Vsftpd server user upload permissions

This post shows how to quickly set up file and folder permissions for user uploads in the classic FTP server vsftpd. It is trickier than it looks and can give you some headaches, so I have put together a short guide to getting a vsftpd server configured quickly.

There are certain aspects that must be taken into consideration when you run a large FTP server on vsftpd. With multiple users and a great many files and folders, you cannot check every time that the permissions are set correctly. The solution is to configure vsftpd properly, so that files receive the correct permissions on the server at the moment users upload them.

We assume that you have finished installing vsftpd on your server. The next step is to edit the configuration file, generally located at:

/etc/vsftpd/vsftpd.conf

1. Identifying the settings which are setting the permissions.
2. The default vsftpd permissions.
3. How to choose the correct values needed by your users can save you from wasted time.
4. A more detailed look about permissions in VSFTPD.
5. Playing with permissions.
6. Useful settings in vsftpd.

1. Identifying the settings which are setting the permissions:

The two main vsftpd settings that control permissions are:

local_umask=077

which controls the permissions of the uploaded folders, and

file_open_mode=0770

which controls the permissions of the uploaded files, with local_umask also taken into account.

How do they work? It is not difficult if you know the rules of chmod and umask from the Unix/Linux family of operating systems; they follow the same principles.

2. The default vsftpd permissions:

By default vsftpd comes with local_umask=077 and file_open_mode=0640,

which means that an uploaded folder will have 700 permissions (read, write, execute for the user) for the FTP user, which in this case is manager. The files will have only 600 permissions (read, write for the user).

drwx------  2 manager manager  4096 Jul  6 17:30 .
-rw-------  1 manager manager   184 Jul  6 17:30 drives_disable.ini
-rw-------  1 manager manager   216 Jul  6 17:30 drives_disable.reg

This is not very convenient. The users' files will not be accessible via the web, and they will call you to change the permissions. You could also let them change the permissions themselves after uploading, with the setting chmod_enable=YES, but they will still be unsatisfied.

3. How to choose the correct values needed by your users can save you from wasted time:

Set:

local_umask=022

file_open_mode=0755

which will give:

drwxr-xr-x  2 manager manager   4096 Jul  6 17:51 .
-rwxr-xr-x  1 manager manager    184 Jul  6 17:51 drives_disable.ini
-rwxr-xr-x  1 manager manager    216 Jul  6 17:51 drives_disable.reg

That is 755 permissions for the folders and 755 for the files. This is secure because group and others cannot write to the folder or modify a file.

4. A more detailed look about permissions in VSFTPD.

Suppose you want read, write and execute permission for the user, group and others (777) on the uploaded files, which is a little crazy, but let us just suppose. You cannot simply set file_open_mode=0777: you will get all the permissions except the write permission for group and others, as shown below:

local_umask=022
file_open_mode=0777

drwxr-xr-x  2 manager manager   4096 Jul  6 16:04 .
-rwxr-xr-x  1 manager manager    184 Jul  6 16:04 drives_disable.ini
-rwxr-xr-x  1 manager manager    216 Jul  6 16:04 drives_disable.reg

Why? Because local_umask is blocking the write bit. As shown above, local_umask=022 (0 for the owning user, 2 for group and 2 for others). To get 777 you would have to change this to

local_umask=000

which gives final permissions of 777. I DO NOT RECOMMEND THIS!

5. Playing with permissions:

local_umask=022
file_open_mode=0777

drwxr-xr-x  2 manager manager   4096 Jul  6 16:04 .
-rwxr-xr-x  1 manager manager    184 Jul  6 16:04 drives_disable.ini
-rwxr-xr-x  1 manager manager    216 Jul  6 16:04 drives_disable.reg
===========================================

local_umask=022
file_open_mode=0776

drwxr-xr-x  2 manager manager 4096 Jul  6 16:06 .
-rwxr-xr--  1 manager manager  184 Jul  6 16:06 drives_disable.ini
-rwxr-xr--  1 manager manager  216 Jul  6 16:06 drives_disable.reg
===========================================

local_umask=022
file_open_mode=0775

drwxr-xr-x  2 manager manager   4096 Jul  6 16:08 .
-rwxr-xr-x  1 manager manager    184 Jul  6 16:08 drives_disable.ini
-rwxr-xr-x  1 manager manager    216 Jul  6 16:08 drives_disable.reg
============================================

local_umask=022
file_open_mode=0774

drwxr-xr-x  2 manager manager   4096 Jul  6 16:09 .
-rwxr-xr--  1 manager manager    184 Jul  6 16:09 drives_disable.ini
-rwxr-xr--  1 manager manager    216 Jul  6 16:09 drives_disable.reg
=============================================

local_umask=022
file_open_mode=0773

drwxr-xr-x  2 manager manager 4096 Jul  6 16:17 .
-rwxr-x--x  1 manager manager  184 Jul  6 16:17 drives_disable.ini
-rwxr-x--x  1 manager manager  216 Jul  6 16:17 drives_disable.reg
============================================

local_umask=022
file_open_mode=0772

drwxr-xr-x  2 manager manager 4096 Jul  6 16:19 .
-rwxr-x---  1 manager manager  184 Jul  6 16:19 drives_disable.ini
-rwxr-x---  1 manager manager  216 Jul  6 16:19 drives_disable.reg
============================================

local_umask=022
file_open_mode=0771

drwxr-xr-x  2 manager manager   4096 Jul  6 16:20 .
-rwxr-x--x  1 manager manager    184 Jul  6 16:20 drives_disable.ini
-rwxr-x--x  1 manager manager    216 Jul  6 16:20 drives_disable.reg
============================================
local_umask=022
file_open_mode=0770

drwxr-xr-x  2 manager manager  4096 Jul  6 16:22 .
-rwxr-x---  1 manager manager   184 Jul  6 16:22 drives_disable.ini
-rwxr-x---  1 manager manager   216 Jul  6 16:22 drives_disable.reg
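
The listings in sections 4 and 5 all follow from one rule: the final mode is the requested mode with the umask bits cleared. The sketch below is an added example, not part of the original post or of vsftpd; the function names and the sample config are constructed for illustration, and it assumes both options are set explicitly and that directories are requested as 0777.

```python
import stat

# Constructed sample in vsftpd.conf syntax: option=value, comments on their own lines.
SAMPLE_CONF = """\
# upload permissions under test
local_umask=022
file_open_mode=0777
"""

def parse_conf(text):
    """Return {option: value}, skipping blank and comment lines."""
    opts = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts

def parse_mode(value):
    """vsftpd reads a numeric value as octal only when it has a leading 0."""
    return int(value, 8) if value.startswith("0") else int(value, 10)

def effective_modes(opts):
    """Modes an upload ends up with: requested bits minus the umask bits."""
    umask = parse_mode(opts["local_umask"])
    dir_mode = 0o777 & ~umask  # assumption: directories are requested as 0777
    file_mode = parse_mode(opts["file_open_mode"]) & ~umask
    return dir_mode, file_mode

def audit(opts):
    """Return (ls-style dir mode, ls-style file mode, list of findings)."""
    dir_mode, file_mode = effective_modes(opts)
    findings = []
    if (dir_mode | file_mode) & 0o022:
        findings.append("group or others can write to uploads")
    if file_mode & 0o111:
        findings.append("uploaded files carry execute bits")
    if not file_mode & 0o004:
        findings.append("others cannot read uploaded files")
    return (stat.filemode(stat.S_IFDIR | dir_mode),
            stat.filemode(stat.S_IFREG | file_mode), findings)

if __name__ == "__main__":
    print(audit(parse_conf(SAMPLE_CONF)))
    for fom in ("0776", "0773", "0770"):
        print(fom, audit({"local_umask": "022", "file_open_mode": fom})[1])
```

Running it against a copy of your own vsftpd.conf before reloading the server shows the modes uploads will receive without having to upload a test file.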

6. Useful settings in vsftpd:

Below are some vsftpd settings from a private server with shared hosting, each accompanied by an explanation of what it does.

/etc/vsftpd/vsftpd.conf

# vsftpd does not accept trailing comments or spaces around "=", so each comment sits on its own line
# Do not allow anonymous access
anonymous_enable=NO
# Allow local users to log in
local_enable=YES
# Allow FTP commands that change the filesystem (upload, delete, rename, mkdir)
write_enable=YES
# Umask for local users: sets the folder permissions and masks file_open_mode
local_umask=022
# Permissions requested for uploaded files (before the umask is applied)
file_open_mode=0755

# If anonymous access is enabled, the umask for anonymous uploads (files end up 755 in this case)
anon_umask=022
# Allow users to change permissions on uploaded files, e.g. chmod 755 some_file
chmod_enable=YES
# Keep users inside their home directory (no navigating up the folder hierarchy)
chroot_local_user=YES
# Passive mode enabled
pasv_enable=YES

# Show directory messages to the user
dirmessage_enable=YES
# Enable logging of file transfers
xferlog_enable=YES
# Active-mode data connections originate from port 20
connect_from_port_20=YES
# The log file that records the transfers
xferlog_file=/var/log/xferlog
# Use the standard xferlog format
xferlog_std_format=YES
# Disconnect idle users after this many seconds (default is 120 = 2 minutes which is sometimes annoying)
idle_session_timeout=1800
ascii_upload_enable=YES
ascii_download_enable=YES
listen=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES