Allowing FTP access to files outside the home directory chroot

When we setup an FTP server software (regardless if this is proftpd, vsftpd, etc.) we might face a dilemma: we want to restrict the access that ftp users will have (limited access to files normally in their own home directory) but also we want to allow them access to another folder that is normally in a different location (like development files for whatever work they are doing).

The problem is that if we configure the chroot restriction for the ftp users we will notice that as expected they will be locked in the chrooted folder (let’s say their home directory). If we try to create a symlink to the other folder they need access, this will just not allow them to change into that folder (break out the chroot) and this is very normal. To exemplify this let’s consider that I am using vsftpd and one user ftp_user. Chroot restriction is enabled on ftp accounts and his home is in /home/ftp_user. But I need to provide him access for another folder /var/www/dev/. Even though I am using here vsftpd the same concept applies to any other ftp server software.

The configurations for vsftpd are basic ones (but I will include them at the end of the post for reference). The important one here is:

chroot_local_user=YES

Of course that one solution to overcome this limitation is to disable chroot and allow the ftp users full access to all the system files. This is not at all recommended and this little tip will show you how you can achieve this with chroot enabled. The solution to this little problem is to mount the needed directory using the –bind parameter… from the man page of mount: “–bind Remount a subtree somewhere else (so that its contents are available in both places)”.

So we might do something like:

mkdir /home/ftp_user/www_dev
mount --bind /var/www/dev/ /home/ftp_user/www_dev

After this the ftp user will be able to see the needed files in his home directory and use them in his ftp client as if they were local files.

If you need to make this configuration permanent you can either add the mount command in some startup script or you can just include a line in /etc/fstab:

/var/www/dev  /home/ftp_user/www_dev    none    bind    0       0

I hope that you have found this tip useful in case you have a similar issue… Just for the reference here is the vsftpd configuration used (the important parameter is only the one noted above chroot_local_users):

/etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
comments powered by Disqus