LinuxQuestions.org
Old 01-25-2010, 10:53 AM   #1
stormcloud
Member
 
Registered: Apr 2009
Posts: 32

Rep: Reputation: 15
Q: vsftp how to specify several different user login directories


Hi,

I'm having trouble setting up a vsftp server correctly. What I want to do is allow a number of users to log on (no anonymous user) and each of them to be taken to their own "top level directory" from which they can not escape.

I've got most of this working, but I can't find a way to automatically transfer each user to *their* working area. The "local_root" directive doesn't quite do what I want as everybody has to share the same working area (potentially users could interfere with each other). On the other hand I don't want each user to work from their home directory because there are loads of special files there that I don't want users playing with.

To add one extra complication, I'm also running an html server on the same machine. One of the directories the html server can see is one of the ftp area root directories. (So what I'm trying to do is give one special user the ability to ftp files onto the html server. Other users must *NOT* have this ability.)

Any ideas?

Thanks.
 
Old 01-26-2010, 08:57 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,189
Blog Entries: 1

Rep: Reputation: 2051
Quote:
I'm having trouble setting up a vsftp server correctly. What I want to do is allow a number of users to log on (no anonymous user) and each of them to be taken to their own "top level directory" from which they can not escape.

I've got most of this working, but I can't find a way to automatically transfer each user to *their* working area. The "local_root" directive doesn't quite do what I want as everybody has to share the same working area (potentially users could interfere with each other). On the other hand I don't want each user to work from their home directory because there are loads of special files there that I don't want users playing with.
You can jail your users under a directory (/foo for example) and use:
Code:
local_enable=YES
local_root=/foo/$USER
user_sub_token=$USER
This way each user will be chrooted under /foo/<username> (of course you have to create these directories) and will not mess with /home/<username>.

If you want users to "interfere", then create a common folder for them (e.g. /foo/common), create a mountpoint in each user's dir (/foo/<username>/common) and use mount --bind to mount the shared folder:
Code:
mount --bind /foo/common /foo/user1/common
mount --bind /foo/common /foo/user2/common
Don't forget to assign the appropriate permissions.
Code:
chgrp -R users /foo
chmod -R 775 /foo
The last is more generic. You can be more restrictive if you want.

Quote:
To add one extra complication, I'm also running an html server on the same machine. One of the directories the html server can see is one of the ftp area root directories. (So what I'm trying to do is give one special user the ability to ftp files onto the html server. Other users must *NOT* have this ability.)
Use the same mount --bind technique to mount the html directory in that user's homedir.

Regards
 
Old 01-27-2010, 03:35 AM   #3
stormcloud
Member
 
Registered: Apr 2009
Posts: 32

Original Poster
Rep: Reputation: 15
That's absolutely perfect.

I didn't know that I could use /foo/$USER to point at individual directories. Rather than using mount points I could use symbolic links...
 
Old 01-27-2010, 03:54 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,189
Blog Entries: 1

Rep: Reputation: 2051
You cannot use symlinks in vsftpd, that's why you have to mount --bind the directories you want your users to have access to.

Regards
 
Old 01-28-2010, 02:56 AM   #5
stormcloud
Member
 
Registered: Apr 2009
Posts: 32

Original Poster
Rep: Reputation: 15
Thank you once again for getting back to me.

I tried symbolic links after I posted my reply yesterday. They appear to have worked as I expected. Now I'm curious - is there a problem that I've missed?

BTW, the links are to links on my local disc.
 
Old 01-28-2010, 03:13 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,189
Blog Entries: 1

Rep: Reputation: 2051
How have you created those symlinks? Are you sure you can put/get files in the symlinked directories?
Because vsftpd is known to not support symlinks outside the chrooted directory of each user.
 
Old 01-29-2010, 03:36 AM   #7
stormcloud
Member
 
Registered: Apr 2009
Posts: 32

Original Poster
Rep: Reputation: 15
Hi,

What I did was:

# Set up vsftp to only allow specific users to upload and download files to their dirs
vi /etc/vsftpd/vsftpd.conf
write_enable=YES
download_enable=YES
anonymous_enable=NO
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list.valid
user_sub_token=$USER
local_root=/ftp/$USER

# define my list of valid users
vi /etc/vsftpd/user_list.valid
user_1
user_ftp
user_html

mkdir -p /ftp/user_1 # user_1 is a regular ftp user
mkdir -p /ftp/user_ftp # user_ftp is also a regular ftp user
ln -s /www/root/extra /ftp/user_html # user_html needs to modify the existing html scripts
chmod -R a+wr /ftp/user_1 # Allow read write access to directories
chmod -R a+wr /ftp/user_ftp # Global access is probably OK as only specific users can ftp in, and
chmod -R a+wr /www/root/extra # only root user can ssh in


I've tried this with a couple of test files and everything looks OK. The two regular ftp users can change their private directories (into which they are jail locked). The html_user can see and upload into the html server directory.

Thanks
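
Added example (editor's code, not part of any post in this thread): a shell check for the per-user layout discussed above. A symlink used as the local_root itself is resolved when the server changes into it, while a symlink inside a user's directory that points outside it cannot be followed from within a chroot; the script reports both cases, plus world-writable directories left by a blanket chmod. The /ftp/<user> layout and the function name audit_ftp_tree are assumptions.

```shell
#!/bin/sh
# Added example: audit a per-user FTP tree such as /ftp/<user>.
# One finding per line:
#   ROOT_SYMLINK <dir> -> <target>  the per-user root is itself a symlink
#   ESCAPES <link> -> <target>      link inside a user root resolving outside it
#   WORLD_WRITABLE <dir>            directory writable by every local account
# Requires readlink -f (GNU coreutils or busybox).
audit_ftp_tree() {
    base=$1
    for dir in "$base"/*; do
        [ -e "$dir" ] || [ -L "$dir" ] || continue
        # The real directory the session will land in.
        root=$(readlink -f "$dir") || continue
        if [ -L "$dir" ]; then
            echo "ROOT_SYMLINK $dir -> $root"
        fi
        [ -d "$root" ] || continue
        # Links whose target lies outside the user's root: unreachable
        # inside a chroot, a way out of the directory without one.
        find "$root" -type l | while IFS= read -r link; do
            target=$(readlink -f "$link") || target=
            case "$target" in
                "$root"|"$root"/*) ;;
                *) echo "ESCAPES $link -> ${target:-<dangling>}" ;;
            esac
        done
        # Directories any local account can write to.
        find "$root" -type d -perm -0002 | while IFS= read -r d; do
            echo "WORLD_WRITABLE $d"
        done
    done
    return 0
}

# Usage (path assumed from the thread): audit_ftp_tree /ftp
```
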
 
  

