How to Chroot FTP Configuration in RHEL 8

Share on Social Media

In this guide, you will learn chroot FTP configuration to restrict users to /var/www/html directory. #centlinux #linux #chroot

Problem Definition

In some situations, we have to give FTP access to users, but we do not want to access the whole server using FTP protocol.

For such scenarios, we do chroot FTP configuration for users to restrict them to their home directories. But sometimes, we are required to restrict them to another directory, while keeping their home directories intact for ssh access.

In this article, we will show you how to install vsftpd (Very Secure FTP) service and configure chroot jail for the FTP users to limit their FTP sessions to their respective /var/www/html/[username] directories.

Read Also: How to configure Chroot SFTP Server in Linux

Environment Specification

We are using a minimal Red Hat Enterprise Linux 8 virtual machine with following specifications.

  • CPU – 3.4 Ghz (2 cores)
  • Memory – 2 GB
  • Storage – 40 GB
  • Operating System – RHEL 8.3
  • Hostname – apache-01.centlinux.com
  • IP Address – 192.168.116.238 /24

Recommended Online Training: Learn Bash Shell in Linux for Beginners

745772 0021

Create Users in Linux Operating System

Connect with apache-01.centlinux.com as root user by using a ssh client

You are required to create users for accessing your FTP server.

Therefore, execute following commands at Linux bash prompt to create users and set their respective passwords.

# useradd user1
# echo "linuxpassword" | passwd --stdin user1
Changing password for user user1.
passwd: all authentication tokens updated successfully.

# useradd user2
# echo "linuxpassword" | passwd --stdin user2
Changing password for user user2.
passwd: all authentication tokens updated successfully.

Hint: If you want to disable the SSH access for these users then you can set their login shell to /sbin/nologin.

Install VSFTPD on RHEL 8

VSFTPD is the default and preferred FTP server software in famous Linux distros including RHEL 8.

You can install the software package from standard yum repositories, if you have configured a valid Red Hat subscription.

# dnf install -y vsftpd
...Installed:
  vsftpd-3.0.3-32.el8.x86_64

Complete!

Generate SSL Certificate for FTP Service

Create a self signed SSL certificate for our FTP server. It is necessary, otherwise you won’t be able to login as a FTP user.

You can execute following openssl command to generate a self signed SSL certificate and a private key.

# openssl req -x509 -nodes -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem -days 365 -newkey rsa:2048
Generating a RSA private key
.........+++++
......+++++
writing new private key to '/etc/vsftpd/vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:Centlinux
Organizational Unit Name (eg, section) []:IT Lab
Common Name (eg, your name or your server's hostname) []:apache-01.centlinux.com
Email Address []:ahmer@apache-01.centlinux.com

Hint: If you have configured a Certificate Authority for your Network, then you can generate a CSR (Certificate Signing Request) and acquire a digital signature from your Certificate Authority.

Chroot FTP Configuration

Add your users in vsftpd user_list file. You can use vim text editor to edit user_list file.

# vi /etc/vsftpd/user_list

Add the users in this file.

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
user1
user2

Take a backup of vsftpd.conf file and then edit it in vim text editor.

# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.org
# vi /etc/vsftpd/vsftpd.conf

Locate and set following directives in this file. These settings are related to chroot FTP configuration and SSL configurations.

userlist_enable=YES
userlist_deny=NO
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1_2=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=30000
pasv_max_port=31000
debug_ssl=YES
chroot_local_user=YES
local_root=/var/www/html/$USER
user_sub_token=$USER
allow_writeable_chroot=YES

Start FTP Service

Enable and start FTP Service.

# systemctl enable --now vsftpd.service
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service â /usr/lib/systemd/system/vsftpd.service.

Check the status of FTP service.

# systemctl status vsftpd
â vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor pres>
   Active: active (running) since Sun 2021-03-21 09:37:18 EDT; 41s ago
  Process: 1643 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited>
 Main PID: 1644 (vsftpd)
    Tasks: 1 (limit: 5815)
   Memory: 868.0K
   CGroup: /system.slice/vsftpd.service
           ââ1644 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Mar 21 09:37:18 apache-01.centlinux.com systemd[1]: Starting Vsftpd ftp daemon.>
Mar 21 09:37:18 apache-01.centlinux.com systemd[1]: Started Vsftpd ftp daemon.

Configure Linux Firewall

Allow the FTP service ports in Linux firewall.

# firewall-cmd --permanent --add-service=ftp
success
# firewall-cmd --reload
success

Configure SELinux Boolean

Set the following SELinux boolean to disable SELinux MAC (Mandatory Linux Control) for FTP users.

It is necessary because the SELinux file context for /var/www/html directory is httpd_sys_content_t. Therefore, the FTP users may face permission issues.

# setsebool -P ftpd_full_access 1

Create Chroot FTP Directories

Create chroot FTP directories for your users.

# mkdir /var/www/html/user{1..2}

Set the ownership of chroot jail directories.

# chown -R user1:apache /var/www/html/user1
# chown -R user2:apache /var/www/html/user2

Create an empty file in each directory. So you can distinguish the chroot jail directory after login by using a FTP client.

# touch /var/www/html/user1/user1_files
# touch /var/www/html/user2/user2_files

Accessing FTP Server

You need a FTP client to access your FTP server. The default FTP client in RHEL 8 is lftp. You can install it from standard yum repositories.

# dnf install -y lftp

You can now use lftp command to access your FTP server.

# lftp user1@localhost
Password:
lftp user1@localhost:~> ls
ls: Fatal error: Certificate verification: Not trusted (31:98:F7:05:AB:E2:0B:46:BB:39:BE:93:1F:5B:A8:BD:34:E2:71:63)

The certification warning is due to the self signed certificate. You can suppress this warning in lftp by executing following command at Linux bash prompt.

#echo "set ssl:verify-certificate no" >> /etc/lftp.conf

Now, execute lftp command again.

 lftp user1@localhost
Password:
lftp user1@localhost:~> ls
-rw-r--r--    1 0        0               0 Mar 21 13:59 user1_files

You can see that the user1 is login to his own chroot FTP jail i.e. /var/www/html/user1.

Similarly, login as user2 FTP user.

# lftp user2@localhost
Password:
lftp user2@localhost:~> ls
-rw-r--r--    1 0        0               0 Mar 21 13:59 user2_files

Just like user1, user2 is login to his own chroot FTP jail i.e. /var/www/html/user2.

Our Chroot FTP Configurations are working fine.

Final Thoughts

In this guide, we have successfully performed Chroot FTP Configuration and restricted the FTP users to their respective chroot FTP jails within /var/www/html directory. Read CompTIA Linux+ Certification All-in-One Exam Guide: Exam XK0-004 (PAID LINK) by Ted Jordan & Sandor Strohmayer, if you want to build expertise in Linux operating system.

Leave a Comment