40.7. Restricting Users to Their Home Directories

By default, clients that log in to ProFTPD as a valid UNIX user (not anonymous) can browse your system's entire filesystem, just as they could if the same user logged in via SSH or telnet. This is not always desirable on a system with multiple untrusted users whom you want to prevent from seeing each other's files. Even though UNIX permissions can be used to stop users from listing each other's directories, they cause problems if you are also running a webserver and need its httpd user to have read access to everyone's files.

Fortunately, ProFTPD makes it easy to restrict users to their home directories or to some other directory. Because this restriction applies only to FTP connections, it is of little use if those same users can also telnet or SSH in. It is easy, however, to allow a user to connect only via FTP by giving him a nonfunctional shell such as /bin/false. On a virtual hosting server, users only really need to upload files for their websites and do not need UNIX shell access at all. Just make sure that /bin/false, or whatever nonfunctional shell you choose, is listed in the /etc/shells file, because ProFTPD by default refuses logins from accounts whose shell is not in that file (the RequireValidShell directive, which defaults to on, controls this check). Bear in mind that listing /bin/false in /etc/shells also makes it an acceptable shell to other programs that consult the file, such as chsh; if that is a concern, the alternative is to turn RequireValidShell off in the ProFTPD configuration instead.

To restrict the directories that FTP clients can access, follow these steps:

1.
If you want the restriction to apply to only a single virtual server, click on its icon on the module's main page and then on the Files and Directories icon on the virtual server options page. This is not advisable, however, because ProFTPD picks the virtual server from the address a client connects to, so a user could avoid the restriction simply by connecting to another, unrestricted virtual server. Instead, you should click the Files and Directories icon in the Global Configuration section on the main page. Any restrictions defined there apply to all servers. Either way, the page for configuring how the server lists directories and which ones are available (shown in Figure 40.3) will appear.

Figure 40.3. The files and directories form.


2.
The Limit users to directories field is actually a table that allows you to enter one directory limitation at a time. It will always have one blank row, and if this is the first such restriction you have created that is all it will contain.

In the Directory column, select Home directory if you want each user confined to his own home directory. You can also select the third radio button and enter an absolute path like /home or /var/www to confine users to that directory. It is also possible to enter a path relative to the users' home directories, such as ~/public_html, which confines each user to that subdirectory of his own home.

In the UNIX groups column, either select Everyone to have the restriction apply to all users, or select the second radio button and enter a group name to have it apply only to the members of that group. Multiple groups can be entered by separating their names with commas, like users,staff.

3.
Click the Save button to return to the virtual server options page. If you want to add another restriction (such as for a different group and directory), click on Files and Directories again and fill in the new blank row in the table.

4.
When done, return to the module's main page and hit the Apply Changes button to make the restrictions active.

From now on, when restricted users connect they will be unable to see files outside the specified directory, or even work out to which directory they have been limited, because the restricted directory appears to them as the root of the filesystem. Unlike some other FTP servers that support this kind of restriction, there is no need to copy any files or libraries like /bin/ls into the directory, as ProFTPD does not depend on any external programs to list or transfer files. Two caveats apply. First, the restriction works like a chroot, so a symbolic link inside the directory that points outside it will not resolve for FTP clients. Second, normal UNIX permissions still apply inside the restricted directory, so files that are readable by the user's UID or group remain readable to him; the restriction is a complement to sensible permissions, not a substitute for them.
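The Files and Directories form writes ProFTPD's DefaultRoot directive into proftpd.conf, one directive per row of the Limit users to directories table. The fragment below is an added example for this chapter, not configuration taken from the book or from the Webmin module; the hostname, paths and group names (web, users, staff, admins) are assumed for illustration. It shows the unrestricted form beside the restricted one and, in addition to what the form offers, the "!" negation that ProFTPD accepts in the group expression.

```apache
# Added example: the proftpd.conf that the Files and Directories form produces.
# Hostname, paths and group names below are assumptions, not taken from the page.

# Weak: a virtual server with no DefaultRoot, so any valid UNIX user who logs
# in over FTP can browse the entire filesystem.
<VirtualHost ftp.example.com>
    ServerName "Example virtual host (unrestricted)"
</VirtualHost>

# Hardened: DefaultRoot placed in the global (server config) context, outside
# any <VirtualHost>, so it applies to every virtual server rather than to one
# that a client could bypass by connecting to a different address.
#
# ProFTPD uses the first DefaultRoot whose group expression matches the
# logged-in user, so list the more specific rows before the catch-all.

# Row: Directory = ~/public_html, UNIX groups = web
DefaultRoot ~/public_html web

# Row: Directory = /var/www, UNIX groups = users,staff
DefaultRoot /var/www users,staff

# Beyond the form: a "!" in the expression negates a group, so this row would
# confine everyone who is NOT in the admins group to their home directory.
# DefaultRoot ~ !admins

# Row: Directory = Home directory, UNIX groups = Everyone (the catch-all)
DefaultRoot ~

# For FTP-only accounts whose shell is /bin/false: either list /bin/false in
# /etc/shells, or disable ProFTPD's /etc/shells check altogether (default: on).
RequireValidShell off
```

After editing proftpd.conf by hand rather than through Webmin, restart or reload ProFTPD so the new DefaultRoot lines take effect; a restricted user who then logs in and issues PWD will see "/" rather than the real path of the confined directory.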
