VSFTPD

[redstrike]

Hey folks,

I've currently setup a few source servers on my CentOS 5.2 box.

I've got it so that I have them all running under a different user account (servers) so the files are:

/home/servers/css1
/home/servers/css2
/home/servers/css3

etc.

Now I'm looking to setup VSFTPD so that I can give users access to the cstrike folder for each server.

person A would be able to see /css1/cstrike/ only
person B would be able to see /css2/cstrike/ only

etc.

Looking from tutorials and stuff for VSFTPD does it now mean I have to:

(1) create a user for each server? IE:

/home/css1/
/home/css2/

(2) have that user account password as the FTP password meaning insecurities through SSH?

[m0-]

Why not just use proftpd, and set proper permissions for each server so that user could only access it. And just make link from users home directory to the server so they could ssh/ftp inside it.

[txqzr4]

set users home directory to corresponding directory and add 'chroot_local_user=YES' to your config.

[redstrike]

txqzr4 Wrote:set users home directory to corresponding directory and add 'chroot_local_user=YES' to your config.

Awesome, thanks. Is there a way to restrict the FTP (and subsequent system user account) from using ssh?

[txqzr4]

redstrike Wrote:Awesome, thanks. Is there a way to restrict the FTP (and subsequent system user account) from using ssh?

set the users shell to /sbin/nologin

[m0-]

Either edit the user in /etc/passwd to /bin/false so he would have no shell, or usermod --lock [user]

[txqzr4]

/bin/false will work as well. either way, its better to get into the practice of using usermod rather than editing /etc/passwd directly. command is usermod -s, i.e.:

usermod -s /bin/false username

[redstrike]

I'm currentley using as part of my script

Code:

useradd -g ftpusers -d /home/servers/server1/ -s /sbin/nologin server1

would it be better to use /sbin/false?

[txqzr4]

redstrike Wrote:I'm currentley using as part of my script

Code:

useradd -g ftpusers -d /home/servers/server1/ -s /sbin/nologin server1

would it be better to use /sbin/false?

either works equally well

[redstrike]

Thanks for the help txqzr4.

I'm running in to a permissions problem now with VSFTPD.
Because I've got 4 users:

Code:

servers
svr1
svr2
svr3

Code:

servers home dir: /home/servers/
svr1 home dir: /home/servers/svr1
svr2 home dir: /home/servers/svr2
svr3 home dir: /home/servers/svr3

When the svr1 logs into FTP he can't access his home directory because he doesn't have permissions to /home/servers (the parent folder)

I have changed the permissions in testing you chown so that svr1 would own /home/servers and FTP works but I can't have that in the long run because of the other users.

How can I make permissions universal (or something) so that all my users can have access to:

Code:

/home/servers/

and any subfolders?

[txqzr4]

is there a reason the svr* folders must be under the home directory for the servers user? if not, i would highly recommend placing them directly under the home directory.

[redstrike]

txqzr4 Wrote:is there a reason the svr* folders must be under the home directory for the servers user? if not, i would highly recommend placing them directly under the home directory.

No, it was originally due to wanting to execute my start/stop bash scripts without permission problems.

I take it there wouldn't be a problem running things via the servers user if the files were in the /home/ dir?

[txqzr4]

no problem as long as the proper permissions are set. it might be helpful to explain exactly what you are trying to accomplish. to clarify -- are you wanting to run multiple games under the same user, or run each one under a different user? I was assuming the former, but it sounds like you are trying to do the latter. i'm confused because earlier it sounded like each server had a svr* user, but now you are talking about running them all under servers.

[redstrike]

The plan is to have 2 main users.

SERVERS
This user will run the srcds servers. They will be managed by this user via bash scripts. The bash scripts will start/stop/restart/update each of the servers.

FTP
This user will be privilege-less and only be used for running the FTP daemon.

I was then planning to use VSFTPD for my FTP. To use that I was planning to create 3 users (SVR1,SVR2,SVR3) without shell access and set their home directory to within the SERVERS account so that the bash scripts can be executed by SERVERS without permission problems. These users will be strictly for ftp access for people owning the servers.