| Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
11-14-2012, 11:22 AM
|
#1
|
|
LQ Newbie
Registered: Nov 2012
Posts: 5
Rep: 
|
How to create an FTP user restricted to certain directories?
I know this is a common question, I found it all over with my Google search. The problem is that in most instances where a person successfully implemented this, they don't have details or have details that are above my level of understanding with Linux. For instance, one post advised a chroot jail then said all I had to do was link to folders I want accessed to the user's /home. I don't know how to link folders so....
I am using Fedora release 14 (Laughlin). I would like to give a client access to a set of files to update their Magento theme themselves. I don't want them browsing the rest of my server.
I only want them to have access to /var/www/html/magento/app/desing/frontent/%storename% and
/var/www/html/magento/skin/frontend/%storename%
The client currently doesn't have any login or access. Only I have access to the server as root. I know that's not awesome please spare me the lecture.
So to summarize, I need to create an FTP user account that only has read and write access to the two previously mentioned directories.
Can someone please give me some step by step instructions on this. Please make the instructions as basic as possible. Some posts I read reference VSFTP. I don't know what that is but it is installed on my server. I did 'service vsftpd status' and it returned 'vsftpd is stopped'. Not sure if that's helpful but...
I access the server using WinSCP with the root username and password.
Last edited by thecomputerguy06; 11-14-2012 at 11:49 AM.
|
|
|
|
11-14-2012, 12:47 PM
|
#2
|
|
Senior Member
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,763
Rep: 
|
I am not in front of my system currently but this should work (you have to test it out first)
First edit your vsftpd.conf file and make sure you have the following entries
Code:
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
Now create the user
Code:
groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser
add /bin/true to your shells
Code:
echo "/bin/true" >> /etc/shells
Go and create the symlinks
Code:
ln -s /ftp/username/store1 /var/www/html/magento/app/desing/frontent/%storename%
ln -s /ftp/username/store2 /var/www/html/magento/skin/frontend/%storename%
Start FTP
Code:
service vsftpd start
Note: I'm doing these from memory so some "trial and error" will need to be done on your part
HTH
|
|
|
|
11-14-2012, 01:53 PM
|
#3
|
|
LQ Newbie
Registered: Nov 2012
Posts: 5
Original Poster
Rep: 
|
Thanks for your reply. I'm a little confused when it comes to creating the user.
"groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser"
So ftpuser is the group. I assume you put FTP USER in all caps because I'm supposed to enter in the real user's name in there, correct?
What is /ftp/username? Am I supposed to create that directory first? Is there really going to be a directory called username or do I substitute the real user's name in there? Let's just say the user is 'barry', would it be:
groupadd ftpuser
useradd -c "barry" -u 1066 -g ftpuser -d /ftp/barry -m -s /bin/true ftpuser?
When I entered in groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser, I got an error msg that the directory could not be created. I decided to create an ftp directory in /home and update the command accordingly. No error msg then.
Tried logging in with WinSCP (SFTP mode) but I realized we never set a password on the user account.
Any ideas?
|
|
|
|
11-14-2012, 05:12 PM
|
#4
|
|
Senior Member
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,763
Rep: 
|
Quote:
Originally Posted by thecomputerguy06
Thanks for your reply. I'm a little confused when it comes to creating the user.
"groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser"
So ftpuser is the group. I assume you put FTP USER in all caps because I'm supposed to enter in the real user's name in there, correct?
What is /ftp/username? Am I supposed to create that directory first? Is there really going to be a directory called username or do I substitute the real user's name in there? Let's just say the user is 'barry', would it be:
groupadd ftpuser
useradd -c "barry" -u 1066 -g ftpuser -d /ftp/barry -m -s /bin/true ftpuser?
When I entered in groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser, I got an error msg that the directory could not be created. I decided to create an ftp directory in /home and update the command accordingly. No error msg then.
Tried logging in with WinSCP (SFTP mode) but I realized we never set a password on the user account.
Any ideas?
|
Let's say your user is "barry"
Code:
groupadd ftpuser
useradd -c "barry" -u 1066 -g ftpuser -d /ftp/barry -m -s /bin/true barry
Create a password with
|
|
|
|
11-14-2012, 08:24 PM
|
#5
|
|
Guru
Registered: Aug 2004
Location: Brisbane
Distribution: Centos 6.4, Centos 5.9
Posts: 14,986
|
SFTP != FTP, (or even FTP+TLS).
sftp is part of the ssh pkg (also includes scp); has nothing to do with FTP tools.
|
|
|
|
11-15-2012, 09:39 AM
|
#6
|
|
LQ Newbie
Registered: Nov 2012
Posts: 5
Original Poster
Rep: 
|
OK so after playing with the symlink commands a little I finally got it to link.
ln -s /var/www/html/magento/skin/frontend/%storename%/default/ /ftp/FTP USER/skin is what ended up working
HOWEVER, when I log in as this user, I am unable to get into skin. Cannot change directory is the message I get. I played with permissions to no avail. For testing I even made the directories 0777, but still cannot change directory in WinSCP.
Last edited by thecomputerguy06; 11-15-2012 at 10:07 AM.
|
|
|
|
11-15-2012, 12:03 PM
|
#7
|
|
LQ Newbie
Registered: Nov 2012
Posts: 5
Original Poster
Rep: 
|
OK now that I've thoroughly screwed up the directory permissions on my production eCommerce server, I give up!
As stated above, I got the user created. The user was restricted to the directory I chose. The user did not have write access to anything in the directory without adding write permission for the group. When I added a sym link to another directory the user needs access to, he couldn't change directory into it. I made the sym link and linked directory 777 and still cannot change directory.
In the process, I inadvertently made an unspecified amount of unrelated folders 777. I don't know what sort of security problems I will have now but I'm completely bass ackwards and side down up right now and I don't care anymore!
"I'm doing these from memory so some "trial and error" will need to be done on your part" I just don't have enough linux experience for that.
Thanks for the help anyway.
|
|
|
|
11-17-2012, 03:54 PM
|
#8
|
|
Senior Member
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,763
Rep: 
|
Is SELinux turned on?
Check with
--C
|
|
|
|
11-20-2012, 11:27 PM
|
#9
|
|
Member
Registered: Aug 2011
Location: Chennai,India
Distribution: Redhat,Centos,Ubuntu,Dedian
Posts: 527
Rep: 
|
Quote:
ln -s /ftp/username/store1 /var/www/html/magento/app/desing/frontent/%storename%
ln -s /ftp/username/store2 /var/www/html/magento/skin/frontend/%storename%
|
Symlinks flush out whenever the server reboots. So make a permanent mount in /etc/fstab.
Quote:
Code:
echo "/bin/true" >> /etc/shells
|
Instead of changing the shell of the user you can create a vsftpd with virtual user. Look at the link below
http://www.cyberciti.biz/tips/centos...ual-users.html
SELinux prevents vsftpd access to home directories. Set this parameter
setsebool -P ftp_home_dir=1
Last edited by arun5002; 11-20-2012 at 11:30 PM.
|
|
|
|
12-03-2012, 12:36 PM
|
#10
|
|
LQ Newbie
Registered: Nov 2012
Posts: 5
Original Poster
Rep: 
|
I eventually had to create two separate logins so this guy can access both locations because I just couldn't get the sym links on directories to work correctly. I also had to make all folders he needed access to 777 which really bites but it's whatever for now.
Thanks for all the tips.
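Added example, not part of any post in this thread: a small audit for the two problems reported above. With chroot_local_user=YES vsftpd calls chroot() into the user's home, so a symlink whose target lies outside that home is looked up inside the jail and cannot be entered, whereas a bind mount of the same directory can. The function names and the temporary sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a web root and an FTP jail for the issues in this thread.

# Print every directory under $1 that is world-writable (o+w, e.g. 0777).
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print | sort
}

# Print each symlink directly under jail $1 whose target resolves outside $1.
# After chroot() into $1 such a target does not exist from the FTP session.
escaping_symlinks() {
    local root link target
    root=$(readlink -f "$1") || return 1
    find "$root" -maxdepth 1 -type l -print | sort | while IFS= read -r link; do
        target=$(readlink -f "$link") || target=""
        case "$target" in
            "$root"/*) ;;   # resolves inside the jail: reachable
            *) printf '%s -> %s\n' "$link" "$(readlink "$link")" ;;
        esac
    done
}

# Print (not install) the /etc/fstab bind-mount line that replaces a symlink.
# $1 = real directory, $2 = empty directory inside the jail.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Constructed sample tree: one 0777 directory, one escaping link, one safe link.
build_sample() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/jail/theme" "$t/www/skin" "$t/www/app"
    chmod 0755 "$t/www" "$t/www/app"; chmod 0777 "$t/www/skin"
    ln -s "$t/www/skin" "$t/jail/skin"       # points outside the jail
    ln -s "$t/jail/theme" "$t/jail/inside"   # stays inside the jail
    printf '%s\n' "$t"
}

s=$(build_sample)
echo "World-writable directories:"; world_writable_dirs "$s/www"
echo "Symlinks leaving the jail:";  escaping_symlinks "$s/jail"
echo "fstab line to use instead:";  fstab_bind_line "$s/www/skin" "$s/jail/skin"
rm -rf "$s"
```

On a real server, point world_writable_dirs at the web root and escaping_symlinks at the FTP user's home; directories listed by the first can be reset with chmod o-w once the FTP user has group write access instead.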
|
|
|
|
All times are GMT -5. The time now is 04:50 AM.