Alexandre Takacs (Switzerland) asked:

Restrict ftp to single directory


I am trying something which should be pretty trivial but in practice seems to be rather difficult - even after Googling it I see lots of entries but also lots of people failing to have it work.

I want to set up an ftp server on a Debian 10 machine and “lock” the user to a single directory where he/she can do whatever they want, but not browse around or access anything else in the filesystem.

This is using vsFTPd v 3.0.3 on a directly internet facing Debian 10 VPS.

I have created a “testftp” user and said user is listed in vsftpd.chroot_list. I have changed the user's home directory to var/www/sandpit, which is the intended folder.

My problem is that the user can log in but cannot write to var/www/sandpit. More worryingly, the user can browse around the whole file system!

What am I missing and, more importantly, how do I fix this?

Here is my vsFTPd config file.
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=NO
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT.
# The times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=YES
chown_username=testftp
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=60
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to ANON FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
pasv_enable=YES
pasv_min_port=2121
pasv_max_port=2142


Tags: FTP, Linux Security
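Both symptoms in the question can be read straight off the posted config. write_enable is still commented out, so vsftpd falls back to its compiled-in default of no write commands at all. And with chroot_local_user=YES, the file named by chroot_list_file is, as the comment in the config itself says, the list of users NOT to chroot; putting testftp into vsftpd.chroot_list therefore exempts exactly that user from the jail, which is why the account can walk the whole filesystem. The script below is an added example, not code from the question or from the vsftpd project: it audits a vsftpd.conf and its chroot list for those two conditions. The config path, list path and user name are arguments, and the configuration it writes in demo() is a constructed reproduction of the settings above, kept in a temporary directory so the example runs offline.

```shell
#!/bin/sh
# Added example (not part of the original question or of vsftpd): audit a
# vsftpd.conf plus its chroot list for the two settings that produce
# "cannot write" and "can browse the whole filesystem" at the same time.

# Effective value of a directive. vsftpd takes the last uncommented
# assignment when a key is repeated; prints nothing when the key is absent
# or only present as a comment (as #write_enable=YES is in the question).
vsftpd_get() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# Is user $2 listed (one name per line) in file $1?
in_list() {
    [ -f "$1" ] && grep -qx "$2" "$1"
}

# vsftpd_audit CONF CHROOT_LIST USER
# Prints one finding per line; the exit status is the number of findings.
vsftpd_audit() {
    conf=$1; list=$2; user=$3; findings=0
    chroot_all=$(vsftpd_get "$conf" chroot_local_user)
    list_on=$(vsftpd_get "$conf" chroot_list_enable)
    can_write=$(vsftpd_get "$conf" write_enable)

    if [ "$chroot_all" = "YES" ]; then
        # With chroot_local_user=YES the list names the users NOT to chroot.
        if [ "$list_on" = "YES" ] && in_list "$list" "$user"; then
            echo "FINDING: $user is in $list, which is an EXEMPTION list when chroot_local_user=YES; $user is not jailed and can browse the whole filesystem"
            findings=$((findings + 1))
        fi
    else
        # Without chroot_local_user=YES only the listed users are jailed.
        if [ "$list_on" != "YES" ] || ! in_list "$list" "$user"; then
            echo "FINDING: $user is not chrooted (chroot_local_user is not YES and $user is not in an enabled chroot list)"
            findings=$((findings + 1))
        fi
    fi

    if [ "$can_write" != "YES" ]; then
        # vsftpd's compiled-in default is write_enable=NO.
        echo "FINDING: write_enable is not YES; STOR, MKD, DELE and other write commands are refused"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed reproduction of the relevant lines from the question's config,
# written to a temporary directory so the example runs without touching /etc.
demo() {
    d=$(mktemp -d)
    cat >"$d/vsftpd.conf" <<'EOF'
local_enable=YES
#write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
EOF
    echo testftp >"$d/vsftpd.chroot_list"
    vsftpd_audit "$d/vsftpd.conf" "$d/vsftpd.chroot_list" testftp
    n=$?
    rm -rf "$d"
    return "$n"
}

# On the settings from the question this reports both findings and exits 2.
demo || echo "demo: $? finding(s) reported"
```

On a real host, call vsftpd_audit /etc/vsftpd.conf /etc/vsftpd.chroot_list testftp after each change and reload vsftpd. Two caveats once the audit comes back clean: the fix for the browsing problem is to take testftp out of the list (or drop chroot_list_enable) rather than to set chroot_local_user=NO, and, as the warning in the config comment hints, vsftpd 3.x refuses the login of a jailed user whose jail root is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). Keep the top level owned by root and mode 755 and give the user a writable subdirectory inside it; allow_writeable_chroot=YES silences that check and is the weaker choice.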

Last comment: Alexandre Takacs, 8/22/2022 - Mon

Make sure the home path has a /./username
This will lock the user within their own home dir.

/home/username will need to be /home/./username
Alexandre Takacs

Thanks for your input, although I don't quite fully understand it.
I have changed the home directory from var/www/sandpit to var/www/./sandpit. Didn't change anything as far as I can tell: user can still browse the file system and still can't write to the intended directory.

David Favor

You said, "I am trying something which should be pretty trivial but in practice seems to be rather difficult".

You are correct.

Most FTPD servers are, to me, seriously brain dead.

They all work, if you have enough time/budget/will/expertise for setup + daily maintenance, as they always seem to break or require hours for management.

https://www.experts-exchange.com/questions/29220417/How-to-resolve-Could-not-start-transfer-FileZilla-on-Mac-Ubuntu-18-04-LAMP-on-Linode.html provides how I do this across 1000s of sites... which has my config file attached.

Because I'm immensely lazy... and mucking about with FTP is boring...

I use MySecureShell, because it's the only FTP server I've ever used that worked as I expected... out of the box...
Alexandre Takacs

Ok it seems I will go the SFTP route with MySecureShell.
Still, most hosting companies provide generic linux web hosting with FTP access - I have just connected to one server I use for that very purpose and it works exactly as I want, i.e. I can only see my "www" folder (cannot browse around the machine) and write to it.
How do they do it?

Id user
You are locating the user in a location where ..
You have
# (default follow
Try adding the user into the list and reload vsftpd?
Alexandre Takacs

Sorry you lost me.
The user is listed in vsftpd.chroot_list. Anything else I should do ?

Not sure what the significance of your setup is.

Often users are in /home/users; you are placing the user in the path of the web server, which commonly has the least restrictive rights.
755? What are the permissions on /var/www/testuser?

You might be able to achieve the same thing by having the user in /home/username;
the user can then put what they want published in public_html.
Your setup could be that.

Usually, the settings you have and the definition of the home dir as //home/./username commonly locks the user's ftp session within the home dir....
Alexandre Takacs

I'm sorry but I just don't follow you...
Usually, the settings you have and the definition of the home dir as //home/./username commonly locks the user's ftp session within the home dir....
Assuming it works, what good would it do me? Should I then set up a junction to the intended directory (aka var/www/sandpit)?

UPDATE: Out of curiosity I tried it - no change, still having the same issues (no restriction on browsing, can't write to directory)

No, you can configure your httpd.conf to use the public_html reference.

I am not sure I understand what you are after, as /var/www/ is not the root of the web; the content is in html, /var/www/html.

So not fully clear what you are trying to do or why it seems to fail.

Can you get getfacl /var/www/sandpit output?

The settings you have should chroot the user into /var/www/sandpit.
Alexandre Takacs

I have gone the SFTP + MySecureShell way as per @David Favor's suggestion. Seems to work fine, so I'd say it is good enough for my intended use (i.e. make a single directory r/w for a specific non-admin user and publish said directory via HTTP). Still a bit baffled that this basic need would be so difficult to implement.