32.2. Setup an FTP user account minus shells

It's important to give to your strictly FTP users no real shell account on the Linux system. In this manner, if for any reasons someone could successfully get out of the FTP chrooted environment, it would not have the possibility of executing any user tasks since it doesn't have a bash shell. First, create new users for this purpose;

This has to be separate from a regular user account with unlimited access because of how the chroot environment works. Chroot makes it appear from the user's perspective as if the level of the file system you've placed them in is the top level of the file system.

Use the following command to create users in the /etc/passwd file. This step must be done for each additional new user you allow to access your FTP server.

These users will be the users allowed to connect to your FTP server.

[root@deep ] /# mkdir /home/ftp [root@deep ] /# useradd -d /home/ftp/ftpadmin/ -s /dev/null ftpadmin > /dev/null 2>&1 [root@deep ] /# passwd ftpadmin

Changing password for user ftpadmin New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully

    • The mkdir command will create the ftp directory under the /home directory to handle all FTP users' home directories we'll have on the server.

    • The useradd command will add the new user named ftpadmin to our Linux server.

    • Finally, the passwd command will set the password for this user ftpadmin.

Once the home/ftp/ directory has been created you don't have to use this command again for additional FTP users.

    1. Edit the /etc/shells file, vi /etc/shells and add a non-existent shell name like null, for example. This fake shell will limit access on the system forFTP users.

              1. [root@deep ] /# vi /etc/shells

              2. /bin/bash /bin/sh /bin/ash /bin/bsh /bin/tcsh /bin/csh /dev/null

    1. /dev/null, This is our added no-existent shell. With Red Hat Linux, a special device name /dev/null exists for purposes such as these.

    2. Now, edit your /etc/passwd file and add manually the /./ line to divide the /home/ftp directory with the /ftpadmin directory where the userftpadmin should be automatically chdir'd to. This step must be done for each FTP user you add to your passwd file.

              1. ftpadmin:x:502:502::/home/ftp/ftpadmin/:/dev/null

    1. To read:

              1. ftpadmin:x:502:502::/home/ftp/./ftpadmin/:/dev/null ^^

    1. The account is ftpadmin, but you'll notice the path to the home directory is a bit odd. The first part /home/ftp/ indicates the filesystem that should be considered their new root directory. The dot . divides that from the directory they should be automatically chdir'd. change directory'd into,/ftpadmin/.

Once again, the /dev/null part disables their login as a regular user. With this modification, the user ftpadmin now has a fake shell instead of a real shell resulting in properly limited access on the system.

Fix for the chroot Error: http://www.boxtricks.com/500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/

wget http://ftp.us.debian.org/debian/pool/main/v/vsftpd/vsftpd_3.0.2-3_amd64.deb

dpkg -i vsftpd_3.0.2-3_amd64.deb

echo "allow_writeable_chroot=YES" >> /etc/vsftpd.conf

echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf

service vsftpd reload