Comments on: VSFTP chroot or jail users – limit users to only their home directory howto

By: Babu

Babu — Thu, 19 Jan 2012 21:58:00 +0000

I have been trying all the possible options provided by you guys to jail the user to his assigned path. But, I was unsuccessful to do it.
Is there any expert who can advise me to proceed on it.

Your timely help would greatly help me out.

By: Joseph

Joseph — Sat, 26 Nov 2011 06:57:47 +0000

Hi Jon,

How to give yourself full access while still restricting others using vsftpd:

add or Uncomment the following in /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

create a file called /etc/vsftpd/chroot_list (it is case sensitive)
write your user name for admin access on line 1
save the file

you will be exempt from being locked in your home directory however all other users will still be locked in their home directory.

And specifically in your case remove the line chroot_local_user=NO

Reboot your server for changes to take effect.

Here is the shell command for adding a user to a currently existing home directory: (directory must already exist and is case sensitive)

mkdir /home/mystuff
groupadd ftp_users
chmod 777 /home/mystuff
useradd -g ftp_users -d /home/mystuff user1

This will create a password for the user1 account:
passwd user1

Best of Luck,

Joe

By: Matt Borja

Matt Borja — Thu, 06 Oct 2011 16:14:16 +0000

This is also required on some dedicated servers and cloud solutions (e.g. Rackspace). Having chroot_local_user=YES is not sufficient in such cases and requires chroot_list_enable and chroot_list_file to both be uncommented.

Also, it’s probably worth mentioning that while this will chroot FTP users, it will not chroot SFTP over SSH users. This is an upcoming feature that will be present in CentOS 6, but as of now, Ubuntu, all current distributions of Red Hat, and CentOS 5 do not support chrooting of SFTP/SSH accounts

By: Xavi

Xavi — Wed, 10 Aug 2011 09:51:21 +0000

Check that

local_root=/

is commented in your etc/vsftpd.conf file (if not, it’ll go ever to / or whatever it’s put there). Cheers

By: Xavi

Xavi — Wed, 10 Aug 2011 09:50:18 +0000

Check that

local_root=/

is commented in your etc/vsftpd.conf file (if not, it’ll go ever to / or whatever it’s put there). Cheers

By: Jon

Jon — Tue, 24 May 2011 09:53:41 +0000

I could use some help for the following:
1) local user (myself) need complete access to update wordpress and by default I have what I need with the following:
anon_mkdir_write_enable=YES
anon_root=/srv/ftp
anon_upload_enable=YES
chroot_local_user=NO
local_enable=YES
log_ftp_protocol=YES
max_clients=10
max_per_ip=3
write_enable=YES
local_root=/srv/www/wp-content

2) I have a web developer that requires access to another folder
/srv/www/domainname

How do I give him access to this domainname folder, and only that location and what lies under it? i.e the subfolder of the domainname folder. I do not want him to be able to change directory from that folder.

Thanks

By: Nandakumar

Nandakumar — Thu, 02 Sep 2010 12:16:45 +0000

Brian :( ….you are right. Nobody has said this that chroot not jail the user, I have wasted my time doing chroot on sftp and nothing happened yet, after seeing your post i just commented all the sftp option in vsftp config file. now i am seeing that jailing option working. Thanks a lot :) you saved me.

But still my task incomplete how to jail the user in sftp and how make this ftp work in browser (integrate with apache) ?

I am newbie so please don’t mistake me if raised silly questions.
Please help me…

By: Nandakumar

Nandakumar — Thu, 02 Sep 2010 12:16:11 +0000

But still my task incomplete how to jail the user in sftp and how make this ftp work in browser (integrate with apache) ?

I am newbie so please don’t mistake me if raised silly questions.
Please help me…

Nanda

By: Nandakumar

Nandakumar — Thu, 02 Sep 2010 10:58:48 +0000

I am also facing the problem like user can able to access all the folders without any restriction. I have enabled all the above said option but none of them working. I have two issues one i am not able to access ftp via browser and another one any user can access any folder with out any control. could anybody can help me to solve this issue ?

Thanks,
Nanda

By: steven

steven — Wed, 30 Jun 2010 07:34:03 +0000

even only set chroot_local_user=yes. it still limit user to “/” ,rather than user’s home directory. any idea how to fix this ?

By: Vivek Gite

Vivek Gite — Tue, 08 Jun 2010 20:42:15 +0000

VSFTPD = FTP server
SFTP = OpenSSH server, so you need to chroot OpenSSH user. OpenSSH 5.x series do have inbuilt support for jailing users to their directories.

Another option is to run vsftpd with SSL support only.

By: Brian

Brian — Tue, 08 Jun 2010 20:29:25 +0000

Works great with regular FTP, but does not jail users when using SFTP. How would I do that?

By: Phil

Phil — Sat, 05 Jun 2010 23:33:55 +0000

If you put people in the chroot_list thats people that are NOT going to be restricted to there home directory. leave chroost list enable commented out, skip adding names to the list and just use chroot_local_user=yes

peace easy
-phil

By: Ray

Ray — Tue, 02 Mar 2010 07:31:50 +0000

Hey gyus, i did the chroot_local_user=yes
chroot list enable=yes
add the user names on /etc/vsftpd/chroot_list
still when logging I go everywhere on /

Any ideas?

Thanks!

By: Muhammad Babar

Muhammad Babar — Tue, 02 Mar 2010 07:24:46 +0000

Hi!
I configure a vsftpd server and they work but when i access through browser they open “Log On As” window but we can’t login. i don’t know why this happen.
but we can access through cmd.
We want to access my Home directory through internet-explorer.
Plzz help meee

By: Matt J.

Matt J. — Tue, 08 Sep 2009 08:08:22 +0000

Hi, Vikas-

If your browser implements the spec (RFC1738) correctly, then in the case where you specify no user name, it will assume the user name is ‘anonymous’. Now back in the days when the spec was written, the password for ‘anonymous’ was an email address. But this is not so common now. Now the password is usually also ‘anonymous’.

That is the difference between “ftp://X.X.X.X” and “ftp://username@X.X.X.X”. So the behavior you describe sounds like the browser is doing the right thing.

By: Vikas Singh

Vikas Singh — Thu, 23 Jul 2009 12:13:28 +0000

Hi, All
I have configure ftp in fc5.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
but when I trying to access my ftp from web (ftp://X.X.X.X) it is not asking for username and passwd but I can access it ftp://username@X.X.X.X. I m not understanding why?

By: Bineesh

Bineesh — Fri, 03 Jul 2009 09:34:28 +0000

How i can configure different chroot directory for different users.

By: srinivas

srinivas — Tue, 09 Jun 2009 06:10:39 +0000

my vsftpd setup has following

->useradd -d /var/www/html/site ftpupload
->chown ftp:ftp /var/www/html/site
->chmod g+w /var/www/html/site
->vi /etc/vsftpd/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
-> vi /etc/vsftpd/chroot_list
ftpupload

this works fine when i tried from command mode from another linux
box using both ftp and lftp commands and my user restricting to his home
directory.

this is the same with the case if i use WinSCP with ftp as protocol.
but if i use sftp as the protocol i am able to chroot to another directories too

anybody has this problem ??
i need help..

Thanks in advance

By: Martin

Martin — Sun, 15 Mar 2009 22:36:11 +0000

To Bjarte Aune Olsen:
search in the configuration file the directive local_root=… and comment it out (thus local_root will be unset). If this directive was set then vsftpd always respect him, so after loging in, he put the user in the directory that was set by local_root=…
I hope that will help you.

-Martin-