FTP (File Transfer Protocol) is a protocol for transferring files between a client and a server, and an FTP server serves many users at once. A user who logs on to the FTP server should not be able to reach other directories; it should only be able to access the directory designated for it. Otherwise, a security problem arises. In this article, let's look for an answer to the question "How to restrict an FTP user to a directory in Linux?".
How to restrict ftp user to a directory?
There are several vsftpd configuration options that restrict (allow or deny) an FTP user to a specific directory in Linux. The most important ones are:
- chroot_local_user: If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login.
- chroot_list_enable: If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. Note the interaction with the previous option: when chroot_local_user is YES, the list instead names the users who are NOT chrooted.
- chroot_list_file: The option is the name of a file containing the list of local users referred to by chroot_list_enable.
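The three options interact in a way that is easy to get backwards: with chroot_local_user=YES the list file names the users who are exempted from the jail, and with chroot_local_user=NO it names the users who are jailed. The following POSIX shell script is an added example, not code from the article or from the vsftpd project: it reads a vsftpd.conf and reports whether a given local user will be confined. The configuration contents it builds in demo() are constructed, and it assumes the upstream default list path /etc/vsftpd.chroot_list when chroot_list_file is not set (distribution packages may use a different default).

```shell
#!/bin/sh
# Added example, not code from the article: given a vsftpd.conf and a
# local user name, decide whether that user ends up in a chroot() jail,
# following the chroot_local_user / chroot_list_enable / chroot_list_file
# rules from vsftpd.conf(5). The config contents built in demo() are
# constructed for illustration.

# Print the last value assigned to option $2 in config $1, or the default
# $3 if the option is absent. Comment lines starting with '#' never match.
vsftpd_opt() {
    val=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Upper-case a YES/NO value so comparisons are case-insensitive, as vsftpd's are.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Exit status 0 if user $2 would be chrooted under config $1, 1 otherwise.
# Assumption: the default list path is the upstream /etc/vsftpd.chroot_list.
user_is_chrooted() {
    conf=$1; user=$2
    local_user=$(upper "$(vsftpd_opt "$conf" chroot_local_user NO)")
    list_on=$(upper "$(vsftpd_opt "$conf" chroot_list_enable NO)")
    list_file=$(vsftpd_opt "$conf" chroot_list_file /etc/vsftpd.chroot_list)

    # in_list=0 means the user appears in an enabled, readable list file.
    in_list=1
    if [ "$list_on" = YES ] && [ -r "$list_file" ] && grep -qx "$user" "$list_file"; then
        in_list=0
    fi

    if [ "$local_user" = YES ]; then
        # Everybody is jailed by default; the list names the EXCEPTIONS.
        [ "$in_list" -ne 0 ]
    else
        # Nobody is jailed by default; the list names who IS jailed.
        [ "$in_list" -eq 0 ]
    fi
}

# Constructed scenario: everyone jailed, except users listed in chroot_list.
demo() {
    tmp=$(mktemp -d)
    printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' \
        "$tmp" > "$tmp/vsftpd.conf"
    printf 'admin\n' > "$tmp/chroot_list"
    for u in ftpuser admin; do
        if user_is_chrooted "$tmp/vsftpd.conf" "$u"; then
            echo "$u: confined to its local_root/home"
        else
            echo "$u: NOT confined (sees the filesystem subject to Unix permissions)"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Point user_is_chrooted at the live /etc/vsftpd/vsftpd.conf and each account in /etc/passwd to audit a server before restarting the service; an account reported as NOT confined is one that can move above its home over FTP.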
Example-1: Define a single chroot directory for all users
On the common Linux distributions (Red Hat, CentOS, Debian, Ubuntu, etc.) the FTP server package is vsftpd. When this package is installed, its configuration is written to /etc/vsftpd/vsftpd.conf (on Debian and Ubuntu the file is /etc/vsftpd.conf). An example vsftpd.conf file looks like this:
[foc@almalinux8 opt]$ cat /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
connect_from_port_20=YES
dirmessage_enable=YES
local_enable=YES
local_umask=022
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
Open this file with an editor (vi, nano, etc.) and add the following lines (or modify the existing entries if they are already present):
chroot_local_user=YES
local_root=/home
Save and exit the file. With these two lines, /home becomes the root (/) of the chroot jail: after logging in, a user can reach the home directories under /home, but cannot move above /home.
When a user is created in Linux, its home directory is automatically created under /home. If you want to keep that layout, simply follow the steps above. The only thing you need to pay attention to is the permissions of the user home directories:
[foc@almalinux8 home]$ ls -la
total 4
drwxr-xr-x. 4 root root 32 Sep 8 23:09 .
dr-xr-xr-x. 18 root root 255 Sep 5 23:29 ..
drwx------. 18 foc foc 4096 Sep 9 15:41 foc
drwx------ 3 ftpuser ftpuser 109 Sep 8 23:10 ftpuser
As seen above, each user's home directory is accessible only to its owner. If your permissions differ, restrict the directory to its owner with the following command:
[foc@almalinux8 home]$ sudo chmod -R 700 /home/ftpuser
Then the vsftpd service is restarted:
[foc@almalinux8 ~]$ systemctl restart vsftpd.service
Let’s take a look at the service status:
[foc@almalinux8 ~]$ systemctl status vsftpd.service
● vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2022-09-09 15:41:17 +03; 19s ago
Process: 1667 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
Main PID: 1668 (vsftpd)
Tasks: 1 (limit: 12212)
Memory: 712.0K
CPU: 2ms
CGroup: /system.slice/vsftpd.service
└─1668 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
Sep 09 15:41:17 almalinux8 systemd[1]: Starting Vsftpd ftp daemon...
Sep 09 15:41:17 almalinux8 systemd[1]: Started Vsftpd ftp daemon.
That completes the configuration; the two lines we added to vsftpd.conf are all that is needed. Let's log in with these settings:
foc@fedora:~$ ftp 192.168.122.15
Connected to 192.168.122.15 (192.168.122.15).
220 (vsFTPd 3.0.3)
Name (192.168.122.15:foc): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Let’s run the ls command after logging in:
ftp> ls
227 Entering Passive Mode (192,168,122,15,151,163).
150 Here comes the directory listing.
drwx------ 18 1000 1000 4096 Sep 10 11:14 foc
drwxrwx--- 3 1001 1001 109 Sep 08 20:10 ftpuser
226 Directory send OK.
It lists the user directories under /home. Let's try to change to the parent directory:
ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,122,15,98,212).
150 Here comes the directory listing.
drwx------ 18 1000 1000 4096 Sep 10 11:14 foc
drwxrwx--- 3 1001 1001 109 Sep 08 20:10 ftpuser
226 Directory send OK.
We have not moved to the parent directory; we are still under /home. Let's try to change to a different directory:
ftp> cd /etc
550 Failed to change directory.
or
ftp> cd foc
550 Failed to change directory.
Permission denied: /etc lies outside the chroot, and foc's home directory is mode 700, so ftpuser cannot enter it either. Let's go to the user's own home directory:
ftp> cd ftpuser
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,122,15,121,25).
150 Here comes the directory listing.
-rwxrwx--- 1 0 0 24 Sep 08 20:10 FTP_CHECK
226 Directory send OK.
The operation succeeds, so we have restricted the user to a directory using FTP.
Example-2: Define a different root directory for each user
In this step, let's use a different directory as the chroot root and give the new user a home directory outside the standard location. Create a directory under / (root) to hold the FTP users' home directories:
[foc@almalinux8 ~]$ sudo mkdir /ftp
Next, let's define the permissions. Note that the chown below refers to the user faruk and the group ftp; the user is created in the next step, so run the chown once the user exists:
[foc@almalinux8 home]$ sudo chmod 770 -R /ftp
[foc@almalinux8 home]$ sudo chown -R faruk:ftp /ftp/faruk
Create new FTP User
First, let's go through the points to consider when creating a new user. Create the user with its home directory under /ftp, using the -d parameter:
[foc@almalinux8 ~]$ sudo adduser faruk -d /ftp/faruk
Then restrict this directory to its owner and put the user in the ftp group (usermod -G replaces the supplementary group list, which is fine for a freshly created user; use -aG to append to an existing user's groups):
[foc@almalinux8 home]$ sudo chmod -R 700 /ftp/faruk
[foc@almalinux8 home]$ sudo usermod -G ftp faruk
Let’s create the new user’s password:
[foc@almalinux8 home]$ sudo passwd faruk
Changing password for user faruk.
Retype new password:
passwd: all authentication tokens updated successfully.
Configure vsftpd.conf to restrict user
In the step above, we set the FTP user's root directory to /ftp/faruk. Now let's tell vsftpd to read a per-user configuration so the chroot root can be set separately for each user. Add the following lines to vsftpd.conf:
user_config_dir=/etc/vsftpd_user_conf
allow_writeable_chroot=YES
allow_writeable_chroot=YES is needed because the user's root directory is writable by the user: without it, vsftpd rejects the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". A safer layout keeps the chroot root read-only and gives the user a writable subdirectory for uploads. Let's create a configuration file for the user under the /etc/vsftpd_user_conf directory (create that directory first if it does not exist):
[foc@almalinux8 ~]$ sudo touch /etc/vsftpd_user_conf/faruk
Let's define the root directory of that user in this file:
[foc@almalinux8 ~]$ sudo nano /etc/vsftpd_user_conf/faruk
local_root=/ftp/faruk
Save and exit the file. Then restart the vsftpd service:
[foc@almalinux8 ~]$ systemctl restart vsftpd.service
Now let's log in as the faruk user:
foc@fedora:~$ ftp 192.168.122.15
Connected to 192.168.122.15 (192.168.122.15).
220 (vsFTPd 3.0.3)
Name (192.168.122.15:foc): faruk
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,122,15,117,226).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Sep 10 19:05 WELCOME
226 Directory send OK.
ftp>
You can now define a different home directory for each user; you do not have to collect all users' home directories in one place. In this way, you can restrict an FTP user to a directory.
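As an added example (not the article's or vsftpd's own code), the following POSIX shell script writes the per-user configuration file from Example-2 and audits the resulting chroot root before the service is restarted: it checks that local_root is an absolute, existing directory owned by the user, and flags a root the user can write to, which vsftpd rejects unless allow_writeable_chroot=YES. Paths are parameters; the demo runs in a scratch directory under the current user rather than against /etc/vsftpd_user_conf and /ftp/faruk, and treating group- or world-writable roots as writable is a conservative rule of this script, not vsftpd's exact check.

```shell
#!/bin/sh
# Added example, not the article's own code: write the per-user vsftpd
# config from Example-2 and audit the resulting chroot root. Paths are
# parameters so the functions can be exercised against a scratch
# directory; on the real system they would be /etc/vsftpd_user_conf and
# /ftp/<user> as in the article.

# Create "<confdir>/<user>" containing local_root=<root>. The article's
# `touch` step assumes confdir already exists; mkdir -p covers that.
write_user_conf() {
    mkdir -p "$1"
    printf 'local_root=%s\n' "$3" > "$1/$2"
    chmod 644 "$1/$2"
}

# Print the last local_root value in a per-user config file.
read_local_root() {
    sed -n 's/^[[:space:]]*local_root=//p' "$1" | tail -n 1
}

# Audit the chroot root for user $2 described by config $1.
# $3 is the value of allow_writeable_chroot in vsftpd.conf (default NO).
# Returns 0 when the layout is sound, 1 when the login would fail or the
# layout is unsafe:
#  - local_root must be an absolute path to an existing directory
#  - it should be owned by the user
#  - if the user can write to it, vsftpd rejects the login ("refusing to
#    run with writable root inside chroot()") unless allow_writeable_chroot=YES.
#    Group- and world-writable roots count as writable here (conservative
#    assumption of this script; vsftpd checks the effective user itself).
audit_user_root() {
    conf=$1; user=$2; allow=${3:-NO}; rc=0
    root=$(read_local_root "$conf")
    case $root in
        /*) ;;
        *)  echo "$user: local_root '$root' is not an absolute path"; return 1 ;;
    esac
    [ -d "$root" ] || { echo "$user: local_root $root does not exist"; return 1; }

    # Portable owner/permission read: "drwx------ 3 faruk ftp ..." -> $1 and $3
    set -- $(ls -ld "$root")
    perm=$1; owner=$3
    if [ "$owner" != "$user" ]; then
        echo "$user: $root is owned by $owner, not $user"; rc=1
    fi

    writable=no
    case $perm in ??w*) [ "$owner" = "$user" ] && writable=yes ;; esac   # owner w bit
    case $perm in ?????w*|????????w*) writable=yes ;; esac               # group/other w bit
    if [ "$writable" = yes ]; then
        if [ "$allow" = YES ]; then
            echo "$user: $root is writable; login works only because allow_writeable_chroot=YES"
        else
            echo "$user: $root is writable; vsftpd will refuse this login"; rc=1
        fi
    fi
    return $rc
}

# Scratch-directory walkthrough using the current account in place of faruk.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    mkdir -p "$tmp/ftp/$me" && chmod 700 "$tmp/ftp/$me"
    write_user_conf "$tmp/vsftpd_user_conf" "$me" "$tmp/ftp/$me"
    audit_user_root "$tmp/vsftpd_user_conf/$me" "$me" NO \
        || echo "-> either set allow_writeable_chroot=YES or make the root read-only"
    chmod 500 "$tmp/ftp/$me"
    audit_user_root "$tmp/vsftpd_user_conf/$me" "$me" NO \
        && echo "-> read-only root: no allow_writeable_chroot needed"
    rm -rf "$tmp"
}
demo
```

On a real server, call audit_user_root for every file in /etc/vsftpd_user_conf with the allow_writeable_chroot value from vsftpd.conf; a non-zero exit for any user means that user's login will fail or that the root is more open than intended.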
Summary
We have explained the steps for directory authorization for a user on a previously installed FTP server. You can get help installing a new FTP server here. You can also restrict the FTP user with the steps above during installation.
References
- serverfault.com - Create new vsftpd user and lock to (specify) home / login directory
- unix.stackexchange.com - Limit FTP access only to the /var/www with vsftpd
- man page for vsftpd.conf

![[SOLVED] Restrict FTP user to a directory in Linux](/restrict-ftp-user-to-directory/chroot_ftp_user.jpg)
