Restrict user to a directory vsftpd
The manual:
https://www.krizna.com/ubuntu/setup-ftp-server-on-ubuntu-14-04-vsftpd/
Setup FTP server on Ubuntu 14.04
Step 1 » Update repositories.
$ sudo apt-get update
Step 2 » Install the vsftpd package with the command below.
$ sudo apt-get install vsftpd
Step 3 » After installation, open /etc/vsftpd.conf and make the following changes.
» Uncomment the lines below (line no: 29 and 33 in the stock file) to allow uploads and to give newly created files mode 644 and directories mode 755.
write_enable=YES
local_umask=022
» Uncomment the line below (line no: 120) so that local users are jailed in their home directory and cannot browse the rest of the filesystem.
chroot_local_user=YES
and add the following line at the end.
allow_writeable_chroot=YES
Caveat: vsftpd 3.x rejects the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" when the jail root is writable by the user, and allow_writeable_chroot=YES simply switches that check off. The safer layout is to keep the jail root owned by root and not writable by the FTP user (vsftpd's local_root option can point the jail at such a directory) and to give the user a writable subdirectory inside it; allow_writeable_chroot is then not needed.
» Add the following lines to enable passive mode. The port range must also be allowed through any firewall or router port-forward in front of the server, alongside port 21, or data connections will hang.
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
Step 4 » Restart vsftpd service using the below command.
$ sudo service vsftpd restart
Step 5 » vsftpd now listens on port 21. Create an FTP user with the commands below.
Giving the account /usr/sbin/nologin as its shell prevents interactive logins (for example over SSH) while still allowing FTP.
$ sudo useradd -m john -s /usr/sbin/nologin
$ sudo passwd john
Step 6 » Allow FTP logins for accounts with the nologin shell. On Ubuntu vsftpd authenticates through PAM, and pam_shells rejects any login shell that is not listed in /etc/shells, so open /etc/shells and add the following line at the end.
/usr/sbin/nologin
Caveat: /etc/shells is also consulted by chsh and by every other PAM service that uses pam_shells, so this marks nologin as a valid shell system-wide, not only for vsftpd.
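The six steps above as one runnable script. This is an added example, not code from krizna.com or from the vsftpd project: it applies the Step 3 settings to a vsftpd.conf idempotently, audits the result (including the inverted meaning of chroot_list_file once chroot_local_user=YES, which comes up in the comments below), and builds a jail whose root is not writable by the user so that allow_writeable_chroot=YES is unnecessary. The /home/$USER/ftp jail path, the "files" subdirectory and the function names are assumptions for illustration; the config file path is passed in, so the functions can be exercised on a copy without root.

```shell
#!/bin/sh
# Added example (not from krizna.com or the vsftpd project). Assumes a
# Debian/Ubuntu-style vsftpd.conf; jail layout /home/$USER/ftp/files is
# an assumption chosen to keep the jail root read-only for the FTP user.

# set_opt FILE KEY VALUE: delete every existing KEY line (commented or not)
# and append one definitive line, so an audit never finds two competing
# values (vsftpd silently uses the last one it reads).
set_opt() {
  _file=$1; _key=$2; _value=$3
  sed -E "/^[#[:space:]]*${_key}=/d" "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
  printf '%s=%s\n' "$_key" "$_value" >> "$_file"
}

# get_opt FILE KEY: print the value vsftpd would use (last uncommented line).
get_opt() {
  grep -E "^${2}=" "$1" | tail -n 1 | cut -d= -f2-
}

# harden_conf FILE: the tutorial's Step 3 settings, but with the jail root
# kept non-writable instead of allow_writeable_chroot=YES. vsftpd expands
# $USER in local_root itself when user_sub_token=$USER is set.
harden_conf() {
  set_opt "$1" local_enable YES
  set_opt "$1" write_enable YES
  set_opt "$1" local_umask 022
  set_opt "$1" chroot_local_user YES
  set_opt "$1" allow_writeable_chroot NO
  set_opt "$1" user_sub_token '$USER'
  set_opt "$1" local_root '/home/$USER/ftp'
  set_opt "$1" pasv_enable YES
  set_opt "$1" pasv_min_port 40000
  set_opt "$1" pasv_max_port 40100
}

# audit_conf FILE: one line per check; returns 1 if the jail is weak.
audit_conf() {
  _rc=0
  if [ "$(get_opt "$1" chroot_local_user)" = YES ]; then
    echo "OK   chroot_local_user=YES"
  else
    echo "FAIL chroot_local_user is not YES: users can browse outside their home"
    _rc=1
  fi
  if [ "$(get_opt "$1" allow_writeable_chroot)" = YES ]; then
    echo "WARN allow_writeable_chroot=YES: jail root writable by the user"
    _rc=1
  else
    echo "OK   allow_writeable_chroot is not YES"
  fi
  # With chroot_local_user=YES the list file names users EXEMPT from the jail.
  if [ "$(get_opt "$1" chroot_list_enable)" = YES ]; then
    echo "NOTE chroot_list_enable=YES: users in $(get_opt "$1" chroot_list_file) are NOT jailed"
  fi
  return $_rc
}

# make_ftp_home BASE USER: jail root (mode 555) plus a writable "files"
# subdirectory. Ownership is only changed when running as root, which is
# what a real setup needs; unprivileged runs still build the layout.
make_ftp_home() {
  _jail=$1/$2/ftp
  mkdir -p "$_jail/files"
  chmod 755 "$_jail/files"
  chmod 555 "$_jail"
  if [ "$(id -u)" -eq 0 ]; then
    chown root:root "$_jail"
    chown "$2:$2" "$_jail/files"
  fi
  echo "$_jail"
}

# Demo on a constructed stand-in for the stock config (no root needed):
#   sh vsftpd-jail.sh demo
if [ "${1:-}" = demo ]; then
  _tmp=$(mktemp)
  printf '%s\n' '#chroot_local_user=YES' 'write_enable=NO' 'pasv_enable=Yes' > "$_tmp"
  harden_conf "$_tmp"
  audit_conf "$_tmp"
  rm -f "$_tmp"
fi
```

On a real host run `harden_conf /etc/vsftpd.conf` and `make_ftp_home /home john` as root, then `service vsftpd restart`; the audit can be re-run at any time to catch a later edit that reintroduces allow_writeable_chroot=YES or a chroot_list exemption.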
Chris G.
Updated on September 18, 2022

Comments
Nephente over 8 years: Did you set the option chroot_local_user=YES in /etc/vsftpd.conf and restart the process afterwards?
-
Shikhar Baheti over 8 years: Yes I did that, I set chroot_local_user=YES and then restarted the process with service vsftpd restart. Here is my config file: pastebin.com/S1tf1X6r
-
Nephente over 8 years: Strange. I just tried it with vsftpd version 3.0.2. Set local_enable=YES; chroot_local_user=YES; allow_writeable_chroot=YES. I can log in with a local user account and the server jails me to my home directory, as it should.
-
Shikhar Baheti over 8 yearsI'm too in my home directory, but what the problem is, I can see other directories too. Which I don't want to happen.
-
Nephente over 8 years: You mean you can browse out of your home dir and view the content of /home?
-
Shikhar Baheti over 8 yearsThat is exactly what I mean. I allotted my user to /home/jer. But what can jer do is go anywhere and see everything. He can't edit, download or upload anything but he can still see everything, open it and copy materials from it. Which I don't want.
-
Nephente over 8 years: Is the user jer in /etc/vsftpd.chroot_list? Together with chroot_local_user=YES this becomes a list of users NOT to chroot.
-
Shikhar Baheti over 8 years: Why is it that I can't see the file /etc/vsftpd.chroot_list? i.imgur.com/EPnDRNQ.png
-
Shikhar Baheti over 8 years: I'm sorry, I reinstalled vsftpd now and I made a vsftpd.chroot_list file myself. i.imgur.com/3EPAr8D.png. But there is nothing in it even after I restarted vsftpd.
-
Shikhar Baheti over 8 years: "3) Make all necessary changes within the "files" subdirectory." When I did the process again, it turned out that when I uploaded things to /home/test/file, the file wasn't being uploaded because of permission denied. Then I changed the file folder's owner to test (the username). This is what I meant by "bugged before". i.imgur.com/fwuJ5qs.png
-
Shikhar Baheti over 8 years: Weirdly, there are two chroot_local_user=YES lines; which one should be uncommented?