VSFTPD security questions

Hello,

  I am trying to figure out the process for locking down user sessions in vsftpd.

The information I am going on so far is as follows:

chroot_list_enable
If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.
Default: NO

chroot_local_user
If set to YES, local users will be placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users also have shell access. Only enable if you know what you are doing.
Default: NO


---  My questions are:

What are the security risks if I lock users to their home directories?  I would think this is more secure, not less.

Secondly, it seems that even with that option I can still browse around the higher-level directories. I can't access all the directories, but I can still see them, which I don't want users to be able to do.

How exactly can I make it so a user connects, only sees his user folder, and cannot go above it, even to see the home folder where the other users are listed? Of course I want them to be able to create and access folders within their own user folder, but absolutely nothing above it.

Thanks for any help!
jkockler asked:
ajay_mhasal commented:
Hi,

Locking users to their home directory is more secure. To lock the users to their home directories, edit the file "/etc/vsftpd.conf" and add the following:

chroot_local_user=YES

Now restart the ftp server.
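The interaction between chroot_local_user and chroot_list_enable quoted in the question is easy to get backwards: the same list file means "jail these users" with the default setting and "do NOT jail these users" once chroot_local_user=YES. The following shell example is added here and is not from the thread or from vsftpd itself; it applies the documented rules to a constructed vsftpd.conf excerpt and a constructed list file and reports whether a named user would land in a chroot() jail. The user names, the config text and the list contents are all made up for the demonstration; the directives used are only the ones named in the question and the answer above.

```shell
#!/bin/sh
# Added example, not from the thread or from vsftpd: apply the documented
# chroot_local_user / chroot_list_enable rules to constructed config text.

# Print the value of a vsftpd.conf directive read from stdin. Commented-out
# lines do not match; if the directive repeats, the last assignment wins.
conf_get() {
    grep -E "^[[:space:]]*$1[[:space:]]*=" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# user_is_chrooted USER CONF_TEXT LIST_TEXT -> prints yes or no.
#   chroot_local_user=NO  (default): nobody is jailed except the users in the
#                                    list (only when chroot_list_enable=YES)
#   chroot_local_user=YES:           everybody is jailed except the users in
#                                    the list
user_is_chrooted() {
    user=$1
    local_user=$(printf '%s\n' "$2" | conf_get chroot_local_user)
    list_enable=$(printf '%s\n' "$2" | conf_get chroot_list_enable)
    in_list=no
    if [ "$list_enable" = YES ] && printf '%s\n' "$3" | grep -qx -e "$user"; then
        in_list=yes
    fi
    if [ "$local_user" = YES ]; then
        if [ "$in_list" = yes ]; then echo no; else echo yes; fi
    else
        if [ "$in_list" = yes ]; then echo yes; else echo no; fi
    fi
}

# Constructed vsftpd.conf excerpt: jail everyone, except names in the list file.
SAMPLE_CONF='# constructed excerpt, not a real server config
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list'

# Constructed contents of the chroot_list_file. With chroot_local_user=YES
# these are the users who are NOT jailed.
SAMPLE_LIST='ftpadmin'

# The same excerpt with chroot_local_user left at its default of NO: now the
# list names the only users who ARE jailed.
SAMPLE_CONF_DEFAULT=$(printf '%s\n' "$SAMPLE_CONF" \
    | sed 's/^chroot_local_user=YES/chroot_local_user=NO/')

for u in alice ftpadmin; do
    printf '%-9s chroot_local_user=YES -> %s   chroot_local_user=NO -> %s\n' "$u" \
        "$(user_is_chrooted "$u" "$SAMPLE_CONF" "$SAMPLE_LIST")" \
        "$(user_is_chrooted "$u" "$SAMPLE_CONF_DEFAULT" "$SAMPLE_LIST")"
done
```

Run against a real server by replacing the two sample variables with `$(cat /etc/vsftpd.conf)` and `$(cat /etc/vsftpd.chroot_list)` (or whatever chroot_list_file points at); a user who prints "no" under your live config is the one who will still see /home and the other accounts, which is the symptom described in the question.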
ajay_mhasal commented:
Hi,

Please visit ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.1/FAQ to learn about the "security implications" of chroot_local_user=YES.

ygoutham commented:
A simple way of overcoming the security risk attached to chroot_local_user=YES is to set up the FTP users with no bash.

when you add a user

useradd -g ftp_user_group -d /home/ftpusers/someusername  -s /bin/false  someusername

That way the user would only have access through FTP into his home directory and would never have any login access to the server.
jkockler (author) commented:
Okay great thanks for the help!

One last piece of clarification:

The vsftpd.conf file says

"uncomment this line to allow local users to login"
local_enable=YES

My question is, if a local user is not enabled to log in, then who would be logging in? I suppose setting this to yes would have to be complemented by allowing the anonymous FTP login?
ajay_mhasal commented:
Hi,

This is because vsftpd allows you to configure virtual users, i.e. non-OS users which are created for FTP access only.

For more details please visit

http://howto.gumph.org/content/setup-virtual-users-and-directories-in-vsftpd/
ajay_mhasal commented:
Hi,

Also, I'll recommend that you configure virtual users only if you are concerned about security.
ygoutham commented:
Logging in to vsftpd is not the same as logging in through a bash shell,

so it is safe to enable local users to log in as long as the user's login shell is set to /bin/false.
ajay_mhasal commented:
Hi,

No, use "/sbin/nologin" instead of "/bin/false".
ajay_mhasal commented:
Hi,

Also, do not edit the "/etc/passwd" file directly; instead use the following commands.

Command for a new user:
useradd -g ftp -s /sbin/nologin <username>

For an existing user:
usermod -g ftp -s /sbin/nologin <username>
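The replies above agree that local FTP accounts should carry a non-interactive login shell, which is the mitigation for the "security implications" warning in the chroot_local_user man-page text. The shell example below is added here and is not from the thread; it audits constructed /etc/passwd and /etc/group lines, lists members of the ftp group whose shell is neither /sbin/nologin nor /bin/false, and prints the usermod command from the last reply as the suggested fix without running it. The user names, UIDs and the gid 50 are made up for the demonstration; /usr/sbin/nologin is accepted as well because that is where Debian-derived systems keep the nologin binary.

```shell
#!/bin/sh
# Added example, not from the thread: list members of the ftp group whose login
# shell would still give them an interactive session, and print the fix.

# Non-interactive shells accepted by this check: the two named in the replies
# plus the Debian location of nologin.
is_nologin_shell() {
    case $1 in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# ftp_gid GROUP_TEXT -> numeric gid of the "ftp" group, empty if there is none.
ftp_gid() {
    printf '%s\n' "$1" | awk -F: '$1 == "ftp" { print $3; exit }'
}

# interactive_ftp_users PASSWD_TEXT GROUP_TEXT -> one "name shell" line per
# account whose primary group is ftp and whose shell is not a nologin shell.
# Only the primary gid (field 4 of passwd) is checked; supplementary
# membership listed in /etc/group is out of scope for this example.
interactive_ftp_users() {
    gid=$(ftp_gid "$2")
    [ -n "$gid" ] || return 1
    printf '%s\n' "$1" | awk -F: -v gid="$gid" '$4 == gid { print $1, $7 }' \
    | while read -r name shell; do
        is_nologin_shell "$shell" || printf '%s %s\n' "$name" "$shell"
    done
}

# suggested_fix NAME -> the usermod command from the thread, printed, not run.
suggested_fix() {
    printf 'usermod -g ftp -s /sbin/nologin %s\n' "$1"
}

# Constructed /etc/passwd and /etc/group lines (names, uids and gid 50 are
# invented for this example). carol is not in the ftp group and is ignored.
SAMPLE_PASSWD='alice:x:1001:50::/home/ftpusers/alice:/sbin/nologin
bob:x:1002:50::/home/ftpusers/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:50::/home/ftpusers/dave:/bin/false'
SAMPLE_GROUP='root:x:0:
ftp:x:50:'

interactive_ftp_users "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | while read -r name shell; do
    printf 'WARNING: %s has shell %s; fix: %s\n' "$name" "$shell" "$(suggested_fix "$name")"
done
```

On a live system substitute `$(getent passwd)` and `$(getent group)` for the two sample variables so that accounts from NSS sources other than the flat files are covered too; with the constructed input only bob is reported, since alice and dave already have the shells the replies recommend.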