VSFTPD: Set User’s Default Directory Outside Chroot Directory

chrootconfigurationftppermissionsvsftpd

I have a VSFTPD setup in which users are chrooted to their home directories. Standard stuff. But this requires all of their home directories to be unwritable to them (to avoid security issues.) No problem, if they want to upload files they can upload them to a writable folder within their chroot.

But now they have to change into that folder every time to do their uploading. If I use the local_root option in the VSFTPD config file to move their default login location to that writable folder, then that becomes their chroot, and we're back to square one: it cannot be writable.

My question is, how can I move the default location that VSFTPD puts users in, to a writable directory within their chroot jail, without making the chroot directory itself writeable?

Best Answer

There is only one way to do this with vsftpd and paths must be set in the system passwd file. Paths cannot be set in the vsftpd.conf file.

In the /etc/vsftpd.conf file, set the following two options:

chroot_local_user=YES
passwd_chroot_enable=YES

You must also change the user's unix home directory to indicate where the chroot jail is rooted. The chroot jail root will be located at the path left of the /./ in the home directory path. i.e. /ftphome/./home/user/ would set the chroot jail to /ftphome/ and inside the jail the user directory would be home/user. You can do this by executing:

sudo usermod -d /ftphome/./home/user/ user

Obviously, the chroot directory and user directories inside should be setup per normal chroot preparation.

Related Solutions

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

# semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"

Be sure to include the (/.*)? at the end of the directory name.

I also tried to use audit2allow to generate a policy, but what it does is generate a policy that gives ftpd write access to directories of type public_content_t; this is equivalent to turning on allow_ftpd_full_access, if I understood it correctly

Essentially, yes; since SELinux allows directories/files labeled with public_content_t to be shared between different services. However, further access control is in place through the use of sebooleans (or sebool, more precisely).

Giving "ftpd full access", doesn't mean giving it the rights to do/read/write what and where it wants. SELinux has designated policies in place for the services on your system; meaning, ftpd is allowed to read files if the directory's file context (fcontext) is public_content_t. SELinux gives write permissions to the ftp server if the directory's fcontext is public_content_rw_t; other services such as samba, apache, etc. have to be allowed write permissions to those directories through the booleans, according to the pertaining RedHat Documentation. If your "local policy" gives ftpd write access in directories labelled public_content_t, it essentially strips away a layer of security. Therefore, I suggest labeling the directory with the public_content_rw_t context, and removing your custom generated local policy.

For further information and details, please see the SELinux wiki pages.

Ftp – VSFTPD how chroot not chrooted users in /home

You either use VSFTP's chroot() ability to restrict users to their home directories, or not.

If you don't then whole filesystem is exposed and you can only rely on having the correct file system permissions to protect your non-public data.

Having said that, vsftp does have a option to (somewhat) restrict the users movements with the deny_file directive:

 deny_file
          This option can be used to set  a  pattern  for  filenames  (and
          directory names etc.) which should not be accessible in any way.
          The affected items  are  not  hidden,  but  any  attempt  to  do
          anything  to  them  (download,  change  into  directory,  affect
          something within directory etc.) will be denied. This option  is
          very simple, and should not be used for serious access control -
          the filesystem's  permissions  should  be  used  in  preference.
          However,  this  option  may  be  useful ... ...

Create the deny_file e.g. ls -d /*/ |grep -v home > /etc/vsftpd/forbidden_path

Best to restrict the deny_file so it only applies to your admin_user and not all users:

Add the user_config_dir=/etc/vsftpd/user.overrides/ directive to the main vsftpd.conf configuration and create the user specific override:

# /etc/vsftpd/user.overrides/admin_user
# admin_user is excluded from chroot() but restrict his access to /home
deny_file=/etc/vsftpd/forbidden_path

and restart the ftp server and test of the behavior is as expected.

Best Answer

Related Solutions

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

Ftp – VSFTPD how chroot not chrooted users in /home

Related Topic