We adminster Opensuse servers for some of our customers at server hosters – e.g. at Strato, a Telekom subsidiary. Sometimes some web server files have to be upgraded either by us or by specific users of the customer. But only sometimes. Under normal operative conditions the FTP access to the server shall not be allowed.
To enable a FTP service we have installed „vsftp“. We further want the FTP users of our customers not to be able to access a shell on the server and restrict their FTP access to a certain directory. However, some of our own admins shall be able to access other server directories by FTP also.
Some basics of how you may set up and configure a vsftp server on an Opensuse system have already been described in my article
vsftp unter Opensuse 12.2 und 12.3.
The basic settings are valid for Opensuse 13.1, too. The settings discussed in the named article already restricted FTP users to a specific directory.
Sporadic FTP access
We solve the sporadic access requirement as follows:
The firewall on the server blocks all ports (with the exception of a dedicated SSH-Port for certificate based SSH logins and http/https ports) under normal operation conditions. But a trained user at the customer site can open a SSH connection and is allowed to start (but not change) a shell script (running with root rights) that temporarily opens ports for FTP connections for a defined IP (the WAN IP of the customer) to the vsftp server.
A simplified example for such a shell script that manipulates a IP chain called „zugriff“ may look like:
#!/bin/bash iptables -N zugriff iptables -F zugriff myip=CUSTOMER_IP_ADDRESS iptables -A zugriff -p TCP -s $myip --dport ftp -j ACCEPT iptables -A zugriff -p TCP -s $myip --dport 62050:62100 -j ACCEPT iptables -t filter -I INPUT 4 -j zugriff echo "vsftp port and IP rules were set for : " $myip systemctl start vsftpd.service echo "vsftp started"
A related simple stop script would be:
#!/bin/bash iptables -F zugriff iptables -t filter -D INPUT -j zugriff systemctl stop vsftpd.service echo "FTP services stopped. FTP ports blocked in firewall."
The choice of the passive vsftp ports (in our example the range between 62050 and 62200) must of course correspond to the passive port settings in the vsftp configuration. Set the following options in the vsftpd.conf file:
You may also combine the script commands given above with further commands to start a time interval after which the ports are blocked automatically again. (To prevent possible harm if your trained customer user forgets to stop the vsftp service manually by the given stop scipt).
Grant FTP access to users of a defined list
The vsftp configuration given in my previous article vsftp unter Opensuse 12.2 und 12.3. allows for the access of all locally defined users on the server. They get chrooted to a defined chroot directory.
Note that the single FTP user discussed in the named article got the shell „/bin/false“. Note further that we did not allow anonymous FTP access.
At our customer several users with different UIDs shall get the right to transfer files to the server. The different UIDs shall give us a chance to distinguish their actions in log protocols. (Note that logging the action of users may require special working contract conditions in Germany).
All of the FTP users become members of a special
group. The main FTP directory – let it e.g. be „/srv/www/htdocs/webs“ – which becomes their home dir and to which they are restricted by the vsftpd options
– gets group ownership of this special group. In addition the SGID bit is set. All of the customer’s FTP users get the shell „bin/false“.
Now, how to restrict the FTP access to defined users among others (e.g. from our own company) and how to extend the directory access for our own admins?
To restrict FTP access to users of a defined list requires the following options:
and a file „/etc/vsftpd.user_list“ with just the UIDs of the users you want to rant FTP access – each UID in a separate line. The first option tells the vsftpd daemon that the users enlisted in the file „/etc/vsftpd.user_list“ get the FTP access granted and shall not be denied it.
Note 1: I had considerable difficulties with my first userlist file, which I had generated and edited with vi on the server. Probably, I did some mistypes whilst editing… Be sure that your userlist file does not contain any special characters not visible on your terminal and that each UID is followed by a line break! Create the file from scratch if you experience unexplainable difficulties or read errors for the file in you FTP client. See: https://groups.google.com/forum/#!msg/alt-f/jtslOMt5aTA/1TW2kGkvmbkJ
Note 2: The file must be readable to the user running the vsftpd process on the server. On Opensuse systems this is presently „root“ or „ftpsecure“ – depending a bit on how you start the process. You may change ownership of the file to the user „ftpsecure“ and drop the standard readability right for „others“ – depending on security conditiosn.
Due to the vsftpd option „chroot_local_user=YES“ the users get jailed to a certain directory (in our example to directories below „/srv/www/htdocs/webs“). We may want to circumvent this restriction for our own admins whereas for the customer’s users it shall hold and work. To define such an exception requires further vsftp options:
If „chroot_local_use“ is set to „YES“ then UIDs given (one per line) in the file „vsftpd.chroot_list“ are NOT jailed to a chroot directory. In this case the file „/etc/vsftpd.chroot_list“ defines exceptions from the chroot-rule. Note, however, that if you had set
the opposite would be true: In this case the file „/etc/vsftpd.chroot_list“ defines users to be explicitly jailed!
So, now we have combined all our objectives:
We open FTP access when we need it, we grant access to a list of users with most of them jailed to a certain directory
and we grant access to all directories for selected admins.
Have much fun with vsftp on Opensuse!