Limit Directory Access for FTP Access

[MichaelJohn]

I am now running 'vsftpd' on my machine (Mint 13). After disabling 'anonymous access' I can limit access to Users I have set up via 'Users & Groups'. The problem is that I need to limit them to a specific directory and below but seem able to either give them unfettered access to the directory structure or none at all! How can I set this up? If it helps all these Users need access to the same directory.

Many thanks...

[txba516]

Hi MichaelJohn,

The feature you are looking for is termed chroot. See here for configuring a restricted directory for users.
http://www.cyberciti.biz/tips/vsftp-chr ... ctory.html
So you could set the home directory for the desired accounts to the target directory they need access to and that will limit them only to that root location and below.

Cheers!

[MichaelJohn]

I came across an article in “thegeekstuff” where you used "sshd" rather than "vsftpd" to set this up. Hours wasted as it did not work and just prevented any "ftp" login! Another article suggested changing the "passwd" file entry from "/sbin/bash" to "/sbin/bash -r" to restrict access – again this prevented login. Following the article linked to the the above post resulted in unfettered access if "vsftpd.chroot_file" was used and no access if "vsftpd.nonchroot_list" was used. This issue is now becoming a show stopper! It is obvious from what I have seen on the web that I am not the only person with this issue but the various solutions fail for as many people as they work for. This inconsistency does not help move Linux into the mainstream!

[txba516]

So is there an issue setting the user home directories to the intended target directory that they need access to and keeping them solely contained to that directory?
It's not clear what is required for the users in whole. You can create a user group for these users and allow them to only open certain directories by file system permissions settings. The downside to this is that they will still see all of the other directories that they do not have access into.
If you can give examples of what is needed that would be helpful. Such as...
User1 logs into FTP and default home is /ftp/users/User1
User1 needs to have access to /ftp/shared/share123
or
User2, User3, User4 each log into FTP and default home is /ftp/shared/share123.

Cheers!

[MichaelJohn]

Thank you for replying. Each of the FTP users need to access the same directory, and its sub-directories, to pull back files only. They may also wish to delete those they have pulled back and processed. The directory is a subdirectory of another user, e.g. /home/ano/data. There are a number of administrator and user logins that should not be affected by any changes.

I did find a reference on the web that the version of 'vsftpd' I was using is buggy and has specific issue with chroot(), and advised a back port. I did this and now the 'vsftpd' service will not even start. So that is the next hour or so tied up. Linux could do with a 'restore' function.

[DanielR]

I'm not very knowledgeable about FTP but might the following be a solution to your task: http://unix.stackexchange.com/questions ... -directory ?

[MichaelJohn]

This is one of the posts I saw whilst trawling the web. Unfortunately it does not work as there is a bug in chroot(). However I had another go at the back port and it worked this time. The trick is to make sure that 'vsftpd' and every configuration file is completely and utterly removed before installing the back port! I had to then edit the new configuration files but it all works. It has highlighted another issue in that the process that imports the data files that the ftpusers need to 'get' sets inappropriate permissions. But then I am moving forward.

The link for those interested is:- http://www.mikestechblog.com/joomla/ope ... hroot.html