Results 1 to 3 of 3
HI all, I have an Ubuntu server running vsftpd. I want to be able to create a limited user who will soley have access to one or two directories. I ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 01-31-2012 #1
- Join Date
- Mar 2011
How to setup an FTP user with limited access to a few directories?
I have an Ubuntu server running vsftpd.
I want to be able to create a limited user who will soley have access to one or two directories.
I know by default they have access to their home directory but how can I direct their logon to the only the directory I wish them to use?
- 02-01-2012 #2
- Join Date
- Feb 2008
I recommend you setup SFTP instead it's more secure and doesn't send user/pass over plain text.
Edit your /etc/ssh/sshd_config file, making sure the following line is present. If your system's file has a line that begins with "Subsystem sftp" modify it to resemble the following:
Subsystem sftp internal-sftp
Continue to add the following block to the end of the file:
Match group filetransfer
Restart OpenSSH as follows:
Modify User Accounts
Create a group for the users who will only have SFTP access:
Next, you'll need to modify the user accounts that you wish to restrict to using only SFTP. Issue the following commands for each account, substituting the appropriate username. Please keep in mind that this will prevent these users from being able to log into a remote shell session. If you don't want to restrict your existing users, you may add new user accounts for file transfer purposes using the adduser command.
usermod -G filetransfer username
chown root:root /home/username
chmod 755 /home/username
After issuing these commands, the affected users won't be able to create files in their home directories as these directories will be owned by the root user. You'll want to create a set of directories for each user that they have full access to. Issue the following command for each user, changing the directories created to suit your needs:
mkdir docs public_html
chown username:username *
Your users should now be able to log into their accounts via SFTP and transfer files to and from the directories located beneath their home directories, but they shouldn't be able to see the rest of the server's filesystem.
- 02-01-2012 #3
- Join Date
- Aug 2006
If you don't want the user to have ftp access to a home directory, then set the login directory in "/etc/passwd" for that user to elsewhere.
Set the vsftp chroot-jail option for the user to limit him to the login directory you have allowed him.
If you only want to allocate one non-default directory for access, then that's enough.
For more than one directory, bind-mount any other directories you want him to have access to, so they appear to be subdirectories of the one he can access.
Each bind mount (in /etc/fstab) looks like the below:
/dirtoaccess /dirunderlogin none ro,bind 0 0
So if you were allowing fred acess to home and /an_other,
/an_other /home/fred/an_other none ro,bind 0 0
(mount point directory an_other should be created manually under /home/fred.)
This can be tested manually with
mount /an_other /home/fred/an_other -o ro bind
If you don't make a directory under /home/fred, the mount will mask /home/fred until umounted.