LinuxQuestions.org
Old 11-30-2005, 08:12 AM   #1
bzolnowski
LQ Newbie
 
Registered: Nov 2005
Location: Killeen, TX
Distribution: Red Hat Enterprise Linux AS
Posts: 5

Rep: Reputation: 0
vsftpd + chroot problem


Hi,
I have a problem with being able to jail my users to a particular directory. I have sajmoon user who is directed by default to /home/ftp-docs/ftp_stuff and it logs him in to this directory by default. I want all of my users to be able to ftp to this directory and all of them are members of the ftp-users group. However, every single one can navigate to any directory in the system. I have tried every solution in different posts I was able to run across but none of them worked for me. In my /etc/vsftpd/vsftpd.conf I have these two lines pertaining to chroot:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

and I have sajmonn added to my
vsftpd.chroot_list

I have also tried just chroot_local_user=YES with all the lines above commented out and it still did not work.
I need help with that. I am about to give up and change vsftp to a different ftp as the chroot does not seem to work and I have run out of ideas. Any help is greatly appreciated.
Thanks

Last edited by bzolnowski; 11-30-2005 at 08:15 AM.
 
Old 12-01-2005, 06:05 AM   #2
openbysource
Member
 
Registered: Oct 2005
Location: Rajasthan
Distribution: RHEL 4 ES
Posts: 66

Rep: Reputation: 15
Hello friend,

I think you want this:

All the users belonging to the ftp-users group go into /home/ftp-docs/ftp_stuff by default when they log in. They cannot navigate to other directories and are restricted to this particular directory.

You do this:

Create a directory by issuing the following command as root:

mkdir -p /home/ftp-docs/ftp_stuff

Then do this:

chgrp ftp-users /home/ftp-docs/ftp_stuff
chmod 3777 /home/ftp-docs/ftp_stuff

In /etc/vsftpd/vsftpd.conf write this:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

Put all your ftp-users group users' names in /etc/vsftpd.chroot_list
Then in the /etc/passwd file change the home directory of all the users belonging to the ftp-users group to /home/ftp-docs/ftp_stuff.
Then do the following:

service vsftpd restart

Then log in as any user belonging to the ftp-users group and you will land in /home/ftp-docs/ftp_stuff. You can't go to the other higher-level directories.

When you issue this
ftp > pwd

You will get to see this
"/"
Don't bother about this.
You will remain in /home/ftp-docs/ftp_stuff only. You can check that out by doing ls.


Any query, feel free to ask.

Take Care
Be Open By Source

Last edited by openbysource; 12-02-2005 at 08:19 AM.
 
Old 12-02-2005, 08:02 AM   #3
bzolnowski
LQ Newbie
 
Registered: Nov 2005
Location: Killeen, TX
Distribution: Red Hat Enterprise Linux AS
Posts: 5

Original Poster
Rep: Reputation: 0
Still have a problem

Hi,
Thank you for your post. This is what I have done so far. I have moved all the files to /var/ftp/pub and made it available to the ftp-users. Now one odd thing that I noticed was that when I run chgrp /var/ftp/pub ftp-users it tells me "invalid group name" and I do not know why since I created the group. When I try to add the ftp-users group it tells me that it already exists. So I ran chgrp root:ftp-users /var/ftp/pub and then it finally changed the files' ownership to ftp-users. After I had done all of that and given the necessary permissions to the files it still did not work like it is supposed to. Another thing that I found odd was that I can ftp my linux server from Windows using Winscp (but the jail function still does not work) but when I ftp it from my linux server as one of the users from the ftp-users group it gives me an error such as "500 OOPS: cannot locate user entry:ftpsecure." I still have my /etc/vsftpd/vsftpd.conf with these two lines pertaining to chroot:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

and I have sajmonn added to my
vsftpd.chroot_list
At this point I am not sure what is going wrong. Please help.
Thank you.
 
Old 12-02-2005, 08:16 AM   #4
openbysource
Member
 
Registered: Oct 2005
Location: Rajasthan
Distribution: RHEL 4 ES
Posts: 66

Rep: Reputation: 15
The solution I provided here worked out for me.


I want to clarify one thing for you:


Quote:
Now one odd thing that I noticed was that when I run chgrp /var/ftp/pub ftp-users it tells me "invalid group name"

This command will give an error:

chgrp /var/ftp/pub ftp-users

Make it like this:

chgrp ftp-users /var/ftp/pub

This is correct.

And the main problem is under testing by me.
I will reply soon.
Tell me one thing: is sajmonn a local user, and does he belong to the ftp-users group or not?
sajmonn should have ftp-users as his primary group. Otherwise he will log in to /home/ftp-docs/ftp_stuff and will easily navigate into other system directories.

Last edited by openbysource; 12-02-2005 at 08:33 AM.
 
Old 12-02-2005, 08:52 AM   #5
bzolnowski
LQ Newbie
 
Registered: Nov 2005
Location: Killeen, TX
Distribution: Red Hat Enterprise Linux AS
Posts: 5

Original Poster
Rep: Reputation: 0
Continuing

Thanks for the clarification. It worked out this time. Here is what I have for sajmonn in my /etc/passwd

sajmonn:x:501::/var/ftp/pub:/bin/bash

and here is an entry in /etc/group

ftp-users:x:501:sajmonn

When I log in as sajmonn and run the groups command it comes back with

ftp-users

From what I understand sajmonn is a local user and he belongs to ftp-users group.
Let me know if there is anything else I can provide.
I will be waiting for your response.
Thanks a lot for your help.
Thank you.
 
Old 12-03-2005, 10:55 PM   #6
bzolnowski
LQ Newbie
 
Registered: Nov 2005
Location: Killeen, TX
Distribution: Red Hat Enterprise Linux AS
Posts: 5

Original Poster
Rep: Reputation: 0
Now, I finally found out that even though my vsftpd daemon is stopped I can still ftp my linux box using Winscp from Windows (using SFTP on port 22), thus I am assuming that another daemon is taking over priority of serving ftp service over my vsftp. That would explain why chroot would not work. How do I find out what kind of ftp is running on my system by default? Once I get it disabled and vsftp started it should work just fine. Thank you for any suggestions.

Last edited by bzolnowski; 12-03-2005 at 11:09 PM.
 
Old 12-04-2005, 02:27 PM   #7
wym
LQ Newbie
 
Registered: Oct 2005
Location: Toronto
Distribution: Red Hat 8.0
Posts: 26

Rep: Reputation: 15
My vsftp works fine, and it restricts the user's root directory. For your reference, my settings are:

- in /etc/vsftpd.conf
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

- and in /etc/vsftpd.chroot_list, I put in those usernames who are allowed to change their root directory; those who are not in the list cannot change the root directory. My version is vsftpd-1.1.0-1 in Red Hat 8.0. Hope this helps.
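
Added example (not part of any post in this thread): the two chroot settings interact, and the meaning of the list file flips once chroot_local_user=YES is set, as the post above describes. The sketch below works out who ends up jailed for a given vsftpd.conf and list file; the user name otheruser and the temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: will vsftpd chroot a given local user?
# Inputs are a vsftpd.conf and a chroot list file (one username per line).

# conf_get CONF KEY DEFAULT: last uncommented KEY=value wins, else DEFAULT.
conf_get() {
    val=$(awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1")
    printf '%s\n' "${val:-$3}"
}

# is_jailed CONF LIST USER: prints "jailed" or "not jailed".
is_jailed() {
    local_all=$(conf_get "$1" chroot_local_user NO)    # vsftpd default: NO
    use_list=$(conf_get "$1" chroot_list_enable NO)    # vsftpd default: NO
    listed=no
    if [ "$use_list" = YES ] && grep -qxF -- "$3" "$2" 2>/dev/null; then
        listed=yes
    fi
    if [ "$local_all" = YES ]; then
        # Everyone is chrooted; the list now names the exceptions.
        if [ "$listed" = yes ]; then echo "not jailed"; else echo "jailed"; fi
    else
        # Nobody is chrooted unless the list is enabled and names them.
        if [ "$listed" = yes ]; then echo "jailed"; else echo "not jailed"; fi
    fi
}

# Constructed sample data: the two configurations posted in this thread.
demo() {
    d=$(mktemp -d)
    printf 'sajmonn\n' > "$d/list"
    printf 'chroot_list_enable=YES\n' > "$d/list_only.conf"
    printf 'chroot_local_user=YES\nchroot_list_enable=YES\n' > "$d/both.conf"
    for c in list_only both; do
        for u in sajmonn otheruser; do
            printf '%-9s %-9s %s\n' "$c" "$u" \
                "$(is_jailed "$d/$c.conf" "$d/list" "$u")"
        done
    done
    rm -rf "$d"
}
demo
```

A user name that does not match a line of the list file exactly is treated as unlisted, so a misspelt entry leaves that user outside the jail when only chroot_list_enable=YES is set.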
 
Old 12-04-2005, 09:00 PM   #8
openbysource
Member
 
Registered: Oct 2005
Location: Rajasthan
Distribution: RHEL 4 ES
Posts: 66

Rep: Reputation: 15
Hello,

I agree with the other member.
My vsftp is also working fine. I am also able to restrict the users specified in chroot_list to their home directories.
My version of Linux is RedHat Enterprise 4 WS

In case you are enabling any other FTP server, I don't know the method to disable it. You can check by issuing this command as the root user:

#ntsysv

This command lists all the services, whether enabled or disabled. You can check your service here.

Thanks
 
Old 12-05-2005, 03:41 PM   #9
bzolnowski
LQ Newbie
 
Registered: Nov 2005
Location: Killeen, TX
Distribution: Red Hat Enterprise Linux AS
Posts: 5

Original Poster
Rep: Reputation: 0
vsftpd problem

Hi,
Thank you all for the help. I was finally able to get it to work (not 100% but it works). I am able to ftp from the command line and have the users jailed to their directories and it works in the UNIX environment. However, when I use Winscp it still does not work and I do not know why, since it should not make a difference. Because most of the people are using Winscp running on Windows to upload and download files from my server, I am trying to figure out why Winscp would let them run all over the place while it works just fine from the UNIX command line. Does anyone have any suggestions? I really appreciate your help.
Thanks
 
Old 05-07-2007, 01:32 AM   #10
dnar
Member
 
Registered: Feb 2002
Location: Perth, Australia
Distribution: FC5 ::: Coyote ::: SCO Unixware :::
Posts: 201

Rep: Reputation: 30
Quote:
Originally Posted by bzolnowski
Hi,
Thank you all for the help. I was finally able to get it to work (not 100% but it works). I am able to ftp from the command line and have the users jailed to their directories and it works in the UNIX environment. However, when I use Winscp it still does not work and I do not know why, since it should not make a difference. Because most of the people are using Winscp running on Windows to upload and download files from my server, I am trying to figure out why Winscp would let them run all over the place while it works just fine from the UNIX command line. Does anyone have any suggestions? I really appreciate your help.
Thanks

That is because WinSCP is connecting to ssh NOT vsftp... Try stopping vsftp and run WinSCP, it should still work!

You need to create a root jail for ssh and then it will work as you're expecting.
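
Added example (not from the thread): one way to build the ssh jail mentioned above is OpenSSH's ChrootDirectory option, and sshd only accepts a directory whose every path component is root-owned and not writable by group or others, which the chmod 3777 directory from earlier in this thread would not pass. The check below walks a path the same way; OWNER_UID and STOP_AT are hypothetical parameters added so it can be tried on a scratch tree, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: would sshd accept DIR as a ChrootDirectory?
# sshd requires every path component to be a root-owned directory that is
# not writable by group or others. Uses GNU stat (-c), as on Red Hat.

# chroot_path_ok DIR [OWNER_UID] [STOP_AT]
#   OWNER_UID (default 0) and STOP_AT (default /) are hypothetical knobs so
#   the check can be tried on a scratch tree without being root.
chroot_path_ok() {
    p=$1
    want_uid=${2:-0}
    stop=${3:-/}
    while :; do
        if [ ! -d "$p" ]; then
            echo "$p: not a directory"; return 1
        fi
        uid=$(stat -c '%u' "$p")
        mode=$(stat -c '%a' "$p")
        if [ "$uid" != "$want_uid" ]; then
            echo "$p: owned by uid $uid, expected $want_uid"; return 1
        fi
        # 022 (octal) = group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p: mode $mode is group- or world-writable"; return 1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    echo "ok"
}

# Constructed scratch tree mirroring the thread's layout and chmod 3777.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/ftp-docs/ftp_stuff"
    chmod 755 "$t" "$t/ftp-docs" "$t/ftp-docs/ftp_stuff"
    chroot_path_ok "$t/ftp-docs/ftp_stuff" "$(id -u)" "$t"
    chmod 3777 "$t/ftp-docs/ftp_stuff"
    chroot_path_ok "$t/ftp-docs/ftp_stuff" "$(id -u)" "$t" || true
    rm -rf "$t"
}
demo
```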
 
Old 07-23-2011, 02:59 PM   #11
simon.sweetman
Member
 
Registered: Mar 2009
Posts: 32

Rep: Reputation: 22
Sorry to dig up an old post like this, but I've encountered the same issue posted here and have found the resolution.

It was a SELinux issue, I was seeing this in /var/log/messages:

Jul 24 05:40:25 myhost setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from search access on the directory /home.

Solution was to enable allow_ftpd_full_access or ftp_home_dir booleans under SELinux via:

# setsebool -P allow_ftpd_full_access 1
or
# setsebool -P ftp_home_dir 1

The -P makes it permanent, so you can try without that first to ensure it fixes the issue before going permanent.
 
  

