If you want to go with the SFTP only solution, I have created a blog post recently that describes exactly this including a few of the common errors:
http://blog.frands.net/sftp-only-chroot-users-with-openssh-in-debian-166/
If you want to go with the FTP solution, vsftpd is indeed a fine choice. However, when a user uploads a file it will be set with his user and group following the defined umask. You could set the user's primary group to www-data and then create a umask that fits in vsftpd.
This is a quick how-to for what I suggested:
Create the user with the www-data group, no real shell and the correct home dir, set the password afterwards
useradd -d /path/to/his/domain.com -g www-data -s /bin/false theusername
passwd theusername
Make sure that vsftpd accepts his shell. cat /etc/shells and look for /bin/false (it should not be there by default) - if it is not there, add it:
echo "/bin/false" >> /etc/shells
Next, edit the vsftpd config file. Touch these parameters: (if they are commented out, remove the #)
Disable anonymous access to the server
anonymous_enable=NO
Allow local users to use FTP
local_enable=YES
Allow file uploads
write_enable=YES
Set the umask, so the files the user uploads are also writable by group (www-data)
local_umask=002
Chroot the user so he cannot move out of his home dir
chroot_local_user=YES
Now, restart vsftpd
/etc/init.d/vsftpd restart
and you should be all set.
BUT!
- FTP is generally insecure.
- If SFTP is possible, use it.
- Having the webserver allowed to write to files is a security flaw, unless the directory is used for uploads or files that the website commonly changes.
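A read-only check of the steps in the answer above, as an added example that is not part of the original answer. The function names (conf_value, audit_vsftpd, shell_listed) are hypothetical, the sample config is constructed, and treating the last occurrence of a repeated option as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: checks the settings from the answer above against a config file.

# Effective value of option $2 in file $1. Commented-out lines ("#opt=...") are
# skipped; vsftpd.conf allows no spaces around "=", so only "opt=value" counts.
# Assumption: when an option is repeated, the last occurrence is the one used.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# Print one line per setting that differs from the answer; succeed if none do.
audit_vsftpd() {
    bad=0
    for want in anonymous_enable=NO local_enable=YES write_enable=YES \
                local_umask=002 chroot_local_user=YES; do
        key=${want%%=*}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "MISMATCH $key: want ${want#*=}, found ${got:-unset}"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Succeed if shell $2 appears as a whole line in shells file $1 (e.g. /etc/shells).
shell_listed() {
    grep -qxF -- "$2" "$1"
}

# Constructed sample config: write_enable is still commented out, umask is 022.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
local_enable=YES
#write_enable=YES
local_umask=022
chroot_local_user=YES
EOF
audit_vsftpd "$sample" || echo "fix the options listed above, then restart vsftpd"
rm -f "$sample"
```

On a real host, point audit_vsftpd at the vsftpd config file and shell_listed at /etc/shells with /bin/false as the shell.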
You have the guest_enable option enabled. This means that operations by non-anonymous users are performed as the guest_username user (which defaults to ftp). You either want to disable guest_enable, or make sure that the ftp user has write access to the directory you're trying to upload to.
Best Answer
AFAIK, Pure-FTPd doesn't support per directory access control. .ftpaccess belongs to ProFTPD. You probably want to switch to ProFTPD with something like this: