts do the work and relax :).
