LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 07-30-2009, 03:18 PM   #1
jim.thornton
Member
 
Registered: May 2007
Posts: 430

Rep: Reputation: 19
ProFTPd config question?


I'm following this guide to set up my server:

However, the DefaultRoot suggestion in the guide is:

DefaultRoot ~

But the config file has:

DefaultRoot ~ !adm

I was wondering if the latter is more secure. I installed version 1.3.2 instead of 1.3.1 and I wasn't sure if this is maybe a new security thing.

Can someone please advise what the differences are between these two lines and which one I should use?
 
Old 07-31-2009, 06:45 PM   #2
Suncoast
Member
 
Registered: Apr 2009
Location: Largo, Florida
Distribution: Slackware
Posts: 208

Rep: Reputation: 35
With ProFTPD the exclamation means "not."

Your example will play out as: Lock everyone into their home directory except members of group adm.

The most secure method would be DefaultRoot ~ which is without an admin group bypass, which would lock everyone into their home folders including admin group members.


Code:
<VirtualHost 192.168.10.21>
DefaultRoot / wheel
DefaultRoot ~ users
DefaultRoot ~/../../.. site-admin
DefaultRoot ~ !site-admin
DefaultChdir /ftp
</VirtualHost>
The first DefaultRoot says group wheel members default to system root with the "/" character. (This has a different effect in older versions, and it's the reason I had to edit this post.)

With the second DefaultRoot, when a user logs in that is a member of group users, they will default to /home/username. This will be their root, meaning they can't cd .. into a lower directory.

The third DefaultRoot says Site-admin group members are allowed to drop down below their default directory three levels, which is usually system root.

The fourth DefaultRoot directive also states with the tilde "~" and exclamation point "!" that members of group site-admin are NOT locked into their ftp root directory.

The last directive DefaultChdir says: If /home/username has a subdirectory named ftp, then default to /home/username/ftp. The user can still cd .. down one level.

These directives will work as global defaults or virtualhost settings.

Hope that explains it.

Last edited by Suncoast; 07-31-2009 at 07:36 PM.
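
The following is an added example, not part of the post above and not ProFTPD code: a small Python model of how one ordered list of DefaultRoot lines resolves for a user, useful for auditing who ends up outside their home directory. It assumes ProFTPD's documented first-match ordering and comma-separated AND group-expressions; the function names and sample users are made up for illustration.

```python
# Added example (not from the thread). Assumed ProFTPD behaviour: DefaultRoot
# lines in one context are checked in order and the first match wins; a
# group-expression is a comma-separated AND list; no match means no chroot.

def parse_default_roots(config_text):
    """Return [(directory, [group terms])], one entry per DefaultRoot line."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "defaultroot":
            terms = [t for t in "".join(parts[2:]).split(",") if t]
            rules.append((parts[1], terms))
    return rules

def expr_matches(terms, groups):
    """Every term must hold; an empty expression applies to everyone."""
    for term in terms:
        if term.startswith("!"):
            if term[1:] in groups:
                return False
        elif term not in groups:
            return False
    return True

def effective_root(rules, groups):
    """Directory of the first matching rule, or None (no chroot)."""
    for directory, terms in rules:
        if expr_matches(terms, groups):
            return directory
    return None

def audit(rules, users):
    """Map user -> (root, confined); confined = jailed at or below ~."""
    report = {}
    for name, groups in users.items():
        root = effective_root(rules, set(groups))
        confined = root is not None and root.startswith("~") and ".." not in root
        report[name] = (root, confined)
    return report
# Constructed sample: the four DefaultRoot lines from the post, made-up users.
SAMPLE = """DefaultRoot / wheel
DefaultRoot ~ users
DefaultRoot ~/../../.. site-admin
DefaultRoot ~ !site-admin"""
USERS = {"alice": ["users"], "bob": ["wheel", "users"], "carol": ["site-admin"],
         "dave": ["guests"], "erin": ["users", "site-admin"]}

if __name__ == "__main__":
    for user, (root, confined) in audit(parse_default_roots(SAMPLE), USERS).items():
        print(f"{user:6} root={root!s:12} confined={confined}")
```

Under these assumptions, a user in both users and site-admin (erin) is confined to ~ because the earlier line matches first, and with only `DefaultRoot ~ !adm` a member of adm matches no line and is not chrooted.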
 
Old 07-31-2009, 09:35 PM   #3
jim.thornton
Member
 
Registered: May 2007
Posts: 430

Original Poster
Rep: Reputation: 19
Thank you so much.

So are you suggesting to set up the virtual host this way as well as DefaultRoot ~ or just the latter?
 
Old 08-01-2009, 11:10 AM   #4
Suncoast
Member
 
Registered: Apr 2009
Location: Largo, Florida
Distribution: Slackware
Posts: 208

Rep: Reputation: 35
If I were setting up the ftp server with virtual hosts, I would use the "DefaultRoot ~" in global settings, and also in each virtualhost container. But I have not security tested this to confirm the global directive will apply to a virtual host container.

For example, I have not personally tested this -
Code:
DefaultRoot ~

<VirtualHost 1.2.3.1>
  DefaultRoot / adm
</VirtualHost>
The virtual host does not have a default rule that would apply to any group including the users group. So does the global setting apply? It should. But as I said, I have not confirmed this.

The following is how I set it up. Only one virtual host has admin access.
Code:
DefaultRoot ~

<VirtualHost 1.2.3.1>
  DefaultRoot / adm
  DefaultRoot ~ !adm
</VirtualHost>
<VirtualHost 1.2.3.2>
  DefaultRoot ~
</VirtualHost>
 
  

