
I want to use my web server (Debian) as an SFTP server, giving access to particular employees. The directory structure under root is as follows:

/FTPUSERS/UserName_1, ... /FTPUSERS/UserName_N.

My website is, as usual, under /opt/lampp/htdocs/SiteName. I want my employees to access only the dir /FTPUSERS and no others, whether they connect via console SSH or GUI FTP clients. Is chrooting the right way to block them from navigating to other dirs? Or is there another way of blocking them? Please let me know.

One more small doubt has arisen regarding file and folder permissions for LAMPP. At present the user and group under /opt/lampp/htdocs/ are all root and root. In this link on php.net it's mentioned that directories must run under nobody and nobody. Is this the right way of setting permissions?

EDIT:

My OS is Debian Lenny 3. The daemon running at present is the openssh-sftpserver. We've blocked port 21 for FTP access, but SFTP is still running on port 22. Employees can log in via SFTP and SSH on a terminal. We want to block console-mode operation for particular users; only the webmaster and root accounts must have all the access. We also want to block users from navigating outside the /FTPUSERS dir using any GUI FTP client such as WinSCP.

  • What FTP daemon do you use? Do you use SFTP? Then please don't mention FTP, because it's a different protocol. Also please provide your current configuration. – Kiwy Apr 03 '14 at 11:23
  • Please [edit] your question to make it clearer and explain what service you want with what daemon (vsftpd, proftpd); we can't guess. Then describe what you have tried and add your config, for example; then maybe someone will be able to answer you. – Kiwy Apr 03 '14 at 11:50
  • Please, whoever has upvoted my question, try to guide me in the comments section or in the answers section :) – highlander141 Apr 04 '14 at 13:03
  • What part of "add your config" did you not understand? How can we help you if we don't have a correct description of the situation? – Kiwy Apr 04 '14 at 13:04

2 Answers


Have a look at your sshd_config.

You might want to set up an internal-sftp chroot.

/TFTPROOT would be your chroot-dir.

This is more secure than tftp.

Here is a good tutorial:

http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

Nils
  • 18,492
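Nils's sshd_config suggestion spelled out, as an added example that is not part of either answer: the Match block for an internal-sftp chroot, plus a check for the ownership rules sshd enforces on a ChrootDirectory. The group name ftpusers is an assumption (the question names no group); the uid and top-directory parameters of the check exist only so it can be exercised on a throwaway tree without root.

```shell
#!/bin/sh
# Added example, not from the question or the answers: an sshd_config
# fragment for an OpenSSH internal-sftp chroot, plus a check that the
# chroot directory satisfies sshd's ownership rules.
# Assumed: SFTP-only employees are in group "ftpusers", chroot root /FTPUSERS.

# Print the sshd_config fragment. "Subsystem" must appear outside any
# Match block; the Match block itself belongs at the end of sshd_config.
# ForceCommand internal-sftp denies a shell even if the login shell is valid,
# which covers the "no console access" requirement from the question.
sftp_match_block() {
    group="$1"; root="$2"
    printf '%s\n' \
        "Subsystem sftp internal-sftp" \
        "Match Group $group" \
        "    ChrootDirectory $root" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# sshd refuses to chroot ("bad ownership or modes for chroot directory")
# unless the chroot directory and every parent are owned by root and
# writable by nobody but the owner. Per-user writable areas go in
# subdirectories (e.g. /FTPUSERS/UserName_1 owned by that user).
# $1 = directory to check, $2 = expected owner uid (default 0 = root),
# $3 = highest directory to check (default /). $2 and $3 exist only so the
# check can be run on a temporary tree without root privileges.
chroot_path_ok() {
    dir="$1"; want_uid="${2:-0}"; top="${3:-/}"
    while :; do
        uid=$(stat -c %u "$dir") || return 1
        mode=$(stat -c %a "$dir") || return 1
        if [ "$uid" -ne "$want_uid" ]; then
            echo "bad owner (uid $uid) on $dir" >&2; return 1
        fi
        # octal mode: tens digit = group bits, ones digit = other bits; 2 = write
        grp=$(( (mode / 10) % 10 )); oth=$(( mode % 10 ))
        if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
            echo "group- or world-writable: $dir (mode $mode)" >&2; return 1
        fi
        [ "$dir" = "$top" ] || [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage: sftp_match_block ftpusers /FTPUSERS >> /etc/ssh/sshd_config
#        chroot_path_ok /FTPUSERS && /etc/init.d/ssh restart
```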

Using the useradd command with the -d option you can add a certain user (e.g. ftpuser) together with his home directory (/homedir), like below:

useradd ftpuser -d /homedir
passwd ftpuser

You will be prompted to enter the new password:

Changing password for user <username>
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
  • Edit the shell for this user to /sbin/nologin in /etc/passwd:

    vi /etc/passwd
    ftpuser:x:506:508::/homedir:/sbin/nologin
    
  • Enabling chroot_list:

    vi /etc/vsftpd/vsftpd.conf
    chroot_list_enable=YES
    # the default value is:
    chroot_list_file=/etc/vsftpd.chroot_list
    
  • Then, you need to add the user ftpuser in the file /etc/vsftpd.chroot_list

    vi /etc/vsftpd.chroot_list
    ftpuser
    
  • Restarting the vsftpd:

    /etc/init.d/vsftpd restart
    
Kiwy
  • 9,534