VSFTPD security questions


  I am trying to figure out the process for locking down user sessions in vsftpd.

The information I am going on so far is as follows:

If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd.chroot_list, but you may override this with the chroot_list_file setting.
Default: NO

If set to YES, local users will be placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users also have shell access. Only enable if you know what you are doing.
Default: NO

---  My questions are:

What are the security risks if I lock users to their home directories?  I would think this is more secure, not less.

Secondly it seems even with that option, I can still browse around the higher level directories, I can't access all the directories, but I can still see them, which I don't want users to be able to do.

How exactly can I make it so a user connects, and only sees his user folder, and can not go above it, even to see the home folder, where the other users are listed.  Of course I want them to be able to create and access folders within their own user folder, but absolutely nothing above it.  

Thanks for any help!
ajay_mhasal commented:

Locking users to their home directory is more secure. And to lock the user to their home directory only, edit the file "/etc/vsftpd.conf" and add the following


Now restart the ftp server.
ajay_mhasal commented:

Please visit ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.1/FAQ to learn the "security implications" of chroot_local_user=YES
ygoutham commented:
A simple way of overcoming the security risk attached to chroot_local_user=YES is to set up the FTP users with no bash shell.

when you add a user

useradd -g ftp_user_group -d /home/ftpusers/someusername  -s /bin/false  someusername

That way the user would only have access through FTP into his home directory and would never have any login access to the server.
jkockler (author) commented:
Okay great thanks for the help!

One last piece of clarification:

The vsftpd.conf file says

"uncomment this line to allow local users to login"

My question is, if a local user is not enabled to log in, then who would be logging in? I suppose setting this to YES would have to be complemented by allowing anonymous FTP login?
ajay_mhasal commented:

This is because vsftpd allows you to configure virtual users, i.e. non-OS users which are created for FTP access only.

For more details please visit


Also, I'd recommend you configure virtual users only if you are concerned about security.
Logging in to vsftpd is not the same as logging in through a bash shell,

so it is safe to enable local users to log in as long as the user's login shell is set to /bin/false.

No, use "/sbin/nologin" instead of "/bin/false"

Also do not edit "/etc/passwd" file directly instead use following commands

Commands for new user:
useradd -g ftp -s /sbin/nologin <username>

For old user:
usermod -g ftp -s /sbin/nologin <username>
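The advice in the last few comments amounts to an account-level check: every account that exists only for FTP should carry a shell that cannot run commands. The following is an added example, not part of any comment above: a shell audit that lists the members of the ftp group (by primary gid and by supplementary membership) from passwd and group files and classifies each one's shell. It also covers the caveat that usually bites right after switching a user to /sbin/nologin or /bin/false: on systems where vsftpd's PAM stack uses pam_shells (the stock RHEL and Debian configs do) or where a non-PAM build keeps check_shell=YES, the nologin shell must itself be listed in /etc/shells or the FTP login is refused too. The passwd, group and shells files are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the vsftpd project): audit FTP-only
# accounts for a non-interactive shell. Works in dash/bash.

# Exit 0 if SHELL is one that refuses to run commands (the shells recommended
# in the thread, plus their /usr-merged paths).
noninteractive_shell() {
    case $1 in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if SHELL ($1) is listed in an /etc/shells-format file ($2).
# pam_shells and vsftpd's check_shell both consult this list.
listed_shell() {
    grep -qx "$1" "$2"
}

# Print the users in group $3: primary members from passwd file $1 plus the
# comma-separated supplementary members from group file $2, one per line.
ftp_group_members() {
    local passwd=$1 group=$2 name=$3 gid
    gid=$(awk -F: -v g="$name" '$1==g{print $3}' "$group")
    {
        awk -F: -v gid="$gid" '$4==gid{print $1}' "$passwd"
        awk -F: -v g="$name" '$1==g{n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]!="") print m[i]}' "$group"
    } | sort -u
}

# Classify user $3 from passwd file $1 against shells file $2:
#   ok           non-interactive shell that is also listed in shells
#   interactive  a real shell: the account can log in over SSH/console
#   unlisted     non-interactive but not in shells: FTP login will fail
#                wherever pam_shells or check_shell is in effect
account_status() {
    local passwd=$1 shells=$2 user=$3 shell
    shell=$(awk -F: -v u="$user" '$1==u{print $7}' "$passwd")
    if ! noninteractive_shell "$shell"; then
        echo interactive
    elif ! listed_shell "$shell" "$shells"; then
        echo unlisted
    else
        echo ok
    fi
}

# Report every member of group $4 and exit 0 only if all are "ok".
audit_ftp_accounts() {
    local passwd=$1 group=$2 shells=$3 name=$4 rc=0 u st
    for u in $(ftp_group_members "$passwd" "$group" "$name"); do
        st=$(account_status "$passwd" "$shells" "$u")
        echo "$u: $st"
        [ "$st" = ok ] || rc=1
    done
    return $rc
}

w=$(mktemp -d)

# Constructed sample passwd: alice was created as the thread recommends,
# bob still has bash, carol uses /bin/false and is an ftp group member only
# through the group file.
cat > "$w/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1001:50::/home/ftpusers/alice:/sbin/nologin
bob:x:1002:50::/home/ftpusers/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/false
EOF

cat > "$w/group" <<'EOF'
root:x:0:
ftp:x:50:carol
EOF

# Constructed sample /etc/shells: /sbin/nologin is listed, /bin/false is not.
cat > "$w/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF

audit_ftp_accounts "$w/passwd" "$w/group" "$w/shells" ftp || :
```

On a real host the same functions run against /etc/passwd, /etc/group and /etc/shells; an "unlisted" result is fixed by adding the nologin shell to /etc/shells, and an "interactive" one by the usermod command shown above.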