Add more than 10 users on the FTP server

[jappish84]

I have a few friends that need access to my FTP share from time to time. I just noticed that the maximum number of allowed users is 10. Would it possible to increase this?

I tried adding more users by changing '/etc/vsftpd.conf' file but my changes are reverted to original file after a reboot.

I have tried stopping vsftpd before changing the file with 'service stop.vsftpd'
Even though the console said it worked, the server was still running and I could connect to it

 

[ColinTaylor]

'service stop.vsftpd' is not a valid command. Typing "service <anything>" will always return "Done".

To test temporary changes just "killall vsftpd" followed by "vsftpd /etc/vsftpd.conf".

To make permanent changes you'll need to create a vsftpd.postconf script.

 

[jappish84]

Ok, thanks ColinTaylor !

Does this look like correct usage of postconf scripts?

/jffs/scripts/vsftpd.postconf

#!/bin/sh
CONFIG=$1

source /usr/sbin/helper.sh

pc_replace "max_clients=10" "max_clients=20" $CONFIG
pc_replace "ftpd_banner=Welcome to ASUS RT-AC3200 FTP service." "My custom message" $CONFIG

 

[ColinTaylor]

Yes that looks correct. Either reboot the router to effect the changes or I think the following will work:

service restart_ftpsamba

 

[Jack Yaz]

Yes that looks correct. Either reboot the router to effect the changes or I think the following will work:

service restart_ftpsamba

I think either of the below will work if Colin's doesn't!

service restart_nasapps

or

service restart_ftpd

 

[jappish84]

Ok,

I tried all three restart commands mentioned above, none seem to work. They all return "Done" but service isn't actually restarted. I went on and rebooted the router instead, but the postconf script doesn't seem to do anything.

Checking

/etc/vsftpd.conf

shows unchanged lines

Using the Web-UI, the add-user button is greyed out.

I have made sure that JFFS custom scripts and configs are enabled under Administrator --> System

I even tried commenting out the last line in:

/jffs/scripts/vsftpd.postconf

#!/bin/sh
CONFIG=$1

source /usr/sbin/helper.sh

pc_replace "max_clients=10" "max_clients=20" $CONFIG
# pc_replace "ftpd_banner=Welcome to ASUS RT-AC3200 FTP service." "My custom message" $CONFIG

Still no change to "max_clients" after reboot

 

[Jack Yaz]

Does syslog show the postconf file is being run? If not, make sure you've made the script executable.

chmod +x /jffs/scripts/vsftpd.postconf

 

[jappish84]

Does syslog show the postconf file is being run? If not, make sure you've made the script executable.

chmod +x /jffs/scripts/vsftpd.postconf

I didn't make the script executable on my first 2 tries, but I did make it executable before my last reboot.
I can see it's being run in the syslog:

Mar 12 13:55:22 custom_script: Running /jffs/scripts/vsftpd.postconf (args: /etc/vsftpd.conf)
Mar 12 13:55:22 FTP_server: daemon is started

I can see that the script has been run even before I ran:

chmod +x /jffs/scripts/vsftpd.postconf

 

[ColinTaylor]

Did you create the file in "Unix format" rather than Windows (i.e. with an editor like vi or nano)?

If the later try this to fix the file format:

dos2unix /jffs/scripts/vsftpd.postconf

 

[ColinTaylor]

Using the Web-UI, the add-user button is greyed out.

Allow anonymous login must be Off.

 

[jappish84]

I wrote the "/jffs/scripts/vsftpd.postconf" file using nano through ssh

I tried runnning the "dos2unix" command and restarted the FTP-service using the "FTP enable" toggle switch in the web-ui

I can now see that "/etc/vsftpd.conf" has been configured to "max_clients=20"

The "add user" button is still greyed out though and I still can't add more users. "Allow anonymous login" is off, and has always been. It's greyed out because I have 10 users in the list + admin-account. I have made sure to reload the page.


EDIT: could it be that the web-ui does not check vsftpd.conf but uses the 10 user limitation defined elsewhere?

 

[RMerlin]

The webui limit is hardcoded. Changing vsftpd will only allow more simultaneous users to log in (something your router's CPU will probably struggle with).

 

[jappish84]

That's a shame - any chance this can be changed in future FW updates?

On the other hand, shouldn't I be able to add users manually following vsftpd instructions?
The thing is, the odds that all the users will be using the ftp service simultaneously are low. But I still can't give them the same login credentials since they need different access to different folders

 

[ColinTaylor]

On the other hand, shouldn't I be able to add users manually following vsftpd instructions?

If you're willing to administer it through SSH instead of the GUI you could probably use a vsftpd.conf.add file to add the extra users.

 

[jappish84]

If you're willing to administer it through SSH instead of the GUI you could probably use a vsftpd.conf.add file to add the extra users.

Thanks for the tip with .add @ColinTaylor

Will read up on setting up users with vsftpd and give it shot.

Cheers

 

[jappish84]

vsftp question:

The guides I found for configuring new users to vsftpd instruct to creat a chroot folder where the new user will have access to.

It seems this is a bit different from how the current configuration in the FW works because I can see some .__username_var.txt and .__sameusername_var.txt.193 (with some users it ends with "229", "219", "204" and "257") files on my ftp share where access to folders seems to be defined. Could I simply

Currently I'm looking at these instructions

I can also see that userlist_enable=YES doesn't seem to be the way vsftpd is configured at the moment, so how does vsftpd know which users to grant access, through the .txt files mentioned above?

 

[ColinTaylor]

Asuswrt's implementation of vsftpd is very non-standard with regard to user accounts. I guess they've attempted to dumb-it-down for non-technical users. You can pretty much ignore everything written in the official doc's.

As you've discovered they use the hidden files in the root of the USB drive to keep track of folders, users and permissions! It's used for both FTP and Samba I believe. You can either try and reverse engineer what they're doing and modify those files, or just ignore it and work around it. I think you'll have more luck with the later.

Have a look in /etc /passwd and /etc /group. You'll see the current users in there. Try adding to those files with /jffs/configs/passwd.add and /jffs/configs/group.add. Then add extra FTP sections with vsftpd.conf.add.

 

[ColinTaylor]

OK This is more complicated than I remembered. I was conflating the Samba users with the FTP users in my mind.

vsftpd seems to rely directly on the user accounts and passwords stored in NVRAM variables acc_num and acc_list. You could try increasing that account list beyond 10 and seeing what happens.

EDIT: I've just tried increasing it to 16 (but I'm using John's firmware not Merlin's). If I then go to the GUI FTP page I can see all the accounts and it creates the corresponding hidden files on the USB drive, and populates etc passwd and group. YMMV

 

[jappish84]

Ok, that's great, have you tried connecting to the newly created users as well?

Ok, so I took a look at /etc / passwd and /etc / group and they seem to simply count to 10, no?
I'm sorry, I'm not following, what do you mean with FTP sections in the vsftpd.conf file?

I'm gonna need some help with NVRAM, I can see the values in acc_num and acc_list, how do I modify them to have them permanently set?

 

[ColinTaylor]

I'm sorry, I'm not following, what do you mean with FTP sections in the vsftpd.conf file?

Sorry, ignore what I said about that. That was the part where I got confused between vsftpd and samba. With samba you can add sections to the config for each share.

Let's try something simple and see if it works:

nvram get acc_num
nvram get acc_list

So assuming that acc_num is 10 lets increase it to 11.

nvram set acc_num=11

Now lets add the corresponding account (user test1 and password mypassword) to the existing list. Note that the user name has angle brackets (<>) around it.

nvram set acc_list="$(nvram get acc_list)<test1>mypassword"

Now load the GUI's FTP page (or refresh it) and hopefully you'll see the new account. Applying the settings on this page will commit the NVRAM changes we made earlier.