FTP Security - Chroot / Jail user
(limiting users to their own home directory only)
By default, a local FTP account can change to any directory outside its own /home/user.
Such a user can therefore browse any directory on the FTP server that the filesystem permissions allow.
Let's take a closer look at the example below. The user james browses
the /etc/sysconfig/networking directory and learns that it contains
two directories, devices and profiles. If james has rights on a file
outside his /home directory (such as group rights), he can simply download it.
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): james
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/home/james"
ftp> cd /etc/sysconfig/networking
250 Directory successfully changed.
ftp> pwd
257 "/etc/sysconfig/networking"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
devices
profiles
226 Directory send OK.
ftp: 19 bytes received in 0.00Seconds 19.00Kbytes/sec.
ftp> bin
200 Switching to Binary mode.
ftp> cd devices
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
ifcfg-eth0
ifcfg-eth0.bak
ifcfg-eth1
ifcfg-eth1.bak
226 Directory send OK.
ftp: 56 bytes received in 0.00Seconds 28.00Kbytes/sec.
ftp> get ifcfg-eth0
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ifcfg-eth0 (117 bytes).
226 File send OK.
ftp: 117 bytes received in 0.00Seconds 117.00Kbytes/sec.
Thus, it is always recommended to jail (restrict) FTP users to their own /home/user directory.
Step 1: Edit /etc/vsftpd/vsftpd.conf.
Option A: chroot all local users
If you add chroot_local_user=YES, all local users are chroot()ed (jailed) to their /home/user directory. Go to the last line of the file and add the line:
vim /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
Option B: chroot only selected users
If you want only selected FTP users restricted to their home directory, uncomment lines 94 and 96 (delete the leading # sign). If chroot_local_user=YES was previously added, make sure it is removed from your vsftpd.conf file: as the comment on lines 92-93 explains, with chroot_local_user=YES the list turns into the users who are NOT chrooted.
vim /etc/vsftpd/vsftpd.conf
91 # You may specify an explicit list of local users to chroot() to their home
92 # directory. If chroot_local_user is YES, then this list becomes a list of
93 # users to NOT chroot().
94 chroot_list_enable=YES
95 # (default follows)
96 chroot_list_file=/etc/vsftpd/chroot_list
Step 2 (if you selected Option B above): create a file named chroot_list under /etc/vsftpd/
In the following example we create chroot_list and add the user james to the list:
cd /etc/vsftpd/
vim chroot_list
james
Step 3: Restart the vsFTPD service
service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
Step 4 (for Option A only): Verify your setting
Since we chroot() all users, neither jane nor james has any rights to access other folders:
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): james
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> cd /etc
550 Failed to change directory.
ftp> quit
221 Goodbye.
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): jane
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> cd /etc
550 Failed to change directory.
ftp> quit
221 Goodbye.
(For Option B only): Verify your setting
Below shows that the chroot setting is correct, because only james' access is restricted; jane can still change to /var/log:
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): james
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> cd /var/log
550 Failed to change directory.
ftp> quit
221 Goodbye.
C:\>ftp 192.168.13.145
Connected to 192.168.13.145.
220 (vsFTPd 2.0.5)
User (192.168.13.145:(none)): jane
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/home/jane"
ftp> cd /var/log
250 Directory successfully changed.
ftp> pwd
257 "/var/log"
ftp>
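As an added check (Python, not from the original tutorial), the functions below apply the vsftpd.conf rules quoted in Step 1 to a constructed config and chroot_list, showing which of james and jane ends up jailed under Option A, under Option B, and when both settings are mistakenly left in place. The config text and user names are sample values modelled on this page.

```python
def parse_vsftpd_conf(text):
    """Return {key: value} from vsftpd.conf text, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_chrooted(user, conf_text, chroot_list_text=""):
    """True if `user` is confined to their home directory under this config."""
    conf = parse_vsftpd_conf(conf_text)
    chroot_all = conf.get("chroot_local_user", "NO").upper() == "YES"
    list_enabled = conf.get("chroot_list_enable", "NO").upper() == "YES"
    listed = set()
    if list_enabled:
        listed = {l.strip() for l in chroot_list_text.splitlines() if l.strip()}
    if chroot_all:
        # Option A. If the list is also enabled, listed users are the exceptions
        # (NOT chrooted), exactly as the vsftpd.conf comment on lines 92-93 says.
        return user not in listed
    # Option B: only users named in chroot_list are chrooted.
    return list_enabled and user in listed


# Constructed sample inputs modelled on the tutorial's two configurations.
OPTION_A_CONF = "local_enable=YES\nchroot_local_user=YES\n"
OPTION_B_CONF = (
    "local_enable=YES\n"
    "chroot_list_enable=YES\n"
    "chroot_list_file=/etc/vsftpd/chroot_list\n"
)
CHROOT_LIST = "james\n"


def report(conf_text, chroot_list_text=""):
    """Map the tutorial's two users to their chroot status under a config."""
    return {u: is_chrooted(u, conf_text, chroot_list_text) for u in ("james", "jane")}


if __name__ == "__main__":
    print("Option A:", report(OPTION_A_CONF))
    print("Option B:", report(OPTION_B_CONF, CHROOT_LIST))
    # Pitfall the tutorial warns about: leaving chroot_local_user=YES in place
    # together with the list inverts it, so james becomes the one NOT jailed.
    print("Both set:", report(OPTION_A_CONF + OPTION_B_CONF, CHROOT_LIST))
```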