0

I need freelancers to be able to download and upload files to some of my websites on my Ubuntu server, but not all.

How do I set it up so that each freelancer is a user who has access to only the sites that they should be able to access and nothing else?

I've followed the instructions I found to set up FTP users with access to particular folders via bind. I have added my FTP users to a group that has read, write access permissions to those folders, so all seems good from that perspective - my users can do what they need to do. But my FTP users are able to navigate to all the folders on my server and that is not good at all. How do I make sure that they are limited to their /home/thisuser folder and nothing else?

Martin Duys

3 Answers

1

I'd use chroot. That's really your best option as you'll be 100% sure that nobody can view anything other than his "home" directory.

alexandernst
0

I'd use suPHP and make groups for the freelancers. You can then add write/read permission on the folder they need for their group.

Lucas Kauffman
0

I can't comment on your question as I don't have enough reputation yet, but is there a reason you are using FTP instead of SFTP? FTP will send passwords in the clear, which is a very bad thing. SFTP will encrypt your exchanges between client and server.

Setting up an SFTP chroot is a several-step process. These directions assume you have an ssh server installed.

  1. In /etc/ssh/sshd_config replace the line

    Subsystem sftp /usr/lib/openssh/sftp-server

    with this:

    Subsystem sftp internal-sftp

    Following this line, add the following section:

    Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

    ChrootDirectory /home/%u will force a user's home directory to be the root directory.

  2. Create an sftponly group:

    sudo groupadd sftponly

  3. Add all freelancers to the sftponly group and change the user's home directory:

    sudo usermod -g sftponly -d / johnnyfreelancer

    'sftponly' must be the primary group of the user (this is what the -g flag does), otherwise this method will not work. The -d flag is also necessary because once the user logs in /home/%u will effectively be the topmost directory for the logged in user.

Evan
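The `ChrootDirectory /home/%u` setting in the answer above is only honoured when sshd accepts the directory: per sshd_config(5), every component of the chroot path must be a root-owned directory that is not writable by any other user or group. The following pre-flight check is an added example, not part of the original answer; the function names and the optional owner-uid argument are hypothetical, and it assumes GNU `stat` as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the answer): pre-flight check for ChrootDirectory.
# Per sshd_config(5), every component of the chroot path must be a
# root-owned directory that is not writable by any other user or group.
# Usage: check_chroot_path /home/johnnyfreelancer

# check_component DIR [OWNER_UID]
# OWNER_UID defaults to 0 (root); the override is a hypothetical knob for
# dry runs on a test directory you own.
check_component() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    # GNU stat as shipped on Ubuntu: %u = owner uid, %a = octal mode
    set -- $(stat -c '%u %a' "$dir")
    uid=$1
    mode=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"
        return 1
    fi
    # 022 = group-write | other-write
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group- or other-writable"
        return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot_path DIR [OWNER_UID]
# Walks from DIR up to / and reports every component that fails.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "FAIL $1: need an absolute path"; return 2 ;;
    esac
    path=$1
    rc=0
    while :; do
        check_component "$path" "${2:-0}" || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}
```

A FAIL on the user's own home directory means sshd will refuse the chrooted session until that directory is owned by root with mode 755; files the user needs to upload then go in a user-writable subdirectory inside it.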