This setup creates a list of virtual FTP users, which are not local users on the server system, and jails them to web directories. This means they can only work in the directories to which they are assigned.
Firstly, install vsftpd:
linux# apt-get install vsftpd
Now install the PAM password file support:
linux# apt-get install libpam-pwdfile
Make sure the directory /etc/vsftpd exists. If it does not, create it:
linux# mkdir /etc/vsftpd
Now we are going to make a list of users for PAM to authenticate against. Each username needs to match the directory name of the web root for its virtual host. For example, /var/www/google.com would be ‘google.com’ for the username.
linux# htpasswd -c /etc/vsftpd/passwd google.com
For each user after that, drop the -c (it creates the password file, so using it again would overwrite the existing entries):
linux# htpasswd /etc/vsftpd/passwd yahoo.com
Next we need to edit the vsftpd config file:
linux# nano /etc/vsftpd.conf
Edit or add these settings:
listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
guest_enable=YES
guest_username=www-data
user_sub_token=$USER
local_root=/var/www/$USER
chroot_local_user=YES
hide_ids=YES
check_shell=NO
user_config_dir=/var/www/users
Now we need to configure PAM to read the password file:
linux# nano /etc/pam.d/vsftpd
Comment out all existing lines and add these:
# Customized login using htpasswd file
auth required pam_pwdfile.so pwdfile /etc/vsftpd/passwd
account required pam_permit.so
To make a super FTP user with access to all of the websites, we need to make a special config file for them.
First, make the config file directory:
linux# mkdir /var/www/users
Create the super FTP user using htpasswd in /etc/vsftpd, but now we are also going to create a config file for that user (google.com):
linux# nano /var/www/users/google.com
Put just this line in the file and save: local_root=/var/www
Now that user has access to all of the websites in /var/www because we jailed it there instead of in /var/www/google.com.
These per-user config files take precedence over the settings in /etc/vsftpd.conf.
Restart vsftpd:
linux# /etc/init.d/vsftpd restart
Note, users will not work until their directory is made.
—Cleaning up—
Make all websites accessible to Apache:
linux# chown www-data:www-data /var/www -R
Set the setgid bit so that the www-data group is retained even when FTP users create things:
linux# chmod g+s /var/www -R
Fix the ownership of the user config file directory:
linux# chown root:root /var/www/users -R
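The note above that users will not work until their directory is made, and the per-user local_root override used for the super user, can both be checked once the setup is finished. The following shell function is an added example, not part of the original article; the function name, the output labels and the sample layout in demo are made up for illustration.

```shell
#!/bin/sh
# Added example: audit vsftpd virtual users against the layout in this article.
# Usage: audit_vsftpd_users PASSWD_FILE WEB_ROOT USER_CONFIG_DIR
audit_vsftpd_users() (
    passwd_file=$1 web_root=$2 conf_dir=$3 status=0
    while IFS=: read -r user _hash || [ -n "$user" ]; do
        case $user in ''|\#*) continue ;; esac   # skip blank lines and comments
        # Default jail, as set by local_root=/var/www/$USER in vsftpd.conf
        root="$web_root/$user"
        conf="$conf_dir/$user"
        if [ -f "$conf" ]; then
            # A per-user file in user_config_dir overrides the global local_root
            override=$(sed -n 's/^local_root=//p' "$conf" | tail -n 1)
            if [ -n "$override" ]; then
                root=$override
                echo "OVERRIDE $user $root"
            fi
            # Group- or world-writable: another account could change this jail
            if [ -n "$(find "$conf" -perm -020 -o -perm -002)" ]; then
                echo "WRITABLE $user $conf"
                status=1
            fi
        fi
        # The article notes users will not work until their directory exists
        if [ ! -d "$root" ]; then
            echo "MISSING $user $root"
            status=1
        fi
    done < "$passwd_file"
    exit "$status"
)

# Constructed sample layout in a temporary directory (hashes are placeholders)
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/www/google.com" "$d/www/users"
    printf 'google.com:HASH1\nyahoo.com:HASH2\n' > "$d/passwd"
    echo "local_root=$d/www" > "$d/www/users/google.com"
    chmod 644 "$d/www/users/google.com"
    audit_vsftpd_users "$d/passwd" "$d/www" "$d/www/users" || true
    rm -rf "$d"
}
demo
```

On the server described here the call would be audit_vsftpd_users /etc/vsftpd/passwd /var/www /var/www/users; a non-zero exit status means at least one MISSING or WRITABLE line was reported.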
Many thanks to the author of this article for getting me most of the way there:
http://howto.gumph.org/content/setup-virtual-users-and-directories-in-vsftpd/
Norbert Essing
3 Jan 2011
Conspicuous site, pls continue your work and keep us updated with fresh entries
Suryadi
22 Jan 2013
Hi, I’ve followed your steps but I can’t log in, with the following error:
530 Login incorrect.
Any help would be appreciated, thanks
Andy
4 Sep 2013
Excellent article, thanks for your help.