
Simple: ProFTPD Server (Directory question)

I just set up an FTP server using ProFTPD. This server is intended to be a thing that allows me to access certain files on my system from anywhere. However, there is one huge problem: this system is also used as a workstation and some users have weak passwords. Is there a way that I can limit it so that an FTP connection can only access a certain directory of my system (e.g. /ftp/)? And I don't want anonymous FTP.
1 Solution
I haven't used ProFTPD for a while but, as I recall, the default setting was for the daemon to run a chroot'ed home directory. Have a look in the configuration file to see if that setting has been changed otherwise look in the man page for the chroot settings.
m_morganAuthor Commented:
Can't find anything of that sort in the config file or the man page.

If my question was unclear I want the following:

When all users log in, they start at a specified directory (e.g. /ftp). Once logged in, they can only read, write, or execute things in that directory and lower (they are restricted to /ftp and its sub-directories).

Try using the "DefaultRoot" directive.
I also use this directive in my FTP server. It seems to be what you want.

Below is the explanation from the ProFTPD website.
Hope it can help.

Syntax: DefaultRoot directory [group-expression]
Default: /
Context: server config, <VirtualHost>, <Global>
Module: mod_auth
Compatibility: 0.99.0pl7 and later

The DefaultRoot directive controls the default root directory assigned to a user upon login. If DefaultRoot is set to a directory other than "/", a chroot operation is performed immediately after a client authenticates. This can be used to effectively isolate the client from a portion of the host system filespace. The specified root directory must begin with a / or can be the magic character '~'; meaning that the client is chroot jailed into their home directory. If the DefaultRoot directive specifies a directory which disallows access to the logged-in user's home directory, the user's current working directory after login is set to the DefaultRoot instead of their normal home directory. DefaultRoot cannot be used in <Anonymous> configuration blocks, as the <Anonymous> directive explicitly contains a root directory used for Anonymous logins.

The special character '~' is replaced with the authenticating user's home directory immediately after login. Note that the default root may be a subdirectory of the home directory, such as "~/anon-ftp".

The optional group-expression argument can be used to restrict the DefaultRoot directive to a unix group, groups or subset of groups. The expression takes the format: [!]group-name1[,[!]group-name2[,...]]. The expression is parsed in a logical boolean AND fashion, such that each member of the expression must evaluate to logically TRUE in order for the DefaultRoot directive to apply. The special character '!' is used to negate group membership.

Care should be taken when using DefaultRoot. Chroot "jails" should not be used as methods for implementing general system security as there are potentially ways that a user can "escape" the jail.

Example of a DefaultRoot configuration:

ServerName "A test ProFTPD Server"
ServerType inetd
User ftp
Group ftp
# This causes proftpd to perform a chroot into the authenticating user's directory immediately after login.
# Once this happens, the user is unable to "see" higher level directories.
# Because a group-expression is included, only users who are a member of
# the group 'users' and NOT a member of 'staff' will have their default
# root directory set to '~'.
DefaultRoot ~ users,!staff

m_morganAuthor Commented:
Is there a way that I can apply this to all groups without specifying them individually? This way, no matter who logs in, they are limited to that directory?
m_morganAuthor Commented:
Is there a way to keep people from breaking out of jail?
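As an added illustration (not from the original thread, and not ProFTPD's own code), the following Python models the DefaultRoot semantics quoted above: the optional group-expression in the form [!]group1[,[!]group2...] is evaluated as a logical AND, '~' and '~/sub' are replaced relative to the user's home directory, and a directive with no group-expression applies to every user (which is how the "all groups" case from the later comment is expressed). The sample configuration, user names and groups are constructed for the example; the assumption that the first matching DefaultRoot line wins when several are present is mine and is not stated on the page.

```python
from typing import List, Optional, Tuple

# Constructed sample configuration fragment (hypothetical values, not the thread's config).
# The first DefaultRoot line carries a group-expression; the second applies to everyone else.
SAMPLE_CONF = """\
ServerName "A test ProFTPD Server"
ServerType inetd
User ftp
Group ftp
# users who are in 'users' and NOT in 'staff' are jailed into a subdirectory of their home
DefaultRoot ~/anon-ftp users,!staff
# everyone else (no group-expression given) is jailed into /ftp
DefaultRoot /ftp
"""


def parse_group_expression(expr: Optional[str]) -> List[Tuple[bool, str]]:
    """Parse '[!]group-name1[,[!]group-name2[,...]]' into (negated, group) terms.

    None or an empty string means "no expression" and yields no terms.
    """
    if not expr:
        return []
    terms = []
    for token in expr.split(","):
        token = token.strip()
        if not token:
            raise ValueError(f"empty term in group-expression {expr!r}")
        negated = token.startswith("!")
        terms.append((negated, token[1:] if negated else token))
    return terms


def expression_matches(expr: Optional[str], user_groups: List[str]) -> bool:
    """Logical AND over all terms: every term must be TRUE for the directive to apply."""
    groups = set(user_groups)
    for negated, name in parse_group_expression(expr):
        member = name in groups
        # A positive term fails when the user is not a member;
        # a negated ('!') term fails when the user IS a member.
        if member == negated:
            return False
    return True


def parse_default_roots(conf: str) -> List[Tuple[str, Optional[str]]]:
    """Return (directory, group_expression_or_None) for each DefaultRoot line, in file order."""
    roots = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "defaultroot":
            directory = parts[1]
            expr = parts[2] if len(parts) > 2 else None
            # The documented rule: the directory must begin with '/' or be the magic '~'.
            if not (directory.startswith("/") or directory.startswith("~")):
                raise ValueError(f"DefaultRoot directory must start with '/' or '~': {directory!r}")
            roots.append((directory, expr))
    return roots


def effective_root(conf: str, home: str, user_groups: List[str]) -> str:
    """Directory the client would be chroot()ed into after login.

    Assumption (not from the page): the first DefaultRoot line whose group-expression
    matches is used. With no matching line the documented default of '/' applies,
    i.e. no chroot is performed.
    """
    for directory, expr in parse_default_roots(conf):
        if not expression_matches(expr, user_groups):
            continue
        if directory == "~":
            return home                      # '~' -> the user's home directory
        if directory.startswith("~/"):
            return home.rstrip("/") + directory[1:]  # '~/sub' -> subdirectory of home
        return directory
    return "/"


if __name__ == "__main__":
    for user, home, groups in [("alice", "/home/alice", ["users"]),
                               ("bob", "/home/bob", ["users", "staff"]),
                               ("carol", "/home/carol", ["wheel"])]:
        print(f"{user}: chroot -> {effective_root(SAMPLE_CONF, home, groups)}")
```

Run it directly to see the resolved root for the three constructed users. The quoted documentation's caveat still stands for any real deployment: the chroot confines what a client can see, but it is not a substitute for strong passwords and general system hardening.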