LinuxQuestions.org - vsftpd problem

- Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)

- - vsftpd problem (https://www.linuxquestions.org/questions/linux-server-73/vsftpd-problem-682578/)

Hello,

I Googled a lot for vsftpd but I found no solution for my problem.
I have OpenSuSe 10.3 x86 version installed.
I have enabled vsftpd from network services.
As of now FTP is accesible from outside world.
I create new users and make them FTP user.
Problem is users are able to browse system folders.
I want users to see only there /home dir when they log in to FTP.
How can I restrict user's from being able to see other dir's?

Regards,
Amey.

You want to 'chroot' users to their home directory, so add the following to the vsftpd.conf file (it may be located in /etc/vsftpd/):

Code:

chroot_local_user=YES

The complete list of vsftpd configuration options are in a man page. At a command prompt use:

Code:

man vsftpd.conf

Find in vsftpd.conf and change Chroot_local_user=yes

hi,
open vsftpd.conf and find
chroot_local_user=??? -> change to chroot_local_user=yes

it wil solve to move the users other directories of your / and it will secure it.

thanks.

Thanks to both of you for quick reply.
I verified that chroot_local_user = YES command is there.
I have also created vsftpd.chroot_list txt and added 1 user in it.
restarted vsftps service from konsole.

Checked by connecting using File Zilla FTP client but still that user can see all system folder's.
Whats wrong with my config? :(

I see local_root=/srv/ftp command at the end of vsftpd.conf file. Shall I change the path to /home ?

UPDATE Issue solved :D

I didn't make change in chroot_local_user file which is located at bottom side in the vsftpd.conffile.

I was trying to configure above file in description tab. Silly me.
I read whole vsftpd.conf file by taking print out of it.
And I realized I must edit chroot_local_user in the ACL's which are available when we scroll the config file 100%
It's working now.
I have changed local_path from srv_ftp to /home

Thanks for help! :)

Now 1 problem still with me.
I have changed local_path to /home
I dont want users to exaplorer each others profile.
For that restriction what should I do?
Currently user's only see /home dir but all users under /home and there dir's are visible.
Any hint?

Thanks,
AMey.

Anybody can help me with security boundaries for vsftpd ?

chroot jail vsftpd

Hi ,

you need to edit /etc/vsftpd/vsftpd.conf
and add 3 lines.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

now create blank vsftpd.chroot_list inside /etc directory with -rw-r--r-- permission.

e.g:- cd /etc
touch vsftpd.chroot_list

Hope it will help you.

Best of luck ......

Regards
KB

Quote:

Originally Posted by Koushik Biswas (Post 3339396)

I did that yesterday only.
Whats next?
If I log in using ftp user, he can still see rest user's names in /home dir and he can explorer and can read file names how ever downloading operation failed.

I dont want user to be able to see other folder than his /home profile and empty space.

What should I do to enable that security option?

Regards,
Amey.

I think your problem is the /home. The reason I say that is you previously said "I have changed local_path to /home". So you are seeing what you are supposed to, but nto what you want. Have you tried setting local_path to /home/$USER ?

Quote:

Originally Posted by koflanagan (Post 3339920)

Thanks for quick reply.
I tried to put /home/$USER in vsftpd.conf and restarted vsftpd server.
Tried to connect using client.
It's throwing following error message > 500 OOPS: cannot change directory:/home/$USER

Any other way?

Regards,
Amey.

Quote:

chroot_local_user=YES
chroot_list_enable=YES

These two lines are conflicting. I would remove the second one and leave the first one.

Then make sure that /etc/vsftps.chroot_list is empty - to start with, as this only works with a valid chroot() directory
Then comment out the local_root line.
It WILL work, but just incase it does not, I am posting my /etc/vsftpd.conf:

Quote:

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to DARKSTAR FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES

# Chris inserted the following three lines. Note that the local_root is
# important as otherwise the /etc/vfstpd.chroot_list is ignored
chroot_local_user=YES
# local_root=/home

# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
#
# To run vsftpd in standalone mode (rather than through inetd), uncomment
# the line below.
#listen=YES

Quote:

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# If you do not change anything here you will have a minimum setup for an
# anonymus FTP server.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.

# General Settings
#
# Uncomment this to enable any form of FTP write command.
#
#write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
#
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#
#nopriv_user=ftpsecure
#
# You may fully customise the login banner string:
#
#ftpd_banner="Welcome to FOOBAR FTP service."
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#
#ls_recurse_enable=YES
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#
#deny_email_enable=YES
#
# (default follows)
#
#banned_email_file=/etc/vsftpd.banned_emails
#
# If enabled, all user and group information in
# directory listings will be displayed as "ftp".
#
#hide_ids=YES

# Local FTP user Settings
#
# Uncomment this to allow local users to log in.
#
#local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#
#local_umask=022
#
# Uncomment to put local users in a chroot() jail in their home directory
# after login.
#
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#
#
# (default follows)
#
#chroot_list_file=/etc/vsftpd.chroot_list
#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#
#local_max_rate=7200

# Anonymus FTP user Settings
#
# Allow anonymous FTP?
#
anonymous_enable=NO
#
# Anonymous users will only be allowed to download files which are
# world readable.
#
anon_world_readable_only=YES
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#
#anon_upload_enable=YES
#
# Default umask for anonymus users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#
#anon_umask=022
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#
#anon_mkdir_write_enable=YES
#
# Uncomment this to enable anonymus FTP users to perform other write operations
# like deletion and renaming.
#
#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#
#chown_uploads=YES
#chown_username=whoever
#
# The maximum data transfer rate permitted, in bytes per second, for anonymous
# authenticated users. The default is 0 (unlimited).
#
#anon_max_rate=7200

# Log Settings
#
# Log to the syslog daemon instead of using an logfile.
#
syslog_enable=YES
#
# Uncomment this to log all FTP requests and responses.
#
#log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
#
#xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
#vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note: This disables the normal logging unless you enable dual_log_enable below.
#
#xferlog_std_format=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
#xferlog_file=/var/log/xferlog
#
# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log.
#
#dual_log_enable=YES
#
# Uncomment this to enable session status information in the system process listing.
#
#setproctitle_enable=YES

# Transfer Settings
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
#
connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
#
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# Set to NO if you want to disallow the PASV method of obtaining a data
# connection.
#
#pasv_enable=NO

# PAM setting. Do NOT change this unless you know what you do!
#
pam_service_name=vsftpd

# Set listen=YES if you want vsftpd to run standalone
#
listen=YES

# Set to ssl_enable=YES if you want to enable SSL
ssl_enable=NO
anon_mkdir_write_enable=NO
anon_upload_enable=NO
chroot_local_user=YES
ftpd_banner=Welcome to FTP server!
idle_session_timeout=900
local_enable=YES
log_ftp_protocol=NO
max_clients=10
max_per_ip=3
pasv_enable=YES
pasv_max_port=40500
pasv_min_port=40000
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
write_enable=YES
local_root=/home

ABove is my vsftpd config file. I dont see any difference while comparing to your's but still same problem. :(

Make a backup of your /etc/vsftpd.conf,
then overwrite with mine.
then add the following lines:

Quote:

# PAM setting. Do NOT change this unless you know what you do!
#
pam_service_name=vsftpd

Then restart

Quote:

Originally Posted by ChrisAbela (Post 3340367)

Make a backup of your /etc/vsftpd.conf,
then overwrite with mine.
then add the following lines:

Then restart

My bad luck. It's now throwing new error after replacing your file.

Quote:

ftpserver:~ # service vsftpd start
Starting vsftpd startproc: exit status of parent of /usr/sbin/vsftpd: 1
failed

Go back to your own /etc/vsftpd.conf of course.
I had the same problem and this is how I solved it.

Add the line:

Quote:

chroot_list_file=/etc/vsftpd.chroot_list

Make sure that /etc/vsftpd.chroot_list exist and that it is empty.

Regretfully I am unable to replicate the problem now.

If this does not work I will replace my vsftpd.conf with yours and then I will try to find the bug.

Chris