vsftpd users need to go to their home directories

I am running vsftpd on my Red Hat Enterprise Linux machine....  I need my vsftpd users to end up in their home directories when they log in...   I have tried setting up a user config directory, a "chroot" list.... every time I log in I end up in the "/" directory..

Please help!
SRG041808Asked:
tkutherCommented:
Usually that's the only service you have to restart if vsftpd runs standalone.

Just for the fun of it, I tested all this on one of our RHEL5.4 development machines. I changed the plain default vsftpd.conf as shown in the attached patch, created a local user "test", and here goes the ncftp output from our FTP-client machine to that new FTP-server:

$ ncftp -u test -p test testserver
NcFTP 3.2.2 (Aug 18, 2008) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to xx.xx.xx.xx...
(vsFTPd 2.0.5)
Logging in...
Login successful.
Logged in to testserver.
ncftp / > cd /etc
Could not chdir to /etc: server said: Failed to change directory.
ncftp / > ls
ncftp / >

Works like a charm.


Regarding the IPTABLES rule, the server is an OpenSUSE box in the wild, using SuSEFirewall2 as frontend, so it might not be helpful. But dpt 20, dpt21 and dpts 30000:40000 are opened.


--- vsftpd.conf.orig	2010-04-29 12:18:58.000000000 +0200
+++ vsftpd.conf	2010-04-29 12:20:31.000000000 +0200
@@ -9,7 +9,7 @@
 # capabilities.
 #
 # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
-anonymous_enable=YES
+anonymous_enable=NO
 #
 # Uncomment this to allow local users to log in.
 local_enable=YES
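
Review bot: setting anonymous_enable=NO explicitly is the right form here, because the comment two lines above states the compiled-in default is YES whenever the line is absent, so commenting it out would silently re-enable anonymous logins; note that the asker's own config later in the thread already has anonymous_enable=NO, so this hunk is not what changes where his users land.
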
@@ -89,7 +89,9 @@
 #deny_email_enable=YES
 # (default follows)
 #banned_email_file=/etc/vsftpd/banned_emails
-#
+
+chroot_local_user=YES
+
 # You may specify an explicit list of local users to chroot() to their home
 # directory. If chroot_local_user is YES, then this list becomes a list of
 # users to NOT chroot().
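
Review bot: chroot_local_user=YES is added here without chroot_list_enable, so the list described in the comment directly below is never consulted and every local user is confined to their home directory; the asker's config differs in that it sets chroot_list_enable=YES and chroot_list_file next to chroot_local_user=YES, which, as that comment states, turns chroot_list into the set of users who are NOT confined. If some accounts must be exempt, enable the list deliberately and keep it short; otherwise leave it off as this patch does. Replacing the "#" separator with blank lines is cosmetic and harmless.
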

arichakraCommented:
Just try to log in with the user using telnet/ssh and see where you are landing. Once you can successfully log in and automatically go to the home directory of the user using telnet/ssh, your problem with ftp will resolve.
I understand home folders are not created at all!!

Please try the same & update me to proceed on this..
SRG041808Author Commented:
The home directories definitely exist and the user account is pointed to them...  When I have a user on the chroot_list they end up in their home directory but can navigate the entire system....  if they are not in chroot_list they end up at "/" and cannot go anywhere else.....  Pretty much it's backwards to what I want it to do...

Below is a copy of my vsftpd.conf

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Authorized Use Only!
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
#
#restrict users to home directory
chroot_local_user=YES
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
#
#custom options
dual_log_enable=YES
syslog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
#
#Below tells VSFTPD the default directory
local_root=/data
#Enable and use client configuration directories
user_config_dir=/etc/vsftpd/ccd
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Jan SpringerCommented:
I recommend downloading and install pure-ftpd.  It does that and more.
SRG041808Author Commented:
It appears to be a really cool service...   Is there a way to fix what is already installed?

It appears the package isn't offered by Red Hat and I couldn't find an RPM for my OS (Red Hat Enterprise Linux 5.4)

I've had some bad experiences installing software from source...  Either it won't work or makes the machine unstable...

Jan SpringerCommented:
I have installed pure-ftpd from source on various versions of Fedora Core, RHEL v4 and v5 and CentOS v5.

And have never had a problem.

If I could have configured vsftpd to do what I needed, I wouldn't have installed pure-ftpd.
SRG041808Author Commented:
vsftpd works for what I need it to do... there must be a way to fix my issue...
skuranCommented:
Check your vsftpd.conf file for the lines below and make sure you have real home dirs for the users in /etc/passwd.

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_list_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
SRG041808Author Commented:
Check and check... it's all there
tkutherCommented:
Try changing the order and add a directive, so it looks like:

chroot_local_user=YES
passwd_chroot_enable=YES
# I would uncomment those, just chroot everyone
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list

NOTE: for passwd_chroot to work, your home dir in /etc/passwd has to look like /home/ftpuser/./
(mind the trailing /./)
tkutherCommented:
Oh, and also comment out local_root and user_config_dir!
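The two notes above (chroot everyone, and drop local_root / user_config_dir) are the crux of the thread, so here is an added example of mine, not code from any poster or from vsftpd: a small POSIX-sh checker that applies the rules stated in the config comments to a vsftpd.conf and a user, showing how chroot_local_user, chroot_list_enable, local_root and passwd_chroot_enable combine (the list inverts, local_root replaces the home directory, and a confined user sees the jail as "/"). The function names, the defaults assumed for unset options and "last occurrence of a key wins" are assumptions of this example.

```shell
#!/bin/sh
# Added example: predict from a vsftpd.conf how a local FTP login is treated,
# applying only the rules the config comments in this thread state:
#   chroot_local_user=YES    -> every local user is chroot()ed to the home dir
#   chroot_list_enable=YES   -> chroot_list_file is consulted; together with
#                               chroot_local_user=YES it lists users NOT to jail
#   local_root=DIR           -> DIR replaces the home directory
#   passwd_chroot_enable=YES -> "/./" in the passwd home marks the jail point
# A confined user sees the jail as "/", which is what the "ncftp / >" prompt
# above shows. Function names, defaults for unset options and "last line wins"
# are assumptions of this example, not vsftpd's own code.

# opt CONF KEY DEFAULT: value of the last uncommented KEY= line, else DEFAULT
opt() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# listed FILE USER: succeeds when USER appears as a whole line in FILE
listed() { [ -f "$1" ] && grep -qx -- "$2" "$1"; }

# confined CONF USER: prints YES when vsftpd would chroot() this user
confined() {
    on_list=NO
    if [ "$(opt "$1" chroot_list_enable NO)" = YES ] &&
       listed "$(opt "$1" chroot_list_file /etc/vsftpd/chroot_list)" "$2"; then
        on_list=YES
    fi
    if [ "$(opt "$1" chroot_local_user NO)" = YES ]; then
        if [ "$on_list" = YES ]; then echo NO; else echo YES; fi  # exemptions
    else
        echo "$on_list"                           # list names who gets jailed
    fi
}

# session CONF USER HOME: prints "jail=<dir|none> start=<dir as the client sees it>"
session() {
    home=$3
    root=$(opt "$1" local_root "")
    if [ "$(confined "$1" "$2")" = YES ]; then
        case $home in
        */./*)
            if [ "$(opt "$1" passwd_chroot_enable NO)" = YES ]; then
                echo "jail=${home%%/./*} start=/${home#*/./}"
                return
            fi ;;
        esac
        echo "jail=${root:-$home} start=/"        # whole jail shows as "/"
    else
        echo "jail=none start=${root:-$home}"     # can cd anywhere on the box
    fi
}
```

Run it as `session /etc/vsftpd/vsftpd.conf bob "$(getent passwd bob | cut -d: -f6)"` to see which directory a given account is jailed to and where its session starts.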
SRG041808Author Commented:
So I commented out

#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
#local_root
#user_config_dir

chroot_local_user=YES  is enabled

I have restarted the vsftpd service and my users end up at "/" but cannot go anywhere else....

I checked /etc/passwd and the home directories do not have "/./"

Would passwd_chroot_enable=YES hurt or still work?

Before the change my user ended up in their home dir but could navigate everywhere....
tkutherCommented:
That's weird actually. It should work fine without passwd_chroot_enable.
It does here on our sort of production FTP. I can attach our config, maybe it helps:
$ cat vsftpd.conf |sed -e '/^# /d' -e '/^$/d' -e '/^#$/d'
write_enable=YES
dirmessage_enable=YES
#nopriv_user=ftpsecure
ftpd_banner="FTP-server"
#ls_recurse_enable=YES
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
#hide_ids=YES
local_enable=YES
local_umask=072
chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
#local_max_rate=7200
anonymous_enable=NO
anon_world_readable_only=YES
#anon_upload_enable=YES
#anon_umask=022
#anon_mkdir_write_enable=YES
#anon_other_write_enable=YES
#chown_uploads=YES
#chown_username=whoever
#anon_max_rate=7200
syslog_enable=NO
log_ftp_protocol=YES
xferlog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
#xferlog_std_format=YES
xferlog_file=/var/log/xferlog
dual_log_enable=YES
#setproctitle_enable=YES
connect_from_port_20=YES
#idle_session_timeout=600
#data_connection_timeout=120
#async_abor_enable=YES
ascii_upload_enable=YES
#ascii_download_enable=YES
#pasv_enable=NO
pasv_address=xxx.xxx.xxx.xxx
pasv_min_port=30000
pasv_max_port=40000
#pasv_promiscuous=YES
pam_service_name=vsftpd
listen=YES

SRG041808Author Commented:
I make the changes and restart the service and nothing seems to take effect...  I have noticed sometimes when I make changes they won't take effect until the next day...  Is there another service that needs to be restarted other than vsftpd?

By the way I like the pasv_min_port and max port...  that may be the solution to another issue I have.....  If you are using IPTABLES can you tell me what command you used to open that port range...

SRG041808Author Commented:
So I discovered when I say "service vsftpd stop" and "service vsftpd start"  the changes take effect immediately...

something was messed up with doing "service vsftpd restart"

Attached is my current config....  User ends up in their home dir but can navigate anywhere....

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Authorized Use Only!
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
#
#restrict users to home directory
chroot_local_user=YES
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd whith two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
#
#custom options
dual_log_enable=YES
syslog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log

#
#Below tells VSFTPD the default directory
#local_root=/data
#Enable and use client configuration directories
#user_config_dir=/etc/vsftpd/ccd
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

SRG041808Author Commented:
How Do I make sure they stay in their home directories?
SRG041808Author Commented:
It answers one problem!
Question has a verified solution.