# vsftpd/ chroot-jail doesn´t work

## mayaman

Hello everyone   :Smile:  ,

I have some problems getting my ftp working properly, I used this how-to to set it up.

I created 2 users via superadduser as described in this tutorial. Here they should be able to share files used for the projects I´m working on. However, if I log in via FTP client I´ll be put into the root directory of the user (as wanted) but can go up to "/" (not wanted  :Smile:  ). I´ve been searching for 3 days to get an answer, I´m really tired of searching now and am just pasting other confs and trying them.

I tried with chroot_local_users, by chroot_list and passwd_chroot in any combination, even those without sense.

May someone put me into the right direction? Any help welcome.

This is my vsftpd.conf at the moment:

```
listen=YES
anonymous_enable=NO
write_enable=YES
#local_root=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=Welcome to M@yamans FTP.
chroot_local_user=YES
ls_recurse_enable=NO
```

----------

## mamac

Hi,

What are your ftp clients?

Are you really interested in working with vsftpd? Would you mind giving proftpd a try?

----------

## mayaman

Thank you for your quick reply,

I use Core FTP as client as most use Windows as OS. I managed to get it working once but had to set it up again due to mistakes that broke my OS (I´m pretty new at that) but left it for a while. As I know proftpd is working via GUI, but I can only provide console as I put my ftp into the dmz my brother set up.

----------

## mamac

*mayaman wrote:*

> I managed to get it working once but had to set it up again due to mistakes that broke my OS (I´m pretty new at that) but left it for a while.

It's a server issue, then. I thought we could do some trick on clients.

*mayaman wrote:*

> As I know proftpd is working via GUI, but I can only provide console as I put my ftp into the dmz my brother set up.

You can emerge proftpd and it will run as daemon without any GUI, that's what I do on my server which doesn't have any graphic card. Maybe it's worth giving it a try! :Wink:  You might take a look at this: http://gentoo-wiki.com/HOWTO_ProFTPD

----------

## mayaman

Ah, ok, then I´ll give it a try.

Thank you very much.

----------

## UberLord

The only chroot setting you should need is chroot_local_user=YES

----------

## mayaman

Thank you for your reply UberLord,

but I´m pretty lost as mentioned at my first post I already tried with this value set to true but it didn´t function.

----------

## UberLord

I have no idea about this superadduser. Post the output of `getent passwd | grep user` replacing user with the user logging in.

----------

## mayaman

Ok, here we go

```
accis:x:1000:100:,,,:/home/accis/./:/usr/bin/rssh
```

I made this `/./` as mentioned in the man of vsftpd.conf for passwd_chroot_enable otherwise it would be just "/" of course.

----------

## UberLord

That is not right - you use that when you want the chroot to be somewhere else

For example

/home/./accis

Would chroot accis to /home, but start off in /accis

As you don't want that, remove the /./ from the end.

----------

## mayaman

Ah, ok.

I´ll show it a bit more in detail what I tried, maybe things get more clear:

at first I fixed the passwd in /etc and /home/etc

```
dragonegg-0002 ~ # getent passwd | grep accis
accis:x:1000:100:,,,:/home/accis/:/usr/bin/rssh
```

then setup the conf in various ways

1. with chroot_list

```
# Example config file /etc/vsftpd/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
chown_uploads=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=Welcome to M@yamans FTP.
#chroot_local_user=YES
#passwd_chroot_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
ls_recurse_enable=NO
```

chroot_list contains:

```
accis
spaceproject
```

2. with chroot_list & chroot_local

```
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
chown_uploads=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=Welcome to M@yamans FTP.
chroot_local_user=YES
#passwd_chroot_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
ls_recurse_enable=NO
```

chroot_list is empty

3. just with chroot_local_user

```
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
chown_uploads=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=Welcome to M@yamans FTP.
chroot_local_user=YES
#passwd_chroot_enable=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
ls_recurse_enable=NO
```

4. with chroot_passwd:

```
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
chown_uploads=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=Welcome to M@yamans FTP.
#chroot_local_user=YES
passwd_chroot_enable=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
ls_recurse_enable=NO
```

These are the ways I tried to get chroot to function. But it looks like I can give any chroot advice, it´ll be just ignored.

----------
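Added example, not part of any poster's message and not vsftpd's own code: a small Python model of how vsftpd.conf(5) documents `chroot_local_user`, `chroot_list_enable` and the `/./` marker used with `passwd_chroot_enable`, covering both the config variants above and the `/home/./accis` case discussed earlier. The function names and the constructed inputs are assumptions for illustration.

```python
# Added example: a model of vsftpd.conf(5) chroot semantics, not vsftpd code.
ON = {"YES", "TRUE", "1"}  # spellings vsftpd accepts for an enabled boolean

def parse_conf(text):
    """Parse option=value lines; a '#' line is a comment, so the option
    falls back to its default (NO for the three booleans used here)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def enabled(conf, key):
    return conf.get(key, "NO").upper() in ON

def is_jailed(conf, user, chroot_list):
    """chroot_list names the jailed users, unless chroot_local_user=YES,
    in which case it names the users that are NOT jailed."""
    jail_all = enabled(conf, "chroot_local_user")
    if not enabled(conf, "chroot_list_enable"):
        return jail_all
    return (user not in chroot_list) if jail_all else (user in chroot_list)

def jail_paths(conf, home):
    """Return (chroot directory, start directory inside the jail)."""
    if enabled(conf, "passwd_chroot_enable") and "/./" in home:
        root, rest = home.split("/./", 1)
        return root or "/", "/" + rest.strip("/")
    return home.rstrip("/") or "/", "/"

# Constructed inputs: the chroot lines of variants 1 and 2 from the post above,
# plus a config with passwd_chroot_enable switched on.
VARIANT_1 = "#chroot_local_user=YES\nchroot_list_enable=YES\n"
VARIANT_2 = "chroot_local_user=YES\n#passwd_chroot_enable=YES\nchroot_list_enable=YES\n"
PASSWD_CHROOT = "chroot_local_user=YES\npasswd_chroot_enable=YES\n"

if __name__ == "__main__":
    v1, v2 = parse_conf(VARIANT_1), parse_conf(VARIANT_2)
    print("variant 1, accis listed:", is_jailed(v1, "accis", ["accis", "spaceproject"]))
    print("variant 2, empty list:  ", is_jailed(v2, "accis", []))
    print("variant 2, accis listed:", is_jailed(v2, "accis", ["accis"]))
    for home in ("/home/./accis", "/home/accis/./", "/home/accis/"):
        print(home, "->", jail_paths(parse_conf(PASSWD_CHROOT), home))
```

The case worth auditing is the third one: with `chroot_local_user=YES` and `chroot_list_enable=YES`, a user who appears in the list file is exempt from the jail.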

## UberLord

Commenting out chroot_list_file is not enough as you assign the default - ie it will be used regardless. Remove the file or comment out all the users in it.

Then use this config

```
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
chown_uploads=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=Welcome to M@yamans FTP.
chroot_local_user=YES
passwd_chroot_enable=YES
ls_recurse_enable=NO
```

----------

## mayaman

Ok, good to know. And thank you for making the config.

It seems that the config file is not the problem as I can still leave the home directory with the config you gave me (I deleted the chroot_list).

I thought it might have something to do with updating. So I checked the libs via ldd and copied them again into the home directory and I also copied rssh and scp, restarted ssh and vsftpd without success.

Edit:

And because of the libs I followed this German tutorial to set up the chroot environment.

----------

## UberLord

OK, here's my vsftpd.conf file

```
# VSFTPD configuration file
background=NO
listen=YES
pasv_min_port=50000
pasv_max_port=50100
connect_from_port_20=YES
max_clients=100
max_per_ip=8
#local_umask=022
tcp_wrappers=YES
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
nopriv_user=nobody
passwd_chroot_enable=YES
text_userdb_names=YES
anonymous_enable=YES
no_anon_password=YES
anon_upload_enable=YES
anon_umask=007
write_enable=YES
use_localtime=YES
dirmessage_enable=YES
#banner_file=/etc/banner
ftpd_banner=Welcome to UberNET FTP service.
ls_recurse_enable=YES
setproctitle_enable=YES
xferlog_enable=YES
#xferlog_std_format=YES
```

```
$ getent passwd | grep ftp
ftp:x:21:21:added by portage for ftpbase:/home/ftp:/usr/sbin/nologin
```

You probably have to enable pam as well, otherwise ensure that the shell listed in the above command is in /etc/shells and works as a shell.

----------

## mayaman

Strange, even with your config it is possible to leave the home directory. Then it seems to be another problem if it is functioning at your server. I just copied&pasted your config and set pam_service_name=ftp. But I checked my chroot-setup again and I´m sure that nothing went wrong. Is there anything else but the vsftpd.conf that might be the problem?

----------

