VSFTP chroot or jail users - limit users to only their home directory howto

Posted by Vivek Gite [Last updated: August 27, 2006]

Patrick asks:
How do I limit users of vsftp to only their home directory? That way, the user cannot go outside it to other directories to browse something.

Yesterday's VSFTPD troubleshooting note (read as post) brought this question back to me.

If you do not want FTP users to be able to access any files outside of their own home directory, set up a chroot jail.

Consider the following example:

$ ftp ftp.domain.com

Output:

Connected to ftp.domain.com.
220 (vsFTPd 2.0.5)
Name (ftp.domain.com:user1): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/user1"
ftp> cd /etc
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            7959 Mar 02 22:20 Muttrc
drwxr-xr-x    3 0        0            4096 Jul 24 12:20 Wireless
drwxr-xr-x   16 0        0            4096 Jul 30 22:58 X11
drwxr-xr-x    4 0        0            4096 Sep 05  2005 Xprint
-rw-r--r--    1 0        0            2188 Sep 05  2005 adduser.conf
-rw-r--r--    1 0        0              47 Aug 16 14:52 adjtime
-rw-------    1 0        0            4330 Aug 18  2005 afick.conf
-rw-r--r--    1 0        0             194 Sep 05  2005 aliases
-rw-r--r--    1 0        0           12288 Jul 19 21:27 aliases.db
drwxr-xr-x    2 0        0            8192 Aug 15 09:33 alternatives
...
.....
..

Now a normal user can go to the /etc directory (and possibly to every other directory), and if a sensitive file is readable by that user, the user can download it via FTP.

To avoid this security problem, you can lock FTP users in a chroot jail.

Open the vsftpd configuration file, /etc/vsftpd/vsftpd.conf:
# vi /etc/vsftpd/vsftpd.conf

Make sure the following line exists (and is uncommented):
chroot_local_user=YES

Save and close the file. Restart vsftpd:
# /etc/init.d/vsftpd restart

Now all VSFTPD/FTP users are limited to accessing only files in their own home directory. They will not be able to see /, /etc, /root, /tmp or any other directory. This is an essential security feature.

Discussion on This Article:

  1. Tyler Says:

    What if I need a ‘root’ type FTP account; I want to chroot all but one user?

  2. Bassist Says:

    “What if I need a ‘root’ type FTP account; I want to chroot all but one user?”

    Create a user account with the root directory as the server root directory i.e. ‘/’. Or for better security, use the main directory of all sub-directories you would like to access, as the home directory. e.g. if you have ftp accounts for /var/www/html2 and /var/www/html3, then use /var/www as the home directory for the main ftp account.

  3. joel Says:

    hi,
    i have just installed cerberus ftp server inside my network with an ip address of 192.168.x.xx… problem is i cannot connect to it from outside because i really don't know (noob) how to forward port 21 to it from my internet gateway. btw, my gateway runs on mandrake 10. can u tell me what to do, specifically the commands to make it work? many thanks…

  4. nixcraft Says:

    joel,

    You can use port forwarding from your router itself. If you want software based port forwarding, use the Internet TCP redirection server called rinetd. You can also use iptables DNAT rules for the same.

  5. joel Says:

    hi nixcraft,

    thanks for the reply.i was just wondering can i just add this rule to your fw_proxy script that you made..

    iptables -t nat -I PREROUTING -p tcp -i INTERNET --dport 21 -j DNAT --to 192.168.x.xx:21

    will that work or is there anything else that i should add?

    thanks again :)

  6. joel Says:

    nixcraft,

    sorry, fw.proxy was posted by vivek, my apologies to him and to you also. anyway I'm still on my problem. i have installed the fw.proxy script on my gateway machine running mandrake 10 and run all the commands there. even tried adding the iptables rule that i have just mentioned but i still cannot connect from outside my network. I'm totally out of my mind figuring out how to make it work. pls bail me out on this one…

    joel

  7. nixcraft Says:

    Lan is at eth0 and internet is eth1 (to isp router)

    Gateway ip is 192.168.0.1
    FTP server is at 192.168.0.5

    You want to redirect to 192.168.0.5 at port 21, use following
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.5

    HTH

  8. Robert O'Rourke Says:

    Hi,

    I’ve been trying this on a redhat system but it's not restricting the user to their home directory. It’s all they have permission on but they can still list all the files under /, /dev, /bin etc…

    It might be because I have a symlink in their home folder to another part of the file system they have permission on. Would it be better to make the symlink the other way around? I’ve done everything I can work out that I need to do so I don’t get why they can still list any other directories…

    Cheers

  9. Paul Says:

    Ref: chroot ftp users. This is taken from the vsftpd.conf file:

    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

    This works very well for my systems.

  10. Mentor Says:

    Hi:

    I want to be able to add another folder to the list of folders that the users are permitted to use.

    Viz.:
    /home/user
    /var/www/html

    Is this possible?

    Rgds. Mentor

  11. Happy Says:

    Thank you very much…Works like a charm…

  12. Chris Hunt Says:

    You can use the command “mount --bind olddir newdir”. The ‘--bind’ option mounts part of the file system to another area. You may have tried to use links but these are prohibited for security reasons.

  13. br0ken rlz Says:

    hi guys
    i face this problem and i do the solution up
    but the same thing nothing change the user can
    able to see / & /etc
    and i have question
    what i put in chroot_user_list file
    only the username ?
    need your advice

  14. Ajay Says:

    Suppose I have 5 users. I want to limit only 2 users to their home directory and let the remaining users have full access. How do I do that?

Copyright © 2004-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Sitemap - Powered by Open source software.