Create a user with home directory /foo. Otherwise we can create a normal user and then edit /etc/passwd to change the home directory (useradd hari -d /foo).
Here we chose the latter option since it's a sensible directory and we don't wnat to take risk by putting .bash files.
# useradd hari
# grep hari /etc/passwd
hari:x:796:796::/home/hari:/bin/bash
Now change the home directory to /foo
# vi /etc/passwd
# grep hari /etc/passwd
hari:x:796:796::/foo:/sbin/nologin
Note that we have changed the home directory from /home/hari to /foo and the shell from /bin/bash to /sbin/nologin
Added the below two lines in /etc/vsftpd/vsftpd.conf for enabling chroot functionality.
# vi /etc/vsftpd/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Now add the user hari to Chroot List file.
# echo hari >> /etc/vsftpd.chroot_list
Now verify the permission of /foo, /foo/tux and /foo/beastie
[root@psycho ~]# ls -ld /foo/
drwxrwx--- 17 root ftpuser 4096 Feb 6 19:58 /foo/
[root@psycho ~]#
[root@psycho ~]# ll /foo/
total 81652
drwxr-xr-- 2 tiger ftpuser 4096 Sep 18 2007 alert
drwxr-xr-x 14 root root 4096 Jan 18 2008 tux
drwxr-xr-x 2 root root 4096 Jan 11 2008 log
drwx------ 2 root root 16384 Sep 6 2007 lost+found
drwxrwxr-x 4 giraffe ftpuser 048000 Feb 9 23:51 beastie
[root@psycho ~]#
/foo/tux and /foo/beastie are having read-access to all. But /foo will not be readable since the permission is 770.
So add the user "hari" to the group "ftpuser", which is the Group for /foo.
# grep ftpuser /etc/group
ftpuser:x:502:
# vi /etc/group
ftpuser:x:502:hari
Now take the list of files/directories under /foo except tux and beastie. These are the only directories user needs access.
# ls /foo | grep -v tux | grep -v beastie
alert
log
lost+found
Add these to /etc/vsftpd_user_conf/hari for restricting access by the FTP user. We have already mentioned the below in /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd_user_conf
# vi /etc/vsftpd_user_conf/hari
deny_file={alert,log,lost+found}
write_enable=NO
write_enable=NO is to restrict the user from changing the files/directories
Restart VSFTPD service.
/etc/init.d/vsftpd restart
That's it. Now the conditions satisfied are as below
1. User will be able to login through FTP protocol.
2. Default login directory will be a "chrooted HOME- /foo". User will not be able to access any other directory other than /foo.
3. User can access "tux" and "beastie" directories right from the home directory.
4. These two directories will be "read-only". User can't write/change any files/directories.
5. User cannot access any other directories under /foo except tux and beastie.
6. User will not be able to login directly to system.
