NSLU2-Linux
view · edit · print · history

(redirected from Unslung.Vsftpd)

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be: 
 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1
  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy. 

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 /unslung/rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

someuser:xxxx:2000:501:::/dev/null

change this to:

someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

chroot_local_user=YES

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.

Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following 

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log
Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line 
 
xferlog_file=/opt/var/log/vsftpd.log
then add the following 
 
vsftpd_log_file=/opt/var/log/vsftpd.log

Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file 

 
user_config_dir=/opt/etc/vsftpd_user_conf

3. Create the directory /opt/etc/vsftpd_user_conf 

 
mkdir /opt/etc/vsftpd_user_conf

4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user 

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user 

 
write_enable=YES

OR 

 
write_enable=NO

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?

Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with 

 
admin
root

guest

Add these lines to /opt/etc/vsftpd.conf 

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on. 

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES