Create new vsftpd user and lock to (specify) home / login directory

209

Solution 1

Complete answer that solved my question for any others that are after a step by step walkthrough...

Install vsftpd using this as a guide.

  • Create user with useradd [user_name].
  • Create user's password with passwd [user_name]. (You'll be prompted to specify the password).
  • Create FTP directory in /var/ftp and then bind to the 'home' directory you wish to specify for this user with mount --bind /var/www/vhosts/domain.com/ /var/ftp/custom_name/.
  • Change user's home directory with usermod -d /var/ftp/custom_name/ user_name

    In /etc/vsftpd/vsftpd.conf, ensure all of the following are set:-

    • chroot_local_user=YES
    • chroot_list_enable=YES
    • chroot_list_file=/etc/vsftpd.chroot_list

Only list users in the vsftpd.chroot_list file if you want them to have full access to anywhere on the server. By not listing them in this file, you're saying restrict all vsftpd users to their specified home directory.

In other words (for reference):-

  1. means that by default, ALL users get chrooted except users in the file...
    • chroot_local_user=YES
    • chroot_list_enable=YES
  2. means that by default, ONLY users in the file get chrooted...
    • chroot_local_user=NO
    • chroot_list_enable=YES

Solution 2

For me it didn't work even after the above. There was a local_root already set to a directory, and whatever I did, the user's directory wasn't jailed. It finally worked only after changing

chroot_local_user=YES

and following this procedure:

  1. vi /etc/vsftpd.conf
  2. Add the line 'user_config_dir=/etc/vsftpd_user_conf' (no quotes)
  3. mkdir /etc/vsftpd_user_conf;
  4. cd /etc/vsftpd_user_conf
  5. vi user_name;
  6. Enter the line 'local_root=/srv/ftp/user_name'

Just my two cents if anyone else has the same issue.
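
The chroot rules from Solution 1 and the per-user local_root override from Solution 2, as an added example that is not part of either answer: a small Python audit that reports each local user's login directory and whether the chroot list jails or exempts them. The user backupadmin, the sample file contents and the function names are constructed for illustration; only YES/NO values are handled.

```python
# Added example: audit who is jailed under a vsftpd config.
# All sample data below is constructed for illustration.
MAIN_CONF = """\
# Solution 1 settings plus the user_config_dir line from Solution 2
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
user_config_dir=/etc/vsftpd_user_conf
"""
CHROOT_LIST = "backupadmin\n"  # hypothetical user listed in chroot_list_file
USER_CONFS = {"user_name": "local_root=/srv/ftp/user_name\n"}  # per-user files
HOMES = {"user_name": "/var/ftp/custom_name/", "backupadmin": "/home/backupadmin"}


def parse_conf(text):
    """Parse 'option=value' lines; '#' lines are comments, later lines win."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts


def is_yes(opts, key):
    return opts.get(key, "NO").upper() == "YES"  # both chroot options default to NO


def is_chrooted(user, opts, listed):
    """The list file exempts users or jails them, depending on chroot_local_user."""
    jail_by_default = is_yes(opts, "chroot_local_user")
    if not is_yes(opts, "chroot_list_enable"):
        return jail_by_default
    return (user not in listed) if jail_by_default else (user in listed)


def audit(main_conf, chroot_list, user_confs, homes):
    """Return {user: (login_dir, jailed)} for each local user."""
    main = parse_conf(main_conf)
    listed = {u.strip() for u in chroot_list.splitlines() if u.strip()}
    report = {}
    for user, home in homes.items():
        # Per-user files only apply when user_config_dir is set; they override main.
        per_user = user_confs.get(user, "") if "user_config_dir" in main else ""
        opts = {**main, **parse_conf(per_user)}
        report[user] = (opts.get("local_root", home), is_chrooted(user, opts, listed))
    return report
```

With chroot_local_user=YES, every name the audit reports as not jailed is a user listed in the chroot list file, so that file is the one to review.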


Author: Yuvraj Talukdar

Updated on September 18, 2022

Comments

  • Yuvraj Talukdar
    Yuvraj Talukdar almost 2 years

    I am a newcomer to gnome app building. I am trying to build polari app using gnome builder on Ubuntu 18.04. I am getting the following error

    meson /home/yuvraj/Projects/polari . --prefix /app
    The Meson build system
    Version: 0.45.1
    Source dir: /home/yuvraj/Projects/polari
    Build dir: /home/yuvraj/.var/app/org.gnome.Builder/cache/gnome-builder/projects/Polari/builds/default-host-master
    Build type: native build
    Project name: polari
    Native C compiler: cc (gcc 7.3.0 "cc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0")
    Build machine cpu family: x86_64
    Build machine cpu: x86_64
    Program gjs found: YES (/usr/bin/gjs)
    Program js60 found: NO
    Program desktop-file-validate found: YES (/usr/bin/desktop-file-validate)
    Program appstream-util found: YES (/usr/bin/appstream-util)
    Found pkg-config: /usr/bin/pkg-config (0.29.1)
    Native dependency gio-2.0 found: YES 2.56.3
    Native dependency gtk+-3.0 found: YES 3.22.30
    Native dependency telepathy-glib found: YES 0.24.1
    Native dependency gobject-introspection-1.0 found: YES 1.56.1
    Native dependency gjs-1.0 found: NO found '1.52.5' but need: '>= 1.53.90'

    meson.build:40:0: ERROR: Invalid version of dependency, need 'gjs-1.0' ['>= 1.53.90'] found '1.52.5'.

    I did try installing all the build dependencies, but it still didn't help. The build profile is default and the runtime is the host operating system.

    • jirib
      jirib over 10 years
      Sorry, but have you ever considered checking vsftpd.conf?
    • zigojacko
      zigojacko over 10 years
      Yes. I have. It doesn't tell me how to instruct a specific user to log in to a specific directory...?
    • jirib
      jirib over 10 years
      Sure? chroot_list_enable option... Or you mean to override directory different than $HOME?
    • jirib
      jirib over 10 years
      Then usermod to change user's homedir.
    • zigojacko
      zigojacko over 10 years
      Like this? usermod -d /var/ftp/blah/ username
  • NoLand'sMan
    NoLand'sMan almost 10 years
    Why not set the home directory of that user directly to /var/www/vhosts/domain.com/? Is there some problem with that (like any potential risks)?
  • NoLand'sMan
    NoLand'sMan almost 10 years
    I just found out that vsftp seems to forbid granting an ftp user write permissions on the chroot top level for security reasons (but I'm not 100% sure). So that might be a reason to have this "indirection" in order to grant the ftp user write access to a specific folder while not allowing him to view any sibling folder (which would be the case if you simply set his home one level up, which avoids the mentioned issue). (see ubuntuforums.org/…)
  • mahi
    mahi about 8 years
    I followed this procedure to change the root directory of vsftpd, including the additional steps by gnaanaa. Unfortunately, it doesn't work yet. Filezilla reports 530 Login incorrect. The user and password are according to the procedure above (user_name). I created a test user ftp2, and set its password. The Filezilla normal logon uses that username and password. I also set the root directory read only, and created a lower level directory with write permissions according to this post. I'm using Ubuntu 16.04 if that makes any difference.
  • mahi
    mahi about 8 years
    I'm using Ubuntu 16.04 if that makes any difference, @gnaanaa. Also I thought it was odd that there was no ftp directory in /var. So I had to create /var/ftp, and then /var/ftp/user_name.

        Response: 220 (vsFTPd 3.0.3)
        Command: USER ftp2
        Response: 331 Please specify the password.
        Command: PASS *****
        Response: 530 Login incorrect.
        Error: Critical error: Could not connect to server
  • gnaanaa
    gnaanaa about 8 years
    Firstly, look at why you couldn't log in to the server. You can debug the issue with jailing only after a successful login. Cheers.
  • mahi
    mahi about 8 years
    Does vsftp use a different user/password compared to the accounts on the machine? I discovered that smb passwords had to be set separately with smbpasswd -a. Does vsftpd work the same way?
  • gnaanaa
    gnaanaa about 8 years
    No, it is the system user account. Check this answer: askubuntu.com/questions/413677/vsftpd-530-login-incorrect
  • Alfabravo
    Alfabravo over 7 years
    Not working either
  • GraehamF
    GraehamF over 6 years
    @zigojacko does your user only see their assigned home dir? For me, this defaults the user to the assigned directory, but, they still can see other folders and can snoop around all the way up to root, though with only read access.
  • GraehamF
    GraehamF over 6 years
    This answer, in combination with unix.stackexchange.com/questions/208960/… was the full answer for me. I ended up creating a user in a group and limited the group access to the desired directory.
  • Martin Eckleben
    Martin Eckleben over 4 years
    If you use "mount" you do it only once if I'm correct? An entry in /etc/fstab would be better I think?
  • Dr. Aaron Dishno
    Dr. Aaron Dishno about 4 years
    It worked for me after I changed the owner of the folder vsftpd_user_conf and user_name files in it to the vsftpd service account user (think it is root:root by default).