How to create an FTP user with specific /dir/ access only on a CentOS / Linux installation

  • So I'm on a VPS - CentOS Linux installation. I have vsFTPd on the server. I currently have SFTP access to the server via my root user, but am now trying to create a new user with FTP access to a specific directory only on the server. I've done the following:

    1. mkdir /var/www/mydomain.com
    2. mkdir /var/www/mydomain.com/html
    3. useradd <-username>
    4. passwd <-username>
    5. chown -R <-username> /var/www/mydomain.com
    6. groupadd <-groupname>
    7. gpasswd -a <-username> <-groupname>
    8. chgrp -R <-groupname> /var/www/mydomain.com
    9. chmod -R g+rw /var/www/mydomain.com


    What I'm struggling to do is to create the user to ONLY have access to /var/www/mydomain.com - I observed that the user correctly logs into the right folder, however the user can then browse "back" to other directories. I want the user to stick to the specific folder and not be able to "browse" back.

    Any ideas?

    I've found different articles on chrooting, but simply haven't figured out how to use it in the steps included above.

  • Correct answer

    7 years ago

    It's quite simple.

    You have to add the following option on the vsftpd.conf file

    chroot_local_user=YES
    

    The documentation inside the configuration file is self-explanatory:

    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    

    This means that the user will just have access to the folder you configured as HOME of the user. Below, I have an example of a user passwd entry:

    upload_ftp:x:1001:1001::/var/www/sites/:/bin/bash
    

    Set the home directory of the user with the following command:

    usermod -d /var/www/my.domain.example/ exampleuser
    

    Note: In my example, this user is also a valid user for some scheduled tasks inside Linux. If you don't have this need, please change the shell of the user to /sbin/nologin instead of bash.
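    Added example, not from this answer or from vsftpd itself: a small POSIX shell script that applies the chroot rule quoted above (with `chroot_local_user=YES` the list names the users NOT to chroot; with `NO` it names the users TO chroot) to a constructed vsftpd.conf and chroot list, and reads the home directory field that vsftpd uses from a constructed passwd-style file. All paths, user names and sample files are placeholders; the fallback list path `/etc/vsftpd.chroot_list` is vsftpd's documented default and is assumed to match your packaging.

```shell
# conf_value FILE KEY -> value of the last KEY=value line in FILE
# (comment lines never match; a repeated key keeps its last value)
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# will_chroot CONF USER -> prints YES if vsftpd would confine USER to its
# home directory, NO otherwise, following the vsftpd.conf comment:
# chroot_local_user=YES -> all local users except names in the list;
# chroot_local_user=NO  -> only the names in the list.
will_chroot() {
    local_all=$(conf_value "$1" chroot_local_user)
    list_enable=$(conf_value "$1" chroot_list_enable)
    list_file=$(conf_value "$1" chroot_list_file)
    # assumption: vsftpd's documented default when chroot_list_file is unset
    [ -n "$list_file" ] || list_file=/etc/vsftpd.chroot_list
    in_list=NO
    if [ "$list_enable" = YES ] && [ -r "$list_file" ] && grep -qx "$2" "$list_file"; then
        in_list=YES
    fi
    if [ "$local_all" = YES ]; then
        if [ "$in_list" = YES ]; then echo NO; else echo YES; fi
    else
        if [ "$in_list" = YES ]; then echo YES; else echo NO; fi
    fi
}

# home_dir PASSWD USER -> the home field (6th) of USER's passwd entry
home_dir() {
    awk -F: -v u="$2" '$1 == u { print $6 }' "$1"
}

# make_sample DIR -> writes constructed vsftpd.conf, chroot list and
# passwd file into DIR (placeholder names, not a real server's files)
make_sample() {
    mkdir -p "$1"
    cat > "$1/vsftpd.conf" <<EOF
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$1/chroot_list
EOF
    echo admin_ftp > "$1/chroot_list"
    cat > "$1/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
upload_ftp:x:1001:1001::/var/www/mydomain.com:/sbin/nologin
admin_ftp:x:1002:1002::/home/admin_ftp:/bin/bash
EOF
}
```

    Run `make_sample /tmp/vsftpd-demo` and then `will_chroot /tmp/vsftpd-demo/vsftpd.conf upload_ftp` to see which users end up confined under each setting.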

    Hi nwildner! Thanks so much for taking the time to answer me on this. So in my vsftpd.conf file I've added the following line "chroot_local_user=YES" - then as I understand it I need to add a line similar to the one you show for my user? Must admit I'm not entirely sure what to write there with the example you provide. The "1001" etc., what is that? Let's assume my user is called "im_a_linux_noob" and the directory for that user is "/var/www/mydomain.com" - what would that look like?

    And would I be able to do this without any additional steps beyond what I've done in my post? So doing 1-8 and then adding what you describe should do the trick?

    Hi. The example above is just a line (modified, of course) of the `/etc/passwd` file that represents a user called upload_ftp; 1001:1001 is his user ID and group ID, /var/www/sites is the home directory of the user (and the parameter that vsftpd reads from) and /bin/bash the shell. Probably what is missing in your case is a home directory for the user, and it could be solved with the following command: `usermod -d /var/www/mydomain.com `. Cheers :)

    Ahh, makes sense then. So just to be sure - that line from the passwd file is not anything to put in the vsftpd.conf file, correct? Only chroot_local_user=YES is needed in the vsftpd.conf file...? Either way, I tried both scenarios - still the same output for me :/

    Also ended all of my steps with the usermod line you provided. I log in to the wished folder, however I can still browse back to all other folders on the server. After uploading the vsftpd.conf file and adding the user, I also restarted httpd. Any ideas?

    ISSUE SOLVED! I shouldn't restart httpd, but rather do: /etc/init.d/vsftpd restart

    Yup, thanks a lot. One issue though. It works fine logging in through normal FTP, however when I log in via SFTP - then I can browse back again - any ideas?

    Certainly because SFTP is being handled by your SSH server, not by your FTP server. In a "crude" way: SFTP = SSH + FTP; FTPS = FTP + SSL. There is a thread about SFTP here, and I'll quote it to avoid subject duplication, ok? ;) http://unix.stackexchange.com/a/64541/34720

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM