How to create an FTP user with specific /dir/ access only on a CentOS / Linux installation

It's quite simple.

You have to add the following option in the vsftpd.conf file:

chroot_local_user=YES

The documentation inside the configuration file is self-explanatory:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().

This means that the user will only have access to the folder you configured as the HOME of the user. Below, I have an example of a user passwd entry:

upload_ftp:x:1001:1001::/var/www/sites/:/bin/bash

Set the home directory of the user with the following command

usermod -d /var/www/my.domain.example/ exampleuser

Note: In my example, this user is also a valid user for some scheduled tasks inside Linux. If you don't have this need, please change the shell of the user to /sbin/nologin instead of bash.


After you've changed your config to include chroot_local_user=YES

You could change the user's shell to /usr/sbin/nologin so that if the password leaks you will have mitigated some risk (set the home directory too). The shell needs to be listed in /etc/shells as well or authentication will fail.

usermod -d /var/www/my.domain.example -s /usr/sbin/nologin exampleuser

-d, --home HOME_DIR The user’s new login directory. If the -m option is given the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist.

-s, --shell SHELL The name of the user’s new login shell. Setting this field to blank causes the system to select the default login shell.

https://security.appspot.com/vsftpd/FAQ.txt
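The two answers above both rest on the same three facts being true at once: chroot_local_user=YES is really set, the user's home is where you think it is, and the shell is non-interactive yet still listed in /etc/shells. The script below is an added example (not code from either answer) that checks exactly those points. It takes passwd-, shells- and vsftpd.conf-style files as arguments, so it runs here against constructed copies and can be pointed at /etc/passwd, /etc/shells and /etc/vsftpd/vsftpd.conf on the real host. The function names and the sample entries are mine.

```sh
#!/bin/sh
# Added example: sanity-check a local account before handing it out as a
# chrooted, FTP-only vsftpd login. Sample files below are constructed.

# passwd_field FILE USER N: print field N (6 = home, 7 = shell) of USER's entry.
# Fails if USER has no entry.
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; found = 1 } END { exit !found }' "$1"
}

# shell_is_listed SHELL SHELLS_FILE: on CentOS /etc/pam.d/vsftpd pulls in
# pam_shells, so a shell that is not listed verbatim in /etc/shells fails the login.
shell_is_listed() {
    grep -qxF -- "$1" "$2"
}

# check_ftp_user PASSWD_FILE SHELLS_FILE USER WEBROOT
# Prints one line per problem; returns 0 only if the account is FTP-only and
# its home (the chroot root once chroot_local_user=YES is on) sits under WEBROOT.
check_ftp_user() {
    pw=$1 shells=$2 user=$3 webroot=${4%/} rc=0
    home=$(passwd_field "$pw" "$user" 6) || { echo "$user: no entry in $pw"; return 1; }
    shell=$(passwd_field "$pw" "$user" 7)
    case $home in
        "$webroot"/*) ;;
        *) echo "$user: home $home is outside $webroot"; rc=1 ;;
    esac
    case $shell in
        */nologin|/bin/false) ;;
        *) echo "$user: shell $shell is interactive; a leaked password also gives SSH"; rc=1 ;;
    esac
    shell_is_listed "$shell" "$shells" ||
        { echo "$user: $shell is not in $shells, the FTP login will fail"; rc=1; }
    return $rc
}

# vsftpd_chroots VSFTPD_CONF: 0 if chroot_local_user is switched on. vsftpd reads
# exactly option=value per line; booleans are YES/TRUE/1 (case-insensitive).
vsftpd_chroots() {
    grep -qiE '^chroot_local_user=(YES|TRUE|1)$' "$1"
}

# --- constructed sample files standing in for /etc/passwd, /etc/shells, vsftpd.conf ---
tmp=$(mktemp -d)
cat >"$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
upload_ftp:x:1001:1001::/var/www/sites/:/bin/bash
exampleuser:x:1002:1002::/var/www/my.domain.example:/sbin/nologin
EOF
printf '%s\n' /bin/sh /bin/bash /sbin/nologin >"$tmp/shells"
printf '%s\n' listen=YES local_enable=YES chroot_local_user=YES >"$tmp/vsftpd.conf"

# upload_ftp is flagged for its bash shell; exampleuser passes.
for u in upload_ftp exampleuser; do
    if check_ftp_user "$tmp/passwd" "$tmp/shells" "$u" /var/www; then
        echo "$u: ok"
    fi
done
vsftpd_chroots "$tmp/vsftpd.conf" || echo "chroot_local_user=YES is not set"
rm -rf "$tmp"
```

On a real host the call is `check_ftp_user /etc/passwd /etc/shells exampleuser /var/www` followed by `vsftpd_chroots /etc/vsftpd/vsftpd.conf`. One caveat the answers do not mention: vsftpd 2.3.5 and later refuse to log a user in when the chroot root itself is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), so either keep the home directory non-writable and upload into a writable subdirectory, or set allow_writeable_chroot=YES (vsftpd 3.0.0 and later) and accept the weaker boundary.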


Here are the steps to set up a user, allow the user access only via FTP (i.e. no SSH), and limit access to a specific (user home) directory on proftpd:

  1. Add new user: adduser newusername

  2. Set password: passwd newusername

  3. Modify the user's home directory from the default to a new folder:

    usermod -d /target/directory username

  4. Edit shells file: vi /etc/shells and add /dev/null at the end

  5. Modify the newusername entry in the passwd file: vi /etc/passwd to add /./ before the newusername so that the entry looks like this:

    newusername:x:502:502::/home/ftp/./newusernamehomedirectory/:/dev/null

    Details for steps 4 & 5 here:

  6. Edit /etc/proftpd/proftpd.conf file and uncomment the line DefaultRoot ~
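The /./ in step 5 is proftpd's "magic cookie": with DefaultRoot ~ active, the part of the home directory before /./ becomes the chroot root and the part after it becomes the directory the session starts in. Step 4 is needed because proftpd's RequireValidShell directive defaults to on, so the shell in the passwd entry has to appear in /etc/shells even though nobody will ever run it. The script below is an added example (not code from the answer above) that shows the split and checks those points against constructed passwd-, shells- and proftpd.conf-style files; the function names and sample entries are mine.

```sh
#!/bin/sh
# Added example: interpret a "/./" home directory the way proftpd's DefaultRoot ~
# does, and check the pieces steps 4 to 6 rely on. Sample files are constructed.

# split_chroot_home HOME: print "CHROOT_DIR<TAB>START_DIR".
#   /home/ftp/./site/  ->  /home/ftp<TAB>site/   (chroot to /home/ftp, start in site/)
#   /home/ftp/site     ->  /home/ftp/site<TAB>   (the whole home is the chroot)
split_chroot_home() {
    case $1 in
        */./*) printf '%s\t%s\n' "${1%%/./*}" "${1#*/./}" ;;
        *)     printf '%s\t%s\n' "$1" "" ;;
    esac
}

# defaultroot_enabled PROFTPD_CONF: 0 if an uncommented "DefaultRoot ~" line exists
# (a trailing group list such as "DefaultRoot ~ !adm" still counts).
defaultroot_enabled() {
    grep -qE '^[[:space:]]*DefaultRoot[[:space:]]+~' "$1"
}

# passwd_field FILE USER N: field N (6 = home, 7 = shell) of USER's entry.
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; found = 1 } END { exit !found }' "$1"
}

# check_proftpd_user PASSWD_FILE SHELLS_FILE PROFTPD_CONF USER
# Returns 0 when the login is chrooted, the shell cannot be used interactively,
# and the shell is listed (RequireValidShell is on by default, hence step 4).
# Also reports where the chroot root and the start directory end up.
check_proftpd_user() {
    pw=$1 shells=$2 conf=$3 user=$4 rc=0
    home=$(passwd_field "$pw" "$user" 6) || { echo "$user: no entry in $pw"; return 1; }
    shell=$(passwd_field "$pw" "$user" 7)
    defaultroot_enabled "$conf" ||
        { echo "$user: DefaultRoot ~ is missing or commented out in $conf, no chroot at all"; rc=1; }
    case $shell in
        /dev/null|*/nologin|/bin/false) ;;
        *) echo "$user: shell $shell is interactive; a leaked password also gives SSH"; rc=1 ;;
    esac
    grep -qxF -- "$shell" "$shells" ||
        { echo "$user: $shell is not in $shells; RequireValidShell will reject the login"; rc=1; }
    root=$(split_chroot_home "$home" | cut -f1)
    start=$(split_chroot_home "$home" | cut -f2)
    echo "$user: chroot to $root, session starts in /$start"
    return $rc
}

# --- constructed sample files standing in for /etc/passwd, /etc/shells, proftpd.conf ---
tmp=$(mktemp -d)
printf '%s\n' 'newusername:x:502:502::/home/ftp/./newusernamehomedirectory/:/dev/null' >"$tmp/passwd"
printf '%s\n' /bin/sh /bin/bash /dev/null >"$tmp/shells"
printf '%s\n' 'ServerName "FTP"' 'DefaultRoot ~' >"$tmp/proftpd.conf"

check_proftpd_user "$tmp/passwd" "$tmp/shells" "$tmp/proftpd.conf" newusername &&
    echo "newusername: ok"
rm -rf "$tmp"
```

If you would rather not list /dev/null in /etc/shells (other tools read that file too), the alternative is `RequireValidShell off` in proftpd.conf together with /sbin/nologin as the shell; the check above accepts either arrangement as long as the shell is non-interactive.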