VSFTPD: limit user access to a specific folder only
In my application I have a folder /LD and one user, test_user. I want to give this user access to the /LD folder only. But when I connect through the FileZilla FTP client, /LD is loaded by default, yet the user can navigate to other folders as well. I want the user's access limited to that folder only. I am using a Linux 4.9 embedded system. The commands I have are chroot, adduser, addgroup and chmod; I don't have the usermod command. Please suggest whether this is possible, and if so, how.
linux embedded vsftpd
asked Mar 24 at 3:45
Rahul Tungar
1 Answer
First, you'll have to make /LD be the home directory of test_user. You said you don't have the usermod command; then use vipw instead, or if that is not available either, just ensure the user is not currently logged in and edit /etc/passwd directly.

Then, check the vsftpd.conf man page and read the descriptions of the options chroot_local_user, chroot_list_enable and chroot_list_file.

If you wish all (or most) users' FTP connections to be restricted to their home directories, you can set chroot_local_user to YES and use the /etc/vsftpd.chroot_list file (or whatever file is specified by the chroot_list_file option) to specify exceptions.

If only test_user must be restricted, then leave chroot_local_user at NO, and instead set chroot_list_enable to YES, and then add test_user to the /etc/vsftpd.chroot_list file (or whatever file is specified by the chroot_list_file option). You can create the file if it does not already exist.

As a result of these actions, when test_user logs in on an FTP connection, they will see the /LD directory as the root directory (/). As a result, it will be impossible for them to navigate outside the /LD directory tree, as for their FTP connection the rest of the filesystem just won't exist. The user may still be able to access any sub-directories of /LD; if this is not desirable, use filesystem permissions to block that.

First identify the user(s) and/or group(s) that need to access the sub-directories of /LD. Ideally, all the users of sub-directories of /LD should belong to a single group (let's call it LDsub) and test_user should not be part of that group. The test_user should be alone in another group (let's call it LDftp, for example). The members of the LDsub group may or may not be members of the LDftp group too, depending on whether or not they need write access to the /LD directory itself.

If you don't have the usermod or groupmod commands, you can edit the group memberships via vigr or just by editing /etc/group.

Now, you can use the chown command to set the ownership of the /LD directory and chmod to set the permissions:

chown root:LDftp /LD
chmod 775 /LD # this will be drwxrwxr-x

Now test_user will have write access to the /LD directory via the group membership, but they won't be the owner of the directory so they cannot change its permissions. The "everyone r-x" permissions will allow the members of the LDsub group to pass through this directory to access its sub-directories as allowed by their permissions.

The subdirectories of /LD can be owned by anyone as required, as long as it isn't the test_user. The group of those sub-directories should be set to LDsub and permissions as follows:

chgrp LDsub /LD/subdirectory # or chown <not_test_user>:LDsub /LD/subdirectory
chmod 770 /LD/subdirectory # this will be drwxrwx---

Be aware that if test_user has write access to /LD, it necessarily means that they can rename any sub-directories, create new ones and delete any empty sub-directories.

If your requirements are more complex than this, it may be easier to make sure ACL support is enabled in the filesystem and use ACLs to specify the user(s) and/or group(s) allowed to access the sub-directories of /LD. See the man pages of the getfacl and setfacl commands, and/or this webpage for details.

Alternatively, you could consider moving the sub-directories of /LD to another location and using symbolic links to make the directory paths work as before.

mv /LD/subdirectory /elsewhere/subdirectory
ln -s /elsewhere/subdirectory /LD/subdirectory

For any user other than test_user in an FTP session, these symbolic links will be usable as usual. But since test_user's FTP session will be chrooted to /LD, for them these symbolic links will appear as unusable broken links. If test_user has write access to /LD, they can delete the "broken" links though.
edited Mar 26 at 7:22
answered Mar 24 at 7:28
telcoM
can you share steps to do so?
– Rahul Tungar, Mar 26 at 4:15
Edited my answer; if you need more clarification, please specify which part you're having problems with.
– telcoM, Mar 26 at 8:10
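An added audit script, not part of the answer above nor of vsftpd itself, that checks the three things the answer combines for the "only test_user is chrooted" case: the home directory in the passwd file, the chroot_local_user / chroot_list_enable / chroot_list_file settings in vsftpd.conf, and the 775/770 modes on /LD and its sub-directories. It runs against constructed sample files in a temp directory; the function names and sample contents are this example's own, and the same functions can be pointed at the real /etc/passwd, vsftpd.conf and /LD on the box.

```shell
#!/bin/sh
# Audit helpers for the vsftpd chroot setup described in the answer.
# Only POSIX sh plus sed/awk/grep/stat (GNU or busybox) is needed.

# Print the value of OPTION in a vsftpd.conf (last assignment wins,
# comment lines are ignored because they do not start with the option name).
vsftpd_opt() {  # usage: vsftpd_opt CONF OPTION
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed only if USER's home field (6th colon field) in PASSWD equals HOME.
passwd_home_is() {  # usage: passwd_home_is PASSWD USER HOME
    [ "$(awk -F: -v u="$2" '$1 == u { print $6 }' "$1")" = "$3" ]
}

# Succeed only if CONF chroots just the users named in the chroot list
# (chroot_local_user=NO, chroot_list_enable=YES) and USER is in that list.
chroot_list_has() {  # usage: chroot_list_has CONF USER
    [ "$(vsftpd_opt "$1" chroot_local_user)" = "NO" ] || return 1
    [ "$(vsftpd_opt "$1" chroot_list_enable)" = "YES" ] || return 1
    list=$(vsftpd_opt "$1" chroot_list_file)
    [ -n "$list" ] || list=/etc/vsftpd.chroot_list   # vsftpd's default path
    grep -qx "$2" "$list"
}

# Succeed only if DIR has exactly octal mode MODE (775 for /LD, 770 for subdirs).
dir_mode_is() {  # usage: dir_mode_is DIR MODE
    [ "$(stat -c %a "$1")" = "$2" ]
}

# Build constructed sample files under a temp dir and run every check on them.
demo() {
    t=$(mktemp -d) || return 1
    # constructed passwd entry: test_user's home is /LD as the answer requires
    printf 'test_user:x:1001:1002::/LD:/bin/sh\n' > "$t/passwd"
    # constructed chroot list naming only test_user
    printf 'test_user\n' > "$t/chroot_list"
    # constructed vsftpd.conf fragment for the "restrict only test_user" case
    printf '%s\n' '# chroot only the users named in the list' \
        'chroot_local_user=NO' 'chroot_list_enable=YES' \
        "chroot_list_file=$t/chroot_list" > "$t/vsftpd.conf"
    # stand-in for /LD and one sub-directory with the modes from the answer
    mkdir -p "$t/LD/subdirectory"
    chmod 775 "$t/LD" && chmod 770 "$t/LD/subdirectory"
    rc=0
    passwd_home_is "$t/passwd" test_user /LD        || rc=1
    chroot_list_has "$t/vsftpd.conf" test_user      || rc=1
    dir_mode_is "$t/LD" 775                         || rc=1
    dir_mode_is "$t/LD/subdirectory" 770            || rc=1
    rm -rf "$t"
    return $rc
}

demo && echo "vsftpd chroot setup for test_user is consistent"
```

Keep in mind that vsftpd 3.x refuses a session whose chroot root directory is writable by the user (as /LD is here, via the LDftp group) unless allow_writeable_chroot=YES is also set; that option is not part of the answer above.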