chroot not working.
ok i have tryed what is on this thread. http://www.linuxquestions.org/questi...961#post293961
but it will not work. all i want is to make it where one user cannot get to any other dir but its home dir. I have looked all over the man pages but i cant get it to work. i tryed chroot account /dir but that dont work. i am clueless. I tryed looking threw the search but i cant find anything except that thread and i cant seem to get it to work. |
what's the error?
did you build a filesystem for the user? in other words if you do chroot /foldername there must be a filesystem in /foldername |
Quote:
There is no error. It just dont work. such as if i login to the account it will not make it stay in its root dir. /ftp-data/church It still has the ftp-data dir in the dir tree and i can view the whole tree. i want the account to not be able to see /ftp-data at all just the /church dir. Dont have a clue what a filesystem is :). |
what do you have specified as the DefaultRoot for the ftp?
|
Quote:
# Example config file /etc/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=YES # # Uncomment this to allow local users to log in. #local_enable=YES # # Uncomment this to enable any form of FTP write command. #write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) #local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format #xferlog_std_format=YES # # You may change the default value for timing out an idle session. # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that turning on ascii_download_enable enables malicious remote parties # to consume your I/O resources, by issuing the command "SIZE /big/file" in # ASCII mode. # These ASCII options are split into upload and download because you may wish # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking), # without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be # on the client anyway.. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd.banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). #chroot_list_enable=no # (default follows) #chroot_list_file=/etc/vsftpd.chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES listen=YES |
Quote:
I went into vsftpd.conf looked for this. chroot_list_enable=yes chroot_list_file=/etc/vsftpd.chroot_list said ok that looks fine. i then went into the /etc dir and made a file named /etc/vsftpd.chroot_list i add the account name to this file. restarted the vsftpd service and nothing happend. |
Quote:
UPDATE: I found out that if i change my ftp data connection mode to active mode it works perfectly. Now only thing i have to do is figure out this chroot. |
ummm still having this problem any takers?
|
I hate to keep bumping this up but i have been working on this for like 2 days and still cant figure it out. Anyone?
|
Active mode is insecure, because this asks the server to set up a connection with the remote host. Not a big deal with Vsftpd, but you shouldn't open up security holes unnecessarily if you can avoid it. Go for passive mode. Firewall-wise speaking this means allowing initiating and related traffic from any remote address+unprivileged port to TCP/21, plus allowing initiating and related traffic from any remote address+unprivileged port to TCP/unprivileged ports (port range specified in the vsftpd.conf).
To allow a specific user chrooted access in general involves 4 files: 1 PAM config, 2 PAM login database files (text and db made with the db_load command) and the vsftpd.conf. You should read the Vsftpd docs that came with the installation because the /usrc/share/doc/vsftp/EXAMPLE/VIRTUAL_USERS/ dir contains an example you can use easily. A few notes. Disable "anonymous_enable=YES" and uncomment "local_enable=YES" and "chroot_local_user=YES". Read the example dir I mentioned. If you set "chroot_local_user=YES", then you can comment out the "chroot_list" stuff as it will chroot any user mentioned in the login.db. Users not in the login.db are denied access. HTH |
All times are GMT -5. The time now is 04:04 AM. |