Using VSFTPD with MySQL and restricting users
Let me save you over 10 hours of hair pulling stress and give you the easiest guide you’ll ever come across to setup vsftpd on your linux box and give you control of your private server.
This guide will let you accomplish the following:
- Allow vsftpd to use a mysql database for login authentication and logging of authentication messages
- Setup a base set of permissions for all users
- Setup per-user permission sets, including a chroot’d login, download speed limit and hidden directories
Let’s get started. Firstly you’ll need to install all the packages required:
On Red Hat based systems this command will install it all for you: yum -y install vsftpd mysql-server pam_mysql
Now that you’ve got them all installed correctly, you’ll need to set up a MySQL database and user for vsftpd to use. The database name (vsftpd) and the user credentials must match what you put in the PAM line further down; pam_mysql only needs to read the users table and insert into the logs table, so grant just that:
-- Database plus a MySQL account for PAM, with only the privileges pam_mysql needs.
CREATE DATABASE IF NOT EXISTS `vsftpd`;
CREATE USER 'your-db-user'@'localhost' IDENTIFIED BY 'your-db-password';
GRANT SELECT, INSERT ON `vsftpd`.* TO 'your-db-user'@'localhost';
USE `vsftpd`;

-- Authentication messages written by pam_mysql (sqllog=1).
CREATE TABLE IF NOT EXISTS `logs` (
  `id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
  `msg` VARCHAR(255) NOT NULL,
  `user` VARCHAR(30) NOT NULL,
  `pid` VARCHAR(15) NOT NULL,
  `host` VARCHAR(30) NOT NULL,
  `rhost` VARCHAR(30) NOT NULL,
  `logtime` VARCHAR(30) NOT NULL,
  PRIMARY KEY (`id`)
);

-- FTP logins: one row per user, looked up by name/passwd.
CREATE TABLE IF NOT EXISTS `users` (
  `id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
  `name` VARCHAR(30) NOT NULL,
  `passwd` VARCHAR(30) NOT NULL,
  `group` VARCHAR(10) NOT NULL,
  PRIMARY KEY (`id`)
);
This is all you need to allow PAM to authenticate. You might want to add yourself as a user right about now. Note that the password field is plain text and not encrypted (that is what crypt=0 in the PAM line below means), so anyone who can read the users table can read every password.
Now we want to set up a PAM entry for vsftpd. There should already be one at /etc/pam.d/vsftpd, but we want to replace it with our own. Edit that file (or create it) and insert the following two lines, replacing the values. The auth line checks the password against the users table and the account line authorises the login; the sqllog options record the authentication messages in the logs table. On 64-bit systems the module lives in /lib64/security rather than /lib/security.
auth required /lib/security/pam_mysql.so user=your-db-user passwd=your-db-password host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=0
account required /lib/security/pam_mysql.so user=your-db-user passwd=your-db-password host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=0 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime
Next we’ll setup vsftpd. All the configuration files for vsftpd exist in: /etc/vsftpd/
Crack open vsftpd.conf and make some changes. This is how I have mine set up. You may want to change a couple of things after finding out more about them, but at this stage you might want to stick with this.
ftpd_banner=This is a private server.
The most important part is the pam_service_name entry: it must be the same name as the file we edited in /etc/pam.d/. The local_root entry is the directory your users will be locked into as their root directory. Change that to something else too.
So what we have so far is an FTP server that will allow users who exist in the MySQL table to log in and see the files within the local_root folder only.
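The vsftpd.conf directives that the text relies on, as an added example (this is not the author’s own file; the paths /srv/ftp and /etc/vsftpd/users are assumptions, and the pam_service_name matches the PAM file above):

```ini
# /etc/vsftpd/vsftpd.conf (added example, not the original article's file)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES

# Every login is handed to PAM using /etc/pam.d/vsftpd, the file edited above.
pam_service_name=vsftpd

# Users from the MySQL table are "virtual": they run as the system account
# named in guest_username rather than as a matching /etc/passwd user.
guest_enable=YES
guest_username=ftp
# Give virtual users local-user privileges so local_root and local_max_rate
# apply to them; otherwise vsftpd treats them like anonymous users.
virtual_use_local_privs=YES

# Where everyone lands unless a per-user file overrides it (assumed path).
local_root=/srv/ftp

# Chroot everybody EXCEPT the users listed in chroot_list.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# vsftpd 3.x refuses a chroot whose root directory is writable. Keep the
# root owned by root (writable subdirectories are fine) or set
# allow_writeable_chroot=YES and accept the weaker containment.

# Per-user overrides live in /etc/vsftpd/users/<username> (assumed path).
user_config_dir=/etc/vsftpd/users

# Do not leak real uid/gid values in directory listings.
hide_ids=YES

# Keep a protocol log so failed logins can be traced alongside /var/log/secure.
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log

ftpd_banner=This is a private server.
```

The chroot_list semantics are easy to get backwards: with chroot_local_user=YES, the names in chroot_list_file are the users who are NOT confined, which is exactly how the next section uses it.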
From this point I have a more specific setup going on. I have a login for myself that I don’t want restricted in any way. Here’s how to accomplish this:
Edit the file /etc/vsftpd/chroot_list and add yourself on a single line, i.e. my username in the MySQL database is ‘jc’, so I just add ‘jc’ to a line in that file all by itself. This tells vsftpd that my user should not be chroot’d, unlike the others.
Then go into the /etc/vsftpd/users/ directory (create one if it doesn’t exist) and edit a new file, named after the user, in my case ‘jc’. Add these lines to the file, replacing the values with your preferences:
This tells vsftpd that for the FTP user ‘jc’, the home is /home/jc and the files that I upload or modify fall under the Linux permissions of the Linux user ‘jc’. I also want to see hidden files.
Now for everyone else I also have a user file setup for them too. Here’s what it generally looks like:
So this tells vsftpd that these users can’t see or access some directories that I don’t want them to and it restricts their speeds (in bytes per second).
You could just set up a file like this for all your other users and ln -s them to the actual usernames if you want. Alternatively you can move these directives into vsftpd.conf and then override them where appropriate using these user files. It’s up to you.
So once this is all set up, and assuming your firewall is good to go and mysqld is running, it’s time to start the vsftpd service. In some installations of vsftpd, it will create an init.d script but won’t add it to chkconfig, and therefore you have to add it yourself first.
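The two kinds of per-user file described above, as an added example (not the author’s files). The ‘jc’ account and /home/jc come from the text; the template name ‘restricted’ and the directory names ‘private’ and ‘admin’ are assumed placeholders. Both files are shown in one block, separated by comments:

```ini
# /etc/vsftpd/users/jc (added example): the unrestricted account.
# jc is also listed in /etc/vsftpd/chroot_list, so this login is not chroot'd.
local_root=/home/jc
# Uploads and edits are performed as the system user jc, so ordinary
# Unix ownership and permissions apply to them.
guest_username=jc
# Show dot-files in directory listings.
force_dot_files=YES

# /etc/vsftpd/users/restricted (added example): the template for everyone
# else. Point each username at it, e.g. ln -s restricted /etc/vsftpd/users/alice
# (alice is an assumed name), or copy it and tune the values per user.
# hide_file only removes the names from listings; deny_file is what refuses
# access, so set both. The directory names are assumed placeholders.
hide_file={private,admin}
deny_file={private,admin}
# Transfer cap in bytes per second (51200 = 50 KiB/s). local_max_rate applies
# to these virtual users because vsftpd.conf sets virtual_use_local_privs=YES;
# with that at NO, anon_max_rate is the setting vsftpd consults instead.
local_max_rate=51200
```

The vsftpd manual is explicit that deny_file is a simple pattern filter and not a substitute for filesystem permissions: the directories you want to keep from these users should also be unreadable by the guest_username account, so that a pattern mismatch does not silently expose them.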
I haven’t managed to prevent vsftpd from starting up properly yet, so I can’t explain how to debug it. However, if you find that vsftpd has started up and is working, try logging in. If you can’t, try checking the logs for the authentication: /var/log/secure