vsftpd chroot

netaccs · 12-07-2018, 03:06 AM

Netgear stora NAS Linux axentraserver.get.mystora.com 2.6.22.18-Netgear #16 Sun Jun 13 19:54:46 EDT 2010 armv5tejl armv5tejl armv5tejl GNU/Linux
I think is Debian, but not sure. There is installed vfftpd on it.
I have user called "niki" which I use to access ftp.

Code:

id niki
uid=502(niki) gid=503(niki) groups=503(niki),100(users),501(admins)

etc/passwd
niki:x:502:503::/home/niki:/bin/bash

ll /home/ |grep niki
drwxr-s---  3 niki            www               85 Mar 21  2018 

ll /home/niki/
drwsrws--- 11 niki www   119 Nov 27 22:38 storage

ll /home/niki/storage/
drwxrwxr-x  9 niki www 4.0K Dec  6 16:27 Video

This is vsftpd.conf

Code:

vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=007
#chroot_list_enable=YES
#chroot_local_user=NO
#user_config_dir=/etc/vsftpd/vsftpd_user_conf
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
charset_filter_enable=YES
charset_client=UTF-8
charset_server=UTF-8
force_local_data_ssl=NO
force_local_logins_ssl=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
pasv_max_port=50100
pasv_min_port=50000
pasv_enable=YES
port_enable=YES
ssl_enable=YES

How to disable chrooting? With current configuration I can make up and browse everything.

Thanks in advance !

vsukt · 12-07-2018, 04:57 AM

Quote:

Originally Posted by netaccs

How to disable chrooting? With current configuration I can make up and browse everything.

Hi, It should work as chroot disabled as per configuration. Try uncommenting #chroot_local_user=NO and restart the service.

netaccs · 12-07-2018, 05:09 AM

I try that, but still can chroot. Also tried "chroot_list_enable=YES"
in "chroot_list_file=/etc/vsftpd/chroot_list" enter my user and also try with empty file.
Everytime restarting vsftpd using init.d/ and restarting filezila ftp client.

netaccs · 12-13-2018, 08:04 AM

Any other idea?

bathory · 12-13-2018, 08:36 AM

Quote:

Originally Posted by netaccs

Any other idea?

You need just

Code:

chroot_local_user=YES

Comment out the 2 "chroot_list_*" options

netaccs · 12-13-2018, 08:49 AM

When trying this:
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list (file is empty or contains just one user)

ftp client got error:
Status: Retrieving directory listing of "/storage"...
Command: CWD storage
Response: 550 Failed to change directory.
Error: Failed to retrieve directory listing

bathory · 12-13-2018, 04:50 PM

Quote:

Originally Posted by netaccs

When trying this:
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list (file is empty or contains just one user)

ftp client got error:
Status: Retrieving directory listing of "/storage"...
Command: CWD storage
Response: 550 Failed to change directory.
Error: Failed to retrieve directory listing

The directories must have 755 permissions in order to be searchable

netaccs · 12-14-2018, 01:36 AM

With 775 and 755 I got

Code:

Status:	Retrieving directory listing of "/"...
Command:	CWD /
Error:	Connection closed by server
Error:	Failed to retrieve directory listing

Also trying with my user into vsftpd.chroot.list or empty file.

drwxrwxr-x 3 niki www 85 Mar 21 2018 niki
drwxrwxr-x 11 niki www 119 Nov 27 22:38 storage

Can't find how to enable logging of vsftpd

bathory · 12-14-2018, 02:15 AM

Quote:

Originally Posted by netaccs

With 775 and 755 I got

Code:

Status:	Retrieving directory listing of "/"...
Command:	CWD /
Error:	Connection closed by server
Error:	Failed to retrieve directory listing

Also trying with my user into vsftpd.chroot.list or empty file.

drwxrwxr-x 3 niki www 85 Mar 21 2018 niki
drwxrwxr-x 11 niki www 119 Nov 27 22:38 storage

Can't find how to enable logging of vsftpd

Try this (esp. use: log_ftp_protocol=YES)

netaccs · 12-14-2018, 07:03 AM

First I make touch /var/log/vsftpd.log, then add this to vsftpd.conf
log_ftp_protocol=YES
xferlog_std_format=YES (also with xferlog_std_format=NO)
but still vsftpd.log is empty.

bathory · 12-14-2018, 07:55 AM

Quote:

Originally Posted by netaccs

First I make touch /var/log/vsftpd.log, then add this to vsftpd.conf
log_ftp_protocol=YES
xferlog_std_format=YES (also with xferlog_std_format=NO)
but still vsftpd.log is empty.

In order to log the full ftp session you need to set

Code:

xferlog_std_format=NO

Perhaps you have to also disable tcp_wrappers (set tcp_wrappers=NO, or comment out the option)

netaccs · 12-14-2018, 09:01 AM

Still same. I put 775 on vsftpd.log file
-rwxrwxr-x 1 root root 0 Dec 14 11:11 vsftpd.log

There is current config, am I wrong something?

Code:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=007
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
log_ftp_protocol=YES
xferlog_std_format=NO
listen=YES
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
#tcp_wrappers=YES
tcp_wrappers=NO
charset_filter_enable=YES
charset_client=UTF-8
charset_server=UTF-8
force_local_data_ssl=NO
force_local_logins_ssl=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
pasv_max_port=50100
pasv_min_port=50000
pasv_enable=YES
port_enable=YES
ssl_enable=YES

bathory · 12-14-2018, 05:23 PM

Quote:

Originally Posted by netaccs

Still same. I put 775 on vsftpd.log file
-rwxrwxr-x 1 root root 0 Dec 14 11:11 vsftpd.log

There is current config, am I wrong something?

Code:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=007
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
log_ftp_protocol=YES
xferlog_std_format=NO
listen=YES
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
#tcp_wrappers=YES
tcp_wrappers=NO
charset_filter_enable=YES
charset_client=UTF-8
charset_server=UTF-8
force_local_data_ssl=NO
force_local_logins_ssl=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
pasv_max_port=50100
pasv_min_port=50000
pasv_enable=YES
port_enable=YES
ssl_enable=YES

Are you sure vsftpd is running? Can you connect from localhost?
Is vsftpd patched in order to use the charset_* options?

I suggest you to ditch your config file and read this howto (if you're running debian, or find one for your distro).
Start without the SSL/TLS stuff and if it works, go ahead and configure the secure part (step 6).

netaccs · 12-15-2018, 01:14 AM

It is working ot nas (Netgear stora) and it is some limited linux edition. No "apt" and other commands.
May be some other trick for chrooting?

bathory · 12-15-2018, 08:37 AM

Quote:

Originally Posted by netaccs

It is working ot nas (Netgear stora) and it is some limited linux edition. No "apt" and other commands.
May be some other trick for chrooting?

You're supposed to use the link above just to configure vsftpd.
No need to use apt or anything else since vsftpd is already installed.