I've found tons of entries for this topic - but I've still not managed to get the following running:
I like to provide a new user for accessing a specific already existing folder, whose owner must not be changed. Folder permissions should be added by ACL's. The user must not access any other folder than that. The user should upload files in that folder.
I already tried configuring it with sshd - but that way the folder seems to need root owner. Next I tried with vsftp and followed several guides. I came to that point, that the user could login, but its entry point is at root "/" with no permissions or anywhere.
I didn't manage to restrict the user to just one directory.
With the actual configuration I cannot even login anymore:
Details: CentOS Linux release 7.9.2009 (Core)
Steps: create testuser + ftpusers group
testuser:x:1009:1010::/ftp/upload:/usr/sbin/nologin
for testing purposes:
chown -R testuser:ftpusers /ftp
vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
allow_writeable_chroot=YES
local_umask=0000
file_open_mode=0777
pasv_min_port=30000
pasv_max_port=31000
chroot_local_user=YES
local_root=/ftp/upload
user_sub_token=$USER
getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> on
cat user_list
testuser
systemctl restart vsftpd
ftp to server
Connected to ftp-server (x.x.x.x).
220 Works!
Name (ftp-server:root): testuser
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
--> note: "userlist_deny=NO" already configured
0 Answers