
So I'm on a VPS with a CentOS Linux installation. I have vsFTPd on the server. I currently have SFTP access to the server via my root user, but am now trying to create a new user with FTP access to a specific directory only on the server. I've done the following:

1. mkdir /var/www/mydomain.com
2. mkdir /var/www/mydomain.com/html
3. useradd <-username>
4. passwd <-username>
5. chown -R <-username> /var/www/mydomain.com
5. groupadd <-groupname>
6. gpasswd -a <-username> <-groupname>
7. chgrp -R <-groupname> /var/www/mydomain.com
8. chmod -R g+rw /var/www/mydomain.com

What I'm struggling to do is create a user that ONLY has access to /var/www/mydomain.com. I observed that the user correctly logs into the right folder; however, the user can then browse "back" to other directories. I want the user to stay in the specific folder and not be able to "browse" back.

Any ideas?

I've found different articles on chrooting, but simply haven't figured out how to use it in the steps above.

user1231561
  • https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-centos-7 You can follow this to solve your issue – Jack Jul 31 '18 at 04:17
  • for those who are on Ubuntu 18 here is the version specific https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-ubuntu-18-04 – Dung Jul 04 '19 at 16:30

5 Answers


It's quite simple.

You have to add the following option to the vsftpd.conf file:

chroot_local_user=YES

The documentation inside the configuration file is self-explanatory:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().

This means that the user will only have access to the folder you configured as the HOME of the user. Below, I have an example of a user's passwd entry:

upload_ftp:x:1001:1001::/var/www/sites/:/bin/bash

Set the home directory of the user with the following command

usermod -d /var/www/my.domain.example/ exampleuser

Note: In my example, this user is also a valid user for some scheduled tasks inside Linux. If you don't have this need, please change the shell of the user to /sbin/nologin instead of bash.

Jeff Schaller
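The answer above applies `chroot_local_user=YES` and a home directory set with `usermod`. The script below is an added example, not code from the answer or from the vsftpd project: it makes the config change idempotently, creates the FTP-only account with `/sbin/nologin`, and checks that the jail root is not writable by that account. That check is there because vsftpd 3.x refuses a login whose chroot root is writable (the "refusing to run with writable root inside chroot()" error) unless `allow_writeable_chroot=YES` is set; a root-owned jail with a user-owned `html/` subdirectory avoids both the error and the weaker setting. The config path, user name and directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): chroot a local FTP user under vsftpd.
# Assumed paths: /etc/vsftpd/vsftpd.conf, /sbin/nologin, /var/www/mydomain.com.

# Set KEY=VALUE in a vsftpd.conf: replace an existing (possibly commented-out)
# line, otherwise append. Idempotent, so re-running does not duplicate keys.
set_vsftpd_option() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^#\{0,1\}${key}=" "$conf"; then
        sed -i "s|^#\{0,1\}${key}=.*|${key}=${value}|" "$conf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# Print the effective value of KEY (the last occurrence wins, as in vsftpd).
get_vsftpd_option() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# vsftpd authenticates through PAM, and pam_shells rejects a login shell that
# is not listed in /etc/shells, so /sbin/nologin has to appear there.
ensure_shell_listed() {
    shell="$1"; shells_file="${2:-/etc/shells}"
    grep -qx "$shell" "$shells_file" 2>/dev/null || printf '%s\n' "$shell" >> "$shells_file"
}

# Return 0 when ROOT is a safe chroot root for USER: not owned by USER and
# not writable by group or others (what vsftpd 3.x insists on by default).
chroot_root_is_safe() {
    root="$1"; user="$2"
    [ "$(stat -c %U "$root")" != "$user" ] || return 1
    case "$(stat -c %A "$root")" in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# Privileged steps: config, account, jail layout, restart. Run as root:
#   ./this.sh --apply USER /var/www/mydomain.com
# (older CentOS releases use /etc/init.d/vsftpd restart instead of systemctl)
apply() {
    user="$1"; root="$2"
    set_vsftpd_option /etc/vsftpd/vsftpd.conf chroot_local_user YES
    ensure_shell_listed /sbin/nologin
    useradd -M -d "$root" -s /sbin/nologin "$user"
    mkdir -p "$root/html"
    chown root:root "$root"; chmod 755 "$root"            # jail root stays read-only
    chown "$user" "$root/html"; chmod 755 "$root/html"     # the user writes only here
    chroot_root_is_safe "$root" "$user" || { echo "jail root is writable" >&2; exit 1; }
    systemctl restart vsftpd
}

if [ "${1:-}" = "--apply" ]; then apply "$2" "$3"; fi
```

After the restart the account lands in the jail root and sees only `html/`; since the jail root is owned by root it cannot create files there, only inside `html/`. The same chown-everything-to-the-user layout from the question is exactly what trips the writable-root refusal, which is why the script keeps the top-level directory root-owned.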
  • Hi nwildner! Thanks so much for taking the time to answer me on this.

    So in my vsftpd.conf file I've added the following line "chroot_local_user=YES" - then as I understand it I need to add a line similar to the one you show for my user?

    Must admit I'm not entirely sure what to write there with the example you provide. The "1001" etc., what is that? Let's assume my user is called "im_a_linux_noob" and the directory for that user is "/var/www/mydomain.com" - what would that look like?

    – user1231561 Jul 16 '13 at 14:16
  • And would I be able to do this without any additional steps of what ive done in my post? So doing 1-8 and then adding what you describe should do the trick? – user1231561 Jul 16 '13 at 14:18
  • Hi. The example above is just a line(modified, of course) of the /etc/passwd file, that represents a user called upload_ftp, 1001:1001 is his User Id and Group ID, /var/www/sites is the home directory of the user(and the parameter that vsftpd reads from) and /bin/bash, the shell. Probably what is missing on your case is a home directory to the user, and it could be solved with the following command: usermod -d /var/www/mydomain.com <username>. Cheers :) –  Jul 16 '13 at 14:23
  • Ahh, makes sense then.

    So just to be sure - that line from the passwd file is not anything to put in the vsftpd.conf file, correct? Only chroot_local_user=YES is needed in the vsftpd.conf file...? Either way, I tried both scenarios - still the same output for me :/

    – user1231561 Jul 16 '13 at 15:15
  • Also ended all of my steps with the usermod line you provided. I log in to the wished folder, however I can still browse back to all other folders on the server. After uploading the vsftpd.conf file and adding the user, I also restarted httpd. Any ideas? – user1231561 Jul 16 '13 at 15:16
  • ISSUE SOLVED! I shouldn't restart httpd, but do: /etc/init.d/vsftpd restart – user1231561 Jul 16 '13 at 16:07
  • Yup, thanks a lot. One issue though. It works fine logging in through normal FTP, however when I log in as SFTP - then I can browse back again - any ideas? – user1231561 Jul 16 '13 at 16:36
  • Certainly because sftp is being handled by your ssh server, not by your ftp server. In a "crude" way: SFTP = SSH + FTP; FTPS = FTP + SSL. There is a thread about sftp here, and I'll quote it to avoid subject duplication, ok? ;) http://unix.stackexchange.com/a/64541/34720 –  Jul 16 '13 at 17:08
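The last comment is the key to the SFTP case: SFTP is served by sshd, so the vsftpd chroot does nothing for it and the jail has to be configured in `sshd_config`. The script below is an added example, not code from the thread or from the linked tutorials. It emits a `Match Group` block with `ChrootDirectory` and `ForceCommand internal-sftp`, verifies the resulting config text, and lays out the jail. OpenSSH requires the `ChrootDirectory` (and every parent of it) to be owned by root and not writable by group or others, so the account gets a subdirectory it owns rather than ownership of the whole tree. The group name `sftponly`, the user name and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): jail an SFTP-only account in OpenSSH.
# Assumed: group sftponly, /etc/ssh/sshd_config, jail at /var/www/mydomain.com.

# Print the Match block that jails members of GROUP under CHROOT_DIR and
# restricts them to the built-in SFTP server, with no shell and no forwarding.
sftp_match_block() {
    group="$1"; chroot_dir="$2"
    cat <<EOF
Match Group $group
    ChrootDirectory $chroot_dir
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Append the block to CONF (default /etc/ssh/sshd_config). Match blocks must
# follow the global options, so appending at the end is the right place.
install_sftp_match() {
    sftp_match_block "$1" "$2" >> "${3:-/etc/ssh/sshd_config}"
}

# Return 0 when CONF has a Match block for GROUP that sets both
# ChrootDirectory and ForceCommand internal-sftp. A pre-flight check to run
# before `sshd -t` and the restart, so a half-applied edit is caught early.
config_jails_group() {
    conf="$1"; group="$2"
    awk -v g="$group" '
        /^Match /  { inblk = ($0 ~ ("^Match[ \t]+Group[ \t]+" g "([ \t]|$)")) }
        inblk && $1 == "ChrootDirectory" { c = 1 }
        inblk && $1 == "ForceCommand" && $2 == "internal-sftp" { f = 1 }
        END { exit !(c && f) }' "$conf"
}

# Privileged steps (run as root): group, shell-less account, jail layout,
# config, restart. Usage: ./this.sh --apply USER sftponly /var/www/mydomain.com
apply() {
    user="$1"; group="$2"; jail="$3"
    groupadd -f "$group"
    useradd -M -d "$jail" -s /sbin/nologin -G "$group" "$user"
    mkdir -p "$jail/html"
    chown root:root "$jail"; chmod 755 "$jail"                 # root-owned, not group/other writable
    chown "$user:$group" "$jail/html"; chmod 755 "$jail/html"   # the only place the user can write
    install_sftp_match "$group" "$jail"
    config_jails_group /etc/ssh/sshd_config "$group" || exit 1
    sshd -t && systemctl restart sshd
}

if [ "${1:-}" = "--apply" ]; then apply "$2" "$3" "$4"; fi
```

With `internal-sftp` no shell is ever started, so `/sbin/nologin` is fine as the login shell and the account cannot open an SSH session. The session starts at the jail root (sshd cannot chdir to the home path inside the jail, which it silently tolerates), and the user can only write under `html/`. Note that the `chown -R user` step from the question would make the jail root user-owned and sshd would then reject the login with a "bad ownership or modes for chroot directory" error in the log, which is the usual cause of an SFTP chroot that refuses to work.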

After you've changed your config to include chroot_local_user=YES

You could change the user's shell to /usr/sbin/nologin so that if the password leaks you will have mitigated some risk (set the home directory too). The shell needs to be listed in /etc/shells as well or authentication will fail.

usermod -d /var/www/my.domain.example -s /usr/sbin/nologin exampleuser

-d, --home HOME_DIR The user’s new login directory. If the -m option is given the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist.

-s, --shell SHELL The name of the user’s new login shell. Setting this field to blank causes the system to select the default login shell.

https://security.appspot.com/vsftpd/FAQ.txt


Here are the steps to set up a user, allow the user access only via FTP (i.e. no SSH), and also limit access to a specific (user home) directory on proftpd:

  1. Add new user: adduser newusername

  2. Set password: passwd newusername

  3. Modify user home directory from default to a new folder:

    usermod -d /target/directory username

  4. Edit shells file: vi /etc/shells and add /dev/null at the end

  5. Modify newusername entry in the passwd file: vi /etc/passwd to add /./ before the newusername so that the entry looks like this:

    newusername:x:502:502::/home/ftp/./newusernamehomedirectory/:/dev/null

    Details for steps 4 & 5 here:

  6. Edit /etc/proftpd/proftpd.conf file and uncomment the line DefaultRoot ~

DopeGhoti
pTeJa

Run this command:

useradd -d ftp_user:chown 711 /etc/init.d/
Michael Mrozek
    You should consider expanding your post to have, at least, some helpful explanation or documentation. – HalosGhost Oct 18 '14 at 06:00
    This is an awful answer. You're essentially giving the ftp user full access to the /etc/init.d/ directory - complete madness.

    711 explained - http://permissions-calculator.org/decode/0711/

    – Tisch May 18 '15 at 11:31

Set the root folder permissions to 711 with your root account.

Ramesh