LinuxQuestions.org
Old 12-29-2005, 08:04 AM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Rep: Reputation: 73
vsFTPd Setup (Need Help)


OK - I have an FTP server. Let me give you a very quick and easy setup of the server so my questions make more sense...

The FTP server has 4 home directories which are as follows.

- carlos
- ftp
- laura
- stricom

From the four listed users above, only 3 of them are obviously shell users. The "ftp" home directory is installed by my vsFTPd server utility and I don't think it allows you to login with that username as a shell user.

The "carlos" home directory is my home. I place all my data in this home dir and I think I am the only direct shell user who logs in directly to the Debian machine as well as FTP.

The "laura" home directory is identical to the "carlos" directory as in this is my girl's username and she also stores data in this folder and may from time to time login directly to the box but mainly just uses ftp or ssh to get into the machine. Laura is limited to her home directory only via FTP connections but not ssh. I will try and figure out how to limit "laura" to no read / write / execute access to other shell home directories.

The "ftp" directory is something vsFTPd created I think for anonymous logins for the FTP server. It's important to understand that my ftp server is configured to deny anonymous logins.

The "stricom" is the last shell user I have created because I disabled anonymous logins for FTP users & I wanted a universal account that I can give to friends and family for FTP access. So the "stricom" user is someone who will just login to "/home/stricom/" and upload and download files to that directory and sub directories of that home directory.

My Question:

Is there a way I can modify the permissions for the "stricom" username to only be able to read and write to their own home directory? I don't want them to be able to connect to the server via SSH and then "cd" to any other shell user's home directory and view the files or folders. I ONLY want stricom to read and write their own home directory. This also includes a restriction on the "stricom" user not being allowed to delete any files from their own home directory, just the ability to read & write.

Thanks for any help.
 
Old 12-29-2005, 08:21 AM   #2
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Hello,

Here are some handy /etc/vsftpd/vsftpd.conf options:

1) You can jail ALL shell users to their respective home directories using
Code:
chroot_local_user=YES
2) You can selectively jail users to their home directories using
Code:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Of course you need to create the file /etc/vsftpd.chroot_list for the second method, and list the usernames that are to be jailed.

PS: Be careful if you combine the two methods using
Code:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
because then the file list has the opposite effect, in the sense that it lists users that ARE NOT jailed to their home directories.

Hope this helps.

[edit]
Users logging in via ssh are still able to browse the directories outside their home. You should deny ssh login to users that you don't want to be able to do that.
[/edit]

Last edited by Notwerk; 12-29-2005 at 08:25 AM.
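The list inversion described in the post above, as an added example that is not part of the original posts: a small evaluator that reads vsftpd.conf-style text and reports which local users end up jailed over FTP. The sample config, list contents and function names are constructed for illustration, and only YES/NO values are handled.

```python
SAMPLE_CONF = """\
# constructed sample, not a file from the thread
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
"""
SAMPLE_LIST = "carlos\n"  # constructed contents of the chroot list file
USERS = ["carlos", "laura", "stricom"]


def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comment lines are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key] = value
    return opts


def is_yes(opts, key):
    # Both chroot options default to NO when absent.
    return opts.get(key, "NO").upper() == "YES"


def jailed_users(conf_text, chroot_list_text, users):
    """Return {user: True if chroot()ed to the home directory on FTP login}."""
    opts = parse_conf(conf_text)
    listed = {u.strip() for u in chroot_list_text.splitlines() if u.strip()}
    if not is_yes(opts, "chroot_list_enable"):
        listed = set()  # the list file is ignored unless enabled
    jail_all = is_yes(opts, "chroot_local_user")
    # chroot_local_user=YES: everyone is jailed EXCEPT listed users.
    # chroot_local_user=NO:  only listed users are jailed.
    return {u: (u not in listed) if jail_all else (u in listed) for u in users}


if __name__ == "__main__":
    for user, jailed in jailed_users(SAMPLE_CONF, SAMPLE_LIST, USERS).items():
        print(f"{user}: {'jailed' if jailed else 'NOT jailed'}")
```

This only models FTP logins; as the post notes, ssh sessions are not affected by these options.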
 
Old 12-29-2005, 08:36 AM   #3
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 73
Notwerk - Thanks for all the info.

I already have it setup in vsFTPd so that "carlos" is the only user who's not jailed to their own home directory but everyone else is.

If you login as "laura" or "stricom", you can't leave their home directories via FTP. My question is how can I limit their permissions in their own home directory? I don't want to allow "stricom" to delete files. I do want "stricom" to read & write to "/home/stricom".
 
Old 12-29-2005, 09:31 AM   #4
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Oh I see.... I didn't catch that part...

Well, if you want to set some configurations on a user-specific level, you should add:
Code:
user_config_dir=/etc/vsftpd_user_conf/%username%
Then create the 4 needed files %username%={carlos, ftp, carla, stricom}.

Each of these files should contain the settings that are applied to the relevant user account. You can then use /etc/vsftpd_user_conf/stricom to set:
Code:
local_umask=333
So that any files that are uploaded are only readable once they get to the server.

Last edited by Notwerk; 12-29-2005 at 02:09 PM.
 
Old 12-29-2005, 09:55 AM   #5
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 73
Notwerk - I am a little confused and before I make any changes in fear of breaking FTP, I just want to be sure that the above will allow anyone who logs in as "stricom" via shell or FTP to only read and write to their home directory but not delete or move files. This way when "joe" logs in as stricom via ftp and uploads an mp3, "derek" can't login one hour later as stricom and delete the mp3 that "joe" uploaded. I do want "derek" to be able to download the .mp3 file that "joe" uploaded.
 
Old 12-29-2005, 10:48 AM   #6
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
If you set user_config_dir=/etc/... then the settings in each file are applied to ANY session that is started by the corresponding username. Therefore, if users X, Y and Z log in to ftp using the username "stricom", the settings of /etc/vsftpd_user_config/stricom will be applied to all three sessions.

Don't forget to place the "umask" statement in stricom's settings.

When in doubt:
$ man vsftpd.conf
and back up the files before you change anything.

[edit]
Again... this applies to FTP but not ssh, or shell.
One more thing.... I messed up the umask value I gave you in the previous reply.... it should be 333...
[/edit]

Last edited by Notwerk; 12-29-2005 at 02:09 PM.
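A check of what a 333 umask does on disk, as an added example that is not part of the original posts: it creates a file the way an upload would under that umask, inside a directory the user can write to, then tries to delete it. The file name and function names are constructed, and the 0666 creation mode is assumed to match vsftpd's default file_open_mode.

```python
import os
import stat
import tempfile

UPLOAD_MODE = 0o666   # assumed creation mode requested for uploads
UMASK = 0o333         # the thread's 333 read as octal; vsftpd.conf(5) notes
                      # that octal values need the leading 0 in the config


def mode_after_umask(requested, umask):
    """Permission bits a new file gets: requested bits minus the masked ones."""
    return requested & ~umask


def upload_then_delete(umask):
    """Create a file under `umask` in a writable directory, then delete it.

    Returns (permission bits of the new file, whether the delete succeeded).
    """
    with tempfile.TemporaryDirectory() as home:   # stands in for /home/stricom
        old = os.umask(umask)
        try:
            path = os.path.join(home, "song.mp3")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, UPLOAD_MODE)
            os.write(fd, b"constructed sample data")
            os.close(fd)
        finally:
            os.umask(old)                          # restore the caller's umask
        file_mode = stat.S_IMODE(os.stat(path).st_mode)
        # Unlinking a file is governed by write permission on the directory,
        # not by the permission bits of the file itself.
        os.remove(path)
        return file_mode, not os.path.exists(path)


if __name__ == "__main__":
    mode, deleted = upload_then_delete(UMASK)
    print(f"uploaded file mode: {oct(mode)}, delete succeeded: {deleted}")
```

The file comes out read-only (0444) yet can still be removed by anyone who can write to the directory, so blocking deletion over FTP needs a separate control, for example vsftpd's cmds_denied option listing DELE and RMD where the installed version supports it.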
 
  

