Restrict permissions in Linux for an FTP user

I have a requirement as below on a server running SuSE Linux Enterprise 11 with /opdata as the directory containing reports that have to be accessed. It has multiple directories within it.

1. Create an FTP user account with access only to FTP and no other services, for which I created an account and mapped the home directory to /opdata. I now need to restrict him to only FTP onto the box.

2. The account should have read access to only the /opdata/report1 & /opstdata/report2 directories and nothing apart from those.

Can you guide me in achieving this?


There are multiple parts to this.

First, the account has to be created with no shell access and no home directory.

useradd -s /sbin/nologin -d /bin/false ftpuser

Permissions on the folders:

chown ftpuser /opdata/report1
chown ftpuser /opstdata/report2
chmod 500 /opdata/report1
chmod 500 /opstdata/report2

One adjustment in the useradd above.
useradd -s /sbin/nologin -d /opdata ftpuser

So are /opdata and /opstdata two separate folders?
I would also restrict this user with a chroot jail, but that is not possible with this directory structure. If I restrict him to /opdata, he would not be able to go to /opstdata, unless you put both folders under a third folder, and then we can make a chroot jail for this user in that third folder. This way the user will not be able to see anything else in the system apart from what is in the /third_folder.

Do you want that?

Peddu_bhanu (Author) Commented:
Hi Experts,

I would like to rephrase the question as I now have more clarity on the issue.

There is an existing directory /xyz, which is an application directory and has many sub directories under it having 775 or 755 permissions on the sub directories. Please note that all the sub directories are world readable and we don't know who needs read access to them and would be affected if we change the permissions to 750 or remove permissions for others.

So given this situation, we now have a need for a user to be created whose home directory should be /XYZ/home, and the user should not be able to access any other directory under /XYZ apart from /XYZ/home. I repeat, no other directory except for his home /XYZ/HOME.

NO chance for chroot jail
And I cannot tweak the permissions for other directories

Is it possible?

As per my knowledge, without a chroot jail your user can visit other directories as well.

I agree with expert upanwar. It would be too difficult to restrict the system without a chroot jail. You will be doing ACLs, SELinux, and other permissions to stop users and will have to encounter side effects too. A chroot jail is the easiest, most convenient and most acceptable way.
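
To see how much of the application tree the new account could reach without a chroot, the following check (an added example, not part of the thread) lists every directory under a root that is listable and enterable through the "other" permission bits, skipping the user's own home. The function names are hypothetical, and it assumes the account owns none of the directories, belongs to none of their groups, and that no ACLs are in use.

```shell
#!/bin/sh
# Added example: report directories an unprivileged account can list and
# enter via the "other" bits (the 755/775 case described in the question).
# Assumptions: the account is neither owner nor group member of anything
# under ROOT, no POSIX ACLs are set, and ROOT's own parents are traversable.

# exposed_dirs ROOT HOME_DIR
# Prints, sorted, each directory under ROOT (ROOT included) with o+r and o+x.
# A directory without o+x hides its whole subtree from "other", so it is
# pruned; HOME_DIR is pruned because access there is intended.
exposed_dirs() {
    root=${1%/}
    home=${2%/}
    find "$root" -type d \( -path "$home" -o ! -perm -001 \) -prune \
        -o -type d -perm -005 -print | LC_ALL=C sort
}

# exposed_count ROOT HOME_DIR
# Number of exposed directories; 0 means the mode bits alone confine the user.
exposed_count() {
    exposed_dirs "$1" "$2" | wc -l | tr -d ' '
}

# Command-line use: ./exposed.sh /xyz /xyz/home
if [ "$#" -eq 2 ]; then
    exposed_dirs "$1" "$2"
fi
```

Any non-empty output is a directory the FTP user can browse unless the FTP server confines the session to the home directory or the permissions change.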