Ftp – VSFTPD – How to jail users in his own dir

ftpvsftpd

I want to "jail" the user in his respective directory but they are being jailed at /var/www having permissions to "walk" and write in any directory at www.

Vsftpd on CentOS 7 – System details:

SITE 1:

Path: /var/www/site1
Owner and group:  site1:site1
/home/site1 is a symbolic link to /var/www/site1

SITE 2:

Path: /var/www/site2
Owner and group:  site2:site2
/home/site2 is a symbolic link to /var/www/site2

My /etc/passwd:

[...]
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
site1:x:1000:1000::/var/www/./site1:bin/bash
php-fpm:x:995:992:php-fpm:/var/lib/php/fpm:/sbin/nologin
site2:x:1001:1001::/var/www/./site2:/bin/bash

My /etc/vsftpd/vsfptd.conf:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES

connect_from_port_20=YES
xferlog_std_format=YES
ascii_upload_enable=YES

chroot_local_user=YES
user_sub_token=$USER
local_root=/var/www/$USER ### also tried: local_root=/home/$USER
allow_writeable_chroot=YES
passwd_chroot_enable=YES
listen=NO
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090
force_dot_files=YES

I also have disabled SELinux, with enabled it's impossible to access ftp using windows(even in active mode).

Anyone can see the problem?

Best Answer

Solved, guys! The problem was the dot in home path of /etc/passwd.

Before(Not working):

site1:x:1000:1000::/var/www/./site1:bin/bash

Now(working):

site1:x:1000:1000::/var/www/site1:bin/bash

Related Solutions

Ftp – vsftpd: allow access only for certain users

In vsftpd.conf add:
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

Edit the file to contain a username per row.

Linux – Issues with VSFTPD / FTP on Linux Ubuntu server – Steps for Troubleshooting

So here's the INPUT portion of your iptables configuration.

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

HERE^

ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED

The line that i highlighted with the REJECT is denying all inbound connections. The rules you put at the bottom to permit ftp & ftp-data are never firing. Nor are the ufw- rules.

I'm not an ubuntu person and I don't have a box handy to look at, but it's likely your init script that handles your firewall is hardcoding the first few rules, and then the place where you added your config is happening later in the boot sequence.

Related Topic