Hi ALL

I'm using vsftpd as FTP server, and I'd like to chroot my FTP users
to their home dir. How can I do it? i.e. "jailing" them in their home
dir...
at the moment I have the following issues the user when they login to
ftp server they go to the main directory /var/ftp/

/etc/passwd
...
sdc:x:501:501::/var/ftp/sdc:/bin/bash
ase:x:502:501::/var/ftp/ase:/bin/bash
jsc:x:503:501::/var/ftp/jsc/:/bin/bash


[root@linux10 ftp]# pwd
/var/ftp
[root@linux10 ftp]# ls -al
total 28
drwx--x--x 6 root ftpusers 4096 Oct 6 13:46 .
drwxr-xr-x 22 root root 4096 Oct 5 15:42 ..
drwx------ 3 ase ftpusers 4096 Oct 6 20:30 ase
drwx------ 3 jsc ftpusers 4096 Oct 6 17:27 jsc
drwx------ 2 pons pons 4096 Oct 6 16:22 pub
drwx------ 5 sdc ftpusers 4096 Oct 6 17:19 sdc

chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
###added for TLSand SSL permission
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
local_root=/var/ftp
#userlist_file=/etc/vsftpd/ftpusers
userlist_file=/etc/vsftpd/ftpusers
#userlist_file=/etc/vsftpd/user_list
pasv_enable=YES
anon_max_rate=10485760
local_max_rate=0
max_clients=500
max_per_ip=4
passwd_chroot_enable=YES
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

> I'm using vsftpd as FTP server, and I'd like to chroot my FTP users
> to their home dir. How can I do it? i.e. "jailing"
> them in their home dir...
> at the moment I have the following issues the user when they login to
> ftp server they go to the main directory /var/ftp/
>

Here is what I did, full discussion at this link
http://www.bobhoffman.com/forums/viewtopic.php?f=4&t=11

Here is my file. Each user is locked into his folder listed in the
etc/pssword file.


ftpd_banner=Welcome to my webserver!
listen=YES
pam_service_name=vsftpd
anonymous_enable=NO
local_enable=YES
session_support=NO
write_enable=YES
chroot_local_user=YES

#supposed default settings added for security and other redhat settings
userlist_deny=YES
userlist_enable=YES
#userlist file is default to /etc/vsftpd.userlist
local_umask=022

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Bob Hoffman wrote:
>> I'm using vsftpd as FTP server, and I'd like to chroot my FTP users
>> to their home dir. How can I do it? i.e. "jailing"
>> them in their home dir...
>> at the moment I have the following issues the user when they login to
>> ftp server they go to the main directory /var/ftp/
>>
>
> Here is what I did, full discussion at this link
> http://www.bobhoffman.com/forums/viewtopic.php?f=4&t=11
>
> Here is my file. Each user is locked into his folder listed in the
> etc/pssword file.
>
>
> ftpd_banner=Welcome to my webserver!
> listen=YES
> pam_service_name=vsftpd
> anonymous_enable=NO
> local_enable=YES
> session_support=NO
> write_enable=YES
> chroot_local_user=YES
>
> #supposed default settings added for security and other redhat settings
> userlist_deny=YES
> userlist_enable=YES
> #userlist file is default to /etc/vsftpd.userlist
> local_umask=022


and here is mine

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
pasv_max_port=8000
pasv_min_port=7000
use_localtime=YES
deny_file={.*,.ssh,.*profile*}
hide_file={.*,.ssh,.*profile*}
check_shell=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
ftpd_banner=Our FTPd Server
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
syslog_enable=YES
chmod_enable=NO
secure_chroot_dir=/usr/share/empty

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Hello ubuntu-users@lists.ubuntu.com!

I have recently installed VSFTP and created user with home directory
in /var/www/user. User can connect fine, but I don't want that he can
walk through upper directories and even into "/", ...

How can I deny changing directory backwards?

Thanks in advance.

--
Best regards, TRoland
http://www.rotursoft.sk
http://exekutor.rotursoft.sk


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

You should try mysecureshell

It is a sftp server for the open ssh server. Has only one config file (really easy) and it's just a shell for the user. It supports virtual chrooting to user's home.



HTH

Regards.
*
*


2010/6/30 Roland Turcan <konf@rotursoft.sk>


Hello ubuntu-users@lists.ubuntu.com!



I have recently installed VSFTP and created user with home directory

in /var/www/user. User can connect fine, but I don't want that he can

walk through upper directories and even into "/", ...



How can I deny changing directory backwards?



Thanks in advance.



--

Best regards, TRoland

http://www.rotursoft.sk

http://exekutor.rotursoft.sk





--

ubuntu-users mailing list

ubuntu-users@lists.ubuntu.com

Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users



--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

30.06.2010 09:04, Roland Turcan:

> I have recently installed VSFTP and created user with home directory
> in /var/www/user. User can connect fine, but I don't want that he can
> walk through upper directories and even into "/", ...
>
> How can I deny changing directory backwards?

man vsftpd.conf
or
http://manpages.ubuntu.com/manpages/lucid/en/man5/vsftpd.conf.5.html

Look for
chroot_list_enable
and
chroot_local_user

Setting (at least one of) those should achieve what you want.

--
Regards
mks

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Hello Markus,

Thanks. That's it.

TRoland;

<<< 30.06.2010 9:35 - Markus Schönhaber "ubuntu-users@list-post.mks-mail.de" >>>
MS> 30.06.2010 09:04, Roland Turcan:

>> I have recently installed VSFTP and created user with home directory
>> in /var/www/user. User can connect fine, but I don't want that he can
>> walk through upper directories and even into "/", ...
>>
>> How can I deny changing directory backwards?

MS> man vsftpd.conf
MS> or
MS> http://manpages.ubuntu.com/manpages/lucid/en/man5/vsftpd.conf.5.html

MS> Look for
MS> chroot_list_enable
MS> and
MS> chroot_local_user

MS> Setting (at least one of) those should achieve what you want.

MS> --
MS> Regards
MS> mks





--
Best regards, TRoland
http://www.rotursoft.sk
http://exekutor.rotursoft.sk


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Hello Marcos,

Thanks, but the question was not to change the server, but to find the
way how to set it up.

Anyway thanks for your response and I will read info about
mysecureshell which could be useful for the future.

TRoland;

<<< 30.06.2010 9:34 - Marcos "fraga.muerete@gmail.com" >>>
M> You should try mysecureshell

M> It is a sftp server for the open ssh server. Has only one config
M> file (really easy) and it's just a shell for the user. It supports
M> virtual chrooting to user's home.

M> HTH

M> Regards.
M>
M>


M> 2010/6/30 Roland Turcan <konf@rotursoft.sk>
M> Hello ubuntu-users@lists.ubuntu.com!

M> I have recently installed VSFTP and created user with home directory
M> in /var/www/user. User can connect fine, but I don't want that he can
M> walk through upper directories and even into "/", ...

M> How can I deny changing directory backwards?

M> Thanks in advance.

M> --
M> Best regards, TRoland
M> http://www.rotursoft.sk
M> http://exekutor.rotursoft.sk


M> --
M> ubuntu-users mailing list
M> ubuntu-users@lists.ubuntu.com
M> Modify settings or unsubscribe at:
M> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users




--
Best regards, TRoland
http://www.rotursoft.sk
http://exekutor.rotursoft.sk


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

2010/6/30 Roland Turcan <konf@rotursoft.sk>


Hello Marcos,



Thanks, but the question was not to change the server, but to find the

way how to set it up.



Anyway thanks for your response and I will read info about

mysecureshell which could be useful for the future.



TRoland;


Yeah, I realised it.* Anyway I just thought it could be useful for people using FTP servers or SFTP to know about MySecureShell and it's ACL's that could be useful for some purposes:



Here is an overview of ACLs:
- Control bandwidth.
- Secure
viewing rights.
- Administration of server by GUI.

- Management of the activity the server with logging.

- Control by user ip, groups ...
- Remote Access
administration.
- Confinement server in a secure area (Chroot
Jail ).


HTH someone
*


<<< 30.06.2010 9:34 - Marcos "fraga.muerete@gmail.com" >>>

M> You should try mysecureshell



M> It is a sftp server for the open ssh server. Has only one config

M> file (really easy) and it's just a shell for the user. It supports

M> virtual chrooting to user's home.



M> HTH



M> Regards.

M>

M>





M> 2010/6/30 Roland Turcan <konf@rotursoft.sk>

M> Hello ubuntu-users@lists.ubuntu.com!



M> I have recently installed VSFTP and created user with home directory

M> in /var/www/user. User can connect fine, but I don't want that he can

M> walk through upper directories and even into "/", ...



M> How can I deny changing directory backwards?



M> Thanks in advance.



M> --

M> Best regards, TRoland

M> http://www.rotursoft.sk

M> http://exekutor.rotursoft.sk





M> --

M> ubuntu-users mailing list

M> ubuntu-users@lists.ubuntu.com

M> Modify settings or unsubscribe at:

M> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users









--

Best regards, TRoland

http://www.rotursoft.sk

http://exekutor.rotursoft.sk





--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users