Introduction

Data security and data integrity are critical for the successful functioning of any enterprise infrastructure. Setting up file servers to transfer files via FTP & SFTP is common practice. Some files being transferred and shared using FTP servers could have very important information like customer and billing data. Accidental deletion of such files could cause a major problem for the system administrator. If the passwords for the accounts being used to access these files get leaked and someone purposefully deletes the files then this could also cause a major issue. In one of our previous articles, we demonstrated how to configure chrooted sftp user accounts wherein the user was not permitted to access any folder outside the realm of it’s own home directory. This is a secure setup and is frequently implemented in organizations across the globe.
In this article, we’ll shift our focus back to ftp and show you step by step how you could prevent specific users from deleting any files they might have access to.

Step 1: Add the test user
For the purpose of this demonstration we’ll be working on a Centos 6.8 system and will use a user account named nixuser to test our setup. So, first we’ll add this user.

[root@linuxnix ~]# useradd -s /bin/false nixuser
[root@linuxnix ~]# passwd nixuser
Changing password for user nixuser.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@linuxnix ~]#

Step 2: Ensure that the vsftpd service is running

[root@linuxnix ~]# service vsftpd status
vsftpd (pid 6243) is running...
[root@linuxnix ~]#

We would have to add firewall rules for ports 20 and 21 but since this is a lab setup we’ve disabled iptables and also set SELinux to permissive mode.

Step 3: Create vsftpd_user_conf directory
Now we will create a directory named vsftpd_user_conf under the /etc/vsftpd directory. This directory will contain configuration files for individual ftp users.

[root@linuxnix ~]# mkdir /etc/vsftpd/vsftpd_user_conf
[root@linuxnix ~]# ls -ld /etc/vsftpd/vsftpd_user_conf
drwxr-xr-x. 2 root root 4096 Jul 20 10:00 /etc/vsftpd/vsftpd_user_conf
[root@linuxnix ~]#

Step 4: Create configuration file for user under /etc/vsftpd/vsftpd_user_conf
Now that we have created the /etc/vsftpd/vsftpd_user_conf we’ll create a configuration file named nixuser for our test user nixuser within this directory and populate it with the below content:

[root@linuxnix ~]# cat /etc/vsftpd/vsftpd_user_conf/nixuser
#Disable access to the below command#
cmds_denied=DELE,RMD
[root@linuxnix ~]#

Step 5: Update /etc/vsftpd/vsftpd.conf file
We’ll noe add the directive user_config_dir in the /etc/vsftpd/vsftpd.conf file and specify the location as /etc/vsftpd/vsftpd_user_conf.

[root@linuxnix ~]# grep user_config_dir /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd/vsftpd_user_conf
[root@linuxnix ~]#

In order for the changes to take effect we need to reload the vsftpd service.

[root@linuxnix ~]# service vsftpd reload
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@linuxnix ~]#

Step 6: Validate the configuration
To test our setup I’ve placed a couple of in the home directory of nixuser and the files are owned by nixuser.

[root@linuxnix nixuser]# pwd
/home/nixuser
[root@linuxnix nixuser]# ls -ltr
total 0
-rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file5
-rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file4
-rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file3
-rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file2
-rw-r--r--. 1 nixuser nixuser 0 Jul 20 10:17 file1
[root@linuxnix nixuser]#

Now we’ll log in to our FTP server as nixuser and try to delete some files.

[root@linuxnix ~]# ftp 172.31.27.196
Connected to 172.31.27.196 (172.31.27.196).
220 (vsFTPd 2.2.2)
Name (172.31.27.196:root): nixuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,31,27,196,253,121).
150 Here comes the directory listing.
-rw-rw-r-- 1 501 502 0 Jul 22 08:57 file1
-rw-rw-r-- 1 501 502 0 Jul 22 08:57 file2
-rw-rw-r-- 1 501 502 0 Jul 22 08:57 file3
-rw-rw-r-- 1 501 502 0 Jul 22 08:57 file4
-rw-rw-r-- 1 501 502 0 Jul 22 08:57 file5
226 Directory send OK.
ftp> rm file1
550 Permission denied.
ftp> rm file4
550 Permission denied.
ftp> 221 Goodbye.
[root@linuxnix ~]#

As you can observe from the above command line output we were not able to delete any files while logged in as the nixuser even though the files were owned by nixuser. This successful test confirms the validity of the setup.

 

Conclusion

In this article we demonstrated how we could prevent users logged in via ftp from deleting files even when the files are owned by the currently logged in users themselves. This setup could help to serve as an additional safety measure in an enterprise FTP server. We hope that you’ve found this article to be useful and we look forward towards your suggestions and feedback.

Post Views: 10,434
The following two tabs change content below.

Sahil Suri

He started his career in IT in 2011 as a system administrator. He has since worked with HP-UX, Solaris and Linux operating systems along with exposure to high availability and virtualization solutions. He has a keen interest in shell, Python and Perl scripting and is learning the ropes on AWS cloud, DevOps tools, and methodologies. He enjoys sharing the knowledge he's gained over the years with the rest of the community.