fauria / docker-vsftpd

🐳 vsftpd Docker image based on Centos 7. Supports passive mode and virtual users.
https://hub.docker.com/r/fauria/vsftpd/
Apache License 2.0

Manually add a new FTP user to an existing container #53

Open bguerout opened 4 years ago

bguerout commented 4 years ago

Hello,

The documentation provides an example to manually add a new FTP user to an existing container:

docker exec -i -t vsftpd bash
mkdir /home/vsftpd/myuser
echo -e "myuser\nmypass" >> /etc/vsftpd/virtual_users.txt
/usr/bin/db_load -T -t hash -f /etc/vsftpd/virtual_users.txt /etc/vsftpd/virtual_users.db
exit
docker restart vsftpd

Nevertheless, each time the container is restarted, virtual_users.txt is erased in run-vsftpd.sh, so the newly added user is deleted.

echo -e "${FTP_USER}\n${FTP_PASS}" > /etc/vsftpd/virtual_users.txt
/usr/bin/db_load -T -t hash -f /etc/vsftpd/virtual_users.txt /etc/vsftpd/virtual_users.db

Maybe I'm doing something wrong.

GodOfLamb commented 3 years ago

This is my exact issue - would you happen to have found a resolution for this, as I've spent hours on it and am still not getting anywhere?

917huB commented 3 years ago

+1 for any clues please.

phantom-artist commented 3 years ago

If anyone is still looking for a solution to this, I have a possibility but it involves changing quite a few scripts and 'breaking' some of the original solution.

You can move the location of virtual_users.db to a different directory and mount it on the host using VOLUME so that the user db persists across container restarts. I also eliminated the creation of default FTP_USER and start with an empty user db, creating users manually as-needed.

I make no comment on the security of doing this. You could try adding crypt=crypt to the vsftpd_virtual? https://nasauber.de/blog/2020/howto-virtual-users-for-vsftpd/ And ensure the .db file is only readable by root user?

A number of modifications are required to the source configuration and script files to enable this, but at a high-level the steps are:

  1. vsftpd_virtual: Shift the location of the virtual_users.db from /etc/vsftpd to /etc/vsftpd/db
  2. run-vsftpd.sh: eliminate the creation of FTP_USER and FTP_PASS when the container starts. Also, eliminate the lines that load the virtual_users.txt - the goal is to have run-vsftpd.sh not create any users when it runs. You will add users manually after startup. Ensure all references to the db are updated to reflect the new path, and references to FTP_USER/FTP_PASS are removed.
  3. Dockerfile: amend to create the /etc/vsftpd/db folder and VOLUME /etc/vsftpd/db, also copy in the addftpuser.sh script. Ensure all references to the db are updated to reflect the new path.
  4. Create a bespoke addftpuser.sh that is copied into the image that takes care of adding a user/password to virtual_users.db and creates the /home/vsftpd/user folder for the user using the techniques already described in the use-cases and existing scripts. Basically my script generates a password for the supplied user, writes it to a temp file using the username\npassword format, then loads that file into the db, then deletes the temp file. It then creates the /home/vsftpd/username folder if it doesn't exist.
  5. When you run the image, mount the /etc/vsftpd/db folder to a folder on the host, so the .db persists outside of the container lifecycle e.g. -v /path/on/host:/etc/vsftpd/db

With a running container you then do: docker exec -ti container /bin/bash addftpuser.sh username

Then you can start the container, create users as you need, and assuming you also mounted the /home/vsftpd volume too, if you stop/start the container, the user config persists. Also I didn't find the need to restart the container when a new user is added, authentication seems to work fine as soon as the user is added.

There is still an issue of duplicating config in vsftpd.conf each time you restart the same container, due to run-vsftpd.sh appending config using >> when it runs. I didn't fix this yet.
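One way to write the addftpuser.sh from step 4, added here as an example; it is not phantom-artist's script and not part of the fauria image. The paths come from the post, while the function names and the `DB_DIR`, `HOME_ROOT`, `DB_LOAD` and `HOME_OWNER` overrides are assumptions made for the example.

```shell
#!/bin/sh
# addftpuser.sh <username>  (added illustration, not the script from the thread)
# Paths follow the post; the variable names and overrides are assumptions.
DB_DIR=${DB_DIR:-/etc/vsftpd/db}          # mounted volume from step 5
HOME_ROOT=${HOME_ROOT:-/home/vsftpd}
DB_LOAD=${DB_LOAD:-/usr/bin/db_load}
HOME_OWNER=${HOME_OWNER:-}                # optional user:group for the new home

# The username becomes a db key and a directory name: refuse anything that
# could add a line to the username\npassword file or escape HOME_ROOT.
valid_username() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# 20 alphanumeric characters drawn from the kernel CSPRNG.
gen_password() {
    head -c 32 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-20
}

add_ftp_user() {
    user=$1
    valid_username "$user" || { echo "invalid username" >&2; return 1; }
    pass=$(gen_password)
    old_umask=$(umask)
    umask 077                              # temp file and db: owner-only
    tmp=$(mktemp "$DB_DIR/.adduser.XXXXXX") || { umask "$old_umask"; return 1; }
    # With crypt=crypt in the PAM config, write a crypt(3) hash here instead.
    printf '%s\n%s\n' "$user" "$pass" > "$tmp"
    rc=0
    "$DB_LOAD" -T -t hash -f "$tmp" "$DB_DIR/virtual_users.db" || rc=$?
    rm -f "$tmp"                           # remove the plaintext file even if the load failed
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return "$rc"
    chmod 600 "$DB_DIR/virtual_users.db"
    mkdir -p "$HOME_ROOT/$user"
    [ -z "$HOME_OWNER" ] || chown "$HOME_OWNER" "$HOME_ROOT/$user"
    printf '%s\n' "$pass"                  # shown once to the operator
}

if [ "$#" -gt 0 ]; then add_ftp_user "$1"; fi
```

Running it again for an existing name replaces that user's password, because db_load overwrites existing keys unless it is given -n.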

DanAmel commented 2 years ago

> If anyone is still looking for a solution to this, I have a possibility but it involves changing quite a few scripts and 'breaking' some of the original solution.
>
> You can move the location of virtual_users.db to a different directory and mount it on the host using VOLUME so that the user db persists across container restarts. I also eliminated the creation of default FTP_USER and start with an empty user db, creating users manually as-needed.
>
> I make no comment on the security of doing this. You could try adding crypt=crypt to the vsftpd_virtual? https://nasauber.de/blog/2020/howto-virtual-users-for-vsftpd/ And ensure the .db file is only readable by root user?
>
> A number of modifications are required to the source configuration and script files to enable this, but at a high-level the steps are:
>
>   1. vsftpd_virtual: Shift the location of the virtual_users.db from /etc/vsftpd to /etc/vsftpd/db
>   2. run-vsftpd.sh: eliminate the creation of FTP_USER and FTP_PASS when the container starts. Also, eliminate the lines that load the virtual_users.txt - the goal is to have run-vsftpd.sh not create any users when it runs. You will add users manually after startup. Ensure all references to the db are updated to reflect the new path, and references to FTP_USER/FTP_PASS are removed.
>   3. Dockerfile: amend to create the /etc/vsftpd/db folder and VOLUME /etc/vsftpd/db, also copy in the addftpuser.sh script. Ensure all references to the db are updated to reflect the new path.
>   4. Create a bespoke addftpuser.sh that is copied into the image that takes care of adding a user/password to virtual_users.db and creates the /home/vsftpd/user folder for the user using the techniques already described in the use-cases and existing scripts. Basically my script generates a password for the supplied user, writes it to a temp file using the username\npassword format, then loads that file into the db, then deletes the temp file. It then creates the /home/vsftpd/username folder if it doesn't exist.
>   5. When you run the image, mount the /etc/vsftpd/db folder to a folder on the host, so the .db persists outside of the container lifecycle e.g. -v /path/on/host:/etc/vsftpd/db
>
> With a running container you then do: docker exec -ti container /bin/bash addftpuser.sh username
>
> Then you can start the container, create users as you need, and assuming you also mounted the /home/vsftpd volume too, if you stop/start the container, the user config persists. Also I didn't find the need to restart the container when a new user is added, authentication seems to work fine as soon as the user is added.
>
> There is still an issue of duplicating config in vsftpd.conf each time you restart the same container, due to run-vsftpd.sh appending config using >> when it runs. I didn't fix this yet.

Hello, can you share with me a sample of your addftpuser.sh file? Thanks

phantom-artist commented 2 years ago

I've posted the complete solution here https://github.com/phantom-artist/vsftpd if you want details of the scripts etc. Again, kudos to fauria for creating this great project, on which my solution is based!