fix(ftp): agent self-heals vsftpd config + /etc/shells (fixes 530 login)#24

Merged
nechodom merged 1 commit into main from fix/ftp-vsftpd-config-selfheal
Jul 1, 2026

@nechodom nechodom commented Jul 1, 2026

The bug

FTP set the system user's password fine, but login was refused (530 Login incorrect) because vsftpd was never actually configured for local-user FTP on the node — that setup only lived in the one-time install script. A node installed before that block existed (or where vsftpd got auto-installed later by the agent) ends up with:

  • Debian's stock /etc/vsftpd.conf (local_enable commented → NO) → local users can't log in; and/or
  • an /etc/shells without /usr/sbin/nologin → the vsftpd PAM's pam_shells rejects every hosting user (they have a nologin shell).

ensure_vsftpd_running only started the service — its doc even claimed it wrote "our local config block", but it never did.

Fix

New ensure_vsftpd_configured(), called on every FTP-enable, idempotently:

  • installs the Hyperion vsftpd.conf (local_enable/chroot/pam_service_name/…), backing up the original as *.hyperion-orig (mirrors the installer);
  • adds /usr/sbin/nologin + /bin/false to /etc/shells;
  • restarts vsftpd only when the config was actually wrong.

So FTP works regardless of when/how the node was set up.

On s4 after deploy

Update, then re-hit Set FTP password on the hosting — that runs the self-heal (writes config + /etc/shells + restarts vsftpd) and the login will work.

Test

clippy -D warnings clean; config-directive sanity test + adapters suite green.

🤖 Generated with Claude Code

…lly works

FTP set the system user's password correctly, but login was refused with "530
Login incorrect" because vsftpd wasn't actually CONFIGURED for local-user FTP on
the node — the config only ever came from the one-time install script. A node
installed before that block existed, or where vsftpd was auto-installed later by
ensure_vsftpd_running, has:
  - Debian's stock /etc/vsftpd.conf (local_enable commented → NO), and/or
  - an /etc/shells without /usr/sbin/nologin, so the vsftpd PAM's pam_shells
    rejects every hosting user (they have a nologin shell).

ensure_vsftpd_running only STARTED vsftpd (its doc claimed it wrote "our local
config block" — it never did). Add ensure_vsftpd_configured(), called on every
FTP-enable, which idempotently installs the Hyperion vsftpd.conf (backing up the
original) + adds /usr/sbin/nologin,/bin/false to /etc/shells + restarts vsftpd
only when the config was wrong.

clippy -D warnings clean; config-directive sanity test + adapters suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@nechodom nechodom merged commit 5133f33 into main Jul 1, 2026
1 check passed
@nechodom nechodom deleted the fix/ftp-vsftpd-config-selfheal branch July 1, 2026 08:18
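
The two failure conditions described in this PR, as an added Rust example that is not the project's own code: pure functions that check a vsftpd.conf body for an effective `local_enable` and idempotently add the nologin shells to `/etc/shells` content. All function names and the sample inputs are assumptions constructed for illustration.

```rust
// Added example (not Hyperion code): check both 530 causes on file contents.

/// Effective value of `key` in a vsftpd.conf body. Commented lines are ignored.
/// vsftpd allows no spaces around '='; assumption here: the last occurrence wins.
fn effective_directive(conf: &str, key: &str) -> Option<String> {
    conf.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| l.split_once('='))
        .filter(|(k, _)| *k == key)
        .map(|(_, v)| v.to_string())
        .last()
}

/// Local-user login needs local_enable=YES (this check accepts only YES, any case).
fn local_login_enabled(conf: &str) -> bool {
    effective_directive(conf, "local_enable").map_or(false, |v| v.eq_ignore_ascii_case("YES"))
}

/// pam_shells accepts a user only if the login shell is listed in /etc/shells.
fn shell_listed(shells: &str, shell: &str) -> bool {
    shells.lines().map(str::trim).any(|l| l == shell)
}

/// Append each missing shell once; returns (new content, changed).
/// Running it again on its own output reports changed == false.
fn ensure_shells(shells: &str, required: &[&str]) -> (String, bool) {
    let mut out = shells.to_string();
    let mut changed = false;
    for shell in required {
        if !shell_listed(&out, shell) {
            if !out.is_empty() && !out.ends_with('\n') { out.push('\n'); }
            out.push_str(shell);
            out.push('\n');
            changed = true;
        }
    }
    (out, changed)
}

fn main() {
    // Constructed sample inputs resembling a node that was never configured.
    let conf = "listen=NO\n#local_enable=YES\npam_service_name=vsftpd\n";
    let shells = "# /etc/shells\n/bin/sh\n/bin/bash";
    println!("local login enabled: {}", local_login_enabled(conf));
    let (fixed, changed) = ensure_shells(shells, &["/usr/sbin/nologin", "/bin/false"]);
    println!("shells changed: {changed}\n{fixed}");
}
```

Because the functions take and return strings, the caller decides when to write the files, and a `changed == false` result is the signal that nothing needs touching.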