VSFTPD

ohleary · 11-20-2003, 11:37 AM

Hi,

I have read many posts about this and mirrored the setup, but no dice. I have a RedHat 9 system. What I have done:

added a ftpuser with own group and home directory

edited /etc/vsftpd/vsftpd.conf:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

edited /etc/vsftpd.chroot_list:
added ftpuser

edited /etc/passwd entry for ftpuser:
ftpuser:X:#:#:FTP User Account:/home/ftpuser/./:/bin/false

edited /etc/shells and added:
/bin/false

restarted xinetd and vsftpd

The ftpuser can STILL traverse the entire directory structure. What the heck am I missing here?

Tramontane · 11-20-2003, 01:51 PM

from "man vsftpd.conf"

Code:

chroot_list_enable
              If activated, you may provide a list of local users
              who  are  placed  in  a chroot() jail in their home
              directory upon login. The meaning is slightly  dif_
              ferent  if chroot_local_user is set to YES. In this
              case, the list becomes a list of  users  which  are
              NOT  to  be placed in a chroot() jail.  By default,
              the    file     containing     this     list     is
              /etc/vsftpd.chroot_list,  but you may override this
              with the chroot_list_file setting.

also, you probably don't need to add "/bin/false" to your "/etc/shells" file. The point of the "/bin/false" entry in "/etc/passwd" file is that it shouldn't resolve to a valid shell.

JordanH · 11-20-2003, 01:55 PM

Ok... I see what you've done. The simple answer is that if you use chroot_local_user=YES then the vsftpd.chroot_list becomes a list of users to NOT chroot. So... you said chroot ALL users but ftpuser.

Notice the commented out lines.
In /etc/vsftpd/vsftpd.conf:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

edited /etc/vsftpd.chroot_list:
add users only that DO NOT NOT NOT NOT get chrooted.

use /sbin/nologin
edited /etc/passwd entry for ftpuser:
ftpuser:X:#:#:FTP User Account:/home/ftpuser/./:/sbin/nologin

------------

chroot_local_user=YES
chroot_list_enable=YES
means that by default ALL users get chrooted except users in the file

chroot_local_user=NO
chroot_list_enable=YES
means that by default ONLY users in the file get chrooted.

See the difference?

ohleary · 11-20-2003, 02:04 PM

Okay, it's backwards of what it seems. I changed chroot_local_user to NO and now things work fine, the user 'ftpuser' can't move up in the directory structure, can only navigate around it's home directory.

Thank you for straightening me out.