For permissions, you need to have the folder and files in it owned by myuser so that they can be accessed from the myuser account.

If apache (or your scripts) needs to write to the folder, then the best thing to do is use chgrp to assign the specific locations that should be written to to the www-data group, then chmod g+w that location or file. If you are giving write access to a folder, chmod g+sw will give write access to the folder and ensure that files created there will also belong to the www-data group.
The files and directories in this case would look something like:
drwxrwxr-x 2 myuser www-data 4096 2011-04-18 03:04 webroot
-rw-rw-r-- 1 myuser www-data 1000 2011-04-18 03:04 index.html
drwxrwsr-x 2 myuser www-data 4096 2011-04-18 03:04 folderwithg+ws
You would want to be very careful giving write access to files and folders to apache though, otherwise an attacker might figure out a way to make your scripts overwrite themselves or replace index.html, or whatever.
Otherwise, if apache does not need to write to your document directory, the permissions should be fine as they are, as long as all of the subdirectories and files are world readable (and directories are world accessible).
For SSL/TLS, you're missing
ssl_enable=YES
You can force users to use encryption:
force_local_logins_ssl=YES
force_local_data_ssl=YES
And there is an ssl_ciphers= option as well, if you want to limit it to HIGH or a specific list of ciphers. If you want "implicit SSL" (instead of AUTH SSL or AUTH TLS commands to start encryption, the encryption is negotiated at the beginning of the connection) then that is implicit_ssl=YES
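The group-write scheme from the answer above, as an added example rather than anything from the original post: a small POSIX sh script that applies chgrp plus chmod g+sw to one directory, reports the resulting mode string, and audits a web root for world-writable paths (the thing the answer warns against). The group name is passed in rather than hard-coded to www-data, and the functions assume the caller owns the paths, so no root is needed; the demo data it builds under mktemp is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Assumes: the caller owns the paths (so chgrp/chmod need no root) and the
# target group (www-data in the answer) is passed as an argument.

# Give GROUP write access to DIR and set the setgid bit so that files created
# inside inherit GROUP, exactly the "chgrp ...; chmod g+sw" step from the answer.
grant_group_write() {
    dir="$1"; group="$2"
    chgrp "$group" "$dir" || return 1
    chmod g+sw "$dir" || return 1
}

# Mode string of a path (e.g. drwxrwsr-x), taken from ls so it is portable.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Group that a freshly created file in DIR receives; with the setgid bit set
# this is the directory's group, not the creating user's primary group.
group_of_new_file() {
    probe="$1/.probe.$$"
    : > "$probe"
    grp=$(ls -ld "$probe" | awk '{print $4}')
    rm -f "$probe"
    echo "$grp"
}

# Audit: every path under ROOT that is world-writable (other has the w bit).
# Empty output is the desired state for a web root.
world_writable() {
    find "$1" -perm -0002 -print
}

# Demo on a constructed tree: a webroot with index.html and an uploads folder.
demo() {
    umask 022
    root=$(mktemp -d)
    mkdir "$root/webroot" "$root/webroot/uploads"
    : > "$root/webroot/index.html"
    grant_group_write "$root/webroot/uploads" "$(id -gn)"
    echo "uploads mode: $(mode_of "$root/webroot/uploads")"
    echo "new file group: $(group_of_new_file "$root/webroot/uploads")"
    echo "world-writable paths: $(world_writable "$root/webroot")"
    rm -rf "$root"
}
```

Run it with `demo`, or call `world_writable /var/www` directly to check a real tree; any path it prints is writable by every local account, including whatever the web server runs as.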
I'm presuming you're mostly asking how to prevent a user from being able to use SSH as - as far as I can tell - your vsftpd config should be good to go based on the chroot_local_user option being set to yes.
You can simply change the user's shell to something like /bin/false (make sure to add it to /etc/shells to prevent possible problems with the ftp server) and your user will be able to authenticate to SSH but they'll just get dumped back out.
Alternatively you could use AllowUsers/DenyUsers in /etc/ssh/sshd_config - but this could require updating the ssh config every time you change who's allowed to login, whereas you can set the user's shell to /bin/false with your useradd command by using
useradd -s /bin/false <everything else>
Then if you later want to grant them SSH access you can just use usermod to change their shell to bash (for example).
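An added check for the two points in the answer above (it is not code from the original post): one function lists accounts whose login shell is not in /etc/shells, which is what breaks vsftpd logins when /bin/false is used without being added there, and the other lists accounts that still have an interactive shell. Both take the passwd and shells files as arguments so they can be run against constructed copies; on a live system pass /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Assumes: passwd-format and shells-format files are passed as arguments
# (the real ones are /etc/passwd and /etc/shells).

# Users whose shell is not listed in the shells file. vsftpd with PAM's
# shell check refuses such users, so /bin/false must appear in /etc/shells.
users_with_unlisted_shell() {
    passwd="$1"; shells="$2"
    while IFS=: read -r user _ _ _ _ _ shell; do
        case "$user" in ''|\#*) continue ;; esac   # skip blank/comment lines
        # grep -x: whole-line match; -F: literal, so "/" is not a regex char
        if ! grep -qxF "$shell" "$shells"; then
            echo "$user"
        fi
    done < "$passwd"
}

# Users that can still get a shell over SSH: anything other than /bin/false
# or a nologin binary counts as interactive.
users_with_interactive_shell() {
    while IFS=: read -r user _ _ _ _ _ shell; do
        case "$user" in ''|\#*) continue ;; esac
        case "$shell" in
            /bin/false|*/nologin) ;;
            *) echo "$user" ;;
        esac
    done < "$1"
}

# Demo on constructed data: an FTP-only account created with useradd -s /bin/false.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'ftponly:x:1001:1001::/home/ftponly:/bin/false' \
        'alice:x:1002:1002::/home/alice:/bin/bash' > "$tmp/passwd"
    printf '%s\n' '# valid login shells' '/bin/sh' '/bin/bash' > "$tmp/shells"
    echo "shell not in shells file: $(users_with_unlisted_shell "$tmp/passwd" "$tmp/shells")"
    echo "interactive shells: $(users_with_interactive_shell "$tmp/passwd" | tr '\n' ' ')"
    rm -rf "$tmp"
}
```

With the constructed data, `demo` reports ftponly under the first heading until /bin/false is appended to the shells file, and root and alice under the second.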
Best Answer
Check here for VSFTPD's FAQ for the answer you're looking for. Below is the important excerpt that I think will answer your question.