Wednesday, May 15, 2024
rated 0 times [  4] [ 0]  / answers: 1 / hits: 15341  / 1 Year ago, wed, january 4, 2023, 3:02:13

Setup vsftpd easily



If I run this config:



listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem


Then I get an error message:




500 OOPS: vsftpd: refusing to run with writable root inside chroot()




However, if I add in allow_writeable_chroot=YES as suggested here, then it just fails to connect:




Connection attempt failed with "ECONNREFUSED - Connection refused by server"




However, if I remove that line that was just added and perform sudo chmod a-w on the user's home directory, they can now connect but the service is pointless as they can't upload anything.



Is there a way to restrict users to just their home directory, AND be able to connect and write to their home directory? Turning off chroot_local_user is not an option as they can then browse all the other users' directories.



 Answers

You're looking for the allow_writeable_chroot configuration option, but this does not exist in the version of vsftpd shipped with 12.04. See bug 1065714 for a similar enquiry and details of why we can't have this in 12.04.




Turning off chroot_local_user is not an option as they can then browse all the other users' directories.




Have you considered switching to private user directories by default? If you don't want users to be able to browse other users' directories, then a more secure way of achieving this is with the permission mechanism baked in to the system, rather than through each individual service. See the user management section of the server guide for details on how to do this. Would turning off chroot_local_user then be an option for you?


[#33853] Thursday, January 5, 2023
polcomposte
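
An added example, not part of the original question or answer: a shell function that audits home directories for the two conditions discussed in this thread, namely access by other users (the answer's private-directories suggestion) and a directory its owner can write to, which is what the question's chmod a-w removed. The function name, the output labels and the use of the owner write bit as the writable-root test are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit home directories under a base path (default /home).
# For each directory it prints: <mode> <name> <flags>
#   browsable-by-others  - "other" has read, write or execute permission, so
#                          other local users can list or enter the directory
#   writable-chroot-root - the owner write bit is set; with chroot_local_user=YES
#                          this directory becomes the chroot root, the case the
#                          "refusing to run with writable root" error is about.
#                          Assumption: the owner bit stands in for "writable".
#   ok                   - neither condition applies

audit_homes() {
    base=${1:-/home}
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue          # also skips an unmatched glob
        dir=${dir%/}
        # First 10 characters of ls -ld are the type and permission string,
        # e.g. drwxr-xr-x (an ACL or SELinux marker in column 11 is dropped).
        mode=$(ls -ld "$dir" | cut -c1-10)
        owner_w=$(printf '%s' "$mode" | cut -c3)
        other=$(printf '%s' "$mode" | cut -c8-10)
        flags=""
        case $other in
            ---|--T) ;;                    # no access for other users
            *) flags="browsable-by-others" ;;
        esac
        if [ "$owner_w" = "w" ]; then
            flags="${flags:+$flags,}writable-chroot-root"
        fi
        printf '%s %s %s\n' "$mode" "${dir##*/}" "${flags:-ok}"
    done
}

# Run against a path given on the command line, e.g.: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    audit_homes "$1"
fi
```

A directory reported as ok for both checks is the state the question reached after chmod a-w: private and accepted as a chroot root, but not writable by its owner.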