A while back I wrote about how to install an FTP server for your localhost. It is a very simple thing to do, and it is really useful. You can, for example, share files with other people via FTP, or access your files from any computer that has an internet connection. Even with your phone. SSH is always better, of course, because it is a remote shell, but FTP is sometimes enough.
The FTP server we are using is vsftpd, and basically, any user that is registered on the machine can log in via FTP. This could be a problem. For example, I was required to give one of my clients access to my local server via FTP. I wanted to restrict the directories he has access to, but if you don’t set up vsftpd properly, you can end up giving somebody full access to your machine. This is a real problem.
So, how do you add new users to vsftpd properly? You need to change the configuration file for vsftpd.
First you need to create a new user, if you don’t have it yet. In my case I didn’t. Just create a user as you would normally do. On Ubuntu 11.10, just go to the User button on the top right corner, and choose the Online Accounts… option. This will open up a window, and there you can choose to create a new user.
Once your new user has been created, a home folder for that user is created too. In my case, I wanted to give this new user access to another part of the computer, so I just changed the user’s default home folder to the path of the directory I wanted to give the user access to:
sudo usermod -d /path/to/new/homedir/ username
Just input that on the command line, and press enter. Remember to change the path and the username to the correct values.
Once we have the user set, it is time to modify the vsftpd configuration file.
Just open the file, which should be located at /etc/vsftpd.conf
and set them as shown above. You might need to open the config file with root privileges. In that case sudo will be your friend, or gksudo if you are using a graphical text editor.
These two settings tell vsftpd that you will be using a list to specify which users will chroot() to their home directory. This means that for those users the root or topmost directory will be their home directory, thus preventing them from having access to any other part of your computer.
Since you are already editing the config file, you might want to set the local_umask directive to 022.
vsftpd has a default umask of 077, which means that when a user uploads a file to the server, the file gets set with permission 700, and this makes it pretty much inaccessible, depending on your server configuration.
Save your changes, then create a new file in /etc/ and call it vsftpd.chroot_list:
sudo touch /etc/vsftpd.chroot_list
Open this file and add the name of the users you want to chroot() to their home directory.
sudo restart vsftpd
And you are all set. Before giving your user their username and password, you might want to check that in fact everything went well, and they cannot access anything beyond their home directory.
Something I learned is that you should not put a comment after any of the directives in the config file. It will cause an error and you might have to reconfigure vsftpd.
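One way to run that check against the configuration itself, as an added example that is not part of the original post: the shell function below flags a comment or stray space on a directive line, and a chroot list that is disabled, inverted by chroot_local_user=YES, or empty. It assumes booleans are written YES/NO as in the vsftpd.conf man page; the function names, the sample config and the user name alice are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for the
# chroot-list setup. Prints one finding per line, nothing if the file passes.

# Value of the last "KEY=value" line that starts at column 1 (empty if unset).
get_opt() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

audit_vsftpd_conf() {
    conf=$1
    # vsftpd only treats a line as a comment when it starts with '#'. Text
    # after a value, or a space around '=', is read as part of the setting.
    awk '/^[a-z0-9_]+=.*[ \t]#/        { print "line " NR ": comment after value" }
         /^[a-z0-9_]+([ \t]+=|=[ \t])/ { print "line " NR ": space around =" }' "$conf"

    # Assumption: booleans are written YES/NO, as in the vsftpd.conf man page.
    if [ "$(get_opt "$conf" chroot_list_enable)" != "YES" ]; then
        echo "chroot_list_enable is not YES: the chroot list is ignored"
    elif [ "$(get_opt "$conf" chroot_local_user)" = "YES" ]; then
        # With chroot_local_user=YES the listed users are the ones NOT jailed.
        echo "chroot_local_user=YES inverts the list: listed users are not jailed"
    fi

    list=$(get_opt "$conf" chroot_list_file)
    list=${list:-/etc/vsftpd.chroot_list}    # vsftpd's default location
    [ -s "$list" ] || echo "chroot list $list is missing or empty"
}

# Constructed sample config and list (alice is a made-up user name).
tmp=$(mktemp -d)
printf 'alice\n' > "$tmp/chroot_list"
cat > "$tmp/sample.conf" <<EOF
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$tmp/chroot_list
local_umask=022 # world-readable uploads
EOF
audit_vsftpd_conf "$tmp/sample.conf"
rm -rf "$tmp"
```

On a real server, call audit_vsftpd_conf /etc/vsftpd.conf before restarting vsftpd; no output means none of these problems were found.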