Ok, as for me, I haven’t liked ftp since I discovered ssh. But not all of my customers have discovered ssh, and most of them never will. So when I ask my customers to move to DigitalOcean hosting, I probably should provide ftp access to their sites.
So one day I decided to install ftpd on my $5/month DigitalOcean droplet (worth every penny, I might add).
The DigitalOcean instructions were pretty straightforward: install vsftpd, uncomment a couple of lines in the config, restart the service and you are good to go!
“Not so fast”, said my inner paranoid, and it was right…
Let’s begin with what we want. We definitely do not want to provide root ftp access to our precious server. (On Debian and Ubuntu the vsftpd PAM configuration already denies every account listed in /etc/ftpusers, and root is in that list by default; keep it there.) So what we need is an ordinary user account whose ftp access is caged in its home directory.
Step 1. Install the server.
Well, that is obvious:
sudo apt-get install vsftpd
Step 2. Configure the server
Now, open /etc/vsftpd.conf:
sudo nano /etc/vsftpd.conf
Set or uncomment the following parameters as shown below:
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=NO
chroot_list_file=/etc/vsftpd.chroot_list
allow_writeable_chroot=YES
Step 3. Restart the ftp server
sudo service vsftpd restart
For the hasty ones, that’s it!
For the nerds like me, a few explanations.
Every option is described in detail in the vsftpd.conf man page (man 5 vsftpd.conf).
local_enable=YES
This lets local Linux users log in over ftp with their Linux credentials.
write_enable=YES
This lets ftp users upload data, not only download it.
allow_writeable_chroot=YES
Since version 2.3.5 vsftpd refuses to serve a chrooted user whose jail root (here the home directory) is writable; the login fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". This option turns that check off. The stricter alternative is to leave it off, remove the user's write permission on the home directory itself and give them a writable subdirectory for uploads.
chroot_local_user=YES
chroot_list_enable=NO
chroot_list_file=/etc/vsftpd.chroot_list
And this is my favorite part. These three define what ftp users will see as their root folder. I spent an hour figuring out how they work, because my ftp client cached the results and I thought the options did not work!
Below is the table of which folder an ftp user will see as the root folder. Note that the list changes meaning depending on chroot_local_user: with chroot_local_user=NO it names the users who ARE jailed, with chroot_local_user=YES it names the users who are NOT jailed (see vsftpd.conf(5)). With chroot_list_enable=NO the list file is never read, so chroot_list_file only matters in the last two rows.
|                                               | Users who ARE in vsftpd.chroot_list | Users who ARE NOT in vsftpd.chroot_list |
| chroot_local_user=NO,  chroot_list_enable=NO  | Server root folder: /               | Server root folder: /                   |
| chroot_local_user=YES, chroot_list_enable=NO  | Home folder                         | Home folder                             |
| chroot_local_user=NO,  chroot_list_enable=YES | Home folder                         | Server root folder: /                   |
| chroot_local_user=YES, chroot_list_enable=YES | Server root folder: /               | Home folder                             |
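The whole procedure from steps 1 to 3, plus a check that turns the table above into a question you can ask about a specific user, as an added example that is not part of the original post. It assumes the Debian/Ubuntu paths the post uses (/etc/vsftpd.conf, /etc/vsftpd.chroot_list) and the rule from vsftpd.conf(5) that the chroot list names users to jail when chroot_local_user=NO and users to exempt when it is YES; the function names and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. It applies the post's six vsftpd
# settings to a config file (rewriting commented-out or differing lines instead of
# appending duplicates) and answers "which root will this user see?" using the
# chroot_local_user / chroot_list_enable rules from vsftpd.conf(5).
# /etc/vsftpd.conf and /etc/vsftpd.chroot_list are the Debian/Ubuntu defaults from
# the post; the function names and the --apply flag are this example's own.

# set_opt FILE KEY VALUE: set KEY=VALUE in FILE. An existing line for KEY, commented
# out or not, is rewritten in place; otherwise the setting is appended.
set_opt() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^#?[[:space:]]*${key}=" "$file"; then
    sed -i -E "s|^#?[[:space:]]*${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_opt FILE KEY: print the effective value of KEY (vsftpd takes the last assignment).
get_opt() {
  grep -E "^[[:space:]]*${2}=" "$1" | tail -n 1 | cut -d= -f2-
}

# configure_vsftpd FILE: the settings from step 2 of the post.
configure_vsftpd() {
  local conf="$1"
  set_opt "$conf" local_enable YES              # local Unix accounts may log in
  set_opt "$conf" write_enable YES              # uploads, not just downloads
  set_opt "$conf" chroot_local_user YES         # jail every local user in $HOME
  set_opt "$conf" chroot_list_enable NO         # no exception list
  set_opt "$conf" chroot_list_file /etc/vsftpd.chroot_list
  set_opt "$conf" allow_writeable_chroot YES    # vsftpd >= 2.3.5 otherwise refuses a writable jail root
}

# is_chrooted FILE USER: exit 0 if USER will see $HOME as /, 1 if USER sees the real /.
# With chroot_local_user=NO the list names the users TO jail; with chroot_local_user=YES
# it names the users NOT to jail; the list is ignored unless chroot_list_enable=YES.
# So: jailed = chroot_local_user XOR (list enabled AND user listed).
is_chrooted() {
  local conf="$1" user="$2" in_list=0 list_file
  list_file=$(get_opt "$conf" chroot_list_file)
  : "${list_file:=/etc/vsftpd.chroot_list}"     # vsftpd's default when the option is unset
  if [ "$(get_opt "$conf" chroot_list_enable)" = YES ] \
     && [ -r "$list_file" ] && grep -qx "$user" "$list_file"; then
    in_list=1
  fi
  if [ "$(get_opt "$conf" chroot_local_user)" = YES ]; then
    [ "$in_list" -eq 0 ]
  else
    [ "$in_list" -eq 1 ]
  fi
}

# Run as `sh thisfile.sh --apply` on the droplet to do steps 1-3 for real. The config
# is edited in a copy and then installed, so set_opt never has to run sed -i as root.
if [ "${1-}" = "--apply" ]; then
  sudo apt-get install -y vsftpd
  sudo cp -n /etc/vsftpd.conf /etc/vsftpd.conf.orig   # keep the shipped config around
  work=$(mktemp)
  cp /etc/vsftpd.conf "$work"
  configure_vsftpd "$work"
  sudo install -m 644 -o root -g root "$work" /etc/vsftpd.conf
  rm -f "$work"
  sudo service vsftpd restart
fi
```

Without --apply the script only defines the functions, so you can source it and point configure_vsftpd or is_chrooted at a copy of the config. The sed pattern also catches the commented-out lines the shipped vsftpd.conf contains, which is why settings are rewritten in place rather than appended a second time; and because vsftpd honours the last assignment of an option, a stale duplicate further down the file would silently win over the one you edited.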
That’s all folks!
Just one little bonus I found while figuring out how these chroot_* options work. If you want to keep your users inside their home folder over ssh as well, not only over ftp, here's the magic spell (imagine you have the user madmax):
usermod -s /bin/rbash madmax
bash(1) describes what rbash forbids under RESTRICTED SHELL: cd, changing PATH, command names containing a slash, and output redirection. Two caveats before you cast it. On Debian and Ubuntu the vsftpd PAM configuration checks the login shell against /etc/shells, so make sure /bin/rbash is listed there first, or the user's ftp login will start failing as well. And rbash is a speed bump, not a jail: any program the user can start that spawns a shell (an editor, or simply running bash, which rbash will happily look up in PATH) runs unrestricted. If you want to undo the spell:
usermod -s /bin/bash madmax
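What the spell actually buys you, as an added example that is not part of the original post: it runs commands through a restricted bash (bash -r, the same mode /bin/rbash gives a login) and reports which ones are refused, and wraps the usermod calls with the /etc/shells check. The helper names are this example's own, and the /etc/shells requirement assumes the Debian/Ubuntu vsftpd PAM setup with pam_shells.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows what a restricted shell
# (rbash, i.e. bash -r) stops and what it does not, and guards the post's usermod
# spell with the /etc/shells check. Helper names are this example's own; the
# /etc/shells requirement comes from pam_shells in the Debian/Ubuntu vsftpd PAM stack.

# rbash_blocks CMD: exit 0 if a restricted bash refuses to run CMD, 1 if it runs it.
rbash_blocks() {
  ! bash -r -c "$1" >/dev/null 2>&1
}

# rbash_output CMD: whatever the restricted shell prints for CMD (empty if refused).
rbash_output() {
  bash -r -c "$1" 2>/dev/null
}

# restrict_shell USER: the post's spell, refused if it would also break ftp logins
# (pam_shells rejects accounts whose login shell is not listed in /etc/shells).
restrict_shell() {
  local user="$1"
  if ! grep -qx /bin/rbash /etc/shells; then
    echo "/bin/rbash is not in /etc/shells; ftp logins for $user would start failing" >&2
    return 1
  fi
  sudo usermod -s /bin/rbash "$user"
}

# unrestrict_shell USER: undo the spell.
unrestrict_shell() {
  sudo usermod -s /bin/bash "$1"
}
```

The cases worth trying with rbash_blocks are the four things bash(1) lists (cd, assigning PATH, a slash in the command name, output redirection) and then `bash -c "cd / && pwd"`: the inner bash is found through the unchanged PATH, starts without -r, and prints the real root, which is the whole caveat in one line.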