How can we limit users to only their home directories, so that a user cannot go outside and access or view anything beyond their own home directory? This is called a VSFTPD chroot jail.



In the default configuration, users are able to access and view files and directories outside their home directories. They land in their home directory after login, but they can move out of it and browse other files and directories as well.

#ftp localhost
Connected to localhost.
220 (vsFTPd 2.2.2)
530 Please login with USER and PASS.
Name (localhost:root): u1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/u1"
ftp> cd ../..
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (127,0,0,1,124,11).
150 Here comes the directory listing.
dr-xr-xr-x    2 0        0            4096 Jan 16 04:05 bin
dr-xr-xr-x    5 0        0            1024 Jan 09 06:59 boot
drwxr-xr-x   19 0        0            3700 Jan 19 23:25 dev
drwxr-xr-x  105 0        0           12288 Jan 19 23:25 etc
drwxr-xr-x    4 0        0            4096 Dec 23 05:12 home
dr-xr-xr-x    8 0        0            4096 Dec 14 09:40 lib

As shown above, a normal user can browse outside their home directory, view its contents, and copy data from the FTP server to local storage. We should stop this behaviour and limit users to their own home directories only.

Configure VSFTPD Chroot Jail

First, the VSFTPD service should be running on the Linux system.

Edit the /etc/vsftpd/vsftpd.conf file as root and change a few settings for the chroot jail. The relevant section of the default file looks like this:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list

If you want to limit all local users, local user login must be enabled first. To enable local users, remove the hash comment from the directive below and restart the VSFTPD service with the command "service vsftpd restart".

# Uncomment this to allow local users to log in.
local_enable=YES

Uncommenting the directive below (so that it reads chroot_local_user=YES) limits all local users to the VSFTPD chroot jail.

#chroot_local_user=YES

You can also specify an explicit list of local users who should not be chroot-jailed to their home directories. After enabling chroot_local_user=YES, uncomment the chroot_list_enable=YES and chroot_list_file directives shown above and list, one per line, the user names that need not be limited to their home directories.

The list is maintained like this:

#cat /etc/vsftpd/chroot_list
u2
u3
u4
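The interaction between chroot_local_user and chroot_list_enable is easy to get backwards: with chroot_local_user=YES the list holds the exceptions, with chroot_local_user=NO it holds the only users who are jailed. The script below is an added example, not part of the original post or of vsftpd; it reads a config and list file (constructed here in a temporary directory) and reports which users would end up chrooted, so the settings can be checked before restarting the service.

```shell
#!/bin/sh
# Added example: evaluate which local users vsftpd would chroot, following the
# rules stated in the vsftpd.conf comments:
#   chroot_local_user=YES -> everyone jailed, chroot_list holds the exceptions
#   chroot_local_user=NO  -> nobody jailed, chroot_list holds the users TO jail
# Paths are parameters; on a real host use /etc/vsftpd/vsftpd.conf and
# /etc/vsftpd/chroot_list instead of the constructed sample below.

# conf_value FILE KEY -> value of KEY, ignoring commented lines; last one wins
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# in_list FILE USER -> success if USER appears as a whole line in FILE
in_list() {
    [ -f "$1" ] && grep -qx "$2" "$1"
}

# is_chrooted CONF USER -> prints YES or NO
is_chrooted() {
    conf=$1; user=$2
    local_user=$(conf_value "$conf" chroot_local_user)
    list_enable=$(conf_value "$conf" chroot_list_enable)
    list_file=$(conf_value "$conf" chroot_list_file)
    [ -n "$list_file" ] || list_file=/etc/vsftpd/chroot_list   # vsftpd default
    listed=NO
    if [ "$list_enable" = YES ] && in_list "$list_file" "$user"; then listed=YES; fi
    if [ "$local_user" = YES ]; then
        [ "$listed" = YES ] && echo NO || echo YES    # listed users are exempt
    else
        [ "$listed" = YES ] && echo YES || echo NO    # only listed users jailed
    fi
}

# Constructed sample matching the post: u1 jailed, u2/u3/u4 exempt.
tmp=$(mktemp -d)
cat > "$tmp/vsftpd.conf" <<EOF
local_enable=YES
#chroot_local_user=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$tmp/chroot_list
EOF
printf 'u2\nu3\nu4\n' > "$tmp/chroot_list"

for u in u1 u2 u3; do
    echo "$u chrooted: $(is_chrooted "$tmp/vsftpd.conf" "$u")"
done
```

On vsftpd 3.0 and later, a chrooted user whose home directory is writable is refused login unless allow_writeable_chroot=YES is also set; the sessions on this page run vsFTPd 2.2.2, which does not perform that check.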

Now all local users except those mentioned in the list are limited to their home directories. See the sessions below: u1 is confined to the chroot jail, but u2 is not.

#ftp localhost
Connected to localhost.
220 (vsFTPd 2.2.2)
530 Please login with USER and PASS.
Name (localhost:root): u1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd ..
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp>
221 Goodbye.

#ftp localhost
Connected to localhost.
220 (vsFTPd 2.2.2)
530 Please login with USER and PASS.
Name (localhost:root): u2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/u2"
ftp> cd ../..
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (127,0,0,1,109,0).
150 Here comes the directory listing.
dr-xr-xr-x    2 0        0            4096 Jan 16 04:05 bin
dr-xr-xr-x    5 0        0            1024 Jan 09 06:59 boot
drwxr-xr-x   19 0        0            3700 Jan 19 23:25 dev
drwxr-xr-x  105 0        0           12288 Jan 20 02:45 etc
drwxr-xr-x    5 0        0            4096 Jan 20 02:45 home
dr-xr-xr-x    8 0        0            4096 Dec 14 09:40 lib
dr-xr-xr-x    9 0        0           12288 Jan 16 04:05 lib64
drwx------    2 0        0           16384 Dec 14 09:39 lost+found

This is how a chroot jail is configured for local users in the VSFTPD service, limiting them to their home directories only.