Gentoo VSFTPD Howto
Abstract: This serves as an explicit guide as to how one goes about setting up a VSFTPD server on a Gentoo Linux computer. Though written for Gentoo, these instructions apply to other Linux distributions as well.
When someone asked how to configure VSFTPD on Gentoo Linux, I decided to write this howto. They wanted their daemon to have several user accounts with varying permissions: one that could only download and one that could upload. This document should serve as a useful guide to configuring your VSFTPD server. VSFTPD is an awesome FTP daemon that I recommend to everyone. There is a project for a GUI configuration in the works; please be patient. VSFTPD is known for performance under massive enterprise-level solutions, easy configuration, stability, and security.
You are free to redistribute the contents of this page in part or in whole as long as you either attribute it to John Holden (or by alias, destuxor), or include a link to this site.
Everyone needs to do parts 1 and 7. If you want to configure your server to allow anonymous access, do part 3. For a server that only allows local user accounts (no anonymous), do 2 and 4. For a server that permits anyone to download anonymously, but requires a password to upload, do parts 5 and 6.
If you are interested in using VSFTPD for virtual sites see here.
1) Installation
$ emerge vsftpd
That was easy...love Gentoo!
2) Configuration for passworded logins only
Now to configure by editing /etc/vsftpd/vsftpd.conf. I suggest that you read all the documentation no matter what (man vsftpd.conf), then use this sample code as a guideline. Still, here's a configuration file that allows local users and disallows anonymous access (that means you must enter a password):
# /etc/vsftpd/vsftpd.conf - destuxor - 3/20/2005 - local logins only
local_enable=YES
write_enable=YES
anonymous_enable=NO
xferlog_enable=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=NO
ascii_download_enable=NO
nopriv_user=downloader
dirmessage_enable=YES
ftpd_banner=Your Banner Goes Here
chroot_list_enable=NO
chroot_local_user=YES
background=YES
listen=YES
ls_recurse_enable=NO
3) Configuration for anonymous only
The following configuration file is what I use for an FTP server that only allows anonymous access. Be smart about using anonymous though, as we all know just how bad anonymous write access can be!
# /etc/vsftpd/vsftpd.conf - destuxor - 3/22/2005 - anonymous only
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
chown_uploads=NO
xferlog_enable=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=NO
ascii_download_enable=NO
ftpd_banner=---==[ John's Gentoo Box ]==---
chroot_list_enable=NO
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
background=YES
listen=YES
ls_recurse_enable=NO
4) Adding user accounts (only do this if you've done (1))
So now that it's configured it's time to add the appropriate user accounts. We're going to create two user accounts with the same home directory. One user will be able to read and write, the other will only be able to read. Both will require passwords. Open a command prompt and get root:
$ mkdir /home/shared
$ useradd -d /home/shared -s /bin/bash -g ftp downloader
$ useradd -d /home/shared -s /bin/bash -g ftp uploader
$ chown uploader:ftp -R /home/shared
$ chmod 750 -R /home/shared
$ passwd downloader
$ passwd uploader
$ rc-update add vsftpd default
This has added two users named uploader and downloader. You set the passwords, so don't forget them (or leak them!). These user accounts are given permission to use the shell, so be careful with who you share these logins with.
5) Configuration for anonymous downloading, passworded uploading
Suppose you want to allow people to download anonymously, but require a password to modify those files. This can be done exactly the same way, only it will need a different config file. This is the config file you need:
# /etc/vsftpd/vsftpd.conf - destuxor - 3/22/2005 - both anon and local logins
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
chown_uploads=NO
xferlog_enable=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=NO
ascii_download_enable=NO
ftpd_banner=Your Banner Goes Here
chroot_list_enable=NO
chroot_local_user=YES
nopriv_user=ftp
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
background=YES
listen=YES
ls_recurse_enable=NO
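A quick check for the anonymous write exposure warned about in part 3 and avoided in part 5, as an added example that is not part of the original howto: the script reads a vsftpd.conf and reports whether anonymous clients can modify the server. The function names and sample files are made up for illustration; the defaults are the built-in ones from vsftpd.conf(5), and it assumes the last occurrence of a repeated option wins.

```shell
#!/bin/sh
# Added example (not from the howto): audit a vsftpd.conf for anonymous write access.
# Defaults passed to get_opt are the built-in ones documented in vsftpd.conf(5).

# get_opt FILE KEY DEFAULT: print YES or NO for a boolean option.
# Assumption: if a key is repeated, the last uncommented line wins.
get_opt() {
    awk -v key="$2" -v def="$3" '
        /^#/ { next }    # a commented-out setting does not count
        index($0, key "=") == 1 { val = toupper(substr($0, length(key) + 2)) }
        END {
            if (val == "") val = def
            print ((val == "YES" || val == "TRUE" || val == "1") ? "YES" : "NO")
        }' "$1"
}

# audit_anon_write FILE: return 1 (naming the options responsible) when
# anonymous clients can modify the server, 0 otherwise.
audit_anon_write() {
    if [ "$(get_opt "$1" anonymous_enable YES)" = NO ]; then
        echo "ok: anonymous logins disabled"; return 0
    fi
    if [ "$(get_opt "$1" write_enable NO)" = NO ]; then
        echo "ok: anonymous is read-only (write_enable=NO)"; return 0
    fi
    risky=""
    for key in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$(get_opt "$1" "$key" NO)" = YES ]; then risky="$risky $key"; fi
    done
    if [ -n "$risky" ]; then
        echo "RISK: anonymous write enabled via:$risky"; return 1
    fi
    echo "ok: write_enable=YES but no anon_* write option is set"
    return 0
}

# Constructed sample configs: the part 2 and part 5 layouts, plus a risky variant.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# both anon and local logins' anonymous_enable=YES local_enable=YES \
    write_enable=YES anon_upload_enable=NO anon_mkdir_write_enable=NO > "$tmp/part5.conf"
sed 's/^anon_upload_enable=NO$/anon_upload_enable=YES/' "$tmp/part5.conf" > "$tmp/risky.conf"
printf '%s\n' local_enable=YES write_enable=YES anonymous_enable=NO > "$tmp/part2.conf"

for f in part2 part5 risky; do
    printf '%s: ' "$f"; audit_anon_write "$tmp/$f.conf" || true
done
```

Because anonymous_enable defaults to YES, a config that omits the line (or leaves it commented out) is audited as anonymous-enabled.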
6) Adding upload user account (only if you've done (5))
Instead of adding the user named downloader we will use the user account named ftp, which should already exist. If this user exists (again, it should, from the VSFTPD installation) then /home/ftp/ should exist.
$ useradd -d /home/ftp -s /bin/bash -g ftp uploader
$ chown uploader:ftp -R /home/ftp
$ chmod 750 -R /home/ftp
$ passwd uploader
$ rc-update add vsftpd default
7) Starting the daemon (all configurations)
So now that you've got the daemon configured and you've also got the user accounts set up, it is time to launch the daemon!
$ /etc/init.d/vsftpd start
You probably want to set the daemon to start by default, so use this command to make it run on system startup:
$ rc-update add vsftpd default
If for some reason it doesn't work or people can't connect to it, the first place to look is of course the Gentoo Forums. If that fails you, check the VSFTPD website. If that doesn't answer your questions, hit TLDP and LinuxQuestions. Those failing, you can learn anything from that magical site.
I hope you found this document helpful! If you have any comments or whatnot feel free to email me. I'm also known to hang out in the Gentoo Forums under alias destuxor. You could do me a real favor getting this into TLDP or Wikipedia.