Patrick asks:
How do I limit users of vsftpd to only their home directory, so that the user cannot go outside it to browse other directories?

Yesterday's VSFTPD troubleshooting note (read as post) brought this question back to me.

If you do not wish FTP users to be able to access any files outside of their own home directory, set up a chroot jail.

Consider the following example:

  • FTP username: user1
  • FTP home directory: /home/user1

$ ftp ftp.domain.com

Output:

Connected to ftp.domain.com.
220 (vsFTPd 2.0.5)
Name (ftp.domain.com:user1): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/user1"
ftp> cd /etc
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            7959 Mar 02 22:20 Muttrc
drwxr-xr-x    3 0        0            4096 Jul 24 12:20 Wireless
drwxr-xr-x   16 0        0            4096 Jul 30 22:58 X11
drwxr-xr-x    4 0        0            4096 Sep 05  2005 Xprint
-rw-r--r--    1 0        0            2188 Sep 05  2005 adduser.conf
-rw-r--r--    1 0        0              47 Aug 16 14:52 adjtime
-rw-------    1 0        0            4330 Aug 18  2005 afick.conf
-rw-r--r--    1 0        0             194 Sep 05  2005 aliases
-rw-r--r--    1 0        0           12288 Jul 19 21:27 aliases.db
drwxr-xr-x    2 0        0            8192 Aug 15 09:33 alternatives
...

Now a normal user can change to the /etc directory (and possibly to every other directory), and if sensitive files are world-readable, the user can download them via FTP.

To avoid this security problem, lock the FTP user in a chroot jail.

Open the vsftpd configuration file, /etc/vsftpd/vsftpd.conf:
# vi /etc/vsftpd/vsftpd.conf

Make sure the following line exists (and is uncommented):
chroot_local_user=YES

Save and close the file. Restart vsftpd:
# /etc/init.d/vsftpd restart

Now all users of VSFTPD/FTP will be limited to accessing only files in their own home directory. They will not be able to see /, /etc, /root, /tmp, or any other directory. This is an essential security feature.
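To check how a given vsftpd.conf will treat a particular user before restarting the daemon, here is an added audit helper (not code from the original post or from the vsftpd project). It applies the rules the post and its comments discuss, assumes a plain key=value vsftpd.conf, and uses constructed sample configs rather than real files.

```shell
#!/bin/sh
# Audit helper added as an example (not from the post): given a vsftpd.conf and
# a username, report whether vsftpd will chroot that user. Rules applied:
#   chroot_local_user=YES -> all users jailed EXCEPT those in chroot_list_file
#   chroot_local_user=NO  -> no users jailed EXCEPT those in chroot_list_file
#   (the list only counts when chroot_list_enable=YES)
# conf_get FILE KEY: value of the last uncommented KEY=value line, or empty.
conf_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\(.*\)$/\1/p" "$1" | tail -n 1
}
# user_in_list LISTFILE USER: succeeds if USER is on a line by itself.
user_in_list() { [ -r "$1" ] && grep -qx "$2" "$1"; }
# vsftpd_chroot_status CONF USER: prints "jailed" or "not jailed".
vsftpd_chroot_status() {
    conf=$1; user=$2; listed=no; jailed=no
    # upper-case booleans so the lowercase "yes" seen in the comments counts as YES
    jail_all=$(conf_get "$conf" chroot_local_user | tr '[:lower:]' '[:upper:]')
    use_list=$(conf_get "$conf" chroot_list_enable | tr '[:lower:]' '[:upper:]')
    list=$(conf_get "$conf" chroot_list_file); root=$(conf_get "$conf" local_root)
    [ -n "$list" ] || list=/etc/vsftpd.chroot_list          # vsftpd's default path
    if [ "$use_list" = YES ] && user_in_list "$list" "$user"; then listed=yes; fi
    if [ "$jail_all" = YES ]; then         # list holds the exceptions (Phil's point)
        [ $listed = yes ] || jailed=yes
    elif [ $listed = yes ]; then           # list holds the only jailed users (amila)
        jailed=yes
    fi
    if [ $jailed = yes ]; then
        # Xavi's caveat: local_root replaces $HOME as the jail root, so
        # local_root=/ leaves the user able to browse the whole filesystem.
        [ -z "$root" ] || echo "warning: jail root is local_root=$root, not \$HOME" >&2
        echo jailed
    else
        echo "not jailed"
    fi
}
# Constructed sample configs (not files from the post) exercising each rule.
setup_demo() {
    dir=$(mktemp -d); printf 'admin\n' > "$dir/chroot_list"
    printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' \
        "$dir" > "$dir/jail_all.conf"        # the post's setting, admin exempted
    printf '# chroot_local_user=YES\nchroot_list_enable=yes\nchroot_list_file=%s/chroot_list\n' \
        "$dir" > "$dir/jail_listed.conf"     # commented out: only listed users jailed
    printf 'chroot_local_user=YES\nlocal_root=/\n' > "$dir/root_jail.conf"   # Xavi's case
    echo "$dir"
}
d=$(setup_demo)
for c in jail_all jail_listed root_jail; do for u in user1 admin; do
    printf '%-17s %-6s %s\n' "$c.conf" "$u" "$(vsftpd_chroot_status "$d/$c.conf" "$u")"
done; done; rm -rf "$d"
```

Point it at the real file with `vsftpd_chroot_status /etc/vsftpd/vsftpd.conf user1` to confirm the setting above took effect for a specific account.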

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source.

50 comments
  • Bineesh Jul 3, 2009 @ 9:34

    How can I configure a different chroot directory for different users?

  • Vikas Singh Jul 23, 2009 @ 12:13

    Hi, All
    I have configured ftp in fc5.
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd/chroot_list
    but when I try to access my ftp from the web (ftp://X.X.X.X) it does not ask for a username and password, but I can access it via ftp://username@X.X.X.X. I am not understanding why?

  • Matt J. Sep 8, 2009 @ 8:08

    Hi, Vikas-

    If your browser implements the spec (RFC1738) correctly, then in the case where you specify no user name, it will assume the user name is ‘anonymous’. Now back in the days when the spec was written, the password for ‘anonymous’ was an email address. But this is not so common now. Now the password is usually also ‘anonymous’.

    That is the difference between “ftp://X.X.X.X” and “ftp://username@X.X.X.X”. So the behavior you describe sounds like the browser is doing the right thing.

  • Muhammad Babar Mar 2, 2010 @ 7:24

    Hi!
    I configured a vsftpd server and it works, but when I access it through a browser it opens a “Log On As” window and we can’t log in. I don’t know why this happens.
    But we can access it through cmd.
    We want to access my home directory through Internet Explorer.
    Please help me.

  • Ray Mar 2, 2010 @ 7:31

    Hey guys, I did the chroot_local_user=yes,
    chroot_list_enable=yes,
    added the user names to /etc/vsftpd/chroot_list;
    still, when logging in I can go everywhere on /.

    Any ideas?

    Thanks!

    • Phil Jun 5, 2010 @ 23:33

      If you put people in the chroot_list, those are the people that are NOT going to be restricted to their home directory. Leave chroot_list_enable commented out, skip adding names to the list and just use chroot_local_user=yes.

      peace easy
      -phil

      • Brian Jun 8, 2010 @ 20:29

        Works great with regular FTP, but does not jail users when using SFTP. How would I do that?

        • πŸ›‘οΈ Vivek Gite (Author and Admin) nixCraft Jun 8, 2010 @ 20:42

          VSFTPD = FTP server
          SFTP = OpenSSH server, so you need to chroot the OpenSSH user. The OpenSSH 5.x series has built-in support for jailing users to their directories.

          Another option is to run vsftpd with SSL support only.

        • Nandakumar Sep 2, 2010 @ 12:16

          Brian, you are right. Nobody has said that chroot does not jail the user; I have wasted my time doing chroot on sftp and nothing happened. After seeing your post I just commented out all the sftp options in the vsftp config file, and now I am seeing the jailing option working. Thanks a lot, you saved me.

          But still my task is incomplete: how to jail the user in sftp, and how to make this ftp work in a browser (integrate with apache)?

          I am a newbie, so please don’t mind me if I raise silly questions.
          Please help me…

      • steven Jun 30, 2010 @ 7:34

        Even with only chroot_local_user=yes set, it still limits the user to “/” rather than the user’s home directory. Any idea how to fix this?

        • Xavi Aug 10, 2011 @ 9:50

          Check that

          local_root=/

          is commented out in your etc/vsftpd.conf file (if not, it’ll go to / or whatever is put there). Cheers

    • Xavi Aug 10, 2011 @ 9:51

      Check that

      local_root=/

      is commented out in your etc/vsftpd.conf file (if not, it’ll go to / or whatever is put there). Cheers

  • Danzo May 3, 2010 @ 15:20

    Edit /etc/passwd

    change :/bin/bash to :/./:/bin/bash

    That should work.

    However, with ftp://x.x.x.x users remain in their home directories, but with sftp://x.x.x.x users can access other directories.

    Any advice on that one?

  • Nandakumar Sep 2, 2010 @ 10:58

    I am also facing the problem where a user is able to access all the folders without any restriction. I have enabled all the above-said options but none of them is working. I have two issues: one, I am not able to access ftp via a browser, and the other, any user can access any folder without any control. Could anybody help me to solve this issue?

    Thanks,
    Nanda

  • Jon May 24, 2011 @ 9:53

    I could use some help with the following:
    1) The local user (myself) needs complete access to update WordPress, and by default I have what I need with the following:
    anon_mkdir_write_enable=YES
    anon_root=/srv/ftp
    anon_upload_enable=YES
    chroot_local_user=NO
    local_enable=YES
    log_ftp_protocol=YES
    max_clients=10
    max_per_ip=3
    write_enable=YES
    local_root=/srv/www/wp-content

    2) I have a web developer that requires access to another folder
    /srv/www/domainname

    How do I give him access to this domainname folder, and only that location and what lies under it, i.e. the subfolders of the domainname folder? I do not want him to be able to change directory out of that folder.

    Thanks

    • Joseph Nov 26, 2011 @ 6:57

      Hi Jon,

      Here is how to give yourself full access while still restricting others using vsftpd:

      Add or uncomment the following in /etc/vsftpd/vsftpd.conf:
      chroot_local_user=YES
      chroot_list_enable=YES
      chroot_list_file=/etc/vsftpd/chroot_list

      Create a file called /etc/vsftpd/chroot_list (it is case sensitive),
      write your user name for admin access on line 1,
      and save the file.

      You will be exempt from being locked in your home directory; however, all other users will still be locked in their home directory.

      And specifically in your case remove the line chroot_local_user=NO

      Reboot your server for changes to take effect.

      Here are the shell commands for adding a user to a currently existing home directory (the directory must already exist and is case sensitive):

      mkdir /home/mystuff
      groupadd ftp_users
      chmod 777 /home/mystuff
      useradd -g ftp_users -d /home/mystuff user1

      This will create a password for the user1 account:
      passwd user1

      Best of Luck,

      Joe

  • Babu Jan 19, 2012 @ 21:58

    I have been trying all the possible options provided by you guys to jail the user to his assigned path, but I was unsuccessful.
    Is there any expert who can advise me on how to proceed?

    Your timely help would greatly help me out.

  • kirk Mar 13, 2012 @ 22:28

    For extra security, create a separate group and user account with no shell access.

  • Aurelian Mar 16, 2012 @ 11:18

    Hi,
    I have a problem and, after reading this, I couldn’t resolve it:
    I want an ftp user to be able to access /home/ftpuser and /home/share, but NOT /etc or other important system directories.

    How can I do that?
    If I chroot that user, he can see /home/ftpuser but he cannot see /home/share
    If I do NOT chroot that user, he can see /home/ftpuser, /home/share and /etc.

    I do not like the “mount -bind /home/share /home/ftpuser” solution.

    Thank you a lot!

    • amila Mar 13, 2013 @ 12:11

      Uncomment the following:
      chroot_list_enable=YES
      chroot_list_file=/etc/vsftpd.chroot_list

      Then edit “/etc/vsftpd.chroot_list”
      and put the usernames of any jailed users into it.

  • Stopmotionheaven Aug 14, 2013 @ 16:38

    Thanks! Very useful!

  • 4lvin Sep 13, 2013 @ 4:22

    But how about jailing a “SPECIFIC USER ONLY” ?

  • mukesh Aug 13, 2014 @ 7:40

    How to restrict FTP users from deleting their files once uploaded… please help..

  • mukesh Aug 13, 2014 @ 7:41

    How to restrict FTP users from deleting their files?

  • ali epsilon Dec 12, 2014 @ 10:08

    I changed chroot_local_user=YES but it does not jail.

  • Loui Jan 8, 2015 @ 15:19

    Having similar issues to everyone else’s comments on here. Having edited etc/vsftpd.conf with chroot_local_user=YES, a new user still logs in to :/ and not the specific directory.

    Where is the problem?

    Thanks

    Loui
