
VSFTPD-chrooted user with limited directory access

Create a user with home directory /foo (useradd hari -d /foo). Alternatively, create a normal user and then edit /etc/passwd to change the home directory.

We chose the latter option here, since /foo is a sensitive directory and we don't want to take the risk of putting .bash files in it.

# useradd hari
# grep hari /etc/passwd

hari:x:796:796::/home/hari:/bin/bash

Now change the home directory to /foo

# vi /etc/passwd


# grep hari /etc/passwd
hari:x:796:796::/foo:/sbin/nologin


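Note that we have changed the home directory from /home/hari to /foo and the shell from /bin/bash to /sbin/nologin.

Add the following two lines to /etc/vsftpd/vsftpd.conf to enable chroot functionality. With chroot_local_user left at its default of NO, the users named in the list file are the ones placed in the chroot; if chroot_local_user is set to YES, the list instead names the users who are not chrooted.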
# vi /etc/vsftpd/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list


Now add the user hari to the chroot list file.

# echo hari >> /etc/vsftpd.chroot_list

Now verify the permissions of /foo, /foo/tux and /foo/beastie.

[root@psycho ~]# ls -ld /foo/
drwxrwx--- 17 root ftpuser 4096 Feb 6 19:58 /foo/

[root@psycho ~]#
[root@psycho ~]# ll /foo/
total 81652
drwxr-xr-- 2 tiger ftpuser 4096 Sep 18 2007 alert
drwxr-xr-x 14 root root 4096 Jan 18 2008 tux
drwxr-xr-x 2 root root 4096 Jan 11 2008 log
drwx------ 2 root root 16384 Sep 6 2007 lost+found
drwxrwxr-x 4 giraffe ftpuser 048000 Feb 9 23:51 beastie
[root@psycho ~]#


/foo/tux and /foo/beastie are readable by everyone, but /foo itself will not be readable by hari, since its permission is 770.

So add the user "hari" to the group "ftpuser", which is the group that owns /foo.

# grep ftpuser /etc/group
ftpuser:x:502:

# vi /etc/group
ftpuser:x:502:hari


Now list the files/directories under /foo other than tux and beastie, which are the only directories the user needs access to.

# ls /foo | grep -vx -e tux -e beastie
alert
log
lost+found


Add these to /etc/vsftpd_user_conf/hari to restrict access by the FTP user. The following line is already set in /etc/vsftpd/vsftpd.conf:
user_config_dir=/etc/vsftpd_user_conf

# vi /etc/vsftpd_user_conf/hari
deny_file={alert,log,lost+found}
write_enable=NO


write_enable=NO prevents the user from changing files/directories.

Restart the VSFTPD service.

# /etc/init.d/vsftpd restart

That's it. The setup now satisfies the following conditions:

1. The user will be able to log in through the FTP protocol.
2. The default login directory will be the chrooted home, /foo. The user will not be able to access any directory outside /foo.
3. The user can access the "tux" and "beastie" directories right from the home directory.
4. These two directories will be read-only. The user can't write/change any files/directories.
5. The user cannot access any other directories under /foo except tux and beastie.
6. The user will not be able to log in directly to the system.
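
The deny_file list above is a fixed set of names, so a directory created under /foo later is not covered by it and condition 5 stops holding without any error. The following added example (not part of the original post) lists entries that are neither allowed nor denied; the temp-directory fixture and the function names are constructed for illustration, and only exact names are compared, not vsftpd's wildcard patterns.

```shell
#!/bin/sh
# Added example (not from the original post): drift check for a static
# deny_file list. The fixture paths and names are constructed sample data.

# conf_value FILE KEY: print the last value assigned to KEY in a vsftpd config.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# uncovered ROOT CONF ALLOWED...: print each entry of ROOT that is neither in
# the ALLOWED list nor named in CONF's deny_file={a,b,c}. Only exact names are
# compared; vsftpd's * and ? wildcards are not evaluated here.
uncovered() {
    root=$1; conf=$2; shift 2
    denied=$(conf_value "$conf" deny_file | tr -d '{}' | tr ',' '\n')
    for path in "$root"/* "$root"/.[!.]*; do
        if [ ! -e "$path" ]; then continue; fi      # unmatched glob
        name=${path##*/}
        covered=no
        for ok in "$@"; do
            if [ "$name" = "$ok" ]; then covered=yes; fi
        done
        if printf '%s\n' "$denied" | grep -Fxq -e "$name"; then covered=yes; fi
        if [ "$covered" = no ]; then printf '%s\n' "$name"; fi
    done
}

# make_fixture: build a constructed copy of the post's layout in a temp dir
# and print its path: DIR/foo is the chroot root, DIR/hari the per-user config.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/foo/alert" "$dir/foo/log" "$dir/foo/lost+found" \
             "$dir/foo/tux" "$dir/foo/beastie"
    printf 'deny_file={alert,log,lost+found}\nwrite_enable=NO\n' > "$dir/hari"
    printf '%s\n' "$dir"
}

fx=$(make_fixture)
echo "write_enable: $(conf_value "$fx/hari" write_enable)"
echo "uncovered now: [$(uncovered "$fx/foo" "$fx/hari" tux beastie)]"
mkdir "$fx/foo/backup"      # a directory created after the list was written
echo "uncovered after new dir: [$(uncovered "$fx/foo" "$fx/hari" tux beastie)]"
rm -rf "$fx"
```

The vsftpd.conf man page itself advises using filesystem permissions in preference to deny_file for serious access control, so any name this check reports should also be closed off with ownership and mode bits.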
