Old 05-08-2013, 11:32 AM   #1
pedenski
Member
 
Registered: Feb 2012
Posts: 33

Rep: Reputation: Disabled
create a public directory for chroot ftp users


I'm using vsftpd, and by default, when I create a user, they are jailed in their directory, which is /home/user. I have enabled chroot_local_user=YES.

On the other hand, I also wanted to create a shared folder for all the FTP users. So in a nutshell, they have their own directory and they have a shared group folder.

/
+/home
+user1
+shared_folder

I've been trying to search for this on Google and I can't find any solution.

I have already tried:
mount --bind /home/share/ /home/test/shared/

Last edited by pedenski; 05-08-2013 at 01:01 PM. Reason: revise question
 
Old 05-09-2013, 02:27 AM   #2
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 835

Rep: Reputation: 165Reputation: 165
The mount --bind enabled me to achieve what you describe.

I found that vsftpd would not allow the root of the chroot jail to be writable by the user. This is the error you get if the user's root directory is writable:

Code:
500 OOPS: vsftpd: refusing to run with writable root inside chroot ()

So if /home/user1 is the normal local login home directory for user1, you can't make it his ftp chroot home directory. At least, I wasn't able to figure out a way to do it. You could set the parent /home directory as the user's chroot, but that may give him some degree of access to other directories under /home that you don't want him to have.

I decided not to allow my ftp users access to their local /home/<username> directory at all. They can log in via ssh if they need to access it. For their ftp needs, I created a /home/ftpuser/<username> directory for each user. For example, for user1, /home/ftpuser/user1. I granted user1 read and execute access, but not write access, to the user1 directory, because this is their chroot home, and vsftpd fails if they have write permission.

Under their chroot home I created an ftp directory and a share directory. When they login, they can change directory into either one. Both subdirectories are set up with 700 permission bits, but the share directory will have another group shared directory, /home/share, mounted on it using mount --bind. You could do the same with a public (world read/write/execute) directory if you prefer.

So with that background, here is the configuration:

Here are the relevant parts of vsftpd.conf:

Code:
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.user_list
local_umask=022
user_config_dir=/etc/vsftpd/vsftpd_user_conf

This means that only users listed in the userlist_file can login, all users are chrooted except for those listed as exceptions in the chroot_list_file, and the chroot home for each user is specified in the user's config file under the user_config_dir directory.

Here is the relevant part of the directory structure under /home:

Code:
|-- ftpuser
|   |-- user1
|   |   |-- ftp
|   |   `-- share
|   |-- user2
|   |   |-- ftp
|   |   `-- share
|   `-- user3
|       |-- ftp
|       `-- share
|-- share

/home/share is the group shared directory, and the users allowed to access it are connected to the share01 group.

/etc/vsftpd/vsftpd.user_list is a list of all the ftp users allowed to login.

Code:
# cat /etc/vsftpd/vsftpd.user_list
user1
user2
user3

Directory listing of /etc/vsftpd/vsftpd_user_conf shows the config file for each allowed user.

Code:
# ls -l vsftpd_user_conf
-rw-r--r-- 1 root root   29 Dec  5 11:20 user1
-rw-r--r-- 1 root root   24 Dec  5 11:07 user2
-rw-r--r-- 1 root root   27 Dec  4 23:32 user3

The contents of /etc/vsftpd/vsftpd_user_conf/user1, user2, user3 files show the chroot home directory for each.

Code:
# cat vsftpd_user_conf/user1   
local_root=/home/ftpuser/user1
#
# cat vsftpd_user_conf/user2  
local_root=/home/ftpuser/user2
#
# cat vsftpd_user_conf/user3   
local_root=/home/ftpuser/user3

Again, the ftp user has no write access to his chroot home directory. He will see a ftp and a share subdirectory under his root when he logs in. The ftp subdirectory is his alone. The /home/ftpuser/userx/share subdirectory has the /home/share group shared directory mounted on it.

These commands mount the /home/share group shared directory on top of each user's /home/ftpuser/userx/share subdirectory.

Code:
mount --bind /home/share /home/ftpuser/user1/share
mount --bind /home/share /home/ftpuser/user2/share
mount --bind /home/share /home/ftpuser/user3/share

Does this help?
 
1 members found this post helpful.
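
A read-only check of the layout described in post #2, as an added example that is not part of the original thread: for every user in the user list it reads local_root from the per-user config file, flags a chroot root the user can write to (the condition behind the "refusing to run with writable root" error), and flags a share directory with nothing mounted on it. The helper names are hypothetical; it assumes GNU stat, Linux /proc/self/mounts, and plain mode bits with no ACLs.

```shell
#!/bin/sh
# Added example: read-only audit of a per-user vsftpd chroot layout.
# Assumes GNU stat and Linux /proc/self/mounts; mode bits only, no ACLs.

# writable_by USER DIR: status 0 if DIR's permission bits give USER write access.
writable_by() (
    uid=$(id -u "$1") || exit 2
    st=$(stat -c '%u %g %a' "$2") || exit 2
    owner=${st%% *}; mode=${st##* }; group=${st#* }; group=${group%% *}
    if [ "$uid" -eq "$owner" ]; then bit=$(( 0$mode & 0200 ))
    elif id -G "$1" | tr ' ' '\n' | grep -qx "$group"; then bit=$(( 0$mode & 0020 ))
    else bit=$(( 0$mode & 0002 )); fi
    [ "$bit" -ne 0 ]
)

# local_root_of FILE: print the local_root= value from a per-user config file.
local_root_of() { sed -n 's/^local_root=//p' "$1"; }

# is_mounted DIR: status 0 if DIR appears as a mount target (bind mounts included).
is_mounted() { awk -v d="$1" '$2 == d { f = 1 } END { exit !f }' /proc/self/mounts; }

# audit_ftp_layout USER_LIST USER_CONF_DIR
# Prints one finding per line; exit status is the number of findings.
audit_ftp_layout() (
    findings=0
    while read -r user; do
        case $user in ''|'#'*) continue ;; esac
        root=$(local_root_of "$2/$user" 2>/dev/null)
        if [ -z "$root" ]; then
            echo "$user: no local_root in $2/$user"
            findings=$((findings + 1)); continue
        fi
        if writable_by "$user" "$root"; then
            echo "$user: $root is writable by the user, vsftpd will refuse the login"
            findings=$((findings + 1))
        fi
        if ! is_mounted "$root/share" 2>/dev/null; then
            echo "$user: $root/share is not a mount point, bind mount missing"
            findings=$((findings + 1))
        fi
    done < "$1"
    exit "$findings"
)

# e.g. sh audit.sh /etc/vsftpd/vsftpd.user_list /etc/vsftpd/vsftpd_user_conf
if [ "$#" -eq 2 ]; then audit_ftp_layout "$1" "$2"; fi
```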
Old 05-09-2013, 08:21 AM   #3
pedenski
Member
 
Registered: Feb 2012
Posts: 33

Original Poster
Rep: Reputation: Disabled
Thank you for this! It's now working! And the explanation was awesome.

Another thing:
I hope you can clarify this. I'm not sure if it's just me, but when I restarted the server, the bound folder I created vanished; I have to re-bind them again.

Is this normal?
 
Old 05-09-2013, 12:43 PM   #4
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 835

Rep: Reputation: 165Reputation: 165
Do you mean when you restarted the vsftpd server? No, I can't think of any reason why that would occur. The mount is completely independent of vsftpd. Once mounted, they should stay mounted until you reboot or issue a umount command. Issue "mount -l" to list all your mounted filesystems; they should appear.

I don't run vsftpd as a standalone daemon. I run it as a service under inetd. inetd starts and stops vsftpd as required, and my mount bindings don't go away.
 
Old 05-13-2013, 01:31 AM   #5
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 835

Rep: Reputation: 165Reputation: 165
One other thing you might try if your bind mounts are going away (although I don't see why they would) is to put them in /etc/fstab.

For example, to bind mount /home/share on /home/ftpuser/user1/share in fstab, you would add this line to /etc/fstab.

Code:
/home/share  /home/ftpuser/user1/share  none  defaults,bind  0 0
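
The fstab approach from post #5 extended to every user in the user list, as an added example that is not part of the original thread: it appends one bind entry per user in the same format as the line above, skips targets that already have an entry, and skips users whose share directory does not exist. The function names and the idea of driving it from vsftpd.user_list are assumptions made for the example.

```shell
#!/bin/sh
# Added example: keep one bind-mount entry per FTP user in an fstab file.

# fstab_bind_line SHARE FTP_BASE USER: print the fstab line for one user.
fstab_bind_line() {
    printf '%s  %s/%s/share  none  defaults,bind  0 0\n' "$1" "$2" "$3"
}

# ensure_bind_entries USER_LIST SHARE FTP_BASE FSTAB
# Appends an entry for each listed user that has none yet and prints how
# many lines were added, so running it twice changes nothing the second time.
ensure_bind_entries() (
    added=0
    while read -r user; do
        case $user in ''|'#'*) continue ;; esac
        target="$3/$user/share"
        # An entry whose mount point does not exist fails at mount time.
        if [ ! -d "$target" ]; then
            echo "skipping $user: $target does not exist" >&2
            continue
        fi
        # Field 2 of an fstab line is the mount point; ignore commented lines.
        if awk -v t="$target" '$1 !~ /^#/ && $2 == t { f = 1 } END { exit !f }' \
               "$4" 2>/dev/null; then
            continue
        fi
        fstab_bind_line "$2" "$3" "$user" >> "$4"
        added=$((added + 1))
    done < "$1"
    echo "$added"
)

# e.g. sh bind-fstab.sh /etc/vsftpd/vsftpd.user_list /home/share /home/ftpuser /etc/fstab
if [ "$#" -eq 4 ]; then ensure_bind_entries "$1" "$2" "$3" "$4"; fi
```

Run it as root against /etc/fstab, then `mount -a` mounts any entries that are not yet active.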
 
  

