Under the default vsftpd configuration, FTP users who log in with local accounts can navigate out of their home directories and up to the top-level directories of the server, which can cause security issues. There are situations where you do not want FTP users to access any files outside of their own home directory. The vsftpd daemon can chroot each session to enforce this policy.
Set chroot jail to default $HOME directory for all local users
Follow the steps below to chroot jail all local users on the system to their default home directory.
1. In the vsftpd server configuration file /etc/vsftpd/vsftpd.conf, set the parameter below:
# vi /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
2. Restart the vsftpd service on the server:
# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
3. Test with a chroot-jailed user: log in over FTP and create a directory at what the user sees as the root (/) of the server.
# ftp ftphost
Connected to ftphost (192.168.149.10).
220 (vsFTPd 2.0.5)
Name (192.168.149.10:root): testuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (192.168.149.10,72,224)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192.168.149.10,135,209)
150 Here comes the directory listing.
226 Directory send OK.
ftp> mkdir chroot_jail_dir
257 "/chroot_jail_dir" created
ftp> ls
227 Entering Passive Mode (192.168.149.10,40,202)
150 Here comes the directory listing.
drwxr-xr-x    2 511      511          4096 Nov 12 11:40 chroot_jail_dir
226 Directory send OK.
ftp>
4. Check where the directory was actually created on the vsftpd server. It appears under the home directory (/home/testuser) of the user "testuser" rather than under the real root directory (/).
The directory is not created under /, as shown below:
# ls / | grep chroot_jail_dir
Instead, it is created under the home directory of the "testuser" user:
# ls /home/testuser/ | grep chroot_jail_dir
chroot_jail_dir
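The two facts this procedure relies on (the setting from step 1 is in effect, and the directory from step 3 landed under the user's home rather than under the real /) can be checked from a shell on the server. This is an added example, not part of the original article; it assumes vsftpd's "option=value" config syntax with '#' comment lines, treats the last matching assignment as the effective one (an assumption about precedence), and uses constructed files under a temporary directory, not a live server.

```shell
#!/bin/sh
# vsftpd_chroot_enabled CONF
# Returns 0 when the effective chroot_local_user setting in CONF is YES.
vsftpd_chroot_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 2
    # vsftpd settings are written as "option=value" with no spaces, and
    # lines beginning with '#' are comments, so a commented-out
    # "#chroot_local_user=YES" must not count. The last uncommented
    # assignment is taken as effective (assumption about precedence).
    value=$(grep '^chroot_local_user=' "$conf" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    [ "$value" = "YES" ]
}

# chroot_landed_in_home NAME ROOT HOME
# Mirrors step 4: the directory created over FTP must exist under the
# user's home directory and must not have appeared under the real root.
chroot_landed_in_home() {
    name="$1"; root="$2"; home="$3"
    [ -d "$home/$name" ] && [ ! -e "$root/$name" ]
}

# Demo on constructed input (not a real server): a config that contains a
# commented-out line followed by the real setting from step 1, and a fake
# filesystem where chroot_jail_dir exists only under /home/testuser.
demo_vsftpd_chroot() {
    tmp=$(mktemp -d)
    printf '#chroot_local_user=YES\nlocal_enable=YES\nchroot_local_user=YES\n' > "$tmp/vsftpd.conf"
    mkdir -p "$tmp/root/home/testuser/chroot_jail_dir"
    vsftpd_chroot_enabled "$tmp/vsftpd.conf" &&
        chroot_landed_in_home chroot_jail_dir "$tmp/root" "$tmp/root/home/testuser"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_vsftpd_chroot && echo "chroot jail confirmed on constructed input"
```

Note that the test in step 3 writes into the chroot root; vsftpd releases from 2.3.5 onward refuse a session whose chroot root is writable, so on a newer server the test user's home must be non-writable with a writable subdirectory (or, from 3.0.0, allow_writeable_chroot=YES must be set) for the same test to work.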