Is there any logical reason for having both /etc/vsftpd.ftpusers and /etc/vsftpd.user_list, and requiring both to be edited by default to allow access? I think vsftpd.user_list should be killed, and go back to the RHL <=9 behavior of just one blacklist by default.
Hm, well, the issue is that the semantics of vsftpd.user_list change depending on the config, so it sometimes needs to be separate.
But in the current default configuration, vsftpd.ftpusers and vsftpd.user_list are completely redundant. vsftpd.user_list should be disabled by default, since it only gets interesting when configured differently than the current default (and in which case, it should have different contents)... I agree that both can be useful if one's a whitelist and the other's a blacklist. Currently they're just duplicate blacklists, which is pointless.
vsftpd.ftpusers is a blacklist only; OTOH vsftpd.user_list can be used as a whitelist or a blacklist according to configuration. But it can't serve as both lists in one file; that's why the ftpusers file is still needed.
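
The semantics discussed in this thread, as an added example that is not part of the original report or of vsftpd itself: a small model of how the two files combine, which also reports entries that are blocked twice. It assumes vsftpd.ftpusers is always enforced as a deny list, and that vsftpd.user_list is controlled by the `userlist_enable` and `userlist_deny` options in vsftpd.conf; all file contents are constructed samples.

```python
# Added example: models the two-list semantics discussed in the thread.
# All file contents below are constructed samples, not from a real host.

def parse_conf(text):
    """Parse vsftpd.conf-style key=value lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip().upper()
    return opts

def parse_names(text):
    """Parse a one-username-per-line file, ignoring blanks and # comments."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def user_list_mode(opts):
    """Return 'disabled', 'blacklist' or 'whitelist' for vsftpd.user_list."""
    if opts.get("userlist_enable", "NO") != "YES":      # vsftpd default: NO
        return "disabled"
    deny = opts.get("userlist_deny", "YES") == "YES"    # vsftpd default: YES
    return "blacklist" if deny else "whitelist"

def login_allowed(user, opts, ftpusers, user_list):
    """Assumption: ftpusers is always enforced as a deny list."""
    if user in ftpusers:
        return False
    mode = user_list_mode(opts)
    if mode == "blacklist":
        return user not in user_list
    if mode == "whitelist":
        return user in user_list
    return True

def redundant_entries(opts, ftpusers, user_list):
    """Names blocked twice: only meaningful when user_list is a blacklist."""
    if user_list_mode(opts) != "blacklist":
        return set()
    return ftpusers & user_list

DEFAULT_CONF = parse_conf("# constructed\nuserlist_enable=YES\n")
WHITELIST_CONF = parse_conf("userlist_enable=YES\nuserlist_deny=NO\n")
FTPUSERS = parse_names("# constructed\nroot\nbin\ndaemon\n")

if __name__ == "__main__":
    print(user_list_mode(DEFAULT_CONF), redundant_entries(DEFAULT_CONF, FTPUSERS, FTPUSERS))
    print(login_allowed("alice", WHITELIST_CONF, FTPUSERS, {"alice", "root"}))
```

In whitelist mode a name that appears in both files is still refused, which is why the ftpusers deny list remains useful alongside a user_list that holds different contents.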