VSFTP chroot or jail users – limit users to only their home directory howto

by on August 17, 2006 · 46 comments· LAST UPDATED August 27, 2006

in , ,

Patrick asks:
How do I limit users of vsftp to only their home directory? Therefore, that user cannot go outside other directories to browser something.

Yesterdays VSFTPD troubleshooting note (read as post) brought me back this question.

If you do not wish FTP users to be able to access any files outside of their own home directory, set up chroot jail.

For consider following example:

  • Ftp username : user1
  • FTP home directory: /home/user1

$ ftp ftp.domain.com

Output:

Connected to ftp.domain.com.
220 (vsFTPd 2.0.5)
Name (ftp.domain.com:user1): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/user1"
ftp> cd /etc
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            7959 Mar 02 22:20 Muttrc
drwxr-xr-x    3 0        0            4096 Jul 24 12:20 Wireless
drwxr-xr-x   16 0        0            4096 Jul 30 22:58 X11
drwxr-xr-x    4 0        0            4096 Sep 05  2005 Xprint
-rw-r--r--    1 0        0            2188 Sep 05  2005 adduser.conf
-rw-r--r--    1 0        0              47 Aug 16 14:52 adjtime
-rw-------    1 0        0            4330 Aug 18  2005 afick.conf
-rw-r--r--    1 0        0             194 Sep 05  2005 aliases
-rw-r--r--    1 0        0           12288 Jul 19 21:27 aliases.db
drwxr-xr-x    2 0        0            8192 Aug 15 09:33 alternatives
...
.....
..

Now normal user can go to /etc directory (may be to all other directories) and if there is read only permission to sensitive files user can download the file via ftp.

To avoid this security problem you can lock ftp user in a jail.

Open vsftpd configuration file - /etc/vsftpd/vsftpd.conf
# vi /etc/vsftpd/vsftpd.conf

Make sure following line exists (and uncommented):
chroot_local_user=YES

Save and close the file. Restart vsftpd.
# /etc/init.d/vsftpd restart

Now all users of VSFTPD/FTP will be limited to accessing only files in their own home directory. They will not able to see /, /etc, /root and /tmp and all other directories. This is an essential security feature.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 46 comments… read them below or add one }

1 Tyler March 16, 2007 at 2:33 am

What if I need a ‘root’ type FTP account; I want to chroot all but one user?

Reply

2 Bassist March 20, 2007 at 6:43 pm

“What if I need a ‘root’ type FTP account; I want to chroot all but one user?”

Create a user account with the root directory as the server root directory i.e. ‘/’. Or for better security, use the main directory of all sub-directories you would like to access, as the home directory. e.g. if you have ftp accounts for /var/www/html2 and /var/www/html3, then use /var/www as the home directory for the main ftp account.

Reply

3 joel March 23, 2007 at 8:34 am

hi,
i have just installed cerberus ftp server inside my network with an ip address of 192.168.x.xx…problem is i cannot connect with it outside because i really don’t knw(noobs) how to forward port 21 to it from my internet gateway.btw, my gateway runs on mandrake 10.can u tell me what to do specifically the commands to make it work? many thanks…

Reply

4 Anon Junior October 27, 2012 at 3:50 pm

192.168.x.x is a private IP. If you only have one static or dynamic IP shared between all computers on the network, even if multiple gateways and subnets are used. Then use port forwarding. Doing a google search will suffice.

Reply

5 nixCraft March 23, 2007 at 3:18 pm

joel,

You can use port forwarding from your router itself. If you want software based port forwarding use –
Internet TCP redirection server called rinetd. You can also use iptabled DNAT rules for same.

Reply

6 joel March 24, 2007 at 1:19 am

hi nixcraft,

thanks for the reply.i was just wondering can i just add this rule to your fw_proxy script that you made..

iptables -t nat -I PREROUTING -p tcp -i INTERNET –dport 21 -j DNAT –to 192.168.x.xx:21

will that work or is there anything else that i should add?

thanks again :)

Reply

7 joel March 26, 2007 at 2:41 am

nixcraft,

sorry, fw.proxy was posted by vivek,my apologies to him and to you also.anyway im still on my problem.i have installed fw.proxy script on my gateway machine running mandrake 10 and run all the commands there.even tried adding the iptable rule that i have just mentioned but i still cannot connect outside my network.im totally out of my mind figuring it out how to work.pls bail me out on this one…

joel

Reply

8 nixCraft March 27, 2007 at 5:21 am

Lan is at eth0 and internet is eth1 (to isp router)

Gateway ip is 192.168.0.1
FTP server is at 192.168.0.5

You want to redirect to 192.168.0.5 at port 21, use following
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.5

HTH

Reply

9 Robert O'Rourke December 19, 2007 at 3:02 pm

Hi,

I’ve been trying this on a redhat system but its not restricting the user to their home directory. It’s all they have permission on but they can still list all the files under /,/dev,/bin etc…

It might be because I have a symlink in their home folder to another part of the file system they have permission on. Would it be better to make the symlink the other way around? I’ve done everyhitng I can work out that I need to do so I don’t get why they can sill list any other directories…

Cheers

Reply

10 Paul December 24, 2007 at 4:14 pm

Ref: chroot ftp users. This is taken from the vsftpd.conf file:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

This works very well for my systems.

Reply

11 Matt Borja October 6, 2011 at 4:14 pm

This is also required on some dedicated servers and cloud solutions (e.g. Rackspace). Having chroot_local_user=YES is not sufficient in such cases and requires chroot_list_enable and chroot_list_file to both be uncommented.

Also, it’s probably worth mentioning that while this will chroot FTP users, it will not chroot SFTP over SSH users. This is an upcoming feature that will be present in CentOS 6, but as of now, Ubuntu, all current distributions of Red Hat, and CentOS 5 do not support chrooting of SFTP/SSH accounts

Reply

12 Mentor January 14, 2008 at 3:57 pm

Hi:

I want to be able to add another folder to the list of folders that the users are permitted to use.

Viz.:
/home/user
/var/www/html

Is this possible?

Rgds. Mentor

Reply

13 Happy January 25, 2008 at 8:33 am

Thank you very much…Works like a charm…

Reply

14 Chris Hunt February 3, 2008 at 3:43 pm

You can use the command “mount –bind olddir newdir”. The call ‘–bind’ mounts part of the file system to another area. You may have try to use links but these are prohibited for security reasons.

Reply

15 br0ken rlz May 12, 2008 at 3:17 pm

hi guys
i face this problem and i do the solution up
but the same thing nothing change the user can
able to see / & /etc
and i have question
what i put in chroot_user_list file
only the username ?
need your advice

Reply

16 Ajay May 22, 2008 at 10:56 am

Suppose if I have 5 users, I want to limit only 2 users to their home directory and remaining users to have full access. How to do that?

Reply

17 modjo-jojo October 15, 2008 at 1:40 pm

Ajay, you have 2 options:

.) chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/nonchroot.list
Where file /etc/vsftpd/nonchroot.list should contail the users you don’t want to chroot.

.) chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot.list
Where the file etc/vsftpd/chroot.list should contain the users you want to be chrooted to their home. By default all other users should have access to the / (root).

BR,
modjo-jojo

Reply

18 ug August 17, 2012 at 3:17 pm

Useful information. It helped me.

Reply

19 Stan January 14, 2009 at 12:35 pm

Thanks Chris! I’ve been looking for ways to mount my FTP pub directory in home dir of some users… This solution have finally solved my problems. Keep the good work. Thanks.

Reply

20 Bjarte Aune Olsen February 1, 2009 at 5:31 pm

I have the same problem as some others have mentioned. When “chroot_local_user” is set to NO, the user starts up in his home folder, and can navigate everywhere on the system. When “chroot_local_user” is set to YES, the user can only WRITE to his home directory, but he can navigate anywhere and see the whole folder structure of the machine, which I don’t like.

Even worse, when “chroot_local_user” is set to YES, the user starts up in the root folder, “/” and not in his home directory. Which means that if he isn’t that familiar with Linux system, he will have a hard time finding his home directory where he’s able to upload files.

- Bjarte

Reply

21 Mizan February 3, 2009 at 1:07 pm

I have a Apache webserver. I want to access the thml directory to my web developer so that he can upload file through ftp. I use vsftp server. I careate a user for him and assing /var/www/html as home directgory. the problem is when he want to upload file it shows “File could not be opended by server. 553 could not create file” . I think it is permission problem. What permision can I provide the user to mention directory without sacrifice the security. thank you.

Reply

22 Martin March 15, 2009 at 10:36 pm

To Bjarte Aune Olsen:
search in the configuration file the directive local_root=… and comment it out (thus local_root will be unset). If this directive was set then vsftpd always respect him, so after loging in, he put the user in the directory that was set by local_root=…
I hope that will help you.

-Martin-

Reply

23 srinivas June 9, 2009 at 6:10 am

my vsftpd setup has following

->useradd -d /var/www/html/site ftpupload
->chown ftp:ftp /var/www/html/site
->chmod g+w /var/www/html/site
->vi /etc/vsftpd/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
-> vi /etc/vsftpd/chroot_list
ftpupload

this works fine when i tried from command mode from another linux
box using both ftp and lftp commands and my user restricting to his home
directory.

this is the same with the case if i use WinSCP with ftp as protocol.
but if i use sftp as the protocol i am able to chroot to another directories too

anybody has this problem ??
i need help..

Thanks in advance

Reply

24 Bineesh July 3, 2009 at 9:34 am

How i can configure different chroot directory for different users.

Reply

25 Vikas Singh July 23, 2009 at 12:13 pm

Hi, All
I have configure ftp in fc5.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
but when I trying to access my ftp from web (ftp://X.X.X.X) it is not asking for username and passwd but I can access it ftp://username@X.X.X.X. I m not understanding why?

Reply

26 Matt J. September 8, 2009 at 8:08 am

Hi, Vikas-

If your browser implements the spec (RFC1738) correctly, then in the case where you specify no user name, it will assume the user name is ‘anonymous’. Now back in the days when the spec was written, the password for ‘anonymous’ was an email address. But this is not so common now. Now the password is usually also ‘anonymous’.

That is the difference between “ftp://X.X.X.X” and “ftp://username@X.X.X.X”. So the behavior you describe sounds like the browser is doing the right thing.

Reply

27 Muhammad Babar March 2, 2010 at 7:24 am

Hi!
I configure a vsftpd server and they work but when i access through browser they open “Log On As” window but we can’t login. i don’t know why this happen.
but we can access through cmd.
We want to access my Home directory through internet-explorer.
Plzz help meee

Reply

28 Ray March 2, 2010 at 7:31 am

Hey gyus, i did the chroot_local_user=yes
chroot list enable=yes
add the user names on /etc/vsftpd/chroot_list
still when logging I go everywhere on /

Any ideas?

Thanks!

Reply

29 Phil June 5, 2010 at 11:33 pm

If you put people in the chroot_list thats people that are NOT going to be restricted to there home directory. leave chroost list enable commented out, skip adding names to the list and just use chroot_local_user=yes

peace easy
-phil

Reply

30 Brian June 8, 2010 at 8:29 pm

Works great with regular FTP, but does not jail users when using SFTP. How would I do that?

Reply

31 nixCraft June 8, 2010 at 8:42 pm

VSFTPD = FTP server
SFTP = OpenSSH server, so you need to chroot OpenSSH user. OpenSSH 5.x series do have inbuilt support for jailing users to their directories.

Another option is to run vsftpd with SSL support only.

Reply

32 Nandakumar September 2, 2010 at 12:16 pm

Brian :( ….you are right. Nobody has said this that chroot not jail the user, I have wasted my time doing chroot on sftp and nothing happened yet, after seeing your post i just commented all the sftp option in vsftp config file. now i am seeing that jailing option working. Thanks a lot :) you saved me.

But still my task incomplete how to jail the user in sftp and how make this ftp work in browser (integrate with apache) ?

I am newbie so please don’t mistake me if raised silly questions.
Please help me…

Reply

33 steven June 30, 2010 at 7:34 am

even only set chroot_local_user=yes. it still limit user to “/” ,rather than user’s home directory. any idea how to fix this ?

Reply

34 Xavi August 10, 2011 at 9:50 am

Check that

local_root=/

is commented in your etc/vsftpd.conf file (if not, it’ll go ever to / or whatever it’s put there). Cheers

Reply

35 Xavi August 10, 2011 at 9:51 am

Check that

local_root=/

is commented in your etc/vsftpd.conf file (if not, it’ll go ever to / or whatever it’s put there). Cheers

Reply

36 Danzo May 3, 2010 at 3:20 pm

Edit /etc/passwd

change :/bin/bash to /./:/bin/bash

That should work.

However ftp://x.x.x.x, users remain in home directories but sftp:x.x.x.x, users can access other directories.

any advice on that one

Reply

37 Nandakumar September 2, 2010 at 10:58 am

I am also facing the problem like user can able to access all the folders without any restriction. I have enabled all the above said option but none of them working. I have two issues one i am not able to access ftp via browser and another one any user can access any folder with out any control. could anybody can help me to solve this issue ?

Thanks,
Nanda

Reply

38 Nandakumar September 2, 2010 at 12:16 pm

Brian :( ….you are right. Nobody has said this that chroot not jail the user, I have wasted my time doing chroot on sftp and nothing happened yet, after seeing your post i just commented all the sftp option in vsftp config file. now i am seeing that jailing option working. Thanks a lot :) you saved me.

But still my task incomplete how to jail the user in sftp and how make this ftp work in browser (integrate with apache) ?

I am newbie so please don’t mistake me if raised silly questions.
Please help me…

Nanda

Reply

39 Jon May 24, 2011 at 9:53 am

I could use some help for the following:
1) local user (myself) need complete access to update wordpress and by default I have what I need with the following:
anon_mkdir_write_enable=YES
anon_root=/srv/ftp
anon_upload_enable=YES
chroot_local_user=NO
local_enable=YES
log_ftp_protocol=YES
max_clients=10
max_per_ip=3
write_enable=YES
local_root=/srv/www/wp-content

2) I have a web developer that requires access to another folder
/srv/www/domainname

How do I give him access to this domainname folder, and only that location and what lies under it? i.e the subfolder of the domainname folder. I do not want him to be able to change directory from that folder.

Thanks

Reply

40 Joseph November 26, 2011 at 6:57 am

Hi Jon,

How to give yourself full access while still restricting others using vsftpd:

add or Uncomment the following in /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

create a file called /etc/vsftpd/chroot_list (it is case sensitive)
write your user name for admin access on line 1
save the file

you will be exempt from being locked in your home directory however all other users will still be locked in their home directory.

And specifically in your case remove the line chroot_local_user=NO

Reboot your server for changes to take effect.

Here is the shell command for adding a user to a currently existing home directory: (directory must already exist and is case sensitive)

mkdir /home/mystuff
groupadd ftp_users
chmod 777 /home/mystuff
useradd -g ftp_users -d /home/mystuff user1

This will create a password for the user1 account:
passwd user1

Best of Luck,

Joe

Reply

41 Babu January 19, 2012 at 9:58 pm

I have been trying all the possible options provided by you guys to jail the user to his assigned path. But, I was unsuccessful to do it.
Is there any expert who can advise me to proceed on it.

Your timely help would greatly help me out.

Reply

42 kirk March 13, 2012 at 10:28 pm

for xtra security create a seperated group and user account with no shell acces.

Reply

43 Aurelian March 16, 2012 at 11:18 am

HI,
I have a problem and, after reading this, I couldn’t resolve it:
I want that a ftp user should acces /home/ftpuser and /home/share but it should NOT acces /etc or other important system directories.

How can I do that?
If I chroot that user, he can see /home/ftpuser but he cannot see /home/share
If I do NOT chroot that user, he can see /home/ftpuser, /home/share and /etc.

I do not like the “mount -bind /home/share /home/ftpuser” solution.

Thank you alot!

Reply

44 amila March 13, 2013 at 12:11 pm

Uncomment following and,
__________________________________________
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
__________________________________________

edit “/etc/vsftpd.chroot_list”
and put any jailed users usernames in to it

Reply

45 Stopmotionheaven August 14, 2013 at 4:38 pm

Thanks! Very usefull!

Reply

46 4lvin September 13, 2013 at 4:22 am

But how about jailing a “SPECIFIC USER ONLY” ?

Reply

Leave a Comment

Previous post:

Next post: