Step 0) Create the directory that will hold the virtual-user database and the
per-user config files.
mkdir -p /etc/vsftpd
Step 1) Create the virtual users database.
We are going to use pam_userdb to authenticate the virtual users.
To create a "db" format file, first create a plain text file (logins.txt
below) with the usernames and passwords on alternating lines:
tom
foo
fred
bar
Whilst logged in as root, create the actual database file like this:
db_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db
==> This will create /etc/vsftpd/vsftpd_login.db.
chmod 600 /etc/vsftpd/vsftpd_login.db
The database holds the passwords in plain text (pam_userdb compares them
as-is unless you give it crypt=crypt and store crypt(3) hashes instead), so
keep it mode 600 and delete logins.txt once the database has been loaded.
Step 2) Create a PAM file which uses your new database.
The file name must match pam_service_name in vsftpd.conf (the default is
"ftp"). pam_userdb appends the ".db" suffix itself, so the db= argument names
the file without it.
vi /etc/pam.d/ftp
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
On current Linux-PAM you can write plain pam_userdb.so instead of the full
/lib/security path; PAM finds the module in its own module directory.
Step 3) Set up the location of the files for the virtual users.
useradd -d /home/ftpsite virtual
ls -ld /home/ftpsite
drwx------ 3 virtual virtual 4096 Jul 30 00:39 /home/ftpsite
(Add -m to useradd if your system does not create home directories by
default; the directory must exist.) The account needs no password (useradd
leaves it locked); it exists only to give vsftpd an unprivileged uid/gid and
a home directory to drop the virtual users into. Note that vsftpd 3.0 and
later refuse a chrooted login whose root directory is writable by the user
("500 OOPS: vsftpd: refusing to run with writable root inside chroot()")
unless allow_writeable_chroot=YES is set; on those versions make
/home/ftpsite owned by root and not writable, and put any upload area in a
subdirectory owned by "virtual".
Step 4) Create your vsftpd.conf config file (/etc/vsftpd.conf by default;
some distributions use /etc/vsftpd/vsftpd.conf).
# This disables anonymous FTP for security, and enables non-anonymous FTP (which
# is what virtual users use).
anonymous_enable=NO
local_enable=YES
# These ensure that for security purposes, no write commands are allowed.
# write_enable is the master switch for all writes; the anon_* settings also
# apply to virtual users, because guest_enable treats them as anonymous for
# permission purposes.
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# This makes sure that the virtual user is restricted to the virtual FTP area
# /home/ftpsite we set up above.
chroot_local_user=YES
# The guest_enable is very important - it activates virtual users! And
# guest_username says that all virtual users are mapped to the real user
# "virtual" that we set up above. This will also determine where on the
# filesystem the virtual users end up - the home directory of the user
# "virtual", /home/ftpsite.
guest_enable=YES
guest_username=virtual
# These put a port range on passive FTP incoming requests - very useful if
# you are configuring a firewall.
pasv_min_port=30000
pasv_max_port=30999
Step 5) Activate per-user configurability.
# To activate this powerful vsftpd feature, add the following to vsftpd.conf
user_config_dir=/etc/vsftpd/user_conf
# And, create this directory:
mkdir /etc/vsftpd/user_conf
# Each file in it is named after the virtual login name (tom, fred), not after
# guest_username, and holds vsftpd.conf settings that override the global ones
# for that user's session. For the tom user, supply a config setting override
# for anon_world_readable_only:
echo "anon_world_readable_only=NO" > /etc/vsftpd/user_conf/tom
# Check it out - login as tom and now "ls" will return a directory listing!
# Log in as fred and it won't: anon_world_readable_only defaults to YES, and
# /home/ftpsite is not world-readable (drwx------ above).
# Give fred the ability to read all files / directories and create new files
# (but not directories, since anon_mkdir_write_enable stays NO) without
# interfering with existing files.
echo "anon_world_readable_only=NO" > /etc/vsftpd/user_conf/fred
echo "write_enable=YES" >> /etc/vsftpd/user_conf/fred
echo "anon_upload_enable=YES" >> /etc/vsftpd/user_conf/fred
# Check it out - login as tom and you can't upload. Log in as fred and you can!
# Try to delete or rename a file as both tom and fred - you can't, because
# anon_other_write_enable is still NO for both. Whichever directory fred
# uploads into must be writable by the "virtual" user.
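The whole procedure above, Steps 1 to 5, as one added example script. This is not part of the vsftpd distribution or its documentation; it stages the logins file, the PAM service file, vsftpd.conf and the user_conf overrides into a scratch directory (nothing under /etc is touched) and then audits what each virtual user can actually do once vsftpd merges the per-user file with the global config. Assumed here: the staging layout, the "can" capability model, the rule that the last key=value line for a setting wins, and the fallback defaults, which are the vsftpd.conf(5) defaults for the five settings audited. Users and passwords are the README's tom/foo and fred/bar; "bob" is a constructed login with no override file.

```shell
#!/bin/sh
# Added example (not vsftpd's own code): stage the virtual-user setup into
# one directory and audit the effective per-user permissions.

# Turn user:password arguments into the alternating-line file db_load wants.
write_logins() {   # $1 = stage dir, $2.. = user:password
  dir=$1; shift
  : > "$dir/logins.txt"
  for pair in "$@"; do
    printf '%s\n%s\n' "${pair%%:*}" "${pair#*:}" >> "$dir/logins.txt"
  done
  chmod 600 "$dir/logins.txt"
}

# Build the hash db pam_userdb reads; db_load is often absent on a staging
# host, so fall back to printing the command to run on the server as root.
build_db() {   # $1 = stage dir
  if command -v db_load >/dev/null 2>&1; then
    db_load -T -t hash -f "$1/logins.txt" "$1/vsftpd_login.db" &&
      chmod 600 "$1/vsftpd_login.db"
  else
    echo "db_load missing; as root run: db_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db" >&2
  fi
  return 0
}

# PAM service file; its name must equal pam_service_name (default ftp).
write_pam() {   # $1 = stage dir
  cat > "$1/pam.d-ftp" <<'EOF'
auth    required pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login
EOF
}

# Global config: every write knob off, virtual users chrooted.
write_vsftpd_conf() {   # $1 = stage dir
  cat > "$1/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
pam_service_name=ftp
user_config_dir=/etc/vsftpd/user_conf
EOF
}

# Per-user override file; it is named after the virtual login, not "virtual".
write_user_conf() {   # $1 = stage dir, $2 = login, $3.. = key=value
  dir=$1; login=$2; shift 2
  mkdir -p "$dir/user_conf"
  printf '%s\n' "$@" > "$dir/user_conf/$login"
}

# Value of the last "key=value" line in a file (assumption: last one wins).
conf_get() {   # $1 = file, $2 = key
  [ -f "$1" ] || return 1
  v=$(grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
  [ -n "$v" ] && printf '%s\n' "$v"
}

# vsftpd.conf(5) defaults for the settings this audit cares about.
builtin_default() {
  case $1 in
    anon_world_readable_only) echo YES ;;
    write_enable|anon_upload_enable|anon_mkdir_write_enable|anon_other_write_enable) echo NO ;;
    *) return 1 ;;
  esac
}

# Per-user file beats vsftpd.conf, which beats the built-in default.
effective_setting() {   # $1 = stage dir, $2 = login, $3 = key
  conf_get "$1/user_conf/$2" "$3" || conf_get "$1/vsftpd.conf" "$3" || builtin_default "$3"
}

# Prints yes/no. write_enable is the master switch for every write; the anon_*
# knobs apply to virtual users because guest_enable treats them as anonymous.
can() {   # $1 = stage dir, $2 = login, $3 = read_private|upload|mkdir|delete
  case $3 in
    read_private) gate=anon_world_readable_only; want=NO ;;
    upload)       gate=anon_upload_enable;       want=YES ;;
    mkdir)        gate=anon_mkdir_write_enable;  want=YES ;;
    delete)       gate=anon_other_write_enable;  want=YES ;;
    *) echo "unknown capability: $3" >&2; return 2 ;;
  esac
  if [ "$3" != read_private ] && [ "$(effective_setting "$1" "$2" write_enable)" != YES ]; then
    echo no; return 0
  fi
  if [ "$(effective_setting "$1" "$2" "$gate")" = "$want" ]; then echo yes; else echo no; fi
}

stage_all() {   # $1 = stage dir; README users tom/foo and fred/bar
  mkdir -p "$1"
  write_logins "$1" tom:foo fred:bar
  build_db "$1"
  write_pam "$1"
  write_vsftpd_conf "$1"
  write_user_conf "$1" tom anon_world_readable_only=NO
  write_user_conf "$1" fred anon_world_readable_only=NO write_enable=YES anon_upload_enable=YES
}

audit() {   # $1 = stage dir, $2.. = logins; one line per user
  dir=$1; shift
  for u in "$@"; do
    printf '%-5s' "$u"
    for c in read_private upload mkdir delete; do printf ' %s=%s' "$c" "$(can "$dir" "$u" "$c")"; done
    printf '\n'
  done
}

stage=${VSFTPD_STAGE:-$(mktemp -d)}
stage_all "$stage"
echo "staged under $stage; copy into place as root (and run db_load there if it was skipped)"
audit "$stage" tom fred bob   # bob has no override file, so he gets the global settings
```

Run it as an ordinary user (set VSFTPD_STAGE to choose the staging directory); the audit line for bob shows what any virtual user gets before an override file exists, which is the state fred was in at the end of the tom step above.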