Restrict VSFTP users to their home directory

By default VSFTP lets local users browse the whole file system (e.g. /bin, /usr, /opt). It also provides an option to confine all users, or only selected users, to their own home directories by following the simple procedure below.

Restrict all the users

1. In the vsftp configuration file (/etc/vsftpd/vsftp.conf), search for "chroot_local_user" and uncomment it

                     chroot_local_user=YES

2. Save the file & restart the service

                     service vsftpd restart

Test by logging in to the server

[user1@test-server ~]$ftp server
Connected to server.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (server:user1):user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"

As the output above shows, the user is confined to the home directory, which is now presented as "/".

Restrict only selected users

1. In the vsftp configuration file (vsftp.conf), uncomment the following two lines

                  chroot_list_enable=YES
                  chroot_list_file=/etc/vsftpd/chroot_list

2. Comment out "chroot_local_user" if it is enabled.

3. Add the required usernames (e.g. user5) to /etc/vsftpd/chroot_list, one per line.

4. Save the file and restart the vsftp service

                  service vsftpd restart
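As an added example (not code from the original post), the following POSIX shell script applies either of the two procedures above to a vsftpd configuration file without duplicating lines, and then predicts from the resulting files whether a given user will be confined, which is what the Testing section below verifies by logging in. It assumes the paths used in the post (/etc/vsftpd/vsftp.conf and /etc/vsftpd/chroot_list) unless VSFTPD_CONF and VSFTPD_CHROOT_LIST are set in the environment; the function names set_opt, comment_opt, get_opt, chroot_all_users, chroot_listed_users and is_chrooted are the example's own.

```shell
#!/bin/sh
# Added example: apply the "all users" or "selected users" chroot setup to a
# vsftpd config and predict the result. Paths below are assumptions matching
# the post; point them at a copy of the config to try this safely.
CONF="${VSFTPD_CONF:-/etc/vsftpd/vsftp.conf}"
LIST="${VSFTPD_CHROOT_LIST:-/etc/vsftpd/chroot_list}"

# set_opt FILE KEY VALUE: replace any existing KEY line (active or commented
# out) with KEY=VALUE, or append one if the file never mentioned KEY.
set_opt() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key=" "$file"; then
        sed "s|^[[:space:]]*#\{0,1\}[[:space:]]*$key=.*|$key=$value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# comment_opt FILE KEY: disable KEY by commenting out every active KEY line.
comment_opt() {
    file=$1; key=$2
    tmp="$file.tmp.$$"
    sed "s|^[[:space:]]*$key=|#$key=|" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_opt FILE KEY: print the value of the last active KEY line, or nothing.
get_opt() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed "s|^[[:space:]]*$2=||"
}

# Procedure 1 (restrict all users): chroot_local_user=YES.
chroot_all_users() {
    set_opt "$CONF" chroot_local_user YES
}

# Procedure 2 (restrict selected users): enable the list, point it at LIST,
# comment out chroot_local_user, and add each named user exactly once.
chroot_listed_users() {
    set_opt "$CONF" chroot_list_enable YES
    set_opt "$CONF" chroot_list_file "$LIST"
    comment_opt "$CONF" chroot_local_user
    [ -f "$LIST" ] || : > "$LIST"
    for u in "$@"; do
        grep -qx "$u" "$LIST" || printf '%s\n' "$u" >> "$LIST"
    done
}

# is_chrooted USER: print "chrooted" or "not chrooted" as vsftpd will decide.
# Rule from vsftpd.conf(5): with chroot_local_user=YES the list file holds the
# users NOT to confine; otherwise it holds the users to confine. The default
# list path when chroot_list_file is unset is /etc/vsftpd.chroot_list.
is_chrooted() {
    u=$1
    all=$(get_opt "$CONF" chroot_local_user)
    list_on=$(get_opt "$CONF" chroot_list_enable)
    list_file=$(get_opt "$CONF" chroot_list_file)
    [ -n "$list_file" ] || list_file=/etc/vsftpd.chroot_list
    in_list=0
    if [ "$list_on" = "YES" ] && [ -f "$list_file" ] && grep -qx "$u" "$list_file"; then
        in_list=1
    fi
    if [ "$all" = "YES" ]; then
        [ "$in_list" -eq 1 ] && echo "not chrooted" || echo "chrooted"
    else
        [ "$in_list" -eq 1 ] && echo "chrooted" || echo "not chrooted"
    fi
}
```

Run `chroot_all_users` or `chroot_listed_users user5` against a copy of the configuration first, confirm the outcome with `is_chrooted user5` and `is_chrooted user`, then apply it to the live file and `service vsftpd restart` as in the post. The prediction encodes the rule behind step 2 of the selected-users procedure: if chroot_local_user=YES is left in place, the list file turns into a list of users exempted from the chroot, so every other user is confined and the listed ones are not. On vsftpd 3.0 and later a chrooted login is additionally refused with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" unless the home directory is made non-writable or allow_writeable_chroot=YES is set; the 2.0.5 server shown in this post does not enforce that check.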

Testing

1. User5 must be restricted to the user's home directory

[user1@test-server ~]$ftp server
Connected to server.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (server:user1):user5
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> pwd
257 "/"

2. Other users still have access to the full file system

[user1@test-server ~]$ftp server
Connected to server.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (server:user1):user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> pwd
257 "/home/user"
ftp> cd /
ftp> ls
227 Entering Passive Mode (10,89,101,42,238,67)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jun 14  2011 bin
drwxr-xr-x    4 0        0            1024 Jun 14  2011 boot
drwxr-xr-x   17 0        0            3800 Dec 12 04:05 dev
drwxr-xr-x  107 0        0           12288 Feb 07 08:33 etc
drwxr-xr-x    6 0        0            4096 Aug 27 08:54 home …
