
What I am ultimately looking to do is jail a group of users to only be able to FTP into their home folder. They should be able to have r&w capabilities within their home folder, and within ALL directories in that folder. I have been trying to do this for a bit, but there doesn't seem to be a simple solution that works easily. Here is what I have tried:

  1. chrooting the users to their home folder by adding the following code to the vsftpd conf:

    chroot_local_user=YES
    

    This created an issue because the users did not have full access to directories within, and some problems hung around with file permissions.

  2. Removing ALL permissions for / for the group by using ACLs with the following code:

    setfacl -x g:501 /
    

    Nothing happened when I executed this command, although it is correct (as far as I know, it follows documentation verbatim).

I asked another question here about setting ACLs, and Zypher correctly informed me that messing with /'s permissions can get bad quickly, so I am looking for the best way to do what I described above. Any help is much appreciated!

sofly

1 Answer


chroot_local_user is the correct option to set. If they don't have access to files within their home directory, then the permissions on those files are wrong and they should be fixed, or accept that the user won't have full access to all of the files. I'd strongly question why files that aren't owned by the user are being placed in the user's home directory.

In a pinch, you can use extended attributes to get the behaviour you want with

    setfacl -R -m u:<user>:rw "$(getent passwd <user> | cut -d : -f 6)"
    setfacl -R -m d:u:<user>:rw "$(getent passwd <user> | cut -d : -f 6)"

for all values of <user>, but it's no guarantee -- someone who can write a file into the user's home directory can remove the ACL, which puts you back to square one.

womble
  • This is great - thank you :). I ended up making chroot_local_user and permissions work out - I just had some funky things going on. Appreciate it! – sofly Jul 22 '11 at 03:38
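
The answer's diagnosis is that the chroot is fine and the permissions inside the home directory are what need fixing. The following is an added example, not part of the original question or answer, that lists the entries a chrooted user cannot fully use. `audit_ftp_home` is a hypothetical helper name, and it assumes it is run by root or by someone who can read the whole tree.

```shell
#!/bin/sh
# Added example: audit a chrooted FTP user's home for entries the user
# cannot fully use. audit_ftp_home is a hypothetical helper name.
# Usage: audit_ftp_home <user-or-uid> [home]  (home defaults to passwd entry)
# Prints "<reason> <path>" per finding; returns 0 if clean, 1 if not.
audit_ftp_home() {
    user=$1
    home=${2:-$(getent passwd "$user" | cut -d : -f 6)}
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        echo "audit_ftp_home: no home directory for $user" >&2
        return 2
    fi
    findings=$(
        # Entries owned by someone else: the user cannot chmod these.
        find "$home" ! -user "$user" -print | sed 's|^|not-owned |'
        # Directories need r, w and x for the owner to list, create, enter.
        find "$home" -type d -user "$user" ! -perm -700 -print |
            sed 's|^|dir-mode |'
        # Regular files need r and w for the owner.
        find "$home" -type f -user "$user" ! -perm -600 -print |
            sed 's|^|file-mode |'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo (not from the original post): a throwaway tree with one
# read-only file and one read-only directory, audited as the current user.
demo=$(mktemp -d)
mkdir "$demo/upload" "$demo/locked"
touch "$demo/upload/ok.txt" "$demo/upload/readonly.txt"
chmod 400 "$demo/upload/readonly.txt"
chmod 500 "$demo/locked"
audit_ftp_home "$(id -u)" "$demo" || true
rm -rf "$demo"
```

Entries reported as `not-owned` are the ones the answer questions being in the home directory at all; the `dir-mode` and `file-mode` entries can be fixed with `chmod` by the owner.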