vsftpd frequently asked questions!!
-----------------------------------

Q) Can I restrict users to their home directories?
A) Yes. You are probably after the setting:
chroot_local_user=YES

Q) Why don't symlinks work with chroot_local_user=YES?
A) This is a consequence of how chroot() security works. As alternatives,
look into hard links, or if you have a modern Linux, see the powerful
"mount --bind".

Q) Does vsftpd support a limit on the number of users connected?
A1) Yes, indirectly. vsftpd is an inetd-based service. If you use the popular
"xinetd" as your inetd, this supports per-service per-IP connection limits.
There is an example of this in the "EXAMPLE" directory.
A2) If you run vsftpd in "standalone" mode with the setting listen=YES, then
you can investigate the setting (e.g.):
max_clients=10

Q) Help! I'm getting the error message "refusing to run with writable anonymous
root".
A) vsftpd is protecting against dangerous configurations. The cause of this
message is usually dodgy ownership of the ftp home directory. The home
directory should NOT be owned by the ftp user itself. Neither should it
be writable by the ftp user. A way to fix this is:
chown root ~ftp; chmod -w ~ftp

Q) Help! I'm getting the error message "str_getpwnam".
A) The most likely cause of this is that the user that is configured as the
'nopriv_user' setting (often 'nobody') does not exist on your system. vsftpd
needs this user to run bits of itself with no privilege.

Q) Help! Local users cannot log in.
A) There are various possible problems.
A1) By default, vsftpd disables any logins other than anonymous logins. Put
local_enable=YES in your /etc/vsftpd.conf to allow local users to log in.
A2) vsftpd tries to link with PAM. (Run "ldd vsftpd" and look for libpam to
find out whether this has happened or not). If vsftpd links with PAM, then
you will need to have a PAM file installed for the vsftpd service.
There is
a sample one for RedHat systems included in the "RedHat" directory - put it
under /etc/pam.d
A3) If vsftpd didn't link with PAM, then there are various possible issues. Is
the user's shell in /etc/shells? If you have shadowed passwords, does your
system have a "shadow.h" file in the include path?
A4) If you are not using PAM, then vsftpd will do its own check for a valid
user shell in /etc/shells. You may need to disable this if you use an invalid
shell to disable logins other than FTP logins. Put check_shell=NO in your
/etc/vsftpd.conf.

Q) Help! Uploads or other write commands give me "500 Unknown command.".
A) By default, write commands, including uploads and new directories, are
disabled. This is a security measure. To enable writes, put write_enable=YES
in your /etc/vsftpd.conf.

Q) Help! What are the security implications referred to in the
"chroot_local_user" option?
A) Firstly note that other ftp daemons have the same implications. It is a
generic problem.
The problem isn't too severe, but it is this: Some people have FTP user
accounts which are not trusted to have full shell access. If these
accounts can also upload files, there is a small risk. A bad user now has
control of the filesystem root, which is their home directory. The ftp
daemon might cause some config file to be read - e.g. /etc/some_file. With
chroot(), this file is now under the control of the user. vsftpd is
careful in this area. But, the system's libc might want to open locale
config files or other settings...

Q) Help! Uploaded files are appearing with permissions -rw-------.
A1) Depending on if this is an upload by a local user or an anonymous user,
use "local_umask" or "anon_umask" to change this. For example, use
"anon_umask=022" to give anonymously uploaded files permissions
-rw-r--r--. Note that the "0" before the "22" is important.
A2) Also see the vsftpd.conf.5 man page for the new "file_open_mode"
parameter.

Q) Help! How do I integrate with LDAP users and logins?
A) Use vsftpd's PAM integration to do this, and have PAM authenticate against
an LDAP repository.

Q) Help! Does vsftpd do virtual hosting setups?
A1) Yes. If you integrate vsftpd with xinetd, you can use xinetd to bind to
several different IP addresses. For each IP address, get xinetd to launch
vsftpd with a different config file. This way, you can get different behaviour
per virtual address.
A2) Alternatively, run as many copies of vsftpd as necessary, in standalone
mode. Use "listen_address=x.x.x.x" to set the virtual IP.

Q) Help! Does vsftpd support virtual users?
A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd.conf. This
has the effect of mapping every non-anonymous successful login to the local
username specified in "guest_username". Then, use PAM and (e.g.) its pam_userdb
module to provide authentication against an external (i.e. non-/etc/passwd)
repository of users.
Note - currently there is a restriction that with guest_enable enabled, local
users also get mapped to guest_username.
There is an example of virtual users setup in the "EXAMPLE" directory.

Q) Help! Does vsftpd support different settings for different users?
A) Yes - in a very powerful way. Look at the setting "user_config_dir" in the
manual page.

Q) Help! Can I restrict vsftpd data connections to a specific range of ports?
A) Yes. See the config settings "pasv_min_port" and "pasv_max_port".

Q) Help! I'm getting the message "OOPS: chdir".
A) If this is for an anonymous login, check that the home directory for the
user "ftp" is correct. If you are using the config setting "anon_root", check
that it is correct too.

Q) Help! vsftpd is reporting times as GMT times and not local times!
A) This behaviour can be changed with the setting "use_localtime=YES".

Q) Help! Can I disable certain FTP commands?
A) Yes. There are some individual settings (e.g. dirlist_enable) or you can
specify a complete set of allowed commands with "cmds_allowed".

Q) Help! Can I change the port that vsftpd runs on?
A1) Yes. If you are running vsftpd in standalone mode, use the "listen_port"
directive in vsftpd.conf.
A2) Yes. If you are running vsftpd from an inetd or xinetd program, this
becomes an inetd or xinetd problem. You must change the inetd or xinetd
configuration files (perhaps /etc/inetd.conf or /etc/xinetd.d/vsftpd)

Q) Help! Will vsftpd authenticate against an LDAP server? What about a
MySQL server?
A) Yes. vsftpd uses PAM for authentication, so you need to configure PAM
to use pam_ldap or pam_mysql modules. This may involve installing the PAM
modules and then editing the PAM config file (perhaps /etc/pam.d/vsftpd).

Q) Help! Does vsftpd support per-IP limits?
A1) Yes. If you are running vsftpd standalone, there is a "max_per_ip"
setting.
A2) Yes. If you are running vsftpd via xinetd, there is an xinetd config
variable "per_source".

Q) Help! Does vsftpd support bandwidth limiting?
A) Yes. See vsftpd.conf.5 man page and investigate settings such as
"anon_max_rate" and "local_max_rate".

Q) Help! Does vsftpd support IP-based access control?
A1) Yes. vsftpd can integrate with tcp_wrappers (if built with this support).
It is enabled with the setting "tcp_wrappers=YES".
A2) Yes. vsftpd can be run from xinetd, which supports tcp_wrappers
integration.

Q) Help! Does vsftpd support IPv6?
A) Yes, as of version 1.2.0. Read the vsftpd.conf.5 man page.

Q) Help! vsftpd doesn't build, it fails with an error about being unable to
find -lcap.
A) Install the libcap package and retry the build. Seems to affect Debian
users a lot.
A) Install the libcap-devel. This certainly affects Fedora.

Q) Help!
I've put settings in /etc/vsftpd.conf, but they are not taking
effect!
A) This is affecting some RedHat users - some RedHat versions put the config
file in /etc/vsftpd/vsftpd.conf.

Q) Help! vsftpd doesn't build, it complains about problems with incomplete
types in sysutil.c.
A) Your system probably doesn't have IPv6 support. Either use a more modern
system, use an older vsftpd (e.g. v1.1.3), or wait for a version of vsftpd
without this problem!

Q) Help! I'm getting messages along the lines of 500 OOPS: vsf_sysutil_bind
when trying to do downloads (particularly lots of small files).
A) vsftpd-1.2.1 should sort this out.

Q) Help! Does vsftpd support hiding or denying certain files?
A) Yes. Look at the hide_file and deny_file options in the manual page.

Q) Help! Does vsftpd support FXP?
A) Yes. An FTP server does not have to do anything special to support FXP.
However, you may get tripped up by vsftpd's security precautions on IP
addresses. In order to relax these precautions, have a look in the
vsftpd.conf.5 for pasv_promiscuous (and the less advisable port_promiscuous).

Q) Help! I'm getting the error "426 Failure writing network stream." on
downloads.
A) You shouldn't see this with v1.2.1 or newer versions of vsftpd. Older
versions of vsftpd can give this error if the user tries to download
something from an unusual filesystem (e.g. FAT), which doesn't support
performance features used by vsftpd. With vsftpd-1.1.3 and newer there is a
config workaround, use_sendfile=NO.

Q) Help! I'm using the pam_userdb login module and the login hangs.
A) This could be a bad interaction with glibc version 2.3 and PAM. A Debian
user reported this. The initial report is here:
http://lists.debian.org/debian-glibc/2003/debian-glibc-200309/msg00310.html

Q) Help! Does vsftpd support large files (>2Gb?).
A) Yes, it does.

Q) Help!
Well, large file support doesn't seem to be working, then!
A1) Large file support first appeared in v1.1.0.
A2) Solaris large file support wasn't fixed until v1.2.2.
A3) FreeBSD large file support wasn't fixed until v1.2.2.
A4) The early Linux 2.6 kernels had a bug in this area - use v2.6.6 or newer.
A5) Are you sure your FTP _client_ correctly supports large files?

Q) Help! The built-in vsftpd listener is hanging or crashing!
A) A bug in this area is fixed in vsftpd v1.2.2. The problem has always existed
but seems to frequently trigger only on certain platforms. For example,
Fedora Core 1 - the suspected trigger is a glibc-2.3 platform, possibly in
combination with a NPTL-enabled kernel.

Q) Help! I'm using Solaris / Veritas and vsftpd is hanging!
A) Suspected bug with the Solaris / Veritas combination. With vsftpd-1.2.3
there is a possible workaround: no_log_lock=YES in your vsftpd.conf.5.

Q) Does vsftpd support SSL / TLS based encryption?
A) Yes, as of v2.0.0, this is supported for the control and data connections
(hurrah). You need a build of vsftpd with this support enabled, and then you
need to activate the ssl_enable setting. NOTE there are security considerations
with this support. Please make sure to read the ssl_enable section in the
vsftpd.conf.5 man page thoroughly before using.

Q) Help! I'm using FlashFXP and getting truncated files on download.
A) FlashFXP is buggy - particularly with SSL transfers. Upgrade to v3.0RC4
or newer, which is reported to be fixed.

Q) Help! I'm trying to build vsftpd, and I get an error along the lines of
"krb5.h: no such file or directory".
A) Yes, seems to be a problem with some RedHat setups. See
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111301 for details and
suggested workarounds.

Q) Help! I'm getting the error "OOPS: capset" when I try to connect to vsftpd.
A) This is an issue with SELinux enabled distributions. The solution is to
make sure the capability kernel module is loaded.

Q) Help! I'm getting the error "ftp: netin: Interrupted system call".
A) Seems to be a bug in ftp-tls, particularly with SSL transfers with
bandwidth limiting in effect.

Q) Help! When trying SSL transfers, users log in and are no longer restricted
to their home directory! They can browse the entire filesystem!
A) Most likely, your FTP client is in fact using the SSH protocol rather than
the FTP protocol - so sshd is in control and not vsftpd!
A) Of course, make sure you turn on the chroot_local_user option!!

Q) Help! I'm getting connections dropped whilst using gFTP for an SSL
connection.
A) The version of gFTP on my Fedora Core 10 installation appears to send the
"SIZE" command plain text during an SSL connection, which obviously breaks the
SSL connection.

Q) Help! SSL data connections are not working.
A) As of v2.1.0, vsftpd only accepts data connections that are reused sessions
of the control connection. This is a security measure. Unfortunately, not all
FTP clients reuse sessions (e.g. curl). You can disable this requirement by
changing require_ssl_reuse to NO.

Q) Help! My LDAP / mysql / etc. authentication and / or username lookup are
failing!
A) As of v2.2.0, the built-in sandboxing uses network isolation on Linux. This
may be interfering with any module that needs to use the network to perform
operations or lookups. Try changing isolate_network to NO.

Q) Blah.. blah..
A) For a good idea of what vsftpd can do, read the vsftpd.conf.5 man page
and the EXAMPLES.
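
Added example (not part of vsftpd or of the original FAQ): a small Python check
that reads vsftpd.conf text and reports the trade-offs the answers above
describe: chroot_local_user together with write_enable, a umask written
without its leading "0" (the vsftpd.conf.5 man page notes such a value is read
as base 10), and the settings that relax a precaution. The function names and
the sample configuration are constructed for illustration.

```python
# Added example: lint vsftpd.conf text for settings this FAQ flags as trade-offs.
RELAXED = {  # (option, value) -> what the FAQ says the value gives up
    ("pasv_promiscuous", "YES"): "relaxes the IP address precautions on PASV data connections",
    ("port_promiscuous", "YES"): "relaxes the IP address precautions on PORT (less advisable)",
    ("require_ssl_reuse", "NO"): "SSL data connections need not reuse the control session",
    ("isolate_network", "NO"): "disables the sandbox's network isolation on Linux",
    ("check_shell", "NO"): "skips the /etc/shells check on local logins",
}

def parse_conf(text):
    """Return {option: value} from option=value lines; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                conf[key] = value
    return conf

def audit(text):
    """Return a list of findings, one string per risky setting."""
    conf = parse_conf(text)
    on = lambda key: conf.get(key, "").upper() == "YES"
    findings = []
    if on("chroot_local_user") and on("write_enable"):
        findings.append("chroot_local_user+write_enable: uploaders control their chroot() root")
    for key in ("local_umask", "anon_umask"):
        value = conf.get(key, "")
        # Without a leading 0 the value is read as base 10, not octal.
        if value.isdigit() and not value.startswith("0"):
            findings.append(f"{key}={value} means octal {int(value):04o}; use {key}=0{value}")
    for (key, bad), why in RELAXED.items():
        if conf.get(key, "").upper() == bad:
            findings.append(f"{key}={bad}: {why}")
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# /etc/vsftpd.conf
local_enable=YES
write_enable=YES
chroot_local_user=YES
anon_umask=22
local_umask=022
ssl_enable=YES
require_ssl_reuse=NO
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```

Only the YES/NO spellings used in this FAQ are recognised; a finding is a
prompt to re-read the matching answer above, not proof of a misconfiguration.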