How to set up sftp so that a user can't get out of their home directory, without affecting any other users? There is an easy way of doing it. We can chroot either all local users to their default $HOME directory, or do it only for specific users. This post specifically lists the steps to chroot vsftpd users, both for all users except a few and for only a few selected users.
Set chroot jail to default $HOME directory for all local users except a few
1. In VSFTP Server configuration file /etc/vsftpd/vsftpd.conf, set:
# vi /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
chroot_list_enable=YES
2. Add the users that do NOT require a chroot jail to the /etc/vsftpd/chroot_list file. For this example, we will add users user01 and user02:
# cat /etc/vsftpd/chroot_list
user01
user02
3. Restart vsftpd service on VSFTP Server:
# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
4. Test as user user01, which is set to the chroot jail, and create a directory under the chroot directory:
# ftp ftp_host
Connected to ftp_host (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): user01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192.168.149.10,61,227)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192.168.149.10,61,163)
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir chroot_jail
257 "/chroot_jail" created
ftp>
5. Check the created directory on the VSFTP Server:
[root@ftp_host ~]# ls / | grep chroot_jail
[root@ftp_host ~]# ls /home/user01/ | grep chroot_jail
chroot_jail
6. Test as user user03, which is excluded from the chroot jail:
[root@ftpclient ~]# ftp ftp_host
Connected to ftp_host (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): user03
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/user03"
ftp> cd /
250 Directory successfully changed.
ftp> mkdir chroot_jail
257 "/chroot_jail" created
ftp>
7. Check the created directory on the VSFTP Server:
[root@ftp_host ~]# ls / | grep chroot_jail
chroot_jail
Set chroot jail to default $HOME directory for only a few local users
1. In VSFTP Server configuration file /etc/vsftpd/vsftpd.conf, set:
chroot_list_enable=YES
2. List the users that require a chroot jail in /etc/vsftpd/chroot_list. For this example, add users user01 and user02:
[root@ftp_host ~]# cat /etc/vsftpd/chroot_list
user01
user02
3. Restart vsftpd service on VSFTP Server:
[root@ftp_host ~]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
4. Test as user user01, which is set to the chroot jail, and create a directory under the chroot directory:
[root@ftpclient ~]# ftp ftp_host
Connected to ftp_host (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): user01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192.168.149.10,238,61)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192.168.149.10,83,211)
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir chroot_jail
257 "chroot_jail" created
ftp>
5. Check the created directory on the VSFTP Server:
[root@ftp_host ~]# ls / | grep chroot_jail
[root@ftp_host ~]# ls /home/user01/ | grep chroot_jail
chroot_jail
6. Test as user user03, which is excluded from the chroot jail:
[root@ftpclient ~]# ftp ftp_host
Connected to ftp_host (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): user03
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/user03"
ftp> ls
227 Entering Passive Mode (192.168.149.10,231,117)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> mkdir chroot_jail
257 "chroot_jail" created
ftp>
7. Check the created directory on the VSFTP Server:
[root@ftp_host ~]# ls / | grep chroot_jail
chroot_jail
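Because the meaning of /etc/vsftpd/chroot_list flips depending on chroot_local_user (an exception list in the first procedure, an inclusion list in the second), it is easy to end up jailing the wrong set of users. The following added helper script, written for this post and not part of vsftpd or of the original text, reads a vsftpd.conf and its list file and reports whether a given local user will be chrooted; the conf and list paths are taken from the examples above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): decide from vsftpd.conf and the
# chroot list whether a local user is jailed to $HOME. Implements vsftpd's rule:
#   chroot_local_user=YES + chroot_list_enable=YES -> listed users are NOT jailed
#   chroot_local_user=NO  + chroot_list_enable=YES -> only listed users are jailed
#   chroot_list_enable=NO                          -> chroot_local_user applies to all

# Print YES or NO for a boolean option in a vsftpd.conf (unset = NO, vsftpd's default).
vsftpd_opt() {   # $1 = conf file, $2 = option name
    val=$(sed -n "s/^[[:space:]]*$2=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p" "$1" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) echo YES ;;
        *) echo NO ;;
    esac
}

# Return 0 (true) if the user is chrooted, 1 if the user can leave $HOME.
vsftpd_is_chrooted() {   # $1 = user, $2 = conf file, $3 = chroot_list file
    all=$(vsftpd_opt "$2" chroot_local_user)
    use_list=$(vsftpd_opt "$2" chroot_list_enable)
    listed=NO
    if [ "$use_list" = YES ] && [ -r "$3" ] && grep -qx "$1" "$3"; then
        listed=YES
    fi
    if [ "$all" = YES ]; then
        [ "$listed" = NO ]      # the list holds the exceptions
    else
        [ "$listed" = YES ]     # the list holds the jailed users
    fi
}

# Stand-alone use: ./check_chroot.sh USER [CONF] [LIST]   (hypothetical script name)
if [ "$#" -ge 1 ]; then
    u=$1; c=${2:-/etc/vsftpd/vsftpd.conf}; l=${3:-/etc/vsftpd/chroot_list}
    if vsftpd_is_chrooted "$u" "$c" "$l"; then
        echo "$u: chrooted to home directory"
    else
        echo "$u: NOT chrooted, can browse the whole filesystem"
    fi
fi
```

Run it once for a listed user and once for an unlisted one after each configuration change; the two answers must differ in the way the procedure you followed intended.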