NSLU2-Linux

Optware.Vsftpd History


October 08, 2008, at 03:50 AM by BrianZhou -- explicit path of /unslung/rc.xinetd
Changed lines 31-32 from:
 Using "chmod 755 rc.xinetd".
to:
 Using "chmod 755 /unslung/rc.xinetd".
September 23, 2006, at 02:06 PM by Phil Endecott -- De-spam
Changed lines 1-342 from:


to:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify the existing) diversion script /unslung/rc.xinetd. Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seems to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
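#!/bin/sh
# /unslung/rc.xinetd
# Diversion script consulted by /etc/rc.d/rc.xinetd.

# Add the ftp service line only if no vsftpd entry exists yet, so repeated
# runs never append duplicate lines or disturb other services' entries.
if [ ! -f /etc/inetd.conf ] || ! grep -q vsftpd /etc/inetd.conf ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

# Must stay the last line so that /etc/rc.d/rc.xinetd goes on to start inetd.
return 1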

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Make sure that you use a Linux-compatible text editor, otherwise the CR/LFs will be wrong and your ftp server will not start!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable,
 using "chmod 755 /unslung/rc.xinetd".

Troubleshooting

  • Problem: When I try to log in to my ftp server, I get:
    530 Login incorrect
    Solution: In the configuration file, verify that you have local_enable=yes and that the user/pass is correct. If it still doesn't work, add check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
    Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
    Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
    Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftpd there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and the FTP client gives the error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
    Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
    Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually /opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives the message "500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp"
    Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to log in as root
    Cause: The sub-directory /root does not exist
    Solution 1: Use #mkdir /root to create the sub-directory
    Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.
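
The checks from the setup steps (executable bit, line endings, final "return 1", no duplicate ftp line) and from the inetutils item above, collected into one preflight script. This is an added example, not part of the original page; the function names and sample files are constructed for illustration, and "stock" versus "inetutils" refers to the two inetd.conf line formats described above.

```shell
#!/bin/sh
# Added example, not part of the original page. Function names and sample
# files are constructed; nothing touches the real /unslung or /etc.

# check_diversion_script SCRIPT
# Prints one finding per line (nothing when the script passes).
check_diversion_script() (
  script=$1
  cr=$(printf '\r')
  [ -x "$script" ] || echo "not-executable"
  # A carriage return anywhere means the file was saved with CR/LF endings.
  if grep -q "$cr" "$script"; then echo "crlf-line-endings"; fi
  # The last non-blank line must be exactly "return 1".
  last=$(tr -d '\r' <"$script" | grep -v '^[[:space:]]*$' | tail -n 1)
  [ "$last" = "return 1" ] || echo "missing-final-return-1"
  return 0
)

# inetd_ftp_entry CONF STYLE      (STYLE is "stock" or "inetutils")
# Prints ok, missing, duplicate or wrong-format for the active ftp line.
# "inetutils" expects the program base name as the first argument.
inetd_ftp_entry() (
  conf=$1 style=$2
  [ -f "$conf" ] || { echo "missing"; exit 0; }
  awk -v style="$style" '
    $1 == "ftp" { n++; prog = $6; arg0 = $7 }   # commented lines never match
    END {
      if (n == 0) { print "missing"; exit }
      if (n > 1) { print "duplicate"; exit }
      base = prog
      sub(/.*\//, "", base)
      want = (style == "inetutils")
      got = (arg0 == base)
      if (want == got) print "ok"; else print "wrong-format"
    }' "$conf"
)

# make_samples DIR: write constructed sample files into DIR.
make_samples() {
  dir=$1
  ftp_stock='ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf'
  ftp_utils='ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf'
  # A well-formed diversion script.
  printf '%s\n' '#!/bin/sh' '# /unslung/rc.xinetd' \
    'if [ ! -f /etc/inetd.conf ] || ! grep -q vsftpd /etc/inetd.conf ; then' \
    "  echo \"$ftp_stock\" >>/etc/inetd.conf" 'fi' '' 'return 1' >"$dir/rc.good"
  chmod 755 "$dir/rc.good"
  # Saved with CR/LF endings, mode 644, and without the final "return 1".
  printf '#!/bin/sh\r\necho hello\r\n' >"$dir/rc.bad"
  chmod 644 "$dir/rc.bad"
  printf '%s\n' "$ftp_stock" >"$dir/inetd.stock"
  # What a non-idempotent script leaves behind after two boots.
  printf '%s\n' "$ftp_stock" "$ftp_stock" >"$dir/inetd.dup"
  printf '%s\n' "$ftp_utils" \
    'telnet stream tcp nowait root /opt/libexec/telnetd telnetd' >"$dir/inetd.utils"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "rc.good findings: $(check_diversion_script "$demo_dir/rc.good" | tr '\n' ' ')"
echo "rc.bad findings:  $(check_diversion_script "$demo_dir/rc.bad" | tr '\n' ' ')"
echo "stock file, stock format:      $(inetd_ftp_entry "$demo_dir/inetd.stock" stock)"
echo "stock line in inetutils file:  $(inetd_ftp_entry "$demo_dir/inetd.stock" inetutils)"
echo "duplicated ftp line:           $(inetd_ftp_entry "$demo_dir/inetd.dup" stock)"
echo "inetutils file:                $(inetd_ftp_entry "$demo_dir/inetd.utils" inetutils)"
rm -rf "$demo_dir"
```

On the slug itself, the real paths from this page would be passed instead, for example /unslung/rc.xinetd with /etc/inetd.conf (stock) or /opt/etc/inetd.conf (inetutils).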

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me:

/etc/passwd

By default the web GUI creates users with no home directory and a null shell. Here's an example of what the GUI creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

Change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the user's home directory. If you've updated busybox, the shell should be /opt/bin/sh instead.
If you change a user password in the web GUI, it will reset the /etc/passwd changes, and you'll have to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

Add the following to /opt/etc/vsftpd.conf:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users' directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk; if you're worried about running out of space or want the logs to be persistent across reboots, do the following:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf and comment out the line:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log

(:tableend:)

Then add the following:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user, copy the /opt/etc/vsftpd.conf file to the /opt/etc/vsftpd_user_conf directory and name the copy after the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftpd will allow root and admin to log in if they are set up with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root
guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)
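
A script that audits a vsftpd.conf against the settings from Tip #1 (chroot jail) and Tip #4 (user list), plus the anonymous_enable warning in the distributed file. This is an added example, not part of the original page; function names and sample files are constructed. It assumes the vsftpd.conf(5) defaults userlist_deny=YES and userlist_file=/etc/vsftpd.user_list, which this page does not state, and recognises only the YES/NO spellings of boolean values.

```shell
#!/bin/sh
# Added example, not part of the original page. Function names and sample
# files are constructed; only the files passed as arguments are read.

# conf_get FILE KEY DEFAULT
# Effective value of KEY: the last assignment is used, lines starting with
# '#' never match, and DEFAULT applies when KEY is absent.
conf_get() (
  v=$(tr -d '\r' <"$1" | sed -n "s/^$2=//p" | tail -n 1)
  echo "${v:-$3}"
)

# conf_bool FILE KEY DEFAULT: as conf_get, upper-cased so "yes" equals "YES".
conf_bool() { conf_get "$@" | tr '[:lower:]' '[:upper:]'; }

# login_denied CONF USER: succeeds if the user list refuses USER.
login_denied() (
  [ "$(conf_bool "$1" userlist_enable NO)" = YES ] || exit 1
  # Assumed default path, taken from vsftpd.conf(5) rather than this page.
  list=$(conf_get "$1" userlist_file /etc/vsftpd.user_list)
  listed=no
  if [ -f "$list" ] && tr -d '\r' <"$list" | grep -qxF -- "$2"; then
    listed=yes
  fi
  # Assumed default userlist_deny=YES, also from vsftpd.conf(5).
  if [ "$(conf_bool "$1" userlist_deny YES)" = YES ]; then
    [ "$listed" = yes ]   # deny list: listed users are refused
  else
    [ "$listed" = no ]    # allow list: only listed users get in
  fi
)

# audit_vsftpd CONF: prints one finding per line, nothing when clean.
audit_vsftpd() (
  conf=$1
  # The distributed file warns that anonymous FTP is on unless set to NO.
  [ "$(conf_bool "$conf" anonymous_enable YES)" = NO ] || echo "anonymous-login-enabled"
  if [ "$(conf_bool "$conf" local_enable NO)" = YES ]; then
    [ "$(conf_bool "$conf" chroot_local_user NO)" = YES ] || echo "local-users-not-chrooted"
    for u in root admin guest; do
      login_denied "$conf" "$u" || echo "login-not-denied:$u"
    done
  fi
  return 0
)

# make_conf_samples DIR: write constructed sample files into DIR.
make_conf_samples() {
  d=$1
  # User list as on this page; a blank line is included on purpose.
  printf '%s\n' admin root '' guest >"$d/vsftpd.user_list"
  # The active access settings of the distributed file.
  cat >"$d/shipped.conf" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
EOF
  # Distributed settings plus Tip #1 (chroot) and Tip #4 (user list).
  cat >"$d/hardened.conf" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_file=$d/vsftpd.user_list
EOF
  # Two mistakes: anonymous_enable commented out, and userlist_deny=NO,
  # which turns the same list into an allow list.
  cat >"$d/inverted.conf" <<EOF
#anonymous_enable=NO
local_enable=yes
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=$d/vsftpd.user_list
EOF
}

demo_dir=$(mktemp -d)
make_conf_samples "$demo_dir"
for f in shipped hardened inverted; do
  echo "== $f.conf"
  audit_vsftpd "$demo_dir/$f.conf"
done
rm -rf "$demo_dir"
```

Run against the real file with audit_vsftpd /opt/etc/vsftpd.conf; per-user files under user_config_dir are not merged by this sketch.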


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)

September 23, 2006, at 01:31 PM by yaasel --
September 22, 2006, at 11:57 PM by rwhitby --
Changed lines 1-8 from:

Hello, nice site look this: <a href="http://lokimno.info/free-ringtone-download.html">free ringtone download</a> http://lokimno.info/silent-ringtone.html http://lokimno.info/high-pitched-ringtone.html <a href="http://lokimno.info/free-verizon-ringtones.html">free verizon ringtones</a> <a href="http://lokimno.info/high-pitched-ringtone.html">high pitched ringtone</a>

End ^) See you

to:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

then add the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf 

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user, copy the /opt/etc/vsftpd.conf file to the /opt/etc/vsftpd_user_conf directory and name it after the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftpd will allow root and admin to log in if they are set up with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root
guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)
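
An added example, not part of the wiki page or the vsftpd package: a POSIX shell check that reads a vsftpd.conf and reports whether the chroot jail from Tip #1 and the deny list from Tip #4 are actually in effect. The function names are hypothetical, the fallbacks used for unset options (anonymous_enable=YES, chroot_local_user=NO, userlist_deny=YES, userlist_file=/etc/vsftpd.user_list) are assumed to be the upstream vsftpd defaults, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a vsftpd.conf against Tips #1 and #4.

# conf_get FILE KEY DEFAULT: print the last uncommented KEY=value, else DEFAULT.
conf_get() {
    _v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r')
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# is_yes VALUE: true for the spellings vsftpd accepts as boolean true.
is_yes() {
    case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_vsftpd CONF: print one "FINDING: ..." line per problem.
# Returns 0 when the file passes every check, 1 otherwise.
audit_vsftpd() {
    _conf=$1
    _bad=0

    # Assumed compiled-in default is YES, so a commented-out line still allows it.
    if is_yes "$(conf_get "$_conf" anonymous_enable YES)"; then
        echo "FINDING: anonymous_enable is YES or unset, anonymous FTP is allowed"
        _bad=1
    fi

    # Tip #1: without the jail, local users can reach / and other users' directories.
    if ! is_yes "$(conf_get "$_conf" chroot_local_user NO)"; then
        echo "FINDING: chroot_local_user is not YES, local users are not jailed"
        _bad=1
    fi

    # Tip #4: the list only blocks logins while userlist_deny keeps its default (YES).
    if ! is_yes "$(conf_get "$_conf" userlist_enable NO)"; then
        echo "FINDING: userlist_enable is not YES, the user list is ignored"
        _bad=1
    elif ! is_yes "$(conf_get "$_conf" userlist_deny YES)"; then
        echo "FINDING: userlist_deny=NO makes the list an allow list"
        _bad=1
    else
        _list=$(conf_get "$_conf" userlist_file /etc/vsftpd.user_list)
        if [ ! -r "$_list" ]; then
            echo "FINDING: userlist_file $_list is missing or unreadable"
            _bad=1
        else
            for _u in root admin guest; do
                if ! tr -d '\r' < "$_list" | grep -qx "$_u"; then
                    echo "FINDING: $_u is not listed in $_list"
                    _bad=1
                fi
            done
        fi
    fi

    # DOS line endings, the text-editor problem the setup steps warn about.
    if grep -q "$(printf '\r')" "$_conf"; then
        echo "FINDING: $_conf contains CR characters (DOS line endings)"
        _bad=1
    fi
    return "$_bad"
}

# Constructed sample: the shipped defaults plus Tip #4, with "guest" forgotten
# and the chroot line from Tip #1 never added.
demo() {
    _d=$(mktemp -d)
    printf 'admin\nroot\n' > "$_d/vsftpd.user_list"
    printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' \
        'userlist_enable=YES' "userlist_file=$_d/vsftpd.user_list" > "$_d/vsftpd.conf"
    audit_vsftpd "$_d/vsftpd.conf"
    _rc=$?
    rm -rf "$_d"
    return "$_rc"
}

demo || true
```

On the slug, run it as audit_vsftpd /opt/etc/vsftpd.conf after each edit; a clean pass prints nothing and returns 0.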


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)

September 22, 2006, at 11:29 PM by Bush --
Changed lines 1-342 from:


to:


September 22, 2006, at 05:57 PM by Poutnik -- restore pre-SPAM
Changed lines 1-342 from:


to:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

then add the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf 

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root

guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)
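
Review bot: The restored vsftpd.conf ends with ls_recurse_enable=YES directly under a comment saying the option is disabled by default so that remote users cannot cause excessive I/O, and the text gives no reason why that trade-off is acceptable on the NSLU2. Either ship it as NO and tell users of ncftp or mirror to turn it on, or add a line beside the setting explaining the choice. In the same block, #nopriv_user=ftpsecure stays commented out even though the comment above it recommends a unique, isolated, unprivileged user; the setup steps should either create that account and enable the line, or say why it is skipped.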

September 22, 2006, at 04:57 PM by yaasel --
Changed lines 1-342 from:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

then add the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf 

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root

guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)

to:

http://www.bloggen.be/zend/ <a href="http://www.bloggen.be/zend/">replica watches</a> replica watches
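
Review bot: The "to:" side of this revision replaces lines 1-342, the whole vsftpd setup guide, with a single advertising link, and the edit has no summary. Nothing in the replacement relates to vsftpd, so it should be reverted in full to the "from:" text. The history entry of September 21, 2006 at 04:15 PM shows the same pattern with a different link, which suggests the page needs some edit protection rather than repeated manual reverts.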

September 21, 2006, at 04:15 PM by ST -- spam
Changed lines 1-342 from:

http://www.bloggen.be/rosarybracelets <a href="http://www.bloggen.be/rosarybracelets">rosary bracelets</a> rosary bracelets

to:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

then add the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf 

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root

guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)
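
Review bot: The restored Tip #1 has the reader change each FTP user's passwd entry from a /dev/null shell to /bin/sh, which gives those accounts a working login shell on a device where the same page puts telnetd in inetd.conf. The Troubleshooting entry "Users without access to a shell cannot log in" already gives check_shell=NO as the fix, so the tip could set only the home directory field and keep the null shell. Separately, "Enable chroot jail" states that without chroot_local_user=YES users have access to /, yet the shipped vsftpd.conf below does not set it; consider moving that line into the default file, or into the numbered setup steps, instead of leaving it as an optional tip.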

September 21, 2006, at 03:13 PM by dfgdgaw --
Changed lines 1-342 from:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

then add the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf 

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root

guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)

to:

http://www.bloggen.be/rosarybracelets <a href="http://www.bloggen.be/rosarybracelets">rosary bracelets</a> rosary bracelets
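
Review bot: the "to:" side of this hunk is a single off-topic external link with raw anchor markup, and it replaces the whole "from" text, including the Tip #4 lockdown of root, admin and guest and the packaged vsftpd.conf. Nothing in the replacement relates to vsftpd, so the revision should be reverted as a whole rather than edited.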

September 21, 2006, at 06:30 AM by Poutnik -- restore of pre-SPAM version
Changed lines 1-342 from:

http://www.forumage.com/?mforum=salvationbracel <a href="http://www.forumage.com/?mforum=salvationbracel">salvation bracelets</a> salvation bracelets

to:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

then add the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf 

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root

guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)
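
Review bot: in Tip #1 of the restored text, FTP users are switched from /dev/null to /bin/sh, which also hands each account a working login shell, while the Troubleshooting list in the same text already offers check_shell=NO for users without a shell; Tip #1 should mention that option so readers can enable FTP logins without granting a shell. Two smaller points in the same restore: Troubleshooting "Solution 2" edits /opt/passwd where Tip #1 edits /etc/passwd, so one of the two paths looks like a typo, and the tip "chmod 755 rc.xinetd" only works from inside /unslung and would be clearer with the full path.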

September 21, 2006, at 01:34 AM by yaasel --
Changed lines 1-342 from:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

then add the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf 

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root

guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)

to:

http://www.forumage.com/?mforum=salvationbracel <a href="http://www.forumage.com/?mforum=salvationbracel">salvation bracelets</a> salvation bracelets

September 19, 2006, at 02:25 PM by PatrickSchneider -- Removed Spam
Changed lines 1-342 from:

http://www.forumage.com/?mforum=alltelringtones <a href="http://www.forumage.com/?mforum=alltelringtones">alltel ringtones</a> alltel ringtones

to:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

then add the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf 

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root

guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)
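
Review bot: Tip #1 in the restored text changes the web-GUI account from a null shell (/dev/null) to /bin/sh, which makes an FTP-only account a valid shell account for any login service on the box; the Troubleshooting list in the same text shows telnetd being served from inetd. The page's own check_shell=NO entry already covers "Users without access to a shell cannot log in", so Tip #1 should offer keeping the null shell with check_shell=NO (plus a home directory and chroot_local_user=YES) as the narrower option, and say that the /bin/sh route grants shell access as a side effect.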

September 19, 2006, at 01:18 PM by dsafsfd --
Changed lines 1-342 from:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
  4. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
#!/bin/sh
# /unslung/rc.xinetd

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

(:tableend:)

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
  2. Restart xinetd with /etc/rc.d/rc.xinetd
  3. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!

Test it out with your favorite ftp client, and enjoy.

 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".

Troubleshooting

  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.

Tip #1 - Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd

By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

change this to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in Unslung.UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.


Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

then add the following

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)


Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above)

2. Add the following line to the /opt/etc/vsftpd.conf file

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
user_config_dir=/opt/etc/vsftpd_user_conf 

(:tableend:)

3. Create the directory /opt/etc/vsftpd_user_conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
cp /opt/etc/vsftpd.conf  /opt/etc/vsftpd_user_conf/johndoe

(:tableend:)

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=YES

(:tableend:)

OR

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
write_enable=NO

(:tableend:)

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?


Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with (:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root

guest

(:tableend:)

Add these lines to /opt/etc/vsftpd.conf

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)


Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)

to:

http://www.forumage.com/?mforum=alltelringtones <a href="http://www.forumage.com/?mforum=alltelringtones">alltel ringtones</a> alltel ringtones
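
Review bot: The "to:" side replaces all of lines 1-342 with a single external link to forumage.com, and the edit carries an empty summary; nothing in it relates to vsftpd. Revert this revision in full rather than merging it with later edits. The salvationbracel edit shown further up this history uses the same domain, so a block on that URL pattern in the wiki's edit filter would stop the repeats.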

August 31, 2006, at 10:50 AM by peter blok --
Changed lines 26-27 from:
to:
  1. Assure yourself that you use a linux compatible texteditor otherwise the CR/LFs will be wrong and your ftp-server will not start!!
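Review bot: The added step says the CR/LFs "will be wrong" but not which files are affected or how a reader can tell. Name the files this page has the reader create or edit (/unslung/rc.xinetd and /opt/etc/vsftpd.conf) and say they need Unix LF line endings.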
August 28, 2006, at 09:02 AM by pablok --
Changed lines 40-42 from:
Solution: Verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
to:
Solution: In the configuration file verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
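Review bot: "In the configuration file" still does not say which file; the rest of the page uses /opt/etc/vsftpd.conf, so name it here. The values are written local_enable=yes and check_shell=no while the sample config on this page uses upper-case YES/NO; use the same spelling so the line can be pasted as is.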
February 26, 2006, at 05:08 AM by markc -- tip
Changed lines 29-30 from:
  1. Tip: Make sure the file /unslung/rc.xinetd file is executable.
  2. Using "chmod 755 rc.xinetd".
to:
 Tip: Make sure the file /unslung/rc.xinetd is executable.
 Using "chmod 755 rc.xinetd".
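Review bot: The command in the second line, chmod 755 rc.xinetd, uses a relative path and only works when the current directory is /unslung. Write it as chmod 755 /unslung/rc.xinetd, matching the path given in the line above it.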
February 26, 2006, at 05:07 AM by markc -- Tip
Added lines 29-30:
  1. Tip: Make sure the file /unslung/rc.xinetd file is executable.
  2. Using "chmod 755 rc.xinetd".
January 24, 2006, at 12:59 PM by Eric Wu -- added solution for login issue
Added lines 33-39:
  • Problem: When I try to login to my ftp server, I get:
    530 Login incorrect
Solution: Verify that you have local_enable=yes and user/pass is correct. If still doesn't work add in check_shell=no
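Review bot: The fallback "add in check_shell=no" is given without saying when it applies or what it turns off. Say that it is for accounts whose shell is not a valid login shell (the web GUI's default /dev/null, for example) and that it makes vsftpd skip that shell check, so a reader does not switch it off to chase a plain wrong password.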
August 23, 2005, at 09:31 PM by tman --
Changed lines 1-2 from:

vsftpd is the very secure file transfer protocol daemon (http://vsftpd.beasts.org/). It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

to:

vsftpd is the very secure file transfer protocol daemon. It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.
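
Review bot: The only change to the opening paragraph is the removal of the upstream link (http://vsftpd.beasts.org/), and the edit has no summary explaining why. The page tells readers to consult vsftpd.conf.5 for the full option list, so keep a pointer to the upstream project unless the link was dead, and record the reason in the summary.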

Added line 9:
Changed lines 31-35 from:

Troubleshooting

  • Problem: When I ftp into my slug running vsftpd, I get

/opt/bin/vsftpd: 1: Syntax error: "(" unexpected

to:

Troubleshooting

  • Problem: When I ftp into my slug running vsftpd, I get:
    /opt/bin/vsftpd: 1: Syntax error: "(" unexpected
Changed lines 40-42 from:
  • Problem: vsftpd gives the error

/opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory

to:
  • Problem: vsftpd gives the error:
    /opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
Changed lines 69-70 from:

Tip #1 - Enabling User Level Access

to:

Tip #1 - Enabling User Level Access

Changed lines 76-77 from:
someuser:xxxx:2000:501:::/dev/null
to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501:::/dev/null (:tableend:)

Changed lines 83-84 from:
someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh
to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh (:tableend:)

Changed lines 97-98 from:
chroot_local_user=YES
to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:) chroot_local_user=YES (:tableend:)

Changed lines 106-108 from:

Tip #2 - Logging (note that this will become the default as of ipk version 2.0.1-5)

to:

Tip #2 - Logging

(note that this will become the default as of ipk version 2.0.1-5)

Changed lines 112-114 from:
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log
to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log

(:tableend:)

Changed lines 122-123 from:
xferlog_file=/opt/var/log/vsftpd.log
to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
xferlog_file=/opt/var/log/vsftpd.log 

(:tableend:)

Changed lines 131-132 from:
vsftpd_log_file=/opt/var/log/vsftpd.log
to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
vsftpd_log_file=/opt/var/log/vsftpd.log

(:tableend:)

Changed lines 140-141 from:

Tip #3 - Enabling different user level access

to:

Tip #3 - Enabling different user level access

Added lines 148-150:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 [=
Changed lines 152-154 from:
to:

=] (:tableend:)

Added lines 157-163:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
mkdir /opt/etc/vsftpd_user_conf

(:tableend:)

Added lines 166-168:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 [=
Changed lines 170-172 from:
to:

=] (:tableend:)

Added lines 175-177:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 [=
Changed lines 179-181 from:
to:

=] (:tableend:)

Added lines 184-186:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 [=
Changed lines 188-190 from:
to:

=] (:tableend:)

Changed lines 194-195 from:

Tip #4 - Security - Disable root and admin

to:

Tip #4 - Security - Disable root and admin

Changed lines 199-203 from:
admin
root
guest
to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
admin
root

guest

(:tableend:)
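
Review bot: The "to:" side puts an empty line between root and guest that the "from:" side did not have. Readers copy this block into /opt/etc/vsftpd.user_list as is, so keep the three names on consecutive lines.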

Changed lines 210-212 from:
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list
to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list

(:tableend:)
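
Review bot: These two lines only block the listed users because vsftpd's userlist_deny option defaults to YES; with userlist_deny=NO the same file becomes the list of the only users allowed in. Add userlist_deny=YES to the block so that denying root, admin and guest does not depend on a default.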

Changed lines 223-328 from:
 # Example config file /opt/etc/vsftpd.conf
 #
 # The default compiled in settings are fairly paranoid. This sample file
 # loosens things up a bit, to make the ftp daemon more usable.
 # Please see vsftpd.conf.5 for all compiled in defaults.
 #
 # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
 # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
 # capabilities.
 #
 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
 anonymous_enable=NO
 #
 # Uncomment this to allow local users to log in.
 local_enable=YES
 #
 # Uncomment this to enable any form of FTP write command.
 write_enable=YES
 #
 # Default umask for local users is 077. You may wish to change this to 022,
 # if your users expect that (022 is used by most other ftpd's)
 local_umask=022
 #
 # Uncomment this to allow the anonymous FTP user to upload files. This only
 # has an effect if the above global write enable is activated. Also, you will
 # obviously need to create a directory writable by the FTP user.
 #anon_upload_enable=YES
 #
 # Uncomment this if you want the anonymous FTP user to be able to create
 # new directories.
 #anon_mkdir_write_enable=YES
 #
 # Activate directory messages - messages given to remote users when they
 # go into a certain directory.
 dirmessage_enable=YES
 #
 # Activate logging of uploads/downloads.
 xferlog_enable=YES
 #
 # Make sure PORT transfer connections originate from port 20 (ftp-data).
 connect_from_port_20=YES
 #
 # If you want, you can arrange for uploaded anonymous files to be owned by
 # a different user. Note! Using "root" for uploaded files is not
 # recommended!
 #chown_uploads=YES
 #chown_username=whoever
 #
 # You may override where the log file goes if you like. The default is shown
 # below.
 vsftpd_log_file=/opt/var/log/vsftpd.log
 #
 # If you want, you can have your log file in standard ftpd xferlog format
 #xferlog_std_format=YES
 #
 # You may change the default value for timing out an idle session.
 #idle_session_timeout=600
 #
 # You may change the default value for timing out a data connection.
 #data_connection_timeout=120
 #
 # It is recommended that you define on your system a unique user which the
 # ftp server can use as a totally isolated and unprivileged user.
 #nopriv_user=ftpsecure
 #
 # Enable this and the server will recognise asynchronous ABOR requests. Not
 # recommended for security (the code is non-trivial). Not enabling it,
 # however, may confuse older FTP clients.
 #async_abor_enable=YES
 #
 # By default the server will pretend to allow ASCII mode but in fact ignore
 # the request. Turn on the below options to have the server actually do ASCII
 # mangling on files when in ASCII mode.
 # Beware that turning on ascii_download_enable enables malicious remote parties
 # to consume your I/O resources, by issuing the command "SIZE /big/file" in
 # ASCII mode.
 # These ASCII options are split into upload and download because you may wish
 # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
 # without the DoS? risk of SIZE and ASCII downloads. ASCII mangling should be
 # on the client anyway..
 #ascii_upload_enable=YES
 #ascii_download_enable=YES
 #
 # You may fully customise the login banner string:
 ftpd_banner=Welcome to the NSLU2 vsftp daemon.
 #
 # You may specify a file of disallowed anonymous e-mail addresses. Apparently
 # useful for combatting certain DoS? attacks.
 #deny_email_enable=YES
 # (default follows)
 #banned_email_file=/opt/etc/vsftpd.banned_emails
 #
 # You may specify an explicit list of local users to chroot() to their home
 # directory. If chroot_local_user is YES, then this list becomes a list of
 # users to NOT chroot().
 #chroot_list_enable=YES
 # (default follows)
 #chroot_list_file=/opt/etc/vsftpd.chroot_list

 #
 # You may activate the "-R" option to the builtin ls. This is disabled by
 # default to avoid remote users being able to cause excessive I/O on large
 # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
 # the presence of the "-R" option, so there is a strong case for enabling it.
 ls_recurse_enable=YES
to:

(:table border=0 width=100% bgcolor=#eeffee:) (:cell:)

 
# Example config file /opt/etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
vsftpd_log_file=/opt/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the NSLU2 vsftp daemon.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/opt/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/opt/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

(:tableend:)
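
Review bot: in the re-wrapped vsftpd.conf block, ls_recurse_enable=YES stays switched on although its own comment says the option is disabled by default to stop remote users causing excessive I/O; I would ship it commented out and let people with clients that need "-R" enable it. The block also sets local_enable=YES and write_enable=YES with no chroot_local_user line, so every local account that can log in sees the whole filesystem; a commented "#chroot_local_user=YES" next to the chroot_list options would at least point readers at the containment setting.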

August 23, 2005, at 08:43 PM by nsc --
Changed line 15 from:

if ( [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ) then

to:

if [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ; then
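
Review bot: the guard in the new "if" line greps for the bare string vsftpd, so a commented-out or otherwise unrelated line that mentions vsftpd counts as "already configured" and the ftp entry is then never added. Matching the service field at the start of the line (a line beginning with "ftp" followed by whitespace) checks what inetd will actually act on, and it also catches an ftp entry left behind by another daemon. The subshell parentheses around grep are not needed; "! grep -q ..." does the same job.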

July 20, 2005, at 08:31 PM by DougLourey --
Changed lines 60-67 from:
Solution: Use vi to edit /opt/passwd '#vi /opt/passwd' and change "/root" to "/"

Before: root:BlqE?/Rhsz9nZ5?:0:0:root:/root:/bin/sh After: root:BlqE?/Rhsz9nZ5?:0:0:root:/:/bin/sh or create a sub-directory for root

  1. mkdir /root
to:
Cause: The sub-directory /root does not exist
Solution 1: Use #mkdir /root to create the sub-directory
Solution 2: Use vi to edit the /opt/passwd file. Change /root to / or an existing directory.
July 20, 2005, at 08:22 PM by DougLourey --
Changed lines 61-62 from:
to:
Solution: Use vi to edit /opt/passwd '#vi /opt/passwd' and change "/root" to "/"

Before: root:BlqE?/Rhsz9nZ5?:0:0:root:/root:/bin/sh After: root:BlqE?/Rhsz9nZ5?:0:0:root:/:/bin/sh or create a sub-directory for root

  1. mkdir /root
July 20, 2005, at 04:35 PM by DougLourey --
Changed lines 59-62 from:
to:
  • Problem: 500 OOPS: cannot change directory:/root when attempting to Login as root
June 29, 2005, at 10:42 PM by RobHam -- # /unslung/rc.xinetd added to script section for clarity
Changed lines 11-19 from:
 #!/bin/sh

 if ( [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ) then
   echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
 fi

 return 1
to:
 
#!/bin/sh
# /unslung/rc.xinetd

if ( [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ) then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
fi

return 1

June 29, 2005, at 09:13 PM by Frans Meulenbroeks -- added a line to tell that /opt/var/log should exist
Added line 7:
  1. If you use the default vsftpd.conf make sure that /opt/var/log exists and is writable by vsftpd
May 05, 2005, at 08:33 AM by Arno -- added question to Tip #3
Changed lines 130-131 from:
to:

Comment: [Arno] This will allow the users to write or not write at all. What if there is a public directory that all users should have readonly access to (from their homedirs), but still be able to read/write in their own homedirs?

January 24, 2005, at 05:19 PM by bob_tm --
Changed line 14 from:
   echo "ftp stream tcp nowait root /opt/sbin/vsftpd" >>/etc/inetd.conf
to:
   echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
January 21, 2005, at 04:19 PM by C de Bruin --
Added lines 53-57:
  • Problem: When trying to ftp into the slug, it gives a message 500 OOPS: vsftpd: cannot locate user specified in 'ftp_username':ftp""
Solution: Change the echo line in /unslung/rc.xinetd to: echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf
January 19, 2005, at 07:24 PM by Mathieu --
Added lines 49-51:
  • Problem: Users without access to a shell cannot log in
Solution: Add the "check_shell=NO" option in your vsftpd conf file (usually (/opt/etc/vsftpd.conf)
January 18, 2005, at 01:15 PM by bobtm --
Changed lines 13-14 from:
 if ( [ ! -f /etc/inetd.conf ] || !(grep proftpd /etc/inetd.conf -q) ) then
   echo "ftp stream tcp nowait root /opt/sbin/proftpd" >>/etc/inetd.conf
to:
 if ( [ ! -f /etc/inetd.conf ] || !(grep vsftpd /etc/inetd.conf -q) ) then
   echo "ftp stream tcp nowait root /opt/sbin/vsftpd" >>/etc/inetd.conf
Changed line 69 from:
If you've updated busybox, the /etc/shells file as described in http://www.nslu2-linux.org/wiki/Unslung/UpgradeBusyBoxUsingIpkg is needed.
to:
If you've updated busybox, the /etc/shells file as described in http://www.nslu2-linux.org/wiki/Unslung/UpgradeBusyBoxUsingIpkg Unslung.UpgradeBusyBoxUsingIpkg is needed.
Added line 131:
January 15, 2005, at 04:00 PM by bobtm --
Changed lines 13-14 from:
 if ( !(grep vsftp /etc/inetd.conf -q) ) then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf 
to:
 if ( [ ! -f /etc/inetd.conf ] || !(grep proftpd /etc/inetd.conf -q) ) then
   echo "ftp stream tcp nowait root /opt/sbin/proftpd" >>/etc/inetd.conf
Added line 240:
January 12, 2005, at 07:59 PM by bobtm --
Changed lines 7-8 from:
  1. Add a line like echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf to your /unslung/rc.xinetd file (note that this file is not created automatically - you either will have created it previously, or you will need to create it now according to the README distributed with Unslung). That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
  2. Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
to:
  1. Create (or modify existing) diversion script /unslung/rc.xinetd . Previous suggestions were broken in that multiple lines could be added or other services, like telnetd, become disabled. A good solution (not just for vsftpd, but for all applications needing entries in inetd.conf) seem to be:

table border=0 width=100% bgcolor=#eeffee? cell?

 #!/bin/sh

 if ( !(grep vsftp /etc/inetd.conf -q) ) then
  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf 
 fi

 return 1

tableend?

  1. Note: Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
Deleted lines 48-58:
  • Problem: Using the echo XXXXXX >> /etc/inetd.conf solution in /unslung/rc.xinitd adds multiple lines when Enabling and Disabling telnet.
Solution: Use this script as /unslung/rc.xinitd instead:

#!/bin/sh

if ( !(grep vsftp /etc/inetd.conf -q) ) then echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf fi

return 1

Added line 121:
January 11, 2005, at 07:46 PM by RickardDahlstrand --
Changed line 40 from:

@@#!/bin/sh

to:

#!/bin/sh

Changed lines 42-44 from:

if ( !(grep vsftp /etc/inetd.conf -q) ) then

  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf 

fi

to:

if ( !(grep vsftp /etc/inetd.conf -q) ) then echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf fi

Changed line 46 from:

return 1@@

to:

return 1

Added line 77:
January 11, 2005, at 07:44 PM by RickardDahlstrand --
Added lines 36-47:
  • Problem: Using the echo XXXXXX >> /etc/inetd.conf solution in /unslung/rc.xinitd adds multiple lines when Enabling and Disabling telnet.
Solution: Use this script as /unslung/rc.xinitd instead:

@@#!/bin/sh

if ( !(grep vsftp /etc/inetd.conf -q) ) then

  echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf 

fi

return 1@@

January 11, 2005, at 07:01 PM by bobtm --
Added line 8:
  1. Make sure that the file /unslung/rc.xinetd file ends with the line "return 1" in order for inetd to be started when /etc/rc.d/rc.xinetd is executed
January 11, 2005, at 02:44 AM by wstewart --
Changed line 31 from:
  • Problem: After upgrading vsftpd, error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
to:
  • Problem: After upgrading vsftpd, can't connect and FTP client gives error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
January 11, 2005, at 02:44 AM by wstewart --
Added lines 31-34:
  • Problem: After upgrading vsftpd, error message "500 OOPS: vsftpd: not found: directory given in 'secure_chroot_dir':/usr/share/empty"
Solution: Create (mkdir) /usr/share and /usr/share/empty from a telnet session
January 05, 2005, at 06:35 AM by wstewart --
Added lines 103-116:

Tip #4 - Security - Disable root and admin

By default vsftp will allow root and admin to login if setup with a home dir in /etc/passwd. To disable root, admin and guest, do the following:

Create /opt/etc/vsftpd.user_list with

admin
root
guest

Add these lines to /opt/etc/vsftpd.conf

userlist_enable=YES
userlist_file=/opt/etc/vsftpd.user_list
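
Review bot: the two lines added to vsftpd.conf deny the listed accounts only because userlist_deny defaults to YES, and the tip never says so. I would add userlist_deny=YES explicitly: with userlist_deny=NO the same file becomes the list of the only users allowed to log in, which here would be admin, root and guest. It is also worth noting in the tip that the accounts must be listed one per line, as shown.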

December 31, 2004, at 01:08 PM by Olivier Mungo --
Changed line 92 from:

cp /opt/etc/vsftpd.conf /opt/etc/vsftpd_user_conf/johndoe

to:

cp /opt/etc/vsftpd.conf /opt/etc/vsftpd_user_conf/johndoe

December 31, 2004, at 01:07 PM by Olivier Mungo --
Added line 83:
Added line 89:
December 31, 2004, at 01:06 PM by Olivier Mungo --
Added lines 78-101:

Tip #3 - Enabling different user level access

For example, allowing userX to be able to read/write on /share/hdd/data/mp3, while userY can only read the files.

1. Follow the guidelines in Tip #1 (here above) 2. Add the following line to the /opt/etc/vsftpd.conf file

user_config_dir=/opt/etc/vsftpd_user_conf

3. Create the directory /opt/etc/vsftpd_user_conf 4. For each FTP user copy the /opt/etc/vsftpd.conf file to /opt/etc/vsftpd_user_conf directory and name it by the name of the user

cp /opt/etc/vsftpd.conf /opt/etc/vsftpd_user_conf/johndoe

5. Customize the new configuration file (/opt/etc/vsftpd_user_conf/johndoe) for the access you want to grant to that user

write_enable=YES

OR

write_enable=NO
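
Review bot: step 4 copies the whole of /opt/etc/vsftpd.conf into each per-user file, so any later hardening of the global file has to be repeated for every user and a stale copy silently keeps the old settings. A file in user_config_dir only needs the options that differ for that user, here the single write_enable line. Users without a per-user file fall back to the global config, so I would make the global setting the restrictive one (write_enable=NO) and grant write access per user.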


December 30, 2004, at 03:33 PM by jeremyeglen --
Changed line 61 from:

Tip #2 - Logging

to:

Tip #2 - Logging (note that this will become the default as of ipk version 2.0.1-5)

Changed line 78 from:

Below is the vsftpd.conf file distributed with the ipk for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

to:

Below is the vsftpd.conf file distributed with the ipk (2.0.1-5) for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

Changed line 131 from:
 xferlog_file=/opt/var/log/vsftpd.log
to:
 vsftpd_log_file=/opt/var/log/vsftpd.log
December 30, 2004, at 02:37 PM by jeremyeglen --
Changed line 7 from:
  1. Add a line like echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf to your /unslung/rc.xinetd file (note that this file is not created automatically - you either will have created it previously, or you will need to create it now). That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
to:
  1. Add a line like echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf to your /unslung/rc.xinetd file (note that this file is not created automatically - you either will have created it previously, or you will need to create it now according to the README distributed with Unslung). That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
December 30, 2004, at 12:55 PM by bobtm --
Added lines 27-30:
  • Problem: vsftpd does not start after installing inetutils
Solution: Inetutils uses its own inetd.conf file stored in /opt/etc but does not import what is already in /etc/inetd.conf upon installation. Insert a line for vsftp there and do kill -HUP <PID of inetd> for inetd to reread the configuration. Note that the format for inetd.conf lines is different from that given here (the program base name must be given as the first argument), so the line should read ftp stream tcp nowait root /opt/sbin/vsftpd vsftpd /opt/etc/vsftpd.conf. Maybe you would like to add telnet while you're at it, since it will no longer start after installing inetutils (add telnet stream tcp nowait root /opt/libexec/telnetd telnetd as a line in /opt/etc/inetd.conf)
December 30, 2004, at 09:40 AM by rwhitby --
Changed line 59 from:

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is on the flash file system if I'm not mistaken, if your worried about running out space or writing to your flash to many times, do the following

to:

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is in a ramdisk, if you're worried about running out space or want the logs to be persistent across reboots, do the following

December 30, 2004, at 09:26 AM by wstewart --
Changed line 29 from:

Tips - Enabling User Level Access

to:

Tip #1 - Enabling User Level Access

Added lines 54-70:

Tip #2 - Logging

The default settings in vsftpd.conf cause vsftpd to log to /var/log. This is on the flash file system if I'm not mistaken, if your worried about running out space or writing to your flash to many times, do the following

mkdir /share/hdd/conf/opt/var
mkdir /share/hdd/conf/opt/var/log
Edit /share/hdd/conf/opt/etc/vsftpd.conf, comment out the line
xferlog_file=/opt/var/log/vsftpd.log
then add the following
vsftpd_log_file=/opt/var/log/vsftpd.log
December 30, 2004, at 05:11 AM by wstewart --
Changed line 40 from:
someuser:xxxx:2000:501::/share/hdd/data/userdir:/bin/sh
to:
someuser:xxxx:2000:501::/share/hdd/data/someuser:/bin/sh
Changed line 43 from:
''If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.
to:
If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.
December 30, 2004, at 05:10 AM by wstewart --
Changed lines 29-31 from:

Tips

Enabling User Level Access

to:

Tips - Enabling User Level Access

Added line 52:
December 30, 2004, at 05:09 AM by wstewart --
Changed line 35 from:
/etc/passwd
to:

/etc/passwd

Deleted line 36:
->bstewart:scRbGh3Odyf8U:2000:501:::/dev/null
Changed line 38 from:
change this to:
to:
someuser:xxxx:2000:501:::/dev/null
Changed lines 40-54 from:
bstewart:scRbGh3Odyf8U:2000:501::/share/hdd/data:/opt/bin/sh
to:
change this to:
someuser:xxxx:2000:501::/share/hdd/data/userdir:/bin/sh
where /share/hdd/data/someuser is the users home directory. If you've updated busybox, the shell should be /opt/bin/sh instead
''If you change a user password in the web gui, it will reset the /etc/passwd changes, you'll change to make the changes above again.

If you've updated Busybox

If you've updated busybox, the /etc/shells file as described in http://www.nslu2-linux.org/wiki/Unslung/UpgradeBusyBoxUsingIpkg is needed.

Enable chroot jail

add the following to /opt/etc/vsftpd.conf
chroot_local_user=YES

This will prevent users from being able to access other users directories and the rest of the file system. Without it, users have access to /. I haven't fully tested this security option on the nslu2 but it seems to work.
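
Review bot: the passwd change gives the FTP account a real login shell (/bin/sh or /opt/bin/sh) purely so that vsftpd will accept the login, and chroot_local_user=YES is then the only containment. vsftpd.conf.5 warns that chroot_local_user has security implications when users have upload permission or shell access, and this setup has both, since write_enable=YES is in the default config. Keeping the null shell and setting check_shell=NO in vsftpd.conf, the option a later revision of this page gives for users without a shell, lets the account use FTP without also handing it a shell.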

December 30, 2004, at 05:01 AM by wstewart --
Added lines 29-44:

Tips

Enabling User Level Access

To enable use of user account username/password for FTP, the following worked for me

/etc/passwd
By default the web gui creates users with no home directory and a null shell. Heres an example of what the gui creates by default:
->bstewart:scRbGh3Odyf8U:2000:501:::/dev/null
change this to:
bstewart:scRbGh3Odyf8U:2000:501::/share/hdd/data:/opt/bin/sh

December 23, 2004, at 03:59 AM by jeremyeglen --
Changed line 19 from:
Solution: Update to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
to:
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
Changed line 25 from:
Solution: You need librt.so.1. This is included in Unslung v3 (see GettingStarted), and may go into future versions of the vsftpd package
to:
Solution: Upgrade to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
December 21, 2004, at 09:22 PM by jeremyeglen --
Added lines 14-28:

Troubleshooting

  • Problem: When I ftp into my slug running vsftpd, I get

/opt/bin/vsftpd: 1: Syntax error: "(" unexpected

Solution: Update to the newest version of the vsftpd package with ipkg remove vsftpd ; ipkg update ; ipkg install vsftpd
  • Problem: vsftpd gives the error

/opt/sbin/vsftpd: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory

Solution: You need librt.so.1. This is included in Unslung v3 (see GettingStarted), and may go into future versions of the vsftpd package

December 18, 2004, at 09:36 PM by wipmac --
Changed line 7 from:
  1. Add a line like echo "ftp stream tcp nowait root /opt/bin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf to your /unslung/rc.xinetd file (note that this file is not created automatically - you either will have created it previously, or you will need to create it now). That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
to:
  1. Add a line like echo "ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf to your /unslung/rc.xinetd file (note that this file is not created automatically - you either will have created it previously, or you will need to create it now). That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
December 18, 2004, at 10:42 AM by rwhitby --
Changed line 7 from:
  1. Add a line like echo "ftp stream tcp nowait root /opt/bin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf to your /unslung/rc.xinetd file. That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
to:
  1. Add a line like echo "ftp stream tcp nowait root /opt/bin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf to your /unslung/rc.xinetd file (note that this file is not created automatically - you either will have created it previously, or you will need to create it now). That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
December 18, 2004, at 06:04 AM by scott --
Changed line 7 from:
  1. Add a line like echo \"ftp stream tcp nowait root /opt/bin/vsftpd /opt/etc/vsftpd.conf\" >>/etc/inetd.conf to your /unslung/rc.xinetd file. That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
to:
  1. Add a line like echo "ftp stream tcp nowait root /opt/bin/vsftpd /opt/etc/vsftpd.conf" >>/etc/inetd.conf to your /unslung/rc.xinetd file. That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
December 17, 2004, at 02:33 PM by jeremyeglen --
Changed line 7 from:
  1. Add a line like echo \"ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf\" >>/etc/inetd.conf to your /unslung/rc.xinetd file. That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
to:
  1. Add a line like echo \"ftp stream tcp nowait root /opt/bin/vsftpd /opt/etc/vsftpd.conf\" >>/etc/inetd.conf to your /unslung/rc.xinetd file. That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
December 16, 2004, at 03:22 PM by jeremyeglen --
Changed lines 1-120 from:

Describe {{Vsftpd}} here.

to:

vsftpd is the very secure file transfer protocol daemon (http://vsftpd.beasts.org/). It's the ftp server of choice for kernel.org, gnu.org, RedHat, Debian, FreeBSD, OpenBSD and a cast of thousands. It runs quite well on the slug utilizing little memory and processor time.

The postinst file distributed with the ipk should take care of a couple of details, but in case it doesn't, here's what vsftpd needs to be fully enabled:

  1. Create the empty jail directory as root with mkdir -p /usr/share/empty
  2. Ensure vsftpd.conf is in /opt/etc (the default vsftpd.conf is below)
  3. Add a line like echo \"ftp stream tcp nowait root /opt/sbin/vsftpd /opt/etc/vsftpd.conf\" >>/etc/inetd.conf to your /unslung/rc.xinetd file. That will cause /unslung/rc.xinetd to add the line to /etc/inetd.conf
  4. Restart xinetd with /etc/rc.d/rc.xinetd

Test it out with your favorite ftp client, and enjoy.


Below is the vsftpd.conf file distributed with the ipk for NSLU2. The conf file is well commented and should be placed in /opt/etc/vsftpd.conf. By default, write access is enabled for local users (i.e. users with a username/password), but there is no anonymous access. Recursive directory listings default to on.

 # Example config file /opt/etc/vsftpd.conf
 #
 # The default compiled in settings are fairly paranoid. This sample file
 # loosens things up a bit, to make the ftp daemon more usable.
 # Please see vsftpd.conf.5 for all compiled in defaults.
 #
 # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
 # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
 # capabilities.
 #
 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
 anonymous_enable=NO
 #
 # Uncomment this to allow local users to log in.
 local_enable=YES
 #
 # Uncomment this to enable any form of FTP write command.
 write_enable=YES
 #
 # Default umask for local users is 077. You may wish to change this to 022,
 # if your users expect that (022 is used by most other ftpd's)
 local_umask=022
 #
 # Uncomment this to allow the anonymous FTP user to upload files. This only
 # has an effect if the above global write enable is activated. Also, you will
 # obviously need to create a directory writable by the FTP user.
 #anon_upload_enable=YES
 #
 # Uncomment this if you want the anonymous FTP user to be able to create
 # new directories.
 #anon_mkdir_write_enable=YES
 #
 # Activate directory messages - messages given to remote users when they
 # go into a certain directory.
 dirmessage_enable=YES
 #
 # Activate logging of uploads/downloads.
 xferlog_enable=YES
 #
 # Make sure PORT transfer connections originate from port 20 (ftp-data).
 connect_from_port_20=YES
 #
 # If you want, you can arrange for uploaded anonymous files to be owned by
 # a different user. Note! Using "root" for uploaded files is not
 # recommended!
 #chown_uploads=YES
 #chown_username=whoever
 #
 # You may override where the log file goes if you like. The default is shown
 # below.
 xferlog_file=/opt/var/log/vsftpd.log
 #
 # If you want, you can have your log file in standard ftpd xferlog format
 #xferlog_std_format=YES
 #
 # You may change the default value for timing out an idle session.
 #idle_session_timeout=600
 #
 # You may change the default value for timing out a data connection.
 #data_connection_timeout=120
 #
 # It is recommended that you define on your system a unique user which the
 # ftp server can use as a totally isolated and unprivileged user.
 #nopriv_user=ftpsecure
 #
 # Enable this and the server will recognise asynchronous ABOR requests. Not
 # recommended for security (the code is non-trivial). Not enabling it,
 # however, may confuse older FTP clients.
 #async_abor_enable=YES
 #
 # By default the server will pretend to allow ASCII mode but in fact ignore
 # the request. Turn on the below options to have the server actually do ASCII
 # mangling on files when in ASCII mode.
 # Beware that turning on ascii_download_enable enables malicious remote parties
 # to consume your I/O resources, by issuing the command "SIZE /big/file" in
 # ASCII mode.
 # These ASCII options are split into upload and download because you may wish
 # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
 # without the DoS? risk of SIZE and ASCII downloads. ASCII mangling should be
 # on the client anyway..
 #ascii_upload_enable=YES
 #ascii_download_enable=YES
 #
 # You may fully customise the login banner string:
 ftpd_banner=Welcome to the NSLU2 vsftp daemon.
 #
 # You may specify a file of disallowed anonymous e-mail addresses. Apparently
 # useful for combatting certain DoS? attacks.
 #deny_email_enable=YES
 # (default follows)
 #banned_email_file=/opt/etc/vsftpd.banned_emails
 #
 # You may specify an explicit list of local users to chroot() to their home
 # directory. If chroot_local_user is YES, then this list becomes a list of
 # users to NOT chroot().
 #chroot_list_enable=YES
 # (default follows)
 #chroot_list_file=/opt/etc/vsftpd.chroot_list
 #
 # You may activate the "-R" option to the builtin ls. This is disabled by
 # default to avoid remote users being able to cause excessive I/O on large
 # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
 # the presence of the "-R" option, so there is a strong case for enabling it.
 ls_recurse_enable=YES