LinuxQuestions.org > Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hi guys, I am running Slackware on my machine and I have FTP (proftpd) configured on it. I have certain folders on my server that I only want certain users to have access to, and others not.
I can explain to you how I configured it so that each user can access only his/her folder; I have proftpd working on my machine also.
I configured it as follows.
First, create users in the /etc/passwd file, users like:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
That means that the user called ftp can access the /var/ftp folder and cannot log in to the machine, but can log in to the ftp server.
Then I have configured my proftpd.conf as follows:
#
# To have more information about Proftpd configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD"
#ServerType standalone
ServerType inetd
DefaultServer on
<Global>
DefaultRoot ~
AllowOverwrite on
</Global>
DefaultTransferMode binary
UseFtpUsers on
TimesGMT off
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# The following part of this config file was generated by PSA automatically.
# Any changes in this part will be overwritten by the next manipulation
# of the Anonymous FTP feature in the PSA control panel.
# The Include directive should point to the place where the FTP Virtual Host
# configurations are preserved.
ScoreboardFile /var/run/proftpd/scoreboard
# Primary log file must be outside of system logrotate province
TransferLog /usr/local/psa/var/log/xferlog
#Change default group for new files and directories in vhosts dir to psacln
I understand DefaultRoot ~ allows users to access directories that belong to them only and not see others.
To go into more detail: I have users Jane, Joseph and Jack as system users, and I have directories such as projects, school and work on the server as well. Now I want Jack to access only projects and not work and school; I want Joseph to have access to all three (3) directories; and Jane should not be able to go up the directory tree: Jane should remain in the directory work and not go up the system.
Does your solution cater for that? Thanks again for your help. I also tried to read the website, proftpd.com, and I think it has something to do with limit commands, chroot; can you help me out here? I do not understand how to put such configuration commands, such as allow and limit, into operation. Thanks for your time.
vsftpd is another kind of ftp server; it should have its own conf file.
I haven't worked with it; it might be easier to configure, but I cannot help you too much :-).
As for proftpd, the config I sent could work with those users only if they access the directory defined in /etc/passwd.
I think it could be done like this:
Jack's directory at /etc/passwd --> /path/to/ftp/projects
Joseph's directory at /etc/passwd --> /path/to/ftp
Jane's directory at /etc/passwd --> /path/to/ftp/work
About Allow and Limit, it depends on what you would like to use them for; anyway, the above configuration should let you use that kind of users.
Joseph's directory at /etc/passwd --> /home/joseph:/bin/bash
This works perfectly fine; it shows all folders. Joseph actually has access to all 3 folders, thanks.
Jack's directory at /etc/passwd --> /var/www/htdocs/projects
This unfortunately does not work at all; in the /etc/passwd file it's like this:
jack:x:1007:100:,,,:/var/www/hdocs/projects
jane's directory at /etc/passwd --> jane:x:1008:100:,,,:/home/work
also does not work at all;
it only works when it's /home/work:/bin/bash, and I do not understand why.
For example, for my ftp user I have this: /sbin/nologin instead of /bin/bash,
but I'm not sure why it should be a problem not putting it.
On the other hand, take care about security: check that the anonymous user is not working, and check that the users cannot navigate to places that they should not go :-)
Quote:
For example, for my ftp user I have this: /sbin/nologin instead of /bin/bash,
but I'm not sure why it should be a problem not putting it.
For security reasons, you don't want the ftp user to have access to a shell, so it should always be something like /sbin/nologin (Slackware usually uses /bin/false).
@JuliaNeil
I think this would work if you focused on the ownership of the directories and used groups to manage access. So if you had your three directories:
projects owned by ftp:projects
school owned by ftp:school
work owned by ftp:work
Then if you make your users members of the appropriate groups, that should prevent them from accessing the others. So Joseph would be a member of all three groups, but Jack would only be a member of projects.
Sorry guys for asking too much; maybe I'm confused or there is something I am not doing here:
drwxrwxwx 3 jack(user) users(group) projects/
drwxr--x-x 2 root root work/
drwxr--x-x 2 jane users school/
These are the permissions set for users and directories.
user
jane:x:1007:100:,,,:/home/jane:/bin/bash
has access to all the directories in the home folder, all of them. Is there something I need to set in the proftpd.conf file, or what am I not doing? There is something I am not doing, guys; sorry, but I'm stuck here.
@Hangdog42
Thanks very much for your time.
How do I make joseph a member of 3 groups? Maybe this is where I am lost.
drwxrwxwx 3 jack(user) users(group) projects/
jack owns projects; how will joseph own it also? Should I make it root root?
I don't get it: the 3 directories are in the home directory, and projects, school and work are not groups, they are directories; there is only one group called users.
One assumption I'll make is that jane is a member of the users group, in which case it should be no mystery why jane has access to the projects directory since it is owned by the users group. And of course she has access to the school group since she owns it as the user. What is a bit of a mystery is why she would have access to the work directory since that is owned by root:root and isn't world readable. However, if for some reason jane is also a member of the root group (which she really shouldn't be) then that would allow access to work as well.
I don't think this is a proftpd configuration issue as much as a permissions issue.
Quote:
How do I make joseph a member of 3 groups? Maybe this is where I am lost.
OK, assume that you've set up the three directories in /home using the root account. Initially they would all look something like this:
You would then use the groupadd command (see man groupadd) to create three new groups (work, school and projects) and then use chown to change the ownership to something like:
In this example, I've also used chmod to set the permissions for each directory to 770, which means that any user has to be a member of the appropriate group to get in. So in the example, if jane is only a member of the users group, she couldn't get into any of the directories. To allow jane into the work directory, you would use the usermod command to put jane in the work group, which would then allow her access to the work directory. If you look in /etc/group, you'll see all the groups currently on your machine and all of the users in each group.
I think we need you to post the full paths, permissions and ownerships of the directories involved here. I'm kind of confused as to where things are and who owns what.
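Hangdog42's group-based fix above (root ownership, chmod 770, one group per directory, usermod to add members), worked through as an added example that is not code from the thread. It applies the Unix rule for entering a directory to the layout before and after those steps; it assumes the posted mode strings mean 0o777 (drwxrwxrwx) and 0o751 (drwxr-x--x), and that everyone's primary group is users.

```python
# Added example (not code from the thread): apply the Unix rule for entering a
# directory to the layouts discussed above, before and after Hangdog42's
# chown / chmod 770 / usermod steps. Assumption: the posted mode strings are
# read as 0o777 (drwxrwxrwx) and 0o751 (drwxr-x--x); root is exempt.
import stat

# Constructed group membership: user -> groups (primary "users" plus extras).
BEFORE_GROUPS = {"jane": {"users"}, "jack": {"users"}, "joseph": {"users"}}
AFTER_GROUPS = {
    "jane": {"users", "work"},
    "jack": {"users", "projects"},
    "joseph": {"users", "work", "school", "projects"},
}

# Constructed directory metadata: path -> (owner, group, mode).
BEFORE_DIRS = {
    "/home/school": ("jane", "users", 0o751),
    "/home/work": ("root", "root", 0o751),
    "/var/www/htdocs/projects": ("jack", "users", 0o777),
}
AFTER_DIRS = {  # owned by root, one dedicated group each, mode 770
    "/home/school": ("root", "school", 0o770),
    "/home/work": ("root", "work", 0o770),
    "/var/www/htdocs/projects": ("root", "projects", 0o770),
}

def can_enter(user, groups, owner, group, mode):
    """True if user may search (cd into) the directory.

    Only one permission class applies: owner bits if the user owns it, else
    group bits if the user is in its group, else the 'other' bits."""
    if user == "root":
        return True
    if user == owner:
        return bool(mode & stat.S_IXUSR)
    if group in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def accessible_dirs(user, membership, dirs):
    """Sorted list of the directories user can enter under this layout."""
    return sorted(path for path, (owner, grp, mode) in dirs.items()
                  if can_enter(user, membership[user], owner, grp, mode))

if __name__ == "__main__":
    for label, membership, dirs in (("before", BEFORE_GROUPS, BEFORE_DIRS),
                                    ("after", AFTER_GROUPS, AFTER_DIRS)):
        for user in membership:
            print(label, user, accessible_dirs(user, membership, dirs))
```

Note that in the "before" layout even the root:root 751 directory is enterable by everyone, because the execute bit for "other" is set; 770 closes that without relying on proftpd at all.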
First let me show you my configuration file
File: /etc/proftpd.conf
# This is a basic ProFTPD configuration file.
# It establishes a single server and a single anonymous login.
# It assumes that you have a user/group "nobody" and "ftp"
# for normal/anonymous operation.
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# This next option is required for NIS or NIS+ to work properly:
#PersistentPasswd off
# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>
# A basic anonymous FTP server configuration.
# To enable this, remove the user ftp from /etc/ftpusers.
<Anonymous ~ftp>
RequireValidShell off
User julia
Group users
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message
DefaultChdir ~
# AccessGrantMsg "restrictions apply"
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
# An upload directory that allows storing files but not retrieving
# or creating directories.
# <Directory incoming/*>
# <Limit READ>
# DenyAll
# </Limit>
#
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>
root@nell:/var/www/htdocs#
drwxrwxrwx 3 jack projects 100 4096 2010-09-14 15:32 projects/
Joseph should access school, projects, work
Jane should access only work and should not be able to move up the directory tree
Jack should access projects
school and work are in home
projects is in /var/www/htdocs
OK, I think this is where you need to start messing with the DefaultRoot directive a bit in your proftpd.conf. Reading the mini HowTo and this thread will probably help.
I think what you want to do is set up a few DefaultRoot directives based on the permissions you've just done. So (hopefully!) something like this will confine jane to the work directory:
DefaultRoot /home/work work,!school,!projects
Essentially, anyone who is a member of work, but not school and projects should be confined to /home/work. I think. I'm not a proftpd user, so I'm doing a bit of guessing, but in reading the documentation, this seems to be likely to work.
You'll probably have to set up a few DefaultRoot directives to cover the options that you're after.
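The DefaultRoot group-expression idea above, worked through as an added example (not code from the thread or from the proftpd project). It follows proftpd's documented rules for the expression (comma-separated terms ANDed together, a leading "!" negating a term, "~" meaning the user's home) and assumes that when several DefaultRoot lines are present the first one whose expression matches the user's groups is applied; the user and group data is constructed from the thread.

```python
# Added example (not from the thread or the proftpd project): resolve which
# DefaultRoot line confines each user, following proftpd's documented rules:
# comma-separated terms are ANDed, a leading "!" negates a term, and "~" is
# the user's home. Assumption: with several lines, the first match wins.

def expr_matches(expr, groups):
    """Evaluate an expression such as 'work,!school,!projects' against the
    set of groups the user belongs to (primary plus supplementary)."""
    if not expr.strip():            # no expression: applies to every user
        return True
    for term in expr.split(","):
        term = term.strip()
        if term.startswith("!"):
            if term[1:] in groups:  # negated group present -> AND fails
                return False
        elif term not in groups:
            return False
    return True

def resolve_default_root(directives, home, groups):
    """Return the chroot directory for a user, or None if no line applies."""
    for directory, expr in directives:
        if expr_matches(expr, groups):
            return home if directory == "~" else directory
    return None

# Constructed sample: the thread's three users after being put into the
# work / school / projects groups (primary group users for all of them).
USERS = {
    "jane":   ("/home/jane",   {"users", "work"}),
    "jack":   ("/home/jack",   {"users", "projects"}),
    "joseph": ("/home/joseph", {"users", "work", "school", "projects"}),
}

# DefaultRoot lines in proftpd.conf order; the last one, without an
# expression, is the catch-all the thread's own config uses (DefaultRoot ~).
DIRECTIVES = [
    ("/home/work",               "work,!school,!projects"),
    ("/var/www/htdocs/projects", "projects,!school,!work"),
    ("~",                        ""),
]

def chroots(users=USERS, directives=DIRECTIVES):
    """Map each user to the directory proftpd would confine them to."""
    return {name: resolve_default_root(directives, home, groups)
            for name, (home, groups) in users.items()}

if __name__ == "__main__":
    for user, root in chroots().items():
        print(f"{user}: DefaultRoot -> {root}")
```

The negated terms matter: without "!school,!projects", joseph would match the first line and be locked into /home/work as well.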