How to create an FTP user with specific /dir/ access only on a CentOS / Linux installation
It's quite simple.
You have to add the following option on the vsftpd.conf file
chroot_local_user=YES
The documentation inside the configuration file is self-explanatory:
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
This means that the user will only have access to the folder you configured as the HOME of the user. Below, I have an example of a user's passwd entry:
upload_ftp:x:1001:1001::/var/www/sites/:/bin/bash
Set the home directory of the user with the following command:
usermod -d /var/www/my.domain.example/ exampleuser
Note: In my example, this user is also a valid user for some scheduled tasks inside Linux. If you don't have this need, please change the shell of the user to /sbin/nologin instead of bash.
After you've changed your config to include chroot_local_user=YES, you could change the user's shell to /usr/sbin/nologin so that if the password leaks you will have mitigated some risk (set the home directory too). The shell needs to be listed in /etc/shells as well or authentication will fail.
usermod -d /var/www/my.domain.example -s /usr/sbin/nologin exampleuser
-d, --home HOME_DIR The user’s new login directory. If the -m option is given the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist.
-s, --shell SHELL The name of the user’s new login shell. Setting this field to blank causes the system to select the default login shell.
https://security.appspot.com/vsftpd/FAQ.txt
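The two answers above rely on two checks that are easy to get backwards: the meaning of the vsftpd chroot list flips depending on chroot_local_user, and a shell that is not listed in /etc/shells makes authentication fail. The script below is an added example, not code from either answer or from the vsftpd project; it reads constructed sample copies of vsftpd.conf, the chroot list, /etc/shells and passwd from a temp directory, and the function names (vsftpd_opt, vsftpd_user_chrooted, user_shell, shell_is_listed) are my own.

```shell
#!/bin/sh
# Added example, not code from the answers above: work out whether vsftpd
# will chroot() a given local user (reproducing the inverted meaning of the
# chroot list described in the config comment), and check that the account's
# shell is listed in /etc/shells so that PAM does not refuse the login.
# Every path and file below is constructed sample data in a temp dir.

# Print the value of KEY from a vsftpd.conf (empty when the key is unset).
vsftpd_opt() {   # vsftpd_opt CONF KEY
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Print "chrooted" or "not-chrooted" for USER under CONF.
# Rule: chroot_local_user is the default for everyone; when
# chroot_list_enable=YES, the names in chroot_list_file get the opposite.
vsftpd_user_chrooted() {   # vsftpd_user_chrooted CONF USER
    conf=$1; user=$2
    default=$(vsftpd_opt "$conf" chroot_local_user)
    list_on=$(vsftpd_opt "$conf" chroot_list_enable)
    list_file=$(vsftpd_opt "$conf" chroot_list_file)
    [ -n "$list_file" ] || list_file=/etc/vsftpd.chroot_list   # vsftpd's default
    in_list=no
    if [ "$list_on" = YES ] && [ -f "$list_file" ] && grep -qx "$user" "$list_file"; then
        in_list=yes
    fi
    if [ "$default" = YES ]; then
        if [ "$in_list" = yes ]; then echo not-chrooted; else echo chrooted; fi
    else
        if [ "$in_list" = yes ]; then echo chrooted; else echo not-chrooted; fi
    fi
}

# Print the login shell of USER from a passwd-format file.
user_shell() {   # user_shell PASSWD USER
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Succeed when SHELL appears in SHELLS_FILE; pam_shells rejects others.
shell_is_listed() {   # shell_is_listed SHELLS_FILE SHELL
    grep -qx "$2" "$1"
}

# --- constructed sample files (not a real system) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
VSFTPD_CONF=$WORK/vsftpd.conf; VSFTPD_CONF_NO=$WORK/vsftpd-no.conf
CHROOT_LIST=$WORK/vsftpd.chroot_list; SHELLS=$WORK/shells; PASSWD=$WORK/passwd
printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' "$CHROOT_LIST" >"$VSFTPD_CONF"
printf 'chroot_local_user=NO\nchroot_list_enable=YES\nchroot_list_file=%s\n' "$CHROOT_LIST" >"$VSFTPD_CONF_NO"
printf 'admin_ftp\n' >"$CHROOT_LIST"
printf '/bin/sh\n/bin/bash\n/usr/sbin/nologin\n' >"$SHELLS"
cat >"$PASSWD" <<'EOF'
upload_ftp:x:1001:1001::/var/www/sites/:/usr/sbin/nologin
admin_ftp:x:1002:1002::/home/admin_ftp:/bin/bash
weird_ftp:x:1003:1003::/var/www/other/:/bin/false
EOF

# Report each sample account: chroot decision, shell, and whether PAM accepts it.
for u in upload_ftp admin_ftp weird_ftp; do
    sh=$(user_shell "$PASSWD" "$u")
    if shell_is_listed "$SHELLS" "$sh"; then listed=yes; else listed=no; fi
    echo "$u: $(vsftpd_user_chrooted "$VSFTPD_CONF" "$u") shell=$sh listed=$listed"
done
```

With the first sample config (chroot_local_user=YES) the list is an exemption list, so admin_ftp is the only user left un-jailed; with the second (chroot_local_user=NO) the very same list file jails admin_ftp and nobody else. The weird_ftp account shows the /etc/shells trap: /bin/false keeps it out of a login shell, but because it is not listed, FTP authentication fails too.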
Here are steps to set up a user and allow the user access only via FTP (i.e. no SSH) and also limit access to a specific (user home) directory on proftpd:
1. Add new user:
adduser newusername
2. Set password:
passwd newusername
3. Modify user home directory from default to a new folder:
usermod -d /target/directory username
4. Edit the shells file (vi /etc/shells) and add /dev/null at the end.
5. Modify the newusername entry in the passwd file (vi /etc/passwd) to add /./ before the newusername so that the entry looks like this:
newusername:x:502:502::/home/ftp/./newusernamehomedirectory/:/dev/null
Details for steps 4 & 5 here:
6. Edit the /etc/proftpd/proftpd.conf file and uncomment the line DefaultRoot ~
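The proftpd steps above end with an account whose passwd entry has a "/./" in the home path, /dev/null as its shell, and DefaultRoot enabled. The script below is an added example (not code from the answer or from the ProFTPD project) that builds such an entry and audits one against constructed sample copies of passwd, /etc/shells and proftpd.conf in a temp directory. The function names are my own, and the split of the home path at "/./" (chroot root before it, starting directory after it) is my reading of what step 5 intends, not something the answer states.

```shell
#!/bin/sh
# Added example, not code from the answer above: build and validate the kind
# of FTP-only passwd entry the proftpd steps produce ("/./" in the home,
# /dev/null shell, DefaultRoot active). All files are constructed samples in
# a temp dir, never the real /etc.

# Build a line like newusername:x:502:502::/home/ftp/./subdir/:/dev/null
ftp_only_passwd_entry() {   # ftp_only_passwd_entry NAME UID ROOT SUBDIR
    printf '%s:x:%s:%s::%s/./%s/:/dev/null\n' "$1" "$2" "$2" "$3" "$4"
}

# Split "/root/./start/" into "ROOT START" (assumed reading of the "/./"
# convention: chroot root before it, start directory after it). A home with
# no "/./" is reported as its own root with "/" as the start directory.
split_chroot_home() {   # split_chroot_home HOME
    case $1 in
        */./*) printf '%s %s\n' "${1%%/./*}" "/${1#*/./}" ;;
        *)     printf '%s %s\n' "$1" "/" ;;
    esac
}

# Succeed when an uncommented DefaultRoot line is present in CONF.
proftpd_defaultroot_active() {   # proftpd_defaultroot_active CONF
    grep -Eq '^[[:space:]]*DefaultRoot[[:space:]]' "$1"
}

# Print "ok", or the list of problems, for account NAME; non-zero on problems.
audit_ftp_account() {   # audit_ftp_account PASSWD SHELLS CONF NAME
    entry=$(grep -- "^$4:" "$1") || { echo no-passwd-entry; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    problems=""
    grep -qx -- "$shell" "$2" || problems="$problems shell-not-in-shells"
    case $shell in
        /dev/null|/sbin/nologin|/usr/sbin/nologin) ;;
        *) problems="$problems interactive-shell" ;;
    esac
    proftpd_defaultroot_active "$3" || problems="$problems DefaultRoot-commented"
    case $home in
        */./*) ;;
        *) problems="$problems no-dot-slash-in-home" ;;
    esac
    if [ -z "$problems" ]; then echo ok; else echo "${problems# }"; return 1; fi
}

# --- constructed sample files (not a real system) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASSWD=$WORK/passwd; SHELLS=$WORK/shells; CONF=$WORK/proftpd.conf
printf '/bin/sh\n/bin/bash\n/dev/null\n' >"$SHELLS"
{
    ftp_only_passwd_entry newusername 502 /home/ftp newusernamehomedirectory
    printf 'devuser:x:503:503::/home/devuser:/bin/bash\n'
} >"$PASSWD"
cat >"$CONF" <<'EOF'
# constructed proftpd.conf fragment with DefaultRoot uncommented
ServerName "Constructed FTP"
DefaultRoot ~
EOF

for name in newusername devuser; do
    echo "$name: $(audit_ftp_account "$PASSWD" "$SHELLS" "$CONF" "$name" || true)"
done
echo "split: $(split_chroot_home /home/ftp/./newusernamehomedirectory/)"
```

Running it reports "newusername: ok" and, for the ordinary account, "devuser: interactive-shell no-dot-slash-in-home", which is the shape of finding you want from an audit of every account an FTP daemon can authenticate.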