- 07-04-2011 #1
VSFTPD chroot jail function not working
Hi,
I'm trying to get the chroot jail option in VSFTPD working but it is not functioning properly. The users given inside the chroot_jail file as well as the other users are also able to browse beyond their home directory. Is this a bug or a misconfiguration problem? I'm using VSFTPD 2.3.4
my vsftpd.conf file is as follows
thanks
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=This is a FTP Server
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsfpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
anon_world_readable_only=NO
pasv_max_port=1024
dirlist_enable=NO
chmod_enable=NO
passwd_chroot_enable=YES
- 07-04-2011 #2
amithad,
This may sound like a dumb question, but you'd be surprised how many people forget the "little" things. Did you restart vsftpd? On CentOS, for example, the command is: /etc/init.d/vsftpd restart. On my configuration, I have the following commented out:
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsfpd/chroot_list
At the bottom of this configuration file I have the following:
pam_service_name=vsftpd
userlist_file=/etc/vsftpd.userlist
userlist_enable=YES
listen=YES
tcp_wrappers=YES
chroot_local_user=NO
userlist_deny=NO
List your users in /etc/vsftpd.userlist.
Save everything and restart vsftpd.
Try it out.
- 07-05-2011 #3
Dear hrfister,
I followed what you suggested but got the same result:
local users can still browse the root file system even though I commented out the
entries.
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsfpd/chroot_list
N.B. I'm using the WinSCP software to sync files with the SFTP server. Through that software, root file system browsing is possible.
- 07-05-2011 #4
Disable the list and only leave uncommented
chroot_local_user=YES
Be careful with the chroot_list option, as it has the opposite behavior if chroot_local_user is enabled.
Qatqat
- 07-05-2011 #5
Just edit the following lines in vsftpd.conf:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
passwd_chroot_enable=YES
and open that file and enter the list of local users that you want to be able to log in:
#vim /etc/vsftpd/chroot_list
user1
user2
save and exit..
and restart the vsftpd daemon..
that's enough.. make sure that the user exists and set the password too.. only then will it work..
if you are still facing it then it could be a firewall problem.. most people forget to check SELinux.. if it is a problem with SELinux then
enable that boolean (#setsebool -P ftp_home_dir on)..
and check tcp wrappers and iptables also..
hope this will help
.. reply to us if you got a solution..
Last edited by antony_pradeep; 07-05-2011 at 06:49 AM. Reason: forgot one step
- 07-05-2011 #6
Dear Qatqat & Pradeep,
Thanks for your replies. The problem persists even though I made the changes accordingly. The only two FTP options I have enabled in SELinux are
1. Allow internal-sftp to read and write files in the user ssh home directory
2. Allow sftp-internal to read and write files in the user home directory
I'm using Fedora 13 as my FTP server OS. The strange thing is that even though I unchecked all the entries in SELinux pertaining to ftp and unchecked the FTP option in the firewall, the WinSCP program is still able to connect to the relevant user directories :-O. (The SSH port in the firewall is open.)
N.B. I'm testing with two local users on the server. One user is added to the ftp user group, the other one is not, but both can connect to the SFTP server.
- 07-05-2011 #7
Modifications to the /etc/vsftpd.conf file
-----------------------------------
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=NO
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
Once I made these changes and added my user name to the /etc/vsftpd.chroot_list, I was good to go, I could not go outside of my directory.
Tdsan
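As an added illustration of the list semantics Qatqat (#4) and Tdsan (#7) describe (this is example code written for this page, not code from the thread or from the vsftpd project), here is a small POSIX shell script that reads a vsftpd.conf and reports whether a given local user would end up chroot()ed. The three sample configs, the list file and the user names alice and bob are constructed for the demo; the "error:list-file-unreadable" status is the script's own convention for a list path that cannot be opened (such as the misspelled /etc/vsfpd path in the original post), not a vsftpd message.

```shell
#!/bin/sh
# Added example, not code from the thread or from vsftpd: work out which local
# users a given vsftpd.conf will chroot(), using the semantics the config
# file's own comments state:
#   chroot_local_user=NO  and chroot_list_enable=YES -> list names users TO chroot
#   chroot_local_user=YES and chroot_list_enable=YES -> list names users NOT to chroot
#   chroot_list_enable=NO                            -> the list file is ignored
# The sample configs, list file and user names below are constructed for the demo.

# Print the value of key $2 in vsftpd.conf $1, or the default $3 if it is unset.
# vsftpd reads "key=value" lines; lines starting with '#' are comments.
vsftpd_get() {
    _v=$(grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# Boolean options: vsftpd accepts YES/TRUE/1 in any case as true.
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "chrooted", "not-chrooted" or "error:list-file-unreadable" for
# user $2 under config file $1.
vsftpd_chroot_effect() {
    conf=$1; user=$2
    chroot_all=$(vsftpd_get "$conf" chroot_local_user NO)
    list_on=$(vsftpd_get "$conf" chroot_list_enable NO)
    list_file=$(vsftpd_get "$conf" chroot_list_file /etc/vsftpd/chroot_list)

    if ! is_yes "$list_on"; then
        # No list in play: the global switch decides for everyone.
        if is_yes "$chroot_all"; then echo chrooted; else echo not-chrooted; fi
        return
    fi
    if [ ! -r "$list_file" ]; then
        # A misspelled list path (the thread's /etc/vsfpd/...) lands here.
        echo error:list-file-unreadable
        return
    fi
    listed=1
    grep -qx "$user" "$list_file" && listed=0
    if is_yes "$chroot_all"; then
        # Inverted semantics: listed users are the exceptions that escape the jail.
        if [ $listed -eq 0 ]; then echo not-chrooted; else echo chrooted; fi
    else
        if [ $listed -eq 0 ]; then echo chrooted; else echo not-chrooted; fi
    fi
}

# Write constructed sample files into a temp dir and print its path.
demo_setup() {
    d=$(mktemp -d)
    printf 'alice\n' > "$d/chroot_list"
    # Config A: the original post's switches, with the list path corrected.
    printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
        "$d/chroot_list" > "$d/a.conf"
    # Config B: Tdsan's post #7 layout, where the list names the users to jail.
    printf 'chroot_local_user=NO\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
        "$d/chroot_list" > "$d/b.conf"
    # Config C: the original post verbatim, pointing at the misspelled path.
    printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=/etc/vsfpd/chroot_list\n' \
        > "$d/c.conf"
    echo "$d"
}

# Usage: sh vsftpd_chroot_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(demo_setup)
    for c in a b c; do
        for u in alice bob; do
            printf '%s.conf %-5s %s\n' "$c" "$u" "$(vsftpd_chroot_effect "$d/$c.conf" "$u")"
        done
    done
    rm -rf "$d"
fi
```

Running it with --demo shows the inversion directly: under config A (chroot_local_user=YES) alice, the only listed user, is the one who is not jailed while bob is; under config B (chroot_local_user=NO) the same list jails alice and leaves bob free. Config C reports the unreadable list file, which is the kind of silent misconfiguration worth catching before looking at SELinux or the firewall. It also says nothing about an SFTP session, since (as post #9 notes) WinSCP over SSH never touches vsftpd at all.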
- 07-06-2011 #8
Dear Tdsan,
Thanks for the reply. This change is also not working to restrict the user to their home directory.
- 07-06-2011 #9
We know that amit.. because you are not using a normal ftp client like ftp or lftp. Actually your ftp server is chrooted very well, but you are using sftp.. it's like an ssh login.. so it will show all files with read permission (default for a file is 644).. the only way is that you need to chroot your ssh login itself; only then will sftp work as you expected.. these are links to a tutorial for chrooting ssh..
please don't do that on live servers..
to install rssh
here
----------------------------------------
pkgs.repoforge.org/rssh/rssh-2.3.3-1.el5.rf.i386.rpm
----------------------------------------
tutorial
----------------------------------------
cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
------------------------------------
Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only
yesterday I tried that tutorial but I couldn't succeed and I didn't get enough time to..
best of luck..
- 07-06-2011 #10
Modifications to the /etc/vsftpd.conf file version 2
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
async_abor_enable=YES
ascii_upload_enable=NO
ascii_download_enable=NO
chroot_local_user=NO
chroot_list_enable=YES
ls_recurse_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
These are my settings from the file. When I logged in to the machine and did an ls from the prompt:
ftp> ls
drwxr-xr-x 5 1000 0 4096 Mar 10 18:19 vmware
drwxr-xr-x 2 1000 0 4096 Nov 02 2010 vote
drwxr-xr-x 2 1000 0 4096 Jan 18 13:11 wimax
drwxr-xr-x 2 1000 0 4096 Nov 13 2010 zack
226 Directory send OK.
ftp> pwd
257 "/"
ftp> cd /home/tdsan
550 Failed to change directory.
ftp> ls
drwxr-xr-x 5 1000 0 4096 Mar 10 18:19 vmware
drwxr-xr-x 2 1000 0 4096 Nov 02 2010 vote
drwxr-xr-x 2 1000 0 4096 Jan 18 13:11 wimax
drwxr-xr-x 2 1000 0 4096 Nov 13 2010 zack
226 Directory send OK.
ftp> cd /root
550 Failed to change directory.
As it stands, zack is a directory in my home directory, so this is the root of my home directory.
I hope this helps.
Tdsan