vsftpd configuration not working.

Linux Kernel, Network, and Services configuration.
hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

vsftpd configuration not working.

#1 Post by hack3rcon »

Hello,
I want to configure the vsftpd service and limit a user to just a specific directory. I did the steps below to configure vsftpd:
1- I created an account and set a password for it:
# useradd jason
# passwd jason
Then I changed the vsftpd configuration as below:

Code:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
connect_from_port_20=YES
chroot_local_user=YES
listen=NO
listen_ipv6=Yes

pam_service_name=vsftpd


# Home User
userlist_enable=YES
virtual_use_local_privs=YES
userlist_deny=NO

##
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO

pasv_min_port=40000
pasv_max_port=50000

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

require_ssl_reuse=NO
ssl_ciphers=HIGH

debug_ssl=YES
Then I opened "/etc/vsftpd/user_list" and added the "jason" account to it. After that:

Code:

# mkdir /etc/vsftpd/user_config_dir/
# touch /etc/vsftpd/user_config_dir/jason
Then I opened the "jason" file and added the lines below to it:

Code:

local_root=/var/www/wp/
write_enable=YES
Other files are:

Code:

# cat ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
And:

Code:

# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
#root
#bin
#daemon
#adm
#lp
#sync
#shutdown
#halt
#mail
#news
#uucp
#operator
#games
#nobody
jason
And finally, restarted the vsftpd service.
I'm using FileZilla and can connect to the FTP server, but the jason user sees its home directory and can see other parts of the system too.
What is my problem? Which part is wrong?

Thank you.

reinob
Posts: 1196
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: vsftpd configuration not working.

#2 Post by reinob »

With chroot_local_user=YES you're limiting the user to their own $HOME, as defined in /etc/passwd.

If you want user specific options to apply then you need to set

Code:

user_config_dir=/etc/vsftpd/user_config_dir
You have apparently assumed that the above is already the default, which is alas not the case.
"man vsftpd.conf" would have told you that.

hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

Re: vsftpd configuration not working.

#3 Post by hack3rcon »

reinob wrote: With chroot_local_user=YES you're limiting the user to their own $HOME, as defined in /etc/passwd.

If you want user specific options to apply then you need to set

Code:

user_config_dir=/etc/vsftpd/user_config_dir
You have apparently assumed that the above is already the default, which is alas not the case.
"man vsftpd.conf" would have told you that.
Thank you for your reply.
Thus:

Code:

chroot_local_user=NO
user_config_dir=/etc/vsftpd/user_config_dir
Is it OK?
How about other files like "ftpusers" and "user_list"? Do they seem OK?

hack3rcon
Posts: 746
Joined: 2015-02-16 09:54
Has thanked: 48 times

Re: vsftpd configuration not working.

#4 Post by hack3rcon »

I changed the settings, but it does not matter and my user sees its home directory and other parts of the system.

reinob
Posts: 1196
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: vsftpd configuration not working.

#5 Post by reinob »

hack3rcon wrote: I changed the settings, but it does not matter and my user sees its home directory and other parts of the system.
You're gonna have to both (1) read the man page and (2) check the logs, which are there for a reason, rather than just for wasting space.

According to http://vsftpd.beasts.org/vsftpd_conf.html

Code:

userlist_file
    This option is the name of the file loaded when the userlist_enable option is active.

    Default: /etc/vsftpd.user_list 
but for some reason you're using /etc/vsftpd/user_list

I don't think I need to tell you that computers are generally very strict in what they do, i.e. they follow instructions to the letter (to the bit), and lack the "intelligence" that may suggest to you (presuming you're a human) that /etc/vsftpd.user_list and /etc/vsftpd/user_list should be "kinda like the same" -- this is absolutely not true beyond your imagination.

So again, please kindly RTFM -- and I don't mean that as an insult but as the best advice I or anyone can give you at this point.

And note that the manual is the manual, i.e. the man page and/or the official documentation. Copying and pasting from some random tutorial on the Internet will just lead to more questions being asked here. You may consult such tutorials to learn that e.g. you need the "user_list_enable" or "user_list_deny" or whatever option -> but then you should stop and consult the manual so that you know precisely what those options mean and imply.
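A lint for the three configuration points raised in this thread, as an added example that is not part of any post. The names `parse_conf` and `lint` are hypothetical, the sample configs are constructed from the posts, and the `userlist_file` default is the one quoted in post #5 (a packaged build may differ, so treat it as an assumption).

```python
import os

# Assumption: upstream default, as quoted in post #5 of this thread.
DEFAULT_USERLIST_FILE = "/etc/vsftpd.user_list"

def parse_conf(text):
    """Return {option: value} from vsftpd.conf text, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts

def lint(conf_text, edited_userlist, per_user_files):
    """Return finding codes for a config, given the files the admin edited."""
    opts = parse_conf(conf_text)
    yes = lambda key: opts.get(key, "NO").upper() == "YES"
    findings = []
    # Per-user files are only read from the directory named by user_config_dir.
    cfg_dir = opts.get("user_config_dir")
    for path in per_user_files:
        wanted = os.path.dirname(os.path.normpath(path))
        if cfg_dir is None or os.path.normpath(cfg_dir) != wanted:
            findings.append("USER_CONFIG_DIR")
            break
    # userlist_enable reads userlist_file, not whichever file was edited.
    effective = opts.get("userlist_file", DEFAULT_USERLIST_FILE)
    if yes("userlist_enable") and os.path.normpath(effective) != os.path.normpath(edited_userlist):
        findings.append("USERLIST_FILE")
    # Without chroot_local_user=YES a local user can leave the login directory.
    if not yes("chroot_local_user"):
        findings.append("NO_CHROOT")
    return findings

# Constructed inputs modelled on the posts above (not the full posted config).
POST1 = "chroot_local_user=YES\nuserlist_enable=YES\nuserlist_deny=NO\n"
POST3 = (POST1.replace("chroot_local_user=YES", "chroot_local_user=NO")
         + "user_config_dir=/etc/vsftpd/user_config_dir\n")
FIXED = (POST1 + "user_config_dir=/etc/vsftpd/user_config_dir\n"
         + "userlist_file=/etc/vsftpd/user_list\n")
EDITED = ("/etc/vsftpd/user_list", ["/etc/vsftpd/user_config_dir/jason"])

if __name__ == "__main__":
    for name, conf in (("post #1", POST1), ("post #3", POST3), ("fixed", FIXED)):
        print(name, lint(conf, *EDITED))
```

The check does not model `chroot_list_enable`, which changes which users `chroot_local_user` applies to.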
