I need to chroot all local users to their home directories, but one user should have access to all user directories. If I put admin_user in chroot_list_file, he has access to the whole file system. I want to restrict access for him only to /home, but when he logs in to the ftp server his default directory should be /home/admin_user. How can I achieve that?
I have a vsftpd installation with the following config:
# /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
dirmessage_enable=YES
xferlog_enable=YES
dual_log_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
max_clients=0
max_per_ip=0
# /etc/vsftpd/chroot_list
admin_user
Best Answer
You either use VSFTP's chroot() ability to restrict users to their home directories, or not.
If you don't, then the whole filesystem is exposed and you can only rely on having the correct file system permissions to protect your non-public data.
Having said that, vsftp does have an option to (somewhat) restrict the user's movements with the deny_file directive:
Create the deny_file e.g.
ls -d /*/ |grep -v home > /etc/vsftpd/forbidden_path
Best to restrict the deny_file so it only applies to your admin_user and not all users:
Add the user_config_dir=/etc/vsftpd/user.overrides/ directive to the main vsftpd.conf configuration and create the user-specific override:
and restart the ftp server and test if the behavior is as expected.
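
How the two chroot options in the question's config combine, as an added example that is not part of the original question or answer: with chroot_local_user=YES, the file named by chroot_list_file lists the users who are exempt from the jail, which is why admin_user sees the whole file system. The sample config is constructed from the settings quoted in the question, and the user name alice and the helper names are assumptions.

```python
# Added example: resolve which local users vsftpd places in a chroot() jail.
# SAMPLE_CONF / SAMPLE_LIST are constructed from the settings quoted in the question.
SAMPLE_CONF = """\
# /etc/vsftpd/vsftpd.conf (excerpt)
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
"""
SAMPLE_LIST = "admin_user\n"

# vsftpd's documented defaults for the options this check reads.
DEFAULTS = {"chroot_local_user": "NO", "chroot_list_enable": "NO"}

def parse_conf(text):
    """Parse vsftpd.conf text: option=value lines, '#' starts a comment line."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return opts

def parse_list(text):
    """chroot_list_file content: one user name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def is_jailed(user, opts, listed):
    chroot_all = opts["chroot_local_user"].upper() == "YES"
    use_list = opts["chroot_list_enable"].upper() == "YES"
    if not use_list:
        return chroot_all
    # With the list enabled it holds the exceptions to chroot_local_user:
    # the jailed users when it is NO, the exempt users when it is YES.
    return (user in listed) != chroot_all

def audit(users, conf_text, list_text):
    """Return {user: True if chrooted to the home directory, else False}."""
    opts = parse_conf(conf_text)
    listed = parse_list(list_text)
    return {user: is_jailed(user, opts, listed) for user in users}

if __name__ == "__main__":
    for user, jailed in audit(["alice", "admin_user"], SAMPLE_CONF, SAMPLE_LIST).items():
        print(f"{user}: {'chrooted to home' if jailed else 'NOT chrooted'}")
```

Any user the audit reports as not chrooted is confined only by file system permissions, so those are the accounts whose permissions deserve review.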