

Simple: ProFTPD Server (Directory question)

Posted on 2001-07-23
Medium Priority
Last Modified: 2010-03-18
I just set up an FTP server using ProFTPD. This server is intended to be a thing that allows me to access certain files on my system from anywhere. However, there is one huge problem: this system is also used as a workstation and some users have weak passwords. Is there a way that I can limit it so that an FTP connection can only access a certain directory of my system (e.g. /ftp/)? And I don't want anonymous FTP.
Question by:m_morgan

Expert Comment

ID: 6311031
I haven't used ProFTPD for a while but, as I recall, the default setting was for the daemon to run a chroot'ed home directory. Have a look in the configuration file to see if that setting has been changed otherwise look in the man page for the chroot settings.

Author Comment

ID: 6311276
I can't find anything of that sort in the config file or the man page.

If my question was unclear I want the following:

When all users log in they start at a specified directory (e.g. /ftp); once logged in they can only read, write, or execute things in that directory and lower (they are restricted to /ftp and its sub-directories).

Accepted Solution

leochan72 earned 150 total points
ID: 6315709

Try using "DefaultRoot" directive.
I also use this directive in my FTP server. Seems it is what you want.

Below is the explanation from the Proftpd website.
Hope it can help


Syntax: DefaultRoot directory [group-expression]
Default: /
Context: server config, <VirtualHost>, <Global>
Module: mod_auth
Compatibility: 0.99.0pl7 and later

The DefaultRoot directive controls the default root directory assigned to a user upon login. If DefaultRoot is set to a directory other than "/", a chroot operation is performed immediately after a client authenticates. This can be used to effectively isolate the client from a portion of the host system filespace. The specified root directory must begin with a / or can be the magic character '~'; meaning that the client is chroot jailed into their home directory. If the DefaultRoot directive specifies a directory which disallows access to the logged-in user's home directory, the user's current working directory after login is set to the DefaultRoot instead of their normal home directory. DefaultRoot cannot be used in <Anonymous> configuration blocks, as the <Anonymous> directive explicitly contains a root directory used for Anonymous logins.

The special character '~' is replaced with the authenticating user's home directory immediately after login. Note that the default root may be a subdirectory of the home directory, such as "~/anon-ftp".

The optional group-expression argument can be used to restrict the DefaultRoot directive to a unix group, groups or subset of groups. The expression takes the format: [!]group-name1[,[!]group-name2[,...]]. The expression is parsed in a logical boolean AND fashion, such that each member of the expression must evaluate to logically TRUE in order for the DefaultRoot directive to apply. The special character '!' is used to negate group membership.

Care should be taken when using DefaultRoot. Chroot "jails" should not be used as methods for implementing general system security as there are potentially ways that a user can "escape" the jail.

Example of a DefaultRoot configuration:

ServerName "A test ProFTPD Server"
ServerType inetd
User ftp
Group ftp
# This causes proftpd to perform a chroot into the authenticating user's directory immediately after login.
# Once this happens, the user is unable to "see" higher level directories.
# Because a group-expression is included, only users who are a member of
# the group 'users' and NOT a member of 'staff' will have their default
# root directory set to '~'.
DefaultRoot ~ users,!staff
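As an added example (not part of the original answer or ProFTPD's own code), the Python helper below reads the DefaultRoot lines out of a constructed proftpd.conf fragment and reports, for a set of constructed user/group memberships, which accounts are actually chrooted and which still land on "/". It implements the [!]group1[,[!]group2] logical-AND semantics quoted above, treats a DefaultRoot with no group-expression (such as "DefaultRoot /ftp") as applying to every authenticated user, and assumes that the first matching directive wins when several are configured.

```python
"""Audit which users a ProFTPD DefaultRoot configuration actually jails."""

# Constructed proftpd.conf fragment for the demonstration; not from a real host.
SAMPLE_CONF = """
ServerName "A test ProFTPD Server"
# Jail members of 'users' who are NOT also in 'staff' into their home directory.
DefaultRoot ~ users,!staff
"""

def parse_default_roots(conf_text):
    """Return [(directory, [(negated, group), ...])] per DefaultRoot line.
    An empty group list means no group-expression: the directive applies to
    every authenticated user, e.g. 'DefaultRoot /ftp'."""
    roots = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "defaultroot":
            continue
        expr = []
        if len(parts) > 2:                            # [!]group1[,[!]group2...]
            for term in parts[2].split(","):
                expr.append((term.startswith("!"), term.lstrip("!")))
        roots.append((parts[1], expr))
    return roots

def expression_matches(expr, user_groups):
    """Evaluate the group-expression as a logical AND over its terms."""
    return all((group not in user_groups) if negated else (group in user_groups)
               for negated, group in expr)

def effective_root(roots, user_groups):
    """Directory the user is chrooted to; '/' means no jail at all.
    Assumption: the first matching directive wins (verify for your version)."""
    for directory, expr in roots:
        if expression_matches(expr, user_groups):
            return directory
    return "/"

def audit(conf_text, users):
    """Map each user name to its effective root so un-jailed accounts stand out."""
    roots = parse_default_roots(conf_text)
    return {name: effective_root(roots, set(groups)) for name, groups in users.items()}

if __name__ == "__main__":
    # Constructed accounts: bob is in 'staff', so the example expression skips him.
    demo_users = {"alice": ["users"], "bob": ["users", "staff"], "carol": ["wheel"]}
    for name, root in audit(SAMPLE_CONF, demo_users).items():
        print(f"{name:6} -> {root}")
```

Any user reported with "/" is not chrooted by the configuration, which is exactly the gap a group-restricted DefaultRoot leaves open.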


Author Comment

ID: 6315841
Is there a way that I can apply this to all groups without specifying them individually? That way, no matter who logs in, they are limited to that directory?

Author Comment

ID: 6315867
Is there a way to keep people from breaking out of jail?
