vsftp: ftp access, not bash

effennel (Technical User), Oct 15, 2002
Hello,

I am trying to setup vsftp on CentOS.

My test user can connect via sftp and is chroot'd to the proper directory. However she can browse /, /etc, more... and has access to bash.

I want to limit the user to her own directory and no access to bash.

This is the current /etc/passwd
#
ftpuser:x:503:503::/home/ftpuser/ftp:/bin/bash
#

I have tried changing the /bin/bash for /bin/false, /sbin/nologin and /dev/null. This disallows any possible login to bash and ftp.

This is the /etc/vsftpd/vsftpd.conf
#
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=Hello.
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
chroot_local_user=YES
#

I have also tried the combination
#
[...]
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
#

while adding my user to /etc/vsftpd.chroot_list.

Any suggestion? I'm a beginner, please be explicit.

Thanks
FnL
 
If the test user can browse to directories outside of their home directory, then I'd say they ain't chrooted. Are you saying that they are taken to their home directory but then they can sneak out? I would change this line to:

chroot_local_user=yes

All the other chroot lines should be commented out. Any time you change this file you need to restart vsftpd before the changes will take place. As for /etc/passwd, you were correct in making the shell /sbin/nologin.
 
RhythmAce,

I appreciate your help, however as I mentioned:

chroot_local_user is set to YES and users can still browse outside their home directory.

Users can't login via FTP when /sbin/nologin is set in the /etc/passwd file.

Any other tips?

Thanks
FnL
 
Some ftp clients can run shell commands if it is set up to do so by the system admin (root). Is this what you are talking about, or are you saying that the test user can log in to a shell account via telnet or ssh? Sorry but I'm confused. I don't know if I'm working on two unrelated problems or one. ;-)

 
All right, I'll try to make myself a little clearer:

I want users to be able to ftp to their home directory. No shell access whatsoever and chroot'd there.

With chroot_local_user=YES in vsftpd.conf and /bin/bash in passwd, users can go outside their home directory using an ftp client (sFTP actually). Also they have access to a shell via ssh/telnet.

When I change /bin/bash to /sbin/nologin, all access (FTP and ssh) is cut off.

Thanks for your help.
FnL
 
Here are the relevant parts of my vsftpd.conf:
Code:
anonymous_enable=NO
local_enable=YES
# You may specify an explicit list of local users to chroot() to their home
chroot_local_user=YES
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
Only users in /etc/vsftpd.user_list are able to log in via ftp; even if they have a valid bash shell. And those are jailed to their home directory as specified by 'chroot_local_user=YES'.

What I notice, is that you have 'userlist_enable=YES', but no userlist file specified (at least not in the post above). I have no idea what effect this would have.
 
OH! OK! - sorry. I read where you said you connected via sftp way at the beginning of your post and I let that slip right by me. I thought it was a typo and you meant vsftp. The way sftp works is it uses an encrypted ssh transport. So basically everything is being handled by ssh even though sftp uses a different port (115). What I'm getting at is what you are seeing is pretty much the nature of the beast. You would have to find a way to chroot an ssh user because, as you have found out, setting it up in vsftp's configs does nothing. You might want to do a google search for 'chroot ssh' and see if that gets you anywhere. Sorry, I wasn't able to help.

 