Shared chrooted directory for all users in vsftpd
The goal is to only allow a certain group of users to login to the server. After login they land in the same shared directory. Under the hood they all operate as a single user dedicated user.
This is a setup that drove me nearly mad. I was off to a bad start. PAM refused to work due to SELinux preventing IPC communication to confirm the AD credentials. Once I got that working I was still fiddling for a while to get everything right.
- Linux / Unix server (Tested on Ubuntu 14.04)
- vsftpd (Version 3.x)
The /etc/pam.d/vsftpd file needs to have the highlighted line added.
# Standard behaviour for ftpd(8). auth required pam_listfile.so item=group sense=allow file=/etc/vsftpd.d/group_list onerr=fail # Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so. # Standard pam includes @include common-account @include common-session @include common-auth auth required pam_shells.so
Create the group_list file defined in the pam file. The ftpgroup contains every users allowed to login via ftp.
sudo mkdir /etc/vsftpd.d echo ftpgroup | sudo tee /etc/vsftpd.d/group_list
This directory is where the users land after login. They will be landing in a chroot so they don't see any thing other than the uploaded files.
sudo mkdir -p /var/share/ftp/upload sudo chown -R ftp:ftp /var/share/ftp sudo chmod 550 /var/share/ftp sudo chmod 750 /var/share/ftp/upload
Finally the /etc/vsftpd.conf needs to look similar to the one below.
anonymous_enable=NO local_enable=YES dirmessage_enable=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES secure_chroot_dir=/var/run/vsftpd/empty pam_service_name=vsftpd write_enable=YES guest_enable=YES guest_username=ftp chroot_local_user=YES local_root=/var/share/ftp virtual_use_local_privs=YES
The highlighted portion is the customized part. Restart vsftpd after the configuration change.
With this configuration every member of the group ftpgroup is able to log in with her credentials. After login the user lands in the local directory /var/share/ftp, as the user is chrooted the ftp will only show it as "/" tho. Users can then upload files to the /upload directory.