Centos – How to add a new user to vsftpd and let root access the FTP server

centosftpvsftpd

How can I add a new vsftpd user on CentOS 5 ? I would like that user to default to a certain directory other than its own. Note that chroot is on. Should I do something like this?

useradd vsftpuser1 -d /home/mainaccount
passwd vsftpuser1

Do I have to edit anything in vsftpd or is this it?

Also, in /etc/vsftpd.ftpusers it has root in with a group of users that are not allowed to login via ftp . If I remove root from this, will root be able to sftp in without chroot restrictions? Is there any threat to my system by let root in in this manner?

Best Answer

Follow the manual for adding new users. That's why they are written.

You won't allow root to access the FTP server! This is the highest security risk you can expose your host to. FTP transmits the password in clear text over the wire. Everybody having access to the network can easily sniff the password. Having the password you give everybody full control over your server! In other words: Don't do that!!

SFTP is another protocol and has nothing to do with FTP beside the name. A protocol related to FTP is FTPS which is nothing else than FTP over SSL. SFTP is something like FTP alternative over SSH.

Related Solutions

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

# semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"

Be sure to include the (/.*)? at the end of the directory name.

I also tried to use audit2allow to generate a policy, but what it does is generate a policy that gives ftpd write access to directories of type public_content_t; this is equivalent to turning on allow_ftpd_full_access, if I understood it correctly

Essentially, yes; since SELinux allows directories/files labeled with public_content_t to be shared between different services. However, further access control is in place through the use of sebooleans (or sebool, more precisely).

Giving "ftpd full access", doesn't mean giving it the rights to do/read/write what and where it wants. SELinux has designated policies in place for the services on your system; meaning, ftpd is allowed to read files if the directory's file context (fcontext) is public_content_t. SELinux gives write permissions to the ftp server if the directory's fcontext is public_content_rw_t; other services such as samba, apache, etc. have to be allowed write permissions to those directories through the booleans, according to the pertaining RedHat Documentation. If your "local policy" gives ftpd write access in directories labelled public_content_t, it essentially strips away a layer of security. Therefore, I suggest labeling the directory with the public_content_rw_t context, and removing your custom generated local policy.

For further information and details, please see the SELinux wiki pages.

Ftp – vsftpd: access SFTP on local user without shell access with specific directory

Sorry but it looks like you are confusing the protocols. I.e. SFTP and FTPS. SFTP is for SSH FTPS is used for and by the FTP server.

If you really want to lock the user down. Add /usr/sbin/nologin /etc/shells (this will stop SSH access) Add your user 'max' to /etc/vsftpd/chroot_list

Configure your filezilla to use FTPS

Best Answer

Related Solutions

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

Ftp – vsftpd: access SFTP on local user without shell access with specific directory

Related Topic