Chapter 1 – Basic configuration
First, install the vsftpd daemon, libpam-mysql and the MySQL server (I assume you already have them):
#apt-get install vsftpd libpam-mysql mysql-server
Even though the purpose of this howto is to work with usernames stored in MySQL, we still need a local user that the virtual users will run as. Create it and the additional directories:
#mkdir /home/ftp
#useradd ftpguest -d /home/ftp
#chown ftpguest.nogroup /home/ftp
Next create the MySQL database for the virtual FTP users:
#mysqladmin -u root -p create ftpvuser
Connect to the MySQL server to create the database and the table:
#mysql -u root -p
mysql> create database ftpvuser;
Query OK, 1 row affected (0.00 sec)
mysql> use ftpvuser;
Database changed
mysql> CREATE TABLE users (username varchar (20) NOT NULL,
-> password varchar(40) NOT NULL,
-> PRIMARY KEY (username)) TYPE=MyISAM;
Query OK, 0 rows affected, 1 warning (0.00 sec)
Then grant a user SELECT permission on this table:
mysql> grant select on ftpvuser.users to ftpguest@localhost identified by 'YourPassword';
Query OK, 0 rows affected (0.04 sec)
This next step is necessary only if you are going to set up the Chapter 2 configuration for different users with different permissions.
mysql> insert into users (username,password) values ('normal','555555');
Query OK, 1 row affected (0.00 sec)
mysql> insert into users (username,password) values ('admin','666666');
Query OK, 1 row affected (0.00 sec)
mysql> insert into users (username,password) values ('webmaster','777777');
Query OK, 1 row affected (0.00 sec)
mysql> quit;
Next edit (or create, if it does not exist yet) the vsftpd PAM config at /etc/pam.d/vsftpd:
#nano -w /etc/pam.d/vsftpd
And add these lines:
auth required pam_mysql.so user=ftpguest passwd=YourPassword host=localhost db=ftpvuser table=users usercolumn=username passwdcolumn=password crypt=0
account required pam_mysql.so user=ftpguest passwd=YourPassword host=localhost db=ftpvuser table=users usercolumn=username passwdcolumn=password crypt=0
Now open up your /etc/vsftpd.conf, edit it as you see fit and set up all the options you like, then restart your vsftpd server:
#/etc/init.d/vsftpd stop
#/etc/init.d/vsftpd start
For the record, some vsftpd.conf options that you will need to set are:
# comment this line to disable anonymous logins
#anonymous_enable=YES
# enable local access
local_enable=YES
# enable guest access
guest_enable=YES
guest_username=ftpguest
# chroot local users
chroot_local_user=YES
Now test your FTP server quickly. If you cannot log in and you get the error 500 OOPS: cap_set_proc, that is because of SELinux. To fix this problem you will need to load the capability module into your running kernel:
#modprobe capability
To load this module automatically at each server restart, add the capability module to your /etc/modules.
If you would like to restrict access to the FTP server and allow it only from certain IP addresses, you will need to make use of tcp_wrappers and enable it in your /etc/vsftpd.conf:
# TCP Wrappers
tcp_wrappers=YES
Deny all incoming connections by default in /etc/hosts.deny by adding:
vsftpd: ALL
Specify the allowed connections in /etc/hosts.allow by adding:
vsftpd: 192.168.0.,210.83.200.200 : setenv VSFTPD_LOAD_CONF /etc/vsftpd/vsftpd.anonymous
vsftpd: ALL : setenv VSFTPD_LOAD_CONF /etc/vsftpd/vsftpd.virtual
Next create the necessary files:
#mkdir /etc/vsftpd/
#nano -w /etc/vsftpd/vsftpd.anonymous
and add to it:
anonymous_enable=YES
then
#nano -w /etc/vsftpd/vsftpd.virtual
and add to it:
anonymous_enable=NO
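As an added example (Python, not part of the tutorial), the following models how tcp_wrappers evaluates the two hosts.allow lines and the hosts.deny line above for a given client address and which VSFTPD_LOAD_CONF value the connection ends up with. The rule texts are copied from the tutorial; the matching logic assumes libwrap's documented order (hosts.allow first, first match wins, then hosts.deny, otherwise allowed) and handles only the pattern forms used here (ALL, trailing-dot prefix, exact address).

```python
"""How tcp_wrappers picks a vsftpd config for a client: added example, not
part of the tutorial. Rule texts are the tutorial's hosts.allow/hosts.deny;
matching follows libwrap: hosts.allow first (first match wins), then
hosts.deny, otherwise allowed. Only the pattern forms used here are handled.
"""

HOSTS_ALLOW = """\
vsftpd: 192.168.0.,210.83.200.200 : setenv VSFTPD_LOAD_CONF /etc/vsftpd/vsftpd.anonymous
vsftpd: ALL : setenv VSFTPD_LOAD_CONF /etc/vsftpd/vsftpd.virtual
"""
HOSTS_DENY = "vsftpd: ALL\n"

def parse_rules(text):
    """Return (daemons, clients, option) per rule; '#' comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients, ":".join(fields[2:])))
    return rules

def client_matches(pattern, ip):
    # Pattern forms the tutorial uses: ALL, dotted prefix, exact address.
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # "192.168.0." matches any 192.168.0.x
        return ip.startswith(pattern)
    return ip == pattern

def first_match(rules, daemon, ip):
    # Option string of the first rule matching daemon and client, or None.
    for daemons, clients, option in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(c, ip) for c in clients):
                return option
    return None

def resolve(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (allowed, env); env holds the setenv variable of the allow rule hit."""
    option = first_match(parse_rules(allow_text), daemon, ip)
    if option is not None:
        env = dict([option.split(None, 2)[1:]]) if option.startswith("setenv ") else {}
        return True, env
    if first_match(parse_rules(deny_text), daemon, ip) is not None:
        return False, {}
    return True, {}  # libwrap default when neither file matches
```

Because the second hosts.allow line matches ALL, the hosts.deny entry is never reached for vsftpd: every client is admitted and only the loaded config file differs, so the deny line only bites if that catch-all line is removed.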
Note that you should add the FTP users to your MySQL database using phpMyAdmin or a web app of your own; I don't cover this aspect here.
Chapter 2 – Different users with different permissions (optional)
This is a standalone chapter, apart from the original configuration. It shows how to create different users with different permissions using vsftpd configuration files. We already performed the MySQL user setup for this chapter in the previous step by adding the users "normal", "admin" and "webmaster" to the `users` table.
#nano -w /etc/vsftpd.conf
and add to it:
user_config_dir=/etc/vsftpd/vsftpd_user_conf
Now we should allow ordinary users to download and upload. For this we do the following:
#mkdir /etc/vsftpd/vsftpd_user_conf
#nano /etc/vsftpd/vsftpd_user_conf/normal
with the following content:
anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
Also we need to allow admins to download/upload/delete and so on:
#cp /etc/vsftpd/vsftpd_user_conf/normal /etc/vsftpd/vsftpd_user_conf/admin
#nano -w /etc/vsftpd/vsftpd_user_conf/admin
and make it look like:
# Allow renaming and deleting files
anon_other_write_enable=YES
# Virtual users get the same privileges as a local user
virtual_use_local_privs=YES
# Allow changing file permissions (SITE CHMOD)
chmod_enable=YES
And the webmaster configuration file:
#cp /etc/vsftpd/vsftpd_user_conf/admin /etc/vsftpd/vsftpd_user_conf/webmaster
Edit the webmaster configuration file to look like:
# FTP home directory is the website's document root
local_root=/var/www
# Because the uploaded files are owned by ftpguest,
# other users are not allowed to access these files,
# in particular the Apache user www-data. To fix this
# we set the local umask to 033
local_umask=033
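As an added example (Python, not part of the tutorial), the following models how vsftpd layers a user_config_dir file such as the webmaster one above on top of /etc/vsftpd.conf, and what local_umask=033 yields for new files and directories. The config texts are constructed from the tutorial's own values; the 077 fallback is vsftpd's documented default for local_umask.

```python
"""Effective per-user vsftpd settings and the modes a umask produces.
Added example, not part of the tutorial. The config texts are built from
the values the tutorial sets; vsftpd reads the real files from disk, this
only models how a user_config_dir file overrides /etc/vsftpd.conf.
"""

MAIN_CONF = """\
#anonymous_enable=YES
local_enable=YES
guest_enable=YES
guest_username=ftpguest
chroot_local_user=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf
"""
# /etc/vsftpd/vsftpd_user_conf/webmaster as the tutorial gives it
WEBMASTER_CONF = """\
# FTP home directory is the website's document root
local_root=/var/www
local_umask=033
"""

def parse_vsftpd_conf(text):
    """Parse vsftpd's option=value lines; blank lines and # comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings

def effective_settings(main_text, user_text):
    """vsftpd applies the per-user file on top of the main file, key by key."""
    settings = parse_vsftpd_conf(main_text)
    settings.update(parse_vsftpd_conf(user_text))
    return settings

def modes_from_umask(umask_str):
    """Mode bits of new files (base 0666) and directories (base 0777) under a umask."""
    umask = int(umask_str, 8)
    return 0o666 & ~umask, 0o777 & ~umask

if __name__ == "__main__":
    eff = effective_settings(MAIN_CONF, WEBMASTER_CONF)
    files, dirs = modes_from_umask(eff.get("local_umask", "077"))  # 077: vsftpd default
    print(f"local_root={eff['local_root']} files={files:04o} dirs={dirs:04o}")
```

With 033 the owner (ftpguest) gets read/write on files and full access on directories while everyone else, www-data included, gets read only (0644 files, 0744 directories).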
With all this said, I hope this helps you.
I had been looking for this kind of setup for a long time. I wrote this tutorial about 2 years ago and it used to be on my website before I had to shut it down. Then I lost my DB backups and all my tutorials were lost. But I am re-writing them one by one and hopefully even more.
Thank you
October 16th, 2008 at 8:48 am
Hi,
first of all, this is a great tutorial, thanks for that!
I have two questions regarding the second chapter.
Should the webmaster file only contain the local_root and local_umask settings, or should the configuration of the normal and admin files be merged into it?
I've added the vsftpd user to the www-data group, so the user has the possibility to write files to /var/www.
The problem is, all of my directories are chmodded to 755 by default, so a user other than www-data can't upload files.
What would you suggest doing? Change all directory rights to 775?
I’m looking forward to your answer.
Regards,
Daniel
October 22nd, 2008 at 6:12 pm
Hey Daniel
As you may see, the vsftpd.conf still exists and it specifies which is the users' conf dir. The user configuration files are "per se" as I wrote them.
Please note that this config is for virtual users. Apache's user www-data will also not be able to upload files but only READ them. Setting the umask to 033 should give the directory owner read/write permissions, but only read permissions to everyone else. If you want other permissions for the webmaster config, you will need to tweak the local_umask value.
Regards
Andy