vsftpd with local and virtual users with different chroot directories
Greetings All,
I am currently running vsFTPd on the latest Amazon Linux. I have set up vsFTPd to allow both local and virtual users, and I am trying to set up chroot so that the virtual users all get chrooted to the same directory, /home/restuser/ftproot (this is working), and the local users each get chrooted to their own home directory as defined in passwd (this is not working: local users are also being chrooted into /home/restuser/ftproot).
Here is my config info:
INSTANCE INFO:
NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
Amazon Linux AMI release 2018.03
#local users
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth
Sample entries from /etc/passwd:
testuser:2941:1499::/home/restuser/ftproot/update/business/testuser/./:/sbin/nologin
testuser2:2942:1499::/home/restuser/ftproot/update/business/testuser2/./:/sbin/nologin
1499 is the ftpchroot group (from /etc/group):
ftpchroot:x:1499:
--------
When I login to the ftp server as a virtual user (I will use rest10000 as an example here) everything works fine:
~ $ ftp dev-ftp-001
Connected to dev-ftp-001.
220 (vsFTPd 2.2.2)
Name (dev-ftp-001): rest10000
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 3 503 1499 4096 May 22 09:55 imports
-rw-r--r-- 1 0 0 5 May 22 09:55 test.txt
drwxrwxrwx 6 503 1499 4096 Mar 19 16:37 update
226 Directory send OK.
This is exactly what I expect to see: I am chrooted properly into /home/restuser/ftproot on the server:
[root@dev-FTP-001 ftproot]# pwd
/home/restuser/ftproot
[root@dev-FTP-001 ftproot]# ls -l
total 12
drwxrwxrwx 3 restuser ftpchroot 4096 May 22 09:55 imports
-rw-r--r-- 1 root root 5 May 22 09:55 test.txt
drwxrwxrwx+ 6 restuser ftpchroot 4096 Mar 19 16:37 update
[root@dev-FTP-001 ftproot]#
-----
Now if I try to log in as testuser (a local user), I expect to be chrooted into the user's home directory (per passwd_chroot_enable=YES), but instead I get the same chroot as the virtual users:
~ $ ftp dev-ftp-001
Connected to dev-ftp-001
220 (vsFTPd 2.2.2)
Name (dev-ftp-001): testuser
331 Please specify the password.
Password:
230 Login successful.
ftp>
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 3 503 1499 4096 May 22 09:55 imports
-rw-r--r-- 1 0 0 5 May 22 09:55 test.txt
drwxrwxrwx 6 503 1499 4096 Mar 19 16:37 update
226 Directory send OK.
This DOES NOT match the home directory of the user:
[root@dev-FTP-001 testuser]# pwd
/home/restuser/ftproot/update/business/testuser
[root@dev-FTP-001 testuser]# ls -l
total 4
-rw-rw-rw- 1 root root 9 May 22 14:38 test.txt
-----
Now, if I remove "guest_enable=YES" from vsftpd.conf, then my local user chroot works properly:
~ $ ftp dev-ftp-001
Connected to dev-ftp-001.
220 (vsFTPd 2.2.2)
Name (dev-ftp-001): testuser
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-rw- 1 0 0 9 May 22 14:38 test.txt
226 Directory send OK.
But now my virtual users no longer work at all:
~ $ ftp dev-ftp-001
Connected to dev-ftp-001.
220 (vsFTPd 2.2.2)
Name (dev-ftp-001): rest10000
331 Please specify the password.
Password:
500 OOPS: cannot locate user entry:rest10000
ftp: Login failed.
Does anyone know how to make these two options work together so that all virtual users get chrooted to the same directory (/home/restuser/ftproot) and all local users get chrooted to their own directories as defined in /etc/passwd?
Thanks for the suggestion! Unfortunately I tried this and it does not achieve what I need. This would allow a separate chroot directory for each virtual user. I need all virtual users to use the same directory, which my current config does allow. The problem is that I want my local users to have a different chroot directory, which is where I am getting stuck. My local users are being forced into the same chroot as the virtual users.
You shouldn't define a local_root directory, because all users (virtual and real) will be chrooted into it.
Anyway, maybe this post here at LQ could be of help.
Hi, bathory, I have the same question.
I want all the local users on my CentOS 7 system to still be able to access /home/localusername/ when they log in.
The virtual users, on the other hand, should access /var/ftp/virtualusername/ when they log in.
The post you mentioned still sets
Code:
local_root=/var/www/ftp/$USER
, so it still can't solve the OP's issue.
I'm not sure this can be solved, because I see in the vsftpd FAQ some words that say:
Quote:
Q) Help! Does vsftpd support virtual users?
A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd.conf. This
has the effect of mapping every non-anonymous successful login to the local
username specified in "guest_username". Then, use PAM and (e.g.) its pam_userdb
module to provide authentication against an external (i.e. non-/etc/passwd)
repository of users.
Note - currently there is a restriction that with guest_enable enabled, local
users also get mapped to guest_username.
There is an example of virtual users setup in the "EXAMPLE" directory.
So, all the local users get mapped to guest_username, which means local users can only access
Code:
local_root=/var/www/ftp/$USER
?
Last edited by asmwarrior; 01-07-2021 at 01:32 AM.
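The FAQ rule quoted above (guest_enable=YES maps every non-anonymous login to guest_username) and the "/./" marker in the OP's passwd entries can be checked mechanically. The script below is an added example, not code from the thread or from the vsftpd project; the two config texts are constructed samples, and it assumes, per the vsftpd man page, that passwd_chroot_enable only takes effect together with chroot_local_user=YES.

```shell
#!/bin/sh
# Added example: predict what happens to a local (/etc/passwd) login under a
# given vsftpd.conf, using the FAQ rule that guest_enable=YES maps all
# non-anonymous logins to guest_username. Config texts are constructed samples.

CONF_OP='guest_enable=YES
guest_username=restuser
local_root=/home/restuser/ftproot
chroot_local_user=YES
passwd_chroot_enable=YES'

CONF_LOCAL_ONLY='chroot_local_user=YES
passwd_chroot_enable=YES'

# conf_get CONFTEXT KEY -> value of KEY (last uncommented occurrence wins)
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# passwd_chroot_split HOMEDIR -> "JAIL STARTDIR": the part before the first
# "/./" is the chroot jail, the part after it is the directory entered inside
# it ("." when nothing follows, as in the OP's passwd entries)
passwd_chroot_split() {
    case "$1" in
        */./*) jail=${1%%/./*}; start=${1#*/./}
               printf '%s %s\n' "$jail" "${start:-.}" ;;
        *)     printf '%s .\n' "$1" ;;
    esac
}

# local_user_outcome CONFTEXT -> one word describing a local-user login:
#   guest_mapped      guest_enable=YES maps it to guest_username (FAQ rule),
#                     so the per-user passwd jail is never consulted
#   passwd_chroot     jail taken from the "/./" home string in /etc/passwd
#   no_passwd_chroot  passwd_chroot_enable is not in effect for this login
local_user_outcome() {
    if [ "$(conf_get "$1" guest_enable)" = "YES" ]; then
        echo guest_mapped
    elif [ "$(conf_get "$1" chroot_local_user)" = "YES" ] &&
         [ "$(conf_get "$1" passwd_chroot_enable)" = "YES" ]; then
        echo passwd_chroot
    else
        echo no_passwd_chroot
    fi
}

# Demo: the OP's combination versus a config that only serves local users
local_user_outcome "$CONF_OP"           # guest_mapped
local_user_outcome "$CONF_LOCAL_ONLY"   # passwd_chroot
passwd_chroot_split '/home/restuser/ftproot/update/business/testuser/./'
```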
Please next time start your own thread and not post on old threads.
Anyway, as I've posted above, there is a post here at LQ marked "Solved" that matches your situation. You may give it a try and see what you get.