vsftpd chrooting users that have been jailed into /home/jail/home/$username.
System details:
RHEL 4.5, openssh-3.9p1-8.RHEL4.20.src.rpm, vsftpd-2.0.1-6.el4.src.rpm

This is an FTP server; all users have been jailed to '/home/jail/home/$username' using Wolfgang Fuschlberger's script: http://www.fuschlberger.net/programs...p-chroot-jail/

The users connect via SFTP; however, they are able to cd up to '/home/jail/', so I decided to also chroot them into their home directories, to prohibit them from cding up from '/home/jail/home/$username'.

Snippet of my /etc/vsftpd/vsftpd.conf containing the relevant directives regarding chroot:

    chroot_list_enable=YES
    chroot_local_user=NO
    chroot_list_file=/etc/vsftpd.chroot_list

This is supposed to chroot users into their home. However, I wasn't seeing any changes upon reloading the vsftpd daemon. I made the changes a few times and nothing... things were still the same; although users were jailed, they were not being chrooted; they could still cd up to '/home/jail/'.

Eventually I noticed, by pure accident, that I could still connect to the FTP server even when vsftpd was stopped!! I was baffled! I found this directive in my /etc/ssh/sshd_config:

    Subsystem sftp /usr/libexec/openssh/sftp-server

Question:
- Does it mean that openssh is directly handling SFTP connections?
I'll answer my own question :)
Had a chance to do some testing last night on a non-production box, running CentOS, in which vsftpd wasn't even installed... and yes, it still works without an FTP daemon.

So the question now is:
- How to enable chroot for users logging in via SFTP?
I got the vsftp jail to the /home/user directory working, finally!
I was trying to set up vsftp on my Fedora 12 desktop and figured it wasn't easy anymore, even after carefully reading and following the how-to step by step with this vsftpd.conf:

    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    chroot_local_user=YES
    chroot_list_enable=YES
    listen=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    passwd_chroot_enable=YES
    pasv_max_port=1024
    #local_root=/var/ftp/pub

and tried...:

    [root@localhost ~]# ftp 127.0.0.1
    Connected to 127.0.0.1 (127.0.0.1).
    220 (vsFTPd 2.2.2)
    Name (127.0.0.1:jimbo):
    331 Please specify the password.
    Password:
    500 OOPS: cannot change directory:/home/jimbo
    Login failed.

I never stopped looking via Google and found this trick, after restarting vsftpd (as root: service vsftpd restart)...

    getsebool -a | grep ftp

It RETURNS this...:

    allow_ftpd_anon_write --> off
    allow_ftpd_full_access --> off
    allow_ftpd_use_cifs --> off
    allow_ftpd_use_nfs --> off
    ftp_home_dir --> off
    ftpd_connect_db --> off
    httpd_enable_ftp_server --> off
    sftp_enable_homedirs --> off
    sftpd_anon_write --> off
    sftpd_full_access --> off
    sftpd_write_ssh_home --> off
    tftp_anon_write --> off

where "ftp_home_dir" is "off". So, I used setsebool...:

    setsebool -P ftp_home_dir on

And voila, it finally works!

    [root@localhost ~]# ftp 127.0.0.1
    Connected to 127.0.0.1 (127.0.0.1).
    220 (vsFTPd 2.2.2)
    Name (127.0.0.1:jimbo):
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/home/jimbo"
jnavar3:
Thanks for your post. I got that to work OK; I never had your troubles since I had SELinux disabled.

What I'm trying to do is chroot users while using SFTP, not FTP. The problem is that when you connect via SFTP, vsftpd is NOT used at all; in fact, I found that it doesn't even need to be running. The connection is 100% handled by OpenSSH, not vsftpd. Hence the problem: I can't use the configuration in /etc/vsftpd.conf to set this up.

I found this way of doing it, which I have not tested yet; it uses the "ChrootDirectory" directive in /etc/ssh/sshd_config: http://www.techrepublic.com/blog/ope...irectories/229
Thanks!
jnavar3... voila for me, too! A puzzle solved. I need to learn SELinux.