Disable operations outside user’s home directory with chroot jail

Tags: chroot, users, vsftpd

I'm trying to restrict a user to a specific directory called gclegal using a chroot jail. I've uncommented the line in the /etc/vsftpd.conf file

chroot_local_user=YES

Created a new user called kg:

$ sudo groupadd xenomai
$ sudo useradd -d /var/www/html/gclegal -g xenomai kg
$ sudo passwd kg 

With this configuration I'm able to login through vsftpd with kg user but I'm also able to browse back to parent directories and modify them until /var/www/html.

How can I disable all operations outside the home of the user (/var/www/html/gclegal)?

Best Answer

Working from the vsftpd version 2.2.2, there are two options for keeping users in a chroot jail:

  • chroot_list_enable

Just add users to the chroot list e.g. (/etc/vsftpd/chroot_list) that you want placing in a chroot jail.

  • chroot_local_user

This will place all local users in a chroot jail, however, if this is set then the chroot_list becomes a list of users who DO NOT go in a chroot jail.

Therefore check your list does not contain user kg if you have chroot_local_user=YES configured.

Obviously restart the vsftpd daemon after making configuration changes.

Excerpt from man vsftpd.conf

   chroot_list_enable
          If activated, you may provide a list of local users who are placed in a chroot() jail  in  their  home  directory  upon  login.  The  meaning  is  slightly  different  if
          chroot_local_user  is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail.  By default, the file containing this list
          is /etc/vsftpd/chroot_list, but you may override this with the chroot_list_file setting.

          Default: NO

   chroot_local_user
          If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login.  Warning: This option has security implications, especially
          if  the  users  have  upload permission, or shell access. Only enable if you know what you are doing.  Note that these security implications are not vsftpd specific. They
          apply to all FTP daemons which offer to put local users in chroot() jails.

          Default: NO

I have configured vsftpd to chroot users and these are the /etc/vsftpd.conf settings that I used (Ubuntu 14.04):

listen=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
allow_writeable_chroot=YES

NOTE: Ensure /etc/vsftpd.chroot_list or /etc/vsftpd/chroot_list are empty.


Once you get it working, if you want to keep track of ftp logins, then you can set session_support=YES and these should then appear using the last command:

username   vsftpd:12025 IP address     Tue Oct 14 14:05 - 14:10  (00:05)
username   vsftpd:12011 IP address     Tue Oct 14 14:04 - 14:05  (00:00)

NOTE - utmp and wtmp support is only provided with PAM enabled builds.
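The inversion the answer describes (the chroot list is an include list when chroot_local_user=NO and an exemption list when it is YES) is easy to get backwards. The following added example, not part of the original answer, is a small POSIX shell helper that reads a vsftpd.conf and a chroot list and reports whether a given local user would be jailed; the config and list files it builds are constructed for the demo, and the function name is the example's own.

```shell
#!/bin/sh
# Added example: apply the chroot_local_user / chroot_list_enable semantics
# from man vsftpd.conf to decide whether a user lands in a chroot() jail.

vsftpd_conf_get() {
    # Print the value of key $2 in conf file $1 (last occurrence wins,
    # commented-out lines are ignored); prints nothing if the key is unset.
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

vsftpd_user_jailed() {
    # $1 = vsftpd.conf, $2 = chroot list file, $3 = username
    # Prints "jailed" or "not-jailed".
    conf=$1; list=$2; user=$3
    local_user=$(vsftpd_conf_get "$conf" chroot_local_user)
    list_enable=$(vsftpd_conf_get "$conf" chroot_list_enable)
    # Both options default to NO according to the man page.
    : "${local_user:=NO}"; : "${list_enable:=NO}"
    in_list=0
    if [ "$list_enable" = YES ] && [ -f "$list" ] && grep -qx "$user" "$list"; then
        in_list=1
    fi
    if [ "$local_user" = YES ]; then
        # Everyone is jailed; the list names the users who are NOT jailed.
        [ "$in_list" = 1 ] && echo not-jailed || echo jailed
    else
        # Nobody is jailed unless listed.
        [ "$in_list" = 1 ] && echo jailed || echo not-jailed
    fi
}

# Constructed demo: the asker's settings, first with kg wrongly listed, then with an empty list.
tmp=$(mktemp -d)
printf 'chroot_local_user=YES\nchroot_list_enable=YES\n' > "$tmp/vsftpd.conf"
printf 'kg\n' > "$tmp/chroot_list"
vsftpd_user_jailed "$tmp/vsftpd.conf" "$tmp/chroot_list" kg   # not-jailed: kg is exempted
: > "$tmp/chroot_list"
vsftpd_user_jailed "$tmp/vsftpd.conf" "$tmp/chroot_list" kg   # jailed
rm -rf "$tmp"
```

Point it at the real /etc/vsftpd.conf and /etc/vsftpd.chroot_list (or /etc/vsftpd/chroot_list) to confirm that kg is reported as jailed before testing the FTP login again.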
