LinuxQuestions.org

Linux Mint forum thread: vsftpd (https://www.linuxquestions.org/questions/linux-mint-84/vsftpd-4175471151/)

fillister 07-27-2013 03:22 PM

vsftpd
 
hello all,

I'm running Nadia and have installed vsftpd through the Software Manager. I have successfully added a user and can log into the FTP server; unfortunately the user has complete access to my computer. If I enable chroot local user and try to log in I get an error "cannot chroot into a writeable directory". My question is: how does one go about finding where the user directory is located? I've searched the root and home directories and just cannot find it.

any help will be greatly appreciated

Thanks

Greg

Z038 07-28-2013 01:28 AM

If you set chroot_local_user=YES in vsftpd.conf, the directory vsftpd puts him in when he connects will be his standard local login home directory. Since that directory is writable by the user, the connection will fail because vsftpd does not allow the root of the chroot jail to be writable by the user. That is why you get the "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" error message.

The solution is to make the root of his chroot jail something other than his normal login directory. You use the local_root directive to do that. For example, if user1 has a home directory at /home/user1, then you could tell vsftpd to make /home his local root, provided he does not have write access to /home. He'd have to change directory into his home directory after connecting.

You could also set up an entirely different directory structure separate from the user's normal login directory, and bind mount his normal home directory on a writable subdirectory of his chrooted local root.

For example, you could create a /home/ftpuser/<username> directory for each user. For user1, create /home/ftpuser/user1. In vsftpd for user1, set local_root=/home/ftpuser/user1. Grant user1 read and execute access, but not write access, to /home/ftpuser/user1 to satisfy the vsftpd local root restriction. Create a directory under /home/ftpuser/user1 called home (i.e., /home/ftpuser/user1/home), and set permissions to 700 to make it writable by user1. Then bind mount the user's normal login home directory on this one.

vsftpd.conf would need to include something like the following:

Code:

# allow local system accounts to log in
local_enable=YES
# permit uploads, deletes and renames
write_enable=YES
# confine every local user to a chroot jail...
chroot_local_user=YES
# ...except the users named in chroot_list_file
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
# consult a user list at login; with userlist_deny=NO it is an allow list
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.user_list
# per-user overrides: one file per username in this directory
user_config_dir=/etc/vsftpd/vsftpd_user_conf

The effect of the above is that only users listed in the userlist_file can log in, all users are chrooted except for those listed as exceptions in the chroot_list_file, and the chroot home for each user is specified in the user's config file under the user_config_dir directory.

/etc/vsftpd/vsftpd.user_list is a list of all the ftp users allowed to log in.

Code:

# cat /etc/vsftpd/vsftpd.user_list
user1
user2
user3

Directory listing of /etc/vsftpd/vsftpd_user_conf shows the config file for each allowed user.

Code:

# ls -l vsftpd_user_conf
-rw-r--r-- 1 root root  29 Dec  5 11:20 user1
-rw-r--r-- 1 root root  24 Dec  5 11:07 user2
-rw-r--r-- 1 root root  27 Dec  4 23:32 user3

The contents of /etc/vsftpd/vsftpd_user_conf/user1, user2, user3 files show the chroot home directory for each.

Code:

# cat vsftpd_user_conf/user1 
local_root=/home/ftpuser/user1
#
# cat vsftpd_user_conf/user2 
local_root=/home/ftpuser/user2
#
# cat vsftpd_user_conf/user3 
local_root=/home/ftpuser/user3

These commands mount the normal login /home/<username> directory on top of the "home" subdirectory under the user's ftp local root.

Code:

mount --bind /home/user1 /home/ftpuser/user1/home
mount --bind /home/user2 /home/ftpuser/user2/home
mount --bind /home/user3 /home/ftpuser/user3/home

Or you could put it in /etc/fstab:

Code:

/home/user1  /home/ftpuser/user1/home  none  defaults,bind  0  0
/home/user2  /home/ftpuser/user2/home  none  defaults,bind  0  0
/home/user3  /home/ftpuser/user3/home  none  defaults,bind  0  0

Now when user1 connects via ftp, his local root will be /home/ftpuser/user1. It is non-writable for him. There will be a home subdirectory that he can cd into, and that will have his normal login home directory bind mounted on it.

I hope that is helpful.
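The post above describes the setup as a sequence of manual steps. Here is the same procedure as one POSIX shell script; it is an added example, not code from the thread or from the vsftpd project. It stages the non-writable per-user root, the writable home mount point beneath it, the per-user config file with local_root, and the user_list entry, and prints the fstab line for the bind mount. Everything not in the post is an assumption made here: the PREFIX variable (so the layout can be rehearsed in a scratch directory before touching /), the function names stage_user, fstab_line and check_local_root, and the check itself, which confirms the staged root is not owned by the user and has no group or other write bit, the conservative condition under which the user cannot write to it. Ownership changes only happen when run as root, and the mount and the vsftpd.conf directives are left exactly as the post gives them.

```shell
#!/bin/sh
# Added example (not from the thread): stage the per-user FTP roots that
# Z038 describes. PREFIX (assumed here, default "/") prepends a staging
# directory so the layout can be checked before it is created for real.

PREFIX="${PREFIX:-/}"
FTP_BASE="/home/ftpuser"
CONF_DIR="/etc/vsftpd/vsftpd_user_conf"
USER_LIST="/etc/vsftpd/vsftpd.user_list"

# Join PREFIX and an absolute path without producing "//".
p() { printf '%s/%s\n' "${PREFIX%/}" "${1#/}"; }

# Create /home/ftpuser/<user> (read+execute only for the user) and the
# /home/ftpuser/<user>/home mount point (700), write the per-user config
# naming that local_root, and add the user to the allow list once.
stage_user() {
    u="$1"
    root_dir="$(p "$FTP_BASE/$u")"
    mkdir -p "$root_dir/home" "$(p "$CONF_DIR")"
    # 755: the user can list and cd into the chroot root but not write to it,
    # which is what vsftpd's writable-root refusal is about.
    chmod 755 "$root_dir"
    # 700 on the mount point; once /home/<user> is bind-mounted over it the
    # mounted directory's own ownership and mode apply instead.
    chmod 700 "$root_dir/home"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$root_dir"
        if id "$u" >/dev/null 2>&1; then
            chown "$u" "$root_dir/home"
        fi
    fi
    printf 'local_root=%s/%s\n' "$FTP_BASE" "$u" > "$(p "$CONF_DIR/$u")"
    list="$(p "$USER_LIST")"
    touch "$list"
    grep -qx "$u" "$list" || printf '%s\n' "$u" >> "$list"
}

# The /etc/fstab line that mounts /home/<user> over the ftp root's home subdir.
fstab_line() {
    printf '/home/%s  %s/%s/home  none  defaults,bind  0  0\n' "$1" "$FTP_BASE" "$1"
}

# Return 0 when the staged root cannot be written by the user: it exists, is
# owned by someone else, and carries no group or other write bit.
# Parses `ls -ld` (POSIX columns) rather than GNU-only `stat -c`.
check_local_root() {
    u="$1"
    root_dir="$(p "$FTP_BASE/$u")"
    [ -d "$root_dir" ] || return 1
    entry="$(ls -ld "$root_dir")"
    owner="$(printf '%s\n' "$entry" | awk '{print $3}')"
    perm="$(printf '%s\n' "$entry" | cut -c1-10)"
    [ "$owner" != "$u" ] || return 1
    case "$perm" in
        d????-??-?) return 0 ;;   # group 'w' (col 6) and other 'w' (col 9) clear
        *) return 1 ;;
    esac
}

# Usage (as root, for real): sh stage_ftp_roots.sh user1 user2 user3
# Rehearsal:                  PREFIX=/tmp/stage sh stage_ftp_roots.sh user1
if [ "$#" -gt 0 ]; then
    for u in "$@"; do
        stage_user "$u"
        check_local_root "$u" || { echo "local root for $u is writable" >&2; exit 1; }
        fstab_line "$u"
    done
fi
```

After running it as root, append the printed fstab lines to /etc/fstab and run `mount -a` (or the `mount --bind` commands from the post), then keep the vsftpd.conf directives shown above; the script deliberately does not mount anything or edit vsftpd.conf. If check_local_root fails for a user after a manual chmod or chown, that is the same condition that produces the "refusing to run with writable root inside chroot()" refusal, caught before the FTP login attempt.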

ukiuki 07-28-2013 03:44 AM

You do not need chroot enabled to be able to log in to your user directory; all you need is to add this to the end of vsftpd.conf:

Code:

tilde_user_enable=YES

Also, it is a good thing to read the manual!

Code:

$ man vsftpd

Regards

fillister 07-29-2013 08:55 AM

Thanks Z038 and ukiuki for your help. It will be a few days before I can try out your suggestions.

Greg
