How To Set Up FTP isolation in CentOS or Ubuntu


Configuring Multi-User FTP with User Isolation

This article gives an overview of chroot environments and shows how to configure your FTP service for user isolation. The isolation itself takes only a few lines in the FTP service's main configuration file.

This article is also intended as a guide for our Core-Managed servers running CentOS or Ubuntu without a control panel. Our Fully Managed servers that use cPanel already have FTP user isolation configured by default and provide utilities for creating FTP users.

What is Chroot?

Chroot (change root) sets a new root directory for the environment a user runs in. From the user's perspective there is no higher directory to escape to: they are limited to the directory they start in and see only its contents. Keep in mind that chroot restricts the file system view, not privileges; the protection depends on the daemon dropping root privileges after entering the jail, which both ProFTPd and sshd do before handing the session to the user.

If a user tries to list the root (/) of the system, they get the contents of their chroot environment, not the actual root of the server. Read more about this at the following link.

 

Installing ProFTPd

As there are many FTP servers available (ProFTPd, Pure-FTPd and vsftpd, to name a few), this article focuses on ProFTPd for simplicity and brevity. It is also not a guide to installing the FTP service; that is covered in the Knowledge Base articles below.

https://www.staging.liquidweb.com/kb/how-to-install-proftpd-on-centos-7/

https://www.staging.liquidweb.com/kb/how-to-install-and-configure-proftpd-on-ubuntu-14-04-lts/

 

User Isolation with ProFTPd

User Setup

By default, ProFTPd authenticates against the system's /etc/passwd file, so FTP users are ordinary system users and need no separate creation step. There are many ways to create additional FTP users, but this is one way to get started.

Here are two typical entries from the system passwd file. From left to right, each line holds the username, the password placeholder (x; the hash itself lives in /etc/shadow), the user ID, the group ID, the comment field (empty here), the home directory and the login shell configured for that user.

user1:x:506:521::/home/user1:/bin/bash
user2:x:505:520::/home/user2:/bin/bash

To create these users, you would use the useradd command from the command line or whatever other methods you would typically use to create users on the server.

Create the user

useradd -m -d /home/homedir newuser

Set the user password

passwd newuser

If several users need access to the same directory, put them in the same group so that group-level permissions on the directory let everyone in the group reach the files each user uploads. In practice this means a shared group, group write permission on the directory and usually the setgid bit on it so that new uploads inherit the group. That level of user management is beyond the scope of this article, but be aware that it is possible.

ProFTPd User Configuration

To jail a user to their home directory within ProFTPd, set DefaultRoot to ~. On CentOS the configuration file is /etc/proftpd.conf; on Ubuntu the package installs it as /etc/proftpd/proftpd.conf.

vim /etc/proftpd.conf

DefaultRoot ~

With this set, it tells the FTP service to only allow the user to access their home directory. The ~ is a shortcut that tells the system to read whatever the user’s home directory is from the /etc/passwd file and use that value.

ProFTPd also lets you define multiple DefaultRoot directives, each qualified by a group expression, so that a jail applies only to the users matching that expression. The form is DefaultRoot path [group-expression]; the expression is a comma-separated list of group names, each optionally prefixed with ! to negate it. You can jail some users and not others, or jail a set of users to the same directory. The first DefaultRoot directive whose expression matches the user's groups is the one applied, so order the directives from most specific to most general.

When a new user is created as shown above, their primary group has the same name as the username. You can add or change the user's groups after creation if necessary.

Jail Everyone Not in the “Special-Group”

DefaultRoot ~ !special-group

Jail Group1 and Group2 to the Same Directory

A comma in a ProFTPd group expression is a logical AND, so a single DefaultRoot /path/to/uploads group1,group2 would apply only to users who belong to both groups. To jail members of either group to the same directory, use one directive per group:

DefaultRoot /path/to/uploads group1
DefaultRoot /path/to/uploads group2

The target directory must exist and be readable by those users, otherwise ProFTPd cannot enter the jail and rejects their logins.

After making these changes to the proftpd.conf file, check the syntax and then restart the FTP service. ProFTPd's -t flag parses the configuration without starting the daemon, so a typo is caught before the running service is taken down:

proftpd -t

CentOS 6.x (init)

/etc/init.d/proftpd restart

CentOS 7.x (systemd)

systemctl restart proftpd

Ubuntu 14.04 (upstart)

service proftpd restart

Ubuntu 16.04 and later (systemd)

systemctl restart proftpd

 

User Isolation with SFTP (SSH)

You can also isolate SFTP users or restrict a subset of SSH users to only have SFTP access. Again, this pertains to regular system users created using the useradd command.

While FTP can be encrypted with TLS (FTPS), that is an additional layer of setup and configuration, and plain FTP otherwise sends passwords and data in clear text. SFTP, by contrast, runs file transfers over an SSH connection, which is encrypted by default. If you are concerned about security and unsure about adding TLS to your FTP configuration, SFTP is the option to look at.

 

SFTP User Setup

Create the user and their home directory just as for the FTP user, but set the shell to one that refuses interactive logins. We assume you want SFTP-only users rather than shell users, so the restricted shell keeps them from logging in over plain SSH. On CentOS that shell is /sbin/nologin; on Ubuntu it is /usr/sbin/nologin. The nologin shell is what blocks an interactive login; the ForceCommand internal-sftp setting below is what keeps an SFTP session from ever invoking a shell.

useradd -m -d /home/homedir/ -s /sbin/nologin username

passwd username

sshd enforces strict ownership on the jail: the chroot directory and every directory above it must be owned by root and must not be writable by group or others, otherwise the login is refused and sshd logs "bad ownership or modes for chroot directory". Because the user therefore cannot write at the top of the jail, create an upload subdirectory inside it and give that directory to the user.

chmod 755 /home/homedir/

chown root. /home/homedir/

mkdir -p /home/homedir/upload-dir/

chown username. /home/homedir/upload-dir/

 

SFTP Configuration

Here, setting ChrootDirectory to %h confines the user to their home directory as recorded in /etc/passwd when the user was created. ForceCommand internal-sftp makes sshd run its built-in SFTP server for that session regardless of what the client asked for, so the user cannot obtain a shell or run other commands even though they authenticated over SSH. Because internal-sftp runs inside the sshd process, the jail needs no /bin/sh or sftp-server binary inside it. Two details matter when editing the file: replace the existing Subsystem sftp line rather than adding a second one, since sshd refuses to start with two definitions; and put Match blocks at the end of sshd_config, because every line after a Match belongs to that block until the next Match.

/etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match User user1,user2,user3
ChrootDirectory %h
ForceCommand internal-sftp

Jail Multiple SFTP Users to a Location

Alternatively, to jail several users to the same location, put them in one group, give them the same home directory (or set ChrootDirectory to a fixed path such as /srv/sftp instead of %h) and use a Match Group block in the SSH configuration. The same ownership rules apply: the shared directory and its parents must be root-owned and not group- or world-writable, with a user-owned subdirectory underneath for each user to write into.

vim /etc/ssh/sshd_config

Subsystem sftp internal-sftp
Match Group groupname
ChrootDirectory %h
ForceCommand internal-sftp

After making these changes to the sshd_config file, test the configuration and then restart the SSH service. Always run the syntax check first: a broken sshd_config restarted over an SSH session can lock you out of the server.

sshd -t

CentOS 6.x (init)

/etc/init.d/sshd restart

CentOS 7.x (systemd)

systemctl restart sshd

Ubuntu (the service is named ssh, not sshd)

service ssh restart

Keep your current session open and verify from a second connection that a jailed user lands in the chroot: after `sftp username@server`, `pwd` should report / and `ls` should show only the jail's contents (the upload directory), and `ssh username@server` should be refused.

Further Reading can be found at:

How to Install ProFTPD on Fedora 21 (legacy documentation; Fedora 21 has reached end of life)
How to Install ProFTPD on Fedora 20 (legacy documentation; Fedora 20 has reached end of life)
How to Install and Configure ProFTPD on Ubuntu 14.04 LTS
How to Install and Configure ProFTPD on Ubuntu 12.04 LTS
How to Install ProFTPD on CentOS 7
How to Install ProFTPD on CentOS 6