 vsftpd - Stable branch
Section: Unix

 

Added: Thu, Feb 1st 2001 21:16 PDT (7 years, 3 months ago) Updated: Wed, Feb 13th 2008 13:38 PDT (2 months, 29 days ago)


About:
vsftpd is a secure and fast FTP server for UNIX-like systems that is used on many large and critical Internet sites. Its rich feature set includes SSL encryption, IPv6, bandwidth throttling, PAM integration, virtual users, virtual IPs and per-user / per-IP configuration.

Author:
Chris Evans

Rating:
8.68/10.00 (46 votes)

Homepage:
http://vsftpd.beasts.org/
Tar/GZ:
ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.0.6.tar.gz
Changelog:
ftp://vsftpd.beasts.org/[..]sers/cevans/untar/vsftpd-2.0.6/Changelog

Trove categories:
[Development Status]  5 - Production/Stable
[License]  OSI Approved :: GNU General Public License (GPL)
[Programming Language]  C
[Topic]  Internet :: File Transfer Protocol (FTP)

Dependencies:
No dependencies filed

 
Project admins:
» Chris Evans (Owner)

» Rating: 8.68/10.00 (Rank 147)
» Vitality: 0.29% (Rank 1017)
» Popularity: 14.29% (Rank 99)

   Record hits: 290,308
   URL hits: 100,542
   Subscribers: 196

Other projects from the same categories:
PureAdmin
yafc
curl and libcurl
nanoFTPd
CyberFusion Integration Suite

Users who subscribed to this project also subscribed to:
PHP Screw
archmbox
Payroll Perl Modules
Mutt
Workflow



 Branches

Branch Version Last release License URLs
Stable 2.0.6 13-Feb-2008 GNU General Public License (GPL) Homepage Tar/GZ Changelog

 Comments

[»] Enable virtual and local users on a PAM file
by zoonalex - Jul 17th 2007 09:47:41

I just want to know if it's possible to enable virtual and local users on a PAM file.

My vsftpd.conf:
-----------------------------------------------------------
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022

anon_upload_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES

chroot_list_enable=NO
chroot_list_file=/etc/vsftpd.chroot_list

userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist_file

guest_enable=YES
guest_username=virtual

pam_service_name=ftp

use_localtime=YES

user_config_dir=/etc/vsftpd_user_conf
-----------------------------------------------------------
I know there are different PAM files for virtual users and local users. I tried to merge these files without success. But when I tried this new PAM file I was able to log in with local and virtual users.

-----------------------------------------------------------
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_userdb.so db=/etc/vsftpd_login
auth required /lib/security/pam_unix.so shadow nullok
auth required /lib/security/pam_shells.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_userdb.so db=/etc/vsftpd_login
session required /lib/security/pam_unix.so
-----------------------------------------------------------
The drawback was that local users were logged in as virtual users and not into their home directories.

Is there a way to correct this drawback?
Sorry for my English.

[reply] [top]


[»] VSFTPD Virtual Users Setup (with individual FTP home directories)
by alien2thisworld - Mar 19th 2007 14:08:55

I wrote a guide on how to set up virtual FTP users in vsftpd (with individual FTP home directories and full read/write access) since I found the documentation on this a little incomplete (and there are several questions about this in the comments for this project). You can find the setup guide here:

http://alien2thisworld.net/sitePages/tutorials/vsftpd_virtual_users_setup.html
I hope others find it useful.

[reply] [top]


    [»] Re: VSFTPD Virtual Users Setup (with individual FTP home directories)
    by jMCg - Jun 28th 2007 09:00:12

    For an active supporter in #vsftpd on freenode, I'm really not checking this project website often enough.

    We have started a vsftpd wiki, where we collect how-tos, know-how and patches.

    Contrary to

    > http://alien2thisworld.net/sitePages/tutorials/vsftpd_virtual_users_setup.html
    It's still available...

    >

    > I hope others find it useful.
    Yep, same here

    So long,
    Igor

    [reply] [top]


[»] Daylight savings
by Nate - Feb 22nd 2007 12:19:01

Any issues with vsftpd and the daylight savings changes in the US this year? Thanks.

[reply] [top]


[»] display vsftpd banner via client's web browser
by slc - Dec 27th 2006 10:49:23

We are required to display a login banner to users. I am having trouble getting the banner to display from within a web browser. It can be seen from command line access. Is there a way to implement this? If so, could you please direct me to documentation for implementing the banner to be displayed within a client's browser.

[reply] [top]


[»] Issue with simultaneous connections
by sa99 - Nov 30th 2006 23:28:46

I am facing an issue with user IDs being unable to open multiple FTPS connections to the same site running vsftpd 2.0.4. My max_clients is set to 0, which implies there are no restrictions from the config side. Is there anything I am missing here?

[reply] [top]


[»] Certificate requirements
by Leroy - Nov 23rd 2006 21:51:45

The only thing I found which works is 'openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem' but I'm getting a "Fatal: self-signed certificate" when trying to use it with lftp. Are there other options? Thanks for any help.

[reply] [top]


    [»] Re: Certificate requirements
    by Leroy - Dec 30th 2006 19:32:48


    > The only thing I found which works is
    > 'openssl req -new -x509 -nodes -out
    > vsftpd.pem -keyout vsftpd.pem' but I'm
    > getting a "Fatal: self-signed
    > certificate" when trying to use it
    > with lftp. Are there other options?
    > Thanks for any help.


    Found the answer (thanks cacert.org - Google
    for 'vsftpd certificate' without the quotes),
    hopefully it will help someone else.

    For a signed, unencrypted key certificate:
    #Create certificate request (written to vsftpd.req, which the signing step reads)
    openssl req -new -days 365 -config vsftpd.cnf \
    -keyout vsftpd.key -out vsftpd.req
    #Sign the request
    openssl ca -config vsftpd.cnf -in vsftpd.req \
    -out vsftpd.crt
    #Extract unencrypted key out of encrypted one
    openssl rsa -in vsftpd.key -out vsftpd_out.key
    #Combine certificate and unencrypted key
    cat vsftpd.crt vsftpd_out.key > vsftpd.pem

    For a signed, encrypted key certificate simply copy
    vsftpd.key instead of vsftpd_out.key to vsftpd.pem.
    You will be prompted for the pass phrase at startup.

    [reply] [top]


[»] Who is downloading what from where?
by Robert Orri Brooks - Oct 29th 2006 02:15:03

Is there any way for me to parse the log so I can see from where (what IP) a user is DL files from, or even from how many IPs a particular user has DL files from?

[reply] [top]


[»] IBM Mainframe JES2 Job SSL/TLS to AIX UNIX Store Unique Command Error
by PAT - Oct 4th 2006 14:48:11

SSL/TLS is running on our IBM mainframe v1r4 operating system and sending a file to an AIX 5.1 UNIX operating system server using the "Store Unique" command (so a unique file is created every time and it does not write over any existing files). The file transfer is using vsftpd version 2.0.5 and is successful; however, the mainframe SSL/TLS ftp step is receiving an error code of "EZA1735I FTP Return Code=27150, Error Code=0002". From what I can tell the vsftpd server (which is on the AIX 5.1 side) is sending back to the mainframe client an acknowledgment of the file being transferred TWICE. It seems this duplicate message is causing the mainframe job step error.

Has anyone seen this before and how can I stop this duplicate response from the server to stop the invalid error condition?

When transferring a file from UNIX to UNIX using vsftpd (using the Store Unique command) the duplicate line is also created but the vsftpd client can handle it and does not produce an invalid error message.

Below is an example of the mainframe jobstream output. The file transfer WAS successful, but the mainframe job failed. Any help in this matter would be greatly appreciated.

Thanks ..... Pat

EZA1736I FTP -r TLS "server name"
EZA1450I IBM FTP CS V1R4
EZA1772I FTP: EXIT has been set.
EZA1554I Connecting to: "server name" xxx.xxx.xxx.xxx port: 21.
220 (vsFTPd 2.0.5)
EZA1701I >>> AUTH TLS
234 Proceed with negotiation.
EZA2895I Authentication negotiation succeeded
EZA1459I NAME ("server name:User):
EZA1701I >>> USER xxxxxxxx
331 Please specify the password.
EZA1789I PASSWORD:
EZA1701I >>> PASS
230 Login successful.
EZA1460I Command:
EZA1736I ascii
EZA1701I >>> TYPE A
200 Switching to ASCII mode.
EZA1460I Command:
EZA1736I sunique
EZA1626I Store unique is ON
EZA1460I Command:
EZA1736I PUT 'PGCS.GBZ.COINS.FTP.INVOICES' +
EZA1736I /u/coins/incoming/GCSINV.TI10
EZA1701I >>> SITE FIXrecfm 144 LRECL=144 RECFM=FBA BLKSIZE=27936
500 Unknown SITE command.
EZA1701I >>> PORT xxx,xx,xxx,xx,13,87
200 PORT command successful. Consider using PASV.
EZA1701I >>> STOU /u/coins/incoming/GCSINV.TI10
150 FILE: /u/coins/incoming/GCSINV.TI10.1
EZA1485I 1858024 bytes transferred.
150 FILE: /u/coins/incoming/GCSINV.TI10.1
EZA1735I FTP Return Code = 27150, Error Code = 00002
EZA1701I >>> QUIT
226 File receive OK.

[reply] [top]


[»] FreeBSD Group Membership Bug
by chiefmojo - Sep 6th 2006 12:25:54

In a nutshell, if a user is a member of more than 16 groups authentication happens but the session is immediately dropped with the following error:

Name (case:foo): foo
331 Please specify the password.
Password:
421 Service not available, remote server has closed connection.
ftp: Login failed.

15 groups or less, no problem, everything works as expected. I initially ran into this on a FreeBSD 6.1 box running vsftpd 2.0.4; I subsequently upgraded to 2.0.5 but that didn't help. I was then able to duplicate this on a FreeBSD 4.11 server running vsftpd 2.0.4. This does seem to work as expected on Linux hosts -- it works on a CentOS 4 server, anyway. I haven't had a chance to test against any of the other BSDs.

[reply] [top]


[»] 'user_config_dir' bug
by cache22 - Aug 21st 2006 22:20:07

In previous versions, if 'user_config_dir' was set, vsftpd
would apply any user-specific configuration files it found in
the specified directory. If there was no such file for a given
user, the settings as specified in vsftpd.conf would be used.

Under v2.0.4 (and I presume v2.0.5, since I can't find any
mention of this issue in the changelog), user-specific config
files are *required* for each user if 'user_config_dir' is set.
If there's no config file for a given user, an access error is
generated.

In our setup we only need to change one or two settings for
a very small subset of users, so I consider the new
behaviour to be a bug.

[reply] [top]


[»] SCO Unix 5.07
by tsp-intl - Jul 12th 2006 15:47:56

read the faq and googled my eyes out.

I'm trying to setup vsftp on sco unix 5.07

compile errors
# make
gcc -c sysutil.c -O2 -Wall -W -Wshadow -idirafter dummyinc
sysutil.c:88: field `u_sockaddr_in6' has incomplete type
sysutil.c: In function `vsf_sysutil_activate_sigurg':
sysutil.c:656: `F_SETOWN' undeclared (first use in this function)
sysutil.c:656: (Each undeclared identifier is reported only once
sysutil.c:656: for each function it appears in.)
sysutil.c: In function `vsf_sysutil_dir_stat':
sysutil.c:1250: warning: implicit declaration of function `dirfd'
sysutil.c: In function `vsf_sysutil_statbuf_is_socket':
sysutil.c:1272: warning: implicit declaration of function `S_ISSOCK'
sysutil.c: In function `vsf_sysutil_statbuf_get_perms':
sysutil.c:1299: `S_IFSOCK' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_get_ipv6_sock':
sysutil.c:1574: `PF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_bind':
sysutil.c:1606: `AF_INET6' undeclared (first use in this function)
sysutil.c:1608: sizeof applied to an incomplete type
sysutil.c: In function `vsf_sysutil_accept_timeout':
sysutil.c:1674: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_connect_timeout':
sysutil.c:1708: `AF_INET6' undeclared (first use in this function)
sysutil.c:1743: `socklen_t' undeclared (first use in this function)
sysutil.c:1743: parse error before `socklen'
sysutil.c:1744: `socklen' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_getsockname':
sysutil.c:1771: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_getpeername':
sysutil.c:1796: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_alloc_ipv6':
sysutil.c:1857: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_clone':
sysutil.c:1874: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_addr_equal':
sysutil.c:1895: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_is_ipv6':
sysutil.c:1941: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_set_ipv4addr':
sysutil.c:1957: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_set_ipv6addr':
sysutil.c:1977: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_ipv6_v4':
sysutil.c:1993: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_get_raw_addr':
sysutil.c:2024: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_get_ipsock':
sysutil.c:2055: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_set_any':
sysutil.c:2074: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sockaddr_set_port':
sysutil.c:2093: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_inet_ntop':
sysutil.c:2121: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_dns_resolve':
sysutil.c:2188: `AF_INET6' undeclared (first use in this function)
sysutil.c: In function `vsf_sysutil_sleep':
sysutil.c:2560: storage size of `ts' isn't known
sysutil.c:2567: warning: implicit declaration of function `nanosleep'
sysutil.c:2560: warning: unused variable `ts'
*** Error code 1 (bu21)

runtime errors

# ./vsftpd &
3804
# ./vsftpd: service: not found
./vsftpd: socket_type: not found
./vsftpd: =: bad number

Thanks,

[reply] [top]


[»] Bug with solaris+sparc and pwd.
by PRIAP - Jun 2nd 2006 16:54:35

Hi,

I have an incoming directory so I want nobody can
list the directory:
chmod 111 incoming

I create a directory in incoming:
cd incoming;mkdir test;chmod 777 test

Now I connect to the FTP as anonymous. :
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd incoming
250 Directory successfully changed.
ftp> pwd
257 "/incoming"
ftp> cd test
250 Directory successfully changed.
ftp> pwd
257 ""
ftp> quit

pwd returns "" instead of "/incoming/test".
The answer of pwd command is incorrect with solaris 8
and solaris 10 on sparc but is correct with solaris 10 or
linux on x86. With wu-ftpd, pwd returns the good
answer on solaris+sparc.

I'm using vsftpd 2.0.3 and 2.0.4. I hide my directories
with hide_file in vsftpd.conf but it's not a good solution.

[reply] [top]


[»] Enabling SSL breaks chroot_local_user Jail... vsftpd-2.0.4
by Colin - May 5th 2006 02:16:40

Successfully tested local user Chroot Jail (chroot_local_user) on Fedora5 (vsftpd compiled from source).

However when SSL is enabled (ssl_enable), local user is no longer Chroot Jailed in their home directory. User is free to roam the entire file system.

Any suggestions as to why Chroot broke would be gratefully accepted...

Note: I have found other posts on the Net indicating similar problems in the past. However no suggestions on how to fix...

Colin

[reply] [top]


    [»] Re: Enabling SSL breaks chroot_local_user Jail... vsftpd-2.0.4
    by JimJams - May 7th 2006 10:51:27

    I have the same issue. I haven't found anyone who actually has it working.

    [reply] [top]


      [»] Re: Enabling SSL breaks chroot_local_user Jail... vsftpd-2.0.4
      by JimJams - May 7th 2006 10:53:05

      Consequently I'm thinking of switching to use a different FTP server. Possibly CrushFTP.

      [reply] [top]


        [»] Re: Enabling SSL breaks chroot_local_user Jail... vsftpd-2.0.4
        by Colin - May 7th 2006 18:22:47

        I would have thought that this was a fairly major security issue.
        It's a pity the problem made its way into a "Stable" version. On paper VSFTPD looked great - it's not until you actually try the different configurations that you start to find problems.
        I could possibly CHROOT the entire application - not sure how well that would work with PAM tho.

        I'm also looking at ProFTPD as an alternative.

        Colin

        [reply] [top]


          [»] Re: Enabling SSL breaks chroot_local_user Jail... vsftpd-2.0.4
          by Colin - Jun 12th 2006 17:15:45

          Found the problem... was using the wrong client! I was using WinSCP - which was talking to SSH and not vsftpd!! (i.e could still connect when vsftpd was not running).

          My last post was unfair on vsftpd. Please disregard.

          Belated post to help others who've fallen into the same trap (I found lots of posts on the net - but no solutions. PEBKAC! Problem exists between keyboard and chair).

          Apologies - Colin

          [reply] [top]


[»] Users can't change to home directory using vsftpd
by Brian Glasser - May 1st 2006 13:31:06

Hi
I installed vsftpd from the Fedora Core 5 distribution and am running version 2.0.4. I have included a copy of my /etc/vsftpd/vsftpd.conf file.

Any local users I have defined cannot log in. I saw that some guy in a previous release of Fedora had to get the vsftpd pam file from your website, which I did. However, that pam file totally broke vsftpd in core 5.

Do you know of any reason why I cannot have a user chroot to his/her home directory?

The user can login, just not change to the home dir so the server boots him off.

Here is the conf file:

anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd/banned_emails
chroot_list_enable=YES
#chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list
#ls_recurse_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES


Thanks for the help,
Brian

[reply] [top]


    [»] Re: Users can't change to home directory using vsftpd (Fedora5)
    by Colin - May 5th 2006 01:54:26

    Brian,
    You will possibly find that attempts to log in as a local user result in errors in /var/log/secure

    vsftpd: PAM [error: /lib/security/pam_pwdb.so: cannot open shared object file: No such file or directory]
    vsftpd: PAM adding faulty module: /lib/security/pam_pwdb.so

    The sample vsftp.pam file for RedHat distributed with the vsftpd source is as follows:

    #%PAM-1.0
    auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth required /lib/security/pam_pwdb.so shadow nullok
    auth required /lib/security/pam_shells.so
    account required /lib/security/pam_pwdb.so
    session required /lib/security/pam_pwdb.so

    In Fedora5 the file pam_pwdb.so has been replaced by pam_unix.so

    Replacing any occurrence of pam_pwdb.so in /etc/pam.d/ftp (or in your case /etc/pam.d/vsftpd) with pam_unix.so may allow your local users to log on.

    Do a google search for "pam_pwdb.so" "pam_unix.so" for more info.

    Colin

    [reply] [top]
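
A check for the situation described in the reply above, a PAM service file that names a module no longer installed, written as an added example (it is not from the thread or from the vsftpd distribution). The function names, the `root` parameter and the default module directories are assumptions of this example; the sample text is the RedHat sample file quoted in the reply.

```python
"""List PAM modules that a service file references but that are not on disk."""
import os
import re

# Sample input: the RedHat sample file quoted in the reply above.
SAMPLE_PAM = """\
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
"""

# type  control  module-path  [arguments]; the control may be a bracketed
# expression such as [success=1 default=ignore], and the type may carry a
# leading '-' (do not log if the module is missing).
RULE_RE = re.compile(
    r'^-?(?P<type>auth|account|password|session)\s+'
    r'(?P<control>\[[^\]]*\]|\S+)\s+'
    r'(?P<module>\S+)')


def referenced_modules(text):
    """Yield (line_no, type, module) for every rule that loads a module."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = RULE_RE.match(line)
        # 'include' and 'substack' name another service file, not a module.
        if m is None or m["control"] in ("include", "substack"):
            continue
        yield line_no, m["type"], m["module"]


def missing_modules(text, root="/",
                    module_dirs=("/lib/security", "/lib64/security")):
    """Return the rules whose module file does not exist under `root`.

    Absolute module paths are checked as written; bare names such as
    'pam_unix.so' are looked up in each of `module_dirs` (assumed defaults).
    """
    missing = []
    for line_no, kind, module in referenced_modules(text):
        if module.startswith("/"):
            candidates = [module]
        else:
            candidates = [os.path.join(d, module) for d in module_dirs]
        found = any(os.path.exists(os.path.join(root, c.lstrip("/")))
                    for c in candidates)
        if not found:
            missing.append((line_no, kind, module))
    return missing


if __name__ == "__main__":
    # Checks the sample against the local filesystem; pass the contents of
    # /etc/pam.d/vsftpd (or /etc/pam.d/ftp) to check a real service file.
    for line_no, kind, module in missing_modules(SAMPLE_PAM):
        print(f"line {line_no}: {kind} rule loads missing module {module}")
```

A rule marked `required` whose module cannot be loaded makes every login through that service fail, which matches the "PAM adding faulty module" lines in /var/log/secure quoted above.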


[»] vsftpd store unique
by PAT - Apr 21st 2006 13:34:31

I have been able to successfully install, customize and get operational the vsftpd software on AIX and Solaris platforms. However I am having a problem with the store unique (sunique) command. It doesn't seem to work like the old ftp command. I want a user to be able to ftp files (with the same name) and store them with unique file names incrementing a numeric identifier on the end of the file name (like test.file, test.file.1, test.file.2, test.file.3). Using the vsftpd software it doesn't work the same. With sunique turned on the first file gets the .1 name (even though it should not have the .1) and ftp's over fine and the second file gets the .2 name and has no data in the ftp'd file. I'm not sure how to get this to work. I've checked the 'man' pages, documentation and the internet to find an answer and have not had much luck. Hopefully someone else has come across this problem and has found a solution.

Thanks....Pat

[reply] [top]


[»] 2.0.4 make error: structure has no member named `tm_gmtoff'
by jboyle - Mar 7th 2006 11:47:15

I've got Sol2.9, gcc 3.3.2, latest 9_recommended, vsftpd 2.0.4.

With 2.0.4, I do a 'make' and get the following error (that i don't get w/ 2.0.3 or other versions) and can't find a fix/workaround:

sysutil.c: In function `vsf_sysutil_chroot':
sysutil.c:2443: warning: implicit declaration of function `setenv'
sysutil.c: In function `vsf_sysutil_tzset':
sysutil.c:2481: error: structure has no member named `tm_gmtoff'
*** Error code 1
make: Fatal error: Command failed for target `sysutil.o'

[reply] [top]


    [»] Re: 2.0.4 make error: structure has no member named `tm_gmtoff'
    by Dataserve - Mar 15th 2006 18:40:16


    > 2.0.3 or other versions) and can't find
    > a fix/workaround:

    Your OS needs to have IPv6 support.

    [reply] [top]


      [»] Re: 2.0.4 make error: structure has no member named `tm_gmtoff'
      by Laurent Maldo - Mar 24th 2006 02:42:40

      > Your OS needs to have IPv6 support.


      I'm on AIXv5.2, and unless I'm mistaken, It has full IPV6 support...
      This 'tm_gmtoff' doesn't seem to exist on AIX.
      Any workaround?

      [reply] [top]


        [»] Re: 2.0.4 make error: structure has no member named `tm_gmtoff'
        by larryt - Mar 26th 2006 14:52:26

        I have this problem on solaris9 also. Any suggestions appreciated. -larry

        [reply] [top]


    [»] Re: 2.0.4 make error: structure has no member named `tm_gmtoff'
    by Frank Rizzo - Apr 1st 2006 19:04:57


    > I've got Sol2.9, gcc 3.3.2, latest
    > 9_recommended, vsftpd 2.0.4.
    >
    > With 2.0.4, I do a 'make' and get the
    > following error (that i don't get w/
    > 2.0.3 or other versions) and can't find
    > a fix/workaround:
    >
    > sysutil.c: In function
    > `vsf_sysutil_chroot':
    > sysutil.c:2443: warning: implicit
    > declaration of function `setenv'
    > sysutil.c: In function
    > `vsf_sysutil_tzset':
    > sysutil.c:2481: error: structure has no
    > member named `tm_gmtoff'
    > *** Error code 1
    > make: Fatal error: Command failed for
    > target `sysutil.o'



    This is a feature of glibc. The below patch should work. I was able to get a build but did not have time to test it. Set the s_timezone variable to your GMT offset in seconds. In my case I am in Central (GMT-6) so 6*60*60 = -21600. I did this on a Solaris 9 box but should also work on AIX.

    --- vsftpd-2.0.4.orig/sysutil.c Mon Jan 9 11:05:18 2006
    +++ vsftpd-2.0.4/sysutil.c Sat Apr 1 20:54:32 2006
    @@ -2439,8 +2439,8 @@
    {
    hour = -hour;
    }
    - snprintf(envtz, sizeof(envtz), "UTC%+d:%d:%d", hour, min, sec);
    - setenv("TZ", envtz, 1);
    + snprintf(envtz, sizeof(envtz), "TZ=UTC%-d:%d:%d", hour, min, sec);
    + putenv(envtz);
    }
    }
    }
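
    Review bot: 'putenv(envtz)' in the first hunk keeps a pointer to the caller's buffer instead of copying the string as 'setenv' did, so if 'envtz' is a local array (its declaration is outside this hunk, but 'sizeof(envtz)' suggests one) the TZ entry in the environment points at dead storage once the function returns. Make the buffer static, or keep 'setenv' behind a platform check. The conversion also changed from '%+d' to '%-d'; '-' is the left-justify flag, not a sign, so a non-negative hour is now written without its '+'. If dropping the sign is intended, plain '%d' says so more clearly.
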
    @@ -2478,7 +2478,7 @@
    tzset();
    the_time = time(NULL);
    p_tm = localtime(&the_time);
    - s_timezone = -p_tm->tm_gmtoff;
    + s_timezone = -21600;
    }

    const char*
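
    Review bot: 's_timezone = -21600;' in the second hunk hard-codes one site's offset and never follows daylight saving, and it leaves 'the_time' and 'p_tm' computed but unused. The sign also needs checking against the line it replaces: tm_gmtoff counts seconds east of UTC, so for a zone six hours west of UTC the removed expression '-p_tm->tm_gmtoff' evaluates to +21600, not -21600. On platforms without tm_gmtoff the offset can be derived at run time, for example from the difference between localtime() and gmtime() for the same time_t, which would let the patch work unchanged in any zone.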

    [reply] [top]


      [»] Re: 2.0.4 make error: structure has no member named `tm_gmtoff'
      by Frank Rizzo - Apr 6th 2006 15:57:47

      the latest patch is at http://mirch.com/sysutil.c.patch

      [reply] [top]


        [»] Re: 2.0.4 make error: structure has no member named `tm_gmtoff'
        by stealth_cx - Apr 26th 2006 21:52:22


        > the latest patch is at
        >
        > http://mirch.com/sysutil.c.patch

        sorry, for my stupidity, I'm not too familiar with patching, would you mind to let me know how to use the patch?

        [reply] [top]


          [»] Re: 2.0.4 make error: structure has no member named `tm_gmtoff'
          by Frank Rizzo - Apr 29th 2006 16:32:39


          >
          > % the latest patch is at
          > %
          > % http://mirch.com/sysutil.c.patch
          > %
          >
          >
          > sorry, for my stupidity, I'm not too
          > familiar with patching, would you mind
          > to let me know how to use the patch?


          you need to use the patch program. cp the
          sysutil.c.patch to the build directory.

          ie:

          cd vsftpd-2.0.4
          patch < sysutil.c.patch
          make

          [reply] [top]


[»] Unable to connect to vsftpd (426 Failure writing network stream).
by Andrew E. Guly - Mar 4th 2006 07:32:24

RH Fedora Core 4
Current stable vsftpd and iptables from fc4 repo.
Can't connect to server:
Sat Mar 4 15:13:18 2006 [pid 16751] FTP response: Client "client_ip", "220 "
Sat Mar 4 15:13:18 2006 [pid 16751] FTP command: Client "client_ip", "USER username"
Sat Mar 4 15:13:18 2006 [pid 16751] [username] FTP response: Client "client_ip", "331 Please specify the password."
Sat Mar 4 15:13:18 2006 [pid 16751] [username] FTP command: Client "client_ip", "PASS <password>"
Sat Mar 4 20:13:18 2006 [pid 16750] [username] OK LOGIN: Client "client_ip"
Sat Mar 4 20:13:18 2006 [pid 16752] [username] FTP response: Client "client_ip", "230 Login successful."
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP command: Client "client_ip", "SYST"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP response: Client "client_ip", "215 UNIX Type: L8"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP command: Client "client_ip", "PWD"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP response: Client "client_ip", "257 "/""
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP command: Client "client_ip", "TYPE I"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP response: Client "client_ip", "200 Switching to Binary mode."
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP command: Client "client_ip", "PASV"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP response: Client "client_ip", "227 Entering Passive Mode (server_ip,191,211)"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP command: Client "client_ip", "EPSV"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP response: Client "client_ip", "229 Entering Extended Passive Mode (|||11923|)"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP command: Client "client_ip", "EPRT |1|client_ip|42733|"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP response: Client "client_ip", "200 EPRT command successful. Consider using EPSV."
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP command: Client "client_ip", "LIST -la"
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP response: Client "client_ip", "150 Here comes the directory listing."
Sat Mar 4 15:13:18 2006 [pid 16752] [username] FTP response: Client "client_ip", "426 Failure writing network stream."
----------------------------------------------

When I disable firewall, all works fine.

iptables status (configured with system-config-securitylevel-tui):
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5222
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5223
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5269
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8000
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
-------------------------------------------------------------

vsftpd.conf:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/not.chroot_list
use_sendfile=NO # From FAQ, about error 426
banner_file=/etc/vsftpd/banner
text_userdb_names=YES
session_support=YES
pasv_enable=YES
dual_log_enable=NO
log_ftp_protocol=YES
max_clients=100
max_per_ip=4
use_localtime=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES

----------------------------------------------------------------
What's wrong? The iptables rules? What do I need to change?

[reply] [top]


    [»] Re: Unable to connect to vsftpd (426 Failure writing network stream).
    by Andrew E. Guly - Mar 6th 2006 08:13:12

    Solved. modprobe ip_conntrack_ftp

    [reply] [top]


[»] vsftpd generating inconsistent time stamps in vsftpd.log
by Harry - Feb 15th 2006 04:37:02

The timestamps generated by vsftpd in the /var/log/vsftpd.log file are inconsistent, alternating between local (07:22) and GMT (12:22). This is causing my log analysis and security audit programs to generate inconsistent results.

I am using the following settings, in addition to etc/localtime in the chroot directory:

use_localtime=YES
xferlog_enable=YES
log_ftp_protocol=YES
dual_log_enable=NO
xferlog_std_format=NO
syslog_enable=NO

Note the inconsistent timestamps below for one failed login and one successful login:

Wed Feb 15 07:22:25 2006 [pid 8406] CONNECT: Client "208.45.XXX.XXX"
Wed Feb 15 12:22:25 2006 [pid 8406] FTP response: Client "208.45.XXX.XXX", "220 Welcome to birch FTP service."
Wed Feb 15 12:22:32 2006 [pid 8406] FTP command: Client "208.45.XXX.XXX", "USER foobar"
Wed Feb 15 12:22:32 2006 [pid 8406] [foobar] FTP response: Client "208.45.XXX.XXX", "530 Permission denied."
Wed Feb 15 12:22:32 2006 [pid 8406] FTP command: Client "208.45.XXX.XXX", "SYST"
Wed Feb 15 12:22:32 2006 [pid 8406] FTP response: Client "208.45.XXX.XXX", "530 Please login with USER and PASS."
Wed Feb 15 12:22:42 2006 [pid 8406] FTP command: Client "208.45.XXX.XXX", "USER XXXXXX"
Wed Feb 15 12:22:42 2006 [pid 8406] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "331 Please specify the password."
Wed Feb 15 12:22:47 2006 [pid 8406] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "PASS <password>"
Wed Feb 15 07:22:47 2006 [pid 8405] [XXXXXX] OK LOGIN: Client "208.45.XXX.XXX"
Wed Feb 15 07:22:47 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "230 Login successful."
Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "PASV"
Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "227 Entering Passive Mode (10,1,1,2,119,101)"
Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "RETR foo"
Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "150 Opening BINARY mode data connection for foo (4144 bytes)."
Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "226 File send OK."
Wed Feb 15 07:22:51 2006 [pid 8407] [XXXXXX] OK DOWNLOAD: Client "208.45.XXX.XXX", "/foo", 4144 bytes, 22.78Kbyte/sec
Wed Feb 15 07:22:52 2006 [pid 8407] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "QUIT"
Wed Feb 15 07:22:52 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "221 Goodbye."

Is this a bug, or is there yet another configuration parameter that I have missed for setting local time?

Much tnx for any help you can give me!

Harry

[reply] [top]


    [»] Re: vsftpd generating inconsistent time stamps in vsftpd.log
    by Harry - Feb 16th 2006 03:36:27


    > The timestamps generated by vsftpd in the /var/log/vsftpd.log file are inconsistent, alternating between local (07:22) and GMT (12:22). This is causing my log analysis and security audit programs to generate inconsistent results.
    >
    > I am using the following settings, in addition to etc/localtime in the chroot directory:
    >
    > use_localtime=YES
    > xferlog_enable=YES
    > log_ftp_protocol=YES
    > dual_log_enable=NO
    > xferlog_std_format=NO
    > syslog_enable=NO
    >
    > Note the inconsistent timestamps below for one failed login and one successful login:
    >
    > Wed Feb 15 07:22:25 2006 [pid 8406] CONNECT: Client "208.45.XXX.XXX"
    > Wed Feb 15 12:22:25 2006 [pid 8406] FTP response: Client "208.45.XXX.XXX", "220 Welcome to birch FTP service."
    > Wed Feb 15 12:22:32 2006 [pid 8406] FTP command: Client "208.45.XXX.XXX", "USER foobar"
    > Wed Feb 15 12:22:32 2006 [pid 8406] [foobar] FTP response: Client "208.45.XXX.XXX", "530 Permission denied."
    > Wed Feb 15 12:22:32 2006 [pid 8406] FTP command: Client "208.45.XXX.XXX", "SYST"
    > Wed Feb 15 12:22:32 2006 [pid 8406] FTP response: Client "208.45.XXX.XXX", "530 Please login with USER and PASS."
    > Wed Feb 15 12:22:42 2006 [pid 8406] FTP command: Client "208.45.XXX.XXX", "USER XXXXXX"
    > Wed Feb 15 12:22:42 2006 [pid 8406] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "331 Please specify the password."
    > Wed Feb 15 12:22:47 2006 [pid 8406] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "PASS <password>"
    > Wed Feb 15 07:22:47 2006 [pid 8405] [XXXXXX] OK LOGIN: Client "208.45.XXX.XXX"
    > Wed Feb 15 07:22:47 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "230 Login successful."
    > Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "PASV"
    > Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "227 Entering Passive Mode (10,1,1,2,119,101)"
    > Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "RETR foo"
    > Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "150 Opening BINARY mode data connection for foo (4144 bytes)."
    > Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "226 File send OK."
    > Wed Feb 15 07:22:51 2006 [pid 8407] [XXXXXX] OK DOWNLOAD: Client "208.45.XXX.XXX", "/foo", 4144 bytes, 22.78Kbyte/sec
    > Wed Feb 15 07:22:52 2006 [pid 8407] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "QUIT"
    > Wed Feb 15 07:22:52 2006 [pid 8407] [XXXXXX] FTP response: Client "208.45.XXX.XXX", "221 Goodbye."
    >
    > Is this a bug, or is there yet another configuration parameter that I have missed for setting local time?
    >
    > Much tnx for any help you can give me!
    >
    > Harry


    One other important piece of information. The following configuration option:

    log_ftp_protocol=YES

    appears to cause some FTP Protocol commands to be logged in GMT instead of local time, which is inconsistent with all the other vsftpd logging that takes place.

    [reply] [top]
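
The mixed local/GMT stamps in the excerpt above can be normalized before the log is fed to an audit tool. The following is an added example, not part of the thread or of vsftpd: it assumes the log is append-only and that the server's UTC offset is known (-5 hours in the excerpt); all function names are hypothetical.

```python
"""Normalize vsftpd.log timestamps that flip between local time and GMT."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"\[pid (?P<pid>\d+)\] (?P<rest>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
Record = namedtuple("Record", "utc written_as pid rest")

# Six lines taken from the excerpt in the post above (client address as redacted there).
SAMPLE_LOG = '''\
Wed Feb 15 07:22:25 2006 [pid 8406] CONNECT: Client "208.45.XXX.XXX"
Wed Feb 15 12:22:25 2006 [pid 8406] FTP response: Client "208.45.XXX.XXX", "220 Welcome to birch FTP service."
Wed Feb 15 12:22:42 2006 [pid 8406] FTP command: Client "208.45.XXX.XXX", "USER XXXXXX"
Wed Feb 15 12:22:47 2006 [pid 8406] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "PASS <password>"
Wed Feb 15 07:22:47 2006 [pid 8405] [XXXXXX] OK LOGIN: Client "208.45.XXX.XXX"
Wed Feb 15 07:22:50 2006 [pid 8407] [XXXXXX] FTP command: Client "208.45.XXX.XXX", "PASV"
'''


def parse_line(line):
    """Split one log line into (naive timestamp, pid, remainder), or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    stamp = datetime.strptime(" ".join(m.group("ts").split()), TS_FORMAT)
    return stamp, int(m.group("pid")), m.group("rest")


def _walk(parsed, offset, first_zone):
    """Greedy pass: for each line pick the reading (local or UTC) that keeps
    the append-only log moving forward with the smallest gap."""
    records, prev, backwards, total_gap = [], None, 0, timedelta(0)
    for stamp, pid, rest in parsed:
        readings = {"local": stamp - offset, "utc": stamp}
        if prev is None:
            zone = first_zone
        else:
            zone = min(
                readings,
                key=lambda z: (readings[z] < prev, abs(readings[z] - prev)),
            )
            backwards += readings[zone] < prev
            total_gap += abs(readings[zone] - prev)
        prev = readings[zone]
        records.append(Record(prev, zone, pid, rest))
    return (backwards, total_gap), records


def normalize(lines, local_utc_offset):
    """Return Records with every timestamp converted to UTC.

    local_utc_offset is the server's zone as a timedelta (assumption: it is
    known and constant over the file). The first line is ambiguous, so both
    readings are tried and the walk with fewer backward jumps, then the
    smaller summed gap, wins.
    """
    parsed = [p for p in map(parse_line, lines) if p is not None]
    walks = [_walk(parsed, local_utc_offset, zone) for zone in ("local", "utc")]
    return min(walks, key=lambda walk: walk[0])[1]


def zones_by_pid(records):
    """Map each vsftpd process id to the set of zones it was seen writing in."""
    seen = {}
    for rec in records:
        seen.setdefault(rec.pid, set()).add(rec.written_as)
    return seen


if __name__ == "__main__":
    recs = normalize(SAMPLE_LOG.splitlines(), timedelta(hours=-5))
    for rec in recs:
        print(rec.utc.isoformat(), rec.written_as.ljust(5), rec.pid, rec.rest)
    print(zones_by_pid(recs))
```

On the sample, only the pre-login process (pid 8406) is seen writing in both zones, which narrows where to look when comparing configurations.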


[»] SSL+virtual user BUG?
by BHermann - Feb 9th 2006 03:04:49

Hello,

I compiled vsftpd to link with SSL (Suse 10). When I configure vsftpd.conf to run without SSL (ssl_enable=NO), all my virtual users can log in, everybody who is not on the userlist stays outside - everything is just working fine and smooth. As soon as I change to ssl_enable=YES and restart vsftpd with the new settings, suddenly local users are allowed to log in (with ssl), no matter if they are on the list of allowed users, but the virtual users can't log in.

To me it looks like with ssl_enable=YES the authentication procedure somehow changes.

Did I forget to adjust some settings or is this a real bug?

Thanks! B

[reply] [top]


    [»] Re: SSL+virtual user BUG?
    by Colin - May 5th 2006 03:47:12

    I found the same using Fedora5 & vsftpd-2.0.4

    In addition to local users being able to log in over SSL (but virtual users denied) the local user is not chrooted - the default directory is the root of the linux host!

    Colin

    [reply] [top]


      [»] Re: SSL+virtual user BUG?
      by Vinicius - Jul 17th 2006 20:57:08

      Hello, I'm using FC5 and vsftpd 2.0.4, too. Virtual users don't work with SSL, but they work without SSL, too. In contrast, when I use SSL, my local users are chrooted to their home dirs. Did you solve the two issues, please? I can help you with the second one. Regards, Vinicius.

      [reply] [top]


[»] MORE FEATURES NEEDED!
by OBLus - Jan 5th 2006 10:09:10

hi.

I just installed on sid (debian) vsftpd. I think it's great, but still need more features.

1. Bandwidth for download/upload, not only for all traffic.
2. More options in user files in user_config_dir, e.g. local_max_rate, force_dot_files etc.
3. Maybe separate settings for directories in ftpd, .dir_setting like .message in dirmessage_enable (no_download, no_upload etc.)

If I find something else I'll write.
Sorry for my bad English.

[reply] [top]


    [»] Re: MORE FEATURES NEEDED!
    by OBLus - Jan 5th 2006 16:06:13

    4. db3_load??? it's old! maybe you can apply mysql and some binary to add users? 5. virtual users & PAM - TOGETHER!

    [reply] [top]


[»] Problem with Local User Login
by Andrew McGregor - Dec 31st 2005 23:41:01

I've installed vsftpd onto a Fedora 2 Core server which was built very plainly (in a server farm).

I only want local user login, but every password I pass in is invalid:
C:\Documents and Settings\andrewm>ftp 68.178.197.204
Connected to 68.178.197.204.
220 "Welcome to AMDP's FTP service."
User (68.178.197.204:(none)): andrew
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>

I turned on local_enable=YES (otherwise it tells me that the server is for anonymous access only), but I always get rejected. Anonymous login is OK.

Any ideas?

--
Regards, Andrew.

[reply] [top]


    [»] Re: Problem with Local User Login
    by Andrew McGregor - Jan 1st 2006 00:51:41

    I found the answer in ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-1.2.2/FAQ The problem was that I had PAM linked in automatically and I had to copy:
    sudo cp /home/amdp/sw/vsftpd/vsftpd-2.0.3/RedHat/vsftpd.pam /etc/pam.d/vsftpd
    (Note the removal of the .pam suffix)

    --
    Regards, Andrew.

    [reply] [top]


[»] vsftpd ssl errors
by halls - Nov 22nd 2005 07:38:43

I have installed vsftpd, and can use it just fine without ssl. When I use ssl, and "force_local_data_ssl" and "ssl_enabled" are enabled, I get the following errors when I try to login "521 Data connections must be encrypted. Invalid response '5' received from server." Does anyone know what might be causing this? I am using gftp and have been trying to login with ftp ssl.

Also, I have created the certificate by going into /usr/share/ssl/certs/ and running the command "make vsftpd.pem" per the instructions in README.ssl. I also moved the public portion of that cert to my local machine's ca-bundle.crt.

The full log of the transaction is below.

Trying server.generic.com:21
Connected to server.generic.com:21
220 Access Restricted.
AUTH TLS

234 Proceed with negotiation.
SSL connection established using TLSv1/SSLv3 (DES-CBC3-SHA)
PBSZ 0

200 PBSZ set to 0.
PROT C

200 PROT now Clear.
USER genericuser
331 Please specify the password.
PASS xxxx
230 Login successful.
SYST

215 UNIX Type: L8
TYPE I

200 Switching to Binary mode.
PWD

257 "/"
PORT 192,168,1,1,139,147

200 PORT command successful. Consider using PASV.
LIST -a

521 Data connections must be encrypted.
Invalid response '5' received from server.

[reply] [top]


    [»] Re: vsftpd ssl errors
    by halls - Nov 22nd 2005 07:39:56

    I am also using active ftp.

    [reply] [top]


      [»] Re: vsftpd ssl errors
      by halls - Nov 22nd 2005 08:01:50

      when I use lftp, I get the following error: "ls: Fatal error: SSL read: wrong version number"

      [reply] [top]


      [»] Re: vsftpd ssl errors
      by Vinicius - Jul 17th 2006 21:08:33

      Hello,

      I use Fedora Core 5 and vsftpd 2.0.4.

      I'm having the same problem as you. I'm using gftp as the client. I think the client doesn't work with data encripted, only works with control data encripted.

      Regards, Vinicius.

      [reply] [top]


        [»] Re: vsftpd ssl errors
        by Vinicius - Jul 18th 2006 19:37:29


        > Hello,
        >
        > I use Fedora Core 5 and vsftpd 2.0.4.
        >
        > I'm having the same problem as you. I'm
        > using gftp as the client. I think the
        > client doesn't work with data encripted,
        > only works with control data encripted.
        >
        > Regards, Vinicius.
        >

        Where is said "encripted", say "encrypted".

        [reply] [top]
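
The client log in the first post of this thread shows `PROT C` being accepted before `LIST`, so the data channel was left in the clear and the server refused it with 521. The following is an added example, not code from the thread or from vsftpd: it replays a control-channel transcript and flags that condition. The transcript is abridged from the post, and the function and field names are hypothetical.

```python
"""Flag FTP-over-TLS control transcripts that leave logins or data in the clear."""
import re

# Commands that open a data connection; PROT decides how that channel is protected.
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}
KNOWN_COMMANDS = DATA_COMMANDS | {
    "AUTH", "PBSZ", "PROT", "USER", "PASS", "SYST", "TYPE", "PWD", "CWD",
    "PORT", "PASV", "EPRT", "EPSV", "FEAT", "QUIT",
}
REPLY_RE = re.compile(r"^(\d{3})([ -]|$)")

# Client-side log abridged from the post above (host and user already generic).
SAMPLE_TRANSCRIPT = """\
Trying server.generic.com:21
Connected to server.generic.com:21
220 Access Restricted.
AUTH TLS
234 Proceed with negotiation.
SSL connection established using TLSv1/SSLv3 (DES-CBC3-SHA)
PBSZ 0
200 PBSZ set to 0.
PROT C
200 PROT now Clear.
USER genericuser
331 Please specify the password.
PASS xxxx
230 Login successful.
PWD
257 "/"
PORT 192,168,1,1,139,147
200 PORT command successful. Consider using PASV.
LIST -a
521 Data connections must be encrypted.
Invalid response '5' received from server.
"""


def audit_transcript(text, data_tls_required=True):
    """Return a list of findings (dicts) for one control-channel transcript.

    data_tls_required mirrors a server that forces encrypted data connections
    (the post had force_local_data_ssl enabled).
    """
    tls_on = False      # set once AUTH is answered with 234
    prot = "C"          # data protection level; Clear until PROT P is accepted
    last_cmd = None     # (verb, argument, finding) awaiting the server's reply
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        reply = REPLY_RE.match(line)
        if reply:
            code, sep = reply.groups()
            if sep == "-" or last_cmd is None:
                continue  # continuation line, or the banner before any command
            verb, arg, finding = last_cmd
            if verb == "AUTH" and code == "234":
                tls_on = True
            elif verb == "PROT" and code == "200":
                prot = arg.strip().upper()
            if finding is not None:
                finding["reply"] = code
            last_cmd = None
            continue
        verb, _, arg = line.partition(" ")
        if verb not in KNOWN_COMMANDS:
            continue  # client chatter such as "Trying ..." or "SSL connection ..."
        finding = None
        if verb in ("USER", "PASS") and not tls_on:
            issue = "credentials sent before AUTH TLS completed"
            finding = {"line": lineno, "command": verb, "prot": prot,
                       "issue": issue, "reply": None}
        elif verb in DATA_COMMANDS and data_tls_required and not (tls_on and prot == "P"):
            issue = "data command issued while protection level is Clear"
            finding = {"line": lineno, "command": verb, "prot": prot,
                       "issue": issue, "reply": None}
        if finding is not None:
            findings.append(finding)
        last_cmd = (verb, arg, finding)
    return findings


if __name__ == "__main__":
    for item in audit_transcript(SAMPLE_TRANSCRIPT):
        print(item)
```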


[»] virtual users
by konik - Nov 16th 2005 14:29:42

Hi all,

I am trying to have different virtual users for different local users. Say we have two real users "me" and "him", and I want to have "virt1" and "virt2" mapping to "me" and "virt3", "virt4" and "virt5" mapping to "him".

Is there a way to do something like that with vsftpd. I have already read the virtual users sample but I didn't find anything on google or in your documentation about that kind of configuration.

Thanks in advance for your help.

[reply] [top]


[»] Virtual users and chroot
by chouan - Oct 17th 2005 08:19:38

I use virtual users. The real account is 'virtual'.
It seems that all my virtual users are chrooted into the directory of the user 'virtual'.
Is it normal?
I'd like that virtual users could access to directories outside of the chroot dir using symbolic links. Is it possible?

[reply] [top]


    [»] Re: Virtual users and chroot
    by OBLus - Jan 5th 2006 15:53:43


    > I use virtual users. The real account is 'virtual'.
    > It seems that all my virtual users are chrooted into the directory of the user 'virtual'.
    > Is it normal?
    > I'd like that virtual users could access to directories outside of the chroot dir using symbolic links. Is it possible?

    I think it's normal; for virtual users, one system user 'virtual' must be created. It's good because it's secure, but you can have only one user dbase, virtual users (vsftpd_login.db) or system users (PAM), not both AND THAT'S A BIT OF A DISADVANTAGE!

    [reply] [top]


[»] Using virtual users for website maintenance
by Jay Urish - Oct 11th 2005 22:33:28

I have googled my brains out... Is there a howto floating around that can lead me to a good solution for setting up virtual user accounts to up/download web content?

Here are the requirements.

1. Be a virtual user
2. All uploaded files belong to apache.apache (so the webserver has full access to them)
3. All web content is under /home/html/something.com or /home/html/foo.net (you get the idea)
4. It would be cool if upon authenticating, the user could just be dropped into their content directory.
5. Oh yea, each login should have its own directory.

any pointers would be appreciated!

-Jay
W5GM

--
Jay Urish- W5GM Systems Engineer for Unixwolf Enterprises LLC.

[reply] [top]


[»] vsftpd
by nix4me - Sep 9th 2005 18:51:12

Why is it that vsftpd has no help available whatsoever?

It is ridiculous!

Opensource software that has absolutely no help available on the internet. I would love to use your software however there is one problem that I can't solve and yet there is nowhere to ask. I have tried here and the new so called forum with no help.

What a waste of a promising piece of software.

I am not the only one that is complaining either. I see it all over google.

--

[reply] [top]


[»] vsFTPd & PAM (Virtual Users Setup)
by biggjoe - Sep 7th 2005 17:38:38

Hello;

Here's my problem:

I'm trying to setup 'Virtual Users' with vsFTPd on a Linux Fedora-Core 2 box.

- I've used YUM to install the latest supported Berkeley DB for my distro 'Version: 4.1.25'

- I've followed the instructions for 'Virtual User' in the Example Folder the best that I can, but it's not working...meaning I can't log in with the user/passwords in my 'logins.txt' file

- Any suggestions on what can be going wrong? Maybe a few hints/tips on items I should go back and check just to be sure?

- Maybe you can point me to a good support forum or mailing list?

Thanks so much!

[reply] [top]


    [»] Re: vsFTPd & PAM (Virtual Users Setup)
    by OBLus - Jan 5th 2006 15:57:59

    I used libdb3-utils or smth like that, just v3 not above and it worked, but you must remember to add ENTER (\n) on end of logins.txt, if not db3_load makes Error ;>

    [reply] [top]


[»] problems with /bin/false
by reactnet - Aug 28th 2005 20:00:57

Hey,

I am using vsftpd 2.0.3 installed from source and recently I have this problem. Users with /bin/false can't log in. When I put /bin/bash everything is okay. Can anyone help me? Thanks

--
Legalize It !

[reply] [top]


    [»] Re: problems with /bin/false
    by reactnet - Aug 29th 2005 03:20:03

    I solved that problem. vsftpd, or any FTP daemon I think, doesn't recognize users with -s /bin/false if /bin/false isn't added in /etc/shells.

    --
    Legalize It !

    [reply] [top]


[»] 426 Failure writing network stream
by mb - Jul 20th 2005 01:32:36

i got this error when downloading large file (over 5MB)

vsftpd 2.0.3

how can I fix it?

[reply] [top]


[»] anon_umask
by ninewands - Jun 30th 2005 14:35:36

I recently tried setting up a special-purpose, restricted-access, anonymous upload server using vsftpd-2.0.1 under Fedora Core 3. Nothing I did in the vsftpd.conf with anon_umask and file_open_mode had any effect. I tried building from the vsftpd-2.0.3 source in case RedHat had decided to disable anon_umask for Fedora, but I got no change whatsoever.

In order to achieve the functionality I needed I had to drop back to a vsftpd built from the 1.2.2 source.

Is this (anon_umask not working) a bug or was it a conscious design decision to disable this feature?

--
I have sworn on the altar of God eternal hostility to every form of tyranny over the minds of men -- Thomas Jefferson, revolutionary, patriot and 3rd President of the United States

[reply] [top]


    [»] Re: anon_umask
    by ScottS - Feb 6th 2006 11:45:50

    I have had the same problem ...
    I wanted an "upload folder" to:
    * accept anonymous uploads from customers
    * refuse anonymous downloads by customers
    * mark files 660, so staff (local lan) can grab the files uploaded by customers

    I ran into this early and I by-passed it during beta testing by adding all my test users to the samba.conf as admins, but that won't fly in production. After I managed to get everything else working but the 660 file permissions I started experimenting with the anon_umask setting in the vsftpd.conf file:

    anon_umask setting :: resulting permission
    022 :: 644
    001 :: 666
    002 :: 664
    003 :: 664
    004 :: 662
    005 :: 662
    006 :: 660

    Where I stopped because that was what I needed ...
    but it looks like there is a standard mask of 666 and then if you specify the anon_umask it doesn't use it as specified, but instead ANDs the default mask and the inverse of the anon_umask.
    I think this because it ignores the low bit in the anon_umask and anything else set is removed from the desired result instead of added.


    > I recently tried setting up a special-purpose, restricted-access, anonymous upload server using vsftpd-2.0.1 under Fedora Core 3. Nothing I did in the vsftpd.conf with anon_umask and file_open_mode had any effect. I tried building from the vsftpd-2.0.3 source in case RedHat had decided to disable anon_umask for Fedora, but I got no change whatsoever.
    >
    > In order to achieve the functionality I needed I had to drop back to a vsftpd built from the 1.2.2 source.
    >
    > Is this (anon_umask not working) a bug or was it a conscious design decision to disable this feature?

    --
    Scott

    [reply] [top]


    [»] Re: anon_umask, solution
    by Andrew N. Balahonov - Mar 10th 2006 16:38:10

    vsftpd >=1.2.1 lacks such functionality. Please apply the following patch: http://www.drand.ru/linux/vsftpd.anon_umask.patch

    --
    Yours sincerely, Andrew N. Balahonov PGP: 1024D/3C340684 94B4 C3C5 8936 9DF5 A2B8 3E5C DB3A CC66 3C34 0684

    [reply] [top]


[»] Upload timeouts using SSL and virtual clients
by joe_kdwll - May 17th 2005 14:44:37

I'm having problems with uploads timing out to our vsftpd server. I've tried two different clients, CuteFTP and SmartFTP and both exhibit similar behavior. Large uploads ( >50MB ) fail partway through the transfer. Small files usually succeed.

I've tried both 2.0.1 and 2.0.3 versions of vsftpd and have the same problem with both versions. I've tried recompiling the vsftpd executable and have tried commenting out the ssl versions in the .conf file with no success.

The log file from vsftpd says simply "421 Data timeout. Reconnect. Sorry."

In the latest attempt two 74MB files failed at 13% and 14%.

Any help would be greatly appreciated.

[reply] [top]


[»] Chroot local_users into local_root
by Chad - May 4th 2005 10:00:46

I've been trying to determine if this is possible or not. This appears to be the same question as Neil Watson's comment on May 18th 2004.

I would like to chroot local_users into local_root not their home directories. I don't want to use virtual users or allow anonymous ftp access or map local users to guest. Is this possible to do with vsftpd? I've seen several posts on the net of people asking this question but never any replies.

Thanks!

[reply] [top]


[»] 500 OOPS: SSL: cannot load RSA key
by James B. Byrne - Apr 28th 2005 13:34:53

vsftpd-2.0.1-5

I am trying to get vsftpd to start with ssl_enabled=yes and not having much success. The config file works when ssl_enabled=No and does not work when ssl_enabled=Yes. I have tried setting the following:

rsa_cert_file=/usr/share/ssl/certs/inet06cert.pem

which is the public certificate and this:

rsa_cert_file=/usr/share/ssl/private/inet06key.pem

which is the server private key. Both these are in use by the apache web server as :

SSLCertificateFile /usr/share/ssl/certs/inet06cert.pem

and

SSLCertificateKeyFile /usr/share/ssl/private/inet06key.pem

respectively and I have no trouble using ssl with that service. As far as I can tell the certificates are in the right places and do the right things for apache but vsftpd chokes. Since vsftpd does not deign to log what is going on I cannot tell what it finds disagreeable about this setup. Does anyone have any idea what would prevent vsftpd from using a certificate that works with apache?

Thanks,
Jim

[reply] [top]


[»] Quota check implementation status
by Digital Agent - Apr 25th 2005 14:24:02

Chris (or whomever runs this project),

Are there any plans in place to add functionality whereby a user can check their quota status via a SITE command or something similar? Is this feature already in place? We're only running 1.2.1 currently but it would be worthwhile to upgrade if this quota feature was added.

Thanks in advance for any information you provide.

Hoke Smart
Digital Agent, LLC

[reply] [top]


[»] Serverside transfer rate/progress information for vsftpd.
by Anders Andersson - Apr 21st 2005 17:24:57

Hi! I would like to get more information about the current file transfers on my server (using debian testing/vsftpd 2.0.1). I haven't found any information at all about this, other than setting setproctitle_enable, but this only gives info that a transfer is going, not the details. I would like to know at least how much of a transfer has taken place. The rest can be calculated in other ways. Any clues? (other than hacking the source, that I will do if there's no other option! :D)

[reply] [top]


[»] Problem with connection and automated connection
by Tropeas - Apr 5th 2005 00:54:25

When I'm trying to connect to server without vsftpd for their ftp server I have "KERBEROS_V4 rejected as an authentication type" but in vsftpd server everything acts ok! I have as continuance problem with an autologin when I use .netrc files in servers that don't have vsftpd...
My system is on RH 9
What I have missed from configs?
My config file is above:

#vi /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES

These are the messages from login:

[root@stopix ~]# ftp xyz.xyz.com
Connected to xyz.xyz.com.
220 Microsoft FTP Service
500 'AUTH GSSAPI': command not understood
500 'AUTH KERBEROS_V4': command not understood
KERBEROS_V4 rejected as an authentication type
Macro definition missing null line terminator.
ftp>

[reply] [top]


[»] Uploading timestamp problem
by Eric Smith - Apr 1st 2005 14:33:51

Hey guys, is there a way to upload files to vsftpd without the server editing the timestamp on the file? I have a need to preserve the actual time the file was last edited as opposed to when the file was uploaded. thanks~

Eric

[reply] [top]


    [»] Re: Uploading timestamp problem
    by wshawn - Apr 18th 2005 20:01:32

    I would like to know exactly the same thing. I have read the man pages and the online html docs and there are no options for leaving the time stamp untouched. Is this a bug?

    [reply] [top]


      [»] Re: Uploading timestamp problem
      by cent5 - Dec 14th 2005 06:10:30


      > I would like to know exactly the same thing. I have read the man pages and the online html docs and there are no options for leaving the time stamp untouched.
      >
      > Is this a bug?

      I recognized if a file is uploaded with the webbrowser then the time stamp is updated. If a ftp client like WS_FTP_Pro was used, then the time stamps remain untouched. I would like to know how the time stamps can be updated if they are copied via ftp client, because in my case tmpwatch removes all files which are older than 1 week. If the original time stamp does not change then the file will be removed immediately if the original time stamp was older than one week.

      [reply] [top]


[»] error when compile vsftpd fedora 3
by hoanghien - Mar 29th 2005 16:13:29

i got this error when "make" vsftpd from source

sysdeputil.c: In function `do_sendfile':
sysdeputil.c:641: warning: null argument where non-null required (arg 3)
gcc -o vsftpd main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o tunables.o ftpdataio.o secbuf.o ls.o postprivparent.o logging.o str.o netstr.o sysstr.o strlist.o banner.o filestr.o parseconf.o secutil.o ascii.o oneprocess.o twoprocess.o privops.o standalone.o hash.o tcpwrap.o ipaddrparse.o access.o features.o readwrite.o ssl.o sysutil.o sysdeputil.o -Wl,-s `./vsf_findlibs.sh`
/lib/libpam.so.0: could not read symbols: File in wrong format
collect2: ld returned 1 exit status
make: *** [vsftpd] Error 1

how can i fix it?

[reply] [top]


    [»] Re: error when compile vsftpd fedora 3
    by Greg Knapp - Apr 1st 2005 06:05:44


    > i got this error when "make" vsftpd from source
    >
    > sysdeputil.c: In function `do_sendfile':
    > sysdeputil.c:641: warning: null argument where non-null required (arg 3)
    > gcc -o vsftpd main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o tunables.o ftpdataio.o secbuf.o ls.o postprivparent.o logging.o str.o netstr.o sysstr.o strlist.o banner.o filestr.o parseconf.o secutil.o ascii.o oneprocess.o twoprocess.o privops.o standalone.o hash.o tcpwrap.o ipaddrparse.o access.o features.o readwrite.o ssl.o sysutil.o sysdeputil.o -Wl,-s `./vsf_findlibs.sh`
    > /lib/libpam.so.0: could not read symbols: File in wrong format
    > collect2: ld returned 1 exit status
    > make: *** [vsftpd] Error 1
    >
    > how can i fix it?

    I am also experiencing this problem on Redhat ES 4:

    sysdeputil.c: In function `do_sendfile':
    sysdeputil.c:641: warning: null argument where non-null required (arg 3)
    sysdeputil.c: At top level:
    sysdeputil.c:1112: warning: 'vsf_insert_uwtmp' defined but not used
    sysdeputil.c:1151: warning: 'vsf_remove_uwtmp' defined but not used
    gcc -o vsftpd main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o tunables.o ftpdataio.o secbuf.o ls.o postprivparent.o logging.o str.o netstr.o sysstr.o strlist.o banner.o filestr.o parseconf.o secutil.o ascii.o oneprocess.o twoprocess.o privops.o standalone.o hash.o tcpwrap.o ipaddrparse.o access.o features.o readwrite.o ssl.o sysutil.o sysdeputil.o -Wl,-s `./vsf_findlibs.sh`

    [reply] [top]


      [»] Re: error when compile vsftpd fedora 3
      by Gavin - Jun 1st 2006 01:00:44

      I also hit this - the problem is that the lib-finding script vsf_findlibs.sh returns e.g. /lib/libpam.so.0; however if you're on a x86_64 machine, for example, you need /lib64/libpam.so.0. Fixing this up sorted things out for me.

      [reply] [top]


[»] Anonymous Logins
by M Ritchie - Mar 1st 2005 05:02:07

Is there a problem with the project server? vsftpd.beasts.org? I'm not getting connected.

I'm running 2.0.1 Slackware source patched to enable SSL from Gentoo

For some reason there is no pre login check for anonymous logins.

Not sure if there should be but for those of you that want the tunable_anonymous_enable to stop anonymous logins from being attempted here is a patch.

[reply] [top]


    [»] Re: Anonymous Logins
    by Chris Evans - Mar 19th 2005 13:50:06

    The server should be fine now - had some power supply issues for a bit. Thanks for the pointer to the patch, it gives a much clearer error message - I'll get it into v2.0.4. Cheers Chris

    [reply] [top]


[»] Sharing with vsftpd
by Bob - Feb 10th 2005 10:45:51

I am trying to set up a user so that his home directory is within another ftp user's home directory.

/home/user1
/home/user1/user2

This way user 2 can upload/download files and only see those files, nothing higher; and user 1 can upload/download files and manipulate user2's files.

Any help would be greatly appreciated

[reply] [top]


    [»] Re: Sharing with vsftpd
    by Mastor - Feb 18th 2005 01:49:13


    > I am trying to set up a user so that his home directory is within another ftp user's home directory.
    >
    > /home/user1
    > /home/user1/user2
    >
    > This way user 2 can upload/download files and only see those files, nothing higher; and user 1 can upload/download files and manipulate user2's files.
    >
    > Any help would be greatly appreciated

    Try with virtual-users.
    user2 will login as "guest_username=user1" and chrooted with "local_root=/home/user1/user2".
    Of course, you should use "guest_enable=YES", "chroot_local_user=YES" and "pam_service_name=name.of.pam.config" to enable the authentication modules for virtual users.

    Yes, it's a lame solution ...

    [reply] [top]


      [»] Re: Sharing with vsftpd
      by Bob - Feb 18th 2005 13:30:31

      Sounds good, but due to security issues... I cannot enable the guest option. Thanks for the input.

      [reply] [top]


[»] Encryption of FTP data connection possible using FTP over SSH?
by TN - Jan 24th 2005 06:52:07

Is it possible with vsftpd to encrypt both the control and the data connection using FTP over SSH? I can't find any info on this issue.

[reply] [top]


[»] SSL Handler & Data Timeout
by Mastor - Jan 21st 2005 03:07:17

I found a little problem when downloading files with an encrypted connection...
The data timeout triggers even if the transfer isn't stalled. Without the SSL/TLS Encryption (eg anonymous connection) all works fine

[reply] [top]


    [»] Re: SSL Handler & Data Timeout
    by Chris Evans - Mar 2nd 2005 16:35:24

    Thanks for reporting this. I've just released v2.0.2 which should fix this. Cheers Chris

    [reply] [top]


    [»] Re: SSL Handler & Data Timeout
    by Chris Evans - Mar 19th 2005 13:52:05

    OK, v2.0.2 didn't fully fix this. v2.0.3 should work fine in this area. Cheers Chris

    [reply] [top]


[»] Good Stuff. A few questions, though.
by SeventhCycle - Jan 15th 2005 20:44:14

Great FTP server. This + pam_mysql has worked very nicely for me creating virtual FTP accounts.

Three questions, though.

1) Is there any support or planned support for implicit FTP-SSL running on port 990? It'd be nice to have this for older FTP clients that don't know about AUTH-TLS on port 21.

2) When I try connecting with AUTH-TLS on Filezilla, I get a popup message saying that it's unable to get the local issuer certificate. My guess here is that it wants a path to the Certificate Authority's cert, but can't find it. I haven't seen any option in vsftpd to specify a path to the CA. Is there an option, will there be one, or is this even necessary?

3) I'm unable to connect with WS_FTP Home using FTP/SSL (AUTH_SSL). I've tried forcing 128 bit SSL, but it still gives an error message saying, "SSL Connect error 2: Connect Failed." The options ssl_sslv2 and ssl_sslv3 are enabled.

Anyone have insights?

[reply] [top]


    [»] Re: Good Stuff. A few questions, though.
    by crm10 - Jul 8th 2005 10:05:45

    Has there been an answer to the implicit SSL question? I would like to use this too. Does it work on any other ports? I cannot find anything in the man page about implicit ssl.


    > Great FTP server. This + pam_mysql has worked very nicely for me creating virtual FTP accounts.
    >
    > Three questions, though.
    >
    > 1) Is there any support or planned support for implicit FTP-SSL running on port 990? It'd be nice to have this for older FTP clients that don't know about AUTH-TLS on port 21.
    >
    > 2) When I try connecting with AUTH-TLS on Filezilla, I get a popup message saying that it's unable to get the local issuer certificate. My guess here is that it wants a path to the Certificate Authority's cert, but can't find it. I haven't seen any option in vsftpd to specify a path to the CA. Is there an option, will there be one, or is this even necessary?
    >
    > 3) I'm unable to connect with WS_FTP Home using FTP/SSL (AUTH_SSL). I've tried forcing 128 bit SSL, but it still gives an error message saying, "SSL Connect error 2: Connect Failed." The options ssl_sslv2 and ssl_sslv3 are enabled.
    >
    > Anyone have insights?

    [reply] [top]


[»] DOS Attack Bug - vsftpd-2.0.1 - SSL/TLS
by Flain - Dec 30th 2004 00:09:24

First vsftpd exploit?

Seems to be a bug with SSL/TLS support in 2.0.1. Multiple FTP clients have been tried and uploads fail when using SSL/TLS. Downloads work fine. Turning off SSL/TLS fixes this problem (but that defeats the purpose of SSL support :))

This is what I get:
SSL/TLS connection using cipher DES-CBC3-SHA (168 bits)
421 Data timeout. Reconnect. Sorry.
Transfer Failed!

Ok it failed, no big deal... but...
After that - vsftpd leaves the process there and doesn't clean it up. This results in a serious DOS attack against the server if someone leaves their client on retry, i.e. over 10000 dead vsftpd processes are bad for the system. To make things worse, each single ftp connection that uses TLS uses 3 processes, so each failure leaves 3 dead processes there.

This bug exists on every machine I've tried vsftpd on so far (3 machines - 2 debian unstable, the other RHE). This problem also disappears when switching to glftpd or proFTPd.

[reply] [top]


    [»] Re: DOS Attack Bug - vsftpd-2.0.1 - SSL/TLS
    by Chris Evans - Mar 19th 2005 14:02:58


    > First vsftpd exploit?

    No :) There is a bug here but not a security issue. The bug is that when a timeout fires in SSL mode, the session doesn't get killed off instantly like it should. But it _does_ eventually go, so there is no leak. The bug is fixed in v2.0.3. To protect against one client causing problems, use vsftpd's per-IP-address session limits.

    Cheers
    Chris

    [reply] [top]


[»] Account bypassing max user limit?
by frodema - Dec 29th 2004 23:13:32

Hi,
I'm trying to figure out if there's any possibility to
have one account bypassing the max user limit. I've
been using BPFTP server on an ms box, and bypass
is a great option. (I use this account to show that my
server is online with a small gif picture on a website.)

~frodema

[reply] [top]


[»] vsftpd with separate max user directives
by nix4me - Dec 24th 2004 10:16:24

Hi,

I need the ability to have 3 virtual user accounts with different max users.

download - 2 users can use this account
upload - 2 users can use this account
private - 1 user can use this account

Using the max_users directive is no good for me because if I set it to 5, 5 download users can log in and no one else can get on.

Is there another way to do this?

[reply] [top]


    [»] Re: vsftpd with separate max user directives
    by nix4me - Dec 25th 2004 12:07:36


    > Hi,
    >
    > I need the ability to have 3 virtual
    > user accounts with different max
    > users.
    >
    > download - 2 users can use this account
    > upload - 2 users can use this account
    > private - 1 user can use this account
    >
    > Using the max_users directive is no good
    > for me because if I set it to 5, 5
    > download users can log in and no one else
    > can get on.
    >
    > Is there another way to do this?

    I did some more testing and thought I found out how to do this but it doesn't work. I tried setting up virtual users with pam auth and then setting the /etc/security/limits.conf file to only allow the download, upload, and private to the above maxlogins.....however this will not work! When using virtual users, all the users are logged in as the same username virtual.

    I then tried to use local accounts and not virtual users. I got this working but there is still no way to limit multiple user accounts. The /etc/security/limits.conf appears to have NO effect at all on vsftpd.

    Am I missing something?

    [reply] [top]


[»] Anonymous FTP can't change directories
by Greg Dickinson - Nov 17th 2004 12:15:59

I have a server that acts as a central repository for antivirus updating. If I log in as the replication user, I can do whatever I need to. However, if I log in as anonymous, I can download any file in the root FTP directory, but am told that I cannot change to any subdirectories. All the files in the tree are world-readable - I don't know where to look next.

Config:
# Standalone mode
listen=YES
listen_address=10.10.xxx.yyy
max_clients=1000
max_per_ip=4
# Access rights
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000

[reply] [top]


    [»] Re: Anonymous FTP can't change directories
    by Greg Dickinson - Nov 17th 2004 12:38:23


    > I have a server that acts as a central
    > repository for antivirus updating. If I
    > log in as the replication user, I can do
    > whatever I need to. However, if I log
    > in as anonymous, I can download any file
    > in the root FTP directory, but am told
    > that I cannot change to any
    > subdirectories. All the files in the
    > tree are world-readable - I don't know
    > where to look next.


    You know, I always seem to find the answer right after asking for help :-) I had to set all the directories to Group Execute to be able to change to them...duh...

    --Greg

    [reply] [top]
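The permission problem resolved in the reply above can be checked for a whole tree in one pass. This is an added example, not part of the original thread and not vsftpd code: it applies the standard Unix owner/group/other rule to each subdirectory and reports those the FTP account cannot enter (no execute bit) or cannot list (no read bit). The function names, the sample tree and the uid/gid values are assumptions made for illustration.

```python
import os
import stat
import tempfile


def class_bits(st, uid, gids):
    """Pick the (read, search) bits that apply: owner, else group, else other."""
    if st.st_uid == uid:
        return stat.S_IRUSR, stat.S_IXUSR
    if st.st_gid in gids:
        return stat.S_IRGRP, stat.S_IXGRP
    return stat.S_IROTH, stat.S_IXOTH


def blocked_dirs(root, uid, gids):
    """List (relative path, problem) for subdirectories uid/gids cannot use."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        dirnames.sort()  # deterministic report order
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not what is checked
            read_bit, search_bit = class_bits(st, uid, gids)
            if not st.st_mode & search_bit:
                problem = "cannot enter"  # CWD fails: execute (search) bit missing
            elif not st.st_mode & read_bit:
                problem = "cannot list"   # CWD works, LIST fails: read bit missing
            else:
                continue
            findings.append((os.path.relpath(full, root), problem))
    return findings


def build_demo_tree(root):
    """Constructed sample tree; modes chosen to show each outcome."""
    modes = {"defs": 0o744, "defs/daily": 0o755, "engine": 0o755, "private": 0o710}
    for rel in modes:
        os.mkdir(os.path.join(root, rel))
    for rel, mode in modes.items():
        os.chmod(os.path.join(root, rel), mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        st = os.lstat(os.path.join(root, "defs"))
        ftp_uid = st.st_uid + 1  # assumed: the FTP account is not the owner
        for label, gids in (("in owning group", {st.st_gid}), ("other", set())):
            print(label, blocked_dirs(root, ftp_uid, gids))
```

The check reads mode bits rather than calling `os.access`, so it gives the same answer when run as root. A directory reported as fine can still be unreachable if one of its parents is reported as "cannot enter".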


[»] SSL VSFTPD
by enoxard - Nov 15th 2004 16:23:49

Hello,

I am having a little trouble getting vsftpd to work over ssl. I am able to get it working without ssl, but when I add the following lines to /etc/vsftpd.conf

# enable ssl
rsa_cert_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

I get the error

500 OOPS: SSL: ssl_enable is set but SSL support
not compiled in

when attempting to log in.

i ha