FTP (File Transfer Protocol) moves files between a client and a server, and one FTP server normally serves many users at the same time. A user logged in to the FTP server should not be able to leave the directory assigned to them; otherwise everything the FTP daemon itself can read, such as other users' home directories or system files, is exposed. In this article, let's look for an answer to the question "How to restrict an FTP user to a directory in Linux?" using vsftpd.
How to restrict ftp user to a directory?
vsftpd has several configuration directives that control whether a local FTP user is confined (chroot()ed) to a specific directory in Linux. The main ones are:
- chroot_local_user : If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login.
- chroot_list_enable : If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. Note that the meaning flips when chroot_local_user is also YES: the list then names the users who are NOT placed in a jail.
- chroot_list_file : The name of the file containing that list of local users, one login name per line.
Example-1: Define a single chroot directory for all users
The FTP server package used here, available on all common Linux distributions (Red Hat, CentOS, AlmaLinux, Debian, Ubuntu etc.), is vsftpd. On Red Hat-family systems the package installs its configuration as /etc/vsftpd/vsftpd.conf (Debian and Ubuntu put it at /etc/vsftpd.conf). The example vsftpd.conf file used in this article is as follows:
[foc@almalinux8 opt]$ cat /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
connect_from_port_20=YES
dirmessage_enable=YES
local_enable=YES
local_umask=022
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
Open this file with an editor (vi, nano etc.) and add the following lines (or modify the existing entries if they are already present):
chroot_local_user=YES
local_root=/home
Save and exit the file. chroot_local_user=YES jails every local user with chroot(), and local_root=/home makes /home, rather than each user's own home directory, the directory they are jailed in. In other words, after login a user sees /home as / (the jail root): they can enter their own directory under it, and moving to an upper directory is impossible because, inside the jail, nothing exists above it. One check to be aware of: vsftpd 3.x refuses the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" if the jail root is writable by the user. /home is owned by root with mode 755, so it passes that check without any further change.
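The two directives above, together with the chroot_list_enable inversion described in the option list, decide where a local user actually lands after login. The following shell functions are an added example (not code from the original article): one sets a directive in vsftpd.conf without leaving duplicates when the script is re-run, and one applies the chroot_local_user / chroot_list_enable / chroot_list_file / local_root rules to report the directory a given user ends up in and whether they are jailed. It assumes a Linux host with GNU sed and coreutils and a key=value style vsftpd.conf; the file and list paths are passed in as arguments rather than hard-coded.

```shell
#!/bin/sh
# Added example, not part of the original article or of vsftpd itself.
# Assumes GNU sed/coreutils (sed -i, tail -c) and a "key=value" vsftpd.conf.
set -eu

# vsftpd_set FILE KEY VALUE
# Replace an existing "KEY=..." line or append one, so re-running a setup
# script never leaves two copies of the same directive in the file.
# (VALUE must not contain '|' or '&', which are special to the sed expression.)
vsftpd_set() {
    _file=$1 _key=$2 _value=$3
    if grep -q "^${_key}=" "$_file"; then
        sed -i "s|^${_key}=.*|${_key}=${_value}|" "$_file"
    else
        # make sure the appended line starts on its own line
        [ -z "$(tail -c 1 "$_file")" ] || echo >>"$_file"
        printf '%s=%s\n' "$_key" "$_value" >>"$_file"
    fi
}

# vsftpd_get FILE KEY
# Print the value of KEY (the last occurrence wins), or nothing if it is unset.
vsftpd_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- || true
}

# effective_root FILE USER HOME
# Print the directory USER will be in after login and whether they are jailed:
#   - chroot_local_user=YES jails everyone ...
#   - ... except the users listed in chroot_list_file when chroot_list_enable=YES
#     (with chroot_local_user=NO the list instead selects the users who ARE jailed)
#   - local_root, when set, replaces HOME as the directory vsftpd changes into,
#     and therefore as the jail root
effective_root() {
    _file=$1 _user=$2 _home=$3
    _all=$(vsftpd_get "$_file" chroot_local_user)
    _list_on=$(vsftpd_get "$_file" chroot_list_enable)
    _list=$(vsftpd_get "$_file" chroot_list_file)
    _root=$(vsftpd_get "$_file" local_root)

    _listed=no
    if [ "$_list_on" = YES ] && [ -n "$_list" ] && [ -f "$_list" ] \
        && grep -qx "$_user" "$_list"; then
        _listed=yes
    fi

    if [ "$_all" = YES ]; then
        if [ "$_listed" = yes ]; then _jailed=no; else _jailed=yes; fi
    else
        _jailed=$_listed
    fi

    _dir=${_root:-$_home}
    if [ "$_jailed" = yes ]; then
        printf '%s (chrooted)\n' "$_dir"
    else
        printf '%s (NOT chrooted)\n' "$_dir"
    fi
}

# Usage, as root, against the live file (paths are the article's):
#   . ./vsftpd_chroot.sh
#   vsftpd_set /etc/vsftpd/vsftpd.conf chroot_local_user YES
#   vsftpd_set /etc/vsftpd/vsftpd.conf local_root /home
#   effective_root /etc/vsftpd/vsftpd.conf ftpuser /home/ftpuser
```

Run effective_root for an administrative account after enabling chroot_list_enable: if that account is listed while chroot_local_user=YES, it is reported as NOT chrooted, which is easy to overlook when the list was written with the opposite meaning in mind.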
When a user is created in Linux, the home directory is automatically created under /home. If you want to keep that layout, simply follow the steps above. The only thing you need to pay attention to is the permissions on the users' home directories:
[foc@almalinux8 home]$ ls -la
total 4
drwxr-xr-x. 4 root root 32 Sep 8 23:09 .
dr-xr-xr-x. 18 root root 255 Sep 5 23:29 ..
drwx------. 18 foc foc 4096 Sep 9 15:41 foc
drwx------ 3 ftpuser ftpuser 109 Sep 8 23:10 ftpuser
As seen above, each user's home directory is accessible only to its owner (mode 700). If your directories are more permissive, restrict them so that only the owning user can enter. Mode 700 on the directory itself is what keeps the other FTP users out; a recursive chmod -R 700 would also mark every regular file inside as executable, which is not needed:
[foc@almalinux8 home]$ sudo chmod 700 /home/ftpuser
Then restart the vsftpd service:
[foc@almalinux8 ~]$ sudo systemctl restart vsftpd.service
Let's take a look at the service status:
[foc@almalinux8 ~]$ systemctl status vsftpd.service
● vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-09-09 15:41:17 +03; 19s ago
  Process: 1667 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 1668 (vsftpd)
    Tasks: 1 (limit: 12212)
   Memory: 712.0K
      CPU: 2ms
   CGroup: /system.slice/vsftpd.service
           └─1668 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Sep 09 15:41:17 almalinux8 systemd[1]: Starting Vsftpd ftp daemon...
Sep 09 15:41:17 almalinux8 systemd[1]: Started Vsftpd ftp daemon.
That completes this step; only the two lines added to vsftpd.conf were needed. Let's log in with these settings:
foc@fedora:~$ ftp 192.168.122.15
Connected to 192.168.122.15 (192.168.122.15).
220 (vsFTPd 3.0.3)
Name (192.168.122.15:foc): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Let's run the ls command after logging in:
ftp> ls
227 Entering Passive Mode (192,168,122,15,151,163).
150 Here comes the directory listing.
drwx------ 18 1000 1000 4096 Sep 10 11:14 foc
drwxrwx--- 3 1001 1001 109 Sep 08 20:10 ftpuser
226 Directory send OK.
The listing shows the user directories under /home, which is now the jail root. Let's try to change to the parent directory:
ftp> cd ..
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,122,15,98,212).
150 Here comes the directory listing.
drwx------ 18 1000 1000 4096 Sep 10 11:14 foc
drwxrwx--- 3 1001 1001 109 Sep 08 20:10 ftpuser
226 Directory send OK.
It has not moved to the parent directory; we are still under /home. Inside the chroot() jail /home is /, and cd .. from / simply stays at /. Let's try to change to a different directory:
ftp> cd /etc
550 Failed to change directory.
The path /etc does not exist inside the jail (the jail root is /home), so the change fails. The same happens for another user's home directory, which has mode 700 and is therefore not enterable (permission denied):
ftp> cd foc
550 Failed to change directory.
Let's go to the user's own home directory:
ftp> cd ftpuser
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,122,15,121,25).
150 Here comes the directory listing.
-rwxrwx--- 1 0 0 24 Sep 08 20:10 FTP_CHECK
226 Directory send OK.
The operation succeeds, so we have restricted the user to a directory over FTP.
Example-2: Define a different root directory for each user
In this example, let's give the FTP user a root directory outside the standard /home layout by creating the user with a non-default home directory. First create a parent directory for the FTP home directories under / (the system root):
[foc@almalinux8 ~]$ sudo mkdir /ftp
Next, let's define its permissions:
[foc@almalinux8 home]$ sudo chmod 770 /ftp
The per-user directory /ftp/faruk is created together with the user in the next step, and its ownership is set after that; a chown to a user that does not exist yet fails with "invalid user".
Create new FTP User
First of all, let's go through the steps to be considered when creating a new user. Let's create the new user with a home directory under /ftp using the -d parameter (on Red Hat-family systems adduser is an alias of useradd, which creates the home directory by default; on Debian/Ubuntu adduser is a different tool and takes --home instead):
[foc@almalinux8 ~]$ sudo adduser faruk -d /ftp/faruk
Then let's make the directory the user's own and restrict it to that user only (mode 700 on the directory is enough; a recursive chmod would also mark the files inside as executable):
[foc@almalinux8 home]$ sudo chown -R faruk:ftp /ftp/faruk
[foc@almalinux8 home]$ sudo chmod 700 /ftp/faruk
[foc@almalinux8 home]$ sudo usermod -aG ftp faruk
(-a appends the ftp group; usermod -G without -a would replace every supplementary group the user already has.) Let's set the new user's password:
[foc@almalinux8 home]$ sudo passwd faruk
Changing password for user faruk.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Configure vsftpd.conf to restrict user
In the step above we gave the FTP user faruk the home directory /ftp/faruk. Now let's tell vsftpd to read a per-user configuration so that faruk is jailed there. Add the following lines to vsftpd.conf (chroot_local_user=YES from Example 1 stays; settings in a per-user file override the global ones, so the global local_root=/home can stay in place for the other users):
user_config_dir=/etc/vsftpd_user_conf
allow_writeable_chroot=YES
allow_writeable_chroot=YES is needed here only because /ftp/faruk, the jail root, is owned and writable by faruk. By default vsftpd 3.x refuses such a login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()", and this option switches that check off. A user who can create arbitrary entries at what the jailed process sees as / has a much larger attack surface against the chroot() jail, so treat the option as a convenience rather than a hardening. The safer layout is a root-owned jail root (mode 755) with a user-owned, writable sub-directory underneath it; with that layout the option is not needed at all.
Let's create the per-user configuration directory and, inside it, a file named exactly after the login name:
[foc@almalinux8 ~]$ sudo mkdir -p /etc/vsftpd_user_conf
[foc@almalinux8 ~]$ sudo touch /etc/vsftpd_user_conf/faruk
Let's define the root directory of that user in this file:
[foc@almalinux8 ~]$ sudo nano /etc/vsftpd_user_conf/faruk
local_root=/ftp/faruk
Save and exit the file. Then restart the vsftpd service:
[foc@almalinux8 ~]$ sudo systemctl restart vsftpd.service
Now let's log in as user faruk:
foc@fedora:~$ ftp 192.168.122.15
Connected to 192.168.122.15 (192.168.122.15).
220 (vsFTPd 3.0.3)
Name (192.168.122.15:foc): faruk
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,122,15,117,226).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Sep 10 19:05 WELCOME
226 Directory send OK.
ftp>
You can now define a different home directory for each user; you do not have to collect all users' home directories in one place. In this way, too, you can restrict an FTP user to a directory.
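The per-user jail from this example works because allow_writeable_chroot=YES switches off vsftpd's writable-root check. The script below is an added example (not code from the original article, and not part of vsftpd) of the alternative layout that needs no such exception: the jail root /ftp/USER is owned by root and read-only to the user, and a writable upload/ sub-directory underneath it is the only place the user can write. It also contains an audit function that applies the same "not owned by the user, not group/world writable" condition to an existing jail, plus a helper that writes the per-user local_root override. The /ftp and /etc/vsftpd_user_conf paths follow the article; the upload/ directory name and the FTP_BASE / USER_CONF_DIR environment overrides are this example's own choices. It requires GNU stat, and setup_jail must run as root; /ftp itself must remain traversable (executable) by the user.

```shell
#!/bin/sh
# Added example, not part of the original article or of vsftpd itself.
# Requires GNU coreutils (stat -c, tail -c). setup_jail must run as root.
set -eu

FTP_BASE=${FTP_BASE:-/ftp}                           # article's jail parent
USER_CONF_DIR=${USER_CONF_DIR:-/etc/vsftpd_user_conf} # article's user_config_dir

# jail_root_ok DIR USER
# Return 0 when DIR is a safe chroot root for USER: it exists, USER does not
# own it, and neither group nor others hold the write bit. This is the condition
# vsftpd checks before refusing a login with "writable root inside chroot()".
jail_root_ok() {
    _dir=$1 _user=$2
    [ -d "$_dir" ] || { echo "missing: $_dir"; return 1; }
    _owner=$(stat -c %U "$_dir")
    _mode=$(stat -c %a "$_dir")                 # e.g. 755 or 1777
    [ "$_owner" != "$_user" ] || { echo "owned by $_user: $_dir"; return 1; }
    _go=$(printf '%s' "$_mode" | tail -c 2)     # group and other digits
    case $_go in
        *[2367]*) echo "group/other writable ($_mode): $_dir"; return 1 ;;
    esac
    echo "ok: $_dir"
}

# write_user_root USER DIR
# Create the per-user override that user_config_dir points vsftpd at. The file
# name must be exactly the login name. Prints the path of the file written.
write_user_root() {
    mkdir -p "$USER_CONF_DIR"
    printf 'local_root=%s\n' "$2" >"$USER_CONF_DIR/$1"
    echo "$USER_CONF_DIR/$1"
}

# setup_jail USER
# Layout: $FTP_BASE/USER        root:root 755  jail root, read-only to the user
#         $FTP_BASE/USER/upload USER:USER 700  the only writable location
# The user is created with -M because the directories are made here.
setup_jail() {
    _u=$1 _jail=$FTP_BASE/$1
    id "$_u" >/dev/null 2>&1 || useradd -M -d "$_jail" "$_u"
    mkdir -p "$_jail/upload"
    chown root:root "$_jail" && chmod 755 "$_jail"
    chown "$_u:$_u" "$_jail/upload" && chmod 700 "$_jail/upload"
    write_user_root "$_u" "$_jail" >/dev/null
    jail_root_ok "$_jail" "$_u"      # fails loudly if the layout is wrong
}

# Run as: sudo sh jail.sh setup faruk   (then restart vsftpd)
if [ "${1-}" = setup ] && [ "$(id -u)" -eq 0 ]; then
    setup_jail "$2"
fi
```

With this layout allow_writeable_chroot can be left at its default of NO; after a restart the user logs in at /, sees only upload/, and can write there and nowhere else. Running jail_root_ok against the article's /ftp/faruk reports it as owned by faruk, which is exactly why that example needed the option.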
Summary
We have explained the steps needed to restrict a user to a directory on an already installed FTP server. You can get help for installing a new FTP server here. The same steps can be applied to restrict FTP users while setting up a new server.
References
serverfault.com - Create new vsftpd user and lock to (specify) home / login directory
unix.stackexchange.com - Limit FTP access only to the /var/www with vsftpd
man page for vsftpd.conf
I use CentOS 7 and vsftpd 3.0.2.
Very useful, thanks a lot. My problem is that there's an operational server using Docker. Developers deploy a new version of the app sometimes, but they often must upload some files for the containers on the operational server. Such supplementary files are stored in /docker/using/this/dir on the host, which is mounted into the container. I want to give developers specific access to /docker/using/this/dir on the operational server to upload supplementary files, but no access to anywhere else. How should I change the configuration?
I am using CentOS, version CentOS Linux release 7.4.1708 (Core), and the vsftpd rpm is vsftpd-3.0.2-22.el7.x86_64.
I have tried both examples, i.e. examples 1 & 2, but it doesn't work in the WinSCP software: from WinSCP I can move from one directory to another, and I can copy files and move them to my PC.
Can you please guide me regarding this? I need urgent support.