Thursday, May 19, 2011

FTP and e-mail on the same server

Setting up VSFTP using non-local users.


If an administrator wants road warriors to use the same server for both e-mail and FTP, it is better to give the FTP side virtual users rather than system accounts.

/etc/vsftpd/vsftpd.conf


local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES
# Sets a port range for passive mode (the firewall must allow these ports); min must be below max
pasv_min_port=51123
pasv_max_port=51323
port_enable=YES
Set up the virtual FTP usernames and their passwords in the following format, one username line followed by its password line:

/etc/vsftpd/vsftpd_users.txt

username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3

Build the vsftpd database, then restrict both files to root, since they hold the passwords in plaintext:

#db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
#chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt

Create a directory for each virtual FTP user:

#mkdir -p /home/virtualftp/username1

Test a virtual user login:

#ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.
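The user file, directory and database steps above, as an added shell script that is not part of the original post. It assumes the post's paths as defaults and a Berkeley DB loader named db_load (set DB_LOAD=db42_load on a system that names it as the post does); the function names are this script's own.

```shell
#!/bin/sh
# Added example, not from the original post: check the vsftpd virtual-user
# list, create each user's directory under local_root, and build the
# Berkeley DB that pam_userdb reads. Paths and DB_LOAD are this script's own
# defaults (the post's system calls the loader db42_load).
USERS_TXT="${USERS_TXT:-/etc/vsftpd/vsftpd_users.txt}"
USERS_DB="${USERS_DB:-/etc/vsftpd/vsftpd_users.db}"
FTP_ROOT="${FTP_ROOT:-/home/virtualftp}"
DB_LOAD="${DB_LOAD:-db_load}"

# Print the usernames (odd lines) of a users file, or fail without printing
# anything when the file is malformed: odd line count, empty password,
# duplicate user, or a name that is unsafe to substitute into
# local_root=/home/virtualftp/$USER (for example one containing "../").
vsftpd_users() {
    awk '
        NR % 2 == 1 {
            if ($0 !~ /^[a-z_][a-z0-9_-]*$/) { print "bad username on line " NR > "/dev/stderr"; bad = 1 }
            if ($0 in seen) { print "duplicate user " $0 > "/dev/stderr"; bad = 1 }
            seen[$0] = 1; name[NR] = $0
        }
        NR % 2 == 0 && $0 == "" { print "empty password on line " NR > "/dev/stderr"; bad = 1 }
        END {
            if (NR % 2 == 1) { print "username without password on last line" > "/dev/stderr"; bad = 1 }
            if (bad) exit 1
            for (i = 1; i <= NR; i += 2) print name[i]
        }' "$1"
}

# Create the chroot directory for every listed user under the given root.
# Nothing is created if the list fails validation. Uploads additionally need
# the directory to be writable by guest_username (virtualftp in the post).
vsftpd_make_homes() {
    users=$(vsftpd_users "$1") || return 1
    for u in $users; do
        mkdir -p "$2/$u" || return 1
    done
}

# Build the hash database (key = username, value = password) and keep both
# files readable by root only, since they hold the plaintext passwords.
vsftpd_build_db() {
    vsftpd_users "$1" >/dev/null || return 1
    "$DB_LOAD" -T -t hash -f "$1" "$2" && chmod 600 "$2" "$1"
}

# Usage when run as root on the FTP server:
#   vsftpd_make_homes "$USERS_TXT" "$FTP_ROOT" && vsftpd_build_db "$USERS_TXT" "$USERS_DB"
```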

Setting up VSFTPD permissions


I'm setting up a PHP-driven web app that serves files through a web interface. I've also set up a vsftpd server so that users can upload their data to a virtual directory. The vsftpd server uses the pam_mysql module to authenticate against the web app's user database, so no accounts are created on the system and we can disable SSH access.

Apache and vsftpd run as different users, so we needed a way for each of them to view and edit the files created by the other. What we wound up doing was creating a group www-users and making it the group owner of /var/www, then assigning the users apache and nobody to the group and setting the permissions on the /var/www directory to 775. This allows nobody and any other user in the www-users group to read and write to /var/www; it also makes it easier to authorize other users to write to /var/www: simply assign the user to the www-users group. Here are the steps in case any googlers need a hint.

1) Set the vsftpd umask to 0027 in /etc/vsftpd.conf (local_umask=0027)
2) Create the www-users group (groupadd www-users)
3) Add each user to the group (usermod -a -G www-users user)
4) Set Apache to run as the www-users group (httpd.conf)
5) chgrp www-users /var/www
6) chmod 2775 /var/www
7) Add the setgid permission to the directory: chmod g+s /var/www (I believe this is redundant, since the leading 2 in 2775 already sets it)
