Saturday, August 8, 2009

RHCE Tips: Limiting vsftpd users to their own home directory

Yesterday's VSFTPD troubleshooting note (read: post) brought me back to this question.

If you do not want FTP users to be able to access any files outside their own home directory, set up a chroot jail.

Consider the following example:

* Ftp username : user1
* FTP home directory: /home/user1

$ ftp ftp.domain.com

Output:

Connected to ftp.domain.com.
220 (vsFTPd 2.0.5)
Name (ftp.domain.com:user1): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/user1"
ftp> cd /etc
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 7959 Mar 02 22:20 Muttrc
drwxr-xr-x 3 0 0 4096 Jul 24 12:20 Wireless
drwxr-xr-x 16 0 0 4096 Jul 30 22:58 X11
drwxr-xr-x 4 0 0 4096 Sep 05 2005 Xprint
-rw-r--r-- 1 0 0 2188 Sep 05 2005 adduser.conf
-rw-r--r-- 1 0 0 47 Aug 16 14:52 adjtime
-rw------- 1 0 0 4330 Aug 18 2005 afick.conf
-rw-r--r-- 1 0 0 194 Sep 05 2005 aliases
-rw-r--r-- 1 0 0 12288 Jul 19 21:27 aliases.db
drwxr-xr-x 2 0 0 8192 Aug 15 09:33 alternatives
...
.....
..

Without a chroot, a normal user can change into /etc (and, in fact, into any directory on the system) and download every file that is readable by that account, including sensitive configuration files. Anything the user could read with a shell login is equally readable over FTP, and unlike a shell session it is usually not expected that an FTP account can browse the whole filesystem.

To avoid this security problem, lock the FTP user in a chroot jail.

Open vsftpd configuration file - /etc/vsftpd/vsftpd.conf
# vi /etc/vsftpd/vsftpd.conf

Make sure the following line exists (and is uncommented):
chroot_local_user=YES

Save and close the file. Restart vsftpd.
# /etc/init.d/vsftpd restart

Now every local user of vsftpd is confined to their own home directory: after logging in, pwd reports "/" (the home directory has become the root of everything the user can see) and cd /etc fails with "550 Failed to change directory." Users can no longer reach /, /etc, /root, /tmp or any other directory on the system. This is an essential security feature.

Two things to keep in mind. First, chroot_local_user only governs local (system account) users; anonymous users are always confined to the anonymous FTP root. Second, if chroot_list_enable=YES is also set, the meaning of chroot_list_file is inverted: with chroot_local_user=YES it lists the users who are exempt from the jail, while with chroot_local_user=NO it lists the only users who are jailed, so a stray list entry can quietly un-jail an account. Newer vsftpd releases (2.3.5 and later) additionally refuse to log a user in when the chroot root, i.e. the home directory, is writable by that user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); either make the home directory non-writable and give the user a writable subdirectory for uploads, or, on vsftpd 3.0 and later, set allow_writeable_chroot=YES and accept the loss of that check.
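As an added example (not part of the original post), here is a small POSIX shell audit that reads a vsftpd.conf the way vsftpd does (comment lines ignored, option name at the start of the line, later assignments override earlier ones) and reports whether a given local user will actually be jailed. It applies the rule from vsftpd.conf(5): with chroot_local_user=YES the chroot_list_file names users who are exempt from the jail, with chroot_local_user=NO it names the only users who are jailed. The config path, user names and any test configs you feed it are assumptions for illustration; the upstream default list path /etc/vsftpd.chroot_list is used only when chroot_list_file is not set.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for the
# chroot settings discussed above. Pass a config path and a user name.

# Effective value of one vsftpd option. vsftpd skips lines starting with '#',
# matches the option name at column 0, and applies assignments in order, so
# the last uncommented assignment wins. Prints nothing if the option is unset.
vsftpd_opt() {
    # $1 = config file, $2 = option name
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Is a boolean option effectively on? vsftpd accepts YES/yes/TRUE/true/1.
vsftpd_bool() {
    case "$(vsftpd_opt "$1" "$2")" in
        YES|yes|TRUE|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide whether local user $2 ends up chrooted under config $1.
# Prints "jailed" or "not-jailed".
vsftpd_user_jailed() {
    conf=$1
    user=$2
    in_list=no
    if vsftpd_bool "$conf" chroot_list_enable; then
        list=$(vsftpd_opt "$conf" chroot_list_file)
        # Upstream default when chroot_list_file is unset (Red Hat's sample
        # config points it at /etc/vsftpd/chroot_list instead).
        [ -n "$list" ] || list=/etc/vsftpd.chroot_list
        # Whole-line match so "user1" does not match "user10". vsftpd itself
        # rejects logins if it cannot open the list file; we just treat the
        # user as not listed.
        if [ -r "$list" ] && grep -qx "$user" "$list"; then
            in_list=yes
        fi
    fi
    if vsftpd_bool "$conf" chroot_local_user; then
        # YES: everyone is jailed except the users in the list.
        [ "$in_list" = yes ] && echo not-jailed || echo jailed
    else
        # NO: nobody is jailed except the users in the list.
        [ "$in_list" = yes ] && echo jailed || echo not-jailed
    fi
}

# Stand-alone use: ./vsftpd-chroot-audit.sh /etc/vsftpd/vsftpd.conf user1
if [ "$#" -eq 2 ]; then
    echo "$2: $(vsftpd_user_jailed "$1" "$2")"
fi
```

Run it once per account you care about after editing the config; a "not-jailed" result for an account you expected to be confined almost always means either a commented-out chroot_local_user line or an unexpected entry in the chroot list.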
