LPI 202-450 LPIC-2 - Exam 202 (part 2 of 2), version 4.5 Exam Practice Test

The newaliases command is a Postfix command that can be used to rebuild all of the alias database files with a single invocation and without the need for any command line arguments. The newaliases command is equivalent to running the postalias command on each file specified by the alias_database parameter in the Postfix main.cf configuration file. The newaliases command reads the text files that contain the alias definitions and creates the indexed files in dbm or db format that are used for fast lookup by the mail system. The newaliases command should be executed whenever the alias database is changed, in order to update the indexed files. For example:

newaliases

The other commands are not equivalent to the newaliases command. The makealiases command is not a valid Postfix command. The postalias command can be used to rebuild a single alias database file, but it requires the file name as an argument. The postmapbuild command is not a valid Postfix command.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.3: Managing a postfix server
• Postfix Basic Configuration, Postfix Documentation
• Postfix manual - aliases(5), Postfix Documentation
• Postfix manual - newaliases(1), Postfix Documentation
• Postfix manual - postalias(1), Postfix Documentation

 The NFSv4 pseudo file system is a virtual file system that provides a single root directory for all the exports on the NFS server. It allows the clients to see all the exports as a single file system, regardless of their physical locations on the server. The pseudo file system usually contains bind mounts of the directory trees to be exported, which are created using the mount --bind command. Bind mounts create a second mount point for an existing directory, without changing its attributes or permissions. This way, the pseudo file system can include directories from different file systems or partitions on the server123 References:

• NFSv4Howto - Community Help Wiki
• NFSv4: Enhancements and Best Practices Guide - NetApp
• File-System Namespace in NFS Version 4 - Oracle

The LDIF file format does not accept any type of file encoding. It requires the file to be encoded in UTF-8, which is a Unicode encoding that supports all characters and languages. If the file contains non-UTF-8 characters, it may cause errors or data loss when importing or exporting LDIF data. Therefore, it is important to ensure that the LDIF file is encoded in UTF-8 before using it with LDAP tools or servers. References:

• LDIF File (What It Is and How to Open One) - Lifewire
• RFC 2849 - The LDAP Data Interchange Format (LDIF) - Technical Specification

The /etc/sysct1.conf file is used to configure kernel parameters at runtime. The net.ipv4.ip_forward parameter controls whether IP packet forwarding is enabled for IPv4. Setting it to 1 enables packet forwarding, while setting it to 0 disables it. This setting is applied at boot time and persists across system restarts. The other options are either incorrect or temporary solutions that do not survive a reboot. References: LPIC-2 201 exam objectives, LPIC-2 201-450 Exam Prep: Network Configuration

The global Postfix configuration file is located at /etc/postfix/main.cf. This file contains the main parameters that control the behavior of the Postfix mail server. It is a plain text file that consists of parameter-value pairs, comments, and blank lines. The syntax of the file is as follows:

parameter = value

commentThe parameter names are case-insensitive, and the values can be enclosed in quotes if they contain spaces or special characters. The values can also reference other parameters by using the $parameter syntax. The file can be edited manually or by using the postconf command. The postconf command can also be used to display the current values of the parameters, or to set new values. For example:

postconf -d # display default values of all parameters postconf -n # display non-default values of all parameters postconf -e ‘parameter = value’ # set a new value for a parameter

The main.cf file is read by Postfix when it starts or reloads. To reload Postfix after making changes to the file, use the command:

postfix reload

References:

• LPIC-2 Exam 202 Objectives, Objective 205.3: Managing a postfix server
• Postfix Basic Configuration, Postfix Documentation
• Postfix Configuration Parameters, Postfix Documentation
• How do I change postfix configuration after installing it?, Server Fault
• What are the Configuration Files for Postfix, The Geek Search

The root directive in Nginx defines the file system path from which the content of the server is retrieved. It can be placed in the http, server, or location contexts. The root directive specifies the root directory that will be used to search for a file. To obtain the path of a requested file, Nginx appends the request URI to the path specified by the root directive. For example, if the root directive is set to /var/www/html and the request URI is /index.php, Nginx will look for the file /var/www/html/index.php. References: Serving Static Content | NGINX DocumentationUnderstanding and Implementing FastCGI Proxying in Nginx

The Samba service that handles the membership of a file server in an Active Directory domain is winbindd. Winbindd is a daemon that provides a number of services to the Name Service Switch (NSS) capability of the system, such as resolving user and group information from a Windows NT server and authentication. Winbindd can also be used to join a Samba file server to an Active Directory domain and authenticate domain users to access the file shares12 References:

• Chapter 4. Using Samba for Active Directory Integration Red Hat Enterprise Linux 7 - Red Hat Customer Portal
• Winbind: Use of Domain Accounts - SambaWiki

 The command exportfs is used to configure which file systems a NFS server makes available to clients. The exportfs command maintains a table of exported file systems in the /etc/exports file, which specifies the directories to be shared and the options for each host or network. The exportfs command can also be used to add, remove, or refresh the exported file systems without restarting the NFS service123 References:

• 8.6. Configuring the NFS Server - Red Hat Customer Portal
• How to configure NFS on Linux - Learn Linux Configuration
• How to configure Network File System on Linux | Enable Sysadmin

 OpenVAS is a network security scanner project that, at the core, is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications. It is an open-source tool that was forked from Nessus, a popular commercial scanner. OpenVAS can perform comprehensive scans of networks and hosts, as well as web application scanning and compliance testing. It also provides a graphical user interface (GUI) and a command-line interface (CLI) for managing scans and reports. References:

• Greenbone Vulnerability Management - Gentoo wiki
• The Best Network Vulnerability Scanners Tested in 2023 - Comparitech

 The BIND option that should be used to limit the IP addresses from which slave name servers may connect is allow-transfer. This option specifies a list of IP addresses or networks that are allowed to request zone transfers from the master name server. Zone transfers are the mechanism by which slave name servers obtain a copy of the zone data from the master name server. By limiting the IP addresses that can request zone transfers, the master name server can prevent unauthorized access to the zone data and reduce the network load123 References:

• LPIC-2 Overview
• LPIC-2 202-450
• BIND 9 Administrator Reference Manual

 In the main Postfix configuration file, which is usually /etc/postfix/main.cf, service definitions are continued on the next line by starting the following line with white space indentation. This means that the line must begin with one or more spaces or tabs. This is useful when a service definition has many parameters or options that would make the line too long or hard to read. For example, a service definition for the smtpd daemon could look like this:

The first line defines the service name, type, private flag, unpriv flag, chroot flag, wakeup time, maxproc limit, and command. The following lines, indented with white space, define additional options for the smtpd command, such as the syslog name, the SASL authentication, and the recipient restrictions. Each option is prefixed with -o and separated by white space.

References: You can find more information about the main Postfix configuration file and the service definition syntax in the following resources:

• Postfix Basic Configuration
• Postfix Architecture Overview

Sieve is a programming language used to filter emails by writing simple rules. To combine multiple conditions in a Sieve filter, you can use the allof or anyof keywords. The allof keyword means that all of the conditions must be true for the filter to apply, while the anyof keyword means that at least one of the conditions must be true. For example, the following Sieve filter will assign the label “Important” to any message that is from “boss@example.com” or has the subject “Urgent”:

if anyof (header :contains “From” “boss@example.com”, header :contains “Subject” “Urgent”) { fileinto “Important”; }

The following Sieve filter will assign the label “Spam” to any message that is not from “friend@example.com” and has the subject “Free offer”:

if allof (not header :contains “From” “friend@example.com”, header :contains “Subject” “Free offer”) { fileinto “Spam”; }

References: You can learn more about Sieve filters and logical combinations from the following sources:

• Sieve filter (advanced custom filters) | Proton
• RFC 5228 - Sieve: An Email Filtering Language

The root element of the LDAP tree holding the configuration of an OpenLDAP server that is using directory based configuration is called cn=config. This is a special entry that is not part of the regular data DITs, but rather a separate DIT that can be used to configure the OpenLDAP server online. The cn=config entry contains various subentries that define the global and database-specific settings for the server. The cn=config entry can be accessed and modified using standard LDAP tools and methods, such as ldapsearch and ldapmodify12.

References:

• OpenLDAP Software 2.6 Administrator’s Guide: Configuring slapd: The official documentation of OpenLDAP on how to configure the slapd daemon, which includes the description of the cn=config entry and its subentries.
• How To Configure OpenLDAP and Perform Administrative LDAP Tasks | DigitalOcean: A tutorial from DigitalOcean on how to configure OpenLDAP and perform administrative LDAP tasks, which includes the use of the cn=config entry and the ldapsearch and ldapmodify tools.

 The Apache HTTPD configuration directive that specifies the RSA private key that was used in the generation of the SSL certificate for the server is SSLCertificateKeyFile1. This directive sets the file path and name of the file containing the server private key2. The private key is used to decrypt the data that is encrypted with the public key contained in the certificate1. The private key must match the certificate, otherwise an error will occur when starting the server2. The other options are not valid directives for Apache HTTPD. References:

• mod_ssl - Apache HTTP Server Version 2.4
• Why is SSLCertificateKeyFile needed for Apache? - Stack Overflow

 The options rw and ro are valid in /etc/exports. They specify whether the exported file system is mounted with read-write or read-only permissions by the clients. The option rw allows the clients to modify the files on the server, while the option ro prevents any changes by the clients. These options can be applied to all or specific hosts in the /etc/exports file123 References:

• LPIC-2 Overview
• LPIC-2 202-450
• 10 practical examples to export NFS shares in Linux | GoLinuxCloud

Sieve is a language for filtering and sorting email messages on a mail server. Sieve core filters are the basic actions that can be applied to a message that matches a set of conditions. The following actions are available in Sieve core filters:

• discard: This action discards the message silently, without sending any notification to the sender or the recipient. This action is useful for deleting spam or unwanted messages.
• fileinto: This action delivers the message to a specified mailbox. The mailbox can be an existing one or a new one that is created by the action. This action is useful for organizing messages into different folders based on their content or headers.
• reject: This action rejects the message and sends a notification to the sender with a specified reason. The message is not delivered to the recipient. This action is useful for informing the sender that the message was not accepted due to some policy or error.

The other options are not valid actions in Sieve core filters. drop, relay, and fileinto are not recognized keywords by Sieve.

References:

• Sieve: An Email Filtering Language, section 2.10, “Actions”
• Sieve Tutorial, section 4, “Actions”

The command that displays NFS kernel statistics is nfsstat. This command can be used to show information about the number and type of NFS and RPC calls made by the NFS client or server. It can also be used to reset the statistics to zero, or to display information about mounted NFS file systems. The nfsstat command is part of the nfs-utils package and can be installed on most Linux distributions. For more information about the nfsstat command, you can refer to the following resources:

• 1: A Microsoft Learn article that explains the syntax and usage of the nfsstat command on Windows Server.
• 2: A Bing search result page that shows various links and snippets related to the nfsstat command.
• 3: A Red Hat article that demonstrates how to use the nfsstat and nfsiostat commands to troubleshoot NFS performance issues on Linux.

The pam_nologin module is used to prevent users from logging into the system when the /etc/nologin file exists. The file can contain a message that is displayed to the user before the login is denied. The only exception is the root user, who can always log in regardless of the existence of the /etc/nologin file. This method is useful for system maintenance or emergency situations when normal users should not access the system. References: LPIC-2 exam 201 topics, pam_nologin man page

 The line A is valid in a configuration file in /etc/pam.d/ because it follows the correct syntax and semantics of a PAM configuration file. The syntax of a PAM configuration file is:

module_interface control_flag module_name module_arguments

The module_interface specifies the type of authentication action that the module can perform. There are four types of module interface: auth, account, password, and session. The control_flag specifies how important the success or failure of the module is to the overall authentication process. There are four types of control flag: required, requisite, sufficient, and optional. The module_name specifies the name of the library that contains the module. The module_arguments are optional parameters that can modify the behavior of the module.

The line A has the following components:

• module_interface: auth, which means the module is used for user authentication.
• control_flag: required, which means the module must succeed for authentication to continue. If the module fails, the failure is recorded and the rest of the modules are executed.
• module_name: pam_unix.so, which means the module is the standard Unix authentication module that verifies the user’s password against the /etc/passwd and /etc/shadow files.
• module_arguments: try_first_pass nullok, which means the module tries to use the password that was previously entered by the user (if any), and allows users with empty passwords to log in.

The line B is invalid because it has the wrong order of the fields. The control_flag should come before the module_name, not after. The line C is invalid because it uses parentheses and colons instead of spaces to separate the fields. The line D is invalid because it has the wrong syntax for the control_flag. The control_flag should be a single word, not a word in parentheses.

 The FTP names that are recognized as anonymous users in vsftpd when the option anonymous_enable is set to yes in the configuration file are anonymous and ftp. These are the default names that vsftpd accepts as valid anonymous users, and they can be used interchangeably. The anonymous user does not need to enter a password, but can optionally enter an email address as a password. The anonymous user has limited permissions and can only access the directory specified by the anon_root directive, which is usually /var/ftp or /srv/ftp. The anonymous user can download files from the server, but cannot upload or modify files, unless the anon_upload_enable and anon_mkdir_write_enable directives are also set to yes.

The other options are not recognized as anonymous users in vsftpd. Option C is incorrect, because vsftpd will reject any username that does not belong to an existing user or an anonymous user. Option D is incorrect, because nobody is a system user that has no permissions and is not related to FTP. Option E is incorrect, because guest is not a valid FTP name, unless the guest_enable directive is set to yes, which will make all non-anonymous users log in as the guest_username, which is usually ftp.

References:

• vsftpd.conf - config file for vsftpd
• How To Set Up vsftpd for Anonymous Downloads on Ubuntu 16.04
• How to Configure vsftpd FTP Server on CentOS 8

 The htpasswd command is used to create and update user files for basic authentication of HTTP users. The command has several options, but the most relevant ones for this question are:

• -c: This option creates a new file and overwrites it if it already exists. This is not suitable for changing the password of existing users, as it would erase the previous data.
• -n: This option displays the results on standard output rather than updating a file. This is useful for generating password records for other types of data stores, but not for modifying an existing file.
• -D: This option deletes the specified user from the file. This is not what the question asks for, as it wants to change the password, not remove the user.
• -b: This option uses batch mode, which means getting the password from the command line rather than prompting for it. This option is not mentioned in the question, and it is not recommended for security reasons.

Therefore, the correct option is B, which uses the default syntax of htpasswd to change the password of an existing user in the specified file. The command will prompt for the new password and update the file accordingly.

References:

• htpasswd - Manage user files for basic authentication
• How to Create and Use .htpasswd
• Unlocking htpasswd in Linux: Comprehensive Guide with Examples

The rndc sub command that can be used in conjunction with the name of a zone in order to make BIND reread the content of the specific zone file without reloading other zones as well is reload. The reload sub command instructs the BIND server to reload the specified zone or all zones if no zone is specified. The reload sub command is useful for applying changes made to the zone files without restarting the BIND service or affecting other zones. The syntax of the reload sub command is as follows:

rndc reload [zone [class [view]]]

For example, to reload the zone example.com in the IN class and the default view, use the following command:

rndc reload example.com IN

References:

• rndc - man pages section 8: System Administration Commands, sub command “reload”
• 17.2.3. Using the rndc Utility - Red Hat Customer Portal, section “Reloading the Configuration and Zones”

To create a hidden Samba share, similar to the Windows Administration Share, the share name must end with a dollar sign ().Thiswillpreventthesharefrombeinglistedinthebrowselist,butitcanstillbeaccessedbytypingthefullsharename.OptionAshowsanexampleofahiddenSambasharenamedconfidential, with some additional parameters to configure the share. Option B is incorrect because the share name does not end with a dollar sign. Option C is incorrect because the share name is not enclosed in brackets. Option D is incorrect because the share name contains a space, which is not allowed. Option E is incorrect because the share name is not a valid file name12 References:

• Hiding samba share from browse list for unauthorised users
• Creating a samba share where everyone has write access

 Reverse DNS queries are used to find the domain name associated with an IP address. To perform reverse DNS queries, DNS servers use a special type of record called PTR (pointer) record. A PTR record maps an IP address to a hostname in the reverse lookup zone. For example, a PTR record for the IP address 185.230.63.186 would point to the hostname unalocated.63.wixsite.com. Reverse DNS queries are useful for validating email servers, troubleshooting network problems, and identifying malicious hosts. References:

• 2 Ways to Perform Reverse DNS lookups in Linux - howtouselinux
• Linux managing DNS servers (LPIC-2) · GitHub
• LPI Linux Certification/LPIC2 Exam 202/DNS - Wikibooks

The .htaccess file in the directory is configured to require a valid user. The .htpasswd file contains the username and password for usera. Therefore, usera can access the site using the password s3cr3t. References:

• LPIC-2 Overview
• LPIC-2 202-450
• Password Protecting Your Pages with htaccess

 In the context of configuring Nginx for reverse proxy, the proxy_pass directive is used to specify the protocol and address of a proxied server and an optional URI to which a location should be mapped. So, in the provided configuration sample, “proxy_pass” is the missing keyword that should precede

References:

• [NGINX Docs | NGINX Reverse Proxy]: The official documentation of Nginx on how to set up a reverse proxy with Nginx.
• [How To Configure Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 20.04 Server | DigitalOcean]: A tutorial from DigitalOcean on how to configure Nginx as a web server and reverse proxy for Apache on Ubuntu 20.04, which includes the use of the proxy_pass directive.

 A certificate signing request (CSR) is a message sent from an applicant to a certificate authority (CA) in order to apply for a digital identity certificate. The CSR contains information about the applicant’s identity, such as domain name, organization, location, etc., as well as the applicant’s public key. The CSR is digitally signed by the applicant using their private key, which proves that they own the corresponding public key. The CA will verify the CSR and issue a certificate if the applicant meets the requirements. The certificate will contain the applicant’s public key and identity information, as well as the CA’s digital signature, which validates the certificate. References: LPIC-2 Exam 202 Objectives, What is a Certificate Signing Request (CSR)? Do I need one?

 The fastcgi_pass directive is used to proxy requests to a FastCGI application in Nginx. It specifies the address of the FastCGI server or the path of the Unix-domain socket that will accept FastCGI requests. For example:

location ~ \.php$ { include fastcgi_params; fastcgi_pass 127.0.0.1:9000; }

This configuration will pass any requests ending with .php to the FastCGI server listening on 127.0.0.1:9000.

The other options are not valid directives in Nginx. There is no fastcgi_proxy, proxy_fastcgi, proxy_fastcgi_pass, or fastcgi_forward directive. The proxy_pass directive is used to proxy requests to a HTTP server, not a FastCGI application.

References:

• Module ngx_http_fastcgi_module - nginx
• FastCGI Example | NGINX
• Understanding and Implementing FastCGI Proxying in Nginx

 The ErrorLog directive of the Apache HTTPD server defines the location and name of the file where the server will log any errors it encounters. The default value of this directive is logs/error_log, which means that the error log file will be stored in the logs subdirectory of the server root directory. The ErrorLog directive can also accept a filename relative to the server root, an absolute filename, or a pipe to a program that will handle the logging. For example, ErrorLog logs/my_error_log will store the error log file in the logs subdirectory with the name my_error_log, ErrorLog /var/log/httpd/error_log will store the error log file in the /var/log/httpd directory with the name error_log, and ErrorLog “|bin/rotatelogs logs/error_log 86400” will pipe the error log to the rotatelogs program that will rotate the log file every 86400 seconds. References: Log Files - Apache HTTP Server Version 2.4, Directive Quick Reference - Apache HTTP Server Version 2.4, How do I find Apache http server log files? – Code A Site Blog, mod_log_config - Apache HTTP Server Version 2.2

 The objectClass attribute of an LDAP object defines which other attributes can be set for the object. The objectClass attribute is a multi-valued attribute that specifies one or more object classes that the object belongs to. Each object class has a schema that defines the mandatory and optional attributes that the object can have. The objectClass attribute is required for every LDAP object and determines the nature and characteristics of the object. References:

• Understanding the LDAP Protocol, Data Hierarchy, and Entry Components
• LDAP Object Classes

DANE stands for DNS-based Authentication of Named Entities. It is a protocol that provides a way to verify the association of X 509 certificates to DNS host names. X 509 certificates are digital documents that contain the public key and identity information of an entity, such as a web server or an email server. They are used to establish secure connections and authenticate the identity of the entity. However, the traditional way of obtaining and validating X 509 certificates relies on a hierarchical system of trusted third parties, called certificate authorities (CAs), which can be vulnerable to attacks or compromise. DANE aims to enhance the security and trust of X 509 certificates by using DNSSEC, which is a set of extensions to DNS that provide cryptographic signatures and validation for DNS records. DANE allows the owner of a domain name to publish the X 509 certificate or its fingerprint in a DNS record, called a TLSA record, which can be verified by the DNSSEC chain of trust. This way, the client can check the authenticity of the certificate directly from the DNS, without relying on external CAs. DANE can also be used to specify which CAs are authorized to issue certificates for a domain name, or to indicate that no CA is needed at all. DANE can be applied to various protocols that use X 509 certificates, such as HTTPS, SMTP, IMAP, POP3, etc.

References:

• DANE - Wikipedia
• DNS-Based Authentication of Named Entities (DANE) - Internet Society
• DANE: Taking TLS Authentication to the Next Level Using DNSSEC

The http_port directive in squid.conf sets the port number or numbers that Squid will use to listen for client requests. You can specify multiple socket addresses with different port numbers and options. By default, Squid listens on port 3128 on all network interfaces. You can change the port number or bind the socket to a specific IP address if needed. For example, to set the port to 8080, you can write:

http_port 8080

To configure Squid to listen only on the 192.0.2.1 IP address on port 3128, you can write:

http_port 192.0.2.1:3128

References:

• Squid proxy configuration tutorial on Linux
• squid : http_port configuration directive
• Configuring the Squid Service to Listen on a Specific Port or IP Address

The command in the question is using the ldapsearch tool to query an LDAP directory. The filter expression is (|(cn=marie)(!(telephoneNumber=9*))), which means to match entries that satisfy either one of the two conditions inside the parentheses. The first condition is (cn=marie), which means the common name attribute (cn) of the entry is equal to marie. The second condition is (!(telephoneNumber=9*)), which means the telephone number attribute (telephoneNumber) of the entry is not equal to 9 followed by any number of characters. The ! operator means logical negation, and the * operator means wildcard matching. Therefore, the command will return entries that have a cn of marie or don’t have a telephoneNumber beginning with 9. References: LPIC-2 202 exam objectives, LDAP Search Filters

The client-to-client option in OpenVPN enables the VPN server to forward packets between VPN clients internally, without sending them to the IP layer of the host system. This means that the host networking stack does not see or process the client-to-client traffic at all. This option can improve the performance and efficiency of the VPN, as well as reduce the load on the host system. However, it also means that the VPN server cannot apply any firewall rules or routing policies to the client-to-client traffic, as it would if the traffic passed through the host IP layer. Therefore, this option should be used with caution and only when the VPN clients are trusted and isolated from other networks. References:

• OpenVPN 2.x HOWTO, section “Client-to-client”
• OpenVPN 2.4 man page, option “–client-to-client”

 The Linux user that is used by vsftpd to perform file system operations for anonymous FTP users is the one specified in the configuration option ftp_username. This option defines the local user that vsftpd will run as when handling anonymous FTP requests. By default, this option is set to ‘ftp’, which is a predefined user account that has limited privileges and access to the FTP server. The other options are incorrect for the following reasons:

• A. The Linux user which runs the vsftpd process. This is false because vsftpd does not use the same user that runs the daemon to handle anonymous FTP requests. Instead, it switches to the user specified by ftp_username, which is usually a different and less privileged user than the one that starts the vsftpd process.
• B. The Linux user that owns the root FTP directory served by vsftpd. This is false because vsftpd does not use the owner of the root FTP directory to perform file system operations for anonymous FTP users. The owner of the root FTP directory may or may not be the same as the user specified by ftp_username, but it does not affect the behavior of vsftpd for anonymous FTP requests.
• C. The Linux user with the same user name that was used to anonymously log into the FTP server. This is false because vsftpd does not use the user name that was used to anonymously log into the FTP server to perform file system operations. The user name that is used for anonymous FTP login is usually ‘anonymous’ or ‘ftp’, but it does not correspond to any actual Linux user account on the system. Instead, vsftpd maps these user names to the user specified by ftp_username, which is the one that actually performs the file system operations.
• D. The Linux user root, but vsftpd grants access to anonymous users only to globally read-/writeable files. This is false because vsftpd does not use the root user to perform file system operations for anonymous FTP users. The root user is the most powerful and privileged user on the system, and using it for anonymous FTP requests would pose a serious security risk. Instead, vsftpd uses the user specified by ftp_username, which is usually a low-privileged user that has limited access to the FTP server. The option anon_world_readable_only controls whether vsftpd only allows anonymous users to access files that have global read permissions, regardless of the permissions of the user specified by ftp_username.

References: LPIC-2 202 exam objectives, LPIC-2 202-450 Exam Prep: Network Configuration, Reference Manual For OpenVPN 2.4, linux - What is the anonymous user in vsftp? - Super User

How To Set Up vsftpd for Anonymous Downloads on Ubuntu 16.04