LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 11-14-2012, 11:22 AM   #1
thecomputerguy06
LQ Newbie
 
Registered: Nov 2012
Posts: 5

Rep: Reputation: Disabled
Question How to create an FTP user restricted to certain directories?


I know this is a common question, I found it all over with my Google search. The problem is most instances a person successfully implemented this don't have details or have details that are above my level of understanding with Linux. For instance, one post advised a chroot jail then said all I had to do was link to folders I want accessed to the user's /home. I don't know how to link folders so....

I am using Fedora release 14 (Laughlin). I would like to give a client access to a set of files to update their Magento theme themselves. I don't want them browsing the rest of my server.

I only want them to have access to /var/www/html/magento/app/desing/frontent/%storename% and
/var/www/html/magento/skin/frontend/%storename%

The client currently doesn't have any login or access. Only I have access to the server as root. I know that's not awesome please spare me the lecture.

So to summarize, I need to create an FTP user account that only has read and write access to the two previously mentioned directories.

Can someone please give me some step by step instructions on this. Please make the instructions as basic as possible. Some posts I read reference VSFTP. I don't know what that is but it is installed on my server. I did 'service vsftpd status' and it returned 'vsftpd is stopped'. Not sure if that's helpful but...

I access the server using WinSCP with the root username and password.

Last edited by thecomputerguy06; 11-14-2012 at 11:49 AM.
 
Old 11-14-2012, 12:47 PM   #2
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,935
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
I am not in front of my system currently but this should would (you have to test it out first)

First edit your vsftpd.conf file and make sure you have the following entries

Code:
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
Now create the user

Code:
 
groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser
add /bin/true to your shells

Code:
echo "/bin/true" >> /etc/shells

Go and create the symlinks

Code:
ln -s /ftp/username/store1 /var/www/html/magento/app/desing/frontent/%storename%
ln -s /ftp/username/store2 /var/www/html/magento/skin/frontend/%storename%
Start FTP

Code:
service vsftpd start
Note: I'm doing these from memory so some "trial and error" will need to be done on your part

HTH
 
Old 11-14-2012, 01:53 PM   #3
thecomputerguy06
LQ Newbie
 
Registered: Nov 2012
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thanks for your reply. I'm a little confused when it comes to creating the user.

"groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser"

So ftpuser is the group. I assume you put FTP USER in all caps becuase I'm supposed to enter in the real user's name in there correct?
What is /ftp/username? Am I supposed to create that directory first? Is there really going to be a directory called username or do I substitute the real user's name in there? Let's just say the user is 'barry', would it be:
groupadd ftpuser
useradd -c "barry" -u 1066 -g ftpuser -d /ftp/barry -m -s /bin/true ftpuser?

When I entered in groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser, I got en error msg that the directory could not be created. I decided to create an ftp directory in /home and update the command accordingly. No error msg then.

Tried logging in with WinSCP (SFTP mode) but I realized we never set a password on the user account.

Any ideas?
 
Old 11-14-2012, 05:12 PM   #4
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,935
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
Quote:
Originally Posted by thecomputerguy06 View Post
Thanks for your reply. I'm a little confused when it comes to creating the user.

"groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser"

So ftpuser is the group. I assume you put FTP USER in all caps becuase I'm supposed to enter in the real user's name in there correct?
What is /ftp/username? Am I supposed to create that directory first? Is there really going to be a directory called username or do I substitute the real user's name in there? Let's just say the user is 'barry', would it be:
groupadd ftpuser
useradd -c "barry" -u 1066 -g ftpuser -d /ftp/barry -m -s /bin/true ftpuser?

When I entered in groupadd ftpuser
useradd -c "FTP USER" -u 1066 -g ftpuser -d /ftp/username -m -s /bin/true ftpuser, I got en error msg that the directory could not be created. I decided to create an ftp directory in /home and update the command accordingly. No error msg then.

Tried logging in with WinSCP (SFTP mode) but I realized we never set a password on the user account.

Any ideas?
Let's say your user is "barry"

Code:
groupadd ftpuser
useradd -c "barry" -u 1066 -g ftpuser -d /ftp/barry -m -s /bin/true barry?
Create a password with

Code:
passwd barry
 
Old 11-14-2012, 08:24 PM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

Rep: Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028
SFTP != FTP, (or even FTP+TLS).

sftp is part of the ssh pkg (also includes scp); has nothing to do with FTP tools.
 
Old 11-15-2012, 09:39 AM   #6
thecomputerguy06
LQ Newbie
 
Registered: Nov 2012
Posts: 5

Original Poster
Rep: Reputation: Disabled
OK so after playing with the symlink commands a little I finally got it to link.
ln -s /var/www/html/magento/skin/frontend/%storename%/default/ /ftp/FTP USER/skin is what ended up working
HOWEVER, when I log in as this user, I am unable to get into skin. Cannot change directory is the message I get. I played with permissions to no avail. For testing I even made the directories 0777, but still cannot change directory in WinSCP.

Last edited by thecomputerguy06; 11-15-2012 at 10:07 AM.
 
Old 11-15-2012, 12:03 PM   #7
thecomputerguy06
LQ Newbie
 
Registered: Nov 2012
Posts: 5

Original Poster
Rep: Reputation: Disabled
OK now that I've thoroughly screwed up the directory permissions on my production eCommerce server, I give up!

As stated above, I got the user created. The user was restricted to the directory I chose. The user did not have write access to anything in the directory without adding write permission for the group. When I added a sym link to another directory the user needs access to, he couldn't change directory into it. I made the sym link and linked directory 777 and still cannot change directory.

In the process, I inadvertently made an unspecified amount of unrelated folders 777. I don't know what sort of security problems I will have now but I'm completely bass ackwards and side down up right now and I don't care anymore!

"I'm doing these from memory so some "trial and error" will need to be done on your part" I just don't have enough linux experience for that.

Thanks for the help anyway.
 
Old 11-17-2012, 03:54 PM   #8
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,935
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
Is SELinux turned on?

Check with

Code:
getenforce
--C
 
Old 11-20-2012, 11:27 PM   #9
arun5002
Member
 
Registered: Aug 2011
Location: Chennai,India
Distribution: Redhat,Centos,Ubuntu,Dedian
Posts: 549
Blog Entries: 5

Rep: Reputation: Disabled
Quote:

ln -s /ftp/username/store1 /var/www/html/magento/app/desing/frontent/%storename%
ln -s /ftp/username/store2 /var/www/html/magento/skin/frontend/%storename%
Symlinks flushes out whenever the server reboot .So make a permanent mount in /etc/fstab .


Quote:
Code:
echo "/bin/true" >> /etc/shells
Instead of changing the shell of user you can create a vsftpd with virtual user.Look after the below link

http://www.cyberciti.biz/tips/centos...ual-users.html



SeLinux prevents vsftpd access to home directories,Set these parameter

setsebool -P ftp_home_dir=1

Last edited by arun5002; 11-20-2012 at 11:30 PM.
 
Old 12-03-2012, 12:36 PM   #10
thecomputerguy06
LQ Newbie
 
Registered: Nov 2012
Posts: 5

Original Poster
Rep: Reputation: Disabled
I eventually had to create two separate logins so this guy can access both locations because I just couldn't get the sym links on directories to work correctly. I also had to make all folders he needed access to 777 which really bites but it's whatever for now.
Thanks for all the tips.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Create User restricted to var/www/ with editing abilites Wad3 Linux - Newbie 4 08-02-2012 01:28 AM
create restricted area user anaskoara Linux - Newbie 2 02-16-2011 11:17 AM
Need to create a restricted user(Centos) ankushpandit Linux - Newbie 7 09-10-2009 09:24 AM
Create restricted user account that can only administer printers davholla Linux - General 2 06-24-2009 08:54 AM
How do I make ftp up- and downloads the only thing a restricted user can do? jgilels Linux - Security 3 08-15-2003 01:38 PM


All times are GMT -5. The time now is 07:49 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration