Data security and data integrity are critical for the successful functioning of any enterprise infrastructure. Setting up file servers to transfer files via FTP & SFTP is common practice. Some files being transferred and shared using FTP servers could have very important information like customer and billing data. Accidental deletion of such files could cause a major problem for the system administrator. If the passwords for the accounts being used to access these files get leaked and someone purposefully deletes the files then this could also cause a major issue. In one of our previous articles, we demonstrated how to configure chrooted sftp user accounts wherein the user was not permitted to access any folder outside the realm of it’s own home directory. This is a secure setup and is frequently implemented in organizations across the globe.
In this article, we’ll shift our focus back to ftp and show you step by step how you could prevent specific users from deleting any files they might have access to.
Step 1: Add the test user
For the purpose of this demonstration we’ll be working on a Centos 6.8 system and will use a user account named nixuser to test our setup. So, first we’ll add this user.
[root@linuxnix ~]# useradd -s /bin/false nixuser [root@linuxnix ~]# passwd nixuser Changing password for user nixuser. New password: BAD PASSWORD: it is WAY too short BAD PASSWORD: is too simple Retype new password: passwd: all authentication tokens updated successfully. [root@linuxnix ~]#
Step 2: Ensure that the vsftpd service is running
[root@linuxnix ~]# service vsftpd status vsftpd (pid 6243) is running... [root@linuxnix ~]#
We would have to add firewall rules for ports 20 and 21 but since this is a lab setup we’ve disabled iptables and also set SELinux to permissive mode.
Step 3: Create vsftpd_user_conf directory
Now we will create a directory named vsftpd_user_conf under the /etc/vsftpd directory. This directory will contain configuration files for individual ftp users.
[root@linuxnix ~]# mkdir /etc/vsftpd/vsftpd_user_conf [root@linuxnix ~]# ls -ld /etc/vsftpd/vsftpd_user_conf drwxr-xr-x. 2 root root 4096 Jul 20 10:00 /etc/vsftpd/vsftpd_user_conf [root@linuxnix ~]#
Step 4: Create configuration file for user under /etc/vsftpd/vsftpd_user_conf
Now that we have created the /etc/vsftpd/vsftpd_user_conf we’ll create a configuration file named nixuser for our test user nixuser within this directory and populate it with the below content:
[root@linuxnix ~]# cat /etc/vsftpd/vsftpd_user_conf/nixuser #Disable access to the below command# cmds_denied=DELE,RMD [root@linuxnix ~]#
Step 5: Update /etc/vsftpd/vsftpd.conf file
We’ll noe add the directive user_config_dir in the /etc/vsftpd/vsftpd.conf file and specify the location as /etc/vsftpd/vsftpd_user_conf.
[root@linuxnix ~]# grep user_config_dir /etc/vsftpd/vsftpd.conf user_config_dir=/etc/vsftpd/vsftpd_user_conf [root@linuxnix ~]#
In order for the changes to take effect we need to reload the vsftpd service.
[root@linuxnix ~]# service vsftpd reload Shutting down vsftpd: [ OK ] Starting vsftpd for vsftpd: [ OK ] [root@linuxnix ~]#
Step 6: Validate the configuration
To test our setup I’ve placed a couple of in the home directory of nixuser and the files are owned by nixuser.
[root@linuxnix nixuser]# pwd /home/nixuser [root@linuxnix nixuser]# ls -ltr total 0 -rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file5 -rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file4 -rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file3 -rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file2 -rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file1 [root@linuxnix nixuser]#
Now we’ll log in to our FTP server as nixuser and try to delete some files.
[root@linuxnix ~]# ftp 172.31.27.196 Connected to 172.31.27.196 (172.31.27.196). 220 (vsFTPd 2.2.2) Name (172.31.27.196:root): nixuser 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 227 Entering Passive Mode (172,31,27,196,253,121). 150 Here comes the directory listing. -rw-rw-r-- 1 501 502 0 Jul 22 08:57 file1 -rw-rw-r-- 1 501 502 0 Jul 22 08:57 file2 -rw-rw-r-- 1 501 502 0 Jul 22 08:57 file3 -rw-rw-r-- 1 501 502 0 Jul 22 08:57 file4 -rw-rw-r-- 1 501 502 0 Jul 22 08:57 file5 226 Directory send OK. ftp> rm file1 550 Permission denied. ftp> rm file4 550 Permission denied. ftp> 221 Goodbye. [root@linuxnix ~]#
As you can observe from the above command line output we were not able to delete any files while logged in as the nixuser even though the files were owned by nixuser. This successful test confirms the validity of the setup.
In this article we demonstrated how we could prevent users logged in via ftp from deleting files even when the files are owned by the currently logged in users themselves. This setup could help to serve as an additional safety measure in an enterprise FTP server. We hope that you’ve found this article to be useful and we look forward towards your suggestions and feedback.
Latest posts by Sahil Suri (see all)
- Setting up chrooted ssh jails in Linux - October 8, 2019
- How To exclude copying of specific directories in Linux using cp/scp/rsync - October 7, 2019
- Docker container ports explained - September 27, 2019
- Docker Volumes explained - September 25, 2019
- Docker networking commands explained - September 24, 2019