jkockler
asked on
VSFTPD security questions
Hello,
I am trying to figure out the process for locking down user sessions in vsftpd.
The information I am going on so far is as follows:
chroot_list_enable
If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.
Default: NO
chroot_local_user
If set to YES, local users will be placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users also have shell access. Only enable if you know what you are doing.
Default: NO
--- My questions are:
What are the security risks if I lock users to their home directories? I would think this is more secure, not less.
Secondly, it seems that even with that option I can still browse around the higher-level directories. I can't access all the directories, but I can still see them, which I don't want users to be able to do.
How exactly can I make it so that a user connects and only sees his user folder, and cannot go above it, not even to see the home folder where the other users are listed? Of course I want them to be able to create and access folders within their own user folder, but absolutely nothing above it.
Thanks for any help!
Hi,
Also, I'd recommend you configure virtual users only if you are concerned about security.
Logging in to vsftpd is not the same as logging in through a bash shell,
so it is safe to enable local users to log in as long as the user's login shell is set to /bin/false.
Hi,
No, use "/sbin/nologin" instead of "/bin/false".
Hi,
Also, do not edit the "/etc/passwd" file directly; instead, use the following commands.
Commands for new user:
useradd -g ftp -s /sbin/nologin <username>
For old user:
usermod -g ftp -s /sbin/nologin <username>
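An added example (not part of any answer in this thread) that audits a passwd-format listing for FTP-only accounts that still have an interactive shell, following the convention the answers describe: FTP users carry primary group ftp and must have /sbin/nologin as their shell. The sample passwd/group text and the GID 50 are constructed; in practice you would point the functions at /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Constructed sample passwd(5)/group(5) content (not from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:50::/home/alice:/sbin/nologin
bob:x:1002:50::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:50::/home/dave:/bin/false'
SAMPLE_GROUP='root:x:0:
ftp:x:50:
carol:x:1003:'

# Print the numeric GID of group $1, reading group(5)-format text on stdin.
gid_of_group() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }'
}

# Print "user shell" for every account whose primary GID is $1 and whose
# login shell is anything other than /sbin/nologin (so /bin/bash and the
# /bin/false variant discussed above are both reported). Reads passwd(5)
# text on stdin.
ftp_users_with_shell() {
    awk -F: -v gid="$1" '$4 == gid && $7 != "/sbin/nologin" { print $1, $7 }'
}

# Number of offending accounts in the constructed sample; a real audit would
# replace the printf pipelines with: gid_of_group ftp < /etc/group and
# ftp_users_with_shell "$gid" < /etc/passwd
sample_offender_count() {
    gid=$(printf '%s\n' "$SAMPLE_GROUP" | gid_of_group ftp)
    printf '%s\n' "$SAMPLE_PASSWD" | ftp_users_with_shell "$gid" | wc -l | tr -d ' '
}

# Each reported account is fixed with the command from the thread (run as root):
#   usermod -g ftp -s /sbin/nologin <username>
```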
ASKER
One last piece of clarification:
The vsftpd.conf file says
"uncomment this line to allow local users to login"
local_enable=YES
My question is, if a local user is not enabled to log in, then who would be logging in? I suppose setting this to YES would have to be complemented by allowing the anonymous FTP login?