Hello,
I’m using CentOS 8 x86_64 and I want to configure the vsftpd service and limit a user to just a specific directory. I did the steps below to configure vsftpd:
1- I created an account and set a password for it:
Then I opened the “jason” file and added the lines below to it:
local_root=/var/www/wp/
write_enable=YES
Other files are:
# cat ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
And:
# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
#root
#bin
#daemon
#adm
#lp
#sync
#shutdown
#halt
#mail
#news
#uucp
#operator
#games
#nobody
jason
And finally, I restarted the vsftpd service. I’m using FileZilla and can connect to the FTP server, but the jason user sees its home directory and not “/var/www/wp/”, and can see other parts of the system too.
What is my problem? Which part is wrong?
What are the permissions and ownership of /var/www/wp/ ?
This issue seems like maybe “others” do not have read+execute permissions there.
Also, if jason needs to read/write into that directory, I would suggest he be made part of a specialized group, that group be given group ownership of /var/www/wp/, and then the group be given rwx permissions there. For security purposes “others” should not have write permissions there, and if you choose, maybe not even read+execute permissions.
Another consideration is that by default any user logging in will see the directory that is designated as their home in /etc/passwd. If your user is supposed to see only the /var/www/wp/ directory then his home directory should be just that.
I cannot give you the fine-tune details for vsftp but it looks like you are probably close.
The first thing we must do is create a directory that will house our FTP data:
# mkdir -p /data
# chmod 701 /data
Create the SFTP group and user:
# groupadd sftp_users
# useradd -g sftp_users -d /upload -s /sbin/nologin USERNAME
# passwd USERNAME
Create the new user SFTP directory:
Now we're going to create an upload directory, specific to the new user, and then give the directory the proper permissions.
# mkdir -p /data/USERNAME/upload
# chown -R root:sftp_users /data/USERNAME
# chown -R USERNAME:sftp_users /data/USERNAME/upload
Configure sshd:
# nano /etc/ssh/sshd_config
At the bottom of that file, add the following:
Match Group sftp_users
ChrootDirectory /data/%u
ForceCommand internal-sftp
AllowTcpForwarding no
Match User tecmint
#specify chroot jail
ChrootDirectory /home/test
AllowTcpForwarding no
If I add my user to the "apache" group, then I don't need to create an extra group and run the commands below?
Code:
# chown -R root:sftp_users /data/USERNAME
# chown -R USERNAME:sftp_users /data/USERNAME/upload
I would create the group as suggested since that way you are not allowing the apache daemon to access and write into that directory. For security I would even be cautious about putting the upload directory directly under the /var/www tree.
The tutorial shows creating a user with home directory where the uploads occur and putting him into a chroot jail for the uploads. I think that is a very good idea even when using vsftp.
I would also look in detail at the man page for vsftpd.conf. It gives a lot of different options with their usage and might also guide you in what you want to do.
The general idea seems correct.
Although, I recommend avoiding modifying sshd_config and using the sshd_config.d directory instead.
Also, ideally it’s best to create a system user (useradd -r), disable password authentication and use key-based authentication.
It doesn’t really matter, as the FTP protocol itself is on the verge of obsolescence, the same way as Telnet and Gopher.
In addition, there’s virtually no reason to bother with FTP/vsftpd when you can simply utilize SFTP/OpenSSH, which is already preinstalled.