chrooted vsftpd is mapping users to / not home dir

Printable View

12-01-2005
skybolt_1

chrooted vsftpd is mapping users to / not home dir

Hey everyone,

I'm running slack 10.2 with the latest release of vsftpd, custom compiled (not package), running standalone. Server is going to be used to help serve patient records over VPN's to remote offices (I work in a hospital). I want to chroot all my users to a single common directory, but I can't even get chroot to work properly to make them map to their /home/username directories.

What happens is that when a client connects, they only "see" /, but they aren't seeing ANYTHING in the directory. No /etc, /boot, /home, etc... and if I try and type the path in manually, aka, /home/sleeplab, it cannot find the directory.

I have read the mans! And googled.

Here is my vsftpd.config file

<vsftpd.config>
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
ftpd_banner=FTP Server
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
#chroot_list_file=/etc/vsftpd.chroot_list
ls_recurse_enable=YES
listen=YES
background=YES
chroot_local_user=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list

</vsftpd.config>

AND - here is my passwd file

<passwd>

root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
ftpsecure:x:501:100::/:
sleeplab:x:500:100::/home/sleeplab/./:/bin/bash
drdambro:x:502:100::/home/drdambro/./:/bin/bash

</passwd>

Any suggestions?
12-01-2005
TheGreen

Perhaps not what you are looking for, but I was going through similar issue, and decided to do it a little differently.

I used http://olivier.sessink.nl/jailkit/ to set up my jail, as I kept not quite getting mine to work. JailKit was a good way for me, and The maintainer / Author is great to work with.

I Chose not to use ftp, and instead use sftp via ssh. I think this makes more sense for patient information etc. since the transmission is encrypted.

Maybe not of use to you, but it worked great for me.
12-01-2005
skybolt_1

Cool. So does the jailkit replace the chrooting performed natively by linux?

I might give it a try if there are no other ideas... vsftpd seems to be well documented.. I cant imagine no one else has ever seen this problem.

Thanks for the tip!
12-01-2005
TheGreen

It doesnt really replace it. It uses chroot. Its easier because he worte scripts and a congiuragtion file to make it less cumbersome on us folks who dont set chroot enviroments all day long. :-) at least that is my take on it.

vsftpd is of course a very good program. It sets up its own jailed enviroment. My problem was I couldnt get it to work well with SSL or over SSH, (note: I couldnt, that doesnt mean it does not work well, I just didnt know how and couldnt find info to do it) I just wanted to make sure any information I sent was encrypted. Sending patient data un-encrypted would be a bad bad deal.

Also, If you happen to have a windows server that needes to connect, I am useing winscp http://winscp.net/eng/index.php at one of my clients. It can be set up to work on a schedule. I know filezilla and others work fine with sftp over ssh, but winscp is an easy clean fix to send and receive at end users side if they have no linux. Good luck.

by the way, HermanAB's site has a few good how to's under networking and such. http://www.aerospacesoftware.com/linuxhowtos.html
12-01-2005
kern

I can recommend winSCP here too, great program for people that need to get something from a server, but that server has no windows based access, i.e smb/ftp/http/etc

:)
12-02-2005
skybolt_1

TheGreen: Would you mind posting an example of your jk_lsh.ini file? I'm not sure how permissions should be set up for simple FTP access.
12-02-2005
TheGreen

Skybolt_1

Well As I said I am not using FTP, I am using sftp over ssh. Here is what a user "someuser" is using in their Jail I have set up.

I will leave the examples in there. You can see mine in Green:

jk_lsh.ini file for Someuser

## example for a user
#[test]
#paths= /usr/lib/
#executables= /usr/lib/sftp-server
#allow_word_expansion = 0
#
##example for a group, there should be only 1 space inbetween the words!
#[group users]
#paths = /usr/bin
#executables = /usr/bin/cvs
#allow_word_expansion = 0
#
[Someuser]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/ssh/sftp-server

Now, remeber that these point to the jail, not to the real /usr/bin and /usr/lib and you will need to have the appropriate libraries and executables in each. In this case the /usr/lib contains libcrypto and ssh sftp etc. whatever you need them to run.

Your jail may look like /var/ftp/jail/home/someuser or where ever you want to put it.

OH also this may help, this is my line from /etc/passwd that contains "someuser"

someuser:x:506:100::/var/ftp/jail/./home/someuser:/usr/sbin/jk_chrootsh

I hope that helps. Most everything I needed to learn I found on hermanAB and JailKits site. Oliver Sessnik from JailKit was extremely helpful. We traded a few e-mails and he got me through a couple distrobution specific issues.