Tuesday, February 10, 2009

VSFTPD-chrooted user with limited directory access

Create a user whose home directory is /foo. Either create it that way directly (useradd -d /foo hari), or create a normal user and then edit /etc/passwd to change the home directory afterwards.

Here we chose the latter option: /foo is a sensitive directory that already exists, and we do not want useradd to populate it with skeleton files such as .bash_profile and .bashrc.

# useradd hari
# grep hari /etc/passwd

hari:x:796:796::/home/hari:/bin/bash

Now change the home directory to /foo

# vi /etc/passwd


# grep hari /etc/passwd
hari:x:796:796::/foo:/sbin/nologin


Note that we have changed the home directory from /home/hari to /foo and the shell from /bin/bash to /sbin/nologin, so the account cannot get an interactive login. The same change can be made with usermod -d /foo -s /sbin/nologin hari, which avoids hand-editing /etc/passwd (or use vipw, which locks the file). On Red Hat based systems /etc/pam.d/vsftpd includes pam_shells.so, so the login shell must be listed in /etc/shells; /sbin/nologin is there by default, but confirm with grep nologin /etc/shells before relying on it. The same PAM file also treats /etc/vsftpd/ftpusers as a deny list, so the user must not appear there.

Add the two lines below to /etc/vsftpd/vsftpd.conf to chroot the users named in the list file. This relies on chroot_local_user keeping its default of NO: with chroot_local_user=YES the meaning of the list flips and it becomes the list of users who are NOT chrooted.
# vi /etc/vsftpd/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list


Now add the user hari to the chroot list file.

# echo hari >> /etc/vsftpd.chroot_list

Now verify the permissions of /foo, /foo/tux and /foo/beastie.

[root@psycho ~]# ls -ld /foo/
drwxrwx--- 17 root ftpuser 4096 Feb 6 19:58 /foo/

[root@psycho ~]#
[root@psycho ~]# ll /foo/
total 81652
drwxr-xr-- 2 tiger ftpuser 4096 Sep 18 2007 alert
drwxr-xr-x 14 root root 4096 Jan 18 2008 tux
drwxr-xr-x 2 root root 4096 Jan 11 2008 log
drwx------ 2 root root 16384 Sep 6 2007 lost+found
drwxrwxr-x 4 giraffe ftpuser 048000 Feb 9 23:51 beastie
[root@psycho ~]#


/foo/tux and /foo/beastie are world-readable, but /foo itself is mode 770 (root:ftpuser), so hari cannot enter it and the chrooted session would have nothing to show.

So add the user hari to the group ftpuser, the group owner of /foo (usermod -a -G ftpuser hari does the same without hand-editing /etc/group). Two caveats follow from this. First, beastie is group-writable (drwxrwxr-x giraffe ftpuser), so once hari is in ftpuser the filesystem would let him write there; only the write_enable=NO setting below prevents that, so the read-only guarantee is enforced by vsftpd, not by the permissions. Second, /foo is group-writable, so the chroot root is now writable by the FTP user; vsftpd 3.0.0 and later refuse to log such a user in ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES is set. On a newer vsftpd, prefer chmod 750 /foo over that option.

# grep ftpuser /etc/group
ftpuser:x:502:

# vi /etc/group
ftpuser:x:502:hari


Now list the entries under /foo other than tux and beastie. These two are the only directories the user needs, so everything else must be denied. Of the remaining entries, alert (group r-x) and log (world r-x) are enterable by hari at the filesystem level, so the per-user deny list is what actually blocks them; lost+found is mode 700 root and is blocked by permissions anyway.

# ls /foo | grep -v tux | grep -v beastie
alert
log
lost+found


Add these to /etc/vsftpd_user_conf/hari so that vsftpd refuses access to them for this user. This relies on the line below already being present in /etc/vsftpd/vsftpd.conf; the per-user file must be named exactly after the login name.
user_config_dir=/etc/vsftpd_user_conf

# vi /etc/vsftpd_user_conf/hari
deny_file={alert,log,lost+found}
write_enable=NO


write_enable=NO prevents the user from uploading, deleting, renaming or otherwise changing files and directories for the whole session, regardless of filesystem permissions. deny_file blocks download, directory changes and any other operation on the matching names, but it does not hide them from listings; add hide_file with the same pattern if the names should not appear at all. The vsftpd.conf(5) manual says deny_file "should not be used for serious access control" and that filesystem permissions should be used in preference, so treat it as a second layer on top of the permissions checked above, not as the primary control.

Restart the vsftpd service so that the changes to vsftpd.conf take effect.

/etc/init.d/vsftpd restart
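The procedure above can be scripted so that the deny list is generated from the real directory contents rather than typed by hand, and so that the chroot_local_user trap is caught before restarting the service. The script below is an added example and is not code from the original post; the paths and names (/foo, hari, tux, beastie, /etc/vsftpd_user_conf, /etc/vsftpd/vsftpd.conf) are the post's, while the function names, the argument layout and the exit codes are this example's own. It only writes the per-user configuration file; the user, shell and group changes (usermod) remain manual and need root.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the per-user
# vsftpd configuration described above from a real directory listing and
# sanity-check the chroot settings in the main vsftpd.conf.
# Function names, argument layout and exit codes are this example's own.
# Assumes entry names under the directory contain no whitespace (true for
# the listing in the post).

# Emit a deny_file line covering every top-level entry of $1 that is NOT in
# the allow list given as the remaining arguments. Generalises the post's
# `ls /foo | grep -v tux | grep -v beastie` to any number of allowed names
# and includes dot-files (ls -A), which a plain `ls` would miss.
build_deny_file() {
    dir=$1; shift
    deny=""
    for name in $(ls -A "$dir"); do
        allowed=no
        for keep in "$@"; do
            [ "$name" = "$keep" ] && allowed=yes
        done
        [ "$allowed" = yes ] || deny="${deny:+$deny,}$name"
    done
    printf 'deny_file={%s}\n' "$deny"
}

# Return the last value set for key $2 in vsftpd.conf $1 (later lines win),
# upper-cased so YES/yes compare equal; empty if the key is absent.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr '[:lower:]' '[:upper:]'
}

# Verify that the chroot list will be read as "users TO chroot", which is
# what the post relies on. Returns 1 if the list is not enabled and 2 if
# chroot_local_user=YES, in which case vsftpd inverts the list into the set
# of users that are NOT chrooted and hari would escape the chroot.
check_chroot_list() {
    conf=$1
    if [ "$(conf_value "$conf" chroot_list_enable)" != YES ]; then
        echo "chroot_list_enable is not YES in $conf" >&2
        return 1
    fi
    if [ "$(conf_value "$conf" chroot_local_user)" = YES ]; then
        echo "chroot_local_user=YES: the chroot list is now an exception list" >&2
        return 2
    fi
    return 0
}

# Write <user_conf_dir>/<user> with the deny_file line for <dir> followed by
# write_enable=NO, mirroring /etc/vsftpd_user_conf/hari in the post.
write_user_conf() {
    user_conf_dir=$1; user=$2; dir=$3; shift 3
    mkdir -p "$user_conf_dir"
    {
        build_deny_file "$dir" "$@"
        echo "write_enable=NO"
    } > "$user_conf_dir/$user"
}

# Usage (as root, after the usermod steps):
#   sh vsftpd-userconf.sh /etc/vsftpd/vsftpd.conf /etc/vsftpd_user_conf hari /foo tux beastie
# Only runs when arguments are given, so the file can also be sourced.
if [ "$#" -ge 4 ]; then
    main_conf=$1; ucd=$2; ftp_user=$3; ftp_home=$4; shift 4
    check_chroot_list "$main_conf" || exit $?
    write_user_conf "$ucd" "$ftp_user" "$ftp_home" "$@"
    echo "wrote $ucd/$ftp_user; restart vsftpd to apply" >&2
fi
```

Run it first against a staging copy of the tree and of vsftpd.conf, compare the generated file with the one above, and only then point it at the real paths. If check_chroot_list exits with status 2 the main configuration has chroot_local_user=YES, and adding hari to the list would un-chroot him rather than chroot him.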

That's it. The resulting setup satisfies the following conditions:

1. The user can log in over FTP.
2. The login directory is the chrooted home /foo; the user cannot reach any directory outside /foo.
3. The user can access the tux and beastie directories directly from the home directory.
4. Both directories are read-only: the user cannot write, delete or change any files or directories.
5. The user cannot access any other directory under /foo except tux and beastie.
6. The user cannot log in to the system directly, since the shell is /sbin/nologin.
