  1. #1
    Just Joined!
    Join Date
    Mar 2011
    Posts
    8

    How to setup an FTP user with limited access to a few directories?


    Hi all,

    I have an Ubuntu server running vsftpd.

    I want to be able to create a limited user who will solely have access to one or two directories.

    I know by default they have access to their home directory, but how can I direct their logon to only the directory I wish them to use?

  2. #2
    Just Joined!
    Join Date
    Feb 2008
    Posts
    14
    I recommend you set up SFTP instead; it's more secure and doesn't send user/pass over plain text.

    Edit your /etc/ssh/sshd_config file, making sure the following line is present. If your system's file has a line that begins with "Subsystem sftp" modify it to resemble the following:

    File excerpt: /etc/ssh/sshd_config

        Subsystem sftp internal-sftp

    Continue to add the following block to the end of the file:

    File excerpt: /etc/ssh/sshd_config

        Match group filetransfer
            ChrootDirectory %h
            X11Forwarding no
            AllowTcpForwarding no
            ForceCommand internal-sftp

    Restart OpenSSH as follows:

        /etc/init.d/ssh restart

    Modify User Accounts

    Create a group for the users who will only have SFTP access:

        addgroup filetransfer

    Next, you'll need to modify the user accounts that you wish to restrict to using only SFTP. Issue the following commands for each account, substituting the appropriate username. Please keep in mind that this will prevent these users from being able to log into a remote shell session. If you don't want to restrict your existing users, you may add new user accounts for file transfer purposes using the adduser command.

        usermod -G filetransfer username
        chown root:root /home/username
        chmod 755 /home/username

    After issuing these commands, the affected users won't be able to create files in their home directories as these directories will be owned by the root user. You'll want to create a set of directories for each user that they have full access to. Issue the following command for each user, changing the directories created to suit your needs:

        cd /home/username
        mkdir docs public_html
        chown username:username *

    Your users should now be able to log into their accounts via SFTP and transfer files to and from the directories located beneath their home directories, but they shouldn't be able to see the rest of the server's filesystem.

  3. #3
    Just Joined!
    Join Date
    Aug 2006
    Posts
    14
    If you don't want the user to have ftp access to a home directory, then set the login directory in "/etc/passwd" for that user to elsewhere.

    Set the vsftp chroot-jail option for the user to limit him to the login directory you have allowed him.

    If you only want to allocate one non-default directory for access, then that's enough.

    For more than one directory, bind-mount any other directories you want him to have access to, so they appear to be subdirectories of the one he can access.

    Each bind mount (in /etc/fstab) looks like the below:

        /dirtoaccess /dirunderlogin none ro,bind 0 0

    So if you were allowing fred access to home and /an_other,

        /an_other /home/fred/an_other none ro,bind 0 0

    (The mount point directory an_other should be created manually under /home/fred.)

    This can be tested manually with

        mount /an_other /home/fred/an_other -o ro,bind

    If you don't make a directory under /home/fred, the mount will mask /home/fred until unmounted.
