  1. #1
    Just Joined!
    Join Date
    Dec 2005
    Location
    Lowell, MA
    Posts
    6

    chrooted vsftpd is mapping users to / not home dir


    Hey everyone,

    I'm running slack 10.2 with the latest release of vsftpd, custom compiled (not package), running standalone. Server is going to be used to help serve patient records over VPNs to remote offices (I work in a hospital). I want to chroot all my users to a single common directory, but I can't even get chroot to work properly to make them map to their /home/username directories.

    What happens is that when a client connects, they only "see" /, but they aren't seeing ANYTHING in the directory. No /etc, /boot, /home, etc... and if I try and type the path in manually, aka, /home/sleeplab, it cannot find the directory.

    I have read the mans! And googled.

    Here is my vsftpd.config file

    <vsftpd.config>
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    #anon_upload_enable=YES
    #anon_mkdir_write_enable=YES
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    #chown_uploads=YES
    #chown_username=whoever
    xferlog_file=/var/log/vsftpd.log
    xferlog_std_format=YES
    #idle_session_timeout=600
    #data_connection_timeout=120
    nopriv_user=ftpsecure
    #async_abor_enable=YES
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    ftpd_banner=FTP Server
    #deny_email_enable=YES
    #banned_email_file=/etc/vsftpd.banned_emails
    #chroot_list_file=/etc/vsftpd.chroot_list
    ls_recurse_enable=YES
    listen=YES
    background=YES
    chroot_local_user=YES
    userlist_enable=YES
    userlist_file=/etc/vsftpd.user_list

    </vsftpd.config>

    AND - here is my passwd file

    <passwd>

    root:0:0::/root:/bin/bash
    bin:1:1:bin:/bin:
    daemon:2:2:daemon:/sbin:
    adm:3:4:adm:/var/log:
    lp:4:7:lp:/var/spool/lpd:
    sync:5:0:sync:/sbin:/bin/sync
    shutdown:6:0:shutdown:/sbin:/sbin/shutdown
    halt:7:0:halt:/sbin:/sbin/halt
    mail:8:12:mail:/:
    news:9:13:news:/usr/lib/news:
    uucp:10:14:uucp:/var/spool/uucppublic:
    operator:11:0:operator:/root:/bin/bash
    games:12:100:games:/usr/games:
    ftp:14:50::/home/ftp:
    smmsp:25:25:smmsp:/var/spool/clientmqueue:
    mysql:27:27:MySQL:/var/lib/mysql:/bin/bash
    rpc:32:32:RPC portmap user:/:/bin/false
    sshd:33:33:sshd:/:
    gdm:42:42:GDM:/var/state/gdm:/bin/bash
    pop:90:90:POP:/:
    nobody:99:99:nobody:/:
    ftpsecure:501:100::/:
    sleeplab:500:100::/home/sleeplab/./:/bin/bash
    drdambro:502:100::/home/drdambro/./:/bin/bash

    </passwd>

    Any suggestions?

  2. #2
    Just Joined!
    Join Date
    May 2005
    Posts
    52
    Perhaps not what you are looking for, but I was going through a similar issue, and decided to do it a little differently.

    I used http://olivier.sessink.nl/jailkit/ to set up my jail, as I kept not quite getting mine to work. JailKit was a good way for me, and the maintainer/author is great to work with.

    I chose not to use ftp, and instead use sftp via ssh. I think this makes more sense for patient information etc. since the transmission is encrypted.

    Maybe not of use to you, but it worked great for me.

  3. #3
    Just Joined!
    Join Date
    Dec 2005
    Location
    Lowell, MA
    Posts
    6
    Cool. So does the jailkit replace the chrooting performed natively by linux?

    I might give it a try if there are no other ideas... vsftpd seems to be well documented... I can't imagine no one else has ever seen this problem.

    Thanks for the tip!

  4. #4
    Just Joined!
    Join Date
    May 2005
    Posts
    52
    It doesn't really replace it. It uses chroot. It's easier because he wrote scripts and a configuration file to make it less cumbersome on us folks who don't set chroot environments all day long. At least that is my take on it.

    vsftpd is of course a very good program. It sets up its own jailed environment. My problem was I couldn't get it to work well with SSL or over SSH (note: I couldn't; that doesn't mean it does not work well, I just didn't know how and couldn't find info to do it). I just wanted to make sure any information I sent was encrypted. Sending patient data unencrypted would be a bad bad deal.

    Also, if you happen to have a Windows server that needs to connect, I am using WinSCP http://winscp.net/eng/index.php at one of my clients. It can be set up to work on a schedule. I know FileZilla and others work fine with sftp over ssh, but WinSCP is an easy clean fix to send and receive at the end user's side if they have no Linux. Good luck.

    By the way, HermanAB's site has a few good how-tos under networking and such. http://www.aerospacesoftware.com/linuxhowtos.html

  5. #5
    Linux Enthusiast
    Join Date
    Jun 2005
    Posts
    668
    I can recommend WinSCP here too, great program for people that need to get something from a server, but that server has no Windows-based access, i.e. smb/ftp/http/etc.


  6. #6
    Just Joined!
    Join Date
    Dec 2005
    Location
    Lowell, MA
    Posts
    6
    TheGreen: Would you mind posting an example of your jk_lsh.ini file? I'm not sure how permissions should be set up for simple FTP access.

  7. #7
    Just Joined!
    Join Date
    May 2005
    Posts
    52
    Skybolt_1

    Well, as I said, I am not using FTP, I am using sftp over ssh. Here is what a user "someuser" is using in their jail I have set up.

    I will leave the examples in there. You can see mine in Green:

    jk_lsh.ini file for Someuser

    ## example for a user
    #[test]
    #paths= /usr/lib/
    #executables= /usr/lib/sftp-server
    #allow_word_expansion = 0
    #
    ##example for a group, there should be only 1 space inbetween the words!
    #[group users]
    #paths = /usr/bin
    #executables = /usr/bin/cvs
    #allow_word_expansion = 0
    #
    [Someuser]
    paths= /usr/bin, /usr/lib/
    executables= /usr/bin/scp, /usr/lib/ssh/sftp-server

    Now, remember that these point to the jail, not to the real /usr/bin and /usr/lib, and you will need to have the appropriate libraries and executables in each. In this case the /usr/lib contains libcrypto and ssh sftp etc., whatever you need them to run.

    Your jail may look like /var/ftp/jail/home/someuser or wherever you want to put it.

    Oh, also this may help: this is my line from /etc/passwd that contains "someuser"

    someuser:506:100::/var/ftp/jail/./home/someuser:/usr/sbin/jk_chrootsh

    I hope that helps. Most everything I needed to learn I found on HermanAB's and JailKit's sites. Olivier Sessink from JailKit was extremely helpful. We traded a few e-mails and he got me through a couple of distribution-specific issues.
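
The `/./` in the home field of the passwd lines in posts #1 and #7 is the marker that `jk_chrootsh` (and vsftpd, when `passwd_chroot_enable=YES` is set alongside `chroot_local_user`) uses to separate the jail root from the directory inside the jail. The script below is an added example, not part of any post in the thread; the function names `jail_split` and `report_jails` are made up for illustration, and the sample lines are copied from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): split the home field of passwd-style
# lines at the "/./" marker into jail root and directory inside the jail.

# jail_split HOME -> prints "JAIL<TAB>INSIDE"; JAIL is "-" without a marker.
jail_split() {
    home=$1
    case $home in
        */./*)
            jail=${home%%/./*}      # everything before the first "/./"
            inside=/${home#*/./}    # everything after it, made absolute
            [ -n "$jail" ] || jail=/
            ;;
        *)
            jail=-
            inside=$home
            ;;
    esac
    # Drop trailing slashes but keep a bare "/".
    while [ "$inside" != "/" ] && [ "${inside%/}" != "$inside" ]; do
        inside=${inside%/}
    done
    printf '%s\t%s\n' "$jail" "$inside"
}

# report_jails: passwd-style lines on stdin -> "user jail inside shell".
# Home and shell are read from the END of each line, so listings that lack
# the password column (the lines posted in the thread have six fields)
# parse the same way as a full seven-field file.
report_jails() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        user=${line%%:*}
        shell=${line##*:}
        rest=${line%:*}
        home=${rest##*:}
        printf '%s\t%s\t%s\n' "$user" "$(jail_split "$home")" "${shell:--}"
    done
}

# Sample lines copied from posts #1 and #7.
SAMPLE='root:0:0::/root:/bin/bash
sleeplab:500:100::/home/sleeplab/./:/bin/bash
someuser:506:100::/var/ftp/jail/./home/someuser:/usr/sbin/jk_chrootsh'

printf '%s\n' "$SAMPLE" | report_jails
```

For `sleeplab` the jail root comes out as `/home/sleeplab` and the in-jail directory as `/`, while `someuser` is jailed at `/var/ftp/jail` and starts in `/home/someuser`.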
