My first response is simple:
Don't use FTP unless you absolutely have to. It's not secure, and there's no reason in this day and age to use it.
Instead, use SSH and/or SCP and/or SFTP (all similar and related protocols).
As far as how to do it, there are a fair number of them. I'll link to a few Google search results (not vouching for any of these):
There are tons more, just search around...
If you want to go with the SFTP only solution, I have created a blog post recently that describes exactly this including a few of the common errors:
http://blog.frands.net/sftp-only-chroot-users-with-openssh-in-debian-166/
If you want to go with the FTP solution, vsftpd is indeed a fine choice. However, when a user uploads a file it will be set with his user and group following the defined umask. You could set the user's primary group to www-data and then create a umask that fits in vsftpd.
This is a quick howto to do what I suggested:
Create the user with the www-data group, no real shell and the correct home dir, set the password afterwards
useradd -d /path/to/his/domain.com -g www-data -s /bin/false theusername
passwd theusername
Make sure that vsftpd accepts his shell. cat /etc/shells and look for /bin/false (it should not be there by default) - if it is not there, add it:
echo "/bin/false" >> /etc/shells
Next, edit the vsftpd config file. Touch these parameters: (if they are commented out, remove the #)
Disable anonymous access to the server
anonymous_enable=NO
Allow local users to use FTP
local_enable=YES
Allow file uploads
write_enable=YES
Set the umask, so the files the user uploads are also writable by group (www-data)
local_umask=002
Chroot the user so he cannot move out of his home dir
chroot_local_user=YES
Now, restart vsftpd
/etc/init.d/vsftpd restart
and you should be all set.
BUT!
- FTP is generally insecure.
- If SFTP is possible, use it.
- Having the webserver allowed to write to files is a security flaw, unless the directory is used for uploads or files that the website commonly changes.
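The vsftpd steps from the answer above, collected into shell functions as an added example (this is not code from the answer): it activates the five parameters in a copy of vsftpd.conf, makes sure /bin/false is listed in the shells file, and verifies the result. File paths are passed as arguments so the functions can be tried on constructed copies before touching /etc/vsftpd.conf; `create_web_ftp_user` wraps the useradd command from the answer and needs root, so the sample run at the bottom does not call it.

```shell
#!/bin/sh
# Added example, not code from the answers above: the vsftpd howto as shell
# functions that operate on file paths passed as arguments, so the logic can
# be exercised on constructed copies before touching /etc/vsftpd.conf.

# set_param FILE KEY VALUE
# Activate KEY=VALUE in FILE: an existing line (commented out or not) is
# rewritten in place, otherwise the line is appended.
set_param() {
    file=$1; key=$2; value=$3
    if grep -q "^#*[[:space:]]*$key=" "$file"; then
        sed -i "s|^#*[[:space:]]*$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_param FILE KEY -> the effective (uncommented) value, empty if unset
get_param() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# ensure_shell SHELLS_FILE SHELL -> append SHELL unless already listed;
# vsftpd rejects logins whose shell is missing from /etc/shells
ensure_shell() {
    grep -qx "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# harden_vsftpd CONF SHELLS -> apply the five settings from the howto
harden_vsftpd() {
    set_param "$1" anonymous_enable NO     # no anonymous logins
    set_param "$1" local_enable YES        # local accounts may log in
    set_param "$1" write_enable YES        # allow uploads
    set_param "$1" local_umask 002         # uploads are group-writable
    set_param "$1" chroot_local_user YES   # jail users to their home dir
    ensure_shell "$2" /bin/false
}

# check_vsftpd CONF SHELLS -> prints "ok" only if every setting is in effect
check_vsftpd() {
    [ "$(get_param "$1" anonymous_enable)" = NO ] &&
    [ "$(get_param "$1" local_enable)" = YES ] &&
    [ "$(get_param "$1" write_enable)" = YES ] &&
    [ "$(get_param "$1" local_umask)" = 002 ] &&
    [ "$(get_param "$1" chroot_local_user)" = YES ] &&
    grep -qx /bin/false "$2" && echo ok
}

# create_web_ftp_user NAME HOMEDIR -> the useradd/passwd from the answer
# (needs root, so the sample run below does not call it)
create_web_ftp_user() {
    useradd -d "$2" -g www-data -s /bin/false "$1" && passwd "$1"
}

# make_sample -> temp dir holding a constructed vsftpd.conf, resembling the
# stock Debian file, plus a shells file without /bin/false; prints the dir
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/vsftpd.conf" <<'EOF'
# Example config file /etc/vsftpd.conf (constructed sample)
anonymous_enable=YES
#local_enable=YES
#write_enable=YES
#local_umask=022
#chroot_local_user=YES
EOF
    printf '/bin/sh\n/bin/bash\n' > "$dir/shells"
    echo "$dir"
}

# Sample run on the constructed files
sample=$(make_sample)
harden_vsftpd "$sample/vsftpd.conf" "$sample/shells"
check_vsftpd "$sample/vsftpd.conf" "$sample/shells"   # prints: ok
```

One caveat worth knowing before restarting the daemon: vsftpd 2.3.5 and later refuse a chrooted session whose root directory is writable by the user. With the umask above, either keep the home directory itself non-writable and let the user upload into a subdirectory owned by them, or set allow_writeable_chroot=YES (available from vsftpd 3.0.0) and accept the weaker jail.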
Best Answer
ProFTPd does support the concept of FTP-only users. In order to make this work, you would need to first make the following changes to your proftpd.conf file:
Make sure that the file /etc/proftpd/ftpasswd exists and is readable by the user that the proftpd daemon runs under.
In addition, you would need to add the following lines:
Restart the ProFTPd daemon. Your FTP service will now allow connections from FTP-only accounts. You can create your FTP-only account using the following syntax:
Pay close attention to the options "--uid" and "--gid". If you supply a numeric value here that does not correspond to any existing user/group, the FTP user will have the same file permissions that the user running the proftpd daemon has (typically read-only access to most directories). If you wanted to allow the FTP user to be able to actually overwrite the files, set the uid to match the UID of the actual system user which owns the directory (Something I found out from another SF Question).
For additional security, you could also add the following lines to your proftpd.conf file:
This will trick the FTP client into showing the files as if owned by the FTP-user/FTP-group in the FTP User's root directory.
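The "--uid"/"--gid" point from the answer, as an added pre-flight check (example code, not from the answer or the ProFTPD project): before creating the FTP-only account, classify the numeric uid you intend to pass as the owner of the target directory, some other existing account, or an orphan uid that matches no account (the read-only case the answer describes). The functions take file paths as arguments so they can be exercised on a constructed passwd file; the optional third argument of `classify_uid` defaults to /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the answer above: pre-flight checks for the numeric
# --uid/--gid handed to ftpasswd. A uid matching no account leaves the FTP
# user with the daemon's permissions; a uid equal to the directory owner's
# lets it overwrite the site files.

# dir_owner_uid DIR / dir_owner_gid DIR -> numeric owner uid / gid of DIR
# (ls -ldn prints numeric ids portably; fields 3 and 4 are uid and gid)
dir_owner_uid() { ls -ldn "$1" | awk '{print $3}'; }
dir_owner_gid() { ls -ldn "$1" | awk '{print $4}'; }

# uid_exists UID [PASSWD_FILE] -> "yes" if some account in PASSWD_FILE
# (default /etc/passwd) carries that numeric uid, else "no"
uid_exists() {
    passwd_file=${2:-/etc/passwd}
    if awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' "$passwd_file"; then
        echo yes
    else
        echo no
    fi
}

# uid_matches_dir UID DIR -> "match" when UID owns DIR, else "mismatch"
uid_matches_dir() {
    if [ "$1" = "$(dir_owner_uid "$2")" ]; then echo match; else echo mismatch; fi
}

# classify_uid UID DIR [PASSWD_FILE] -> what an account created with this
# --uid would get on DIR:
#   owner  : UID owns DIR, so the FTP user can overwrite the site files
#   other  : UID belongs to an existing account that does not own DIR
#   orphan : UID matches no account (the read-only case from the answer)
classify_uid() {
    if [ "$(uid_matches_dir "$1" "$2")" = match ]; then
        echo owner
    elif [ "$(uid_exists "$1" "${3:-/etc/passwd}")" = yes ]; then
        echo other
    else
        echo orphan
    fi
}

# Sample run: a fresh temp dir is owned by the current user, so the current
# uid classifies as "owner" and a constructed, unused uid as "orphan"
sample_dir=$(mktemp -d)
classify_uid "$(id -u)" "$sample_dir"      # prints: owner
classify_uid 4242424 "$sample_dir"         # prints: orphan
```

The values that come back as "owner" are the ones to hand to ftpasswd's --uid and --gid options when the FTP user must be able to replace the site files; an "orphan" result means the account will only ever see what the proftpd daemon's own user can read.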