I need to allow broad anonymous download access via vsftpd, but restrict uploads to only a single path. Is there any way to do this is other than with the filesystem permissions?
There are two main problems with trying to lock down the filesystem:
- It affects all users — this is a heterogeneous system, so it's difficult to ensure everyone except the FTP user has access.
- It doesn't appear to be hierarchical — even if we can lock down the top-level directories, it seems easy for someone to create an FTP-writeable subdirectory, at which point vsftpd appears to happily allow things to be uploaded to it.
Right now #2 is the bigger concern, so we actually have the read-only area mounted as a read-only filesystem, but this is causing its own problems.
Best Answer
You can use the
bind
mount option to map/remount an already mounted part of a file system hierarchy to somewhere else. Say you have a samba share with Videos and a second with an Image library and you want to offer those as a read only FTP downloads.Then make those file systems read-only:
The file system permissions remain unaltered, but everything under Videos and Images is now read-only. So it is unlikely that a sub-directory with
drwx------
can be accessed by the FTP user, but neither can the FTP user write to in a sub-directory withdrwxrwxrwx
permissions.The bind mount doesn't take options so to achieve a read-only mount requires a remount and therefore I think you can't use fstab to make this persistent and need to script this instead.
Next set up the upload directory:
Then configure vsftpd properly for anonymous downloads and chroot() the anonymous FTP user to /var/ftp. It's been a while since I did that, but roughly and untested:
Of course there are a lot more relevant options to include.