vsftpd and chroot_local_user / issue with linked directory

blizunt7 · 08-19-2007, 03:01 PM

Hey all,
I have my users when they log in, loggin into:

Code:

/home/ftp/user

Within each user folder is a symbolic link to a directory below the users home:

Code:

/home/ftp/www/user_web

as such:

Code:

[root@ftp1 user]$pwd
/home/ftp/user
[root@ftp1 user]$ls -l
total 4
drwxrwxr-x  3 userguest     userguest     4096 Aug 19 14:53 client_ftp
lrwxrwxrwx  1 user user   23 Aug 19 15:40 user_web -> ../www/user_web/

I add in vsftpd.conf the directive:

Code:

chroot_local_user=YES

so that users cant "cd" to higher directories, and see the contents of other directories. HOWEVER when i did this, the directory that i have an a symbolic link failed to work, as it is a directory level higher.

What can I do to prevent users from seeing directories higher "cd ..", but at the same time, allow access to a SINGLE directory via the link??

THanks so much!

ilikejam · 08-19-2007, 04:01 PM

Hi.

It's a short answer: You can't.

If a user is chroot'ed, then they can only see files below the jail directory. Links which point outside the jail won't be traversable.

It might be easier to reverse the link, so that the content exists in the jail, and is linked to from outside.

Dave

blizunt7 · 08-19-2007, 04:10 PM

I was afraid of that.

Thanks

jeenam · 08-20-2007, 11:18 AM

There are two ways to work around your problem.

1) Use aufs to create a 'union' mount (http://aufs.sourceforge.net/)

2) Use a 'bind' mount (http://aplawrence.com/Linux/mount_bind.html)

Personally I use an aufs implementation, though bind mounting should work. aufs allows filesystems to be overlayed on top of one another which is an easy way to combine the contents of multiple directories into one single directory. 'bind' mounting simply allows a directory to be mounted at another location in the filesystem.

Both will work to accomodate your jail scenario.

::There is hope::