The vsftpd package contains a very secure and very small FTP daemon. This is useful for serving files over a network.
This package is known to build and work properly using an LFS-11.0 platform.
Download (HTTP): https://security.appspot.com/downloads/vsftpd-3.0.5.tar.gz
Download MD5 sum: efbf362a65bec771bc15ad311f5a982e
Download size: 210 KB
Estimated disk space required: 1.9 MB
Estimated build time: less than 0.1 SBU
User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/vsftpd
For security reasons, running vsftpd as an unprivileged user and group is
encouraged. Also, a user should be created to map anonymous users.
As the root user, create the needed
directories, users, and groups with the following commands:
install -v -d -m 0755 /usr/share/vsftpd/empty && install -v -d -m 0755 /home/ftp && groupadd -g 47 vsftpd && groupadd -g 45 ftp && useradd -c "vsftpd User" -d /dev/null -g vsftpd -s /bin/false -u 47 vsftpd && useradd -c anonymous_user -d /home/ftp -g ftp -s /bin/false -u 45 ftp
Gcc-10 and later flags an error for an implicit type cast. Make it explicit:
sed -e "s/kVSFSysStrOpenUnknown;/(enum EVSFSysUtilOpenMode)&/" -i sysstr.c
Build vsftpd as an unprivileged user using the following command:
make
This package does not come with a test suite.
Once again, become the root user
and install vsftpd with the
following commands:
install -v -m 755 vsftpd /usr/sbin/vsftpd && install -v -m 644 vsftpd.8 /usr/share/man/man8 && install -v -m 644 vsftpd.conf.5 /usr/share/man/man5 && install -v -m 644 vsftpd.conf /etc
install -v -d ...:
This creates the directory that anonymous users will use
(/home/ftp) and the directory the
daemon will chroot into (/usr/share/vsftpd/empty).
![[Note]](../images/note.png)
/home/ftp should not be owned by
the user vsftpd, or the user
ftp.
echo "#define VSF_BUILD_TCPWRAPPERS" >>builddefs.h: Use this prior to make to add support for tcpwrappers.
echo "#define VSF_BUILD_SSL" >>builddefs.h: Use this prior to make to add support for SSL.
install -v -m ...:
The Makefile uses non-standard
installation paths. These commands install the files in
/usr and /etc.
vsftpd comes with a basic
anonymous-only configuration file that was copied to /etc above. While still as root, this file should be modified because it
is now recommended to run vsftpd in standalone mode.
Also, you should specify the privilege separation user created
above. Finally, you should specify the chroot directory. man vsftpd.conf will give you
all the details.
cat >> /etc/vsftpd.conf << "EOF"
background=YES
nopriv_user=vsftpd
secure_chroot_dir=/usr/share/vsftpd/empty
EOF
The vsftpd daemon uses seccomp to improve security by default.
But it's known to cause vsftpd unable to handle ftp LIST command with recent kernel versions. Append
a line to /etc/vsftpd.conf (as the
root user) to disable seccomp and
workaround this issue:
cat >> /etc/vsftpd.conf << "EOF"
seccomp_sandbox=NO
EOF
To enable local logins, append the following to the /etc/vsftpd.conf file (as the root user):
cat >> /etc/vsftpd.conf << "EOF"
local_enable=YES
EOF
In addition, if using Linux-PAM
and vsftpd with local user
logins, you will need a Linux-PAM configuration file. As the
root user, create the
/etc/pam.d/vsftpd file, and add the
needed configuration changes for Linux-PAM session support using the
following commands:
cat > /etc/pam.d/vsftpd << "EOF" &&# Begin /etc/pam.d/vsftpd auth required /lib/security/pam_listfile.so item=user sense=deny \ file=/etc/ftpusers \ onerr=succeed auth required pam_shells.so auth include system-auth account include system-account session include system-sessionEOF cat >> /etc/vsftpd.conf << "EOF"session_support=YES pam_service_name=vsftpdEOF
Install the vsftpd.service unit included in the
blfs-systemd-units-20210819 package:
make install-vsftpd
Last updated on