
Tuesday, February 19, 2013

Chroot vsftpd on CentOS 6

Here is how to set up a chrooted vsftpd on CentOS 6. The need was for FTP users to be able to upload to their own directories inside /var/www/html/uploads/ (any other location works just as well). I also had to make sure the users weren't able to log in via SSH, and that the web application had access to the files they uploaded.

Install :

root@allnewspaper.info:~# yum -y install vsftpd

Vsftpd :

In vsftpd.conf, set or uncomment the following:

root@allnewspaper.info:~# vim /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

The /etc/vsftpd/chroot_list file has to exist or logins will fail. With chroot_local_user=YES it lists the users that are exempted from the chroot, so leaving it empty chroots every local user. Create it:

root@allnewspaper.info:~# touch /etc/vsftpd/chroot_list

Now the vsftpd daemon can be started, so:

root@allnewspaper.info:~# chkconfig vsftpd on
root@allnewspaper.info:~# service vsftpd start

Allowing vsftpd logins without a shell

I had to make sure that the accounts created didn't have SSH shell access. That means that when adding new users, I had to set their shell to /bin/false. But then vsftpd will not allow them to log in either. The solution is to remove the PAM (Pluggable Authentication Modules) requirement that the user have a valid shell for vsftpd. Edit /etc/pam.d/vsftpd and comment out the following line:

auth required pam_shells.so

To become:

#auth required pam_shells.so

Skeleton directory and default directory permissions

I needed the directories to have some other default directories in them. So I created a new directory for the skeleton in /etc/skel-ftp:

root@allnewspaper.info:~# mkdir /etc/skel-ftp

and put the default contents I needed there (mostly just other directories for the web application to move the uploaded files to, depending on whether processing was successful or not). I also needed the directory permissions to be 775, so I edited /etc/login.defs and set the UMASK variable to 002:

UMASK 002

SELinux

We need to allow users to upload to their home directories as well as allow vsftpd to get full write access since we're allowing users to upload to the /var/www/html directory. So:

root@allnewspaper.info:~# setsebool -P allow_ftpd_full_access=on
root@allnewspaper.info:~# setsebool -P ftpd_home_dir=on

Adding new users

So with all the preparation done, we need the specific command for adding new users. Some notes and reminders:

  • Users' home directories are located in /var/www/html/uploads/.
  • Users must not have SSH shell access.
  • Users' home directories need some default contents in them. We'll get these from /etc/skel-ftp/.
  • The user has to be part of the apache group (this is somewhat of a security risk, I believe). The web application has to parse the files uploaded, after which they'll be moved to a specific directory inside the user's home directory.

root@allnewspaper.info:~# useradd -m -k /etc/skel-ftp/ -b /var/www/html/uploads/ -g apache -s /bin/false USERNAME

Of course, set a password for the user after creating it:

root@allnewspaper.info:~# passwd USERNAME
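As an added example (not part of the original post), here is a small audit script that checks a host against the settings above: the four vsftpd.conf directives, the existence of the chroot list, the commented-out pam_shells.so line, and that every account homed under /var/www/html/uploads/ has /bin/false as its shell. The file paths are passed as arguments so it can be run against copies of the files; the upload base directory is the one used in this post.

```shell
#!/bin/sh
# Audit the vsftpd chroot setup from this post (added example, not the
# original's code). Returns 0 when every check passes, 1 otherwise.
UPLOAD_BASE=/var/www/html/uploads   # where FTP users' home directories live

# conf_value FILE KEY: print the last uncommented value of KEY=... in FILE
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]'
}

# require_setting FILE KEY EXPECTED: 0 if FILE sets KEY to EXPECTED
require_setting() {
    actual=$(conf_value "$1" "$2")
    if [ "$actual" = "$3" ]; then echo "ok   $2=$3"; return 0; fi
    echo "FAIL $2 is '${actual:-unset}', expected '$3'"
    return 1
}

# audit_vsftpd_chroot VSFTPD_CONF PAM_FILE PASSWD_FILE
audit_vsftpd_chroot() {
    conf=$1; pam=$2; passwd=$3; rc=0
    require_setting "$conf" anonymous_enable NO || rc=1
    require_setting "$conf" chroot_local_user YES || rc=1
    require_setting "$conf" chroot_list_enable YES || rc=1
    # The exception list file must exist, otherwise vsftpd rejects logins.
    list=$(conf_value "$conf" chroot_list_file)
    if [ -n "$list" ] && [ -f "$list" ]; then
        echo "ok   chroot_list_file=$list exists"
    else
        echo "FAIL chroot_list_file '${list:-unset}' does not exist"; rc=1
    fi
    # pam_shells.so must be commented out for /bin/false accounts to log in.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_shells\.so' "$pam"; then
        echo "FAIL pam_shells.so still active in $pam"; rc=1
    else
        echo "ok   pam_shells.so disabled in $pam"
    fi
    # Every account homed under UPLOAD_BASE must have /bin/false as its shell.
    bad=$(awk -F: -v base="$UPLOAD_BASE/" \
        'index($6, base) == 1 && $7 != "/bin/false" { print $1 }' "$passwd")
    if [ -n "$bad" ]; then
        echo "FAIL FTP users with a real shell: $(echo "$bad" | tr '\n' ' ')"; rc=1
    else
        echo "ok   all $UPLOAD_BASE users have shell /bin/false"
    fi
    return $rc
}
```

On a live CentOS 6 host, run it as `audit_vsftpd_chroot /etc/vsftpd/vsftpd.conf /etc/pam.d/vsftpd /etc/passwd`; the SELinux booleans are not covered since they need `getsebool` on the host itself.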

That's it!
Thanks