Fixing Write Permissions for Chrooted FTP Users in vsftpd

Abstract

The vsftpd version that comes with Ubuntu 12.04 Precise does not permit chrooted local users to write by default.

By default you will have this in /etc/vsftpd.conf:

chroot_local_user=YES
write_enable=YES

In order to allow local users to write, you need to add the following parameter:

allow_writeable_chroot=YES

The solution is to update your vsftpd version to one that supports this parameter, e.g.:

$ sudo add-apt-repository ppa:thefrontiergroup/vsftpd
$ sudo apt-get update
$ sudo apt-get install vsftpd

If you additionally want to map the local user to another account, e.g. www-data, so that all files written by your local user are owned by www-data (the Apache user), you may configure /etc/vsftpd.conf like this:

listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
guest_enable=YES
ftp_username=www-data
chmod_enable=YES
chown_uploads=YES
chown_username=www-data
guest_username=www-data
force_dot_files=YES
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=1024
pasv_max_port=65535
max_clients=10
max_per_ip=10
port_promiscuous=YES
port_enable=YES
listen_port=21
ftp_data_port=20
user_sub_token=$USER
hide_ids=YES
user_config_dir=/etc/vsftpd
chroot_local_user=YES
allow_writeable_chroot=YES

Also create the directory named in user_config_dir:

$ sudo mkdir /etc/vsftpd
$ cd /etc/vsftpd

Then create a file named after the user:

$ sudo nano <youruser>

with this content:

local_root=/var/www/www.example.com/htdocs
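
A small audit for the /etc/vsftpd.conf shown above, added here as an example (not part of the original article or of vsftpd): it parses the file in vsftpd's strict option=value form and reports the three options in that config that switch off a built-in safety check. The function names, the finding wording and the sample text are assumptions of this example; per-user files under user_config_dir are not read.

```python
import re

# Options from the page's config whose YES value switches off a vsftpd safety
# check (descriptions paraphrase the vsftpd.conf man page).
RISKY_WHEN_YES = {
    "pasv_promiscuous": "PASV peer IP is not checked against the control connection",
    "port_promiscuous": "PORT target is not checked against the client address",
    "allow_writeable_chroot": "user may write to the root of their chroot",
}
TRUE_VALUES = {"YES", "TRUE", "1"}  # boolean spellings vsftpd accepts
# Strict option=value: no whitespace around '=' and none after the value.
OPTION_RE = re.compile(r"^([a-z0-9_]+)=((?:\S(?:.*\S)?)?)$")

def parse_conf(text):
    """Return (settings, bad_lines); a later assignment overrides an earlier one."""
    settings, bad_lines = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        match = OPTION_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
        else:
            bad_lines.append(lineno)
    return settings, bad_lines

def audit(text):
    """Return findings: malformed lines first, then risky options that are on."""
    settings, bad_lines = parse_conf(text)
    findings = [f"line {n}: not in strict option=value form" for n in bad_lines]
    for option, why in RISKY_WHEN_YES.items():
        if settings.get(option, "NO").upper() in TRUE_VALUES:
            findings.append(f"{option}=YES: {why}")
    return findings

# Constructed sample: four lines taken from the config above plus one
# deliberately malformed line (spaces around '=').
SAMPLE = """\
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_promiscuous=YES
port_promiscuous=YES
write_enable = YES
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real file, pass its contents: audit(open("/etc/vsftpd.conf").read()).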

Important

Local users means they have to exist in /etc/passwd.

I couldn't make the solution work with Lucid and libpam-pwdfile, which makes totally virtual users possible with an alternate auth file, in which users were created with the Apache utility htpasswd.

Looks like this depends on changing the password crypt mechanism in Precise and always needs local login rights via PAM.

Some links say that use of -d (force CRYPT encryption of the password) in htpasswd should work; after all, it did not work on my server.

Robert Schetterer, 25. March 2013