vsftpd - how to restrict to home directory, while following symlinks

Shaggs · #1 21st June 2008, 05:01 AM

I'm trying to set up vsftpd to allow people to download certain files from my server. The files in question are in various directories on my server, along with directories I dont wish to share. I figured the best way to acheive this would be to:
1) Set up a single ftp group.
2) Create home directory for this ftp group.
3) in this ftp home directory, create a few symlinks to the specific directories I wish to share.
4) Add ftp users to this group, and ensure they are restricted to the home directory.

I have had mixed success with this. When I first tried it, it kind of worked OK - the user started off in the home directory (/home/ftp-user). They were able to browse the symlinked directories. Unfortunatly they were also able to change back to the root directory of the server, and browse other directories.

After a considerable amount of playing around with vsftpd.conf (In the end I added "chroot_local_user=YES"), I was able to restrict the user to the home directory - but this worked too well. They are now unable to switch to the symlinked directories.

So - how do I acheive what I want? Allow the user to switch to the symlinked directories within /home/ftp-user, without being able to brows the server root?

Thanks.

scottro · #2 21st June 2008, 11:31 AM

I wonder if mount -o bind would work? That is, mount the shared directory in /var/ftp/ (or wherever the home, chrooted directory is with the bind option, e.g.

mount -o bind share /var/ftp/userhome

That's never been a problem for me with pure-ftpd, however, I don't think I've ever shared directories above /var/ftp/home, so I may be wasting your time. (Aside from the fact that this was with pure-ftpd rather than vsftpd.)

Shaggs · #3 21st June 2008, 11:57 AM

Thanks - that did the trick nicely.

scottro · #4 21st June 2008, 12:27 PM

Glad to hear it. By the way, you seem to have double posted, you should probably edit the other one (that has no replies) until the mods get to it to clean it up. (By edit, I mean put something like please ignore, accidental double post in the subject line.)
Double posting, of course, is against the rules, but these forums are sometimes so slow that many of us, including <gasp> myself, have done it by accident.
Back to the subject at hand, thanks for posting that it worked--as I said in my original post, I wasn't sure that it would as it was untested in that particular situation.

Shaggs · #5 21st June 2008, 12:32 PM

Thanks - but it isnt a double post. It is a related but slightly different issue.

I have directories on both the fedora machine, and some windows machines, which I wish to share. Originally none of them were working. Your solution has enabled the directories on the fedora machine to work fine, but those on the windows share directories still do not. I suspect it is a different issue - perhaps a samba permission issue?