[nycbug-talk] Anonymous ftp upload questions

michael lists
Mon Aug 22 12:49:14 EDT 2005


On Mon, 22 Aug 2005 08:52:31 -0700
pete wright <nomadlogic at gmail.com> wrote:

> On 8/22/05, michael <lists at genoverly.net> wrote:
> > 
> > 
> > > None of the uploads work, but I am kind of annoyed at these test
> > > uploads, but I'm thinking there is very little I can do about
> > > this. Any ideas? Anyone else have a similar set up? Would you set
> > > up a no privileges account, rather than go anonymous, seems like
> > > more of a hassle to risk having a real user id and password, even
> > > with really restricted privs, going out over ftp.
> > >
> > > Thanks,
> > >
> > > --
> > > Marco
> > 
> > I run vsftp on FreeBSD, it is great stuff. Anon is tough, I block
> > it. vsftp has a lot of flexibility, why not create a single user for
> > them to upload? I set their password using mysql auth, so no shell
> > access. You can use vsftp to tweak their rights.
> 
> 
> 
> sweet, hey michael so is mysql auth part of the stock vsftp package or
> is there some voodoo that will get that working. proftpd's DB auth
> when i hacked it some time ago was not too fun....what was nice about
> what we did though was that the ftp daemon did not need access to
> /etc/passwd, so producers could create/delete ftp accounts directly
> on the DB. -pete
> 
> 
> -- 
> ~~o0OO0o~~
> Pete Wright
> www.nycbug.org <http://www.nycbug.org>
> NYC's *BSD User Group

I wouldn't call it voodoo <grin>.  I had set up email (courier-imap,
postfix) to hold user auth, so, I figured.. why not ftp? I was
constrained to MySQL.

xinetd takes the call on port 20 and routes them to vsftpd and its conf
file. On logon, pam gets the auth request. /etc/pam.d/ftp has the
entries to look up the users in the db rather than system accounts. 

vsftpd has a vsftp_user_conf directive that contains a directory and for
each user if you want user-specific confs, which is nice.

Sample conf called by xinetd:

 ->grep ^[^#] /usr/local/etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_enable=YES
xferlog_file=/usr/local/var/log/vsftpd.log
banner_file=/usr/local/etc/vsftpd/vsftpd.banner_file
secure_chroot_dir=/usr/local/share/vsftpd/empty
chroot_local_user=YES
user_config_dir=/usr/local/etc/vsftpd/vsftpd_user_conf



Michael
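
An added example, not part of the message above and not vsftpd's own code: a shell check that reads a vsftpd.conf and flags the anonymous-upload and chroot settings this thread is about. The helper names vsftpd_get and vsftpd_audit are hypothetical, the sample file is constructed, and the defaults are those given in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the thread): audit a vsftpd.conf for the anonymous
# and chroot settings discussed above. Defaults follow vsftpd.conf(5).

# Print the effective value of KEY in FILE. vsftpd wants "key=value" with no
# spaces. Assumption: the last uncommented line wins; DEFAULT if KEY is absent.
vsftpd_get() {
    file=$1; key=$2; default=$3
    val=$(sed -n "s/^${key}=\(.*\)\$/\1/p" "$file" | tail -n 1 | tr -d '\r')
    printf '%s\n' "${val:-$default}"
}

# Print one finding per line. Returns 0 when clean, 1 when anything is flagged.
vsftpd_audit() {
    conf=$1; rc=0
    anon=$(vsftpd_get "$conf" anonymous_enable YES)  # YES unless set to NO
    write=$(vsftpd_get "$conf" write_enable NO)
    upload=$(vsftpd_get "$conf" anon_upload_enable NO)
    amkdir=$(vsftpd_get "$conf" anon_mkdir_write_enable NO)
    locals=$(vsftpd_get "$conf" local_enable NO)
    jail=$(vsftpd_get "$conf" chroot_local_user NO)

    if [ "$anon" = YES ]; then
        echo "WARN anonymous_enable is YES (the default when the line is missing)"
        rc=1
        if [ "$write" = YES ] && [ "$upload" = YES ]; then
            echo "FAIL anonymous uploads are accepted"
        fi
        if [ "$write" = YES ] && [ "$amkdir" = YES ]; then
            echo "FAIL anonymous users can create directories"
        fi
    fi
    if [ "$locals" = YES ] && [ "$jail" != YES ]; then
        echo "WARN local_enable=YES without chroot_local_user=YES"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: anonymous_enable is commented out, so the default applies.
sample=$(mktemp)
printf '#anonymous_enable=NO\nwrite_enable=YES\nanon_upload_enable=YES\n' > "$sample"
vsftpd_audit "$sample" || echo "=> $sample needs review"
rm -f "$sample"
```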



