Tuesday, April 15, 2008

Setup of VSFTPD - another approach

If you are hosting several web sites, you may want, for security reasons, each webmaster to be able to reach only their own files. One good way is to give them FTP access by setting up VSFTPD virtual users and directories.

In my last article, I described how to set up VSFTPD virtual users. In this article, I describe another approach: instead of users known only to vsftpd, it uses real system accounts that are locked down to FTP access only.

1. Installation of VSFTPD

For Red Hat, CentOS and Fedora, you may install VSFTPD by the command
# yum install vsftpd
For Debian and Ubuntu,
# apt-get install vsftpd
2. Virtual users and authentication

We create a real system account for each webmaster, but give it nothing more than FTP access to our server.

First, use the `useradd' command to create the user accounts. Three things need to be specified:
  • group: set each user's primary group to the group the HTTP server runs as, so the server can read what the webmaster uploads. In most cases it is `apache' for Apache HTTP Server on Red Hat-derived systems (`www-data' on Debian and Ubuntu) and `lighttpd' for lighttpd.

  • home directory: set each user's home directory to the DocumentRoot of his virtual host; with the chroot setting below, that directory is all the user will see. The directory must be readable by the HTTP server; make it group-writable only if the web application itself needs to write there, since a writable DocumentRoot lets a compromised web application drop files into the site.

  • login shell: to disallow normal login, set the login shell to `/sbin/nologin' (`/usr/sbin/nologin' on Debian and Ubuntu). The shell must still be listed in /etc/shells: the vsftpd PAM configuration shipped with most distributions runs pam_shells, which otherwise rejects the FTP login too. On Red Hat-derived systems /sbin/nologin is listed by default.
For example (on Debian and Ubuntu add `-m', since useradd there does not create the home directory by default):
# useradd -g apache -d /var/www/vhosts/mike -s /sbin/nologin mike
# chmod g+w /var/www/vhosts/mike
# passwd mike
Changing password for user mike.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
3. Configuration of VSFTPD

Create a configuration file /etc/vsftpd/vsftpd-virtual.conf with the following settings, one directive per line:
# disables anonymous FTP
# enables non-anonymous FTP
# enables uploads and new directories
# authentication of the users through PAM
# each user is restricted to his own home directory (the DocumentRoot)
# runs vsftpd in standalone mode
# listens on this port for incoming FTP connections
# the minimum port to allocate for PASV style data connections
# the maximum port to allocate for PASV style data connections
# controls whether PORT style data connections use port 20 (ftp-data)
# the umask for file creation
4. Start VSFTPD and test
Now we can start VSFTPD by the command:
# /usr/sbin/vsftpd /etc/vsftpd/vsftpd-virtual.conf
and test the FTP access of a user (replace localhost with the server's hostname when testing from another machine):
# lftp -u mike -p 60021 localhost
The user should have full access to his own directory and should not be able to leave it: `cd ..' stays at `/', because the home directory is the root of his chroot.
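The whole procedure as one script, added here as an example and not code from the original post. The listen port 60021, the `apache' group and the /sbin/nologin shell come from the post; the PASV range 60100-60200, the PAM service name `vsftpd' (the stock /etc/pam.d/vsftpd), the vhost root /var/www/vhosts and the helper names are assumptions. Each directive it writes corresponds to one commented setting of step 3, and a small check refuses a configuration that lost any directive the lock-down depends on.

```shell
#!/bin/sh
# Added example, not code from the original post: generate, sanity-check and
# apply the vsftpd configuration for FTP-only system accounts described above.
# From the post: port 60021, group `apache', shell /sbin/nologin.
# Assumed here: PASV range 60100-60200, PAM service `vsftpd' (the stock
# /etc/pam.d/vsftpd) and the vhost root /var/www/vhosts.

VHOST_ROOT=/var/www/vhosts
FTP_PORT=60021
PASV_MIN=60100            # assumed; open this range on the firewall
PASV_MAX=60200            # assumed
NOLOGIN=/sbin/nologin     # /usr/sbin/nologin on Debian and Ubuntu
CONF=/etc/vsftpd/vsftpd-virtual.conf

# Print the configuration, one directive per commented setting of step 3.
gen_vsftpd_conf() {
    cat <<EOF
# disables anonymous FTP
anonymous_enable=NO
# enables non-anonymous FTP
local_enable=YES
# enables uploads and new directories
write_enable=YES
# authentication of the users through PAM (stock /etc/pam.d/vsftpd assumed)
pam_service_name=vsftpd
# each user is restricted to his own home directory (the DocumentRoot)
chroot_local_user=YES
# vsftpd 3.0 and later refuse a chroot root the user can write to;
# uncomment there, or keep the home read-only and upload into a subdirectory
#allow_writeable_chroot=YES
# runs vsftpd in standalone mode
listen=YES
# listens on this port for incoming FTP connections
listen_port=$FTP_PORT
# the port range to allocate for PASV style data connections
pasv_min_port=$PASV_MIN
pasv_max_port=$PASV_MAX
# controls whether PORT style data connections use port 20 (ftp-data)
connect_from_port_20=YES
# the umask for file creation: files 644, directories 755
local_umask=022
# log every transfer
xferlog_enable=YES
EOF
}

# Refuse a configuration that lacks any directive the lock-down depends on.
# Returns 0 if the file passes, 1 (with a message on stderr) otherwise.
check_vsftpd_conf() {
    conf=$1
    for kv in anonymous_enable=NO local_enable=YES chroot_local_user=YES listen=YES; do
        grep -qx "$kv" "$conf" || { echo "$conf: missing $kv" >&2; return 1; }
    done
    return 0
}

# Create an FTP-only account whose home is the vhost DocumentRoot (needs root).
# g+w is deliberately not applied; add it only if the web application itself
# must write into its DocumentRoot.
create_webmaster() {
    name=$1
    group=$2
    # pam_shells rejects logins whose shell is not listed in /etc/shells
    grep -qx "$NOLOGIN" /etc/shells || {
        echo "$NOLOGIN is not in /etc/shells; FTP logins would be refused" >&2
        return 1
    }
    # -m because Debian's useradd does not create the home directory by default
    useradd -m -g "$group" -d "$VHOST_ROOT/$name" -s "$NOLOGIN" "$name"
    chmod 750 "$VHOST_ROOT/$name"
}

# Apply everything for one webmaster, e.g.: VSFTPD_APPLY=1 sh setup.sh mike
if [ "${VSFTPD_APPLY:-0}" = 1 ]; then
    gen_vsftpd_conf > "$CONF"
    check_vsftpd_conf "$CONF"
    create_webmaster "${1:?usage: VSFTPD_APPLY=1 $0 username}" apache
    passwd "$1"
    /usr/sbin/vsftpd "$CONF"
fi
```

Run it as root with VSFTPD_APPLY=1 and the username; without that variable it only defines the functions, so the generator and the check can be exercised on any machine. Two points the post does not cover: plain FTP sends the password in clear text, so if webmasters connect over untrusted networks add ssl_enable=YES together with force_local_logins_ssl=YES and force_local_data_ssl=YES (FTPS); and whatever PASV range you choose has to be opened on the firewall alongside the listen port.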


  1. I know, I'm nitpicking ... but these are not virtual users, but system users with restricted access.

    While real virtual users are only known by the ftp server, these users are known by the linux system.

    Often enough this solution is secure enough and somewhat more feasible.
    But if you want to add security, use *real* virtual users.

    It's a small difference - but a difference.


  2. Excellent article; the example above is very good. But as an alternative solution I also want to draw your attention to the possibility of using cloud server dataroom services for such purposes.