Ubuntu 9.10: Chroot Jail for FTP

by Mike on October 19, 2009 · 5 comments

in FTP Server

Chroot Jail for FTP Users
One concern when users FTP into your server is that, by default, users who have accounts can roam the server and view the contents of files outside their own directories. VSFTPD by default does not allow local user logins; it allows anonymous logins only. Anonymous users are locked into the directory they log in to, which is exactly what you want. However, if you set up user FTP accounts you will probably want to limit those users so they can only access their own files and not other users' files. To achieve this you must place them in a chroot jail.


Jail All Users
To jail all users, keeping each of them in their own home directory, use this setting in /etc/vsftpd.conf:
chroot_local_user=YES

Add these settings to allow anonymous logins over regular FTP and allow local users to log in, over SSL only:
anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES

This produces a useful and secure setup.
Allow Some Users to Roam the Server
You also have the option to allow selected users to log in and move around the server. These users will not be jailed:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

Now edit /etc/vsftpd.chroot_list and enter the users you want to allow to roam the server, one username per line.
Add these settings to allow anonymous logins over regular FTP and allow local users to log in, over SSL only:
anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
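An added example (not code from the post) that parses a vsftpd.conf together with its chroot list, answers whether a given local user ends up jailed under both the "Jail All Users" and "Allow Some Users to Roam" configurations above, and lists the settings a reviewer would flag. The config text and usernames are constructed; the only assumption beyond the page is the vsftpd man-page default of YES for force_local_logins_ssl and force_local_data_ssl.

```python
SAMPLE_CONF = """\
# constructed to mirror the "Allow Some Users to Roam" section above
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""
SAMPLE_LIST = "admin\n# backup operator\nbackup\n"  # constructed chroot list
def parse_conf(text):
    """vsftpd.conf holds one key=value per line; '#' lines and blanks are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_list(text):
    """The chroot list holds one username per line."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def is_yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"

def is_jailed(conf, listed_users, user):
    """The list's meaning flips with chroot_local_user: YES makes listed users
    the exceptions that roam; NO makes listed users the only ones jailed."""
    on_list = is_yes(conf, "chroot_list_enable") and user in listed_users
    return is_yes(conf, "chroot_local_user") != on_list

def findings(conf):
    """Settings a reviewer would flag; defaults follow the vsftpd man page."""
    out = []
    if not (is_yes(conf, "chroot_local_user") or is_yes(conf, "chroot_list_enable")):
        out.append("no local user is chrooted")
    if not is_yes(conf, "ssl_enable"):
        out.append("ssl_enable=NO: local logins send passwords in the clear")
    elif "ssl-cert-snakeoil" in conf.get("rsa_cert_file", ""):
        out.append("snakeoil certificate is a self-signed placeholder; issue a real one")
    for key in ("force_local_logins_ssl", "force_local_data_ssl"):
        if is_yes(conf, "ssl_enable") and not is_yes(conf, key, default="YES"):
            out.append(f"{key}=NO allows cleartext logins or data")
    return out
```

Note the inversion in is_jailed: the same chroot_list file names the users who roam when chroot_local_user=YES, but the users who are jailed when it is NO, so editing one setting without the other silently flips who is confined.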

{ 4 comments }

Francois October 26, 2009 at 7:15 pm

Well, ok, but just in case someone had missed it:

do NOT use ssl-cert-snakeoil

This certificate is for testing purposes and the private key is publicly available…

JohnP October 27, 2009 at 5:02 am

Why do people still use FTP? Having a password in the clear isn’t very smart, even with internal networking.

sFTP, scp, and all sorts of other encrypted file transfer methods exist.

We all need to stop enabling FTP anywhere unless it is pull and doesn’t use a password – basically use FTP like an anonymous web site.

mike October 27, 2009 at 9:59 am

You are right about the FTP security. However, many people use it regardless. If you use SSL to protect FTP it can be a useful tool.

Travis April 19, 2010 at 8:41 am

Heh, okay, my main concern is setting up users though. Like, if I wanted to create a user Anne and then only allow this user to access /home/Annefolder, I am not sure how I would go about doing this.
