LinuxQuestions.org


bnz99 12-15-2006 08:42 AM

FTP Server permissions
 
I've configured VSFTPD on my new Fedora 6 box, created a couple of accounts and so far everything is working except for one thing. The ftp accounts which I want to be able to read and write in their home directories are also able to 'cd' anywhere in the system, as well as transfer system files. How do you restrict them to just their home? They are part of a group called 'ftp-users' which I created. This group does not have access to anywhere else in the system as far as I can tell. Obviously I'm doing something wrong here.

If you need more info, please let me know.

Thanks in advance.

MensaWater 12-15-2006 02:00 PM

You need to set up "chroot" on the home directories. Doing a Google search for that should give you tons of info on how to do it.

bnz99 12-16-2006 09:23 PM

Thanks for the reply.

From what I read it should be as easy as setting the following options in vsftp.conf:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

I added my allowed users to the list (chroot_list) which I created. My problem now is when they log in they go directly to the root of the box. In fact, they cannot even get into their home directory (550 error).

Where am I going wrong here?

Thanks again.

JimBass 12-16-2006 11:36 PM

You should have read the comments that appear in most of the default vsftpd.conf files -

Code:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list

The users automatically get trapped once chroot_local_user gets set to YES. By writing them into the chroot list, you basically give them a get out of jail free card.

Also, you were worried about users being able to read system files. Why? They can read almost anyplace, but other than within their home directories, they can't write. That is one of the beauties of the *nix system. Had they tried to upload a file to /etc, it would have failed. They don't have write permission there.

Peace,
JimBass
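
The list semantics quoted from the vsftpd.conf comments above, as an added example that is not part of the original thread: a small Python check that reports which accounts end up confined to their home directory for a given combination of chroot_local_user, chroot_list_enable and list contents. The user names and config snippets are constructed, and both options are assumed to default to NO when absent.

```python
# Added example (not from the thread): effective chroot status per user
# under vsftpd's chroot_local_user / chroot_list_enable options.

def parse_conf(text):
    """Return {option: value} from vsftpd.conf text, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return opts

def is_yes(opts, name):
    # Simplification: only the literal YES is treated as enabled;
    # a missing option is assumed to default to NO.
    return opts.get(name, "NO").upper() == "YES"

def chroot_status(conf_text, listed_users, users):
    """Map each user to True (jailed in home) or False (can roam)."""
    opts = parse_conf(conf_text)
    jail_by_default = is_yes(opts, "chroot_local_user")
    use_list = is_yes(opts, "chroot_list_enable")
    listed = set(listed_users)
    status = {}
    for user in users:
        if use_list and user in listed:
            # A listed user always gets the opposite of the default.
            status[user] = not jail_by_default
        else:
            status[user] = jail_by_default
    return status

def unjailed(conf_text, listed_users, users):
    """Users who can still 'cd' outside their home directory."""
    status = chroot_status(conf_text, listed_users, users)
    return sorted(u for u, jailed in status.items() if not jailed)

if __name__ == "__main__":
    # Constructed sample: list enabled on top of chroot_local_user=YES,
    # so the listed account is the one that escapes the jail.
    conf = ("chroot_local_user=YES\n"
            "chroot_list_enable=YES\n"
            "chroot_list_file=/etc/vsftpd/chroot_list\n")
    users = ["alice", "bob"]          # constructed account names
    print(chroot_status(conf, ["alice"], users))
    print("not confined:", unjailed(conf, ["alice"], users))
```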

MensaWater 12-17-2006 02:18 AM

Also remember you should chroot them to the directory you want them to be in. Note that when they log in that directory will appear to be root.

That is to say if the chrooted directory you created was /home/someuser then when they log in they won't see /home/someuser. They'll see "/". However what they see in "/" will be whatever you as the admin see in /home/someuser. That's why you have to put in the files they'll need - they can't go anywhere except to the chrooted directory. Often you need to create etc, bin, usr/bin or other directories and contents for the chrooted directory to give them access to what you want them to have or what they need to have to log in (e.g. an abbreviated /etc/passwd with only their account in it should be in /home/someuser/etc/passwd).


All times are GMT -5.