1

I configured my vsftpd to allow virtual users to upload file. However I wanted all uploaded files to not be downloadable, thus depriving a potential attacker the usefulness of storing his nefarious files.

So I put in my /etc/vsftpd/vsftpd.conf:

file_open_mode=0777
anon_umask=0577
local_umask=0577

I figured that one of the *_umask=0577 is superfluous, but it seems to be harmless, and it cover all my bases.

However, when I upload a file, it gets a:

-rw------ (0600) permission instead of --w------ (0200).

The questions are: Why? and How to fix this?.

Incidentally, my current configuration seem to do the correct thing, that is to allow only uploads, and disallow download of uploaded files, but I don't understand why.

Just to complete the picture, I also use:

virtual_use_local_privs=NO
guest_enable=YES
guest_username=my_ftp_user
chown_uploads=YES
chown_username=my_ftp_user

that works fine, and is there to help me enforce global ftp quota.

Chen Levy
  • 283
  • 3
  • 13

2 Answers2

3

You say:

Incidentally, my current configuration seem to do the correct thing, that is to allow only >uploads, and disallow download of uploaded files, but I don't understand why.

I saw this as a problem, which I tracked down to virtual_use_local_privs, I needed virtual_use_local_privs=YES

Using this allowed local_umask and file_open_mode to be used correctly by the virtual users.

ottov123
  • 31
  • 2
1

I've read many posts and answers looking for a solution to this issue.

Users were uploading files to my vsftpd server but the permissions were not being set correctly. Specifically I wanted files to be created with a chmod of 664.

To enable this I tried setting the vsftpd.conf local_umask to 0002. It did not work. The group permissions were not set to write in the file uploaded.

I discovered that the umask of the user uploading the file also needed to be set to 0002.

But most importantly, the user umask has to be set by a umask 0002 command in the user's ~/.bashrc file.

If you set the umask elsewhere - e.g. in the ~/.bash_profile file it does not work.

Mark Jeynes
  • 11
  • 1