Sweet vsftpd setup using virtual users for web developers

Wednesday, September 15th, 2010

This setup creates a list of FTP-only virtual users, which are not local accounts on the server system, and jails them to web directories. This means that they can only work in the directories to which they are assigned.

Firstly, install vsftpd:

linux# apt-get install vsftpd

Now install the PAM password file support:

linux# apt-get install libpam-pwdfile

Make sure the directory /etc/vsftpd exists; if it does not, create it:

linux# mkdir /etc/vsftpd

Now we are going to make the list of users that PAM will check logins against. Each username needs to match the directory name of the web root for its virtual host, e.g. /var/www/google.com would be ‘google.com’ for the username.

linux# htpasswd -c /etc/vsftpd/passwd google.com

For each user after that, drop the -c (it creates the file and would overwrite the existing one):

linux# htpasswd /etc/vsftpd/passwd yahoo.com

Next we need to edit the vsftpd config file

linux# nano /etc/vsftpd.conf

Edit or add these settings:

    listen=YES
    anonymous_enable=NO
    local_enable=YES
    virtual_use_local_privs=YES
    write_enable=YES
    connect_from_port_20=YES
    secure_chroot_dir=/var/run/vsftpd
    pam_service_name=vsftpd
    guest_enable=YES
    guest_username=www-data
    user_sub_token=$USER
    local_root=/var/www/$USER
    chroot_local_user=YES
    hide_ids=YES
    check_shell=NO
    user_config_dir=/var/www/users

Now we need to configure PAM to read the password file:

linux# nano /etc/pam.d/vsftpd

Comment out all existing lines and add these:

# Customized login using htpasswd file
auth required pam_pwdfile.so pwdfile /etc/vsftpd/passwd
account required pam_permit.so

To make a super FTP user with access to all of the websites, we need to make a special config file for them.
First, make the config file directory:

linux# mkdir /var/www/users

Create the super FTP user using htpasswd in /etc/vsftpd as before, then also create a config file named after that user (here google.com):

linux# nano /var/www/users/google.com

Put just this line in the file and save:

    local_root=/var/www

Now that user has access to all of the websites in /var/www, because we jailed it there instead of in /var/www/google.com.

These per-user config files take precedence over the settings in /etc/vsftpd.conf.

Restart vsftpd:

linux# /etc/init.d/vsftpd restart

Note: users will not work until their directory has been made.
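
An added example, not part of the original post: a shell function that cross-checks the htpasswd list against the jails this setup produces. It flags users whose directory is missing, users whose per-user config file moves the jail off /var/www/$USER (the super user), and names that would change the path when substituted for $USER. The function names and status labels are made up for this example; the paths are the ones used above.

```shell
# Added example (not from the original post). Function names and status
# labels are made up for this sketch; the paths in the usage line are the post's.
# Prints "<user> <status> <jail>" for every entry in the htpasswd file:
#   OK       jailed to WEB_ROOT/<user>, directory exists
#   MISSING  jail directory does not exist, so the user will not work
#   WIDE     a user_config_dir file moves the jail off WEB_ROOT/<user>
#   CONFDIR  the jail is the per-user config directory itself
#   BADNAME  name would alter the path when substituted for $USER
audit_vusers() {  # usage: audit_vusers PASSWD_FILE WEB_ROOT USER_CONF_DIR
    passwd_file=$1 web_root=$2 conf_dir=$3
    while IFS=: read -r user _hash || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        case $user in
            */*|.*) echo "$user BADNAME -"; continue ;;
        esac
        jail="$web_root/$user" status=OK
        # Per-user files take precedence over vsftpd.conf, so read local_root there.
        if [ -f "$conf_dir/$user" ]; then
            override=$(sed -n 's/^local_root=//p' "$conf_dir/$user" | tail -n 1)
            if [ -n "$override" ] && [ "$override" != "$jail" ]; then
                jail=$override status=WIDE
            fi
        fi
        if [ ! -d "$jail" ]; then
            status=MISSING
        elif [ "$jail" = "$conf_dir" ]; then
            status=CONFDIR
        fi
        echo "$user $status $jail"
    done < "$passwd_file"
}

# Constructed sample tree (placeholder hashes) so the check can be tried offline.
audit_demo() {
    d=$(mktemp -d) && mkdir -p "$d/www/google.com" "$d/www/users" || return 1
    printf '%s\n' 'google.com:x' 'yahoo.com:x' 'users:x' '../etc:x' > "$d/passwd"
    echo "local_root=$d/www" > "$d/www/users/google.com"
    audit_vusers "$d/passwd" "$d/www" "$d/www/users" | sed "s|$d||g"
    rm -rf "$d"
}
# Try it: audit_demo   On the server: audit_vusers /etc/vsftpd/passwd /var/www /var/www/users
```

Only the super user should show up as WIDE; any other WIDE or CONFDIR line is a jail that is larger than intended.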

—Cleaning up—

Make all websites accessible to Apache:

linux# chown www-data:www-data /var/www -R

Set the setgid bit so that the www-data group is retained even when FTP users create things:

linux# chmod g+s /var/www -R

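Fix the ownership of the user config file directory. The recursive chown above handed it to www-data, which is the account the FTP users run as, so give it back to root:

linux# chown root:root /var/www/users -R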

Many thanks to the author of this article for getting me most of the way there.
http://howto.gumph.org/content/setup-virtual-users-and-directories-in-vsftpd/