LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   create a public directory for chroot ftp users (https://www.linuxquestions.org/questions/linux-newbie-8/create-a-public-directory-for-chroot-ftp-users-4175461164/)

pedenski 05-08-2013 10:32 AM
create a public directory for chroot ftp users
 
im using vsftpd & by default, when i create a user they are jailed in their directory which is /home/user i have enabled chroot_local_user=YES

on the other hand, i also wanted to create a shared folder for all the ftp users. so in a nutshell, they have their own directory and they have a shared group folder

/
+/home
+user1
+shared_folder

been trying to search this on google and i cant find any solution.

i have already tried
mount --bind /home/share/ /home/test/shared/

Z038 05-09-2013 01:27 AM
The mount --bind enabled me to achieve what you describe.

I found that vsftpd would not allow the root of the chroot jail to be writable by the user. This is the error you get if the user's root directory is writable:

Code:
500 OOPS: vsftpd: refusing to run with writable root inside chroot ()
So if /home/user1 is the normal local login home directory for user1, you can't make it his ftp chroot home directory. At least, I wasn't able to figure out a way to do it. You could set the parent /home directory as the user's chroot, but that may give him some degree of access to other directories under /home that you don't want him to have.

I decided not to allow my ftp users access to their local /home/<username> directory at all. They can login via ssh if they need to access it. For their ftp needs, I created a /home/ftpuser/<username> directory for each user. For example, for user1, /home/ftpuser/user1. I granted user1 read and execute access, but not write access, to the user1 directory, because this is their chroot home, and vsftp fails if they have write permission.

Under their chroot home I created an ftp directory and a share directory. When they login, they can change directory into either one. Both subdirectories are set up with 700 permission bits, but the share directory will have another group shared directory, /home/share, mounted on it using mount --bind. You could do the same with a public (world read/write/execute) directory if you prefer.

So with that background, here is the configuration:

Here are the relevant parts of vsftpd.conf:

Code:
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.user_list
local_umask=022
user_config_dir=/etc/vsftpd/vsftpd_user_conf
This means that only users listed in the userlist_file can login, all users are chrooted except for those listed as exceptions in the chroot_list_file, and the chroot home for each user is specified in the user's config file under the user_config_dir directory.

Here is the relevant part of the directory structure under /home:

Code:
|-- ftpuser
|  |-- user1
|  |  |-- ftp
|  |  `-- share
|  |-- user2
|  |  |-- ftp
|  |  `-- share
|  `-- user3
|  |  |-- ftp
|  |  `-- share
|-- share
/home/share is the group shared directory, and the users allowed to access it are connected to the share01 group.

/etc/vsftpd/vsftpd.user_list is a list of all the ftp users allowed to login.

Code:
# cat /etc/vsftpd/vsftpd.user_list
user1
user2
user3
Directory listing of /etc/vsftpd/vsftpd_user_conf shows the config file for each allowed user.

Code:
# ls -l vsftpd_user_conf
-rw-r--r-- 1 root root  29 Dec  5 11:20 user1
-rw-r--r-- 1 root root  24 Dec  5 11:07 user2
-rw-r--r-- 1 root root  27 Dec  4 23:32 user3
The contents of /etc/vsftpd/vsftpd_user_conf/user1, user2, user3 files show the chroot home directory for each.

Code:
# cat vsftpd_user_conf/user1 
local_root=/home/ftpuser/user1
#
# cat vsftpd_user_conf/user2 
local_root=/home/ftpuser/user2
#
# cat vsftpd_user_conf/user3 
local_root=/home/ftpuser/user3
Again, the ftp user has no write access to his chroot home directory. He will see a ftp and a share subdirectory under his root when he logs in. The ftp subdirectory is his alone. The /home/ftpuser/userx/share subdirectory has the /home/share group shared directory mounted on it.

These commands mount the /home/share group shared directory on top of each users /home/ftpuser/userx/share subdirectory.

Code:
mount --bind /home/share /home/ftpuser/user1/share
mount --bind /home/share /home/ftpuser/user2/share
mount --bind /home/share /home/ftpuser/user3/share
Does this help?

pedenski 05-09-2013 07:21 AM
thank you for this! its now working! and the explanation was awesome :)

another thing,
I hope you can clarify this, im not sure if its just me but, when i restarted the server the binded folder i created vanished, i have to re-bind them again.

is this normal?

Z038 05-09-2013 11:43 AM
Do you mean when you restarted the vsftpd server? No, I can't think of any reason why that would occur. The mount is completely independent of vsftpd. Once mounted, they should stay mounted until you reboot or issue a umount command. Issue "mount -l" to list all your mounted filesystems, they should appear.

I don't run vsftpd as a standalone daemon. I run it as a service under inetd. inetd starts and stops vsftpd as required, and my mount bindings don't go away.

Z038 05-13-2013 12:31 AM
One other thing you might try if your bind mounts are going away (although I don't see why they would) is to put them in /etc/fstab.

For example, to bind mount /home/share on /home/ftpuser/user1/share in fstab, you would add this line to /etc/fstab.

Code:
/home/share  /home/ftpuser/user1/share  none  defaults,bind  0 0


All times are GMT -5. The time now is 05:42 AM.