A practical guide to Fedora and Red Hat Enterprise Linux, 7th Edition (2014)

---

The vsftpd server does not make usernames, passwords, data, and connections more secure. However, it is secure in that a malicious user finds it more difficult to compromise directly the system running it, even if vsftpd is poorly implemented. One feature that makes vsftpd more secure than ftpd is the fact that it does not run with root privileges. See also “Security” on page 725.

FTP Connections

FTP uses two connections: one for control (you establish this connection when you log in on an FTP server) and one for data transfer (FTP sets up this connection when you ask it to transfer a file). An FTP server listens for incoming connections on port 21 by default and handles user authentication and file exchange.

Passive versus active connections

A client can ask an FTP server to establish either a PASV (passive—the default) or a PORT (active) connection for data transfer. Some servers are limited to one type of connection. The difference between a passive and an active FTP connection lies in whether the client or the server initiates the data connection. In passive mode, the client initiates the connection to the server (on port 20 by default); in active mode, the server initiates the connection (there is no default port; see “Connection Parameters” on page 734 for the parameters that determine which ports a server uses). Neither approach is inherently more secure than the other. Passive connections are more common because a client using NAT (page 910) can connect to a passive server and it is simpler to program a scalable passive server.

FTP Clients

ftp

Fedora/RHEL supplies several FTP clients, including ftp (an older version of the BSD ftp utility). This section discusses ftp because it is commonly used and most other FTP clients, including sftp and lftp, provide a superset of ftp commands.

sftp

Part of the OpenSSH suite, sftp (openssh-clients package) is a secure and functionally equivalent alternative to ftp. The sftp utility is not a true FTP client—it does not understand the FTP protocol. It maps ftp commands to OpenSSH commands. See page 697 for more information.

lftp

The lftp utility (lftp package) provides the same security as sftp but offers more features. See the lftp man page for more information.

gftp

The gftp utility (gftp package) is a graphical client that works with FTP, SSH, and HTTP servers. This client has many useful features, including the ability to resume an interrupted file transfer. See www.gftp.org and freshmeat.net/projects/gftp for more information.

ncftp

The ncftp utility (ncftp package) is a textual client that offers many more features than ftp, including filename completion and command-line editing. For details see www.ncftp.com and freshmeat.net/projects/ncftp.

More Information

Local

Type help or ? at an ftp> prompt to display a list of commands. Follow the ? with a SPACE and an ftp command to display information about that command.

Files: /usr/share/doc/vsftpd-*

man pages: ftp, sftp, lftp, netrc, vsftpd.conf

Web

vsftpd home page: security.appspot.com/vsftpd.html

HOWTO

FTP mini-HOWTO

Notes

A Linux system running ftp can exchange files with any of the many operating systems that support FTP. Many sites offer archives of free information on an FTP server, although for many it is just an alternative to an easier-to-access Web site (see, for example, ftp://ftp.ibiblio.org/pub/Linuxand http://www.ibiblio.org/software/linux). Most browsers can connect to and download files from FTP servers.

The ftp utility makes no assumptions about filesystem nomenclature or structure because you can use ftp to exchange files with non-UNIX/Linux systems (which might use different filenaming conventions).

Running the ftp and sftp FTP Clients

This section describes how to use the ftp and sftp FTP clients. The commands covered here work with both utilities.

Prerequisites

Install the following packages:

• openssh-clients (installed by default; contains sftp)

• ftp

There is no service to start for ftp or sftp clients.

JumpStart I: Downloading Files Using ftp

This JumpStart section is broken into two parts: a description of the basic commands and a tutorial session that shows a user working with ftp.

Basic Commands

Give the command

$ ftp hostname

where hostname is the name of the FTP server you want to connect to. If you have an account on the server, log in with your username and password. If it is a public system, log in as the user anonymous (or ftp) and give your email address as your password. Use the ls and cd ftp commands on the server as you would use the corresponding utilities from a shell. The command get file copies file from the server to the local system, put file copies file from the local system to the server, status displays information about the FTP connection, and help displays a list of commands.

The preceding commands, except for status, are also available in sftp, lftp, and ncftp.

Tutorial Session

Following are two ftp sessions wherein Sam transfers files from and to a vsftpd server named plum. When Sam gives the command ftp plum, the local ftp client connects to the server, which asks for a username and password. Because he is logged in on his local system as sam, ftp suggests that Sam log in on plum as sam. To log in as sam, he could just press RETURN. Because his username on plum is sls, however, he types sls in response to the Name (plum:sam): prompt. After Sam responds to the Password: prompt with his normal system password, the vsftpd server greets him and informs him that it is Using binary mode to transfer files. With ftp in binary mode, Sam can transfer ASCII and binary files (page 720).

Connect and log in

$ ftp plum
Connected to plum (192.168.206.181).
220 (vsFTPd 3.0.2)
Name (plum:sam): sls
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

After logging in, Sam uses the ftp ls command to see what is in his remote working directory, which is his home directory on plum. Then he cds to the memos directory and displays the files there.

ls and cd

ftp> ls
227 Entering Passive Mode (192,168,206,181,246,88).
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 Jun 13 17:17 expenses
drwxr-xr-x 2 1001 1001 4096 Jun 13 17:19 memos
drwxr-xr-x 2 1001 1001 4096 Jun 13 17:17 tech
226 Directory send OK.

ftp> cd memos
250 Directory successfully changed.

ftp> ls
227 Entering Passive Mode (192,168,206,181,254,97).
150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 79915 Jun 13 17:19 memo.0514
-rw-r--r-- 1 1001 1001 74069 Jun 13 17:19 memo.0628
-rw-r--r-- 1 1001 1001 37489 Jun 13 17:19 memo.0905
-rw-r--r-- 1 1001 1001 85699 Jun 13 17:18 memo.0921
-rw-r--r-- 1 1001 1001 55181 Jun 13 17:18 memo.1102
226 Directory send OK.

Next Sam uses the ftp get command to copy memo.1102 from the server to the local system. His use of binary mode ensures that he will get a good copy of the file regardless of whether it is binary or ASCII. The server confirms that the file was copied successfully and reports on its size and the time required to copy it. Sam then copies the local file memo.1114 to the remote system. This file is copied into his remote working directory, memos.

get and put

ftp> get memo.1102
local: memo.1102 remote: memo.1102
227 Entering Passive Mode (192,168,206,181,122,35).
150 Opening BINARY mode data connection for memo.1102 (55181 bytes).
226 Transfer complete.
55181 bytes received in 0.000392 secs (140767.86 Kbytes/sec)

ftp> put memo.1114
local: memo.1114 remote: memo.1114
227 Entering Passive Mode (192,168,206,181,71,174).
150 Ok to send data.
226 Transfer complete.
25897 bytes sent in 0.00174 secs (14857.72 Kbytes/sec)

Now Sam decides he wants to copy all the files in the memo directory on plum to a new directory on his local system. He gives an ls command to make sure he will copy the right files, but ftp has timed out. Instead of exiting from ftp and giving another ftp command from the shell, he givesftp an open plum command to reconnect to the server. After logging in, he uses the ftp cd command to change directories to memos on the server.

Timeout and open

ftp> ls
No control connection for command: Success
Passive mode refused.
ftp> open plum
Connected to plum (192.168.206.181).
220 (vsFTPd 3.0.2)
Name (plum:sam): sls
...
ftp> cd memos
250 Directory successfully changed.

Local cd (lcd)

At this point, Sam realizes he has not created the new directory to hold the files he wants to download. Giving an ftp mkdir command would create a new directory on the server, but Sam wants a new directory on the local system. He uses an exclamation point (!) followed by a mkdir memos.hold command to invoke a shell and run mkdir on the local system, thereby creating a directory named memos.hold in his working directory on the local system. (You can display the name of the working directory on the local system using !pwd.) Next, because Sam wants to copy files from the server to the memos.hold directory on his local system, he has to change his working directory on the local system. Giving the command !cd memos.hold will not accomplish what Sam wants to do because the exclamation point will spawn a new shell on the local system and the cd command would be effective only in the new shell, which is not the shell that ftp is running under. For this situation, ftp provides the lcd (local cd) command, which changes the working directory for ftp and reports on the new local working directory:

ftp> !mkdir memos.hold

ftp> lcd memos.hold
Local directory now /home/sam/memos.hold

Sam uses the ftp mget (multiple get) command followed by the asterisk (*) wildcard to copy all files from the remote memos directory to the memos.hold directory on the local system. When ftp prompts him for the first file, Sam realizes that he forgot to turn off the prompts, so he responds with n and presses CONTROL-C to stop copying files in response to the second prompt. The server checks whether he wants to continue with his mget command.

Next Sam gives the ftp prompt command, which toggles the prompt action (turns it off if it is on and turns it on if it is off). Now when he gives a mget * command, ftp copies the files without prompting him. After getting the desired files, Sam gives a quit command to close the connection with the server, exit from ftp, and return to the local shell prompt.

mget and prompt

ftp> mget *
mget memo.0514? n
mget memo.0628? CONTROL-C
Continue with mget? n

ftp> prompt
Interactive mode off.

ftp> mget *
local: memo.0514 remote: memo.0514
227 Entering Passive Mode (192,168,206,181,216,120).
150 Opening BINARY mode data connection for memo.0514 (79915 bytes).
226 Transfer complete.
79915 bytes received in 0.00188 secs (42485.38 Kbytes/sec)
local: memo.0628 remote: memo.0628
227 Entering Passive Mode (192,168,206,181,24,77).
150 Opening BINARY mode data connection for memo.0628 (74069 bytes).
226 Transfer complete.
74069 bytes received in 0.0114 secs (6518.44 Kbytes/sec)
...
150 Opening BINARY mode data connection for memo.1114 (25897 bytes).
226 Transfer complete.
25897 bytes received in 0.00107 secs (24293.62 Kbytes/sec)
ftp> quit
221 Goodbye.

Anonymous FTP

Many systems—most notably those from which you can download free software—allow you to log in as anonymous. Most systems that support anonymous logins accept the name ftp as an easier-to-spell and quicker-to-enter synonym for anonymous. An anonymous user is usually restricted to a portion of a filesystem set aside to hold files that are to be shared with remote users. When you log in as an anonymous user, the server prompts you to enter a password. Although the system accepts any password, by convention you are expected to supply your email address. Do not use an important address if you are logging into a public site because that address could receive spam based on this login.

Many systems that permit anonymous access store interesting files in the pub directory. Most browsers, such as Firefox, log in on an anonymous FTP site and transfer a file when you click on the filename.

Automatic Login

.netrc

You can store server-specific FTP username and password information so you do not have to enter it each time you visit an FTP site. Each line of ~/.netrc identifies a server. When you connect to an FTP server, ftp reads the ~/.netrc file to determine whether you have an automatic login set up for that server. The format of a line in ~/.netrc is

machine server login username password passwd

where server is the name of the server, username is your username, and passwd is your password on server. Replace machine with default on the last line of the file to specify a username and password for systems not listed in ~/.netrc. The default line is useful for logging in on anonymous servers. A sample ~/.netrc file follows:

$ cat ~/.netrc
machine plum login sls password mypassword
default login anonymous password sam@example.com

To protect the account information in .netrc, make it readable only by the user whose home directory it appears in. Refer to the netrc man page for more information.

Binary Versus ASCII Transfer Mode

The vsftpd FTP server can—but does not always—provide two modes to transfer files. Binary mode transfers always copy an exact, byte-for-byte image of a file and never change line endings. Transfer all binary files using binary mode. Unless you need to convert line endings, use binary mode to transfer ASCII files as well.

These descriptions do not apply to files created by word processors such as Word or LibreOffice because those programs generate binary files. The vsftpd server can map Linux line endings to Windows line endings as you upload files and Windows line endings to Linux line endings as you download files.

To use ASCII mode on an FTP server that allows it, give an ascii command (page 722) after you log in and set cr to ON (the default; page 723). If the server does not allow you to change line endings as you transfer a file, you can use the unix2dos (page 260) utility before or after you transfer a file in binary mode.

Security

To enhance security, by default vsftpd transfers every file in binary mode, even when it appears to be using ASCII mode. On the server side, you can enable real ASCII mode transfers by setting the ascii_upload_enable and ascii_download_enable parameters (page 732) to YES. With the server set to allow ASCII transfers, the client controls whether line endings are mapped by using the ascii, binary, and cr commands (page 722).

ftp Specifics

This section covers the details of using ftp.

Format

An ftp command line has the following format:

ftp [options] [ftp-server]

where options is one or more options from the list in the next section and ftp-server is the name or IP address of the FTP server you want to exchange files with. If you do not specify an ftp-server, you will need to use the ftp open command to connect to a server once ftp is running.

Command-Line Options

–g

(globbing) Turns off globbing. See glob (page 723).

–i

(interactive) Turns off prompts during file transfers with mget (page 722) and mput (page 722). See also prompt (page 723).

–n

(no automatic login) Disables automatic logins (page 720).

–v

(verbose) Tells you more about how ftp is working. Displays responses from the server and reports information on how quickly files are transferred. See also verbose (page 724).

ftp Commands

The ftp utility is interactive: After you start ftp, it prompts you to enter commands to set parameters or transfer files. You can abbreviate commands as long as the abbreviations are unique. Program help is available with the help command (page 724).

Shell Command

![command]

Without command, escapes to (spawns) a shell on the local system. Use CONTROL-D or exit to return to ftp when you are finished using the local shell. Follow the exclamation point with command to execute that command only; ftp will display an ftp> prompt when execution of the command finishes. Because the shell that ftp spawns with this command is a child of the shell that is running ftp, no changes you make in this shell are preserved when you return to ftp. Specifically, when you want to copy files to a local directory other than the directory that you started ftp from, you need to use the ftp lcd command to change the local working directory: Issuing a cd command in the spawned shell will not make the change you desire. See “Local cd (lcd)” on page 718 for an example.

Transfer Files

In the following descriptions, remote-file and local-file can be pathnames.

append local-file [remote-file]

Appends local-file to the file with the same name on the remote system or to remote-file if specified.

get remote-file [local-file]

Copies remote-file to the local system under the name local-file. Without local-file, ftp uses remote-file as the filename on the local system.

mget remote-file-list

(multiple get) Copies several files to the local system, with each file maintaining its original filename. You can name the remote files literally or use wildcards (see glob). Use prompt (page 723) to turn off the prompts during transfers.

mput local-file-list

(multiple put) Copies several files to the server, with each file maintaining its original filename. You can name the local files literally or use wildcards (see glob). Use prompt (page 723) to turn off the prompts during transfers.

newer remote-file [local-file]

If the modification time of remote-file is more recent than that of local-file or if local-file does not exist, copies remote-file to the local system under the name local-file. Without local-file, ftp uses remote-file as the filename on the local system. This command is similar to get but will not overwrite a newer file with an older one.

put local-file [remote-file]

Copies local-file to the remote system under the name remote-file. Without remote-file, ftp uses local-file as the filename on the remote system.

reget remote-file [local-file]

If local-file exists and is smaller than remote-file, assumes that a previous get of local-file was interrupted and continues from where the previous get left off. Without local-file, ftp uses remote-file as the filename on the local system. This command can save time when a get of a large file fails partway through the transfer.

Status

ascii

Sets the file transfer type to ASCII. The cr command must be ON for ascii to work (page 720).

binary

Sets the file transfer type to binary (page 720).

bye

Closes the connection to the server and terminates ftp. Same as quit.

case

Toggles and displays the case mapping status. The default is OFF. When it is ON, for get and mget commands, this command maps filenames that are all uppercase on the server to all lowercase on the local system.

close

Closes the connection to the server without exiting from ftp.

cr

(carriage RETURN) Toggles and displays the (carriage) RETURN stripping status. Effective only when the file transfer type is ascii. Set cr to ON (default) to remove RETURN characters from RETURN/LINEFEED line termination sequences used by Windows, yielding the standard Linux line termination of LINEFEED. Set cr to OFF to leave line endings unmapped (page 720).

debug [n]

Toggles/sets and displays the debugging status/level, where n is the debugging level. OFF or 0 (zero) is the default. When n > 0, ftp displays each command it sends to the server.

glob

Toggles and displays the filename expansion (page 165) status for mdelete (page 724), mget (page 722), and mput (page 722) commands.

hash

Toggles and displays the hashmark (#) display status. When it is ON, ftp displays one hashmark for each 1024-byte data block it transfers.

open [hostname]

Specifies hostname as the name of the server to connect to. Without hostname, prompts for the name of the server. This command is useful when a connection times out or otherwise fails. See page 718 for an example.

passive

Toggles between passive (PASV—the default) and active (PORT) transfer modes and displays the transfer mode. For more information refer to “Passive versus active connections” on page 715.

prompt

Toggles and displays the prompt status. When it is ON (default), mdelete (page 724), mget (page 722), and mput (page 722) ask for verification before transferring each file. Set prompt to OFF to turn off these prompts.

quit

Closes the connection to the server and terminates ftp. Same as bye.

umask [nnn]

Changes the umask (page 469) applied to files created on the server to nnn. Without nnn, displays the umask.

user [username] [password]

Prompts for or accepts the username and password that enable you to log in on the server. When you call it with the –n option, ftp prompts you for a username and password automatically. For more information refer to “Automatic Login” on page 720.

Directories

cd remote-directory

Changes the working directory on the server to remote-directory.

cdup

Changes the working directory on the server to the parent of the working directory.

lcd [local_directory]

(local change directory) Changes the working directory on the local system to local_directory. Without an argument, this command changes the working directory on the local system to your home directory (just as the cd shell builtin does without an argument). See “Local cd (lcd)” on page718 for an example.

Files

chmod mode remote-file

Changes the access permissions of remote-file on the server to mode. See chmod on page 193 for more information on how to specify the mode.

delete remote-file

Removes remote-file from the server.

mdelete remote-file-list

(multiple delete) Deletes the files specified by remote-file-list from the server.

Display Information

?

(question mark) Same as help.

dir [remote-directory] [file]

Displays a listing of remote-directory from the server. When you do not specify remote-directory, displays the working directory. When you specify file, the listing is saved on the local system in a file named file.

help [command]

Displays information about command. Without command, displays a list of local ftp commands. Also ?.

ls [remote-directory] [file]

Similar to dir but produces a more concise listing from some servers. When you specify file, the listing is saved on the local system in a file named file.

pwd

Displays the pathname of the working directory on the server. Use !pwd to display the pathname of the local working directory.

rstatus

Displays ftp connection and status information for the local system (client).

status

Displays ftp connection and status information for the remote system (server).

verbose

Toggles and displays verbose mode, which displays responses from the server and reports how quickly files are transferred. The effect of this command is the same as specifying the –v option on the command line.

Setting Up an FTP Server (vsftpd)

This section explains how to set up an FTP server implemented by the vsftpd daemon as supplied by Fedora/RHEL.

Prerequisites

Install the following package:

• vsftpd

Enable and start vsftpd

Run systemctl to cause the vsftpd service (vsftpd daemon) to start each time the system enters multiuser mode and then start the vsftpd service. Use the systemctl status command to make sure the service is running.

$ sudo -c 'systemctl enable vsftpd.service'
$ sudo -c 'systemctl start vsftpd.service'

After modifying vsftpd configuration files, give the second command again, replacing start with restart to cause vsftpd to reread those files.

Notes

Security

The safest policy is not to allow users to authenticate against FTP: Instead, use FTP for anonymous access only. If you do allow local users to authenticate and upload files to the server, be sure to put local users in a chroot jail (page 729). Because FTP sends usernames and passwords in cleartext, a malicious user can easily sniff (page 1273) them. Armed with a username and password, the same user can impersonate a local user, upload a Trojan horse (page 1278), and compromise the system.

Firewall

An FTP server normally uses TCP port 21. If the server is running a firewall or is behind a firewall, you need to open this port. Give the following commands to open this port each time the system boots (permanently) and on the running system; see page 906 for information on firewall-cmd.

$ sudo -c 'firewall-cmd --add-port=21/tcp'
$ sudo -c 'firewall-cmd --permanent --add-port=21/tcp'

SELinux

When SELinux is set to use a targeted policy, FTP is protected by SELinux. For more information refer to “Setting the Targeted Policy with system-config-selinux” on page 475.

JumpStart II: Starting a vsftpd FTP Server

By default, under Fedora/RHEL vsftpd allows local and anonymous users only to log in on the server; it does not set up a guest account. When someone logs in as an anonymous user, that person works in the /var/ftp directory and can download but not upload files. You do not have to configure anything.

Troubleshooting

First make sure the firewall and SELinux (both above) are set up to allow a user to log in and copy files using ftp. Also ensure that either listen or listen_ipv6, but not both, is set to YES (page 727). Next, make sure vsftpd is working by logging in from the server system. You can refer to the server as localhost or by using its hostname on the command line. Log in as a user and provide that user’s password:

$ ftp localhost
Trying ::1...
Connected to localhost (::1).
220 (vsFTPd 3.0.2)
Name (localhost:sam): sls
331 Please specify the password.
Password:
230 Login successful.
...

If you are not able to connect to the server, first make sure the server is running:

# systemctl status vsftpd.service
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
Active: active (running) since Tue 2013-09-10 13:02:09 PDT; 58min ago
Process: 9351 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
Main PID: 9352 (vsftpd)
CGroup: name=systemd:/system/vsftpd.service
??9352 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Sep 10 13:02:09 guava.example.com systemd[1]: Started Vsftpd ftp daemon.

If you want to allow users to log in as anonymous or ftp, anonymous_enable must be set to YES in /etc/vsftpd/vsftpd.conf (it is by default; page 728). Restart the vsftpd daemon (page 724) if you change vsftpd.conf. Any password is acceptable with these login names.

$ ftp localhost
Trying ::1...
Connected to localhost (::1).
220 (vsFTPd 3.0.2)
Name (localhost:sam): anonymous
331 Please specify the password.
Password:
230 Login successful.
...

Next check that permissions on /var/ftp, or the home directory of ftp as specified in /etc/passwd, are set to 755 and that the directory is not owned by ftp. If the ftp user can write to /var/ftp, connections will fail.

$ ls -ld /var/ftp
drwxr-xr-x. 3 root root 4096 06-13 10:09 /var/ftp

Once you are able to log in from the local system, log in from another system—either one on the LAN or another system with access to the server. On the command line, use the hostname from within the LAN or the FQDN (page 1250) from outside the LAN. The dialog should appear the same as in the previous example. If you cannot log in from a system that is not on the LAN, use ping (page 305) to test the connection and then make sure the firewall is set up to allow FTP access. See “FTP Connections” on page 715 for a discussion of active and passive modes and the ports that each mode uses.

Configuring a vsftpd Server

The configuration file for vsftpd, /etc/vsftpd/vsftpd.conf, lists Boolean, numeric, and string name-value pairs of configuration parameters, called directives. Each name-value pair is joined by an equal sign with no SPACEs on either side. Fedora/RHEL provides a well-commented vsftpd.conffile that changes many of the compiled-in defaults. This section covers many of the parameters, noting their default values and their values as specified in the vsftpd.conf file supplied with Fedora/RHEL.

Set Boolean parameters to YES or NO and numeric parameters to a nonnegative integer. Octal numbers, which are useful for setting umask parameters, must have a leading 0 (zero). Numbers without a leading zero are treated as base 10 numbers. Following are examples of setting each type of parameter:

anonymous_enable=YES
local_umask=022
xferlog_file=/var/log/vsftpd.log

Descriptions of the directives are broken into the following groups:

• Server setup (next)

• Logging in (next page)

• Working directory and the chroot jail (page 729)

• Downloading and uploading files (page 730)

• Messages (page 732)

• Display (page 733)

• Logs (page 734)

• Connection parameters (page 734)

• Miscellaneous (page 736)

• Other configuration files (page 737)

Server Setup

listen

YES accepts connections from IPv4 clients only. Either this parameter or listen_ipv6, but not both, must be set to YES.

Default: NO

Fedora/RHEL: NO

listen_ipv6

YES accepts connections from IPv6 clients. With listen_address unset or set to :: (“any” address), vsftpd accepts connections from both IPv4 and IPv6 clients. Either this parameter or listen, but not both, must be set to YES.

Default: NO

Fedora/RHEL: YES

listen_address

Specifies the IP address of the local interface that vsftpd listens on for incoming connections. When this parameter is not set, vsftpd uses the default network interface.

Default: none

listen_port

Specifies the port that vsftpd listens on for incoming connections.

Default: 21

max_clients

Specifies the maximum number of clients. Zero (0) indicates unlimited clients.

Default: 0

max_per_ip

Specifies the maximum number of clients from the same IP address. Zero (0) indicates unlimited clients from the same IP address.

Default: 0

Logging In

Three classes of users can log in on a vsftpd server: anonymous, local, and guest. The guest user is rarely used and is not covered in this chapter. A local user logs in using his system username and password. An anonymous user logs in using anonymous or ftp and his email address as a password. You can control whether each of these classes of users can log in on the server and what they can do once they log in. You can also specify what a local user can do on a per-user basis; for more information refer to user_config_dir on page 736.

Local Users

userlistnable

The /etc/vsftpd/user_list file (page 737), or another file specified by userlist_file, contains a list of zero or more users. YES consults this list and takes action based on userlist_deny, either granting or denying users in the list permission to log in on the server. To prevent the transmission of cleartext passwords, access is denied immediately after the user enters her username. NO does not consult the list. Set to NO for a more secure system.

Default: NO

Fedora/RHEL: YES

userlist_deny

YES prevents users listed in /etc/vsftpd/user_list (page 737) from logging in on the server. NO allows only users listed in /etc/vsftpd/user_list to log in on the server. Use userlist_file to change the name of the file that this parameter consults. This parameter is checked only whenuserlistnable is set to YES.

Default: YES

userlist_file

The name of the file consulted when userlistnable is set to YES.

Default: /etc/vsftpd/user_list

local_enable

YES permits local users (users listed in /etc/passwd) to log in on the server.

Default: NO

Fedora/RHEL: YES

Anonymous Users

anonymous_enable

YES allows anonymous logins. NO disables anonymous logins.

Default: YES

no_anon_password

YES skips asking anonymous users for passwords.

Default: NO

deny_email_enable

YES checks whether the password (email address) that an anonymous user enters is listed in /etc/vsftpd.banned_emails or another file specified by banned_email_file. If it is, the user is not allowed to log in on the system. NO does not perform this check. Using firewall-cmd (page 906) to block specific hosts is generally more productive than using this parameter.

Default: NO

banned_email_file

The name of the file consulted when deny_email_enable is set to YES.

Default: /etc/vsftpd/banned_emails

The Working Directory and the chroot Jail

When a user logs in on a vsftpd server, standard filesystem access permissions control which directories and files the user can access and how the user can access them. Three basic parameters control a user who is logged in on a vsftpd server:

• The user ID (UID)

• The initial working directory

• The root directory

By default, the vsftpd server sets the UID of a local user to that user’s UID and sets the UID of an anonymous user to that of the user named ftp. A local user starts in her home directory and an anonymous user starts in /var/ftp.

By default, anonymous users are placed in a chroot jail for security; local users are not. For example, when an anonymous user logs in on a vsftpd server, his home directory is /var/ftp. All that user sees, however, is that his home directory is /. The user sees the directory at /var/ftp/uploadas /upload. The user cannot see or work with, for example, the /home, /usr/local, or /tmp directory because the user is in a chroot jail. For more information refer to “Setting Up a chroot Jail” on page 487.

You can use the chroot_local_user parameter to put each local user in a chroot jail whose root is the user’s home directory. You can use chroot_listnable to put selected local users in chroot jails.

chroot_listnable

Upon login, YES checks whether a local user is listed in /etc/vsftpd/chroot_list (page 737) or another file specified by chroot_list_file.

When a user is in the list and chroot_local_user is set to NO, the user is put in a chroot jail in his home directory. Only users listed in /etc/vsftpd/chroot_list are put in chroot jails.

When a user is in the list and chroot_local_user is set to YES, that user is not put in a chroot jail. Users not listed in /etc/vsftpd/chroot_list are put in chroot jails.

Default: NO

chroot_local_user

See chroot_listnable. Set to NO for a more open system but remember to add new users to the chroot_list_file as needed when you add users to the system. Set to YES for a more secure system. New users are automatically restricted unless you add them to chroot_list_file.

Default: NO

chroot_list_file

The name of the file consulted when chroot_listnable is set to YES.

Default: /etc/vsftpd/chroot_list

passwd_chroot_enable

YES enables you to change the location of the chroot jail that the chroot_listnable and chroot_local_user settings impose on a local user.

The location of the chroot jail can be moved up the directory structure by including a /./ within the home directory string for that user in /etc/passwd. This change has no effect on the standard system login, just as a cd . command has no effect on the working directory.

For example, changing the home directory field in /etc/passwd (page 508) for Sam from /home/sam to /home/./sam allows Sam to cd to /home after logging in using vsftpd. Given the proper permissions, Sam can now view files and collaborate with another user.

Default: NO

secure_chroot_dir

The name of an empty directory that is not writable by the user ftp. The vsftpd server uses this directory as a secure chroot jail when the user does not need access to the filesystem.

Default: /usr/share/empty

local_root

After a local user logs in on the server, this directory becomes the user’s working directory. No error results if the specified directory does not exist.

Default: none

Downloading and Uploading Files

By default, any user—whether local or anonymous—can download files from the vsftpd server, assuming proper filesystem access and permissions. The write_enable parameter must be set to YES (Fedora/RHEL sets it this way) to permit local users to upload files. The local_umaskparameter defaults to 077, although Fedora/RHEL sets it to 022, giving uploaded files 644 permissions (page 191). These permissions allow users to download other users’ files. Change local_umask to 077 to allow only the user who created a file to download and overwrite it.

Security

Refer to “Security” on page 725 for information on the security hole that is created when you allow local users to upload files.

The following actions set up vsftpd to allow anonymous users to upload files:

1. Set write_enable (below) to YES. (Fedora/RHEL sets this parameter to YES.)

2. Create a directory under /var/ftp that an anonymous user can write to but not read from (mode 333). You do not want a malicious user to be able to see, download, modify, and upload a file that another user originally uploaded. The following commands create a /var/ftp/uploadsdirectory that anyone can write to but no one can read from:

# mkdir /var/ftp/uploads
# chmod 333 /var/ftp/uploads

Because of the security risk, vsftpd prevents anonymous connections when an anonymous user (ftp) can write to /var/ftp.

3. Set anon_upload_enable (page 732) to YES.

4. See the other parameters in this section.

Download/Upload for Local Users

local_umask

The umask (page 469) setting for local users.

Default: 077

Fedora/RHEL: 022

file_open_mode

Uploaded file permissions for local users. The umask (page 469) is applied to this value. Change to 0777 to make uploaded files executable.

Default: 0666

write_enable

YES permits users to create and delete files and directories (assuming appropriate filesystem permissions). NO prevents users from making changes to the filesystem.

Default: NO

Fedora/RHEL: YES

Anonymous Users

anon_mkdir_write_enable

YES permits an anonymous user to create new directories when write_enable is set to YES and the anonymous user has permission to write to the working directory.

Default: NO

anon_other_write_enable

YES grants an anonymous user write permission in addition to the permissions granted by anon_mkdir_write_enable and anon_upload_enable. For example, YES allows an anonymous user to delete and rename files, assuming she has permission to write to the working directory. For a more secure site, do not set this parameter to YES.

Default: NO

anon_root

After an anonymous user logs in on the server, this directory becomes the user’s working directory. No error results if the specified directory does not exist.

Default: none

anon_umask

The umask (page 469) setting for anonymous users. The default setting gives only anonymous users access to files uploaded by anonymous users; set this parameter to 022 to give everyone read access to these files.

Default: 077

anon_upload_enable

YES allows anonymous users to upload files when write_enable=YES and the anonymous user has permission to write to the directory.

Default: NO

anon_world_readable_only

YES limits the files that a user can download to those that are readable by the owner of the file, members of the group the file is associated with, and others. It might not be desirable to allow one anonymous user to download a file that another anonymous user uploaded. Setting this parameter to YES can avoid this scenario.

Default: YES

ascii_download_enable

YES allows a user to download files using ASCII mode (page 720). Setting this parameter to YES can create a security risk (page 720).

Default: NO

ascii_upload_enable

YES allows a user to upload files using ASCII mode (page 720).

Default: NO

chown_uploads

YES causes files uploaded by anonymous users to be owned by root (or another user specified by chown_username). To improve security, change chown_username to a name other than root if you set this parameter to YES.

Default: NO

chown_username

See chown_uploads.

Default: root

ftp_username

The username of anonymous users.

Default: ftp

nopriv_user

The name of the user with minimal privileges, as used by vsftpd. Because other programs use nobody, to enhance security you can replace nobody with the name of a dedicated user such as ftp.

Default: nobody

Messages

You can replace the standard greeting banner that vsftpd displays when a user logs in on the system (banner_file and ftpd_banner). You can also display a message each time a user enters a directory (dirmessage_enable and message_file). When you set dirmessage_enable=YES, each time a user enters a directory using cd, vsftpd displays the contents of the file in that directory named .message (or another file specified by message_file).

dirmessage_enable

YES displays .message or another file specified by message_file as an ftp user enters a new directory by giving a cd command.

Default: NO

Fedora/RHEL: YES

message_file

See dirmessage_enable.

Default: .message

banner_file

The absolute pathname of the file that is displayed when a user connects to the server. Overrides ftpd_banner.

Default: none

ftpd_banner

Overrides the standard vsftpd greeting banner displayed when a user connects to the server.

Default: none; uses standard vsftpd banner

Display

This section describes parameters that can improve security and performance by controlling how vsftpd displays information.

hide_ids

YES lists all users and groups in directory listings as ftp. NO lists the real owners.

Default: NO

setproctitle_enable

NO causes ps to display the process running vsftpd as vsftpd. YES causes ps to display what vsftpd is currently doing (uploading and so on). Set to NO for a more secure system.

Default: NO

text_userdb_names

NO improves performance by displaying numeric UIDs and GIDs in directory listings. YES displays names.

Default: NO

use_localtime

NO causes the ls, mls, and modtime FTP commands to display UTC (page 1279). YES causes these commands to display the local time.

Default: NO

ls_recurse_enable

YES permits users to give ls –R commands. Setting this parameter to YES might pose a security risk because giving an ls –R command at the top of a large directory hierarchy can consume a lot of system resources.

Default: NO

Logs

By default, logging is turned off. However, the vsftpd.conf file distributed with Fedora/RHEL turns it on. This section describes parameters that control the details and locations of logs.

A vsftpd server can generate logs in two formats: vsftpd and xferlog. The default vsftpd log format is more readable than xferlog format but cannot be processed by programs that generate statistical summaries of xferlog files. Search for xferlog on the Internet to obtain more information on this command.

log_ftp_protocol

YES logs FTP requests and responses in the default vsftpd log format, provided that xferlog_std_format is set to NO.

Default: NO

xferlog_enable

YES maintains a transfer log in /var/log/vsftpd.log (or another file specified by xferlog_file). NO does not create a log.

Default: NO

Fedora/RHEL: YES

xferlog_std_format

YES causes a transfer log (not covering connections) to be written in standard xferlog format, as used by wu-ftpd, as long as xferlog_file is explicitly set. If xferlog_std_format is set to YES and xferlog_file is not explicitly set, logging is turned off. Setting this parameter to NO causesvsftpd to generate logs in vsftpd log format, provided log_ftp_protocol is set to YES.

Default: NO

Fedora/RHEL: YES

xferlog_file

See xferlog_enable and xferlog_std_format.

Default: /var/log/xferlog

Connection Parameters

You can allow clients to establish passive and/or active connections (page 715). Setting timeouts and maximum transfer rates can improve server security and performance. This section describes parameters that control the types of connections that a client can establish, the length of timevsftpd will wait while establishing a connection, and the speeds of connections for different types of users.

Passive (PASV) Connections

pasv_enable

NO prevents the use of PASV connections.

Default: YES

pasv_promiscuous

NO causes PASV to perform a security check that ensures that the data and control connections originate from a single IP address. YES disables this check. Set to NO for a more secure system.

Default: NO

pasv_max_port

The highest port number vsftpd will allocate for a PASV data connection; useful in setting up a firewall.

Default: 0 (use any port)

pasv_min_port

The lowest port number vsftpd will allocate for a PASV data connection; useful in setting up a firewall.

Default: 0 (use any port)

pasv_address

Specifies an IP address other than the one used by the client to contact the server.

Default: none; the address is the one used by the client

Active (PORT) Connections

port_enable

NO prevents the use of PORT connections.

Default: YES

port_promiscuous

NO causes PORT to perform a security check that ensures that outgoing data connections connect only to the client. YES disables this check. Set to NO for a more secure system.

Default: NO

connect_from_port_20

YES specifies port 20 (ftp-data, a privileged port) on the server for PORT connections, as required by some clients. NO allows vsftpd to run with fewer privileges (on a nonprivileged port).

Default: NO

Fedora/RHEL: YES

ftp_data_port

With connect_from_port_20 set to NO, specifies the port that vsftpd uses for PORT connections.

Default: 20

Timeouts

accept_timeout

The number of seconds the server waits for a client to establish a PASV data connection.

Default: 60

connect_timeout

The number of seconds the server waits for a client to respond to a PORT data connection.

Default: 60

data_connection_timeout

The number of seconds the server waits for a stalled data transfer to resume before disconnecting.

Default: 300

idle_session_timeout

The number of seconds the server waits between FTP commands before disconnecting.

Default: 300

local_max_rate

For local users, the maximum data transfer rate in bytes per second. Zero (0) indicates no limit.

Default: 0

anon_max_rate

For anonymous users, the maximum data transfer rate in bytes per second. Zero (0) indicates no limit.

Default: 0

one_process_model

YES establishes one process per connection, which improves performance but degrades security. NO allows multiple processes per connection. Set to NO for a more secure system.

Default: NO

Miscellaneous

This section describes parameters not discussed elsewhere.

pam_service_name

The name of the PAM service used by vsftpd.

Default: ftp

Fedora/RHEL: vsftpd

rsa_cert_file

Specifies where the RSA certificate for SSL-encrypted connections is kept.

Default: /usr/share/ssl/certs/vsftpd.pem

rsa_private_key_file

Specifies where the RSA key for SSL-encrypted connections is kept.

Default: none

tcp_wrappers

YES causes incoming connections to use tcp_wrappers (page 485) if vsftpd was compiled with tcp_wrappers support. When tcp_wrappers sets the environment variable VSFTPD_LOAD_CONF, vsftpd loads the configuration file specified by this variable, allowing per-IP configuration.

Default: NO

Fedora/RHEL: YES

user_config_dir

Specifies a directory that contains files named for local users. Each of these files, which mimic vsftpd.conf, contains parameters that override, on a per-user basis, default parameters and parameters specified in vsftpd.conf. For example, assume user_config_dir is set to/etc/vsftpd/user_conf. Further suppose the default configuration file, /etc/vsftpd/vsftpd.conf, sets idlesession_timeout=300 and Sam’s individual configuration file, /etc/vsftpd/user_conf/sam, sets idlesession_timeout=1200. Then all users’ sessions except for Sam’s will time out after 300 seconds of inactivity. Sam’s sessions will time out after 1,200 seconds.

Default: none

Other Configuration Files

In addition to /etc/vsftpd/vsftpd.conf, the following files control the functioning of vsftpd. The directory hierarchy that user_config_dir points to is not included in this list because it has no default name.

/etc/vsftpd/ftpusers

Lists users, one per line, who are never allowed to log in on the FTP server, regardless of how userlistnable (page 728) is set and regardless of the users listed in the user_list file. The default file lists root, bin, daemon, and others.

/etc/vsftpd/user_list

Lists either the only users who can log in on the server or the only users who are not allowed to log in on the server. The userlistnable (page 728) parameter must be set to YES for vsftpd to examine the list of users in this file. Setting userlistnable to YES and userlist_deny (page 728) to YES (or not setting it) prevents listed users from logging in on the server. Setting userlistnable to YES and userlist_deny to NO permits only the listed users to log in on the server.

/etc/vsftpd/chroot_list

Depending on the chroot_listnable (page 729) and chroot_local_user (page 730) settings, lists either users who are forced into a chroot jail in their home directories or users who are not placed in a chroot jail.

/var/log/xferlog

Log file. For more information refer to “Logs” on page 734.

Chapter Summary

File Transfer Protocol is a protocol for downloading files from and uploading files to another system over a network. FTP is the name of both a client/server protocol (FTP) and a client utility (ftp) that invokes this protocol. Because FTP is not a secure protocol, it should be used only to download public information. You can run the vsftpd FTP server in the restricted environment of a chroot jail to make it significantly less likely that a malicious user can compromise the system.

Many servers and clients implement the FTP protocol. The ftp utility is the original client implementation; sftp and lftp are secure implementations that use OpenSSH facilities to encrypt the connection. Although they do not understand the FTP protocol, they map ftp commands to OpenSSH commands. The vsftpd daemon is a secure FTP server; it better protects the server from malicious users than do other FTP servers.

Public FTP servers allow you to log in as anonymous or ftp. By convention, you supply your email address as a password when you log in as an anonymous user. Public servers frequently have interesting files in the pub directory.

FTP provides two modes of transferring files: binary and ASCII. It is safe to use binary mode to transfer all types of files, including ASCII files. If you transfer a binary file using ASCII mode, the transfer will fail.

Exercises

1. What changes does FTP make to an ASCII file when you download it in ASCII mode to a Windows machine from a Linux server? What changes are made when you download the file to a Mac?

2. What happens if you transfer an executable program file in ASCII mode?

3. When would ftp be a better choice than sftp?

4. How would you prevent a local user from logging in on a vsftpd server using her system username and password?

5. What advantage does sftp have over ftp?

6. What is the difference between cd and lcd in ftp?

Advanced Exercises

7. Why might you have problems connecting to an FTP server in PORT mode?

8. Why is it advantageous to run vsftpd in a chroot jail?

9. After downloading a file, you find that it does not match the MD5 checksum provided. Downloading the file again gives the same incorrect checksum. What have you done wrong and how would you fix it?