Davoud Teimouri – Virtualization and Data Center

Restrict FTP Users To Their Home Directory Without Using OpenSSH – Oracle Linux

Sometimes we want to let certain users upload and download files through an FTP server on a Linux machine.

By default, a user can view his home directory and other directories on the remote machine, but we want to restrict all FTP users to their own home directories and prevent them from uploading files to other users' home directories. We also want to prevent these users from making SSH connections and using SFTP.

As the first step, install “VSFTPD” as the FTP server on your Linux machine, then edit a few configuration files.

We also create a group and grant FTP permissions to that group.

Here are the instructions and configurations:

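Step 1: Create the group and the users, and set the users' home directories:

# Create the home directory (and /FTP itself if it does not exist yet)
mkdir -p /FTP/ftpuser1
mkdir /FTP/ftpuser1/incoming
mkdir /FTP/ftpuser1/outgoing
groupadd ftpusers
useradd -d /FTP/ftpuser1 -g ftpusers ftpuser1
passwd ftpuser1
# The home directory (the chroot) stays owned by root and is not writable by the user
chown root:root /FTP/ftpuser1
chmod 750 /FTP/ftpuser1
# With root:root and mode 750 the user could not enter the home directory, so grant read and traverse only
setfacl -m u:ftpuser1:r-x /FTP/ftpuser1
# Write access exists only inside the two subdirectories
setfacl -m u:ftpuser1:rwx /FTP/ftpuser1/incoming
setfacl -m u:ftpuser1:rwx /FTP/ftpuser1/outgoing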

Step 2: Deny the group access to SSH by editing “/etc/ssh/sshd_config”:

Find and comment out the line below (this turns off the SFTP subsystem for every user on the machine):
Subsystem      sftp    /usr/libexec/openssh/sftp-server
Add the line below:
DenyGroups ftpusers

Save and exit, then restart the “sshd” service.

Step 3: Add the lines below to “/etc/vsftpd/vsftpd.conf”:

anonymous_enable=NO
chroot_local_user=YES
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list_access
userlist_deny=NO

Step 4: Create the file “/etc/vsftpd/user_list_access”, add the usernames to it (one per line), and then restart the “vsftpd” service.

Step 5: Test the FTP connection by running the “ftp x.x.x.x” command and logging on to the FTP server as the ftpuser.
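
To confirm that the edits from steps 2 and 3 are really in place, the script below audits both files. It is an added example, not part of the original post; the function names conf_value, audit_vsftpd and audit_sshd are hypothetical, and it assumes that the last occurrence of a repeated vsftpd key wins.

```bash
#!/usr/bin/env bash
# Added example: audit the files edited in steps 2 and 3 (not the author's code).
# Values are compared literally with the page's spelling; Match blocks and
# Include files in sshd_config are not interpreted.

# Print the value of KEY in a key=value file. Assumption: the last line wins.
conf_value() {  # conf_value FILE KEY
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k { sub(/^[^=]*=/, ""); sub(/[[:space:]]+$/, ""); v = $0 }
        END { print v }' "$1"
}

# Echo the number of vsftpd.conf settings that differ from step 3.
audit_vsftpd() {  # audit_vsftpd FILE
    local bad=0 want key val
    for want in anonymous_enable=NO chroot_local_user=YES userlist_enable=YES \
                userlist_file=/etc/vsftpd/user_list_access userlist_deny=NO; do
        key=${want%%=*}
        val=$(conf_value "$1" "$key")
        if [ "$val" != "${want#*=}" ]; then
            echo "vsftpd: $key is '${val:-unset}', want '${want#*=}'" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Echo the number of step 2 problems in an sshd_config file.
audit_sshd() {  # audit_sshd FILE [GROUP]
    local bad=0 group
    group=${2:-ftpusers}
    # sshd keywords are case-insensitive; group names are space-separated.
    if ! awk -v g="$group" 'tolower($1) == "denygroups" {
            for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
            END { exit !ok }' "$1"; then
        echo "sshd: no DenyGroups line lists $group" >&2; bad=$((bad + 1))
    fi
    if awk 'tolower($1) == "subsystem" && $2 == "sftp" { hit = 1 }
            END { exit !hit }' "$1"; then
        echo "sshd: Subsystem sftp is still enabled" >&2; bad=$((bad + 1))
    fi
    echo "$bad"
}

# Constructed sample: a vsftpd.conf missing two of the step 3 settings.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO chroot_local_user=YES userlist_enable=YES > "$sample"
echo "vsftpd findings: $(audit_vsftpd "$sample")"
rm -f "$sample"
```

On the server, call audit_vsftpd with /etc/vsftpd/vsftpd.conf and audit_sshd with /etc/ssh/sshd_config; each finding goes to stderr and the count to stdout.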

I hope this post helps you keep your FTP server safe.

Update: If you want to disable the user's logon, change the line below in “/etc/passwd”:

ftpuser:x:500:500::/FTP:/bin/bash

Change to:

ftpuser:x:500:500::/FTP:/sbin/nologin

 
