Linux – vsftpd seems to disregard umask

ftp linux permissions umask upload

I configured my vsftpd to allow virtual users to upload files. However, I wanted all uploaded files to not be downloadable, thus depriving a potential attacker of the usefulness of storing his nefarious files.

So I put in my /etc/vsftpd/vsftpd.conf:

file_open_mode=0777
anon_umask=0577
local_umask=0577

I figured that one of the *_umask=0577 is superfluous, but it seems to be harmless, and it covers all my bases.

However, when I upload a file, it gets a -rw------- (0600) permission instead of --w------- (0200).

The questions are: Why? And how do I fix this?

Incidentally, my current configuration seems to do the correct thing, that is to allow only uploads, and disallow download of uploaded files, but I don't understand why.


Just to complete the picture, I also use:

virtual_use_local_privs=NO
guest_enable=YES
guest_username=my_ftp_user
chown_uploads=YES
chown_username=my_ftp_user

That works fine, and is there to help me enforce a global FTP quota.

Best Answer

You say:

> Incidentally, my current configuration seems to do the correct thing, that is to allow only uploads, and disallow download of uploaded files, but I don't understand why.

I saw this as a problem, which I tracked down to virtual_use_local_privs; I needed virtual_use_local_privs=YES.

Using this allowed local_umask and file_open_mode to be used correctly by the virtual users.
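An added example (not part of the original question or answer, and not vsftpd code): once local_umask and file_open_mode are honoured as the answer describes, the resulting mode is file_open_mode with the umask bits cleared. The sketch reproduces that with a real file and then audits a directory for uploads that still carry a read bit. The function names, file names and directory contents are constructed for illustration.

```python
import os
import stat
import tempfile

# Values from the question, plus the answer's virtual_use_local_privs=YES.
CONF = "file_open_mode=0777\nlocal_umask=0577\nvirtual_use_local_privs=YES\n"

def parse_conf(text):
    """Parse vsftpd.conf-style key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def expected_upload_mode(conf):
    """Requested mode with the umask bits cleared: file_open_mode & ~local_umask."""
    return int(conf["file_open_mode"], 8) & ~int(conf["local_umask"], 8) & 0o777

def create_like_upload(path, conf):
    """Create a file under the configured umask and return the mode the kernel set."""
    old = os.umask(int(conf["local_umask"], 8))
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL,
                         int(conf["file_open_mode"], 8)))
    finally:
        os.umask(old)  # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)

def readable_uploads(directory):
    """Names of regular files that still carry a read bit for user, group or other."""
    read_bits = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH
    return sorted(e.name for e in os.scandir(directory)
                  if e.is_file(follow_symlinks=False)
                  and e.stat(follow_symlinks=False).st_mode & read_bits)

def demo():
    """Constructed scenario: one write-only upload next to one 0600 upload."""
    conf = parse_conf(CONF)
    with tempfile.TemporaryDirectory() as d:
        actual = create_like_upload(os.path.join(d, "dropbox.bin"), conf)
        observed = os.path.join(d, "observed.bin")  # mode reported in the question
        open(observed, "wb").close()
        os.chmod(observed, 0o600)
        return expected_upload_mode(conf), actual, readable_uploads(d)

if __name__ == "__main__":
    expected, actual, flagged = demo()
    print(oct(expected), oct(actual), flagged)
```

Pointing readable_uploads at the real upload directory after a test upload shows whether the umask settings actually took effect for virtual users.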
