Permit access to files outside home directory for FTP user

Overview

In this article, I explain how to give an FTP user access to directories that are outside the home directory or outside the docroot of the codebase. I also describe the scenario in which this kind of access is needed.

Let's assume you have a client who wants access to two or three directories inside the docroot of the codebase, but you don't want to give access to the whole docroot. FTP gives access either to the whole directory or to a single directory inside the codebase. Since the client wants two or three directories, you need to expose those directories outside the docroot using the bind feature.

This article is a complete guide to creating a directory outside the home directory or docroot and binding the required directories to it.

I assume that you have already installed an FTP server on the system or server. If you have not installed one yet, read the posts below.

Read : Install vsftpd using source code on any Linux system
Read : Installation and configuration of FTP server on centos

Follow the step-by-step process below to provide access to files outside the home directory for an FTP user.

Step 1: Create FTP User

First, create the FTP user with the adduser command. It prompts you for a password and then asks you to fill in information about the FTP user.

root@ip-:~# adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
Creating home directory `/home/test' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 123456    [Enter password]
Retype new UNIX password: 123456   [Enter password]
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y

Step 2: Create Directory

Now create a directory outside the docroot of the codebase. Here I have created the directory "/data/importftp", and the docroot directory is /data/codebase/. Inside "/data/importftp", create one directory for each directory the client needs access to. Here I have created the directories "mediaftp" and "varftp".

mkdir -p /data/importftp
mkdir -p /data/importftp/mediaftp
mkdir -p /data/importftp/varftp

Step 3: Bind Directory

This is the important step: it binds the docroot directories to the directories outside the docroot. You can bind a directory using the mount command. Use the commands below.

mount --bind /data/codebase/media/import /data/importftp/mediaftp
mount --bind /data/codebase/var/import /data/importftp/varftp

Step 4: Chroot User

Chrooting a user restricts the user to a particular directory. The user cannot access or see any directory outside the directory provided. Change the default path of the FTP user in the /etc/passwd file.

vim /etc/passwd

#Default entry.
test:x:1001:1001:,,,:/home/test:/bin/bash

#Change to.
test:x:1001:1001:,,,:/data/importftp:/sbin/nologin

vim /etc/vsftpd.conf

#Change chroot_local_user from NO to YES (the option name is lowercase)
chroot_local_user=YES

#Add below line
allow_writeable_chroot=YES

Save & close the file.

Step 5: Add User in Group

Now provide access to the directories by adding the FTP user to the docroot group, and change the permissions of the docroot so that the FTP user is able to read and write in the directories.

Check the docroot group name using,

root@ip-1: ls -l /data/codebase
drwxrwxr-x 5 www-data www-data 4096 Sep 18 16:56 codebase

Add the FTP user to the www-data group using,

root@ip-1: usermod -a -G www-data test

Change docroot permissions,

root@ip-1: cd /data/codebase

root@ip-1: find . -type d -exec chmod 775 {} \; [This command changes all directory permissions to 775]

root@ip-1: find . -type f -exec chmod 664 {} \; [This command changes all file permissions to 664]

Step 6: Fstab entry

Now add the bind directories to the fstab file. This mounts the directories permanently on the system.

vim /etc/fstab

#Add below entry in fstab file
/data/codebase/media/import /data/importftp/mediaftp none bind 0 0
/data/codebase/var/import /data/importftp/varftp none bind 0 0

Save & close the file.

Step 7: Remount Directory

To apply the fstab entries and mount the directories, use the command below,

$ mount -a
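
A way to check that Steps 4 to 6 agree with each other before the client logs in, added here as an example that is not part of the original article: it confirms that the FTP user's home in the passwd file, the chroot setting in vsftpd.conf and the bind targets in fstab all point at the same jail. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: consistency check for the jail built in Steps 2-6.
# File paths are arguments so the check can run against copies.

# Home directory (6th passwd field) of user $1 in passwd file $2.
ftp_home() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "$2"
}

# Succeeds only if every chroot_local_user line in $1 is exactly
# "chroot_local_user=YES" (lowercase name, no spaces), as used in Step 4.
chroot_enabled() {
    grep -qx 'chroot_local_user=YES' "$1" &&
        ! grep -i '^[[:space:]]*chroot_local_user' "$1" |
            grep -qvx 'chroot_local_user=YES'
}

# Print fstab ($2) bind-mount targets that are not below home $1.
binds_outside_home() {
    awk -v h="$1" '
        $1 ~ /^#/ || NF < 4 { next }
        $4 ~ /(^|,)bind(,|$)/ && index($2, h "/") != 1 { print $2 }
    ' "$2"
}

# check_jail USER PASSWD VSFTPD_CONF FSTAB: 0 if consistent, 1 otherwise.
check_jail() {
    home=$(ftp_home "$1" "$2")
    [ -n "$home" ] || { echo "user $1 not found in $2"; return 1; }
    rc=0
    chroot_enabled "$3" || { echo "chroot_local_user=YES missing in $3"; rc=1; }
    stray=$(binds_outside_home "$home" "$4")
    [ -z "$stray" ] || { echo "bind targets outside $home:"; echo "$stray"; rc=1; }
    return "$rc"
}

# Constructed sample files (not copied from a real host).
demo=$(mktemp -d)
printf '%s\n' 'test:x:1001:1001:,,,:/data/importftp:/sbin/nologin' > "$demo/passwd"
printf '%s\n' 'chroot_local_user=YES' 'allow_writeable_chroot=YES' > "$demo/vsftpd.conf"
printf '%s\n' \
    '/data/codebase/media/import /data/importftp/mediaftp none bind 0 0' \
    '/data/codebase/var/import /data/importftp/varftp none bind 0 0' > "$demo/fstab"
check_jail test "$demo/passwd" "$demo/vsftpd.conf" "$demo/fstab" && echo "jail consistent"
rm -rf "$demo"
```

On a live server, pass /etc/passwd, /etc/vsftpd.conf and /etc/fstab as the three file arguments.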

This way you can provide access to two different directories outside the docroot. I hope you like the article. If you run into any difficulties using it, please post your queries or problems in the comment section. Till then, stay tuned to techthings.org for more such valuable articles.
