LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 03-02-2011, 07:18 PM   #1
amonamarth
Member
 
Registered: Dec 2009
Location: Los Angeles
Distribution: Fedora, CentOS, RHEL
Posts: 59

Rep: Reputation: 17
vsftpd chrooting users that have been jailed into /home/jail/home/$username.


System details:

RHEL 4.5
openssh-3.9p1-8.RHEL4.20.src.rpm
vsftpd-2.0.1-6.el4.src.rpm

This is an FTP server, all users have been jailed to '/home/jail/home/$username', using Wolfgang Fuschlberger's script: http://www.fuschlberger.net/programs...p-chroot-jail/

The users connect via SFTP; however, they are able to cd up to '/home/jailed/' so I decided to also chroot them into their home directories, to prohibit them from cding up from '/home/jail/home/$username'.
Snippet of my /etc/vsftpd/vsftpd.conf containing relevant directives regarding chroot:

chroot_list_enable=YES
chroot_local_user=NO
chroot_list_file=/etc/vsftpd.chroot_list

This is supposed to chroot users into their home. However I wasn't seeing any changes upon reloading the vsftpd daemon. I made the changes a few times and nothing ... things were still the same; although users were jailed, they were not being chrooted; they could still cd up to '/home/jail/'. Eventually I noticed, by pure accident, that I could still connect to the FTP server even when vsftpd was stopped!!
I was baffled!

I found this directive in my /etc/ssh/sshd_config:
Subsystem sftp /usr/libexec/openssh/sftp-server

Question:
- Does it mean that openssh is directly handling SFTP connections?
 
Old 03-03-2011, 11:52 AM   #2
amonamarth
Member
 
Registered: Dec 2009
Location: Los Angeles
Distribution: Fedora, CentOS, RHEL
Posts: 59

Original Poster
Rep: Reputation: 17
I'll answer my own question
Had a chance to do some testing last night on a non-production box, running CentOS, in which vsftpd wasn't even installed ...
... and yes, it still works without an FTP daemon.

So the question now is:
- How to enable chroot for users logging in via SFTP?
 
Old 03-13-2011, 03:28 AM   #3
jnavar3
LQ Newbie
 
Registered: Mar 2011
Posts: 3

Rep: Reputation: 0
I got vsftp jail to /home/user directory working, finally!

I was trying to set up vsftp in my Fedora 12 desktop and figured it wasn't easy anymore even after carefully reading and following the how-to step-by-step with this vsftpd.conf:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
passwd_chroot_enable=YES
pasv_max_port=1024
#local_root=/var/ftp/pub

and tried...:

[root@localhost ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:jimbo):
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/jimbo
Login failed.

I never stopped looking via Google and found this trick by restarting vsftpd (as root: service vsftpd restart)...

getsebool -a | grep ftp

It RETURNS this...:

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
sftp_enable_homedirs --> off
sftpd_anon_write --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off

where "ftp_home_dir" is "off"

So, I used setsebool...:

setsebool -P ftp_home_dir on

And voila, it finally works!

[root@localhost ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:jimbo):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/jimbo"
 
Old 03-21-2011, 03:27 PM   #4
amonamarth
Member
 
Registered: Dec 2009
Location: Los Angeles
Distribution: Fedora, CentOS, RHEL
Posts: 59

Original Poster
Rep: Reputation: 17
jnavar3:

Thanks for your post. I got that to work ok, never had your troubles since I had SE disabled. What I'm trying to do is chroot users while using SFTP, not FTP.
The problem is that when you connect via SFTP, vsftpd is NOT used at all, in fact, I found that it doesn't even need to be running. The ftp connection is 100% handled by OpenSSH, not VSFTP. Hence the problem: can't use configuration via /etc/vsftpd.conf to configure this.

Found this way of doing it, I have not tested it yet; it uses the "ChrootDirectory" directive in /etc/ssh/sshd_config.
http://www.techrepublic.com/blog/ope...irectories/229

Last edited by amonamarth; 03-21-2011 at 06:41 PM.
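An added example for the ChrootDirectory approach post #4 points at; this is not code from the thread or from OpenSSH. sshd only honours a ChrootDirectory whose every path component, from the jail up to /, is owned by root and not group- or world-writable, and the directive needs OpenSSH 4.9 or later, so the openssh-3.9p1 listed in post #1 cannot use it at all. The function names, the optional TOP argument and the dependency on GNU stat(1) are this example's own assumptions.

```shell
#!/bin/sh
# Added example for the thread (not OpenSSH code): verify that a directory can
# serve as sshd's ChrootDirectory. sshd requires every component of the path,
# from the jail up to /, to be owned by root and not writable by group or
# others; otherwise the login fails with "bad ownership or modes for chroot".
# Assumes GNU stat(1) (-c), as shipped on RHEL/CentOS/Fedora.

# check_component DIR [UID]: succeed only if DIR is owned by UID (default 0,
# root) and its mode grants no write bit to group or others.
check_component() {
    dir=$1; want_uid=${2:-0}
    owner=$(stat -c '%u' "$dir" 2>/dev/null) || return 1
    mode=$(stat -c '%A' "$dir")              # symbolic mode, e.g. drwxr-xr-x
    if [ "$owner" != "$want_uid" ]; then
        echo "$dir: owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    case $mode in
        # char 6 is the group write bit, char 9 the other write bit
        ?????w*|????????w*)
            echo "$dir: writable by group or others ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [UID] [TOP]: walk from PATH up to TOP (default /),
# applying check_component at each level. TOP exists so the check can be
# exercised under a scratch tree; for a real jail leave it at /.
check_chroot_path() {
    path=$1; want_uid=${2:-0}; top=${3:-/}
    [ -d "$path" ] || { echo "$path: not a directory" >&2; return 1; }
    dir=$path
    while :; do
        check_component "$dir" "$want_uid" || return 1
        [ "$dir" = "$top" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Typical use, with the matching sshd_config (OpenSSH 4.9 or later) being:
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory /home/jail/home/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
# [ "$(id -u)" -eq 0 ] && check_chroot_path /home/jail/home/alice
```

Run it as root against the real jail path before restarting sshd; a non-zero exit names the first offending directory on stderr.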
 
Old 07-09-2011, 06:29 PM   #5
prh47
LQ Newbie
 
Registered: Jun 2011
Posts: 6

Rep: Reputation: 2
Thanks!

jnavar3... voila for me, too! A puzzle solved. I need to learn SELinux.
 