When setting up FTP access with vsftpd, proper user confinement is crucial for security. The standard approach involves creating chrooted environments where users can't navigate outside their designated directories.
First, let's create a dedicated system user and configure directory restrictions:
# Create user with no shell access
sudo useradd -d /var/ftp/restricted_user -s /sbin/nologin restricted_user
# Set password
sudo passwd restricted_user
# Create the jail: the top level stays owned by root and not writable by the
# user (vsftpd refuses to chroot into a directory the user can write to), with
# a writable subdirectory underneath for the user's own files
sudo mkdir -p /var/ftp/restricted_user/upload
sudo chown root:root /var/ftp/restricted_user
sudo chmod 755 /var/ftp/restricted_user
sudo chown restricted_user:restricted_user /var/ftp/restricted_user/upload
sudo chmod 700 /var/ftp/restricted_user/upload
Edit your vsftpd configuration (/etc/vsftpd/vsftpd.conf) with these essential parameters:
# Enable chroot for all local users
chroot_local_user=YES
# Do not set allow_writeable_chroot=YES: it switches off vsftpd's refusal to
# chroot into a directory the user can write to. Keep the jail root owned by
# root and give the user a writable subdirectory instead.
# Jail each user under /var/ftp/<username>
user_sub_token=$USER
local_root=/var/ftp/$USER
# Fixed passive-mode port range, so the firewall can be limited to it
pasv_min_port=40000
pasv_max_port=50000
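The user, directory and configuration steps above fit together in one helper. The script below is an added example written for this page, not vsftpd's own tooling or code from the original text: `make_jail` builds the root-owned jail with a writable `upload/` subdirectory (the subdirectory name and the `/var/ftp` prefix are assumptions), `write_vsftpd_conf` emits the matching configuration, and `lint_vsftpd_conf` flags the settings in an existing `vsftpd.conf` that undo the confinement (a writable chroot root, missing `chroot_local_user`, anonymous logins, an unbounded passive range). The lint uses the last assignment of each key it finds; the function names are invented here.

```shell
#!/bin/bash
# Added example (not from the original page): jail layout, hardened
# vsftpd.conf fragment and a lint for the settings that weaken the chroot.
# The "upload" subdirectory name and the /var/ftp prefix are assumptions.
set -eu

# conf_get CONF KEY: print the last uncommented value of KEY in CONF,
# whitespace stripped and uppercased; empty if the key is not set.
conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- \
        | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# write_vsftpd_conf CONF: write the hardened configuration fragment.
write_vsftpd_conf() {
    cat > "$1" <<'EOF'
# Local (PAM) users only, no anonymous logins
anonymous_enable=NO
local_enable=YES
write_enable=YES
# Jail every local user under /var/ftp/<username>
chroot_local_user=YES
user_sub_token=$USER
local_root=/var/ftp/$USER
# allow_writeable_chroot stays unset (NO): the jail root is root-owned
# Fixed passive range so the firewall can be limited to it
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
# Uploaded files are never group- or world-writable
local_umask=022
EOF
}

# lint_vsftpd_conf CONF: print one finding per line, return 1 if any.
lint_vsftpd_conf() {
    local conf="$1" findings=0 v
    v=$(conf_get "$conf" chroot_local_user)
    [ "$v" = YES ] || { echo "chroot_local_user is not YES: local users are not jailed"; findings=$((findings + 1)); }
    v=$(conf_get "$conf" allow_writeable_chroot)
    [ "$v" != YES ] || { echo "allow_writeable_chroot=YES: jail root is writable; make it root-owned instead"; findings=$((findings + 1)); }
    v=$(conf_get "$conf" anonymous_enable)
    [ "$v" = NO ] || { echo "anonymous_enable is not NO (vsftpd's built-in default is YES)"; findings=$((findings + 1)); }
    if [ -z "$(conf_get "$conf" pasv_min_port)" ] || [ -z "$(conf_get "$conf" pasv_max_port)" ]; then
        echo "pasv_min_port/pasv_max_port unset: passive data ports are not bounded"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# make_jail ROOT USER: root-owned, non-writable top level (so vsftpd's
# writable-root check passes without allow_writeable_chroot) plus a
# writable upload/ subdirectory. Ownership is only changed when running
# as root and USER exists; the mode bits are set either way.
make_jail() {
    local root="$1" user="$2"
    mkdir -p "$root/upload"
    chmod 755 "$root"
    chmod 700 "$root/upload"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown root:root "$root"
        chown "$user:$user" "$root/upload"
    else
        echo "make_jail: not root or no such user '$user'; ownership left unchanged" >&2
    fi
}

# perm_of PATH: the mode string (e.g. drwxr-xr-x) for checking the layout.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage, as root on the FTP server:
#   make_jail /var/ftp/restricted_user restricted_user
#   write_vsftpd_conf /etc/vsftpd/vsftpd.conf
#   lint_vsftpd_conf /etc/vsftpd/vsftpd.conf && systemctl restart vsftpd
```

Run the lint against the configuration before every restart; it exits non-zero on any finding, so it can gate a deployment step.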
For situations where you need to expose existing directories without moving them, bind-mount them into the jail; the data keeps its original ownership and permissions, and only the mounted subtree becomes visible to the user:
# Create mount point
sudo mkdir -p /var/ftp/restricted_user/data
# Bind the target directory; for read-only access, remount the bind mount
# read-only (util-linux before 2.27 needs this separate step)
sudo mount --bind /path/to/actual/data /var/ftp/restricted_user/data
sudo mount -o remount,bind,ro /var/ftp/restricted_user/data
# Make persistent across reboots ("bind,ro" for the read-only variant; confirm
# after boot with findmnt /var/ftp/restricted_user/data)
echo "/path/to/actual/data /var/ftp/restricted_user/data none bind 0 0" | sudo tee -a /etc/fstab
After making changes, always test your configuration:
sudo systemctl restart vsftpd
ftp localhost
Common issues to check:
- SELinux: restore labels with restorecon -Rv /var/ftp; for uploads into the jail either enable the ftpd_full_access boolean (setsebool -P ftpd_full_access on) or label the writable directory public_content_rw_t. Bind-mounted content keeps the labels of its source directory.
- PAM: the vsftpd PAM stack on CentOS includes pam_shells, so /sbin/nologin must be listed in /etc/shells (it is by default); the user must also not appear in /etc/vsftpd/ftpusers or, with the default userlist_deny=YES, in /etc/vsftpd/user_list
- Directory permissions: the jail root must not be writable by the user, or the login fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"
- Firewall rules for port 21 and the passive range (on CentOS 7 and later: firewall-cmd --permanent --add-service=ftp, firewall-cmd --permanent --add-port=40000-50000/tcp, then firewall-cmd --reload)
For temporary access scenarios, consider implementing an expiration script:
#!/bin/bash
# user_expire.sh: create a chrooted FTP user whose account expires automatically
set -eu
USERNAME="temp_user"
EXPIRY_DAYS=7
useradd -d "/var/ftp/$USERNAME" -s /sbin/nologin "$USERNAME"
passwd "$USERNAME"
# Account expiry is enforced by PAM, through which vsftpd authenticates local users
chage -E "$(date -d "+$EXPIRY_DAYS days" +%Y-%m-%d)" "$USERNAME"
# useradd does not create the jail: root-owned top level, user-owned upload area
mkdir -p "/var/ftp/$USERNAME/upload"
chmod 755 "/var/ftp/$USERNAME"
chown "$USERNAME:$USERNAME" "/var/ftp/$USERNAME/upload"
chmod 700 "/var/ftp/$USERNAME/upload"
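Expiry only locks the login; the account, its jail and its data stay behind. The script below is an added example, not part of the original page: it lists the accounts homed under the FTP root whose expiry day (field 8 of /etc/shadow, days since 1970-01-01) has passed, so they can be removed. The passwd and shadow lines it builds for the demo are constructed, and `/var/ftp` is an assumed default.

```shell
#!/bin/bash
# Added example (not from the original page): find temporary FTP accounts
# whose shadow expiry day has passed. Only users whose home directory sits
# under the FTP root (default /var/ftp) are considered; the sample
# passwd/shadow lines below are constructed for the demo.
set -eu

# expired_ftp_accounts PASSWD SHADOW [FTP_ROOT]
# Print the name of every user whose home is under FTP_ROOT and whose
# account expiry day (shadow field 8) is today or earlier.
expired_ftp_accounts() {
    local passwd="$1" shadow="$2" ftp_root="${3:-/var/ftp}"
    local today=$(( $(date +%s) / 86400 ))
    awk -F: -v today="$today" -v root="$ftp_root/" '
        # First file (passwd): remember users homed under the FTP root
        NR == FNR { if (index($6, root) == 1) ftp[$1] = 1; next }
        # Second file (shadow): $8 is the expiry day, empty when never set
        ($1 in ftp) && $8 != "" && $8 + 0 <= today { print $1 }
    ' "$passwd" "$shadow"
}

# make_sample_files DIR: constructed passwd/shadow data for the demo.
# temp_user expired on day 10000 (1997), restricted_user never expires,
# alice is expired but is not an FTP jail account.
make_sample_files() {
    local dir="$1"
    cat > "$dir/passwd" <<'EOF'
temp_user:x:1001:1001::/var/ftp/temp_user:/sbin/nologin
restricted_user:x:1002:1002::/var/ftp/restricted_user:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
temp_user:$6$saltsalt$hashhash:19000:0:99999:7::10000:
restricted_user:$6$saltsalt$hashhash:19000:0:99999:7:::
alice:$6$saltsalt$hashhash:19000:0:99999:7::10000:
EOF
}

# Demo against the constructed files (prints "temp_user")
demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
echo "expired FTP accounts:"
expired_ftp_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"

# On the real system, as root, removing the account and its jail:
#   expired_ftp_accounts /etc/passwd /etc/shadow | while read -r u; do userdel -r "$u"; done
```

Reading /etc/shadow needs root, which is also what userdel needs, so the cleanup runs naturally from a root cron job; the chage -E value set above is exactly the field this script compares.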
When setting up temporary FTP access on CentOS with vsftpd, we often need to restrict users to specific directories while keeping the rest of the system out of reach. That takes more than creating users and directories: the chroot jail itself has to be laid out and configured correctly.
Here's the complete process to create a chrooted FTP user:
# Create the system user with restricted shell
sudo useradd -d /var/ftp/restricted_user -s /sbin/nologin restricted_user
# Set the password
sudo passwd restricted_user
# Create the directory structure: the jail root stays owned by root and not
# writable by the user (vsftpd refuses to chroot into a user-writable
# directory); the user gets a writable subdirectory below it
sudo mkdir -p /var/ftp/restricted_user/upload
sudo chown root:root /var/ftp/restricted_user
sudo chmod 755 /var/ftp/restricted_user
sudo chown restricted_user:restricted_user /var/ftp/restricted_user/upload
sudo chmod 700 /var/ftp/restricted_user/upload
Edit your vsftpd configuration (typically /etc/vsftpd/vsftpd.conf) with these critical settings:
# Enable chroot jail for all local users
chroot_local_user=YES
# Leave allow_writeable_chroot unset (NO): the jail root is root-owned, so
# vsftpd's writable-root check passes without that escape hatch
# Restrict each user to /var/ftp/<username>
user_sub_token=$USER
local_root=/var/ftp/$USER
To expose specific content directories inside the jail without moving them, bind-mount them in. This is the tighter option because only the chosen subtree becomes visible, with its ownership, permissions and SELinux labels unchanged:
# Create mount point
sudo mkdir -p /var/ftp/restricted_user/content
# Bind the target directory
sudo mount --bind /path/to/actual/content /var/ftp/restricted_user/content
# Make the binding persistent by adding this line to /etc/fstab (use "bind,ro"
# for read-only content; util-linux before 2.27 needed a separate remount for
# ro bind mounts, so confirm after boot with findmnt)
/path/to/actual/content /var/ftp/restricted_user/content none bind 0 0
After restarting vsftpd (sudo systemctl restart vsftpd), test with a real login:
ftp localhost
# Login with restricted_user credentials
pwd # Should show "/" (the jail root, not /var/ftp/restricted_user)
ls # Should only show the allowed content
Consider these additional security measures:
- Limit which source addresses may reach port 21 and the passive range, with iptables or, on CentOS 7 and later, a firewalld rich rule (for example, with 203.0.113.0/24 standing in for the allowed network: firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" service name="ftp" accept')
- Set local_umask=022 in vsftpd.conf so uploaded files are never group- or world-writable (vsftpd's built-in default of 077 is stricter still; the CentOS packaged config ships 022)
- Regularly audit user directories and permissions: every jail root should stay owned by root and non-writable, and nothing below it should be world-writable
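The audit in the last point can be scripted. The following is an added example, not code from the original page or from vsftpd: it walks the FTP root and reports jail roots that are not owned by the expected owner or are writable by group or other, plus anything deeper in the tree that is world-writable. The tree the demo builds is constructed; `/var/ftp`, the owner `root` and the function names are assumptions made here.

```shell
#!/bin/bash
# Added example (not from the original page): audit the FTP jail tree.
# Jail roots are the direct subdirectories of the FTP root; each should be
# owned by root and not writable by group/other, and nothing below a jail
# root should be world-writable. Symlinks are skipped (they always show 777).
set -eu

# audit_ftp_tree [FTP_ROOT] [OWNER]
# Print one finding per line and return 1 if there was any finding.
# OWNER may be a name or a numeric uid (find -user accepts both).
audit_ftp_tree() {
    local ftp_root="${1:-/var/ftp}" owner="${2:-root}" findings
    findings=$(
        # 1. jail roots not owned by OWNER: a user-owned root is a writable
        #    root, which vsftpd only accepts with allow_writeable_chroot=YES
        find "$ftp_root" -mindepth 1 -maxdepth 1 -type d ! -user "$owner" \
            -exec printf 'jail root not owned by %s: %s\n' "$owner" {} \;
        # 2. jail roots writable by group or other
        find "$ftp_root" -mindepth 1 -maxdepth 1 -type d \
            \( -perm -g+w -o -perm -o+w \) \
            -exec printf 'jail root writable by group/other: %s\n' {} \;
        # 3. world-writable files or directories inside the jails
        find "$ftp_root" -mindepth 2 ! -type l -perm -o+w \
            -exec printf 'world-writable inside jail: %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# make_sample_tree ROOT: constructed tree for the demo. "good" is laid out
# correctly, "bad" has a writable jail root, and good/upload holds a
# world-writable file.
make_sample_tree() {
    local root="$1"
    mkdir -p "$root/good/upload" "$root/bad"
    chmod 755 "$root/good"
    chmod 700 "$root/good/upload"
    chmod 777 "$root/bad"
    : > "$root/good/upload/loose.txt"
    chmod 666 "$root/good/upload/loose.txt"
}

# Demo on the constructed tree; the current uid stands in for root so the
# ownership check is meaningful without privileges (expect two findings)
demo=$(mktemp -d)
make_sample_tree "$demo/ftp"
audit_ftp_tree "$demo/ftp" "$(id -u)" || echo "(audit found problems)"
rm -rf "$demo"

# On a live server, as root:  audit_ftp_tree /var/ftp root
```

The non-zero exit status makes the function usable from cron or a monitoring check; the three find passes are deliberately separate so each finding names the rule it violated.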