Old 11-21-2014, 06:29 PM   #1
ASTRAPI
Member
 
Registered: Feb 2007
Posts: 210

Rep: Reputation: 16
Question VSFTPD and user lock to a path


Hi

I try to lock a user "ftpuser1" and add on a group "sftponly" to a path and have access only on this folder and subfolders and files on it like:

Code:
/home/nginx/domains/mydomain.com/public/uploads
And I have on config:

Code:
chroot_local_user=YES
local_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
local_root=/home/nginx/domains/mydomain.com/public/uploads
But the user has no permissions for this folder at all

How can I change the permissions for this user from:

Code:
/home/ftpuser1
and lock him at:

Code:
/home/nginx/domains/mydomain.com/public/uploads
?

Thanks
 
Old 11-22-2014, 02:58 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,520

Rep: Reputation: 1502
Hi,

You can change the user's homedir using the usermod command.
Then you need to change ownership of /home/nginx/domains/mydomain.com/public/uploads, so your user can write in that directory
BTW in this case you don't need the "local_root..." directive.

Regards
 
Old 11-22-2014, 09:52 AM   #3
ASTRAPI
Member
 
Registered: Feb 2007
Posts: 210

Original Poster
Rep: Reputation: 16
Yes, I use the command:

Code:
usermod --home /home/nginx/domains/mydomain.com/public/uploads

What permissions should I use then?

I try with userftp1:sftponly but the user is going again to /
 
Old 11-22-2014, 01:03 PM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,520

Rep: Reputation: 1502
Quote:
What permissions should I use then?
If your user is userftp1, run
Code:
chown -R userftp1 /home/nginx/domains/mydomain.com/public/uploads

Quote:
I try with userftp1:sftponly but the user is going again to /
Mind that with chroot the / for the user in question is actually its homedir
 
Old 11-22-2014, 05:02 PM   #5
ASTRAPI
Member
 
Registered: Feb 2007
Posts: 210

Original Poster
Rep: Reputation: 16
Ok, I did it and I login to the server and when I try to go from / to /home/nginx/ I got this:

Code:
Error:	Directory /home/nginx: permission denied


Then I set permissions for nginx folder to ftpuser1 and group nginx and it works but now my site is not working as nginx doesn't like the permissions

Last edited by ASTRAPI; 11-22-2014 at 05:18 PM.
 
Old 11-23-2014, 03:50 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,520

Rep: Reputation: 1502
Quote:
Then I set permissions for nginx folder to ftpuser1 and group nginx and it works but now my site is not working as nginx doesn't like the permissions
How doesn't nginx like the permissions? What is the error you get? What's in error_log?
Using 755 for directories and 644 for files (usually the default) should work.
 
Old 11-23-2014, 09:39 AM   #7
ASTRAPI
Member
 
Registered: Feb 2007
Posts: 210

Original Poster
Rep: Reputation: 16
404 not found

Yes, I have 755 for folders and 644 for files but the forum stops working when I change the group from nginx to ftpuser1

When I change it back to nginx the forum is working again...
 
Old 11-23-2014, 11:13 AM   #8
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,520

Rep: Reputation: 1502
Quote:
Originally Posted by ASTRAPI
404 not found

Yes, I have 755 for folders and 644 for files but the forum stops working when I change the group from nginx to ftpuser1

When I change it back to nginx the forum is working again...
It should work.
What's about the 404 error in error_log?
You can also try to add your user in nginx group and chown/chgrp the docroot accordingly
 
Old 11-23-2014, 11:49 AM   #9
ASTRAPI
Member
 
Registered: Feb 2007
Posts: 210

Original Poster
Rep: Reputation: 16
Almost done

The problem was the nginx permissions had set GID and I removed it and now both user and site are working

Now i have only two problems one big and one small

1) The user can view the contents of .php files owned by nginx user and group (small problem)
2) The user can go back to / and view the /backup folder and the backups inside that were created by root and download them (big one)

Thanks

Last edited by ASTRAPI; 11-23-2014 at 11:54 AM.
 
Old 11-23-2014, 02:06 PM   #10
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,520

Rep: Reputation: 1502
Quote:
2) The user can go back to / and view the /backup folder and the backups inside that were created by root and download them (big one)
If you have set the user homedir as /home/nginx/domains/mydomain.com/public/uploads, he cannot escape the jail and go upwards to /home/nginx/domains/mydomain.com/public, as he sees just the /, unless you've changed something in vsftpd config
 
Old 11-23-2014, 04:18 PM   #11
ASTRAPI
Member
 
Registered: Feb 2007
Posts: 210

Original Poster
Rep: Reputation: 16
I use the config that I posted in my topic ....

Code:
chroot_local_user=YES
local_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
local_root=/home/nginx/domains/mydomain.com/public/uploads
and this:

Code:
usermod --home /home/nginx/domains/mydomain.com/public/uploads
Info:
Code:
[root@server ~]# id ftpuser1
uid=502(ftpuser1) gid=502(ftpuser1) groups=502(ftpuser1)

Last edited by ASTRAPI; 11-23-2014 at 06:53 PM.
 
Old 11-23-2014, 06:41 PM   #12
ASTRAPI
Member
 
Registered: Feb 2007
Posts: 210

Original Poster
Rep: Reputation: 16
This is also what I have on /etc/passwords


Code:
ftpuser1:x:502:502::/home/nginx/domains/mydomain.com/public/uploads:/bin/bash

And yes, now the user when he logs in goes to the correct folder automatically:

Code:
/home/nginx/domains/mydomain.com/public/uploads
But he can go back to /backup and download the root backup files....

Last edited by ASTRAPI; 11-23-2014 at 08:06 PM.
 
Old 11-24-2014, 02:04 AM   #13
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 664

Rep: Reputation: 80
Is this option chroot_list_enable enabled? I am just asking, don't try anything yet or read man page.
 
Old 11-24-2014, 03:34 AM   #14
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,520

Rep: Reputation: 1502
@OP
Quote:
I use the config that I posted in my topic ....

chroot_local_user=YES
local_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
local_root=/home/nginx/domains/mydomain.com/public/uploads
Your config is good. In fact I've tested here and it doesn't allow me to go outside local_root.
As a side note:
You have used 2 times "chroot_local_user=YES", but I'd guess it's not the issue here.
Also as I've already told you, you don't need "local_root=...", since you have setup that directory as the user homedir in /etc/passwd.

So, do you restart vsftpd after making changes to vsftpd.conf?
And are you sure you're using the correct vsftpd.conf?
 
Old 11-24-2014, 11:45 AM   #15
ASTRAPI
Member
 
Registered: Feb 2007
Posts: 210

Original Poster
Rep: Reputation: 16
chroot_list_enable ?

I have this with the comment:

Code:
#chroot_list_enable=YES
Maybe I must uncomment it and use it as YES?

and the config file that i use is:

Code:
/etc/vsftpd/vsftpd.conf

Last edited by ASTRAPI; 11-24-2014 at 11:53 AM.
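
Added example, not part of any post in this thread: a shell check for the two config points raised above, the repeated chroot_local_user line and the chroot_list_enable question. It follows the vsftpd.conf man page, where chroot_list_enable combined with chroot_local_user=YES turns the list into the users who are NOT jailed; the function names, the sample files and the rule that the last occurrence of a repeated directive wins are assumptions of this example.

```shell
# Added example (not from the thread): does this vsftpd.conf jail a given user?
is_yes() { case $(printf %s "$1" | tr a-z A-Z) in YES|TRUE|1) return 0;; esac; return 1; }
# conf_get FILE KEY DEFAULT: value of KEY, or DEFAULT if unset. Assumption:
# when a directive is repeated, the last occurrence is the one in effect.
conf_get() {
    awk -F= -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        $1 == k    { v = substr($0, length(k) + 2); found = 1 }
        END        { print (found ? v : d) }' "$1"
}

# conf_dupes FILE: directives that are set more than once, one per line.
conf_dupes() {
    awk -F= '/^[ \t]*#/ || !/=/ { next }
             { n[$1]++ }
             END { for (k in n) if (n[k] > 1) print k }' "$1" | sort
}

# is_chrooted FILE USER: prints "chrooted" or "not-chrooted".
is_chrooted() {
    all=$(conf_get "$1" chroot_local_user NO)
    use_list=$(conf_get "$1" chroot_list_enable NO)
    # Upstream default path; some distribution builds use another one.
    list=$(conf_get "$1" chroot_list_file /etc/vsftpd.chroot_list)
    listed=no
    if is_yes "$use_list" && [ -r "$list" ] && grep -qxF -- "$2" "$list"; then
        listed=yes
    fi
    # chroot_local_user=YES: the list names users who are NOT jailed.
    # chroot_local_user=NO:  the list names the only users who are jailed.
    if is_yes "$all"; then
        [ "$listed" = yes ] && echo not-chrooted || echo chrooted
    else
        [ "$listed" = yes ] && echo chrooted || echo not-chrooted
    fi
}

# Constructed sample: the thread's chroot lines plus an enabled chroot list.
tmp=$(mktemp -d)
cat > "$tmp/vsftpd.conf" <<EOF
chroot_local_user=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$tmp/chroot_list
EOF
echo ftpuser1 > "$tmp/chroot_list"
conf_dupes "$tmp/vsftpd.conf"
is_chrooted "$tmp/vsftpd.conf" ftpuser1
rm -rf "$tmp"
```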
 
  


All times are GMT -5.
