I've read documentation for various ftp daemons and various long threads about the security implications of using a chroot environment for an ftp server when giving users write access. If you read the vsftpd documentation, in particular, it implies that using chroot_local_user is a security hazard, while not using it is not. There seems to be no coverage of the implications of allowing the user access to the entire filesystem (as permitted by their user and group membership), nor to the confusion this can create.
So, I'd like to understand what is the correct method to use in practice. Should an ftp server with authenticated write-access users provide a non-chroot environment, a chroot environment, or some other option? Given that Windows ftp daemons don't have the option to use chroot, they need to implement isolation otherwise. Do any unix ftp daemons do something similar?
Best Answer
The correct practice you will use depends on the software you use.
If you know all your users, then I'd say using chroot is not a big deal. If you are giving accounts to people you don't know if you can trust, then you may not want to.
You may want to also take a look at pureftpd and its "chroot" options:
http://download.pureftpd.org/pub/pure-ftpd/doc/README
Of course, please do your research concerning security issues. Don't take anyone's word for it.
You don't need to use chroot to achieve isolation. That just makes it look nice for the user and the ignorant will think there are no other files on the server. You could also use file permissions to keep users from snooping around. You could also run your ftp daemon in a VM and reduce the risk further.
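The file-permission approach mentioned in the answer can be checked mechanically. The Python audit below is an added example, not part of the original answer; the function names and the sample directory layout are constructed, and it assumes each FTP user's area is a directory directly under one base path.

```python
import os
import stat
import tempfile


def rwx(bits):
    """Render a 3-bit permission class as an 'rwx'-style string."""
    return "".join(c if bits & b else "-" for c, b in zip("rwx", (4, 2, 1)))


def audit_homes(base):
    """Return {dir_name: [findings]} for directories under `base` that grant
    any access to group or other, i.e. that a non-chrooted FTP user logged in
    under a different account could list, enter or write to."""
    findings = {}
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        issues = []
        group_bits, other_bits = (mode >> 3) & 7, mode & 7
        if group_bits:
            issues.append("group:" + rwx(group_bits))
        if other_bits:
            issues.append("other:" + rwx(other_bits))
        if issues:
            findings[entry.name] = issues
    return findings


def build_sample(base):
    """Constructed sample layout: one private home and two exposed ones."""
    for name, mode in (("alice", 0o700), ("bob", 0o755), ("carol", 0o770)):
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)  # set explicitly so the umask does not interfere


def demo():
    """Run the audit over the constructed layout and return its findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample(base)
        return audit_homes(base)


if __name__ == "__main__":
    for name, issues in demo().items():
        print(f"{name}: {', '.join(issues)}")
```

Group bits are only a concern when accounts share a group; on systems that give each user a private group, the `other` findings are the ones that matter.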