So I’m on a VPS – CentOS Linux installation. I have vsFTPd on the server.
I currently have SFTP access to the server via my root user, but am now trying to create a new user with FTP access to a specific directory only on the server, I’ve done the following:
1. mkdir /var/www/mydomain.com
2. mkdir /var/www/mydomain.com/html
3. useradd <-username>
4. passwd <-username>
5. chown -R <-username> /var/www/mydomain.com
6. groupadd <-groupname>
7. gpasswd -a <-username> <-groupname>
8. chgrp -R <-groupname> /var/www/mydomain.com
9. chmod -R g+rw /var/www/mydomain.com
What I’m struggling to do is to create the user to ONLY have access to /var/www/mydomain.com – I observed that the user correctly logs into the right folder, however the user can then browse “back” to other directories. I want the user to stick in the specific folder and not be able to “browse” back.
Any ideas?
I’ve found different articles on chrooting, but simply haven’t figured out how to use it in the steps included above.
Answers:
Method 1
It’s quite simple.
You have to add the following option on the vsftpd.conf file
chroot_local_user=YES
The documentation inside the configuration file is self-explanatory:
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
This means that the user will just have access on the folder you configured as HOME of the user. Below, I have an example of a user passwd entry:
upload_ftp:x:1001:1001::/var/www/sites/:/bin/bash
Set the home directory of the user with the following command
usermod -d /var/www/my.domain.example/ exampleuser
Note: In my example, this user is also a valid user for some scheduled tasks inside Linux. If you don’t have this need, please change the shell of the user to /sbin/nologin instead of bash.
Method 2
After you’ve changed your config to include chroot_local_user=YES
You could change the user’s shell to /usr/sbin/nologin so that if the password leaks you will have mitigated some risk (set the home directory too). The shell needs to be listed in /etc/shells as well or authentication will fail.
usermod -d /var/www/my.domain.example -s /usr/sbin/nologin exampleuser
-d, --home HOME_DIR
The user’s new login directory. If the -m option is given the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist.
-s, --shell SHELL
The name of the user’s new login shell. Setting this field to blank causes the system to select the default login shell.
https://security.appspot.com/vsftpd/FAQ.txt
Method 3
Here are steps to set up a user and allow the user access only via FTP (i.e. no SSH) and also limit access to a specific (user home) directory on proftpd:
1. Add new user: adduser newusername
2. Set password: passwd newusername
3. Modify user home directory from default to a new folder: usermod -d /target/directory username
4. Edit the shells file (vi /etc/shells) and add /dev/null at the end.
5. Modify the newusername entry in the passwd file (vi /etc/passwd) to add /./ before the newusername home directory so that the entry looks like this: newusername:x:502:502::/home/ftp/./newusernamehomedirectory/:/dev/null
6. Edit the /etc/proftpd/proftpd.conf file and uncomment the line DefaultRoot ~
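Added example (not code from any of the answers above, nor from vsftpd or proftpd): a POSIX shell script with offline checks for the three things Methods 1 to 3 depend on. For Methods 1 and 2 it verifies that an uncommented chroot_local_user=YES line is present in vsftpd.conf and that the FTP user's passwd entry points at a home under the web root and uses a non-interactive shell that is still listed in /etc/shells (Method 2 notes that an unlisted shell breaks authentication). For Method 3 it splits the "/./" marker in a home field into the chroot root and the directory the session starts in. The config, passwd and shells contents are constructed samples embedded in the script, so it reads and changes nothing on the real system. One vsftpd behaviour the answers do not mention: vsftpd 3.0 and later refuses the session when the chroot root directory itself is writable by the user unless allow_writeable_chroot=YES is set, so the chmod -R g+rw from the question would need that option or a read-only top directory with a writable subdirectory (such as html) underneath it.

```shell
#!/bin/sh
# Added example: offline checks for the vsftpd chroot configuration (Methods 1
# and 2) and the "/./" home-directory convention of Method 3.  All inputs
# below are constructed samples; nothing on the real system is read or changed.

VSFTPD_CONF='listen=YES
chroot_local_user=YES
'
PASSWD_DB='root:x:0:0:root:/root:/bin/bash
exampleuser:x:1001:1001::/var/www/my.domain.example:/usr/sbin/nologin
baduser:x:1002:1002::/home/baduser:/bin/bash
newusername:x:502:502::/home/ftp/./newusernamehomedirectory/:/dev/null
'
SHELLS_DB='/bin/sh
/bin/bash
/usr/sbin/nologin
/dev/null
'

# vsftpd_chroot_enabled CONF -> success if an uncommented chroot_local_user=YES line exists.
vsftpd_chroot_enabled() {
    printf '%s' "$1" | grep -q '^[[:space:]]*chroot_local_user=YES[[:space:]]*$'
}

# passwd_field DB USER N -> field N (1-based) of USER's passwd entry, empty if unknown.
passwd_field() {
    printf '%s' "$1" | awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }'
}

# shell_listed SHELLS SHELL -> success if SHELL is an exact line of /etc/shells.
shell_listed() {
    printf '%s' "$1" | grep -qxF "$2"
}

# ftp_user_ok PASSWD SHELLS USER ROOT -> success only when USER's home is ROOT
# or below it, and the shell refuses interactive logins but is still listed in
# /etc/shells (an unlisted shell makes vsftpd's PAM authentication fail).
ftp_user_ok() {
    home=$(passwd_field "$1" "$3" 6)
    shell=$(passwd_field "$1" "$3" 7)
    [ -n "$home" ] || return 1
    case "$home" in
        "$4"|"$4"/*) ;;
        *) return 1 ;;
    esac
    case "$shell" in
        */nologin|/bin/false|/dev/null) ;;
        *) return 1 ;;
    esac
    shell_listed "$2" "$shell"
}

# chroot_root HOME -> the text before "/./" (the jail), or the whole path
# when the marker is absent.
chroot_root() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     printf '%s\n' "${1%/}" ;;
    esac
}

# start_dir HOME -> the directory inside the jail the session starts in.
start_dir() {
    case "$1" in
        */./*) rest=${1#*/./}; printf '/%s\n' "${rest%/}" ;;
        *)     printf '/\n' ;;
    esac
}

vsftpd_chroot_enabled "$VSFTPD_CONF" && echo "vsftpd: chroot_local_user=YES is set"
for u in exampleuser baduser; do
    if ftp_user_ok "$PASSWD_DB" "$SHELLS_DB" "$u" /var/www; then
        echo "$u: confined home and non-interactive shell"
    else
        echo "$u: NOT suitable as an FTP-only account"
    fi
done
h=$(passwd_field "$PASSWD_DB" newusername 6)
echo "proftpd jail root: $(chroot_root "$h"), start dir: $(start_dir "$h")"
```

To run the same checks against a live box, replace the three constructed variables with the output of cat on /etc/vsftpd/vsftpd.conf, /etc/passwd and /etc/shells; the functions themselves only read their arguments.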
Method 4
Run this command:
useradd -d ftp_user:chown 711 /etc/init.d/
Method 5
Set the root folder permissions to 711 with your root account.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0