making a secure ftp user
poiuytrewq
24th March 2005, 01:11 AM
i would like to make an ftp user on my computer that i can give out to anyone, and not worry about them being mischievous on my computer. i have set one up temporarily by creating a user with no login script. i feel fairly safe about no one being able to edit my data, but the user can still view the contents of / and all the standard sub dirs that regular users can see.
my question is this. is there any way to limit a user to having access to only their home dir, and not being able to see anything else?
the user only needs to be able to login to ftp and upload and download.
if it makes a difference, I'm using vsftp for my server
and right now I'm stuck with FC1... that's right, one. ....I'll upgrade when i can
please and thanks for any help
Jman
24th March 2005, 05:40 AM
This is called a chroot server, as in you have changed the root directory. I don't have a howto handy, unfortunately.
Yatima
26th March 2005, 07:56 PM
This is a configuration problem of the FTP server.
Personally, I use this: http://www.pureftpd.org/
It does not come with Fedora, so you might have to compile from source. But it allows you
to easily create FTP accounts so that the FTP user cannot move out of his home directory.
They don't need a login shell either. It also supports FTP control connection encryption, though
unfortunately not data connection encryption. If interested, I will point you to my howto on this.
I don't know what FTP server comes with Fedora, because I never bother to install the package.
ryan.overton
27th March 2005, 06:11 AM
In /etc/vsftpd
edit your vsftpd.conf and add this line
"chroot_list_enable=YES"
then in your /etc
make a file called "vsftpd.chroot_list"
in this file, you add the username of the user you want to add to the ftp.
this will "lock" this user in whatever home dir you have specified in /etc/passwd for that user.
be sure to restart the vsftpd service.
let me know how that works out for ya.
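The post above relies on how vsftpd combines chroot_local_user, chroot_list_enable and chroot_list_file, and on vsftpd's strict option=value syntax (no spaces, no quotes). The following is an added model written for this thread, not code from the post or from vsftpd itself; it parses a vsftpd.conf fragment the way vsftpd would accept it and answers whether a given local user ends up chrooted.

```python
import re

# vsftpd accepts only bare "option=value" lines (no spaces, no quotes);
# comment lines start with '#'. Added model, not vsftpd's own parser.
_OPTION_LINE = re.compile(r"^([A-Za-z_]+)=(.*)$")

def parse_vsftpd_conf(text):
    """Return {option: value}; raise ValueError on a line vsftpd would reject."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = _OPTION_LINE.match(line)
        if m is None or '"' in line or "'" in line:
            raise ValueError(f"line {lineno}: not a bare option=value line: {line!r}")
        conf[m.group(1)] = m.group(2)
    return conf

def _flag(conf, option, default="NO"):
    """Boolean options take YES/NO (TRUE/FALSE and 1/0 also work)."""
    value = conf.get(option, default).upper()
    if value not in ("YES", "NO", "TRUE", "FALSE", "1", "0"):
        raise ValueError(f"bad bool value for {option}: {value}")
    return value in ("YES", "TRUE", "1")

def chroot_list_path(conf):
    """Path vsftpd reads the user list from; the upstream default is used if unset."""
    return conf.get("chroot_list_file", "/etc/vsftpd.chroot_list")

def is_chrooted(conf, username, listed_users):
    """Rule matrix from the vsftpd.conf documentation:
      chroot_local_user=NO  + chroot_list_enable=YES -> list = users TO chroot
      chroot_local_user=YES + chroot_list_enable=YES -> list = users NOT chrooted
      chroot_list_enable=NO                          -> chroot_local_user decides
    listed_users is the set of names read from chroot_list_path(conf)."""
    chroot_everyone = _flag(conf, "chroot_local_user")
    if not _flag(conf, "chroot_list_enable"):
        return chroot_everyone
    in_list = username in listed_users
    return (not in_list) if chroot_everyone else in_list

if __name__ == "__main__":
    # Constructed input: the configuration the post above describes.
    conf = parse_vsftpd_conf("chroot_list_enable=YES\nchroot_list_file=/etc/vsftpd.chroot_list\n")
    print("userid chrooted:", is_chrooted(conf, "userid", {"userid"}))
```

Note that with chroot_local_user=YES the same list flips meaning and becomes the set of users who are NOT jailed, which is an easy way to un-jail the one user you meant to confine.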
ashleysnix
29th March 2005, 08:44 AM
Hi Ryan
I followed your example above, however I am still experiencing the same issue as poiuytrewq...
- Uncommented line "chroot_list_enable=YES" in vsftpd.conf.
- Made a file called "/etc/vsftpd.chroot_list", added userid to this file.
- service vsftpd restart
Logged into ftp with userid, successfully "cd /".
Also tried the following but ended up with the same result:
- Uncommented line "chroot_list_enable=YES" in vsftpd.conf.
- Uncommented line "chroot_list_file=/etc/vsftpd.chroot_list" in vsftpd.conf.
- Made a file called "/etc/vsftpd.chroot_list", added userid to this file.
- service vsftpd restart
Are there any settings I'm missing for vsftpd? Or should I go for pureftpd as Yatima mentions?
Thanks for any help.
Ashley
ryan.overton
29th March 2005, 11:41 AM
this might be a dumb question, but you don't have the quotes around the code, do you?? if so, take them out.. my mistake.
ashleysnix
29th March 2005, 12:01 PM
Nah, no quotes ;-)
robghealey
29th March 2005, 12:12 PM
Yatima:
can you give me the howto for pureftp! I would like to set up a ftp server, but I want it secure as well. If pureftp works easily then I want it...
ashleysnix
29th March 2005, 12:41 PM
Hi Rob
I'm in the process of setting up pureftp. I came across these which you may be interested in:
www.pureftpd.org
RPM packages: ftp://ftp.pureftpd.org/pub/pure-ftpd/releases/binaries/redhat/
Installation: http://www.pureftpd.org/README
Virtual (chrooted) users: http://www.pureftpd.org/README.Virtual-Users
Instructions seem pretty straight-forward, so far!
Cheers
Ashley
robghealey
29th March 2005, 01:01 PM
Ashleysnix:
Thanks for the information, and I appreciate you taking the time to look into it for me and of course yourself. I will download it and do a lot of reading once I get home. I am working the midnight shift at work tonight.
Thanks again...
ashleysnix
29th March 2005, 01:54 PM
Hey Rob
I didn't have much luck with pure-ftpd, with chroot issues as above with vsftpd.
I tried another package called proftpd (http://www.proftpd.org / http://download.fedora.us/fedora/fedora/3/i386/RPMS.extras/proftpd-1.2.10-2.i386.rpm).
After starting it without any config (service proftpd start):
- my local user account couldn't "cd /" to the root directory.
- root user couldn't login.
- anonymous user couldn't login.
So a good start there, for what I need for myself.
I altered /etc/proftpd.conf a little (it's getting late here in Vic & I have work in the morning...):
# Set the user and group that the server normally runs at.
User ftp # changed from nobody
Group ftp # changed from nobody
Added an "FTP" user from the prompt:
useradd -g ftp -d /home/userid userid
passwd userid
service proftpd restart
Logged in ok with userid. When I did a "cd /" then a "ls -l", I could only view the files listed under /home/userid (which is what I needed).
Hope this info helps.
Any feedback about what I've done much appreciated.
Thanks
Ashley
ryan.overton
29th March 2005, 02:03 PM
I'm not sure what the problem with your vsftpd is.... I'm running out of things to look at which would be the problem...
sorry...
blueflowers
11th August 2005, 07:16 PM
This is a really stupid question, but I have pureftp installed and working. But I tried logging in through ftp with root user and pass and it didn't work. how do i make a user account that works with ftp?
Yatima
11th August 2005, 08:37 PM
Here are some notes I took long ago. They should work with the last pureftpd versions, but I don't know as I have switched to sftp entirely :-P
PAM setup
In the pam subdirectory of the distribution:
$ install -m 644 -g root -o root pure-ftpd /etc/pam.d/
The text below shows the contents; I added the #%PAM-1.0 at the front. Not sure whether it's necessary, it works well without. However, the detection mode of pam_listfile.so has been changed. Instead of refusing a list of users, we allow a list of users. This is saner:
#%PAM-1.0
# auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftplockout onerr=succeed
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ftpallow onerr=fail
auth required /lib/security/pam_unix.so
auth required /lib/security/pam_shells.so
account required /lib/security/pam_unix.so
session required /lib/security/pam_unix.so
password sufficient /lib/security/pam_unix.so
# If authentication doesn't work for you, try to add 'shadow' (without quotes)
# after pam_unix.so - suggested by Joe Silva.
# If it still doesn't work for you, you can also try to add "md5" after
# "pam_unix.so"
In the original setup, the first line of the PAM setup will cause PAM to check in /etc/ftplockout for users that are NOT permitted access! Originally, in the file provided, this file was called /etc/ftpusers which may cause confusion. (I actually posted a bug report for 1.0.12)
The PAM setup coming with 1.0.18 is as below. We do not yet adopt it, especially on RH 7.3.
#%PAM-1.0
# Sample PAM configuration file for Pure-FTPd.
# Install it in /etc/pam.d/pure-ftpd or add to /etc/pam.conf
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Reference for PAM: http://www.kernel.org/pub/linux/libs/pam/
Implement /etc/ftpallow to let some users in:
$ touch /etc/ftpallow
$ chmod 644 /etc/ftpallow
Whenever some user shall have access, add his username to this list.
In particular, see http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.13 for a description of pam_listfile, which we cite here:
> The list-file module provides a way to deny or allow services based on an arbitrary file.
>
> Recognized arguments:
>
> onerr=succeed|fail; sense=allow|deny; file=filename; item=user|tty|rhost|ruser|group|shell apply=user|@group
>
> Description:
>
> The module gets the item of the type specified -- user specifies the username, PAM_USER;
> tty specifies the name of the terminal over which the request has been made, PAM_TTY;
> rhost specifies the name of the remote host (if any) from which the request was made, PAM_RHOST;
> and ruser specifies the name of the remote user (if available) who made the request, PAM_RUSER
> -- and looks for an instance of that item in the file filename. filename contains one line per
> item listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned, causing the
> authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is returned, causing the
> authorization request to fail.
>
> If an error is encountered (for instance, if filename does not exist, or a poorly-constructed
> argument is encountered), then if onerr=succeed, PAM_SUCCESS is returned, otherwise if
> onerr=fail, PAM_AUTH_ERR or PAM_SERVICE_ERR (as appropriate) will be returned.
>
> An additional argument, apply=, can be used to restrict the application of the above to a
> specific user (apply=username) or a given group (apply=@groupname). This added restriction
> is only meaningful when used with the tty, rhost and shell items.
>
> Besides this last one, all arguments should be specified; do not count on any default behavior,
> as it is subject to change.
>
> No credentials are awarded by this module
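The reason the notes above swap the shipped sense=deny/onerr=succeed line for sense=allow/onerr=fail is visible once the decision is written out: the deny list fails open when /etc/ftplockout is missing, the allow list fails closed when /etc/ftpallow is missing. The following is an added model built from the quoted pam_listfile description, not code from the post or from Linux-PAM; `files` is a constructed stand-in for the filesystem.

```python
# Added model of pam_listfile's decision, written from the description quoted
# above; not code from the post or from Linux-PAM. `files` is a constructed
# stand-in for the filesystem: {path: contents}, one username per line, and a
# missing key means the file does not exist.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_SERVICE_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_SERVICE_ERR"

def pam_listfile(user, sense, onerr, file, files):
    """Return the module result for one `auth required pam_listfile.so` line."""
    if sense not in ("allow", "deny") or onerr not in ("succeed", "fail"):
        # poorly constructed argument -> the onerr path
        return PAM_SUCCESS if onerr == "succeed" else PAM_SERVICE_ERR
    if file not in files:
        # file does not exist -> the onerr path (fail-open vs fail-closed)
        return PAM_SUCCESS if onerr == "succeed" else PAM_AUTH_ERR
    listed = user in {l.strip() for l in files[file].splitlines() if l.strip()}
    if sense == "allow":
        return PAM_SUCCESS if listed else PAM_AUTH_ERR
    return PAM_AUTH_ERR if listed else PAM_SUCCESS

# The two lines from the notes above: the shipped deny list and the allow list
# the notes substitute for it.
ORIGINAL = dict(sense="deny", onerr="succeed", file="/etc/ftplockout")
SANER = dict(sense="allow", onerr="fail", file="/etc/ftpallow")

def who_gets_in(users, line, files):
    """Names from `users` that pass the given pam_listfile line."""
    return [u for u in users if pam_listfile(u, files=files, **line) == PAM_SUCCESS]

if __name__ == "__main__":
    candidates = ["userid", "root", "nobody"]
    # Neither list file has been created yet: the deny list lets everyone
    # through this module, the allow list lets nobody through.
    print("original, no file:", who_gets_in(candidates, ORIGINAL, {}))
    print("saner, no file:   ", who_gets_in(candidates, SANER, {}))
    # After `touch /etc/ftpallow` and adding one name, only that name passes.
    print("saner, with file: ", who_gets_in(candidates, SANER, {"/etc/ftpallow": "userid\n"}))
```

The real module also treats a list file that is not owned by root or is world-writable as an error and takes the onerr path, which is why the `chmod 644 /etc/ftpallow` step matters; that ownership check is not modelled here.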
centos_x
22nd August 2005, 08:47 AM
For Vsftp
In /etc/passwd - take notice to the period after the home path -
username:x:100:100:/home/dir/./:/sbin/tru
Everything previously posted is correct, but in order to jail, it has to be specified in the passwd file with . / proceeding the path to the directory you want that user jailed in
(Note: no space between the period and forward slash)