  1. #1
    Linux Newbie amithad's Avatar
    Join Date
    Sep 2006
    Location
    Sri Lanka
    Posts
    160

    VSFTPD chroot jail function not working


    Hi,

    I'm trying to get the chroot jail option in VSFTPD working, but it is not functioning properly. The users given inside the chroot_jail file, as well as the other users, are able to browse beyond their home directory. Is this a bug or a misconfiguration problem? I'm using VSFTPD 2.3.4.

    My vsftpd.conf file is as follows:

    # Example config file /etc/vsftpd/vsftpd.conf
    #
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    anonymous_enable=NO
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    #anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    #anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # Activate logging of uploads/downloads.
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # You may override where the log file goes if you like. The default is shown
    # below.
    #xferlog_file=/var/log/vsftpd.log
    #
    # If you want, you can have your log file in standard ftpd xferlog format.
    # Note that the default log file location is /var/log/xferlog in this case.
    xferlog_std_format=YES
    #
    # You may change the default value for timing out an idle session.
    #idle_session_timeout=600
    #
    # You may change the default value for timing out a data connection.
    #data_connection_timeout=120
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    #async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that on some FTP servers, ASCII support allows a denial of service
    # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    # predicted this attack and has always been safe, reporting the size of the
    # raw file.
    # ASCII mangling is a horrible feature of the protocol.
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    ftpd_banner=This is a FTP Server
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd/banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    chroot_local_user=YES
    chroot_list_enable=YES
    # (default follows)
    chroot_list_file=/etc/vsfpd/chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES
    #
    # When "listen" directive is enabled, vsftpd runs in standalone mode and
    # listens on IPv4 sockets. This directive cannot be used in conjunction
    # with the listen_ipv6 directive.
    listen=YES
    #
    # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
    # sockets, you must run two copies of vsftpd with two configuration files.
    # Make sure, that one of the listen options is commented !!
    #listen_ipv6=YES

    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    anon_world_readable_only=NO
    pasv_max_port=1024
    dirlist_enable=NO
    chmod_enable=NO
    passwd_chroot_enable=YES
    Thanks

  2. #2
    Just Joined!
    Join Date
    Jul 2011
    Location
    Houston, Texas, USA
    Posts
    9
    amithad,
    This may sound like a dumb question, but you'd be surprised how many people forget the "little" things. Did you restart vsftpd? On CentOS, for example, the command is /etc/init.d/vsftpd restart. On my configuration, I have the following commented out:

    #chroot_local_user=YES
    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsfpd/chroot_list


    At the bottom of this configuration file I have the following:

    pam_service_name=vsftpd
    userlist_file=/etc/vsftpd.userlist
    userlist_enable=YES
    listen=YES
    tcp_wrappers=YES
    chroot_local_user=NO
    userlist_deny=NO

    List your users in /etc/vsftpd.userlist.

    Save everything and restart vsftpd.

    Try it out.

  3. #3
    Linux Newbie amithad's Avatar
    Join Date
    Sep 2006
    Location
    Sri Lanka
    Posts
    160
    Dear hrfister,

    I followed what you suggested, but the result is the same: local users can still browse the root file system even though I commented out the

    #chroot_local_user=YES
    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsfpd/chroot_list
    entries.

    N.B. I'm using the WinSCP software to sync files with the SFTP server. Through that software, root file system browsing is possible.

  4. #4
    Just Joined!
    Join Date
    Nov 2010
    Posts
    4
    Disable the list and only leave uncommented

    chroot_local_user=YES

    Be careful with the chroot_list option, as it has the opposite behavior if chroot_local_user is enabled.

    Qatqat

  5. #5
    Just Joined!
    Join Date
    Apr 2010
    Location
    Bangalore, India.
    Posts
    12
    Just edit the following lines in vsftpd.conf:
    chroot_list_enable=YES
    chroot_list_file=/etc/vsfpd/chroot_list
    passwd_chroot_enable=YES

    and open that file and enter the list of local users that you want to be able to log in:
    #vim /etc/vsftpd/chroot_list
    user1
    user2

    Save and exit,
    and restart the vsftpd daemon.
    That's enough. Make sure that the user exists and set the password too; only then will it work.
    If you are still facing it, then it could be a firewall problem. Most people forget to check SELinux; if it is a problem with SELinux, then
    enable that boolean (#setsebool -P ftp_home_dir on).
    Check TCP wrappers and iptables also.
    Hope this will help. Reply to us if you got a solution.
    Last edited by antony_pradeep; 07-05-2011 at 06:49 AM. Reason: forgot one step

  6. #6
    Linux Newbie amithad's Avatar
    Join Date
    Sep 2006
    Location
    Sri Lanka
    Posts
    160
    Dear Qatqat & Pradeep,

    Thanks for your replies. The problem persists even though I made the changes accordingly. The only two FTP options I have enabled in SELinux are

    1. Allow internal-sftp to read and write files in the user ssh home directory
    2. Allow sftp-internal to read and write files in the user home directory

    I'm using Fedora 13 as my FTP server OS. The strange thing is that even though I unchecked all the entries in SELinux pertaining to FTP and unchecked the FTP option in the firewall, the WinSCP program is still able to connect to the relevant user directories :-O. (The SSH port in the firewall is open.)

    N.B. I'm testing with two local users on the server. One user is added to the ftp user group, the other one is not, but both can connect to the SFTP server.

  7. #7
    Just Joined!
    Join Date
    Sep 2007
    Location
    Silver Spring, MD
    Posts
    95

    Modifications to the /etc/vsftpd.conf file

    Quote Originally Posted by amithad View Post
    Dear Qatqat & Pradeep,

    Thanks for your replies. The problem persists even though I made the changes accordingly. The only two FTP options I have enabled in SELinux are

    1. Allow internal-sftp to read and write files in the user ssh home directory
    2. Allow sftp-internal to read and write files in the user home directory

    I'm using Fedora 13 as my FTP server OS. The strange thing is that even though I unchecked all the entries in SELinux pertaining to FTP and unchecked the FTP option in the firewall, the WinSCP program is still able to connect to the relevant user directories :-O. (The SSH port in the firewall is open.)

    N.B. I'm testing with two local users on the server. One user is added to the ftp user group, the other one is not, but both can connect to the SFTP server.
    -----------------------------------

    # You may restrict local users to their home directories. See the FAQ for
    # the possible risks in this before using chroot_local_user or
    # chroot_list_enable below.
    chroot_local_user=NO
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    #chroot_local_user=YES
    chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsftpd.chroot_list

    Once I made these changes and added my user name to /etc/vsftpd.chroot_list, I was good to go: I could not go outside of my directory.

    Tdsan
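
    Qatqat's warning that the list flips meaning, and Tdsan's working pair of settings, come down to a small decision table from vsftpd.conf(5). The script below is an added example (not code from any poster in this thread) that reads a vsftpd.conf and states whether a given local user would be chrooted; the compiled-in default list path and the sample config the demo writes are assumptions.

```sh
# Added example, not from the thread. Decides whether vsftpd will chroot a
# local user from the three settings the thread keeps flipping.
# Rules per vsftpd.conf(5):
#   chroot_list_enable=NO                          -> chroot_local_user alone decides
#   chroot_local_user=NO  + chroot_list_enable=YES -> list = users TO chroot
#   chroot_local_user=YES + chroot_list_enable=YES -> list = users NOT to chroot
# An SFTP session never reaches this logic at all: sshd serves it, not vsftpd.

# Print the last uncommented value of option $2 in config file $1 (empty if unset).
vsftpd_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Print "chrooted", "not-chrooted" or "error: ..." for user $2 under config $1.
vsftpd_chroot_status() {
    conf=$1
    user=$2
    local_user=$(vsftpd_opt "$conf" chroot_local_user)
    list_enable=$(vsftpd_opt "$conf" chroot_list_enable)
    list_file=$(vsftpd_opt "$conf" chroot_list_file)
    [ -n "$local_user" ] || local_user=NO
    [ -n "$list_enable" ] || list_enable=NO
    # Assumed compiled-in default; confirm against vsftpd.conf(5) for your build.
    [ -n "$list_file" ] || list_file=/etc/vsftpd/chroot_list

    if [ "$list_enable" != YES ]; then
        [ "$local_user" = YES ] && echo chrooted || echo not-chrooted
        return 0
    fi
    if [ ! -r "$list_file" ]; then
        # A path typo such as /etc/vsfpd/... lands here: the list is enabled but
        # cannot be opened, so logins fail with an OOPS instead of silently chrooting.
        echo "error: chroot_list_file '$list_file' is not readable"
        return 0
    fi
    if grep -qxF "$user" "$list_file"; then in_list=yes; else in_list=no; fi
    if [ "$local_user" = YES ]; then
        [ "$in_list" = yes ] && echo not-chrooted || echo chrooted
    else
        [ "$in_list" = yes ] && echo chrooted || echo not-chrooted
    fi
}

# Constructed demo: a throwaway config with chroot_local_user=YES and an
# exception list containing only "admin".
demo_vsftpd_chroot() {
    d=$(mktemp -d)
    printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/chroot_list\n' "$d" > "$d/vsftpd.conf"
    printf 'admin\n' > "$d/chroot_list"
    echo "admin: $(vsftpd_chroot_status "$d/vsftpd.conf" admin)"   # not-chrooted (on the exception list)
    echo "alice: $(vsftpd_chroot_status "$d/vsftpd.conf" alice)"   # chrooted
    rm -rf "$d"
}
```

    Run it against the real file with vsftpd_chroot_status /etc/vsftpd/vsftpd.conf someuser; an "error:" result is the first thing to fix, because a list file that cannot be opened does not fall back to "chroot everyone".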

  8. #8
    Linux Newbie amithad's Avatar
    Join Date
    Sep 2006
    Location
    Sri Lanka
    Posts
    160
    Dear Tdsan,

    Thanks for the reply. This change is also not working to restrict the user to their home directory.

  9. #9
    Just Joined!
    Join Date
    Apr 2010
    Location
    Bangalore, India.
    Posts
    12
    Quote Originally Posted by amithad View Post
    Dear Tdsan,

    Thanks for the reply. This change is also not working to restrict the user to their home directory.
    We know that, Amit, because you are not using a normal FTP client like ftp or lftp. Actually your FTP server is chrooted very well, but you are using SFTP, which is like an SSH login, so it will show all files with read permission (the default for a file is 644). The only way is to chroot your SSH login itself; only then will SFTP work as you expect. These are links to tutorials for chrooting SSH.
    Please don't do that on live servers.
    To install rssh:
    here
    ----------------------------------------
    pkgs.repoforge.org/rssh/rssh-2.3.3-1.el5.rf.i386.rpm
    ----------------------------------------
    Tutorial:
    ----------------------------------------
    cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
    ------------------------------------
    Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only

    Yesterday I tried that tutorial but I couldn't succeed, and I didn't get enough time to.

    Best of luck.

  10. #10
    Just Joined!
    Join Date
    Sep 2007
    Location
    Silver Spring, MD
    Posts
    95

    Modifications to the /etc/vsftpd.conf file version 2

    listen=YES
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    dirmessage_enable=YES
    use_localtime=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    async_abor_enable=YES
    ascii_upload_enable=NO
    ascii_download_enable=NO
    chroot_local_user=NO
    chroot_list_enable=YES
    ls_recurse_enable=NO
    secure_chroot_dir=/var/run/vsftpd/empty
    pam_service_name=vsftpd
    rsa_cert_file=/etc/ssl/private/vsftpd.pem

    These are my settings from the file. When I logged in to the machine and did an ls from the prompt:

    ftp> ls
    drwxr-xr-x 5 1000 0 4096 Mar 10 18:19 vmware
    drwxr-xr-x 2 1000 0 4096 Nov 02 2010 vote
    drwxr-xr-x 2 1000 0 4096 Jan 18 13:11 wimax
    drwxr-xr-x 2 1000 0 4096 Nov 13 2010 zack
    226 Directory send OK.

    ftp> pwd
    257 "/"

    ftp> cd /home/tdsan
    550 Failed to change directory.

    ftp> ls
    drwxr-xr-x 5 1000 0 4096 Mar 10 18:19 vmware
    drwxr-xr-x 2 1000 0 4096 Nov 02 2010 vote
    drwxr-xr-x 2 1000 0 4096 Jan 18 13:11 wimax
    drwxr-xr-x 2 1000 0 4096 Nov 13 2010 zack
    226 Directory send OK.

    ftp> cd /root
    550 Failed to change directory.

    As it stands, zack is a directory in my home directory, so this is the root of my home directory.

    I hope this helps.

    Tdsan
