Shared chrooted directory for all users in vsftpd

From braindump
Jump to: navigation, search

The goal is to only allow a certain group of users to login to the server. After login they land in the same shared directory. Under the hood they all operate as a single user dedicated user.

This is a setup that drove me nearly mad. I was off to a bad start. PAM refused to work due to SELinux preventing IPC communication to confirm the AD credentials. Once I got that working I was still fiddling for a while to get everything right.

Prerequisites

  • Linux / Unix server (Tested on Ubuntu 14.04)
  • vsftpd (Version 3.x)


Howto

PAM configuration

The /etc/pam.d/vsftpd file needs to have the highlighted line added.

# Standard behaviour for ftpd(8).
auth    required    pam_listfile.so item=group sense=allow file=/etc/vsftpd.d/group_list onerr=fail

# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.

# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth    required    pam_shells.so

Create the group_list file defined in the pam file. The ftpgroup contains every users allowed to login via ftp.

sudo mkdir /etc/vsftpd.d
echo ftpgroup | sudo tee /etc/vsftpd.d/group_list

Create the shared FTP directory

This directory is where the users land after login. They will be landing in a chroot so they don't see any thing other than the uploaded files.

sudo mkdir -p /var/share/ftp/upload 
sudo chown -R ftp:ftp /var/share/ftp
sudo chmod 550 /var/share/ftp
sudo chmod 750 /var/share/ftp/upload

vsftpd.conf

Finally the /etc/vsftpd.conf needs to look similar to the one below.

anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd

write_enable=YES
guest_enable=YES
guest_username=ftp
chroot_local_user=YES
local_root=/var/share/ftp
virtual_use_local_privs=YES

The highlighted portion is the customized part. Restart vsftpd after the configuration change.

Summary

With this configuration every member of the group ftpgroup is able to log in with her credentials. After login the user lands in the local directory /var/share/ftp, as the user is chrooted the ftp will only show it as "/" tho. Users can then upload files to the /upload directory.

See also