Linux Box Admin
Trusted Remote Administration

Vsftpd
Wednesday, 07 March 2007
   

The "vs" in vsftpd stands for "very secure". It was designed from the ground up for security. The FTP server refuses to start unless a few requirements are met:

  1. the user "ftp" with a valid home directory
  2. the user "nobody"
  3. an empty directory (/usr/share/empty)

If vsftpd is installed from a package, all of these requirements should already be met.

 

Configuration file

The default configuration file is vsftpd.conf.

Only anonymous connections are allowed unless this option is set:

        # Uncomment this to allow local users to log in.
        local_enable=YES

 

No users, local or anonymous, can upload files unless this option is set:

        # Uncomment this to enable any form of FTP write command.
        write_enable=YES

 

The anonymous user cannot upload files unless this option is set:

        anon_upload_enable=YES

In addition, the write_enable option must be set AND the anonymous user must have write permission on the upload directory (the home directory of user "ftp").

 

Locking users in a chroot jail

Edit the vsftpd.conf file and set these options:

        chroot_list_enable=YES
        chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

 

Then create or edit the chroot list file, vsftpd.chroot_list, and add the local users that should be jailed. When a user from the list logs in over FTP, they see their home directory as the root directory. The user's home directory can be changed to any location the user has permissions for.
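
The option interactions described above, as an added example that is not part of the original article: a small Python check that reads vsftpd.conf text and reports which logins and uploads are in effect and which local users are jailed. The defaults and the chroot_local_user case go beyond the article and follow the vsftpd.conf man page; the sample config, the user names and the function names are constructed for illustration.

```python
# Added example, not from the original article. Defaults follow vsftpd.conf(5).
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
            "anon_upload_enable": "NO", "chroot_local_user": "NO",
            "chroot_list_enable": "NO"}

def parse_conf(text):
    """Return effective options from vsftpd.conf text (option=value, # comments)."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment (option stays at its default) or junk
        key, value = line.split("=", 1)  # vsftpd allows no spaces around "="
        opts[key] = value
    return opts

def on(opts, key):
    return opts.get(key, "NO").upper() == "YES"

def audit(opts):
    write = on(opts, "write_enable")
    anon = on(opts, "anonymous_enable")
    local = on(opts, "local_enable")
    return {
        "anonymous_login": anon,
        "local_login": local,
        "local_write": local and write,
        # Config side only: the upload directory must also be writable by "ftp".
        "anon_upload": anon and write and on(opts, "anon_upload_enable"),
    }

def is_jailed(opts, user, listed_users):
    """True if this local user is chrooted to their home directory."""
    in_list = on(opts, "chroot_list_enable") and user in listed_users
    if on(opts, "chroot_local_user"):
        return not in_list  # everyone is jailed; the list becomes an exemption list
    return in_list          # the article's case: only listed users are jailed

# Constructed sample: the article's options with write_enable left commented out.
SAMPLE_CONF = """local_enable=YES
#write_enable=YES
anon_upload_enable=YES
chroot_list_enable=YES
"""
SAMPLE_LIST = ["alice"]  # constructed contents of the chroot list file

if __name__ == "__main__":
    opts = parse_conf(SAMPLE_CONF)
    print(audit(opts), {u: is_jailed(opts, u, SAMPLE_LIST) for u in ("alice", "bob")})
```

With the sample, anon_upload_enable=YES has no effect because write_enable is still commented out, and only the listed user is jailed.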

   
       
         
 

Copyright © 2006,2007 Linux Box Admin.

 