When we setup an FTP server software (regardless if this is proftpd, vsftpd, etc.) we might face a dilemma: we want to restrict the access that ftp users will have (limited access to files normally in their own home directory) but also we want to allow them access to another folder that is normally in a different location (like development files for whatever work they are doing).
The problem is that if we configure the chroot restriction for the ftp users we will notice that as expected they will be locked in the chrooted folder (let’s say their home directory). If we try to create a symlink to the other folder they need access, this will just not allow them to change into that folder (break out the chroot) and this is very normal. To exemplify this let’s consider that I am using vsftpd and one user ftp_user. Chroot restriction is enabled on ftp accounts and his home is in /home/ftp_user. But I need to provide him access for another folder /var/www/dev/. Even though I am using here vsftpd the same concept applies to any other ftp server software.
The configurations for vsftpd are basic ones (but I will include them at the end of the post for reference). The important one here is:
Of course that one solution to overcome this limitation is to disable chroot and allow the ftp users full access to all the system files. This is not at all recommended and this little tip will show you how you can achieve this with chroot enabled. The solution to this little problem is to mount the needed directory using the –bind parameter… from the man page of mount: ”–bind Remount a subtree somewhere else (so that its contents are available in both places)”.
So we might do something like:
mkdir /home/ftp_user/www_dev mount --bind /var/www/dev/ /home/ftp_user/www_dev
After this the ftp user will be able to see the needed files in his home directory and use them in his ftp client as if they were local files.
If you need to make this configuration permanent you can either add the mount command in some startup script or you can just include a line in /etc/fstab:
/var/www/dev /home/ftp_user/www_dev none bind 0 0
I hope that you have found this tip useful in case you have a similar issue… Just for the reference here is the vsftpd configuration used (the important parameter is only the one noted abovechroot_local_users):
/etc/vsftpd.conf listen=YES anonymous_enable=NO local_enable=YES write_enable=YES dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES chroot_local_user=YES secure_chroot_dir=/var/run/vsftpd pam_service_name=vsftpd rsa_cert_file=/etc/ssl/certs/vsftpd.pem