With cloud storage now the norm, FTP as a file transfer protocol can seem a bit "old-fashioned". However, FTP has a mature software ecosystem and well-developed permission control. You hardly need to do any development; you just need to choose the right software to create a file sharing server. It can be used for storing and sharing work documents or publishing digital products. If you, like me, want to set up an FTP server on a Raspberry Pi, this article shows how to install and configure a complete permission-controlled FTP service using vsftpd.
The goal is different permission controls for different users. For the security of the server, login with physical (system) user accounts is disabled and a virtual account verification mechanism is used, with different permissions set for different virtual accounts. To protect the performance of the server, the number of client connections and the download speed are also limited according to the user's level.
Install vsftpd
sudo apt-get install vsftpd vim db-util
Create User Database
1. Create a user text file. First, create a user text file vsftpd_virtualuser.txt and add two virtual accounts, a public account share and a client account upload.
sudo mkdir /etc/vsftpd
sudo touch /etc/vsftpd/vsftpd_virtualuser.txt
sudo vim /etc/vsftpd/vsftpd_virtualuser.txt
Format:
Virtual Account 1
Password
Virtual Account 2
Password
For example:
share
123456
upload
456789
Save and exit.
2. Generate the database. The text file storing the virtual accounts and passwords cannot be used directly for authentication. Use the db_load command to generate a db database file from it.
sudo db_load -T -t hash -f /etc/vsftpd/vsftpd_virtualuser.txt /etc/vsftpd/vsftpd_virtualuser.db
3. Modify the database file access permissions. The database file stores the password information of the virtual accounts. To prevent unauthorized users from reading it, set the generated authentication file's permissions to read and write for the root user only, i.e., 600. The text file vsftpd_virtualuser.txt holds the same passwords in plain text, so restrict or delete it as well once the database has been generated.
sudo chmod 600 /etc/vsftpd/vsftpd_virtualuser.db
Configure PAM File
To allow the server to use the database file for client authentication, vsftpd has to go through the system's PAM modules. PAM (Pluggable Authentication Modules) lets the authentication method of a program be changed by editing a configuration file, without reinstalling the application. The PAM configuration files are in /etc/pam.d/, which contains a large number of authentication-related configuration files, each named after its service. Edit the PAM configuration file corresponding to vsftpd, /etc/pam.d/vsftpd: comment out all default entries using "#" and add the following fields. The db= path is written without the .db suffix; pam_userdb appends it.
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_virtualuser
account required pam_userdb.so db=/etc/vsftpd/vsftpd_virtualuser
Create System Users Corresponding to Virtual Accounts
For the public account and client account, since different permissions need to be configured, the directories of the two accounts can be isolated to control user file access. The public account share corresponds to the system account ftpshare, with its home directory specified as /home/pi/ftp/share, while the client account upload corresponds to the system account ftpupload, with the home directory specified as /home/pi/ftp/upload.
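If execute permission is not set on a user's directory, login reports an error that the directory cannot be changed.
mkdir /home/pi/ftp
mkdir /home/pi/ftp/share
mkdir /home/pi/ftp/upload
sudo useradd -d /home/pi/ftp/share ftpshare
sudo useradd -d /home/pi/ftp/upload ftpupload
# The modes below apply to the owner only, so each directory must belong to its FTP account
sudo chown -R ftpshare:ftpshare /home/pi/ftp/share/
sudo chown -R ftpupload:ftpupload /home/pi/ftp/upload/
sudo chmod -R 500 /home/pi/ftp/share/
sudo chmod -R 700 /home/pi/ftp/upload/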
The public account share only allows downloads, so the permissions of the share directory are set to r-x (read and execute, mode 500). The client account upload allows both uploading and downloading, so the permissions of the upload directory are set to rwx (read, write, and execute, mode 700).
Create Configuration File
When a single configuration file cannot express different permissions for multiple virtual accounts, an independent configuration file has to be created and configured for each virtual account.
1. Modify the vsftpd.conf main configuration file. In the main configuration file /etc/vsftpd.conf, add the settings common to all virtual accounts and add the user_config_dir field, which defines the directory holding the per-account configuration files. Disable anonymous user login and enable local user login:
anonymous_enable=NO
local_enable=YES
# Restrict all local users to their home directories; NO means no restriction
chroot_local_user=YES
# Configure PAM module used by vsftpd as vsftpd
pam_service_name=vsftpd
# Directory holding the per-account configuration files for the virtual accounts
user_config_dir=/etc/vsftpd/vuserconfig
# Set the maximum number of clients for the FTP server to 300
max_clients=300
# Set the maximum number of connections per IP address to 10
max_per_ip=10
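# Allow login even though the chroot directory is writable by the user (needed for the upload account)
allow_writeable_chroot=YES
# Enable passive mode and restrict its data ports to 10000-20000 (this range must be open in the firewall)
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=20000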
2. Create virtual account configuration files. In the specified path of user_config_dir, create configuration files with the same name as the virtual accounts and add corresponding configuration fields. First, create the configuration file for the public account share:
sudo mkdir /etc/vsftpd/vuserconfig
sudo vi /etc/vsftpd/vuserconfig/share
# Enable virtual account login
guest_enable=yes
# Set the system account corresponding to ftp as ftpshare
guest_username=ftpshare
# Allow downloading files that are not world-readable
# (virtual accounts get anonymous-user privileges, so the anon_* options apply to them)
anon_world_readable_only=no
# Limit the transmission rate to 500KB/s
anon_max_rate=500000
Note: The speed limit for file transfers in vsftpd is not locked at an absolute value; it varies between 80% and 120%. For example, if you set it to 100KB/s, the actual speed will fluctuate between 80KB/s and 120KB/s.
Below is the configuration file for the client account upload:
sudo vi /etc/vsftpd/vuserconfig/upload
# Enable virtual account login
guest_enable=yes
# Set the system account corresponding to ftp as ftpupload
guest_username=ftpupload
# Allow downloading files that are not world-readable
anon_world_readable_only=no
# Allow write permissions in the file system
write_enable=yes
# Allow creating folders
anon_mkdir_write_enable=yes
# Enable anonymous account upload functionality
anon_upload_enable=yes
# Limit transmission speed to 1000KB/s
anon_max_rate=1000000
If the account also needs permission to delete files, you can add the following to the configuration:
anon_other_write_enable=YES
Restart vsftpd to Apply Configuration
sudo systemctl restart vsftpd
# Equivalent alternative using the service wrapper (run one of the two):
sudo service vsftpd restart
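The script below is an added example, not part of the original article: it audits the files created in the steps above (database and text file permissions, anonymous login, the PAM file, and a guest mapping for every virtual account). The function names and the optional root prefix argument are assumptions made for illustration; the file paths are the ones used in this guide.

```shell
#!/bin/sh
# Added example: audit the files this guide creates (not the author's code).
# The optional first argument is a hypothetical prefix, so the checks can run
# on a copy of /etc; with no argument the live system is inspected.

# Print the last value assigned to KEY in FILE, upper-cased (vsftpd takes
# key=value with no spaces and reads booleans case-insensitively).
conf_get() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1 | tr 'a-z' 'A-Z'
}

# Permission string of FILE as printed by ls, e.g. -rw-------
perms_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# Returns the number of failed checks as its exit status (0 = clean).
audit_vsftpd() {
    root=${1:-}; dir="$root/etc/vsftpd"; fails=0
    txt="$dir/vsftpd_virtualuser.txt"; pam="$root/etc/pam.d/vsftpd"

    # The credential database must be accessible to its owner only (600).
    [ "$(perms_of "$dir/vsftpd_virtualuser.db")" = "-rw-------" ] ||
        fail "vsftpd_virtualuser.db is not mode 600"
    # The plaintext list holds the same passwords as the database.
    if [ -e "$txt" ]; then
        case "$(perms_of "$txt")" in
            -rw-------|-r--------) ;;
            *) fail "$txt is not mode 600 or 400" ;;
        esac
    fi
    [ "$(conf_get "$root/etc/vsftpd.conf" anonymous_enable)" = NO ] ||
        fail "anonymous_enable is not NO"
    # Only pam_userdb may be active, otherwise system accounts can log in.
    grep -q '^auth.*pam_userdb\.so' "$pam" 2>/dev/null ||
        fail "PAM auth does not use pam_userdb.so"
    if grep -Ev '^[[:space:]]*(#|$)' "$pam" 2>/dev/null |
        grep -qv 'pam_userdb\.so'; then
        fail "PAM file has active lines other than pam_userdb.so"
    fi
    # Odd lines of the list are account names; each needs a guest mapping.
    if [ -e "$txt" ]; then
        for u in $(awk 'NR % 2 == 1' "$txt"); do
            [ -n "$(conf_get "$dir/vuserconfig/$u" guest_username)" ] ||
                fail "virtual user $u has no guest_username"
        done
    fi
    return "$fails"
}
```

Source the file and call audit_vsftpd as root after restarting vsftpd; each failed check is printed on its own line.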