Configuring Multi-User FTP with User Isolation
This article is intended to give an overview of a chroot environment and configuring your FTP service for user isolation. This is done with a few lines within the main configuration file of the FTP service.
This article is also intended as a guide for our Core-Managed servers running CentOS or Ubuntu without a control panel. Our Fully Managed servers that utilize the cPanel software already have the FTP user isolation configured by default and also provide utilities for creating FTP users.
What is Chroot?
Chroot or change-root is the implementation of setting a new root directory for the environment that a user has access to. By doing this, from the user’s perspective, there will appear to be no higher directory that the user could escape to. They would be limited to the directory they start in and only see the contents inside of that directory.
If a user were to try and list the contents of the root (/) of the system, it would return the contents of their chroot environment and not the actual root of the server. Read more about this at the following link.
Installing ProFTPd
As there are many FTP options available, ProFTPd, Pure-FTPd, vsftpd, to name a few, this article will only focus on the use of ProFTPd for simplicity and brevity. This is also not intended to be a guide for installing an FTP service as it’s covered in our Knowledge Base articles below.
https://www.liquidweb.com/kb/how-to-install-proftpd-on-centos-7/
https://www.liquidweb.com/kb/how-to-install-and-configure-proftpd-on-ubuntu-14-04-lts/
User Isolation with ProFTPd
User Setup
By default, ProFTPd will read the system /etc/passwd file. These users in this file are the normal system users and are not required to be created outside of normal user creation. There are many ways to create additional FTP users, but this is one way to get started.
Here are some typical entries from the system passwd file. From left to right, you can see the username the user and group IDs, the home directory and the default shell configured for that user.
user1:x:506:521::/home/user1:/bin/bashuser2:x:505:520::/home/user2:/bin/bash
To create these users, you would use the useradd command from the command line or whatever other methods you would typically use to create users on the server.
Create the user
useradd -m -d /home/homedir newuser
Set the user password
passwd newuser
If you are setting up multiple users that all need to have access to the same directory, you will need to make sure that the users are all in the same group. Being in the same group means that each user can have group level access to the directory and allow everyone in the group to access the files that each user uploads. This level of user management is beyond the scope of this article, but be aware that things of this nature are possible.
ProFTPd User Configuration
To jail a user to their home directory within ProFTPd, you have to set the DefaultRoot value to ~.
vim /etc/proftpd.conf
DefaultRoot ~
With this set, it tells the FTP service to only allow the user to access their home directory. The ~ is a shortcut that tells the system to read whatever the user’s home directory is from the /etc/passwd file and use that value.
Using this functionality in ProFTPd, you can also define multiple DefaultRoot directives and have those restrictions match based on some criteria. You can jail some users, and not others, or jail a set of users all to the same directory if desired. This is done by matching the group that a user belongs to.
When a new user is created, as shown above, their default group will be the same as their username. You can, however, add or modify the group(s) assigned to the user after they are created if necessary.
Jail Everyone Not in the “Special-Group”
DefaultRoot ~ !special-group
Jail Group1 and Group2 to the Same Directory
DefaultRoot /path/to/uploads group1,group2
After making these changes to the proftpd.conf file you’ll need to restart the FTP service.
CentOS 6.x (init)
/etc/init.d/proftpd restart
CentOS 7.x (systemd)
systemctl restart proftpd
User Isolation with SFTP (SSH)
You can also isolate SFTP users or restrict a subset of SSH users to only have SFTP access. Again, this pertains to regular system users created using the useradd command.
While you can secure FTP communications using SSL, this is an extra level of setup and configuration. SFTP, by contrast, is used for file transfers over an SSH connection. SSH is an encrypted connection to the server and is secure by default. If you are concerned about security and are unsure about adding SSL to your FTP configuration, this may be another option to look into.
SFTP User Setup
Create the user and their home directory just like with the FTP user, but here we make sure to set the shell to not allow normal SSH login. We are presuming that you are looking for SFTP-only users and not just regular shell users, so we add the restriction on the shell to prevent non-SFTP logins.
useradd -m -d /home/homedir/ -s /sbin/nologin username
passwd username
We need to make sure that permissions and ownership are set for the home directory to be owned by root, and the upload directory is owned by the user.
chmod 755 /home/homedir/
chown root. /home/homedir/
mkdir -p /home/homedir/upload-dir/
chown username. /home/homedir/upload-dir/
SFTP Configuration
Hereby setting the ChrootDirectory to the %h variable, we are confining the user to their home directory as set up when the user was created. Using the ForceCommand directive also limits the commands the user is allowed to execute to only SFTP commands used for file transfers, again eliminating the possibility that the users will be able to break out of the jail and into a normal shell environment.
/etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match User user1,user2,user3
ChrootDirectory %h
ForceCommand internal-sftp
Jail Multiple FTP Users to a Location
Alternatively, if you wanted to have multiple users all jailed to the same location, you can set them all to be in the same group, have the same home directory, and then use a Match Group directive within the SSH configuration.
vim /etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match Group groupname
ChrootDirectory %h
ForceCommand internal-sftp
After making these changes to the sshd_config file, restart the SSH service. One of the following commands should work for you.
CentOS 6.x (init)
/etc/init.d/sshd restart
CentOS 7.x (systemd)
systemctl restart sshd
Further Reading can be found at:
- https://www.proftpd.org/docs/directives/linked/config_ref_DefaultRoot.html
- https://www.proftpd.org/docs/howto/AuthFiles.html
- https://www.proftpd.org/docs/howto/Chroot.html