Chroot FTP users to /var/www/html Directory - CentLinux

Monday, 22 March 2021

Chroot FTP users to /var/www/html Directory

In this guide, you will learn how to chroot FTP users to /var/www/html directory.

 


    Problem Definition:

    In some situations, we have to give FTP access to users, but we do not want them to be able to access the whole server over the FTP protocol.

    For such scenarios, we configure a chroot jail that confines FTP users to their home directories. But sometimes we are required to chroot them to another directory, while keeping their home directories intact for SSH access.

    In this article, we will show you how to install the vsftpd (Very Secure FTP Daemon) service and configure a chroot jail for the FTP users that limits their FTP sessions to their respective /var/www/html/[username] directories.

     

    Environment Specification:

    We are using a minimal Red Hat Enterprise Linux 8 virtual machine with the following specifications.

    • CPU - 3.4 GHz (2 cores)
    • Memory - 2 GB
    • Storage - 40 GB
    • Operating System - RHEL 8.3
    • Hostname - apache-01.centlinux.com
    • IP Address - 192.168.116.238/24

     

    Create Users in Linux Operating System:

    Connect to apache-01.centlinux.com as the root user using an SSH client.

    You need user accounts for accessing your FTP server. Execute the following commands to create the users and set their respective passwords.

    [root@apache-01 ~]# useradd user1
    [root@apache-01 ~]# echo "linuxpassword" | passwd --stdin user1
    Changing password for user user1.
    passwd: all authentication tokens updated successfully.
    [root@apache-01 ~]# useradd user2
    [root@apache-01 ~]# echo "linuxpassword" | passwd --stdin user2
    Changing password for user user2.
    passwd: all authentication tokens updated successfully.

    Hint: If you want to disable SSH access for these users, set their login shell to /sbin/nologin.
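The following script is an added example, not part of the CentLinux article: it creates FTP-only accounts with the nologin shell the hint suggests, and first checks the one thing that silently breaks such accounts. It assumes that /etc/pam.d/vsftpd contains "auth required pam_shells.so" (the RHEL 8 default), which rejects any account whose shell is not listed in /etc/shells, so the nologin shell has to be listed there or FTP logins fail even with the correct password. The function names and the default shell path are this example's own.

```shell
#!/bin/bash
# Added example (not from the article): FTP-only accounts with a non-interactive
# shell, plus the /etc/shells check that vsftpd's PAM stack (pam_shells) needs.

# True if SHELL_PATH appears as a whole line in SHELLS_FILE (default /etc/shells).
shell_is_listed() {
    local shell_path="$1" shells_file="${2:-/etc/shells}"
    grep -qxF "$shell_path" "$shells_file"
}

# Create USER with the non-interactive shell NOLOGIN (default /sbin/nologin)
# and set its password interactively, so the password never appears on a
# command line or in the shell history. Needs root.
ftp_user_create() {
    local user="$1" nologin="${2:-/sbin/nologin}"
    if ! shell_is_listed "$nologin"; then
        echo "$nologin is not in /etc/shells; pam_shells would reject FTP logins for $user" >&2
        echo "add it with: echo $nologin >> /etc/shells" >&2
        return 1
    fi
    # create the account only if it does not exist yet (safe to re-run)
    id "$user" >/dev/null 2>&1 || useradd -s "$nologin" "$user"
    passwd "$user"   # prompts for the new password
}

# Usage: ./ftp-user.sh user1 [/sbin/nologin]
if [ $# -ge 1 ]; then
    ftp_user_create "$@"
fi
```

The check runs against an arbitrary shells file, so it can be tested without touching the system's /etc/shells; on the server itself, `shell_is_listed /sbin/nologin` tells you whether the hint's setting will work with vsftpd before any user is locked out.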

     

    Install VSFTPD Software on RHEL 8:

    VSFTPD is the default and preferred FTP server software in RHEL 8. You can install the vsftpd package from the standard yum repositories if you have configured a valid Red Hat subscription.

    [root@apache-01 ~]# dnf install -y vsftpd
    Updating Subscription Management repositories.
    Last metadata expiration check: 0:09:28 ago on Sun 21 Mar 2021 08:42:25 AM EDT.
    Dependencies resolved.
    ================================================================================
     Package     Arch       Version           Repository                        Size
    ================================================================================
    Installing:
     vsftpd      x86_64     3.0.3-32.el8      rhel-8-for-x86_64-appstream-rpms  180 k

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total download size: 180 k
    Installed size: 343 k
    Downloading Packages:
    [MIRROR] vsftpd-3.0.3-32.el8.x86_64.rpm: Curl error (28): Timeout was reached for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/Packages/v/vsftpd-3.0.3-32.el8.x86_64.rpm [Operation timed out after 30001 milliseconds with 0 out of 0 bytes received]
    vsftpd-3.0.3-32.el8.x86_64.rpm                   4.1 kB/s | 180 kB     00:43
    --------------------------------------------------------------------------------
    Total                                            4.1 kB/s | 180 kB     00:43
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                        1/1
      Installing       : vsftpd-3.0.3-32.el8.x86_64                             1/1
      Running scriptlet: vsftpd-3.0.3-32.el8.x86_64                             1/1
      Verifying        : vsftpd-3.0.3-32.el8.x86_64                             1/1
    Installed products updated.

    Installed:
      vsftpd-3.0.3-32.el8.x86_64

    Complete!

     

    Create Self Signed Certificate for FTP Service:

    Create a self-signed certificate for our FTP server. It is required because the vsftpd configuration below forces TLS for logins; without a certificate, you won't be able to log in as an FTP user.

    You can execute the following openssl command to generate a self-signed certificate and a private key.

    [root@apache-01 ~]# openssl req -x509 -nodes -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem -days 365 -newkey rsa:2048
    Generating a RSA private key
    .........+++++
    ......+++++
    writing new private key to '/etc/vsftpd/vsftpd.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:PK
    State or Province Name (full name) []:Sindh
    Locality Name (eg, city) [Default City]:Karachi
    Organization Name (eg, company) [Default Company Ltd]:Centlinux
    Organizational Unit Name (eg, section) []:IT Lab
    Common Name (eg, your name or your server's hostname) []:apache-01.centlinux.com
    Email Address []:ahmer@apache-01.centlinux.com

    Hint: If you have a Certificate Authority configured for your network, you can generate a CSR (Certificate Signing Request) instead and have it signed by your Certificate Authority.

     

    Configure VSFTPD Service for SSL and Chroot:

    Add your users to the vsftpd user_list file. You can use the vim text editor to edit it.

    [root@apache-01 ~]# vi /etc/vsftpd/user_list

    Add the users to this file.

    # vsftpd userlist
    # If userlist_deny=NO, only allow users in this file
    # If userlist_deny=YES (default), never allow users in this file, and
    # do not even prompt for a password.
    # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
    # for users that are denied.
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    mail
    news
    uucp
    operator
    games
    nobody
    user1
    user2

    Take a backup of the vsftpd.conf file, then edit it in the vim text editor.

    [root@apache-01 ~]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.org
    [root@apache-01 ~]# vi /etc/vsftpd/vsftpd.conf

    Locate and set the following directives in this file.

    userlist_enable=YES
    userlist_deny=NO
    ssl_enable=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    ssl_tlsv1_2=YES
    rsa_cert_file=/etc/vsftpd/vsftpd.pem
    rsa_private_key_file=/etc/vsftpd/vsftpd.key
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    require_ssl_reuse=NO
    ssl_ciphers=HIGH
    pasv_min_port=30000
    pasv_max_port=31000
    debug_ssl=YES
    chroot_local_user=YES
    local_root=/var/www/html/$USER
    user_sub_token=$USER
    allow_writeable_chroot=YES
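The following audit script is an added example and not part of the CentLinux article or of vsftpd itself. It re-reads a vsftpd.conf and reports any of the directives set above that are missing or have a different value, and it points out two settings that deserve attention: allow_writeable_chroot=YES, which the layout above needs because the user owns the jail root but which switches off vsftpd's own refusal to run in a writable chroot root, and debug_ssl=YES, which is a troubleshooting setting. It also cross-checks user_list against /etc/vsftpd/ftpusers: with userlist_deny=NO the user_list file is an allow list, so the stock entries (root, bin, ...) that the file header describes as deny entries become allow entries that only the separate ftpusers deny list (checked by PAM) keeps out, and they are best removed. The script assumes vsftpd's plain key=value syntax (no spaces around "=", "#" starts a comment, the last occurrence of a key wins) and takes all file paths as arguments.

```shell
#!/bin/bash
# Added example (not from the article): audit vsftpd.conf against the
# directives the article sets, and cross-check user_list against ftpusers.

# Effective value of directive KEY in CONF (empty if unset; last occurrence wins,
# which is how vsftpd itself treats repeated keys).
vsftpd_get() {
    local conf="$1" key="$2"
    grep "^${key}=" "$conf" | tail -n 1 | cut -d= -f2-
}

# Directives and values the article requires (constructed from its config step).
# "$USER" is vsftpd's own placeholder, kept literal by the single quotes.
VSFTPD_REQUIRED='userlist_enable=YES
userlist_deny=NO
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1_2=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
chroot_local_user=YES
local_root=/var/www/html/$USER
user_sub_token=$USER'

# Print one line per missing or mismatched directive and a WARNING line for
# each setting worth a second look; return the number of errors (0 = clean).
vsftpd_check() {
    local conf="$1" line key want have errors=0
    while IFS= read -r line; do
        key=${line%%=*}
        want=${line#*=}
        have=$(vsftpd_get "$conf" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"
            errors=$((errors + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (want $want)"
            errors=$((errors + 1))
        fi
    done <<EOF
$VSFTPD_REQUIRED
EOF
    [ "$(vsftpd_get "$conf" allow_writeable_chroot)" = "YES" ] &&
        echo "WARNING  allow_writeable_chroot=YES: jail root is writable by the user"
    [ "$(vsftpd_get "$conf" debug_ssl)" = "YES" ] &&
        echo "WARNING  debug_ssl=YES: verbose TLS logging, intended for troubleshooting"
    return "$errors"
}

# Print names that appear in both USERLIST (the allow list, userlist_deny=NO)
# and FTPUSERS (the PAM deny list); exit status 0 means at least one was found.
userlist_overlap() {
    local userlist="$1" ftpusers="$2"
    grep -v '^#' "$userlist" | grep -v '^$' | grep -xFf "$ftpusers" -
}

# Usage: ./vsftpd-audit.sh /etc/vsftpd/vsftpd.conf [/etc/vsftpd/user_list /etc/vsftpd/ftpusers]
if [ $# -ge 1 ]; then
    vsftpd_check "$1"
    if [ $# -ge 3 ]; then
        echo "names in user_list that ftpusers denies anyway:"
        userlist_overlap "$2" "$3"
    fi
fi
```

Run it after every edit of vsftpd.conf and before restarting the service; a non-zero exit status from vsftpd_check means one of the TLS or chroot directives above is not in effect.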

     

    Start VSFTPD Service:

    Enable and start the vsftpd service.

    [root@apache-01 ~]# systemctl enable --now vsftpd.service
    Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.

    Check the status of the vsftpd service.

    [root@apache-01 ~]# systemctl status vsftpd
    ● vsftpd.service - Vsftpd ftp daemon
       Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor pres>
       Active: active (running) since Sun 2021-03-21 09:37:18 EDT; 41s ago
      Process: 1643 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited>
     Main PID: 1644 (vsftpd)
        Tasks: 1 (limit: 5815)
       Memory: 868.0K
       CGroup: /system.slice/vsftpd.service
               └─1644 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

    Mar 21 09:37:18 apache-01.centlinux.com systemd[1]: Starting Vsftpd ftp daemon.>
    Mar 21 09:37:18 apache-01.centlinux.com systemd[1]: Started Vsftpd ftp daemon.

     

    Configure Linux Firewall:

    Allow the FTP service ports through the Linux firewall.

    [root@apache-01 ~]# firewall-cmd --permanent --add-service=ftp
    success
    [root@apache-01 ~]# firewall-cmd --reload
    success

     

    Configure SELinux:

    Set the following SELinux boolean to relax SELinux MAC (Mandatory Access Control) enforcement for the FTP daemon.

    It is necessary because the SELinux file context of the /var/www/html directory is httpd_sys_content_t, not an FTP context; without the boolean, FTP users may be denied access by SELinux.

    [root@apache-01 ~]# setsebool -P ftpd_full_access 1

     

    Create Chroot Directories:

    Create the chroot directories for your FTP users.

    [root@apache-01 ~]# mkdir /var/www/html/user{1..2}

    Set the ownership of the chroot FTP directories.

    [root@apache-01 ~]# chown -R user1:apache /var/www/html/user1
    [root@apache-01 ~]# chown -R user2:apache /var/www/html/user2

    Create an empty file in each directory, so that you can recognize the chroot jail directory after logging in with an FTP client.

    [root@apache-01 ~]# touch /var/www/html/user1/user1_files
    [root@apache-01 ~]# touch /var/www/html/user2/user2_files
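As an added example that is not part of the CentLinux article, the script below does the three manual steps of this section (mkdir, chown, marker file) for any number of users in one go, and adds an audit that checks each jail directory exists and is owned by the user it is meant for. It assumes the article's layout: the jail prefix /var/www/html (the local_root value), the apache group, and user names that match the accounts in user_list. The 0750 mode is this example's choice, not the article's: the owner can write, the apache group can read, and other local users cannot browse the directory.

```shell
#!/bin/bash
# Added example (not from the article): provision and audit the per-user
# chroot directories under /var/www/html.

# Create BASE/<user> for each user, owned user:GROUP with mode 0750 and the
# article's empty marker file. Needs root; safe to re-run (existing
# directories are re-owned, not recreated).
ftp_chroot_create() {
    local base="$1" group="$2" user
    shift 2
    for user in "$@"; do
        if ! id "$user" >/dev/null 2>&1; then
            echo "no such account: $user" >&2
            return 1
        fi
        mkdir -p "$base/$user"
        chown "$user:$group" "$base/$user"
        chmod 0750 "$base/$user"
        touch "$base/$user/${user}_files"
    done
}

# Audit BASE for each user: the jail directory must exist and be owned by that
# user (a directory owned by someone else gives that person control over what
# the FTP user sees and uploads). Prints one line per problem and returns the
# problem count, so 0 means every jail is in order.
ftp_chroot_audit() {
    local base="$1" user dir owner problems=0
    shift
    for user in "$@"; do
        dir="$base/$user"
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            problems=$((problems + 1))
            continue
        fi
        owner=$(stat -c %U "$dir")   # GNU stat, as on RHEL
        if [ "$owner" != "$user" ]; then
            echo "OWNER   $dir belongs to $owner, expected $user"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: ./ftp-jails.sh create user1 user2
#        ./ftp-jails.sh audit  user1 user2
case "${1:-}" in
    create) shift; ftp_chroot_create /var/www/html apache "$@" ;;
    audit)  shift; ftp_chroot_audit /var/www/html "$@" ;;
esac
```

The audit is worth running whenever accounts are added or removed: a user in user_list without a jail directory cannot log in, and a jail directory left behind for a deleted account keeps that account's files readable by the apache group.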

     

    Access the FTP Server:

    You need an FTP client to access your FTP server. The default FTP client in RHEL 8 is lftp. You can install it from the standard yum repositories.

    [root@apache-01 ~]# dnf install -y lftp
    Updating Subscription Management repositories.
    Last metadata expiration check: 0:59:20 ago on Sun 21 Mar 2021 08:42:25 AM EDT.
    Dependencies resolved.
    ================================================================================
     Package    Arch       Version         Repository                          Size
    ================================================================================
    Installing:
     lftp       x86_64     4.8.4-2.el8     rhel-8-for-x86_64-appstream-rpms    883 k

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total download size: 883 k
    Installed size: 2.9 M
    Downloading Packages:
    lftp-4.8.4-2.el8.x86_64.rpm                      175 kB/s | 883 kB     00:05
    --------------------------------------------------------------------------------
    Total                                            174 kB/s | 883 kB     00:05
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                        1/1
      Installing       : lftp-4.8.4-2.el8.x86_64                                1/1
      Running scriptlet: lftp-4.8.4-2.el8.x86_64                                1/1
      Verifying        : lftp-4.8.4-2.el8.x86_64                                1/1
    Installed products updated.

    Installed:
      lftp-4.8.4-2.el8.x86_64

    Complete!

    You can now use the lftp command to access your FTP server.

    [root@apache-01 ~]# lftp user1@localhost
    Password:
    lftp user1@localhost:~> ls
    ls: Fatal error: Certificate verification: Not trusted (31:98:F7:05:AB:E2:0B:46:BB:39:BE:93:1F:5B:A8:BD:34:E2:71:63)

    The certificate verification error is caused by the self-signed certificate. You can suppress it in lftp by executing the following command.

    [root@apache-01 ~]# echo "set ssl:verify-certificate no" >> /etc/lftp.conf

    Now, execute the lftp command again.

    [root@apache-01 ~]# lftp user1@localhost
    Password:
    lftp user1@localhost:~> ls
    -rw-r--r--    1 0        0               0 Mar 21 13:59 user1_files

    You can see that user1 has landed in its own chroot jail directory, i.e. /var/www/html/user1.

    Similarly, log in as the user2 FTP user.

    [root@apache-01 ~]# lftp user2@localhost
    Password:
    lftp user2@localhost:~> ls
    -rw-r--r--    1 0        0               0 Mar 21 13:59 user2_files

    Just like user1, user2 has landed in its own chroot jail directory, i.e. /var/www/html/user2.
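The following client-side script is an added example, not part of the CentLinux article. Rather than turning certificate verification off for every host in /etc/lftp.conf, which makes lftp accept any certificate presented to it, it tells lftp to trust only the server's own self-signed certificate, verifies that copy by fingerprint first, and then checks from the client side that the session really is confined: after "cd .." from the jail root the server must still report "/". It assumes that /etc/vsftpd/vsftpd.pem has been copied to the client (the CA_FILE argument), that the expected SHA-1 fingerprint is known out of band (the server's lftp output above printed it as 31:98:F7:...), that the client connects by the name in the certificate (apache-01.centlinux.com) because hostname checking is enabled, and that lftp 4.x with the ssl:ca-file, ssl:check-hostname and --env-password features is installed along with openssl. All function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the article): trust one pinned certificate in lftp
# instead of disabling verification, then confirm the chroot from the client.

# SHA-1 fingerprint of a PEM certificate in the AA:BB:... form lftp prints.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# True if the certificate in $1 has fingerprint $2 (case-insensitive). Check
# this once before pointing ssl:ca-file at the copied certificate.
cert_fingerprint_matches() {
    local have expect
    have=$(cert_fingerprint "$1" | tr '[:lower:]' '[:upper:]')
    expect=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$have" ] && [ "$have" = "$expect" ]
}

# lftp's pwd prints a URL such as ftp://user1@apache-01.centlinux.com/ ; return
# 0 if the path part is the jail root (a bare "/" is accepted as well).
lftp_pwd_is_root() {
    local rest="$1"
    rest=${rest#*://}                                    # drop the scheme
    case "$rest" in */*) rest=${rest#*/} ;; *) rest="" ;; esac   # drop user@host
    [ -z "$rest" ] || [ "$rest" = "/" ]
}

# Log in as USER to HOST trusting only CA_FILE (password taken from the
# LFTP_PASSWORD environment variable so it is not on the command line), try to
# leave the jail with "cd ..", and report where the server says we are.
# Returns 0 only if the session is still at the jail root.
ftp_chroot_check() {
    local user="$1" host="$2" ca_file="$3" where
    where=$(lftp --env-password -u "$user" "$host" <<EOF | tail -n 1
set ssl:ca-file $ca_file
set ssl:check-hostname yes
set ssl:verify-certificate yes
set ftp:ssl-force yes
cd ..
pwd
quit
EOF
)
    echo "server reports: $where"
    lftp_pwd_is_root "$where"
}

# Usage: export LFTP_PASSWORD; ./ftp-check.sh user1 apache-01.centlinux.com ./vsftpd.pem 31:98:F7:...
if [ $# -ge 4 ]; then
    cert_fingerprint_matches "$3" "$4" || { echo "certificate fingerprint mismatch" >&2; exit 2; }
    ftp_chroot_check "$1" "$2" "$3"
fi
```

The same three "set" lines can go into the user's ~/.lftprc instead, which keeps the pinning in place for interactive sessions without loosening verification for any other server.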

     

    Conclusion:

    In this guide, we have configured an FTP server and restricted the FTP users to their respective chroot jail subdirectories within the /var/www/html directory. Read CompTIA Linux+ Certification All-in-One Exam Guide: Exam XK0-004 by Ted Jordan & Sandor Strohmayer if you want to build expertise in the Linux operating system.
