[SOLVED] Restrict FTP user to a directory in Linux


Written by - Omer Cakmak
Reviewed by - Deepak Prasad

FTP (File Transfer Protocol) is a client-server protocol for transferring files, and an FTP server normally serves many users at once. A user logged in to the FTP server should not be able to browse other directories; they should only be able to access the directory designated for them, otherwise a security problem arises. In this article, let's look for an answer to the question "How to restrict an FTP user to a directory in Linux?".

 

How to restrict ftp user to a directory?

vsftpd provides several configuration options to restrict (allow or deny) FTP users to a specific directory in Linux. The most relevant ones are:

  • chroot_local_user : If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login.
  • chroot_list_enable : If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login.
  • chroot_list_file : The option is the name of a file containing a list of local users which will be placed in a chroot() jail in their home directory.
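The three options interact: according to vsftpd.conf(5), when chroot_local_user=YES the list file names the users who are NOT jailed, and when chroot_local_user=NO it names the users who ARE jailed. The following script is an added example (not from the article or the vsftpd project) that reads a vsftpd.conf-style file and reports whether a given local user will end up in the chroot jail; the config and list files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decide whether a local user is chroot()-jailed by vsftpd,
# applying the rule from vsftpd.conf(5) for chroot_local_user,
# chroot_list_enable and chroot_list_file.

# vsftpd_opt CONF NAME DEFAULT -> value of NAME in CONF (last one wins), else DEFAULT
vsftpd_opt() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" \
          | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# vsftpd_chroot_status CONF USER -> "jailed", "free", or "error:missing-list"
vsftpd_chroot_status() {
    conf=$1; user=$2
    local_user=$(vsftpd_opt "$conf" chroot_local_user NO)
    list_enable=$(vsftpd_opt "$conf" chroot_list_enable NO)
    list_file=$(vsftpd_opt "$conf" chroot_list_file /etc/vsftpd/chroot_list)
    in_list=no
    if [ "$list_enable" = YES ]; then
        # vsftpd aborts the login if the list is enabled but cannot be opened
        if [ ! -r "$list_file" ]; then echo error:missing-list; return; fi
        grep -qx "$user" "$list_file" && in_list=yes
    fi
    if [ "$local_user" = YES ]; then
        # everyone is jailed; the list names the exceptions
        if [ "$in_list" = yes ]; then echo free; else echo jailed; fi
    else
        # nobody is jailed by default; the list names who is
        if [ "$in_list" = yes ]; then echo jailed; else echo free; fi
    fi
}

# Demo with a constructed config: all local users jailed except "admin".
tmp=$(mktemp -d)
printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' \
    "$tmp" > "$tmp/vsftpd.conf"
printf 'admin\n' > "$tmp/chroot_list"
for u in ftpuser admin; do
    echo "$u: $(vsftpd_chroot_status "$tmp/vsftpd.conf" "$u")"
done
rm -rf "$tmp"
```

Run it against the real /etc/vsftpd/vsftpd.conf before enabling a chroot list to confirm which users will actually be confined; the surprising case is an existing list that suddenly becomes an exemption list once chroot_local_user is switched to YES.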

 

Example-1: Define a single chroot directory for all users

The FTP server package used on common Linux distributions (Red Hat, CentOS, Debian, Ubuntu, etc.) is vsftpd. When this package is installed, its configuration is written to /etc/vsftpd/vsftpd.conf. An example vsftpd.conf file looks like this:

[foc@almalinux8 opt]$ cat /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
connect_from_port_20=YES
dirmessage_enable=YES
local_enable=YES
local_umask=022
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES

Open this file with an editor (vi, nano etc) and add the following lines (or modify existing entries if already present):

chroot_local_user=YES
local_root=/home

Save and exit the file. Here /home becomes the root (/) of the chroot jail: when a user logs in, they can reach their own directory under /home, but cannot move to the directory above it.

When a user is created in Linux, the home directory is automatically created under /home. If you want to keep that layout, simply follow the steps above. The only thing you need to pay attention to is the permissions on the user home directories:

[foc@almalinux8 home]$ ls -la
total 4
drwxr-xr-x.  4 root    root      32 Sep  8 23:09 .
dr-xr-xr-x. 18 root    root     255 Sep  5 23:29 ..
drwx------. 18 foc     foc     4096 Sep  9 15:41 foc
drwx------   3 ftpuser ftpuser  109 Sep  8 23:10 ftpuser

As seen above, each user's home directory is accessible only to its owner. If your permissions differ, restrict the directory so that only its owner can access it with the following command:

[foc@almalinux8 home]$ sudo chmod -R 700 /home/ftpuser

Then restart the vsftpd service:

[foc@almalinux8 ~]$ systemctl restart vsftpd.service

Let's take a look at the service status:

[foc@almalinux8 ~]$ systemctl status vsftpd.service
● vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2022-09-09 15:41:17 +03; 19s ago
Process: 1667 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
Main PID: 1668 (vsftpd)
Tasks: 1 (limit: 12212)
Memory: 712.0K
CPU: 2ms
CGroup: /system.slice/vsftpd.service
└─1668 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Sep 09 15:41:17 almalinux8 systemd[1]: Starting Vsftpd ftp daemon...
Sep 09 15:41:17 almalinux8 systemd[1]: Started Vsftpd ftp daemon.

This step is completed with the two lines we added to vsftpd.conf. Let's login with these settings:

foc@fedora:~$ ftp 192.168.122.15
Connected to 192.168.122.15 (192.168.122.15).
220 (vsFTPd 3.0.3)
Name (192.168.122.15:foc): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Let's run the ls command after logging in:

ftp> ls
227 Entering Passive Mode (192,168,122,15,151,163).
150 Here comes the directory listing.
drwx------ 18 1000 1000 4096 Sep 10 11:14 foc
drwxrwx--- 3 1001 1001 109 Sep 08 20:10 ftpuser
226 Directory send OK.

We can see that it lists the users under the /home directory. Let's try to change to the parent directory:

ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,122,15,98,212).
150 Here comes the directory listing.
drwx------ 18 1000 1000 4096 Sep 10 11:14 foc
drwxrwx--- 3 1001 1001 109 Sep 08 20:10 ftpuser
226 Directory send OK.

We have not moved to the parent directory; we are still in /home. Let's try to change to a different directory:

ftp> cd /etc
550 Failed to change directory.

or

ftp> cd foc
550 Failed to change directory.

Permission denied. Let's go to the user's own home directory:

ftp> cd ftpuser
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,122,15,121,25).
150 Here comes the directory listing.
-rwxrwx--- 1 0 0 24 Sep 08 20:10 FTP_CHECK
226 Directory send OK.

The operation is successful, so we have restricted the user to a directory over FTP.

 

Example-2: Define a different root directory for each user

In this example, instead of using the standard location, we give the new user a home directory of our own choosing and make it that user's root directory. Let's create a directory under / to hold the FTP users' home directories:

[foc@almalinux8 ~]$ sudo mkdir /ftp

Next, let's define the permissions:

[foc@almalinux8 home]$ sudo chmod 770 -R /ftp
[foc@almalinux8 home]$ sudo chown -R faruk:ftp /ftp/faruk

Create new FTP User

First, let's go through the steps to keep in mind when creating a new user. Create the new user with its home directory under /ftp using the -d parameter:

[foc@almalinux8 ~]$ sudo adduser faruk -d /ftp/faruk

Then make this directory accessible only to its owner, and add the user to the ftp group:

[foc@almalinux8 home]$ sudo chmod -R 700 /ftp/faruk
[foc@almalinux8 home]$ sudo usermod -G ftp faruk

Let's create the new user's password:

[foc@almalinux8 home]$ sudo passwd faruk
Changing password for user faruk.
Retype new password:
passwd: all authentication tokens updated successfully.

 

Configure vsftpd.conf to restrict user

In the step above, we gave the FTP user /ftp/faruk as its root directory. Now edit vsftpd.conf so that per-user settings are read from a separate directory. Add the following lines to vsftpd.conf:

user_config_dir=/etc/vsftpd_user_conf
allow_writeable_chroot=YES
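allow_writeable_chroot=YES is needed here because /ftp/faruk is owned by faruk with mode 700, and vsftpd 3.x refuses a chrooted login whose root directory is writable by the logged-in user. The script below is an added example (not from the article or from vsftpd) that approximates that check from the directory's owner/group/other write bits, reports whether a login would be accepted for a given vsftpd.conf, and builds the alternative layout that avoids the option altogether: a read-only chroot root with a writable upload subdirectory. The directories and config files it creates are constructed in a temporary directory; the user and group names come from the calling user, since chown to another account needs root.

```shell
#!/bin/sh
# Added example: predict whether vsftpd will accept a chrooted login for a given
# local_root, and show the read-only-root layout that avoids allow_writeable_chroot.

# chroot_root_writable DIR USER GROUP -> "writable" or "readonly" for that user
chroot_root_writable() {
    dir=$1; user=$2; group=$3
    # ls -ld fields: perms links owner group ...; a trailing '.' on perms
    # (SELinux label) does not move the positions used below.
    set -- $(ls -ld "$dir")
    perms=$1; owner=$3; grp=$4
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$perms" | cut -c3)   # owner write bit
    elif [ "$grp" = "$group" ]; then
        bit=$(printf '%s' "$perms" | cut -c6)   # group write bit
    else
        bit=$(printf '%s' "$perms" | cut -c9)   # other write bit
    fi
    if [ "$bit" = w ]; then echo writable; else echo readonly; fi
}

# login_verdict CONF DIR USER GROUP -> "accepted" or "refused"
login_verdict() {
    conf=$1
    allow=$(sed -n 's/^[[:space:]]*allow_writeable_chroot[[:space:]]*=[[:space:]]*//p' "$conf" \
            | tail -n 1)
    if [ "$(chroot_root_writable "$2" "$3" "$4")" = writable ] && [ "$allow" != YES ]; then
        echo refused      # "500 OOPS: refusing to run with writable root inside chroot()"
    else
        echo accepted
    fi
}

# make_safe_layout BASE -> BASE is the jail root (no write bit for its owner),
# BASE/upload is the only writable directory. When BASE is owned by root, mode
# 755 gives the FTP user the same read-only view; 555 is used here because the
# example creates BASE as the calling user.
make_safe_layout() {
    mkdir -p "$1/upload"
    chmod 700 "$1/upload"
    chmod 555 "$1"
}

# Demo on constructed directories and configs.
tmp=$(mktemp -d)
me=$(id -un); mygrp=$(id -gn)
mkdir "$tmp/faruk"; chmod 700 "$tmp/faruk"          # the article's layout
printf 'allow_writeable_chroot=YES\n' > "$tmp/with.conf"
printf 'local_enable=YES\n' > "$tmp/without.conf"
echo "700 root, allow_writeable_chroot=YES: $(login_verdict "$tmp/with.conf" "$tmp/faruk" "$me" "$mygrp")"
echo "700 root, default config:             $(login_verdict "$tmp/without.conf" "$tmp/faruk" "$me" "$mygrp")"
make_safe_layout "$tmp/safe"
echo "read-only root + upload/, default:    $(login_verdict "$tmp/without.conf" "$tmp/safe" "$me" "$mygrp")"
chmod -R u+w "$tmp"; rm -rf "$tmp"
```

The read-only-root layout is the one to prefer where the user only needs to upload into a known subdirectory: the jail root stays unwritable, so the user cannot plant files (for example a .ftpaccess-style or startup file) in the directory the daemon treats as /, and the default vsftpd check can stay enabled.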

Let's create a configuration file for the user under the /etc/vsftpd_user_conf directory:

[foc@almalinux8 ~]$ sudo touch /etc/vsftpd_user_conf/faruk

Let's define the root directory of that user for this file:

[foc@almalinux8 ~]$ sudo nano /etc/vsftpd_user_conf/faruk
local_root=/ftp/faruk

Save and exit the file. Then restart the vsftpd service:

[foc@almalinux8 ~]$ systemctl restart vsftpd.service

Now let's login with faruk user:

foc@fedora:~$ ftp 192.168.122.15
Connected to 192.168.122.15 (192.168.122.15).
220 (vsFTPd 3.0.3)
Name (192.168.122.15:foc): faruk
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,122,15,117,226).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Sep 10 19:05 WELCOME
226 Directory send OK.
ftp> 

You can now define a different home directory for each user; there is no need to collect all users' home directories in one place. In this way, too, you can restrict an FTP user to a directory.

 

Summary

We have explained the steps needed to confine a user to a directory on an FTP server that is already installed. You can get help for installing a new FTP server here; the steps above can also be applied during installation.

 


 


4 thoughts on “[SOLVED] Restrict FTP user to a directory in Linux”

  1. I have tried both examples, i.e. examples 1 & 2, but it doesn't work in WinSCP software: from WinSCP I can move from one directory to another directory and can copy files and move them to my PC.
    Can you please guide me regarding this? Need urgent support.

  2. Very useful, thanks a lot. My problem is that there's an operational server using Docker. Developers deploy a new version of the app sometimes, but they often must upload some files for containers on the operational server. Such supplementary files are stored in /docker/using/this/dir on the host, which is mounted into the container. I want to give developers specific access to /docker/using/this/dir on the op server to upload supplementary files, but no access to anywhere else. How should I change the configuration?
