CentOS / RHEL : How to set chroot jail for vsftp only for specific users

By admin

How do you set up vsftpd so that a user cannot get out of their home directory, without affecting other users? There is an easy way of doing it. vsftpd can chroot either all local users into their default $HOME directory, or only specific users. This post lists the steps to chroot vsftpd only for specific users, with the "all users except a few" variant shown first for comparison. The two variants use the same list file, /etc/vsftpd/chroot_list, but its meaning flips with chroot_local_user: when chroot_local_user=YES the file lists the users exempted from the jail, otherwise it lists the users to be jailed. Getting this backwards silently leaves the wrong users unconfined, so always verify with a test login as shown in the steps below.

See also: CentOS / RHEL : How to set chroot jail for vsftp for all the users

Set chroot jail to default $HOME directory for all local users except a few

1. In the VSFTP server configuration file /etc/vsftpd/vsftpd.conf, set:

# vi /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
chroot_list_enable=YES

2. Add the users that do NOT require the chroot jail to the /etc/vsftpd/chroot_list file, one username per line (with chroot_local_user=YES this list holds the exceptions). For this example, we add users user01 and user02:

# cat /etc/vsftpd/chroot_list 
user01
user02

3. Restart the vsftpd service on the VSFTP server (on CentOS/RHEL 7, use systemctl restart vsftpd instead):

# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

4. Test with user03, which is not listed in chroot_list and is therefore jailed, and create a directory at the top of what the user sees as "/":

[root@ftpclient ~]# ftp ftp_host
Connected to ftp_host (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): user03
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192.168.149.10,61,227)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192.168.149.10,61,163)
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir chroot_jail
257 "/chroot_jail" created
ftp>

5. Check on the VSFTP server where the directory really went: not the real /, but user03's home directory, which is the root of the jail:

[root@ftp_host ~]# ls / | grep chroot_jail
[root@ftp_host ~]# ls /home/user03/ | grep chroot_jail
chroot_jail

Note that the jailed user was able to write to the root of the jail (the home directory itself). vsftpd 2.3.5 and later refuse such a login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". On those versions, make the home directory non-writable by the user and give them a writable subdirectory for uploads, or set allow_writeable_chroot=YES (vsftpd 3.0 and later), which accepts the weaker jail.

6. Test with user01, which is listed in chroot_list and is therefore excluded from the chroot jail:

[root@ftpclient ~]# ftp ftp_host
Connected to ftp_host (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): user01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/user01"
ftp> cd /
250 Directory successfully changed.
ftp> mkdir chroot_jail
257 "/chroot_jail" created
ftp>

7. Check on the VSFTP server: this time the directory was created in the real root filesystem, because the user is not confined:

[root@ftp_host ~]# ls / | grep chroot_jail
chroot_jail

Set chroot jail to default $HOME directory for only a few local users

1. In the VSFTP server configuration file /etc/vsftpd/vsftpd.conf, set:

chroot_list_enable=YES

Note: make sure chroot_local_user is NOT set to YES (either omit it or set it to NO, which is the default). With chroot_local_user=YES the same list would mean the opposite, namely the users exempted from the jail.

2. List the users that require the chroot jail in /etc/vsftpd/chroot_list, one username per line. Here we add users user01 and user02:

[root@ftp_host ~]# cat /etc/vsftpd/chroot_list 
user01
user02

3. Restart the vsftpd service on the VSFTP server:

[root@ftp_host ~]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

4. Test with user01, which is listed in chroot_list and is therefore jailed, and create a directory at the top of what the user sees as "/":

[root@ftpclient ~]# ftp ftp_host
Connected to ftp_host (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): user01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192.168.149.10,238,61)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192.168.149.10,83,211)
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir chroot_jail
257 "chroot_jail" created
ftp>

5. Check on the VSFTP server: the directory landed in user01's home directory, the root of the jail, not in the real /:

[root@ftp_host ~]# ls / | grep chroot_jail
[root@ftp_host ~]# ls /home/user01/ | grep chroot_jail
chroot_jail

6. Test with user03, which is not listed in chroot_list and is therefore not jailed:

[root@ftpclient ~]# ftp ftp_host
Connected to ftp_host (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): user03
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/user03"
ftp> ls
227 Entering Passive Mode (192.168.149.10,231,117)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> mkdir chroot_jail
257 "chroot_jail" created
ftp>

7. Check on the VSFTP server: the directory was created in the real root filesystem, because user03 is not confined:

[root@ftp_host ~]# ls / | grep chroot_jail
chroot_jail
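The two procedures above toggle the same tunables in different combinations, and the meaning of /etc/vsftpd/chroot_list flips between them. The following shell script is an added example and not part of the original article: it reads a vsftpd.conf and the chroot list it points to and reports whether a given local user will be chrooted. It covers both setups above plus the chroot_local_user=YES-without-a-list case the article does not show, and it includes a check for the writable jail root that vsftpd 2.3.5 and later reject. The file paths, user names and sample configurations are constructed for the demonstration; the default list path /etc/vsftpd/chroot_list is an assumption matching the RHEL packaging (upstream vsftpd defaults to /etc/vsftpd.chroot_list), so setting chroot_list_file explicitly is the safe choice.

```shell
#!/bin/sh
# Added example (not from the article): predict which local users vsftpd will
# chroot, from the tunables the two procedures above toggle:
#   chroot_local_user=YES, chroot_list_enable=YES -> everyone EXCEPT the listed users
#   chroot_local_user=NO,  chroot_list_enable=YES -> ONLY the listed users
#   chroot_local_user=YES, chroot_list_enable=NO  -> everyone (the list is ignored)
# Paths, user names and configs below are constructed for the demonstration.

# vsftpd_opt CONF KEY DEFAULT: print KEY's value from CONF (last line wins;
# vsftpd allows no whitespace around '=' and treats '#' lines as comments),
# or DEFAULT when the key is absent.
vsftpd_opt() {
    _val=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# vsftpd_bool VALUE: 1 for the spellings vsftpd accepts as true, else 0.
vsftpd_bool() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        yes|true|1) echo 1 ;;
        *)          echo 0 ;;
    esac
}

# vsftpd_chrooted CONF USER: print "chrooted" or "not chrooted" for a local user.
# Returns 2 when the list is enabled but unreadable (vsftpd itself fails the
# login with a 500 OOPS error in that case).
vsftpd_chrooted() {
    _conf=$1; _user=$2
    _all=$(vsftpd_bool "$(vsftpd_opt "$_conf" chroot_local_user NO)")
    _list_on=$(vsftpd_bool "$(vsftpd_opt "$_conf" chroot_list_enable NO)")
    # Assumed default: the RHEL package path the article relies on. Upstream
    # vsftpd defaults to /etc/vsftpd.chroot_list, so set chroot_list_file explicitly.
    _list_file=$(vsftpd_opt "$_conf" chroot_list_file /etc/vsftpd/chroot_list)
    _listed=0
    if [ "$_list_on" = 1 ]; then
        if [ ! -r "$_list_file" ]; then
            echo "chroot list $_list_file is not readable" >&2; return 2
        fi
        grep -qxF "$_user" "$_list_file" && _listed=1
    fi
    if [ "$_all" = 1 ]; then
        # The list holds the exceptions.
        if [ "$_listed" = 1 ]; then echo "not chrooted"; else echo "chrooted"; fi
    else
        # The list holds the jailed users.
        if [ "$_listed" = 1 ]; then echo "chrooted"; else echo "not chrooted"; fi
    fi
}

# chroot_root_writable DIR: succeed when the owner write bit (0200) is set on DIR.
# Approximates the check vsftpd 2.3.5+ applies to the jail root (the user's own
# home directory) before refusing the login with
# "500 OOPS: vsftpd: refusing to run with writable root inside chroot()".
chroot_root_writable() {
    [ -n "$(find "$1" -prune -perm -200 -print)" ]
}

# --- constructed sample configuration, mirroring the article's two setups ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'user01\nuser02\n' > "$tmp/chroot_list"
printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$tmp/chroot_list" > "$tmp/all_but_listed.conf"
printf 'chroot_local_user=NO\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
    "$tmp/chroot_list" > "$tmp/only_listed.conf"
printf 'chroot_local_user=YES\n' > "$tmp/everyone.conf"
mkdir "$tmp/home_rw" "$tmp/home_ro"
chmod 755 "$tmp/home_rw"; chmod 555 "$tmp/home_ro"

for c in all_but_listed.conf only_listed.conf everyone.conf; do
    for u in user01 user02 user03; do
        printf '%-20s %-8s %s\n' "$c" "$u" "$(vsftpd_chrooted "$tmp/$c" "$u")"
    done
done
for h in home_rw home_ro; do
    if chroot_root_writable "$tmp/$h"; then
        echo "$h: writable jail root, vsftpd >= 2.3.5 would refuse the login"
    else
        echo "$h: jail root not writable, login allowed"
    fi
done
```

Run it as any user; it touches only a temporary directory. To check a real server, point vsftpd_chrooted at /etc/vsftpd/vsftpd.conf and the user in question, and run chroot_root_writable against that user's home directory before assuming the test login will succeed on a vsftpd version newer than the 2.0.5 shown in the article.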

Filed Under: Linux
