In this article, we discuss how to remedy the following error message in VSFTPD.
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
user1:x:506:521::/home/user1:/bin/bash
user2:x:505:520::/home/user2:/bin/bash
To create these users, use the useradd command from the command line, or whatever other method you typically use to create users on the server.
Create the user
useradd -m -d /home/homedir newuser
Set the user password
passwd newuser
If you are setting up multiple users that all need access to the same directory, make sure that the users are all in the same group. Sharing a group gives each user group-level access to the directory, so everyone in the group can access the files that each user uploads. This level of user management is beyond the scope of this article, but be aware that it is possible.
vim /etc/proftpd.conf
DefaultRoot ~
This setting tells the FTP service to only allow each user to access their own home directory. The ~ is a shortcut that tells the system to read the user’s home directory from the /etc/passwd file and use that value.
Using this functionality in ProFTPd, you can also define multiple DefaultRoot directives and have those restrictions match based on some criteria. You can jail some users, and not others, or jail a set of users all to the same directory if desired. This is done by matching the group that a user belongs to.
When a new user is created, as shown above, their default group will be the same as their username. You can, however, add or modify the group(s) assigned to the user after they are created if necessary.
Jail Everyone Not in the “Special-Group”
DefaultRoot ~ !special-group
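Jail Group1 and Group2 to the Same Directory
DefaultRoot /path/to/uploads group1
DefaultRoot /path/to/uploads group2
ProFTPd evaluates a comma-separated group list as a logical AND (the user must belong to every listed group), so jailing the members of either group takes one DefaultRoot line per group.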
After making these changes to the proftpd.conf file you’ll need to restart the FTP service.
CentOS 6.x (init)
/etc/init.d/proftpd restart
CentOS 7.x (systemd)
systemctl restart proftpd
useradd -m -d /home/homedir/ -s /sbin/nologin username
passwd username
The home directory must be owned by root and must not be writable by group or others, because sshd will not chroot into a directory that fails this check. The upload directory inside it is owned by the user, which gives them a place to write files.
chmod 755 /home/homedir/
chown root: /home/homedir/
mkdir -p /home/homedir/upload-dir/
chown username: /home/homedir/upload-dir/
/etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match User user1,user2,user3
ChrootDirectory %h
ForceCommand internal-sftp
Jail Multiple FTP Users to a Location
Alternatively, if you want multiple users all jailed to the same location, put them all in the same group, give them the same home directory, and then use a Match Group directive within the SSH configuration.
vim /etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match Group groupname
ChrootDirectory %h
ForceCommand internal-sftp
After making these changes to the sshd_config file, restart the SSH service. One of the following commands should work for you.
CentOS 6.x (init)
/etc/init.d/sshd restart
CentOS 7.x (systemd)
systemctl restart sshd
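The ownership and permission requirement on the chroot directory can be checked before users start connecting. The script below is an added example, not part of the original article: it walks from the directory up to / and reports any component that is not root-owned or is writable by group or others, which is the condition sshd_config(5) places on ChrootDirectory. It assumes GNU stat (as shipped with CentOS); the function names and the script name in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are
# illustrative. Requires GNU stat, as shipped with CentOS.

# mode_is_safe MODE: succeed if the octal MODE has no group/other write bit.
mode_is_safe() {
    bits=$(( 0$1 & 022 ))        # leading 0 makes the shell read MODE as octal
    [ "$bits" -eq 0 ]
}

# check_chroot_path DIR: succeed only if DIR and every parent up to / is a
# root-owned directory that group and others cannot write to.
check_chroot_path() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 2
    fi
    dir=$(cd "$dir" && pwd -P) || return 2    # resolve symlinks first
    while :; do
        owner=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")
        if [ "$owner" -ne 0 ]; then
            echo "FAIL $dir: owned by uid $owner, not root"
            rc=1
        fi
        if ! mode_is_safe "$mode"; then
            echo "FAIL $dir: mode $mode is writable by group or others"
            rc=1
        fi
        if [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage (hypothetical script name): sh check-chroot.sh /home/homedir
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: $1 is acceptable as a chroot"
fi
```

Run it as root against the same path that ChrootDirectory resolves to (the user's home directory when %h is used); a non-zero exit status means at least one path component needs its owner or mode corrected.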
Further reading can be found at proftpd.org.