
I'm a bit confused about the difference regarding vsftpd configuration between local users and virtual users. From the point of view of vsftpd, it doesn't know if a user is a local user or a virtual user, does it? vsftpd just connects to the PAM module set in pam_service_name, and if the credentials are correct according to PAM, the login is accepted.

So, why does the vsftpd documentation make a distinction between them?

For instance, I have got a personalized PAM module that takes login credentials from a database that doesn't use local system (/etc/passwd) users, and consequently, I cannot log in using any system account, even when local_enable is set to YES in my documentation.

This confusion is what makes me not fully understand the purpose of virtual_user_local_privs. Under which circumstances does vsftpd treat a logged-in user as local or virtual? Does PAM notify vsftpd in some way, or what? Or is there something that I've completely misunderstood?

Are these configuration options, maybe, still present for legacy reasons?

All of this confusion comes from vsftpd not providing actual documentation, but just a reference.

ABu

2 Answers


It is all about the permissions. All files and directories in Linux have a standard set of access permissions. These access permissions control who can access what files, and provide a fundamental level of security to the files and directories in a system. The main difference between virtual and local users is that local users own their home dirs. Virtual users by default have the same permissions as the anonymous user.

badbuka

The difference I was looking for is extracted from one of the vsftpd configuration examples in this forked GitHub repo:

guest_enable=YES
guest_username=virtual

The guest_enable option is very important: it activates virtual users! And guest_username says that all virtual users are mapped to the real user "virtual" that we set up above.

So local users are just any users that can be logged in according to the configured PAM service, and virtual users are local (PAM) users that act (after being logged in) as the same actual local (/etc/passwd) user. I guess that you can change your guest_username on a per-user basis to identify "virtual ftp user groups".

When you personalize your PAM service to create non-system users (a custom list of usernames and passwords that don't exist in /etc/passwd), vsftpd cannot work properly, since these users don't really exist in the system, so permissions cannot be checked when uploading or reading directories or files.

So you need a system user acting on behalf of them. That's where guest_enable comes into play: every logged-in user will act as guest_username, which must exist as a /etc/passwd user.

ABu