vsftpd – Why chroot_local_user is Insecure

centosftplinuxvpsvsftpd

I'm setting up on my VPS a vsftpd, and i don't want users be allowed to leave they're ftp home directory. I'm using local_user ftp, not anonymous, so I added:

chroot_local_user=YES

I've read in a lot of forum post, that this is unsecure.

Why is this unsecure?
If this is unsecure because of using ssh to join to my VPS as well, then I could just lock out these users from sshd, right?
Is there an other option for achiving this behaviour of vsftpd? ( I dont want to remove read permissions on all folder/files for "world" on my system )

Best Answer

Check here for VSFTPD's FAQ for the answer your looking for. Below is the important excerpt that I think will answer your question.

Q) Help! What are the security implications referred to in the "chroot_local_user" option?

A) Firstly note that other ftp daemons have the same implications. It is a generic problem. The problem isn't too severe, but it is this: Some people have FTP user accounts which are not trusted to have full shell access. If these accounts can also upload files, there is a small risk. A bad user now has control of the filesystem root, which is their home directory. The ftp daemon might cause some config file to be read - e.g. /etc/some_file. With chroot(), this file is now under the control of the user. vsftpd is careful in this area. But, the system's libc might want to open locale config files or other settings...

Related Solutions

Linux – FTP using VSFTPD “Access Denied”

For permissions, you need to have the folder and files in it owned by myuser so that they can be accessed from the myuser account.

If apache (or your scripts) needs to write to the folder, then the best thing to do is use chgrp to assign the specific locations that should be written to to the www-data group, then chmod g+w that location or file. If you are giving write access to a folder, chmod g+sw will give write access to the folder and ensure that files created there will also belong to the www-data group.

The files and directories in this case would look something like:

drwxrwxr-x 2 myuser   www-data    4096 2011-04-18 03:04 webroot
-rw-rw-r-- 1 myuser   www-data    1000 2011-04-18 03:04 index.html
drwxrwsr-x 2 myuser   www-data    4096 2011-04-18 03:04 folderwithg+ws

You would want to be very careful giving write access to files and folders to apache though, otherwise an attacker might figure out a way to make your scripts overwrite themselves or replace index.html, or whatever.

Otherwise, if apache does not need to write to your document directory, the permissions should be fine as it is long as all of the subdirectories and files are world readable (and directories are world accessible).

For SSL/TLS, you're missing

ssl_enable=YES

You can force users to use encryption:

force_local_logins_ssl=YES
force_local_data_ssl=YES

And there is a ssl_ciphers= option as well, if you want to limit it to HIGH or a specific list of ciphers. If you want "implicit SSL" (instead of AUTH SSL or AUTH TLS commands to start encryption, the encryption is negotiated at the beginning of the connection) then that is implicit_ssl=YES

Centos – How to restrict created users to a directory and disable SSH for VSFTPD

I'm presuming you're mostly asking how to prevent a user being able to use SSH as - as far as I can tell - your vsftpd config should be good to go based on the chroot_local_user option being set to yes.

You can simply change the user's shell to something like /bin/false (make sure to add it to /etc/shells to prevent possible problems with the ftp server) and your user will be able to authenticate to SSH but they'll just get dumped back out.

Alternatively you could use AllowUsers/DenyUsers in /etc/ssh/sshd_config - but this could require updating the ssh config every time you change who's allowed to login, whereas you can set the user's shell to /bin/false with your useradd command by using

useradd -s /bin/false <everything else>

Then if you later want to grant them SSH access you can just use usermod to change their shell to bash (for example).

Best Answer

Related Solutions

Linux – FTP using VSFTPD “Access Denied”

Centos – How to restrict created users to a directory and disable SSH for VSFTPD

Related Topic