LinuxQuestions.org


ohleary 11-20-2003 11:37 AM

VSFTPD - lock user to home directory
 
Hi,

I have read many posts about this and mirrored the setup, but no dice. I have a RedHat 9 system. What I have done:

added a ftpuser with own group and home directory

edited /etc/vsftpd/vsftpd.conf:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

edited /etc/vsftpd.chroot_list:
added ftpuser

edited /etc/passwd entry for ftpuser:
ftpuser:X:#:#:FTP User Account:/home/ftpuser/./:/bin/false

edited /etc/shells and added:
/bin/false


restarted xinetd and vsftpd

The ftpuser can STILL traverse the entire directory structure. What the heck am I missing here?

Tramontane 11-20-2003 01:51 PM

from "man vsftpd.conf"
Code:

chroot_list_enable
              If activated, you may provide a list of local users
              who are placed in a chroot() jail in their home
              directory upon login. The meaning is slightly
              different if chroot_local_user is set to YES. In this
              case, the list becomes a list of users which are
              NOT to be placed in a chroot() jail. By default,
              the file containing this list is
              /etc/vsftpd.chroot_list, but you may override this
              with the chroot_list_file setting.

Also, you probably don't need to add "/bin/false" to your "/etc/shells" file. The point of the "/bin/false" entry in "/etc/passwd" file is that it shouldn't resolve to a valid shell.

JordanH 11-20-2003 01:55 PM

Ok... I see what you've done. The simple answer is that if you use chroot_local_user=YES then the vsftpd.chroot_list becomes a list of users to NOT chroot. So... you said chroot ALL users but ftpuser.

Notice the commented out lines.
In /etc/vsftpd/vsftpd.conf:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

edited /etc/vsftpd.chroot_list:
add users only that DO NOT NOT NOT NOT get chrooted.

use /sbin/nologin
edited /etc/passwd entry for ftpuser:
ftpuser:X:#:#:FTP User Account:/home/ftpuser/./:/sbin/nologin

------------

chroot_local_user=YES
chroot_list_enable=YES
means that by default ALL users get chrooted except users in the file

chroot_local_user=NO
chroot_list_enable=YES
means that by default ONLY users in the file get chrooted.

See the difference?

ohleary 11-20-2003 02:04 PM

Okay, it's backwards of what it seems. I changed chroot_local_user to NO and now things work fine, the user 'ftpuser' can't move up in the directory structure, can only navigate around its home directory.

Thank you for straightening me out.
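
The two setting combinations discussed in this thread, as an added example that is not part of any post: a Python sketch that works out which local users vsftpd would place in a chroot() jail. The function names, the simplified parser (only the value YES counts as true), the second account "alice" and the sample config strings are assumptions built from the settings quoted above.

```python
def parse_conf(text):
    """Collect option=value pairs, skipping blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key] = value
    return settings


def enabled(settings, key):
    # Both chroot options default to NO when absent from vsftpd.conf.
    return settings.get(key, "NO").upper() == "YES"


def is_chrooted(user, settings, chroot_list):
    """Return True if this local user ends up in a chroot() jail."""
    jail_by_default = enabled(settings, "chroot_local_user")
    listed = enabled(settings, "chroot_list_enable") and user in chroot_list
    # Being listed flips the default: an exemption when chroot_local_user=YES,
    # an opt-in when it is NO.
    return jail_by_default != listed


def unjailed(users, settings, chroot_list):
    """Local FTP users who can still walk the whole filesystem."""
    return sorted(u for u in users if not is_chrooted(u, settings, chroot_list))


# Constructed sample input mirroring the settings quoted in the thread.
ORIGINAL_CONF = """\
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
"""
FIXED_CONF = ORIGINAL_CONF.replace("chroot_local_user=YES", "chroot_local_user=NO")
CHROOT_LIST = ["ftpuser"]           # contents of /etc/vsftpd.chroot_list
LOCAL_USERS = ["ftpuser", "alice"]  # "alice" is a hypothetical second account

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(name, "unjailed:", unjailed(LOCAL_USERS, parse_conf(conf), CHROOT_LIST))
```

With chroot_local_user=NO the jail is opt-in, so any local account missing from the list file is left unjailed; the alternative that jails everyone by default is chroot_local_user=YES with ftpuser removed from the list.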

