Configuring the FTP Server in Linux
At any point, you can refer to man vsftpd.conf for further configuration options. We will set the most common options and mention their purpose in this guide.
As with any other configuration file, it is important to make a backup copy of the original before making changes:
# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.orig
Then open /etc/vsftpd/vsftpd.conf (the main configuration file) and edit the following options as indicated:
1. Make sure you allow anonymous access to the server without a password (we will use the /storage/ftp directory for this example – that’s where we will store documents for anonymous users to access):
anonymous_enable=YES
no_anon_password=YES
anon_root=/storage/ftp/
If you omit the last setting, the ftp directory will default to /var/ftp (the home directory of the dedicated ftp user that was created during installation).
2. To enable read-only access (thus disabling file uploads to the server), set the following variable to NO:
Important: Only use steps #3 and #4 if you choose to disable the anonymous logins.
3. Likewise, you may also want to allow local users to log in to the FTP server with their system credentials. Later in this article we will show you how to restrict them to their respective home directories to store and retrieve files using FTP:
If SELinux is in enforcing mode, you will also need to set the ftp_home_dir flag to on so that FTP is allowed to write and read files to and from their home directories:
# getsebool ftp_home_dir
If not, you can enable it permanently with:
# setsebool -P ftp_home_dir 1
The expected output is shown below:
4. In order to restrict authenticated system users to their home directories, we will use:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
With the above chroot settings and an empty /etc/vsftpd/chroot_list file (which YOU need to create), you will restrict ALL system users to their home directories.
Important: Please note this still requires that you ensure that none of them has write permissions to the top directory.
If you want to allow a specific user (or more) outside their home directories, insert the usernames in /etc/vsftpd/chroot_list, one per line.
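The script below is an added example, not part of the original guide: it reads a vsftpd.conf and reports which local users the chroot settings from step 4 leave unconfined, so you can verify that the list file acts as an exemption list. The function names, the sample users alice and bob, and the temporary files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide); sample files are constructed.
# Print the effective value of option $2 in config $1, or default $3.
# vsftpd.conf lines are "option=value"; a line starting with "#" is a comment.
vsftpd_opt() {
    awk -F= -v k="$2" -v d="$3" '
        /^[[:space:]]*#/ { next }
        # Assumption: a repeated option takes its last value.
        $1 == k { d = substr($0, length(k) + 2); sub(/[[:space:]]+$/, "", d) }
        END { print d }' "$1"
}

# Classify the chroot policy (assumes values are written YES/NO, as in the guide):
#   all-except   all local users jailed, except names in the list file
#   only-listed  only names in the list file are jailed; all / none otherwise
chroot_policy() {
    user=$(vsftpd_opt "$1" chroot_local_user NO)
    list=$(vsftpd_opt "$1" chroot_list_enable NO)
    case "$user/$list" in
        YES/YES) echo all-except ;;
        YES/*)   echo all ;;
        */YES)   echo only-listed ;;
        *)       echo none ;;
    esac
}

# Usernames in the list file, one per line, blank lines skipped.
# /etc/vsftpd.chroot_list is vsftpd's documented default path.
listed_users() {
    f=$(vsftpd_opt "$1" chroot_list_file /etc/vsftpd.chroot_list)
    if [ -r "$f" ]; then awk 'NF { print $1 }' "$f"; fi
}

# Succeed if user $2 would NOT be confined to the home directory.
is_unconfined() {
    case $(chroot_policy "$1") in
        none)        return 0 ;;
        all)         return 1 ;;
        all-except)  listed_users "$1" | grep -qxF -- "$2" ;;
        only-listed) ! listed_users "$1" | grep -qxF -- "$2" ;;
    esac
}

# Constructed sample: the step 4 settings plus one exempted user (alice).
make_sample() {
    printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' "$1" > "$1/vsftpd.conf"
    printf 'alice\n' > "$1/chroot_list"
}
d=$(mktemp -d) && make_sample "$d"
for u in alice bob; do
    if is_unconfined "$d/vsftpd.conf" "$u"; then echo "$u: NOT confined"; else echo "$u: confined to home"; fi
done
rm -rf "$d"
```

To audit a live server, call is_unconfined with /etc/vsftpd/vsftpd.conf and each local account name.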