LinuxQuestions.org
09-15-2010, 04:56 AM   #1
JuliaNell
FTP user restrictions


Hi guys, I am running Slackware on my machine and I have FTP (proftpd) configured on it. I have certain folders on my server that I only want certain users to have access to, and others not.

Where do I start?
 
09-15-2010, 05:28 AM   #2
aizkorri
Hi,

I can explain how I configured it so that each user can access only his/her folder; I have proftpd working on my machine too.

I configured it as follows.

First, create users in the /etc/passwd file, like:

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

That means that the user called ftp can access the /var/ftp folder and cannot log in to the machine, but can log in to the ftp server.


Then I configured my proftpd.conf as follows:


#
# For more information about ProFTPD configuration
# look at : http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD"
#ServerType standalone
ServerType inetd
DefaultServer on
<Global>
# chroot every authenticated user into the home directory from /etc/passwd
DefaultRoot ~
AllowOverwrite on
</Global>
DefaultTransferMode binary
# refuse logins for accounts listed in /etc/ftpusers
UseFtpUsers on
TimesGMT off

# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# The following part of this config file was generated by PSA automatically.
# Any changes in this part will be overwritten by the next manipulation
# of the Anonymous FTP feature in the PSA control panel.

# The Include directive should point to the place where FTP Virtual Hosts
# configurations are preserved

ScoreboardFile /var/run/proftpd/scoreboard

# Primary log file must be outside of system logrotate province

TransferLog /usr/local/psa/var/log/xferlog

# Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

# skip ident and reverse-DNS lookups at connect time
IdentLookups off
UseReverseDNS off

AuthGroupFile /etc/group

Include /etc/proftpd.include


Well, good luck :-)
Hope that helps.
 
09-27-2010, 01:53 AM   #3
JuliaNell (original poster)
thanks

Thanks Aizkorri

I understand DefaultRoot ~ allows users to access directories that belong to them only, and not see others.

To go into more detail: I have users Jane, Joseph and Jack as system users, and I have directories such as projects, school and work on the server as well. Now I want Jack to access only projects and not work and school; I want Joseph to have access to all three (3) directories; and Jane should not be able to go up the directory tree: Jane should remain in the directory work and not go up the system.

Does your solution cater for that? Thanks again for your help. I also tried to read the website, proftpd.com, and I think it has something to do with limit commands and chroot. Can you help me out here? I do not understand how to put such configuration commands as allow and limit into operation. Thanks for your time.
 
09-27-2010, 02:26 AM   #4
prayag_pjs
For setting permissions,

use a combination of the following commands:

Quote:
setfacl [-r] [-f] [-d] [-m] [-s] [aclfile]

chmod

chown

To jail users to a particular directory:


# vi /etc/vsftpd/vsftpd.conf
Quote:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
# vi /etc/vsftpd.chroot_list
Quote:
jane
joseph
jack
 
09-27-2010, 03:49 AM   #5
JuliaNell (original poster)
Is it the same configuration as for proftpd.conf?
 
09-27-2010, 04:07 AM   #6
aizkorri
vsftpd is another kind of ftp server; it should have its own conf file.
I haven't worked with it; it might be easier to configure, but I cannot help you too much :-).

As for proftpd, the config I sent could work with those users only if they access the directory defined in /etc/passwd.
I think it could be done like this:

Jack's directory at /etc/passwd --> /path/to/ftp/projects
Joseph's directory at /etc/passwd --> /path/to/ftp
Jane's directory at /etc/passwd --> /path/to/ftp/work


About Allow and Limit, it depends on what you would like to use them for; anyway, the above configuration should let you use that kind of users.

Hope that helps.
 
09-27-2010, 04:44 AM   #7
JuliaNell (original poster)
aizkorri, it's helpful, thanks.

Here:

Joseph's directory at /etc/passwd --> /home/joseph:/bin/bash

This works perfectly fine; it shows all folders. Joseph actually has access to all 3 folders, thanks.

Jack's directory at /etc/passwd --> /var/www/htdocs/projects
This unfortunately does not work at all. In the /etc/passwd file it's like this:
jack:x:1007:100:,,,:/var/www/hdocs/projects

Jane's directory at /etc/passwd --> jane:x:1008:100:,,,:/home/work

also does not work at all;

it only works when it's /home/work:/bin/bash, which I do not understand why.
 
09-27-2010, 05:51 AM   #8
aizkorri
Hmm,

for example, for my ftp user I have this: /sbin/nologin instead of /bin/bash,
but I'm not sure why it should be a problem not putting it.

On the other hand, take care about security: check that the anonymous user is not working, and check that the users cannot navigate to places that they should not go :-)
 
09-27-2010, 06:15 AM   #9
Hangdog42
Quote:
Originally Posted by aizkorri
for example, for my ftp user I have this: /sbin/nologin instead of /bin/bash,
but I'm not sure why it should be a problem not putting it.
For security reasons, you don't want the ftp user to have access to a shell, so it should always be something like /sbin/nologin (Slackware usually uses /bin/false).

@JuliaNell
I think this would work if you focused on the ownership of the directories and used groups to manage access. So if you had your three directories:

projects owned by ftp:projects
school owned by ftp:school
work owned by ftp:work

Then if you make your users members of the appropriate groups, that should prevent them from accessing the others. So Joseph would be a member of all three groups, but Jack would only be a member of projects.
 
09-27-2010, 08:36 AM   #10
JuliaNell (original poster)
Sorry guys for asking too much; maybe I'm confused or there is something I am not doing here:

drwxrwxwx 3 jack(user) users(group) projects/

drwxr--x-x 2 root root work/

drwxr--x-x 2 jane users school/

These are the permissions set for users and directories.

user
jane:x:1007:100:,,,:/home/jane:/bin/bash

has access to all the directories in the home folder, all of them. Is there something I need to set in the proftpd.conf file, or what am I not doing? There is something I am not doing, guys; sorry, but I'm stuck here.


@Hangdog42

Thanks very much for your time.

How do I make joseph a member of 3 groups? Maybe this is where I am lost.


drwxrwxwx 3 jack(user) users(group) projects/

jack owns projects; how will joseph own it also? Should I make it root root?

I don't get it: the 3 directories are in the home directory, and projects, school and work are not groups, they are directories; there is only one group called users.


I think I'm totally lost, but thanks once more.
 
09-27-2010, 08:23 PM   #11
Hangdog42
Quote:
has access to all the directories in the home folder, all of them. Is there something I need to set in the proftpd.conf file, or what am I not doing? There is something I am not doing, guys; sorry, but I'm stuck here.
One assumption I'll make is that jane is a member of the users group, in which case it should be no mystery why jane has access to the projects directory, since it is owned by the users group. And of course she has access to the school group since she owns it as the user. What is a bit of a mystery is why she would have access to the work directory, since that is owned by root:root and isn't world readable. However, if for some reason jane is also a member of the root group (which she really shouldn't be), then that would allow access to work as well.

I don't think this is a proftpd configuration issue as much as a permissions issue.

Quote:
How do I make joseph a member of 3 groups? Maybe this is where I am lost.
OK, assume that you've set up the three directories in /home using the root account. Initially they would all look something like this:

drwxr-xr-x root:root /home/work
drwxr-xr-x root:root /home/projects
drwxr-xr-x root:root /home/school

You would then use the groupadd command (see man groupadd) to create three new groups (work, school and projects) and then use chown to change the ownership to something like:

drwxrwx--- ftp:work /home/work
drwxrwx--- ftp:projects /home/projects
drwxrwx--- ftp:school /home/school

In this example, I've also used chmod to set the permissions for each directory to 770, which means that any user has to be a member of the appropriate group to get in. So in the example, if jane is only a member of the users group, she couldn't get into any of the directories. To allow jane into the work directory, you would use the usermod command to put jane in the work group, which would then allow her access to the work directory. If you look in /etc/group, you'll see all the groups currently on your machine and all of the users in each group.
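The model below is an added example, not code from the thread, of the check that the 770-and-groups recipe in #11 relies on. Once a user is authenticated, ProFTPD's session process runs with that user's UID, primary GID and supplementary groups, so what an FTP user can enter, list or write is decided by the kernel's ordinary owner/group/other check on each directory. The directories are the ones listed in post #14 (school 755 root:root, work 770 ftp:work, projects 777 jack:projects) and the same three after the groupadd/chgrp/chmod 770 step from #11; group memberships come from the /etc/group posted in #14 (joseph's primary GID 101 is not named there and is left out, an assumption).

```python
"""Unix directory permission check as seen by a chrooted or unchrooted FTP
user. Added example; users, groups and modes are taken from the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dir:
    path: str
    mode: int     # permission bits only, e.g. 0o770
    owner: str
    group: str


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset   # primary plus supplementary groups


def permission_bits(d: Dir, who: Account) -> int:
    """rwx triplet (0..7) the kernel applies to `who` for directory `d`.

    Owner bits if you own it (even when they grant less than group/other),
    else group bits if any of your groups matches, else the 'other' bits.
    Exactly one triplet applies; they are never OR'ed together.
    """
    if who.name == d.owner:
        return (d.mode >> 6) & 7
    if d.group in who.groups:
        return (d.mode >> 3) & 7
    return d.mode & 7


def can_enter(d: Dir, who: Account) -> bool:
    """CWD into the directory needs the search (x) bit."""
    return bool(permission_bits(d, who) & 0o1)


def can_list(d: Dir, who: Account) -> bool:
    """LIST/NLST needs r to read the entries and x to reach them."""
    return permission_bits(d, who) & 0o5 == 0o5


def can_write(d: Dir, who: Account) -> bool:
    """STOR/MKD/DELE need w on the directory and x to reach it."""
    return permission_bits(d, who) & 0o3 == 0o3


def report(d: Dir, who: Account) -> dict:
    return {"enter": can_enter(d, who),
            "list": can_list(d, who),
            "write": can_write(d, who)}


# Accounts per the /etc/passwd and /etc/group posted in #14
JANE = Account("jane", frozenset({"users", "work"}))
JOSEPH = Account("joseph", frozenset({"school"}))
JACK = Account("jack", frozenset({"projects"}))

# Directory layout exactly as listed in #14
POSTED = {
    "school":   Dir("/home/school", 0o755, "root", "root"),
    "work":     Dir("/home/work", 0o770, "ftp", "work"),
    "projects": Dir("/var/www/htdocs/projects", 0o777, "jack", "projects"),
}

# The same directories after the recipe in #11: groupadd, chown ftp:<grp>, chmod 770
FIXED = {
    "school":   Dir("/home/school", 0o770, "ftp", "school"),
    "work":     Dir("/home/work", 0o770, "ftp", "work"),
    "projects": Dir("/var/www/htdocs/projects", 0o770, "ftp", "projects"),
}


def who_can_list(layout: dict, name: str) -> list:
    """Names of the three accounts that can list `layout[name]`."""
    return [a.name for a in (JANE, JOSEPH, JACK) if can_list(layout[name], a)]


if __name__ == "__main__":
    for label, layout in (("posted", POSTED), ("fixed", FIXED)):
        for name in layout:
            print(f"{label:6} {name:8} listable by {who_can_list(layout, name)}")
    # A directory with only the search bit for others (mode 711) can still be
    # entered, just not listed: "not world readable" is not "not reachable".
    print(report(Dir("/srv/x", 0o711, "root", "root"), JANE))
```

Run it and the posted layout shows why #12 still saw jane in school: 755 on a root:root directory lets everyone read it, and 777 on projects lets everyone write there. After the 770 step only the matching group gets in. The mode 711 case at the end is the caveat behind the "isn't world readable" remark above: the others' x bit alone allows entering a directory and reading files whose names are already known. ACLs (setfacl in #4) and ProFTPD <Limit> blocks are extra checks layered on this one, and a chroot (DefaultRoot) keeps a user from even reaching directories outside their tree.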
 
09-28-2010, 03:03 AM   #12
JuliaNell (original poster)
Ooh OK, now we are speaking the same language; I get you clearly.

I did as you said, from top to bottom!

/etc/passwd
jane:x:1008:100:,,,:/home/work:/bin/bash

/etc/group
work:x:103:jane

Permissions set in the home directory are:
drwxrwx--- ftp:work work/
I also tried changing to
drwxrwx--- jane:work work/

Jane can still access school and work,
which I do not understand why. Jane is supposed to access only work.

By the way, projects is not in the home directory but in the /var/www/htdocs directory.
 
09-28-2010, 06:36 AM   #13
Hangdog42
Quote:
Jane can still access school and work.

I think we need you to post the full paths, permissions and ownerships of the directories involved here. I'm kind of confused as to where things are and who owns what.
 
09-28-2010, 09:07 AM   #14
JuliaNell (original poster)
First let me show you my configuration file
File: /etc/proftpd.conf

# This is a basic ProFTPD configuration file.
# It establishes a single server and a single anonymous login.
# It assumes that you have a user/group "nobody" and "ftp"
# for normal/anonymous operation.

ServerName "ProFTPD jules"
#ServerType standalone
ServerType inetd
DefaultServer on
# Global DefaultRoot: every authenticated user is chrooted to this path,
# so home directories under /home (jane, joseph) lie outside the jail.
DefaultRoot /var/www/htdocs
#DefaultRoot ~

# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# This next option is required for NIS or NIS+ to work properly:
#PersistentPasswd off

SystemLog /var/log/proftpd.log
TransferLog /var/log/xferlog

# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>

# A basic anonymous FTP server configuration.
# To enable this, remove the user ftp from /etc/ftpusers.
<Anonymous ~ftp>
RequireValidShell off
# Anonymous sessions run with this account's uid/gid. Here that is a real
# login account (julia, group users), so anonymous visitors get whatever
# the filesystem grants julia and the users group; the stock config uses
# the dedicated ftp account for this.
User julia
Group users
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp

# Limit the maximum number of anonymous logins
MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message


DefaultChdir ~
# AccessGrantMsg "restrictions apply"
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>

# An upload directory that allows storing files but not retrieving
# or creating directories.
# <Directory incoming/*>
# <Limit READ>
# DenyAll
# </Limit>
#
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>

</Anonymous>


Users file
File: /etc/passwd

root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
jane:x:1008:100:,,,:/home/work:/bin/bash
jack:x:1009:103:,,,:/var/www/htdocs/projects
joseph:x:1009:101:,,,:/home/work:/bin/bash

Group File
File: /etc/group


root:x:0:root
bin:x:1:root,bin
ftp:x:50:
#users:x:100:jane
work:x:103:jane
projects:x:104:jack
school:x:105:joseph


Directory permissions

root@nell:/home#
drwxr-xr-x 6 root root 4096 2010-09-28 10:23 ./
drwxr-xr-x 20 root root 4096 2010-09-13 12:44 ../
drwxr-xr-x 2 root root 4096 2009-06-06 20:37 ftp/
drwxr-xr-x 2 root root 4096 2010-09-28 09:14 school/
drwxrwx--- 2 ftp work 4096 2010-09-27 11:40 work/
or
drwxrwx--- 2 jane work 4096 2010-09-27 11:40 work/

root@nell:/var/www/htdocs#
drwxrwxrwx 3 jack projects 100 4096 2010-09-14 15:32 projects/

Joseph should access school, projects and work
Jane should access only work and should not be able to move up the directory tree
Jack should access projects

school and work are in home
projects is in /var/www/htdocs

Thanks!

 
09-28-2010, 02:51 PM   #15
Hangdog42
OK, I think this is where you need to start messing with the DefaultRoot directive a bit in your proftpd.conf. Reading the mini HowTo and this thread will probably help.

I think what you want to do is set up a few DefaultRoot directives based on the permissions you've just done. So (hopefully!) something like this will confine jane to the work directory:

DefaultRoot /home/work work,!school,!projects

Essentially, anyone who is a member of work, but not of school and projects, should be confined to /home/work. I think. I'm not a proftpd user, so I'm doing a bit of guessing, but from reading the documentation, this seems likely to work.

You'll probably have to set up a few DefaultRoot directives to cover the options that you're after.
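To make the ordering and the group-expression semantics concrete, here is an added example (my code, not ProFTPD's) that resolves DefaultRoot the way mod_auth does: directives are tried in the order they appear in proftpd.conf, a group expression is a comma-separated list whose plain terms must all be groups of the user and whose '!' terms must not be (the terms are AND'ed), the first matching directive wins, and '~' expands to the user's home directory. The users and paths are the thread's; the set of four directives, and the decision to give joseph an unconfined root, are my suggestion and are marked as such. Two things in the /etc/passwd posted in #14 will break any such setup and are worth fixing first: jack and joseph share UID 1009, so the kernel cannot tell them apart for ownership, and jack's entry has no shell field, which RequireValidShell (on by default) rejects because an empty shell is not in /etc/shells, matching the failure described in #7.

```python
"""Resolve ProFTPD's DefaultRoot for a user (model of the lookup, not
ProFTPD's own code).

DefaultRoot path [group-expression]
  - directives are tried in the order they appear; the first match wins
  - expression terms are AND'ed: 'work,!school' = in work AND not in school
  - a directive with no expression matches everybody; '~' = user's home
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    home: str
    groups: frozenset


def group_expr_matches(expr: str, groups: frozenset) -> bool:
    """True when every plain term is in `groups` and no '!' term is."""
    for term in (t.strip() for t in expr.split(",")):
        if not term:
            continue
        if term.startswith("!"):
            if term[1:] in groups:
                return False
        elif term not in groups:
            return False
    return True


def resolve_default_root(directives, who: Account) -> Optional[str]:
    """Chroot directory for `who`, or None when no directive applies
    (the user is then not chrooted at all and can walk the whole tree)."""
    for path, expr in directives:
        if expr is None or group_expr_matches(expr, who.groups):
            return who.home if path == "~" else path
    return None


# proftpd.conf fragment as (path, group-expression) pairs; order matters.
DIRECTIVES = [
    ("/home/work", "work,!school,!projects"),                # post #15: jane
    ("/var/www/htdocs/projects", "projects,!school,!work"),  # jack (suggested)
    ("/", "work,school,projects"),   # joseph: chroot to / is a no-op (suggested)
    ("~", None),                     # catch-all: anyone else gets their own home
]

# Accounts per the /etc/passwd and /etc/group posted in #14; joseph's three
# groups are what post #9 says he should have. OTHER is hypothetical.
JANE = Account("jane", "/home/work", frozenset({"users", "work"}))
JACK = Account("jack", "/var/www/htdocs/projects", frozenset({"projects"}))
JOSEPH = Account("joseph", "/home/work", frozenset({"work", "school", "projects"}))
OTHER = Account("other", "/home/other", frozenset({"users"}))


def roots_for(directives, accounts) -> dict:
    """Map each account name to the DefaultRoot it would get."""
    return {a.name: resolve_default_root(directives, a) for a in accounts}


if __name__ == "__main__":
    for name, root in roots_for(DIRECTIVES, (JANE, JACK, JOSEPH, OTHER)).items():
        print(f"{name:8} -> {root}")
    # Without the catch-all, an account matching no expression is unconfined.
    print(roots_for(DIRECTIVES[:3], (OTHER,)))
    # Without the joseph line, the catch-all jails him in /home/work.
    print(roots_for(DIRECTIVES[:2] + DIRECTIVES[3:], (JOSEPH,)))
```

The last directive (DefaultRoot ~ with no expression) is the safety net: without it a user whom none of the expressions match is not chrooted at all, which is what resolve_default_root returning None means. DefaultRoot / for joseph is the same as no chroot and is only acceptable because the 770 group ownership from #11 is what actually limits him; if that is not acceptable, put projects under /home so that one directory tree holds all three and joseph can be chrooted to it.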
 
  

