LinuxQuestions.org
Old 05-22-2018, 01:46 PM   #1
rbarracca
LQ Newbie
 
Registered: May 2018
Posts: 4

Rep: Reputation: Disabled
vsftpd with local and virtual users with different chroot directories


Greetings All,

I am currently running vsFTPd on the latest Amazon Linux. I have set up vsFTPd to allow both local and virtual users and I am trying to set up chroot so that the virtual users all get chrooted to the same directory - /home/restuser/ftproot (this is working) and have the local users all chroot to their own home directory as defined in passwd (this is not working - local users are also being chrooted into /home/restuser/ftproot).

Here is my config info:

**INSTANCE INFO:
NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
Amazon Linux AMI release 2018.03

**vsFTPd info:
vsftpd: version 2.2.2

**vsftpd.conf:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
dual_log_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
passwd_chroot_enable=YES
listen=YES
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
pasv_enable=YES
pasv_promiscuous=NO
port_promiscuous=NO
pasv_min_port=15000
pasv_max_port=15500
use_localtime=YES
virtual_use_local_privs=YES
pam_service_name=vsftpd.hybrid
guest_enable=YES
local_root=/home/restuser/ftproot
user_sub_token=
secure_chroot_dir=/home/restuser/ftproot
hide_ids=YES

**vsftpd.hybrid (PAM)
#%PAM-1.0
#virtual users
auth sufficient pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account sufficient pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user

#local users
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth

**Sample entries from /etc/passwd:
testuser:2941:1499::/home/restuser/ftproot/update/business/testuser/./:/sbin/nologin
testuser2:2942:1499::/home/restuser/ftproot/update/business/testuser2/./:/sbin/nologin

**1499 is the ftpchroot group (from /etc/group):
ftpchroot:x:1499:

--------

When I login to the ftp server as a virtual user (I will use rest10000 as an example here) everything works fine:

~ $ ftp dev-ftp-001
Connected to dev-ftp-001.
220 (vsFTPd 2.2.2)
Name (dev-ftp-001): rest10000
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 3 503 1499 4096 May 22 09:55 imports
-rw-r--r-- 1 0 0 5 May 22 09:55 test.txt
drwxrwxrwx 6 503 1499 4096 Mar 19 16:37 update
226 Directory send OK.

This is exactly what I expect to see - I am chrooted properly into /home/restuser/ftproot on the server:
[root@dev-FTP-001 ftproot]# pwd
/home/restuser/ftproot
[root@dev-FTP-001 ftproot]# ls -l
total 12
drwxrwxrwx 3 restuser ftpchroot 4096 May 22 09:55 imports
-rw-r--r-- 1 root root 5 May 22 09:55 test.txt
drwxrwxrwx+ 6 restuser ftpchroot 4096 Mar 19 16:37 update
[root@dev-FTP-001 ftproot]#

-----

Now if I try to log in as testuser (a local user) I expect to be chrooted into the user's home directory (per passwd_chroot_enable=YES) but instead I get the same chroot as the virtual users:

~ $ ftp dev-ftp-001
Connected to dev-ftp-001
220 (vsFTPd 2.2.2)
Name (dev-ftp-001): testuser
331 Please specify the password.
Password:
230 Login successful.
ftp>
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 3 503 1499 4096 May 22 09:55 imports
-rw-r--r-- 1 0 0 5 May 22 09:55 test.txt
drwxrwxrwx 6 503 1499 4096 Mar 19 16:37 update
226 Directory send OK.

This DOES NOT match the home directory of the user:
[root@dev-FTP-001 testuser]# pwd
/home/restuser/ftproot/update/business/testuser
[root@dev-FTP-001 testuser]# ls -l
total 4
-rw-rw-rw- 1 root root 9 May 22 14:38 test.txt

-----

Now, if I remove "guest_enable=YES" from vsftpd.conf then my local user chroot works properly:

~ $ ftp dev-ftp-001
Connected to dev-ftp-001.
220 (vsFTPd 2.2.2)
Name (dev-ftp-001): testuser
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-rw- 1 0 0 9 May 22 14:38 test.txt
226 Directory send OK.


But now my virtual users no longer work at all:

~ $ ftp dev-ftp-001
Connected to dev-ftp-001.
220 (vsFTPd 2.2.2)
Name (dev-ftp-001): rest10000
331 Please specify the password.
Password:
500 OOPS: cannot locate user entry:rest10000
ftp: Login failed.


Does anyone know how to make these two options work together so that all virtual users get chrooted to the same directory (/home/restuser/ftproot) and all local users get chrooted to their own directories as defined in /etc/passwd?

Thanks!
Bob
 
Old 06-04-2018, 04:14 PM   #2
rbarracca
LQ Newbie
 
Registered: May 2018
Posts: 4

Original Poster
Rep: Reputation: Disabled
Greetings,

I am still struggling to make this work. I tried emailing the author of vsFTPd but have not gotten a response. Does anyone have any insight?

Thanks!
Bob
 
Old 09-12-2018, 12:18 PM   #3
rbarracca
LQ Newbie
 
Registered: May 2018
Posts: 4

Original Poster
Rep: Reputation: Disabled
One last plea for help before I give up on this - has anyone been able to make this configuration work?
 
Old 09-12-2018, 01:06 PM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Hi,
Quote:
Originally Posted by rbarracca
One last plea for help before I give up on this - has anyone been able to make this configuration work?
You could try the "user_sub_token" option for this.
Have a look at this example for details

Regards
 
Old 09-12-2018, 01:10 PM   #5
rbarracca
LQ Newbie
 
Registered: May 2018
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks for the suggestion! Unfortunately I tried this and it does not achieve what I need. This would allow a separate chroot directory for all virtual users. I need all virtual users to use the same directory, which my current config does allow. The problem is I want my local users to have a different chroot directory, which is where I am getting stuck. My local users are being forced into the same chroot as the virtual users.
 
Old 09-12-2018, 01:42 PM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Originally Posted by rbarracca
Thanks for the suggestion! Unfortunately I tried this and it does not achieve what I need. This would allow a separate chroot directory for all virtual users. I need all virtual users to use the same directory, which my current config does allow. The problem is I want my local users to have a different chroot directory, which is where I am getting stuck. My local users are being forced into the same chroot as the virtual users.
You shouldn't define a local_root directory, because all users (virtual and real) will be chrooted into it.
Anyway, maybe this post here at LQ could be of help.
 
Old 01-07-2021, 12:43 AM   #7
asmwarrior
LQ Newbie
 
Registered: Dec 2010
Posts: 1

Rep: Reputation: 0
Hi bathory, I have the same question.
I want all the local users on my CentOS 7 to still be able to access /home/localusername/ when they log in,
while the virtual users should access /var/ftp/virtualusername/ when they log in.
The post you mentioned still sets
Code:
local_root=/var/www/ftp/$USER
so it still can't solve the OP's issue.

I'm not sure this can be solved, because I see that the vsftpd FAQ says:

Quote:
Q) Help! Does vsftpd support virtual users?
A) Yes, via PAM integration. Set "guest_enable=YES" in /etc/vsftpd.conf. This
has the effect of mapping every non-anonymous successful login to the local
username specified in "guest_username". Then, use PAM and (e.g.) its pam_userdb
module to provide authentication against an external (i.e. non-/etc/passwd)
repository of users.
Note - currently there is a restriction that with guest_enable enabled, local
users also get mapped to guest_username.
There is an example of virtual users setup in the "EXAMPLE" directory.
So all the local users get mapped to guest_username, which means local users can only access
Code:
local_root=/var/www/ftp/$USER
?

Last edited by asmwarrior; 01-07-2021 at 01:32 AM.
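
Added example (not part of any post in this thread, and not vsftpd's own code): a small Python check that reads a vsftpd.conf and flags the option interactions discussed above, namely the guest_enable mapping from the FAQ quoted in #7, the shared local_root pointed out in #6, and the chroot_list inversion documented in vsftpd.conf(5). The function names and finding ids are made up for illustration, and the sample config is a constructed excerpt of the options posted in #1.

```python
# Added example, not from the thread; SAMPLE_CONF is a constructed excerpt of post #1.
SAMPLE_CONF = """\
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
passwd_chroot_enable=YES
guest_enable=YES
local_root=/home/restuser/ftproot
user_sub_token=
"""

def parse_conf(text):
    """Return {option: value}; vsftpd.conf is option=value with '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts

def is_yes(opts, key):
    return opts.get(key, "NO").upper() == "YES"  # these booleans default to NO

def audit_chroot(opts):
    """Return (id, message) findings for the interactions discussed in the thread."""
    findings = []
    guest = is_yes(opts, "guest_enable")
    root = opts.get("local_root", "")
    token = opts.get("user_sub_token", "")
    if guest and is_yes(opts, "local_enable"):
        findings.append(("guest-maps-local",
            "guest_enable=YES maps every non-anonymous login, /etc/passwd users "
            "included, to guest_username (default: ftp)"))
    if root and not (token and token in root):
        findings.append(("shared-local-root",
            f"local_root={root} has no user_sub_token: same directory for every non-anonymous login"))
    if guest and is_yes(opts, "passwd_chroot_enable"):
        findings.append(("passwd-chroot-unused",
            "with guest mapping, the real user's /./ home marker in /etc/passwd "
            "does not pick the jail (behaviour reported in post #1)"))
    if is_yes(opts, "chroot_local_user") and is_yes(opts, "chroot_list_enable"):
        findings.append(("chroot-list-inverted",
            "with chroot_local_user=YES, chroot_list_file lists users who are NOT chrooted"))
    return findings

if __name__ == "__main__":
    for fid, msg in audit_chroot(parse_conf(SAMPLE_CONF)):
        print(f"[{fid}] {msg}")
```

Run against the options from post #1, it reports all four findings; the last one matters for review because any account named in chroot_list_file is left outside the jail.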
 
Old 01-07-2021, 03:34 AM   #8
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Hi asmwarrior,

Please next time start your own thread and not post on old threads.
Anyway, as I've posted above, there is a post here at LQ marked "Solved" that matches your situation. You may give it a try and see what you get.

Regards
 
  

