
System: Ubuntu 18.04 Server VSFTPD installed.

What I got so far:

sudo adduser user
sudo mkdir -p /opt/chroot/transfer
sudo chown user /opt/chroot/transfer

# */etc/ssh/sshd_config*

Include /etc/ssh/sshd_config.d/*.conf
Port 22
ChallengeResponseAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
#ChrootDirectory /opt/chroot/transfer
AcceptEnv LANG LC_*
Subsystem sftp  /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
Match User user
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
PasswordAuthentication yes


# */etc/vsftpd.conf*

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

allow_writeable_chroot=YES

I can't get any further. The user can access anywhere. :/ The user is supposed to only have access via SSH (port 22) to /opt/chroot/transfer.

nm82
  • (1) AFAIK `vsftpd` is for [FTP(S) which is not SFTP](https://superuser.com/q/677966/432690). Do you want FTP(S) or SFTP? or both? (2) The only line containing `/opt/chroot/transfer` in the configs you posted is commented out (because of `#` in front). – Kamil Maciorowski Dec 07 '22 at 18:59
  • (1) vsftpd only (2) yes, because otherwise it locks out the user via ssh – nm82 Dec 07 '22 at 20:21
  • If strictly "`vsftpd` only" then no access via SSH. `vsftpd` has nothing to do with SSH. If you want to limit the user to `/opt/chroot/transfer` both for FTP(S) (`vsftpd`) and for SSH (including SFTP and SCP) then these are two *distinct* problems with configuration of two different tools: `vsftpd` and `sshd`. – Kamil Maciorowski Dec 07 '22 at 20:43
  • Yes, and how do I do this? – nm82 Dec 07 '22 at 21:33
  • The first thing to do is deciding if this question is about FTP(S) or SSH(+SFTP+SCP) and editing the question accordingly. One topic per question please. If you need help with both then you should ask a second question that will cover the topic not covered here. It seems to me you were unaware `vsftpd` has nothing to do with SSH, so I understand why you asked a single question involving both. Now it's time to sort it out. – Kamil Maciorowski Dec 07 '22 at 21:58
  • Ok, first I want to have a user that when accessing the server via e.g. winSCP only has access to that specific folder so he can't snoop around anywhere. – nm82 Dec 07 '22 at 22:05
  • WinSCP supports FTP *and* SFTP/SCP. I'm telling you that on the server side these require two separate tools, each with its own configuration. So you need two questions. Unless you e.g. drop FTP(S) and allow only SSH and related protocols. – Kamil Maciorowski Dec 07 '22 at 22:10
  • FTP is more important so I drop the SSH. I need a user who only can have access to this particular directory using FTP. – nm82 Dec 07 '22 at 22:39
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/141162/discussion-between-nm82-and-kamil-maciorowski). – nm82 Dec 07 '22 at 22:43

1 Answer

The solution:

Install vsftpd using this as a guide.

  • Create user with useradd [user_name].

  • Create user's password with passwd [user_name]. (You'll be prompted to specify the password).

  • Create FTP directory in /var/ftp and then bind to the 'home' directory you wish to specify for this user with mount --bind /var/www/vhosts/domain.com/ /var/ftp/custom_name/.

  • Change user's home directory with usermod -d /var/ftp/custom_name/ user_name

In /etc/vsftpd/vsftpd.conf, ensure all of the following are set:

 chroot_local_user=YES
 chroot_list_enable=YES
 chroot_list_file=/etc/vsftpd.chroot_list

Only list users in the vsftpd.chroot_list file if you want them to have full access to anywhere on the server. By not listing them in this file, you're saying restrict all vsftpd users to their specified home directory.

In other words (for reference):

  1. chroot_local_user=YES
     chroot_list_enable=YES

     means that by default, ALL users get chrooted except users in the file...

  2. chroot_local_user=NO
     chroot_list_enable=YES

     means that by default, ONLY users in the file get chrooted...

Source: User zigojacko

https://serverfault.com/questions/544850/create-new-vsftpd-user-and-lock-to-specify-home-login-directory

nm82
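As an added example (not part of the answer above, nor of vsftpd itself), a small POSIX shell helper that reads a vsftpd.conf and reports, for a given account, whether the two options above leave it chrooted or free to browse the whole filesystem. The configs, the list file and the `admin` account are constructed for the demo, and `vsftpd_user_chrooted` is a hypothetical helper name.

```shell
#!/bin/sh
# Work out which local users vsftpd will actually chroot, from a vsftpd.conf.
# Hypothetical helper, not part of vsftpd; the sample configs are constructed.
# Last uncommented "key=value" wins; fall back to the supplied default.
vsftpd_get() {   # vsftpd_get <conf> <key> <default>
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}
# Exit status 0 when the boolean option is on (vsftpd accepts YES/TRUE/1).
vsftpd_bool() {   # vsftpd_bool <conf> <key> <default>
    case "$(vsftpd_get "$1" "$2" "$3" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
        *)          return 1 ;;
    esac
}
# Print "chrooted" or "unrestricted" for <user>:
#   chroot_local_user=YES -> everyone chrooted, list file names the exceptions
#   chroot_local_user=NO  -> nobody chrooted, list file names who is
#   chroot_list_enable=NO -> the list file is ignored entirely
# (An unreadable list file makes vsftpd itself refuse the login with
#  "500 OOPS: could not open chroot() list file"; here it counts as "not listed".)
vsftpd_user_chrooted() {   # vsftpd_user_chrooted <conf> <user>
    conf=$1; user=$2
    in_list=no
    if vsftpd_bool "$conf" chroot_list_enable NO; then
        list=$(vsftpd_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
        [ -r "$list" ] && grep -qx "$user" "$list" && in_list=yes
    fi
    if vsftpd_bool "$conf" chroot_local_user NO; then
        [ "$in_list" = yes ] && echo unrestricted || echo chrooted
    else
        [ "$in_list" = yes ] && echo chrooted || echo unrestricted
    fi
}
# Constructed sample matching the question's policy: chroot everyone, the
# list file holds the exceptions (here a hypothetical "admin" account).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'admin\n' > "$tmp/chroot_list"
printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' \
    "$tmp" > "$tmp/vsftpd.conf"
# Same list file, opposite default: only the listed users are chrooted.
printf 'chroot_local_user=NO\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' \
    "$tmp" > "$tmp/vsftpd-optin.conf"
for u in user admin; do
    printf '%-6s default-chroot: %-12s opt-in: %s\n' "$u" \
        "$(vsftpd_user_chrooted "$tmp/vsftpd.conf" "$u")" \
        "$(vsftpd_user_chrooted "$tmp/vsftpd-optin.conf" "$u")"
done
```

Pointed at the real /etc/vsftpd.conf (`vsftpd_user_chrooted /etc/vsftpd.conf user`), the helper shows at a glance whether an account that "can access anywhere" is missing from the chroot policy or listed as an exception.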