The Geek Diary

CentOS / RHEL : How to set chroot jail for vsftp for all the users

By admin

With the default vsftpd configuration, local users who log in over FTP can navigate up to the top-level directories of the server, which can cause security issues. There are situations where FTP users should not be able to access any files outside their own home directory. The vsftpd daemon can chroot users on login to enforce this policy.

Set chroot jail to default $HOME directory for all local users

Follow the steps below to confine all local users on the system to a chroot jail in their default home directory.

1. In the vsftpd server configuration file /etc/vsftpd/vsftpd.conf, set the following parameter:

# vi /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
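Note: Make sure "chroot_list_enable" is not set to "YES". If chroot_list_enable=YES, you must also set the parameter chroot_list_file=/etc/vsftpd/chroot_list in your vsftpd.conf file to tell the daemon where to find the chroot_list file. vsftpd reads that file, and any user listed in it is placed in a chroot jail. When chroot_local_user=YES is also set, the meaning of the list inverts: the listed users are the ones who are not placed in a chroot jail, which is why the list must stay disabled for this setup.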

2. Restart the vsftpd service on the FTP server:

# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

3. Test by logging in as a chrooted user and creating a directory under the chroot directory.

# ftp ftphost
Connected to ftphost (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): testuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192.168.149.10,72,224)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192.168.149.10,135,209)
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir chroot_jail_dir
257 "/chroot_jail_dir" created
ftp> ls
227 Entering Passive Mode (192.168.149.10,40,202)
150 Here comes the directory listing.
drwxr-xr-x    2 511      511          4096 Nov 12 11:40 chroot_jail_dir
226 Directory send OK.
ftp>

4. Check the location of the created directory on the FTP server. The directory is created under the home directory (/home/testuser) of the user "testuser" instead of the actual root directory (/).

The directory is not created under /, as shown below:

# ls / | grep chroot_jail_dir

Instead, it is created under the home directory of the "testuser" user.

# ls /home/testuser/ | grep chroot_jail_dir
chroot_jail_dir
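
The interaction described in the note in step 1, as an added example that is not part of the original article: a POSIX shell function that reads a vsftpd.conf and reports whether a given local user ends up jailed, including the case where chroot_list_enable=YES combined with chroot_local_user=YES turns the list into an exemption list. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): effective chroot policy for one user.

# get_opt FILE KEY DEFAULT: value of the last uncommented KEY=value line (assumption: later lines override).
get_opt() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# is_yes VALUE: true for YES/TRUE/1, compared case-insensitively.
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# chroot_policy CONF USER: prints "jailed" or "not-jailed".
chroot_policy() {
    conf=$1 user=$2
    local_all=$(get_opt "$conf" chroot_local_user NO)
    list_on=$(get_opt "$conf" chroot_list_enable NO)
    # Default list path taken from the article; override it in the config if needed.
    list_file=$(get_opt "$conf" chroot_list_file /etc/vsftpd/chroot_list)
    listed=no
    if is_yes "$list_on" && [ -r "$list_file" ] && grep -qxF "$user" "$list_file"; then
        listed=yes
    fi
    if is_yes "$local_all"; then
        # chroot_local_user=YES: an enabled list names the users who are exempt.
        [ "$listed" = yes ] && echo not-jailed || echo jailed
    else
        # chroot_local_user=NO: only users on an enabled list are jailed.
        [ "$listed" = yes ] && echo jailed || echo not-jailed
    fi
}

# Demo on a constructed config and list (not taken from a real host).
demo_dir=$(mktemp -d)
printf 'alice\n' > "$demo_dir/chroot_list"
printf '%s\n' 'chroot_local_user=YES' 'chroot_list_enable=YES' \
    "chroot_list_file=$demo_dir/chroot_list" > "$demo_dir/vsftpd.conf"
for u in alice testuser; do
    printf '%s: %s\n' "$u" "$(chroot_policy "$demo_dir/vsftpd.conf" "$u")"
done
rm -rf "$demo_dir"
```

Running `chroot_policy /etc/vsftpd/vsftpd.conf testuser` before restarting the service shows whether the edited file produces the jail that step 3 then verifies over FTP.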
© 2021 · The Geek Diary