# restrict ftp users to their home directory

## svancouw

I have been working on my first serious attempt at building a production web server. I have installed and configured apache2 and vsftpd, and gotten them both working.

My problem now is how to keep my ftp users in their home directories. I need to make sure that not only can they not move out of their home directory (already taken care of), but how do I keep them from landing in a directory other than their home directory?

I must admit that I am rather rusty on permissions, but it seems to me that this is a vsftpd configuration issue that I have not been able to find.

Thanks in advance!

Sean

----------

## truc

(man vsftpd.conf) !!

eg for local users:

```
local_enable=YES
chroot_local_user=YES
local_root=/home/ftp/
```

----------

## svancouw

I had read through the manual, but I went through it again just in case.

It doesn't seem like the local_root=/home/ftp will solve my problem, as I need to set the user's home directory to allow them to ftp their web files to /home/*/public_html.

I worked on this for several more hours after posting, and here is what I have come up with:

Every user will be local, and set their home directory to /home/[user].

```
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file_/etc/vsftpd/chroot_list (essentially empty)
```

I have set permissions so that they cannot go down to the /home directory once they are in, so they can only move up through their own tree.

Unfortunately, the chroot option appears to not be working. If a user specifies a different remote directory when using an ftp client, then they can land wherever they want to. Any ideas?

```
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=*
userlist_enable=YES
listen=YES
tcp_wrappers=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
```

----------

## Sephiroth81

Look for rssh. I've used it and it's working great. Of course use it to get ftp via ssh

----------

## svancouw

I would rather get vsftpd running properly instead of switching to another program and starting from scratch.

I was actually wondering if my problems are the result of my running vsftpd via inet.d and rc-update add vsftpd default. I have the listen=YES option, but am wondering if my running via inet.d invalidates all of the security I have been trying to configure.

----------

## magic919

*Quote:*

> chroot_list_file_/etc/vsftpd/chroot_list (essentially empty)

That's why the chroot is not working.  It's an (essentially empty) list of users to chroot.

----------

## svancouw

Normally you are correct about the chroot_list, but I have the chroot_local_user=YES option. According to the vsftpd.conf file, the chroot_local_user=YES changes the chroot_list so that any users listed in there will NOT chroot. I would rather have a list of users to NOT chroot than the other way around.

----------

## truc

here is how I do it (with xinetd); every user (anon and local) is chrooted in /home/ftp:

```
anonymous_enable=YES
no_anon_password=YES
anon_root=/home/ftp/
anon_upload_enable=NO
anon_mkdir_write_enable=NO
local_enable=YES
chroot_local_user=YES
local_root=/home/ftp/
check_shell=NO
hide_ids=YES
write_enable=YES
local_umask=007
dirmessage_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=truc
nopriv_user=nobody
ftpd_banner=***************** --------------------------- *****************
userlist_enable=YES
userlist_deny=NO
chroot_list_enable=NO
vsftpd_log_file=/var/log/vsftpd/vsftpd.log
dual_log_enable=NO
xferlog_enable=YES
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd/xferlog
```

/etc/vsftpd/user_list

```
cat /etc/vsftpd/user_list
localUserName
anonymous
ftp
```

----------

## svancouw

Truc, thank you for your information.

I will look it over in detail and post on this list in a day or so with additional thoughts. Your settings just set off a lightbulb that may help me out.

----------

## svancouw

Since I last posted I made some progress. During my research I found that I had not implemented some good user/group practices. I now have every user in their own group, and have modified the user's home directory permissions so that nobody that is not in their group can have access to it, while still allowing web users to view their sites. While this does create a lot of commands, I have made a couple of scripts to handle this for me (with some initial assistance).

I am at the point where FTP is largely working for me. I never did get the chroot jail to work, and users can navigate most of my system, but are not able to make any changes to it. I have followed the suggestions in this forum, plus a few other experiments along those lines, and I have still gotten no effect with the chroot jail.

Unless anyone has further ideas, I am going to leave this as-is for now, and revisit it in a month or two. I have other projects that are approaching critical at the moment.

Last edited by svancouw on Thu Feb 16, 2006 7:10 pm; edited 1 time in total

----------

## truc

could you give us your current vsftpd.conf?

----------

## svancouw

Sorry for the oversight...

```
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
nopriv_user=ftpsecure
ftpd_banner=Welcome to the x.com website FTP service. Authorized use only!
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
local_root=/home/
#ls_recurse_enable=YES
#force_local_logins_ssl=YES
#pam_service_name=vsftpd
#userlist_enable=YES
background=YES
listen=YES
tcp_wrappers=YES
```

----------

## truc

Are you aware that /etc/vsftpd/chroot_list contains the names of the users who won't be in a chroot jail?

----------

## svancouw

Yes, I am aware of this. My list is entirely empty, but I did have a user temporarily listed in there for testing purposes.

It seemed to make no difference whether or not someone is listed in that file. The only thing I have come across is that I run vsftpd via init.d (rc-update), and I read somewhere that in order for the chroot jail to work you cannot run it via inet.d. This makes no sense to me, especially since you appear to be doing the same thing I am (according to one of your earlier posts).

----------

## truc

that's really strange, I'm still running it with xinetd (don't forget to restart it after every change: /etc/init.d/xinetd restart for me with xinetd)

every user is chrooted for me, and I tried to set chroot_list_enable=YES as you did, but it still works!

really strange!

If you want to chroot everybody, you can try to set chroot_list_enable=NO

So my conf is

*vsftpd.conf wrote:*

> anonymous_enable=YES
> no_anon_password=YES
> anon_root=/home/ftp/
> ...

*user_list wrote:*

> cat /etc/vsftpd/user_list
> jule
> anonymous
> ...

Your settings should be something like this

*vsftpd.conf wrote:*

> anonymous_enable=YES
> no_anon_password=YES
> anon_root=/home/ftp/
> ...

*user_list wrote:*

> truc
> jule
> anonymous
> ...

*chroot_list wrote:*

> truc

assuming you want the user truc not to be chrooted

Hope that helps

----------

## svancouw

My only question about your settings is whether or not the local_chroot must =/home/ftp for this to work, as I need my users to get access to /home/[username]/*. I want to disallow anonymous users (anonymous_enable=NO), and that should not affect this in any form. I currently require that users SSH their connections, but connect_from_port_20=YES should not affect this (?).

I also want ALL users to be chrooted but for root and one other user. For the purposes of my linux box, this will take out another regular step.

Am I missing anything? Could other installed software be causing a conflict that will cause this to not happen (I have very little installed: Perl, mono, PHP, vsftpd, apache2, lingerd, mySQL, diskquotas). Do my users have to be a member of the FTP group for this to work (a little late to ask that question, I know...)?

Thanks for taking your time to help me on this matter.

----------

## truc

*vsftpd.conf.example wrote:*

> # You may specify an explicit list of local users to chroot() to their home
> # directory. If chroot_local_user is YES, then this list becomes a list of
> # users to NOT chroot().

I suppose local_root is then the user home dir, (in man vsftpd.conf, it's said local_root is "none" by default, so this "none" seems to be interpreted as $HOME right? )

----------

## svancouw

I found and corrected a mounting/fs error on /hda4 (/home), but the resolution of that issue still did not make the chroot work correctly (although my quotas now work).

I find this very odd, and I will give it some time to see if I can come up with a solution (or if I have a hidden problem causing this to fail) down the line. Thank you, truc, for your assistance on this matter.

----------

## Unaimed

Hello svancouw.

I have encountered the exact same problem. This is my config to start with:

```
listen=YES
background=YES
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
chroot_list_enable=YES
```

The users in the user_list are the only users that are allowed access. If chroot_list_enable=YES is set users will be sent to /. If chroot_list_enable=NO users will be sent to their home directories without being chrooted.

I would be glad if you had found the problem. I have not atm.

//Unaimed

EDIT: Problem fixed. Upgraded to vsftpd-2.0.4-r1, which has not been marked stable on x86; nevertheless it works now.
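The chroot_list inversion that truc quoted from vsftpd.conf.example, and the allow-list behaviour of user_list that Unaimed describes, are easy to get backwards when editing by hand. The script below is an added example (not from the thread or from vsftpd itself) that reads a vsftpd.conf and answers, per user, "may this user log in?" and "will this user be jailed?" according to the documented rules; the config and list files it checks are constructed in a temp directory, and the defaults assumed for missing keys are the man page defaults.

```shell
#!/bin/sh
# Added example (not from the thread): model the documented vsftpd rules for
# chroot_list and user_list so a config can be checked before deployment.
# chroot_local_user=YES turns chroot_list into the users NOT to chroot (NO: the
# users TO chroot); chroot_list_enable=NO ignores it. userlist_deny=YES makes
# user_list a deny list, userlist_deny=NO an allow list. Defaults per the man page.
set -e

conf_get() {   # conf_get FILE KEY DEFAULT: last KEY=value in FILE, else DEFAULT
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

listed() {     # listed FILE USER: true if USER is a whole line of FILE
    [ -r "$1" ] && grep -qx "$2" "$1"
}

would_chroot() {   # would_chroot CONF USER: YES if USER lands in a chroot jail
    in_list=NO
    if [ "$(conf_get "$1" chroot_list_enable NO)" = YES ] &&
       listed "$(conf_get "$1" chroot_list_file /etc/vsftpd.chroot_list)" "$2"; then in_list=YES; fi
    if [ "$(conf_get "$1" chroot_local_user NO)" = YES ]; then
        if [ "$in_list" = YES ]; then echo NO; else echo YES; fi   # list = exemptions
    else
        echo "$in_list"                                            # list = who gets jailed
    fi
}

login_allowed() {  # login_allowed CONF USER: YES if the user_list rules admit USER
    [ "$(conf_get "$1" userlist_enable NO)" = YES ] || { echo YES; return; }
    in_list=NO
    if listed "$(conf_get "$1" userlist_file /etc/vsftpd.user_list)" "$2"; then in_list=YES; fi
    if [ "$(conf_get "$1" userlist_deny YES)" = "$in_list" ]; then echo NO; else echo YES; fi
}
# Constructed sample mirroring truc's suggestion: only truc and jule may log in,
# everyone is jailed except truc.
tmp=$(mktemp -d)
printf 'truc\njule\n' > "$tmp/user_list"
printf 'truc\n' > "$tmp/chroot_list"
cat > "$tmp/vsftpd.conf" <<EOF
userlist_enable=YES
userlist_deny=NO
userlist_file=$tmp/user_list
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$tmp/chroot_list
EOF
for u in truc jule mallory; do
    echo "$u: login=$(login_allowed "$tmp/vsftpd.conf" "$u") chroot=$(would_chroot "$tmp/vsftpd.conf" "$u")"
done
```

Because vsftpd takes the last occurrence of a key, appending chroot_local_user=NO to the same file flips the list from "exemptions" to "who gets jailed", which is the mistake magic919 and truc were probing for in this thread.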

----------

## svancouw

I had tried the previous poster's suggestion, and it did not fix this.

I was working with a vendor who noticed my problem. In the ssh configuration file, we turned off SFTP, and in the vsftpd.conf we commented out local_root=/home/.

Now the chroot is working perfectly.

Hope this helps for anyone in the future who has a problem similar to this.

Sean

----------

