Configuring VSFTPD Default Permissions: Setting 775 for New Files and Directories



When working with VSFTPD (Very Secure FTP Daemon), newly created files and directories inherit permissions based on the server's umask setting. The default configuration often results in stricter permissions (typically 755 for directories and 644 for files) than what developers might prefer for collaborative environments.

A umask works inversely: it lists the permission bits to remove from the default maximum permissions (resulting mode = maximum AND NOT umask), so plain subtraction only gives the right answer when every masked bit is set in the maximum. To achieve 775 permissions (rwxrwxr-x), we work backwards to the appropriate umask value:

# Default maximum permissions:
Directories: 777 (rwxrwxrwx)
Files: 666 (rw-rw-rw-)

# Desired permissions:
Directories: 775 (rwxrwxr-x) → umask = 777 - 775 = 002
Files: 664 (rw-rw-r--) → umask = 666 - 664 = 002

Edit your vsftpd.conf file (typically located at /etc/vsftpd.conf) and add these directives:

# Set umask for files and directories
local_umask=002
# Optional: base mode for uploaded files (this is the vsftpd default).
# It does not affect directories; local_umask is applied on top, giving 664.
file_open_mode=0666
# Optional: For anonymous uploads
anon_umask=002
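
To see what a given combination of these directives produces, the following added example (not part of the original article or of vsftpd) computes the effective modes for local-user uploads and flags executable or world-writable results. It assumes the defaults and the leading-zero octal rule documented in the vsftpd.conf man page; the sample configs are constructed.

```python
import stat

# Defaults documented in vsftpd.conf(5).
DEFAULTS = {"local_umask": "077", "file_open_mode": "0666"}

def parse_mode(value):
    """vsftpd reads a numeric option as octal only if it starts with '0';
    otherwise it is taken as a base-10 integer."""
    return int(value, 8) if value.startswith("0") else int(value, 10)

def effective_modes(conf_text):
    """Return (file_mode, dir_mode) for local-user uploads under this config."""
    opts = dict(DEFAULTS)
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    umask = parse_mode(opts["local_umask"]) & 0o777
    # Uploaded files start from file_open_mode, then the umask is applied.
    file_mode = parse_mode(opts["file_open_mode"]) & 0o777 & ~umask
    # Assumption: new directories start from 0777, as the article states.
    dir_mode = 0o777 & ~umask
    return file_mode, dir_mode

def findings(conf_text):
    """Flag results a reviewer would question on a shared upload area."""
    file_mode, dir_mode = effective_modes(conf_text)
    issues = []
    if file_mode & 0o111:
        issues.append("uploaded files are created executable")
    if (file_mode | dir_mode) & 0o002:
        issues.append("uploads are world-writable")
    return issues

# Constructed sample configs (not taken from a real server).
SAMPLES = {
    "umask only": "local_umask=002\n",
    "exec base mode": "local_umask=002\nfile_open_mode=0775\n",
    "missing leading 0": "local_umask=22\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        f, d = effective_modes(conf)
        print(f"{name:18} files {stat.filemode(stat.S_IFREG | f)} "
              f"dirs {stat.filemode(stat.S_IFDIR | d)} {findings(conf)}")
```

The third sample shows why the leading zero matters: `local_umask=22` is read as decimal 22 (octal 026), not octal 022.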

For more complex setups where you need different permissions based on user groups:

# Example using pam_umask with vsftpd
session    optional     pam_umask.so umask=002

Combine this with group permissions management:

# Create shared group
sudo groupadd ftpaccess
sudo usermod -a -G ftpaccess username1
sudo usermod -a -G ftpaccess username2

# Set SGID bit on directories
chmod g+s /path/to/shared/folder

If permissions don't apply as expected:

  • Check vsftpd is running with correct config: sudo systemctl restart vsftpd
  • Verify parent directory permissions: ls -ld /path/to/parent
  • Test with different users: sudo -u testuser touch testfile

For a web development team working on WordPress sites:

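# /etc/vsftpd.conf
local_umask=002
# Base mode for uploaded files; with umask 002 this yields 664
file_open_mode=0666
# chown_uploads changes ownership of anonymously uploaded files only
chown_uploads=YES
chown_username=www-data
# Lets users log in when their chroot directory is writable
allow_writeable_chroot=YES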

This configuration ensures:

  1. New files are group-writable (664)
  2. Directories have proper execute bits (775)
  3. Uploaded files maintain web server compatibility

To achieve 775 permissions (rwxrwxr-x), we need to understand how umask works:

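Desired Permission: 775 (directory) or 664 (file)
Umask Formula: 777 - desired_permission
Required Umask: 002 (for directories) or 113 (for files)

Files start from 666 rather than 777, so umask 002 also yields 664 for files. vsftpd applies a single local_umask to both files and directories, which is why the settings here use 002.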

VSFTPD provides several ways to control permissions:

1. Global Umask Setting

# /etc/vsftpd.conf
local_umask=002
file_open_mode=0664

2. Per-User Settings

# Add to /etc/vsftpd.conf
user_config_dir=/etc/vsftpd_user_conf
# Then create individual files for users
# /etc/vsftpd_user_conf/username
local_umask=002

3. Using anon_umask for Anonymous Users

anon_umask=002
anon_upload_enable=YES

After making changes, ensure they work properly:

# Restart VSFTPD
sudo systemctl restart vsftpd

# Test by creating file through FTP
ftp localhost
# (login and create test file)

# Check permissions locally
ls -l /path/to/ftp/upload

  • Parent directory permissions may override settings
  • SELinux contexts might interfere
  • User home directory umask could affect results
  • Group ownership must be properly set

For more control, combine with these settings:

chown_uploads=YES
chown_username=ftpadmin
chmod_enable=YES
force_dot_files=YES

Remember that these settings must align with your server's security requirements. Always test changes in a staging environment before applying to production.