Allowing FTP access to files outside the home directory chroot
When we set up FTP server software (regardless of whether it is proftpd, vsftpd, etc.) we might face a dilemma: we want to restrict the access that ftp users have (normally limited to files in their own home directory), but we also want to allow them access to another folder that lives in a different location (like the development files for whatever work they are doing).
The problem is that if we configure the chroot restriction for the ftp users, they will, as expected, be locked inside the chrooted folder (let's say their home directory). If we try to create a symlink to the other folder they need, it simply will not let them change into that folder (that would mean breaking out of the chroot), which is the normal and expected behaviour: inside the chroot the symlink's target path is resolved relative to the chroot root, where it does not exist.
To illustrate this, let's consider that I am using vsftpd and one user, ftp_user. Chroot restriction is enabled on ftp accounts and his home is in /home/ftp_user. But I need to give him access to another folder, /var/www/dev/. Even though I am using vsftpd here, the same concept applies to any other ftp server software.
The configurations for vsftpd are basic ones (but I will include them at the end of the post for reference). The important one here is:
chroot_local_user=YES
Of course, one solution to overcome this limitation is to disable chroot and allow the ftp users full access to all the system files. This is not at all recommended, and this little tip will show you how you can achieve the same goal with chroot enabled. The solution to this little problem is to mount the needed directory using the --bind parameter; from the man page of mount: "--bind Remount a subtree somewhere else (so that its contents are available in both places)".
So we might do something like:
mkdir /home/ftp_user/www_dev
mount --bind /var/www/dev/ /home/ftp_user/www_dev
After this the ftp user will be able to see the needed files in his home directory and use them in his ftp client as if they were local files.
If you need to make this configuration permanent you can either add the mount command in some startup script or you can just include a line in /etc/fstab:
/var/www/dev /home/ftp_user/www_dev none bind 0 0
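As an added example (not code from the original post), here is a small POSIX shell script that performs the three steps above (mkdir, mount --bind, fstab entry) with the checks a careful administrator wants before doing this on a live server: the mount point must be empty, because a bind mount hides whatever is already in the target directory; the mount must not be made twice; and the fstab line must be added only once. The paths are the post's own; the function names and the optional third argument of persist_bind_mount (an alternative fstab file, handy for testing) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. It wraps the post's
# mkdir + mount --bind + fstab steps with pre-checks.
# Assumed paths: /var/www/dev (source) and /home/ftp_user/www_dev (mount point).

# 0 if the directory exists and has no entries (dotfiles included).
# A bind mount hides whatever is already in the mount point, so mounting
# over a non-empty directory makes those files unreachable until unmounted.
dir_is_empty() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

# 0 if something is already mounted on the mount point (reads Linux /proc/mounts).
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

# The /etc/fstab line from the post: "<source> <mountpoint> none bind 0 0".
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# 0 if the given fstab file already holds a bind entry for the mount point.
# Comment lines are skipped; fields are: source, mountpoint, fstype, options.
fstab_has_entry() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp && $4 == "bind" { found = 1 } END { exit !found }' "$1"
}

# Append the fstab entry once (idempotent). Third argument defaults to /etc/fstab.
persist_bind_mount() {
    src=$1; dst=$2; fstab=${3:-/etc/fstab}
    if fstab_has_entry "$fstab" "$dst"; then
        return 0
    fi
    fstab_bind_line "$src" "$dst" >> "$fstab"
}

# The complete procedure; needs root to run mount(8) and to write /etc/fstab.
setup_bind_mount() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "source $src is not a directory" >&2; return 1; }
    mkdir -p "$dst"
    if is_mounted "$dst"; then
        echo "$dst is already a mount point, leaving it alone" >&2
    elif ! dir_is_empty "$dst"; then
        echo "$dst is not empty; a bind mount would hide its contents" >&2
        return 1
    else
        mount --bind "$src" "$dst" || return 1
    fi
    persist_bind_mount "$src" "$dst"
}

# Usage (as root): setup_bind_mount /var/www/dev /home/ftp_user/www_dev
```

One caveat for vsftpd releases newer than the one this post was written against: from vsftpd 2.3.5 on, the daemon refuses to log a user in when the chroot root itself is writable by that user (the "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" error) unless allow_writeable_chroot=YES is set. Keeping /home/ftp_user owned by root and not writable by the user, and granting write access only inside the bind-mounted www_dev directory, satisfies that check without weakening the chroot.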
I hope that you have found this tip useful in case you have a similar issue. Just for reference, here is the vsftpd configuration used (the important parameter is only the one noted above, chroot_local_user):
/etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
5th August 2006, 16:17
this was great just what I needed
13th August 2006, 18:09
very useful - smart solution
16th August 2006, 02:29
real real cool one. Loved every bit of it .. Thanks!!!
4th October 2006, 05:04
Doesn’t work.
After I mounted /var/www to the /home/user/www directory, /home/user/www disappeared from the user's ftp folder. The user is in the root group and has permission to the /var/www directory.
6th October 2006, 17:53
Nick,
This works for sure. If you are having problems, test first locally (to eliminate the ftp client/server) and see if that works for the ftp user. If this works then you should proceed with ftp. I can't tell from this information what is wrong, but what I can tell you is that this definitely works and I have used this trick several times without any problems.
13th November 2006, 15:04
Great tip, but it doesn't work for me either. The bound directory contents can be listed fine from a terminal but don't show up on an ftp console. I've even used your sample vsftpd.conf.
14th December 2006, 09:38
Dave,
This definitely works fine. I can't see why this is not working for you... but if you still have problems, I might be available to help you out and troubleshoot this (just use the contact form to send me an email).
10th January 2007, 14:44
I have a similar problem. Fedora 6, brand new installation. I have a proper user set up and can log in and see stuff fine using the mount --bind option as above. But I am interested in having access to some file systems mounted as /u3 (stuff on different disk drives) and they will not show.
You can create a directory in /home/user and mount /u2 to /home/user/u2 and see it perfectly after logging in with a terminal. But the moment you use vsftpd to log in, the folders are gone!
14th January 2007, 11:02
Does not work for me either.
So Marius, you always tell us it works fine, but there are now already three of us on whose computers it does not work,
so do not state it works fine again.
The idea is good but something is wrong.
14th January 2007, 12:38
Rainer
I know a little bit more now:
your trick does not work if you mount /var/www/html,
that is the apache root folder.
If I mount other folders it works.
Peter RAINER
17th January 2007, 23:37
Rainer,
What are the permissions on that folder (/var/www/html)? Do you see a difference between that folder and one that worked for you? What happens when you mount it and try to use it?
It is hard for me to help you out, without even knowing what os you have, what ftp server, etc. Even so if you want I would like to help you troubleshoot this (just contact me on email if you are interested).
- Marius -
28th February 2007, 09:58
I had the same problem, luckily, I’ve found this
http://www.linuxforums.org/forum/linux-networking/45487-vsftp-help-mount-bind-giving-hard-time.html
So change the SE settings, and it should work. It works for me.
10th May 2007, 16:41
I am confused... isn't 'mount --bind source target' the order required?
10th May 2007, 17:29
Michael,
Yes, you are correct, that is the usage of the command... maybe in my example above I was not clear enough, but /var/www/dev/ is the source and /home/ftp_user/www_dev the target.
11th July 2007, 09:34
Well, I don't know what happens. I can bind my /home/ftp-docs with my /var/www/html/development, but now when I am trying to connect with a client to my remote server this error occurs:
Can’t connect to remote server. Socket error = #10065
Please help me in this regard.
Thanks
11th July 2007, 09:58
Junaid Ali: this is probably not related to the mount/bind thing. Are you sure you can connect to the server without this change? Can you properly reach the ftp server (firewalls, etc.)?
11th July 2007, 10:11
Well, I tried to connect offline and I can access the server because the server is in our local network. I have one more problem: I can create an alias in Apache for /home/ftp-docs, but when I try to access the web page in a browser I encounter this error:
You don't have permission to access /development1/index.htm on this server.
I can set permission 777 for this folder.
I am waiting for your positive response.
11th July 2007, 10:19
Ali, regarding your last question you need to ensure that the web server user (www-data, apache, nobody, etc. depending on your setup) has proper access to read the folder and also to the file (index.htm).
11th July 2007, 10:22
Well, I can make a copy of that file and paste it into the html folder and access that file from the client and it's working, but when I access this file through the /home/ftp-docs alias it's not working and tells me that I have no permission to access that file on the server.
11th July 2007, 10:53
Marius,
Please also tell me how I can check that the web server user (www-data, apache) has proper access to read the folder, as I am a newbie in linux, that's why I am asking this.
Thanks
11th July 2007, 17:37
Ali, a quick search on google returns many good docs on linux permissions:
http://www.google.com/search?hl=en&q=linux+permissions&btnG=Google+Search
hth, m.
23rd July 2007, 18:14
Looking for valid suggestions!!!!
Can connect to vsftpd server from cmd line and execute ls to see mounted folder.. Works ok..
From an XP FlashFTP client I cannot connect using passive mode (I get Opening data connection IP: xx.xx.xx.yy PORT: abcd, then Data Socket Error: No route to Host List Error).
FTP server on public IP via Netopia box (firewall not active yet anywhere). If I uncheck use Passive mode, then I can connect (same user/pwd as cmd line) but am unable to see the mounted folder. User is chrooted in home folder. Mount folder created in user's home dir and 'mount --bind' used to mount the other folder (user set as owner of folder). I know this works as I have it working on another PC. Problem PC is FC4 with vsftpd-2.03-1. I am curious why I cannot see the mounted folder when I connect. TIA.
26th July 2007, 13:13
Issue resolved. I was wrong about no firewall. Security was enabled on the FC4 box and iptables was running. If I stop iptables, I can connect with FlashFTP in passive mode. I now need to identify a solution that will work with the firewall still operational.
26th July 2007, 15:09
mr.T.: can you please paste the related firewall rules here? After that I should be able to give you some details on how to fix that issue.
2nd August 2007, 00:46
Hi!
Thanks for the great tip - that’s exactly what I’ve needed. I use vsftpd with pam_mysql and local_root=/home/vsftpd/$USER.
I have run into Apache2 problems too - The main problem is that, with my setup, (and rightly so) all files uploaded are masked 022 and belong to vsftpd:nogroup.
But, I want ftp users to have the same ownership as www-data in the mounted dir, so that they can upload, delete, etc files with www-data:www-data ownership.
To put it another way, I guess I’m trying to find a way to let the ftp users to create all files as www-data:www-data in the mounted dir, and not as vsftpd:nobody.
Side note background: I would not like to run Apache 2 in any mounted www dir as anything else than www-data. Apache’s config should stay as it is - I would rather alter my vsftpd config.
Can this be done, and is it safe? What would you recommend? Isn’t this a common problem in a shared hosting environment (I am new to web host setup).
Thanks again for this useful resource.
29th August 2007, 20:01
Mate you are a hero, I sat with this problem for over a week.
Well done and thanks.
cheers
David.
2nd September 2007, 18:51
Great, works like a charm.
5th November 2007, 10:26
To avoid this in proftpd I add this line to /etc/proftpd/proftpd.conf:
DefaultRoot ~
Easy, isn't it?
cheers, clsox
9th November 2007, 08:37
Great... It works... Thanks...
But why, if I connect from windows, can't I write or delete a file...
Please help..
Thanks
9th November 2007, 16:59
Dhany: you mean that using the same ftp user you see different results on win compared to linux?
12th November 2007, 01:16
Yup, that's right... in linux I can write or delete a file but not in windows...
Thanks
12th November 2007, 08:27
Dhany: no idea what could be wrong… Maybe try with a different ftp program? Are you sure that the file permissions are ok? It doesn’t make any sense to be able to do this from linux and not from windows… Sorry but without seeing this happening it is hard for me to help you more on this issue.
15th November 2007, 02:45
Windows message
“An Error occurred creating a new folder on the FTP Server”
“Details :
550 Create directory operation failed”
Thanks for your positive response.
15th November 2007, 07:46
Dhany: if you want please use the contact form to send me a message with your contacts so we can discuss on some instant message to give me more details so I can help you on this. Sorry without seeing this it is impossible for me to help you as I can’t understand what might be wrong on your setup. So again ping me and I will take a look at your server setup and help you out.
15th May 2008, 22:41
[...] I already have an existing CentOS 5.1 server running Asterisk with several VoIP phones scattered throughout the country for Sators.com running smooth and I gave myself the pat on the back after getting that all setup. I previously had all of my working files for development and my documents stored on a Buffalo Linkstation with everybody talking gigabit to each other. That was fine and dandy, especially cause the Linkstation can talk Samba, but the main thing that I miss about a previous setup is having FTP users for each of my web clients for them to login, transfer content for the project, and it be delivered right to their client project folder for easy access. I was able to mount the Linkstation in CentOS and get FTP users to login and be mapped to the Linkstation, however the problem arose when files were tried to be uploaded. vsftpd tried to assign owner/permissions and the Linkstation not happy with that. So I scrounged up several hard drives that weren’t being used and used the CentOS Logical Volume Manager to create a Samba store drive that I mounted to /samba/ and spent the last 12 hours copying 125GB of data to the CentOS box and working on remapping everything. Thanks MDLog:/sysadmin. [...]
28th June 2008, 22:16
Thanks for this, works for what I need, just one question:
after setting the mount --bind to the system directory, from my FTP program (FileZilla) I cannot see the existing files in the system directory.
e.g. mount --bind /home/dir1 /home/ftpuser/dir1
and /home/dir1 already has files in it, but when I connect I cannot see these existing files via FTP.
Anyone any ideas how I can get to see the existing files that are in the system folder when I FTP in?
29th June 2008, 07:05
CaludonAdministrator: that is normal as the mount will hide the existing files in dir1 directory. You should use an empty folder to mount this as you will not be able to show the files in the original /home/dir1 folder (even from the local system not only from ftp).
hth, -M.
29th June 2008, 07:21
Marius: Thanks. In a good way, the files do appear; I was more persistent with it and in reality it was [me]. It seemed to take a couple of minutes for the mount --bind and a few close-downs of my FTP client, and now all files appear.
Once I tweaked the security permissions I could then drwx and update the web site files as needed.
My bad I think and was just too impatient.
29th June 2008, 07:25
CaludonAdministrator: I guess I misunderstood your problem. Anyway, the important thing is that all is working for you.
Cheers,
- Marius -
29th June 2008, 07:34
Normally when that happens, it was my explanation(!)
Thanks
12th August 2008, 17:21
Just wonderful, was looking for a way to give one user ftp access to upload a theme for moodle, and this is just perfect. THANK YOU.
20th November 2008, 17:39
It works!! At first it did not, but I found the issue!
Be careful with the rwx privileges: the user must have the write privilege on the directory /home/ftp_user/www_dev and on /var/www/dev/ (so on /var/www/ too...) and the associated group for /var/www must be ftp...
Pedro
3rd February 2009, 21:29
Awesome! I used this to setup access to /var/www and it worked like a charm.
17th May 2009, 03:41
Great stuff -thank you very much.